Re: The "unplug the cord" dilemma

From: Gary Flynn (flynngnat_private)
Date: Sat Mar 29 2003 - 09:29:07 PST


    Omar Herrera wrote:
    
    >I was looking for documentation available discussing circumstances where 
    >each of the following approaches is better:
    >
    >   a) leave the system online/plugged to the network -> online 
    >investigation
    >   b) unplug the system from network and shutdown -> offline forensics
    >   c) unplug the system from network and unplug from power source -> 
    >offline forensics
    >
    >It can be argued that with any of these approaches you potentially lose 
    >or alter evidence in some way; usually, approach c) is considered best in 
    >procedures as it freezes the hard disk and makes further tampering 
    >impossible (network connection information and data in volatile memory not 
    >written to disk would be lost, however). 
    >
    
    There may also be the possibility of power-fail subroutines executing as 
    the power is lost and performing some unknown action. I'm not sure about 
    new systems, but older systems I remember had several hundred milliseconds 
    of DC carry-over after AC was removed, and I believe I recall specific bus 
    signals used for power-fail interrupt routines.
    
    >Approach a) is sometimes 
    >necessary, for example, if there is an incident with a mission critical 
    >system that cannot be unplugged from the network or shut down (even if 
    >backups are available, sometimes bringing up a replacement system might 
    >take just too long or be extremely difficult because of specialized 
    >hardware availability).
    >
    
    On the other hand, if the mission critical system holds sensitive data 
    or controls sensitive processes, leaving it online implies allowing 
    continued exposure of those sensitive items.
    
    Probably obvious is the fact that leaving such a system online that is 
    subsequently used to compromise or otherwise adversely affect other 
    systems may expose one to a liability suit.
    
    Gary Flynn
    Security Engineer
    James Madison University
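
    The network-connection state that approach c) discards is the kind of 
    thing a responder captures before pulling the plug. As an added 
    illustration (not part of this thread, and not the authors' code), the 
    following script parses the Linux /proc/net/tcp table, which is volatile 
    kernel state that vanishes at power loss, decodes the hex endpoints, and 
    hashes the raw capture so the snapshot can be tied to a chain-of-custody 
    record. The table contents below are constructed sample lines, not a real 
    capture; the function names are this example's own.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass

# TCP socket states as the kernel encodes them in /proc/net/tcp (hex column "st").
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp: one sshd listener and one outbound
# session owned by uid 1000. Not taken from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18120 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:80E8 0500000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 24791 1 0000000000000000 20 4 30 10 -1
"""


@dataclass(frozen=True)
class Conn:
    local: str
    remote: str
    state: str
    uid: int
    inode: int


def _decode_endpoint(field: str) -> str:
    """Turn 'HEXADDR:HEXPORT' into 'a.b.c.d:port'.

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian hosts the bytes appear reversed; unpacking as '<I' restores
    dotted-quad order.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[Conn]:
    """Parse the text of /proc/net/tcp into Conn records, skipping the header."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated line; keep going, do not abort a capture
        conns.append(Conn(
            local=_decode_endpoint(fields[1]),
            remote=_decode_endpoint(fields[2]),
            state=TCP_STATES.get(fields[3], f"UNKNOWN({fields[3]})"),
            uid=int(fields[7]),
            inode=int(fields[9]),
        ))
    return conns


def snapshot(text: str) -> tuple[list[Conn], str]:
    """Return the parsed table plus a SHA-256 of the raw capture for the custody log."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    return parse_proc_net_tcp(text), digest


def established_remote(conns: list[Conn]) -> list[Conn]:
    """Sessions to non-loopback peers: the exposure that stays open while the box is online."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and not c.remote.startswith("127.")]


if __name__ == "__main__":
    # On a live Linux host you would read open("/proc/net/tcp").read() instead.
    conns, digest = snapshot(SAMPLE_PROC_NET_TCP)
    print(f"capture sha256={digest}")
    for c in conns:
        print(f"{c.state:<12} {c.local:<22} {c.remote:<22} uid={c.uid} inode={c.inode}")
    for c in established_remote(conns):
        print(f"open remote session: {c.local} <-> {c.remote}")
```

    Reading the pseudo-file is itself a form of tampering, since it changes the 
    access state of the live system, so the hash should be recorded alongside 
    the time and the command used rather than treated as a substitute for the 
    disk image taken afterwards.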
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


