Omar Herrera wrote:

> I was looking for documentation available discussing circumstances where
> each of the following approaches is better:
>
> a) leave the system online/plugged to the network -> online investigation
> b) unplug the system from network and shutdown -> offline forensics
> c) unplug the system from network and unplug from power source -> offline forensics
>
> It can be argued that with any of these approaches you potentially lose
> or alter evidence in some way; usually, approach c) is considered best in
> procedures as it freezes the hard disk and makes impossible further
> tampering (network connection information and data in volatile memory not
> written to disk would be lost however).

There may also be the possibility of power-fail subroutines executing as the power is lost, performing some unknown action. I'm not sure about new systems, but older systems I remember had several hundred milliseconds of DC carry-over after AC was removed, and I believe I recall specific bus signals used for power-fail interrupt routines.

> Approach a) is sometimes
> necessary, for example, if there is an incident with a mission critical
> system that cannot be unplugged from the network or shut down (even if
> backups are available, sometimes bringing up a replacement system might
> take just too long or be extremely difficult because of specialized
> hardware availability).

On the other hand, if the mission critical system holds sensitive data or controls sensitive processes, leaving it online implies allowing continued exposure of those sensitive items. Probably obvious is the fact that leaving such a system online that is subsequently used to compromise or otherwise adversely affect other systems may expose one to a liability suit.

Gary Flynn
Security Engineer
James Madison University

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Mar 29 2003 - 10:57:07 PST