Hello Omar,

On 27 Mar 2003, Omar Herrera wrote:

> I was looking for documentation available discussing circumstances where
> each of the following approaches is better:
>
> a) leave the system online/plugged to the network -> online
> investigation
> b) unplug the system from network and shutdown -> offline forensics
> c) unplug the system from network and unplug from power source ->
> offline forensics

I would like to suggest a fourth option: unplugging the Ethernet cable from the system itself, but leaving it on, at least for a bit.

This is, of course, safer than option a) above, since it will put an immediate stop to any attacks the system might have been making on others. Also, it MIGHT allow one to see what processes are running, though, as with option a) above, the commands on the system itself could be trojaned.

Rather than asking when an individual option is appropriate, the question may be better asked as which option should be started with, since I submit that the offline backup and forensics need to be done in any case where getting answers is important.

In cases likely to go to court, option c), right away, might be appropriate, to eliminate "tampering with evidence" defenses. (I am not a lawyer, however.)

Good luck and best regards,

Ken Parker

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
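The caveat in the reply above (the on-host commands you would use to list processes under the "unplug the cable, leave it on" option may themselves be trojaned) is the usual argument for carrying in your own toolkit. The following is an added example, not code from the original post or from the list; it assumes a hash manifest in `sha256sum -c` format prepared earlier from a known-clean build of the same system, and a trusted toolkit directory (for instance statically linked binaries on read-only media). `verify_tools` flags any host binary whose hash differs from the manifest before you rely on its output, and `collect_volatile` runs a fixed command set only from the trusted toolkit, writing a hash list of the captured files so the collection can later be shown to be unaltered. The command names and output layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Two steps of a cautious
# live response after pulling the network cable:
#   1. check the host's own binaries against a known-good hash manifest
#   2. collect volatile data using only a trusted toolkit directory
# Manifest format, toolkit layout and command list are assumptions.

# hash_file FILE -> prints the SHA-256 of FILE (sha256sum or shasum fallback)
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_tools MANIFEST ROOT
#   MANIFEST: lines of "<sha256>  <path relative to ROOT>", built earlier
#   on a known-clean system of the same build (assumed format).
#   Prints "MISMATCH <path>" for every tool whose hash differs or that is
#   missing. Returns 0 only if every listed tool matches.
verify_tools() {
  manifest=$1
  root=$2
  status=0
  while read -r expected path; do
    [ -n "$expected" ] || continue
    if [ -f "$root/$path" ]; then
      actual=$(hash_file "$root/$path")
    else
      actual=missing
    fi
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $path"
      status=1
    fi
  done < "$manifest"
  return $status
}

# collect_volatile TOOLDIR OUTDIR
#   Runs a fixed set of commands using only binaries under TOOLDIR (the
#   trusted toolkit), writing each output to OUTDIR. A command the toolkit
#   does not ship is recorded as unavailable rather than silently run from
#   the suspect host. Finishes by hashing every captured file into
#   OUTDIR/SHA256SUMS and prints that manifest's path.
collect_volatile() {
  tooldir=$1
  outdir=$2
  mkdir -p "$outdir"
  for cmd in "date" "ps -ef" "netstat -an" "who"; do
    name=$(echo "$cmd" | cut -d' ' -f1)
    # invoke the toolkit copy by explicit path, with PATH pinned to the
    # toolkit so anything it spawns cannot fall back to host binaries
    PATH="$tooldir" "$tooldir/$name" ${cmd#"$name"} > "$outdir/$name.txt" 2>&1 \
      || echo "command $name unavailable in toolkit" >> "$outdir/errors.txt"
  done
  : > "$outdir/SHA256SUMS"
  for f in "$outdir"/*.txt; do
    printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$outdir/SHA256SUMS"
  done
  echo "$outdir/SHA256SUMS"
}
```

In practice OUTDIR would sit on external media, not the suspect disk, and the SHA256SUMS file would be copied off and recorded (for example by e-mailing or printing its contents) as soon as the collection finishes, so that the offline image and backup the reply says must follow anyway can be reconciled with what was seen while the machine was still up.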
This archive was generated by hypermail 2b30 : Sun Mar 30 2003 - 07:29:40 PST