RE: The "unplug the cord" dilemma

From: Omar Herrera (oherreraat_private)
Date: Sun Mar 30 2003 - 05:57:12 PST


    Thanks for your comments,
    
    > > I was looking for documentation available discussing circumstances where
    > > each of the following approaches is better:
    > >
    > >    a) leave the system online/plugged to the network -> online investigation
    > >    b) unplug the system from network and shutdown -> offline forensics
    > >    c) unplug the system from network and unplug from power source -> offline forensics
    > 
    > I would like to suggest a fourth option:  Unplugging the Ethernet cable
    > from the system itself, but leaving it on, at least for a bit.  This is,
    > of course, safer than option a) above, since it will put an immediate
    > stop to any attacks the system might have been making to others.  Also,
    > it MIGHT allow one to see what processes are running, though, like with
    > option a) above, the commands, on the system itself, could be trojaned.
    > 
    
    Connecting some kind of honeypot replacing the compromised system (or
    simply any system with a sniffer and the same IP address) could also give
    information; connection retries might take place and they could be
    recorded.
    
    > Rather than when an individual option is appropriate, the question may
    > be better asked, which option should be started with, as I submit that
    > the offline backup and forensics need to be done in any case where
    > getting answers is important.  In cases likely to go to court, option
    > c), right away, might be appropriate, to eliminate "tampering with
    > evidence" defenses.  (I am not a lawyer, however).
    
    Still, the call should be made by the company owning the system and by
    a person with an appropriate level of authority within it, unless you are
    forced to do formal forensics by law... maybe some government
    institutions have to (in some cases).
    
    Best regards,
    
    Omar
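As an added illustration of the stand-in host idea discussed in this message (not code from the original post or its author): a passive listener that takes the compromised host's former IP address on an isolated segment, accepts inbound connections on the ports that host used to offer, records who tried, and never answers. The port list and addresses are assumed values for the example.

```python
"""Passive connection logger: stand in for a disconnected host and record who
still tries to reach it. Assumed setup: the listener is bound to the former IP
address of the compromised host on an isolated segment (constructed example)."""
import datetime
import selectors
import socket
from collections import Counter

# Ports the compromised host used to offer (assumed values for illustration).
LISTEN_PORTS = [22, 80, 443, 6667]


def record_attempt(log, peer_ip, peer_port, local_port, first_bytes, when=None):
    """Append one inbound attempt; the connection is closed after the first read."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    entry = {
        "time": when.isoformat(),
        "src": peer_ip,
        "sport": peer_port,
        "dport": local_port,
        "data": first_bytes[:64].hex(),  # first bytes sent, e.g. a banner or beacon
    }
    log.append(entry)
    return entry


def summarize(log):
    """Count attempts per (source IP, destination port) so retry patterns stand out."""
    return Counter((e["src"], e["dport"]) for e in log)


def serve(bind_ip, ports=LISTEN_PORTS, log=None, max_attempts=None):
    """Accept connections on the given ports, log them, and never reply."""
    log = [] if log is None else log
    sel = selectors.DefaultSelector()
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(16)
        sel.register(srv, selectors.EVENT_READ, port)
    while max_attempts is None or len(log) < max_attempts:
        for key, _ in sel.select(timeout=1.0):
            conn, (ip, sport) = key.fileobj.accept()
            conn.settimeout(2.0)
            try:
                data = conn.recv(64)  # peek at whatever the client sends first
            except OSError:  # timeout or reset: still worth logging the attempt
                data = b""
            finally:
                conn.close()
            record_attempt(log, ip, sport, key.data, data)
    return log
```

Run `serve("192.0.2.10")` (an assumed address) on the isolated segment; `summarize(log)` then shows which sources keep retrying and on which ports.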
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Sun Mar 30 2003 - 07:31:15 PST