Thanks for your comments,

> > I was looking for documentation available discussing circumstances where
> > each of the following approaches is better:
> >
> > a) leave the system online/plugged to the network -> online
> > investigation
> > b) unplug the system from network and shutdown -> offline forensics
> > c) unplug the system from network and unplug from power source ->
> > offline forensics
>
> I would like to suggest a fourth option: Unplugging the Ethernet cable
> from the system itself, but leaving it on, at least for a bit. This is,
> of course, safer than option a) above, since it will put an immediate
> stop to any attacks the system might have been making to others. Also,
> it MIGHT allow one to see what processes are running, though, like with
> option a) above, the commands, on the system itself, could be trojaned.

Connecting some kind of honeypot replacing the compromised system (or simply
any system with a sniffer and the same IP address) could also give
information; connection retries might take place and they could be recorded.

> Rather than when an individual option is appropriate, the question may
> be better asked, which option should be started with, as I submit that
> the offline backup and forensics need to be done in any case where
> getting answers is important. In cases likely to go to court, option
> c), right away, might be appropriate, to eliminate "tampering with
> evidence" defenses. (I am not a lawyer, however).

Still, the call should be made by the company owning the system, and with a
person with an appropriate level of authority within it, unless you are
forced to do formal forensics by law... maybe some government institutions
have to (in some cases).

Best regards,
Omar

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
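Omar's suggestion of standing a listener in at the compromised host's old address and recording the connection retries that arrive is easy to prototype. The script below is an added example, not code from the thread or from SecurityFocus: a passive TCP recorder that accepts each inbound connection, notes who came, which port they wanted and the first bytes they sent, then closes without ever replying. The `ConnectionRecorder` class, the `_knock` helper and the `demo()` walk-through are all hypothetical names; the demo binds loopback ports chosen by the OS and fires three constructed connection attempts at itself so it runs offline. On a real stand-in host you would bind the victim's former IP (which that host must have been assigned) and the ports the victim used to serve.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class ConnectionRecord:
    """One inbound connection attempt seen by the stand-in host."""
    ts: float           # when the connection was accepted
    src_ip: str         # who tried to reach the (now replaced) victim
    src_port: int
    dst_port: int       # which service on the old address they wanted
    first_bytes: bytes  # what they sent before we closed, if anything


class ConnectionRecorder:
    """Passive listener (hypothetical helper): accept, record, close.
    It never answers, so it only logs who knocks and what they send first."""

    def __init__(self, bind_ip="127.0.0.1", ports=(0,)):
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._threads = []
        self._listeners = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_ip, port))   # port 0 = let the OS pick (demo only)
            s.listen(16)
            s.settimeout(0.2)         # so the accept loop can notice stop()
            self._listeners.append(s)

    @property
    def ports(self):
        return [s.getsockname()[1] for s in self._listeners]

    def start(self):
        for s in self._listeners:
            t = threading.Thread(target=self._serve, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)

    def _serve(self, listener):
        dst_port = listener.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (ip, port) = listener.accept()
            except socket.timeout:
                continue
            conn.settimeout(0.5)
            try:
                data = conn.recv(64)    # first bytes only; we never reply
            except (socket.timeout, OSError):
                data = b""
            finally:
                conn.close()
            with self._lock:
                self.records.append(
                    ConnectionRecord(time.time(), ip, port, dst_port, data))

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self._listeners:
            s.close()

    def retries(self):
        """Attempts per (source IP, destination port): repeated hits on one
        port from one source are the retries the post says to record."""
        counts = {}
        with self._lock:
            for r in self.records:
                key = (r.src_ip, r.dst_port)
                counts[key] = counts.get(key, 0) + 1
        return counts


def _knock(port, payload=b""):
    """Constructed peer for the demo: connect to loopback, send, hang up."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        if payload:
            c.sendall(payload)


def demo():
    """Stand in on two loopback ports, take three constructed attempts and
    return ((web_port, other_port), retry counts, sorted first payloads)."""
    rec = ConnectionRecorder(ports=(0, 0))
    rec.start()
    web, other = rec.ports                 # read before stop() closes sockets
    _knock(web, b"GET / HTTP/1.0\r\n\r\n")
    _knock(web, b"GET / HTTP/1.0\r\n\r\n")  # the retry
    _knock(other)                           # connect only, no data
    deadline = time.time() + 5
    while len(rec.records) < 3 and time.time() < deadline:
        time.sleep(0.05)
    rec.stop()
    payloads = sorted(r.first_bytes for r in rec.records)
    return (web, other), rec.retries(), payloads


if __name__ == "__main__":
    _, counts, _ = demo()
    for (ip, port), n in sorted(counts.items()):
        print(f"{ip} -> :{port}  {n} attempt(s)")
```

Because the recorder completes the TCP handshake, it only sees connections that get that far; a packet sniffer on the same host (the other variant Omar mentions) additionally captures bare SYNs, UDP and ICMP, so in practice you would run both and keep the sniffer's capture file as the primary record. Timestamps are taken from the stand-in host's own clock, which should be synchronised before it is put in place so the records line up with the firewall and IDS logs they will be compared against.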
This archive was generated by hypermail 2b30 : Sun Mar 30 2003 - 07:31:15 PST