>>> Omar Herrera <oherreraat_private> 27/03/03 11:34 >>> >--> My US$ 0,01 here... I was looking for documentation available discussing circumstances where each of the following approaches is better: a) leave the system online/plugged to the network -> online investigation >--> There is a price here, the risk of more compromise to logs and other logical evidence, as even by natural (trusted) system use logs could be 'rotated' depending on the day/hour of the attack. But could be the only way to collect vital information (e.g. ongoing TCP connections with a tcpdump) if that data is not written to disk (but disk records are prone to tampering!). b) unplug the system from network and shutdown -> offline forensics >--> The best approach if you are going to examine it "post-mortem", i.e., it is not anymore under attack, but some evidence must be collected while the system is being attacked, e.g. netstat -Aan to show ongoing connections or fuser to see which files are open. Anyway if you suspect there are in-disk evidence this is the best way to secure it (you could collect files and logs in a tamper-proof medium for further examination). c) unplug the system from network and unplug from power source -> offline forensics >--> This option is OK if you are going to investigate physical/electrical damage (e.g. system tampering and/or defective hardware) but obviously no logs, no connections, no corrupted files to examine. But you must choose carefully the moment to shut down the computer, and you must be sure the attack has really ceased and in-disk information has not been tampered before you shut it down, in order to preserve evidences. It can be argued that with any of these approaches you potentially loose or alter evidence in some way; usually, approach c) is considered best in procedures as it freezes the hard disk and makes impossible further tampering (network connection information and data in volatile memory not written to disk would be lost however). Approach a) is sometimes necessary , for example, if there is an incident with a mission critical system that cannot be unplugged from the network or shut down (even if backups are available, sometimes bringing up a replacement system might take just too long or be extremely difficult because of specialized hardware availability). >--> Agree with your comments. I intend to write a paper on the matter including a list of situations where each approach is better suited but I want to include as well legal implications for each approach (legal requirements from different countries are welcome) and also recommended procedures for each approach (for example, in an online investigation you might still use trusted binaries saved on a floppy or cdrom rather than system binaries; if the kernel was tampered with this might be of no use though). Finally, I was dreaming of a system which had a kind of ôforensic hibernation modeö; currently IÆm not aware of a system with this capability (that would preserve memory an network connection sate while freezing hard disks and, at the same time, being easy to do forensics on it). If there is still no work in progress on this kind of systems I would also like to discuss requirements for a standard that would allow computer makers to include this capability on computer systems. All feedback, comments and suggestions will be greatly appreciated. Regards, Omar Herrera ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 19:09:28 PST