Re: The "unplug the cord" dilemma

From: pspielmannat_private
Date: Tue Apr 01 2003 - 02:08:11 PST

    De Velopment wrote:
    > Hello Omar,
    > 
    > On 27 Mar 2003, Omar Herrera wrote:
    > 
    > 
    >>I was looking for documentation available discussing circumstances where
    >>each of the following approaches is better:
    >>
    >>   a) leave the system online/plugged to the network -> online
    >>investigation
    >>   b) unplug the system from network and shutdown -> offline forensics
    >>   c) unplug the system from network and unplug from power source ->
    >>offline forensics
    > 
    > 
    > I would like to suggest a fourth option:  Unplugging the Ethernet cable
    > from the system itself, but leaving it on, at least for a bit.  This is,
    > of course, safer than option a) above, since it will put an immediate
    
    I would even suggest some other models to save the most information 
    possible:
    
    If it is a system-critical machine, unplug the network cable; otherwise 
    just sniff all traffic to this IP (or, if paranoid, MAC address) for a 
    while. Copy all volatile information (network state, routing info, 
    process listings, open files, etc.) using statically compiled trusted 
    binaries from a CD-ROM to a remote computer (do not log this traffic!) 
    and then switch it off to do all the other forensics you want to do.
    
    To do this I suggest preparing
    1. a CD-ROM with statically compiled forensic binaries
    2. scripts to grab all volatile information:
        a) as a normal user
        b) as root (on Unix) for all information gathering that needs 
    root privileges
    3. a rescue system with forensic tools (maybe the CD from above)
    4. a lot of time ;-)
    
    I would also include a port scan (TCP and UDP) to check for differences 
    between the output of netstat and the ports that are really open.
    
    Keep us informed about your paper, I would like to read it!
    
    bye
    Pierre
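
    The procedure Pierre sketches above, written out as a script. This is an
    added example for this archive page, not code from the original thread or
    from any of its authors. It assumes (none of this is in the post) that the
    forensic CD is mounted at /mnt/cdrom with its static binaries in
    /mnt/cdrom/bin, that the collector box 10.0.0.2 is listening with
    "nc -l -p 9999 > host.volatile", and that the port scan from another host
    was saved as "nmap -oG". The netstat and nmap lines used in the demo are
    constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): collect volatile data with
# trusted static binaries from a forensic CD, ship it to a remote collector,
# and compare netstat's view of listening ports with a scan taken from
# another host. Assumed (not in the post): CD binaries in /mnt/cdrom/bin,
# collector 10.0.0.2 listening with "nc -l -p 9999", scan saved as "nmap -oG".
LC_ALL=C; export LC_ALL
CD_BIN="${CD_BIN:-/mnt/cdrom/bin}"
COLLECTOR_HOST="${COLLECTOR_HOST:-10.0.0.2}"
COLLECTOR_PORT="${COLLECTOR_PORT:-9999}"

# Run a command only if it exists on the CD. A rootkit replaces /bin/ps,
# /bin/netstat, /bin/ls; nothing on the suspect's own disk is trusted.
trusted() {
    if [ -x "$CD_BIN/$1" ]; then
        bin="$CD_BIN/$1"; shift
        PATH="$CD_BIN" "$bin" "$@"     # child sees only the CD in PATH as well
    else
        echo "REFUSED: $1 is not in $CD_BIN" >&2; return 1
    fi
}

# Most volatile first: network state, then processes and open files.
# Output goes to stdout so it can be piped off-box, never to the local disk.
collect_volatile() {
    for cmd in "date" "uptime" "netstat -anp" "netstat -rn" "arp -an" \
               "ifconfig -a" "ps auxww" "lsof -n -P" "w" "last -a" \
               "cat /proc/modules" "mount"; do
        echo "### $cmd ###"
        trusted $cmd 2>&1 || true      # keep going if a tool is missing
    done
}

# Stream the collection to the collector with the CD's own netcat.
# Keep this flow out of the sniffer, e.g. tcpdump 'not (host 10.0.0.2 and port 9999)'.
ship_volatile() {
    collect_volatile | trusted nc -w 3 "$COLLECTOR_HOST" "$COLLECTOR_PORT"
}

# "proto/port" for every TCP LISTEN socket and every UDP socket in "netstat -an".
netstat_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print "tcp/" a[n] }
         $1 ~ /^udp/                    { n = split($4, a, ":"); print "udp/" a[n] }' | sort -u
}

# "proto/port" for every open (or open|filtered, typical for UDP) port in "nmap -oG" output.
scan_ports() {
    sed -n 's/.*Ports: //p' | tr ',' '\n' | sed 's/^ *//' |
        awk -F/ '$2 ~ /^open/ { print $3 "/" $1 }' | sort -u
}

# Ports seen open from the network that the host's own netstat does not report:
# exactly the discrepancy a trojaned netstat or a kernel rootkit produces.
# usage: hidden_ports <netstat -an output file> <nmap -oG output file>
hidden_ports() {
    ns=$(mktemp); sc=$(mktemp)
    netstat_ports < "$1" > "$ns"
    scan_ports    < "$2" > "$sc"
    comm -13 "$ns" "$sc"               # lines present only in the scan
    rm -f "$ns" "$sc"
}

# Constructed sample data: netstat shows ssh, a loopback MTA and ntp; the scan
# additionally sees tcp/31337, which netstat never mentions.
demo_hidden_ports() {
    nsf=$(mktemp); scf=$(mktemp)
    cat > "$nsf" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0     52 10.0.0.5:22             10.0.0.2:40112          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
    printf '# Nmap (constructed sample)\nHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 123/open|filtered/udp//ntp///, 31337/open/tcp//Elite///\n' > "$scf"
    hidden_ports "$nsf" "$scf"
    rm -f "$nsf" "$scf"
}

case "${1:-}" in
    collect) ship_volatile ;;          # run as root on the suspect host
    demo)    demo_hidden_ports ;;      # prints tcp/31337
esac
```

    Two caveats a practitioner would add. First, "netstat -p" and "lsof" only
    show everything when run as root, which is Pierre's point 2b. Second, a
    static netstat from the CD still asks the running kernel for its socket
    table, so a kernel-level rootkit hides from it just as well as from the
    trojaned copy on disk; the comparison against a scan from a second host is
    what catches that case, which is why the scan belongs in the procedure.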
    
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 19:12:35 PST