De Velopment wrote:
> Hello Omar,
>
> On 27 Mar 2003, Omar Herrera wrote:
>
>> I was looking for documentation available discussing circumstances where
>> each of the following approaches is better:
>>
>> a) leave the system online/plugged to the network -> online
>> investigation
>> b) unplug the system from network and shutdown -> offline forensics
>> c) unplug the system from network and unplug from power source ->
>> offline forensics
>
> I would like to suggest a fourth option: Unplugging the Ethernet cable
> from the system itself, but leaving it on, at least for a bit. This is,
> of course, safer than option a) above, since it will put an immediate

I would even suggest some other models to save the most possible information:

If it is a system-critical machine, unplug the network cable; otherwise just sniff all traffic to this IP (or, if paranoid, MAC address) for a while. Copy all volatile information (network state, routing info, process listings, open files, etc.) using statically compiled trusted binaries from a CD-ROM to a remote computer (do not log this traffic!) and then switch it off to do all the other forensics you want to do.

To do this I suggest preparing:

1. a CD-ROM with statically compiled forensic binaries
2. scripts to grab all volatile information:
   a) as normal user
   b) as root (on Unix) user for all information gathering that needs root privileges
3. a rescue system with forensic tools (may be the CD above)
4. a lot of time ;-)

I would also include a portscan (TCP and UDP) to check for differences in the output of netstat and real open ports.

Keep us informed about your paper, I would like to read it!

bye
Pierre

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
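The collection step and the netstat-versus-portscan comparison from the reply above, as an added example (not code from any poster in this thread): it assumes trusted static binaries on a CD-ROM mounted at a hypothetical $TRUSTED_BIN, an output directory $OUT_DIR that is shipped to a collector afterwards, and a scanner result file of constructed "port/proto" lines produced on a separate machine.

```shell
#!/bin/sh
# Volatile-data helpers, written as an added example for this thread (not the
# posters' code). Constructed assumptions: statically linked trusted binaries
# are mounted at $TRUSTED_BIN, results go to $OUT_DIR for later shipping, and
# the external scan result is a plain list of "port/proto" lines.
LC_ALL=C; export LC_ALL
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
OUT_DIR="${OUT_DIR:-/tmp/volatile.$$}"

# Run one command using only the trusted binaries (PATH is restricted to the
# CD-ROM so a trojaned /bin/ps or /bin/netstat is never used) and save its output.
collect() {
    label="$1"; shift
    mkdir -p "$OUT_DIR"
    if [ -x "$TRUSTED_BIN/$1" ]; then
        PATH="$TRUSTED_BIN" "$@" > "$OUT_DIR/$label.txt" 2>&1
    else
        echo "trusted binary $1 not found in $TRUSTED_BIN" > "$OUT_DIR/$label.txt"
    fi
    echo "$OUT_DIR/$label.txt"
}

# Extract "port/proto" for every listening socket from saved "netstat -an" output
# (TCP sockets in LISTEN state, UDP sockets bound with a wildcard peer).
listening_ports() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /\*$/) {
             n = split($4, a, ":"); print a[n] "/" substr($1, 1, 3) }' "$1" | sort -u
}

# Ports an external scan found open that the host's own netstat did not report:
# a hidden listener means the system's view of itself cannot be trusted.
hidden_ports() {
    local_list=$(mktemp); scan_list=$(mktemp)
    listening_ports "$1" > "$local_list"
    sort -u "$2" > "$scan_list"
    comm -13 "$local_list" "$scan_list"
    rm -f "$local_list" "$scan_list"
}

# Typical order on the suspect host (cable already pulled or traffic sniffed):
# gather the most short-lived state first, then ship $OUT_DIR off the box.
collect_all() {
    collect date    date
    collect netstat netstat -an
    collect routes  netstat -rn
    collect procs   ps auxww
    collect files   lsof -n
}
```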
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 19:12:35 PST