
List:       sg-dc
Subject:    RE: [sg-dc] Forensics procedures
From:       "St. Clair, James" <JStClair () vredenburg ! com>
Date:       2003-06-12 13:29:07
[Download RAW message or body]

 Jim,

From a technical perspective the box does NOT necessarily have to be
removed. 

If you believe the compromise is "done", the box can be mirrored on site
with a forensic tool kit and a certified original copy can be made for
evidence. The box will have to be taken down for a brief period to have this
done. Conversely, the whole HDD can be swapped out for a fresh one, and the
original retained. These are parameters you will work to set in conjunction
with the real owners and your forensics team.

If the compromise is still ongoing (i.e. it has been exploited and is now in
use for hack tools or file storage, etc.) you can also install a honey pot
for evidence capture for some specified period, as well.

Hope this helps.
Jim
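
The on-site mirroring step described in the reply above, as an added example
that is not part of either message in this thread: image the disk with dd,
hash both source and image so the copy can be shown to match the original,
record the result in a custody log, and re-check the evidence copy later.
The disk is a constructed 4 MiB file standing in for the compromised host's
drive, and the paths and log format are assumptions for this demonstration;
dd and sha256sum are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): verifiable forensic imaging with a
# hash record, so the evidence copy can be shown to match the original.
set -eu

# Build a deterministic stand-in for the seized disk (constructed data, 4 MiB)
# so the example runs offline and never touches real hardware.
make_sample_disk() {
    disk="$1"
    yes "sample-disk-block" | head -c 4194304 > "$disk"
}

# Copy the source block-for-block, hash source and image, append a custody
# record. Prints VERIFIED (hashes match) or MISMATCH, with exit status 0/1.
# conv=noerror,sync keeps going past read errors and zero-pads a short block
# so offsets in the image line up with the source. Note that padding also
# applies to a final short block, so a source whose size is not a multiple
# of bs would hash differently from its image; 4 MiB is a multiple of 4096.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src"
        echo "image:    $img"
        echo "sha256 source: $src_hash"
        echo "sha256 image:  $img_hash"
    } >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED"; return 0
    else
        echo "MISMATCH"; return 1
    fi
}

# Later integrity check of the retained copy against the recorded hash.
# Prints INTACT if the image still hashes as logged, TAMPERED otherwise.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep 'sha256 image:' "$log" | tail -n 1 | awk '{print $3}')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        echo "INTACT"; return 0
    else
        echo "TAMPERED"; return 1
    fi
}

# Stand-alone run: image the constructed disk, then re-verify the copy.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/disk.raw"
    image_and_verify "$work/disk.raw" "$work/evidence.dd" "$work/custody.log"
    verify_image "$work/evidence.dd" "$work/custody.log"
fi
```

The hash pair in the custody log is what lets the image stand in for the
original later; the second function is the check to run whenever the copy
changes hands, since any alteration of the evidence file shows up as a
hash mismatch.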



-----Original Message-----
From: Jim Anderson
To: sg-dc@securitygeeks.com
Sent: 6/11/2003 8:13 PM
Subject: [sg-dc] Forensics procedures


If my server gets rooted, and the (real) owners of the box
want to track down the bad guys and press charges, how likely
is it that the forensics folks will want to physically take
the box out of the server room to do their voodoo on it?
Or is it more likely that they'll collect their evidence on site
without taking the box with them?  How much time does this
process normally take?  What normally happens during this process?

Thanks.


__________________________________
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com

_______________________________________________
sg-dc mailing list
sg-dc@securitygeeks.com
http://securitygeeks.shmoo.com/mailman/listinfo/sg-dc

