Notes:

CUSTODIAN:
Identify, designate or become the evidence custodian such that a chain of custody is observed, maintained and documented.
JOURNAL:
Notebook + liberal usage of script(1).
SNIFFER:
Determine when the attacker attacks
Determine where the attacker goes
md5(1)-stamp logs as they are archived
BACKDOORS:
Scan the host and sniff against Backdoor Common Ports List
Some backdoors may also be found during log analysis by the absence of entries in the log files collected by TCT’s grave-robber(1).
DISK COPY:
During a large window of time when the intruder is not present; consider an intentional Internet or modem outage.
Use dd(1) with cryptcat(1) to transfer the image to the evidence server for analysis with lazarus(1) and strings(1).
NETWORK INFO:
collected by grave-robber(1), results tar(1)’d and cryptcat(1)’d to evidence server.
PROCESS AND FILES:
collected by grave-robber(1), results tar(1)’d and cryptcat(1)’d to evidence server.
CONFIGURATION INFORMATION:
collected by grave-robber(1), results tar(1)’d and cryptcat(1)’d to evidence server.
RECEIPT OF DATA:
grave-robber(1) runs md5(1) automatically to build checksums of the collected data, and a checksum of the checksums.
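One way to script the receipt-of-data step by hand (md5 stamps for each collected file plus a checksum of the checksum file, so the custodian can re-verify the evidence later), as an added example that is not from the original notes or from TCT; it assumes md5sum(1) (GNU) or md5(1) (BSD) is installed and that the evidence files have already been transferred to the evidence server:

```shell
#!/bin/sh
# Added example: stamp collected evidence with md5 checksums and a checksum of
# the checksums, then re-verify. Assumes md5sum(1) or md5(1) is available.

md5_of() {
    # Print the md5 hex digest of the file named in $1 with whichever tool exists.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

stamp_evidence() {
    # $1: directory of collected evidence; $2: manifest file to write.
    # Writes one "digest  path" line per file into $2, then the digest of the
    # manifest itself (the checksum of the checksums) into $2.md5.
    dir=$1; manifest=$2
    : > "$manifest"
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f" >> "$manifest"
    done
    md5_of "$manifest" > "$manifest.md5"
}

verify_evidence() {
    # $1: manifest file. Returns 0 when the manifest's own digest still matches
    # and every listed file still has its recorded digest; 1 on any mismatch,
    # which means the evidence or its receipt record has changed since stamping.
    manifest=$1
    [ "$(md5_of "$manifest")" = "$(cat "$manifest.md5")" ] || return 1
    while read -r digest path; do
        [ "$(md5_of "$path")" = "$digest" ] || return 1
    done < "$manifest"
    return 0
}
```

Keep the manifest and its .md5 file in the custodian's journal alongside the date, host and operator, since the checksum of the checksums is only useful if that value is recorded somewhere the intruder could not alter.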