
GROUND ZERO – WHAT YOU CAN DO


Notes:

DO NOT: browse through files on the compromised host. Opening a file updates its access time (atime), and once the original atimes are gone the examiner can no longer reconstruct when the intruder read or ran things.
CUSTODIAN: required to assure the integrity of the evidence through accountability for the chain of custody. A person from the victim organization should serve as evidence custodian.
OFF-LIMITS: unless doing so would be detrimental to the business or obvious to the intruder, cease normal activity on the system. If fingerprints would be useful to the case, physical access to the system should be off-limits until the latent-print examination has been performed. With any latent-print issues resolved, only forensic examiners (and, if the system is being left up to watch them, the intruder) should have access to the system.
COLLATE: gather every local and remote log you can think of, from the host itself and from the systems around it, before they rotate or are cleaned by the intruder.
PORTSCAN: port scan the host in the hope of identifying the service the intruder is using to get in. Caveat: if the services are TCP-wrapped, the wrappers log every connection attempt, so an intruder watching the logs will notice the scan.
CONTACT: a representative of the victim is the best contact designee; it is easier for the victim to talk to affected sites, especially foreign ones, than it is for law enforcement. The internal CERT or security department is the best place to start. Management should be made aware as well.
PACKING: forensic labs will want contact information, case information, the name of the equipment owner, the name of the perpetrator (if known), the examination types requested, where to return the equipment and the report, any other examinations performed prior to this one, and the timeframe/schedule.
If fingerprints are required, mark the package LATENT.
Make the package tamper evident.
Ship via USPS Registered Mail (if FedEx or UPS, record the tracking number) and save all receipts and paperwork.
STORAGE: ultimately, a low-traffic, camera-monitored, restricted-access room. @stake uses a low-traffic room (camera monitoring and card-reader access planned) with a classified-document container and an air-gapped network that provides SAN services, docking for evidence servers and mount points for hard disks. Various removable-media formats are supported and more will be added. CD-R writing is also provided, giving a combined evidence-locker and forensic-lab environment.
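The DO NOT, CUSTODIAN, COLLATE and tamper-evidence points above come together in the first minutes on a Unix host. The script below is an added example, not part of the original @stake slides: it snapshots the access/modification/change times of every file by reading metadata only (find never opens the files, so atimes survive), then copies the logs, then hashes everything collected and appends an entry to a custody log that the custodian can later verify. It assumes GNU find, sha256sum and date (Linux); the host tree, log lines and custodian name are constructed for the demonstration, and a real case would point ROOT at the suspect file system (ideally a read-only, noatime mount of its image).

```shell
#!/bin/sh
# Added example (not from the original slides). Assumes GNU coreutils/findutils.
set -eu

# 1. Snapshot MAC times for the whole tree by reading metadata only.
#    find -printf never opens the files, so their atimes are not disturbed.
#    Fields: atime mtime ctime size path (epoch seconds).
snapshot_times() {   # $1 = root to walk, $2 = output file
    find "$1" -xdev -printf '%A@ %T@ %C@ %s %p\n' | sort -k5 > "$2"
}

# 2. Copy the logs we want to collate. Copying READS the sources and therefore
#    updates their atime; that is why step 1 runs first and why the custody
#    log records the order in which things were done.
collect_logs() {     # $1 = source log dir, $2 = destination dir
    mkdir -p "$2"
    cp -p "$1"/* "$2"/
}

# 3. Hash everything collected into a manifest and append a custody entry
#    (UTC timestamp | custodian | action | hash of the manifest itself).
custody_entry() {    # $1 = evidence dir, $2 = custodian, $3 = custody log
    ( cd "$1" && find . -type f ! -name '*.sha256' -exec sha256sum {} + | sort -k2 ) \
        > "$1/MANIFEST.sha256"
    printf '%s | %s | collected %s | manifest %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$1" \
        "$(sha256sum "$1/MANIFEST.sha256" | cut -d' ' -f1)" >> "$3"
}

# Later check by the custodian (or the lab): exit 0 only if every collected
# file still matches the manifest.
verify_manifest() {  # $1 = evidence dir
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# Constructed sample host tree used for the demonstration (not real data).
build_sample() {     # $1 = base dir
    mkdir -p "$1/host/var/log" "$1/host/home/alice"
    printf 'Jan 10 03:12:07 victim sshd[4121]: Accepted password for root from 192.0.2.44 port 51820 ssh2\n' \
        > "$1/host/var/log/auth.log"
    printf 'Jan 10 03:13:40 victim kernel: device eth0 entered promiscuous mode\n' \
        > "$1/host/var/log/messages"
    printf 'ls -la /root\n' > "$1/host/home/alice/.bash_history"
}

# Run the three steps in order against the sample; prints the evidence dir.
run_case() {         # $1 = base dir (host tree and evidence both live here)
    build_sample "$1"
    ev="$1/evidence"
    mkdir -p "$ev"
    snapshot_times "$1/host" "$ev/mactimes.txt"
    collect_logs "$1/host/var/log" "$ev/logs"
    custody_entry "$ev" "jdoe (victim org, custodian)" "$1/custody.log"
    printf '%s\n' "$ev"
}

# Stand-alone demo: ./collect.sh demo
case "${1:-}" in
    demo)
        base=$(mktemp -d)
        ev=$(run_case "$base")
        cat "$base/custody.log"
        verify_manifest "$ev" && echo "manifest OK: $ev"
        ;;
esac
```

The manifest hashes the copies, not the live files, so verifying it later does not touch the original host; if the package is opened in transit and a log altered, verify_manifest fails and the custody log shows who held the evidence when.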