Incident Response What the Pros Do
Identify, designate or become the evidence custodian
Review any journal of what has been done to the system already and how the intrusion was detected
Start or maintain existing journal
Install a sniffer
Backdoors
If possible without rebooting, make two byte-by-byte copies of the physical disk
Capture network info
Capture process listings and open files
Capture configuration information to disk and notes
Receipt and signing of data
Notes:
CUSTODIAN:
Identify, designate or become the evidence custodian such that a chain of custody is observed, maintained and documented.
JOURNAL:
Notebook plus liberal use of script(1), so that every command typed on the system, and its output, is captured with a timestamp.
SNIFFER:
Determine when the attacker attacks.
Determine where the attacker goes.
md5(1)-stamp the sniffer logs as they are archived.
BACKDOORS:
Scan the host, and sniff its traffic, against the Backdoor Common Ports List.
Some backdoors may also be found during log analysis by the absence of expected entries in the log files collected by TCT's grave-robber(1).
DISK COPY:
Do this during a large window of time when the intruder is not present; consider an intentional Internet or modem outage to guarantee it.
Use dd(1) piped through cryptcat(1) to transfer the image to the evidence server, where it is analysed with lazarus(1) and strings(1).
NETWORK INFO:
Collected by grave-robber(1); results tar(1)'d and cryptcat(1)'d to the evidence server.
PROCESS AND FILES:
Collected by grave-robber(1); results tar(1)'d and cryptcat(1)'d to the evidence server.
CONFIGURATION INFORMATION:
Collected by grave-robber(1); results tar(1)'d and cryptcat(1)'d to the evidence server.
RECEIPT OF DATA:
Use of md5(1), run automatically by grave-robber(1), to build checksums of everything collected and a checksum of the checksums file. Record those checksums in the journal when the evidence server receives the data, so later tampering with either the evidence or the checksum file is detectable.
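The DISK COPY and RECEIPT OF DATA steps above, as an added shell example that is not part of the original slides or of TCT: it makes two byte-by-byte dd(1) images of a device, checks that they agree, builds an MD5 manifest over every evidence file in the directory (images, sniffer logs, tar'd grave-robber output alike) plus a checksum of the manifest itself, and shows the cryptcat(1) leg to the evidence server. It uses GNU md5sum(1) where the slides say md5(1); the device path, evidence host, port and key are placeholders, and the sample "disk" is a constructed random file.

```shell
#!/bin/sh
# Added example, not from the original slides or TCT. Assumes GNU coreutils
# (dd, md5sum, find) and, for send_image only, cryptcat on both ends.
set -eu

# Make two byte-by-byte images of device $1 into directory $2.
# Returns 0 only if both images hash identically.
image_twice() {
    src=$1; dir=$2
    mkdir -p "$dir"
    for n in 1 2; do
        # bs=512 keeps the copy sector-granular; conv=noerror continues past
        # unreadable sectors (note the offsets dd reports in the journal).
        dd if="$src" of="$dir/image$n.dd" bs=512 conv=noerror 2>/dev/null
    done
    h1=$(md5sum "$dir/image1.dd" | cut -d' ' -f1)
    h2=$(md5sum "$dir/image2.dd" | cut -d' ' -f1)
    [ "$h1" = "$h2" ]
}

# Write MD5SUMS over every evidence file in $1, then MD5SUMS.md5 over the
# manifest itself: the "checksum of the checksums".
build_manifest() {
    dir=$1
    ( cd "$dir" \
      && find . -type f ! -name 'MD5SUMS*' -exec md5sum {} + > MD5SUMS \
      && md5sum MD5SUMS > MD5SUMS.md5 )
}

# Verify the manifest first, then the evidence against it. Returns non-zero
# if either the manifest or any evidence file has changed since receipt.
verify_manifest() {
    dir=$1
    ( cd "$dir" \
      && md5sum -c --status MD5SUMS.md5 \
      && md5sum -c --status MDSUMS_placeholder 2>/dev/null || md5sum -c --status MD5SUMS )
}

# Ship an image to the evidence server over cryptcat(1) (netcat with Twofish).
# The evidence host runs the listener first:
#   cryptcat -k "$KEY" -l -p 4444 > image1.dd
# Host, port and key are placeholders; this function is not exercised offline.
send_image() {
    img=$1; host=$2; port=$3; key=$4
    dd if="$img" bs=512 | cryptcat -k "$key" "$host" "$port"
}

# Stand-alone demo on a constructed 10 KiB "disk": ./script.sh demo
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.img" bs=512 count=20 2>/dev/null
    image_twice "$tmp/disk.img" "$tmp/evidence"
    build_manifest "$tmp/evidence"
    verify_manifest "$tmp/evidence" && echo "evidence verified in $tmp/evidence"
}

case "${1:-}" in demo) demo ;; esac
```

Run verify_manifest again every time the evidence changes hands; a non-zero exit means the chain of custody cannot be vouched for from that point on.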