Security Basics mailing list archives
Re: forensics procedure for PC analysis
From: max <maximilianbianco () gmail com>
Date: Fri, 1 May 2009 12:12:46 -0400
On Mon, Apr 27, 2009 at 11:31:17AM +0100, John O Laoi wrote:
> Hello, Does anyone have pointers to a full recommended procedure on preserving PC data for forensic analysis? I'm thinking about things like getting a full backup (using dd), preserving the disks, graceful shutdown or not, etc.
dd is a good choice but also see ddrescue. As for a graceful shutdown, that depends on the circumstances and what you're referring to as illicit material. If you think someone is downloading porn then I think a graceful shutdown is fine; if on the other hand you think you have an intruder or a trojaned host then I'd lean toward pulling the plug, simply because you don't know what an intruder or trojan is prepared to do if a shutdown is detected; at the least they will try to erase log data about their visit and activities, or perhaps worse. How important that particular host is will also be something to consider. There are more than a few live CDs available that help with things like this; HELIX is one and DEFT is another, though you may prefer to load your distro of choice and appropriate tools on a flash drive. CERT has a repo for Fedora: http://www.cert.org/forensics/tools/
> My employer has asked me to look into drafting a policy to address this, in situations where say illicit material has been lodged to disk.
Any such policy should only be used as a general guide in these situations; try not to get trapped in the proper-procedure box. After all, it can be hard to tell when the intrusion first occurred; perhaps an intruder found your proper procedure list and left you a few surprises. Just saying, be flexible above all else.

Good Luck,
Max

--
"Any fool can know. The point is to understand" --Albert Einstein
Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0
http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball
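Added illustration (not part of Max's reply or John's question): a minimal dd-based imaging routine of the kind the thread discusses, with the integrity check that a forensic procedure needs around the copy. It is plain POSIX sh and assumes a Linux host with dd and sha256sum; the device path /dev/sdb and the /mnt/evidence paths in the usage comment are hypothetical, and the script assumes the source is already attached read-only (hardware write blocker or blockdev --setro), which it does not enforce itself.

```shell
#!/bin/sh
# Added example: image a drive with dd and record source/image digests.
# Not from the original post. Assumes Linux with dd and sha256sum, and that
# the source device is attached read-only (not enforced here).

# Print the SHA-256 hex digest of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_device SRC DEST LOG
# Hash the source, copy it sector by sector, hash the image, and append both
# digests (plus dd's own record counts) to LOG. Returns 0 when digests match.
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros so offsets in the image still line up with the source; if any sector
# was unreadable the digests will NOT match, which is the cue to switch to
# ddrescue. bs=512 is the classic sector size; use 4096 for native-4K disks.
image_device() {
    src="$1"; dest="$2"; log="$3"
    pre=$(sha256_of "$src") || return 1
    if ! dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"; then
        echo "dd failed for $src" >>"$log"
        return 1
    fi
    post=$(sha256_of "$dest") || return 1
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$now" "$src" "$pre" >>"$log"
    printf '%s image=%s sha256=%s\n' "$now" "$dest" "$post" >>"$log"
    if [ "$pre" = "$post" ]; then
        echo "VERIFIED: image digest matches source" >>"$log"
        return 0
    fi
    echo "MISMATCH: image digest differs (read errors? source still mounted?)" >>"$log"
    return 1
}

# make_sample_disk PATH
# Constructed stand-in for a drive so the example runs offline: 1 MiB of
# random bytes, an exact multiple of 512 so the sync padding adds nothing.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Usage (hypothetical paths):
#   image_device /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/sdb.log
```

The log is the point: the pre-copy digest of the source, the post-copy digest of the image, and dd's record counts together show that what was analysed is what was on the drive, and a mismatch is a reason to stop and reach for ddrescue rather than proceed.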