Educause Security Discussion mailing list archives
Re: Compromised Server Policy (electronic evidence)
From: Jeni Li <jeni.li () ASU EDU>
Date: Mon, 16 May 2005 12:34:32 -0700
Check out your local HTCIA chapter for a good way to get to know those electronic crimes folks and what they need from you in terms of evidence preservation. http://www.htcia.org/

Also InfraGard for cybercrime contacts in the FBI. http://www.infragard.net/

It's important to have a chain-of-custody procedure in place BEFORE you need it, because the first impulse of us curious geeks is to trample all over the evidence trying to figure out what happened. And it's good to have the relationships in place with local/state/federal LE before you have an incident.

Jeni Li
Arizona State University
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Jackson
Sent: Monday, May 16, 2005 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

One added step, which has made our law-enforcement friends happier: When we preserve an extract from a compromise and/or logs, we digitally sign the extract and then write it to a CD-R, which we then keep in a safe. This custody-chain stuff has been important in several cases.

BTW, if you haven't, it's interesting to have your local electronic-crimes folks (especially the FBI ones, who are often young and quite savvy and good) come talk to a pizza lunch for campus system administrators. Nothing like actually having a chance to interact to build trust, gain mutual understanding, etc. They'll do stock PowerPoint, of course, most of it very boilerplate. But then they'll take questions.

Joel Rosenblatt wrote:
In cases where we are interested in preserving the evidence, we have the compromised HD removed and a new system is built on a new HD. The drives have gotten so cheap now that this is not usually a problem. If that can't be done, we have the contents of the machine tar'ed or zip'ed, backed up somewhere and then the machine is rebuilt.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
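The thread above describes two mechanics without showing them: tar'ing up the compromised machine's contents (Joel) and signing the extract so the custody chain holds up later (Greg). The following is an added example, not code from any of the posters or from EDUCAUSE: it packs a directory of extracted files into a tar archive, records a SHA-256 manifest of every file, and keeps a hash-chained custody log in which each entry commits to the previous one and to the archive hash, so a later edit to the archive or to the log is detectable. The sample "evidence" files, custodian names and timestamp are constructed for the example. The asymmetric signature Greg mentions is not reproduced here; the manifest and log this produces are what you would detach-sign with GnuPG or a similar tool before burning to CD-R.

```python
"""Evidence extract, SHA-256 manifest and hash-chained custody log (added example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # prev-hash value for the first custody entry


def sha256_file(path):
    """Stream a file through SHA-256; evidence archives can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_extract(src_dir, archive_path):
    """Pack every file under src_dir into a gzipped tar (the 'tar'ed' extract
    Joel describes) and return a manifest {relative path: sha256} of what
    went in, so individual files can be checked without unpacking."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = str(p.relative_to(src_dir))
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def custody_entry(prev_hash, archive_hash, custodian, action, ts):
    """One custody-log record. Its own hash covers the previous record's hash,
    so a record cannot be altered or removed without breaking the chain."""
    body = {"prev": prev_hash, "archive_sha256": archive_hash,
            "custodian": custodian, "action": action, "ts": ts}
    body["entry_sha256"] = _entry_hash(body)
    return body


def verify_custody(log, current_archive_hash):
    """Return (ok, reason): the chain must be unbroken, every record must hash
    to its stored value, and the archive must still hash to what was logged."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, f"chain broken at entry {i}"
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if _entry_hash(body) != e["entry_sha256"]:
            return False, f"entry {i} altered"
        if e["archive_sha256"] != current_archive_hash:
            return False, f"archive hash mismatch at entry {i}"
        prev = e["entry_sha256"]
    return True, "ok"


def demo():
    """Build an extract from constructed sample files, log two custody steps,
    then tamper with the archive and show verification fails."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "extract"
        (src / "var" / "log").mkdir(parents=True)
        # Constructed sample evidence, not real logs from any system.
        (src / "var" / "log" / "auth.log").write_text(
            "May 16 03:12:07 host sshd[2211]: Accepted password for root "
            "from 192.0.2.10 port 4412 ssh2\n")
        (src / "tmp_backdoor.sh").write_text("#!/bin/sh\nnc -l -p 31337 -e /bin/sh\n")
        archive = Path(work) / "extract.tar.gz"
        manifest = build_extract(src, archive)
        ahash = sha256_file(archive)
        ts = "2005-05-16T12:34:32-07:00"  # fixed timestamp for reproducibility
        log = [custody_entry(GENESIS, ahash, "jdoe (sysadmin)", "created extract", ts)]
        log.append(custody_entry(log[-1]["entry_sha256"], ahash, "jdoe (sysadmin)",
                                 "burned to CD-R, placed in safe", ts))
        ok_before, _ = verify_custody(log, sha256_file(archive))
        with open(archive, "ab") as f:  # tamper: append one byte to the archive
            f.write(b"\0")
        ok_after, reason = verify_custody(log, sha256_file(archive))
        return len(manifest), ok_before, ok_after, reason


if __name__ == "__main__":
    print(demo())
```

Sign `manifest` and `log` (serialised as JSON) together with the archive and store the signature alongside them; the hash chain only detects tampering, and the signature is what ties the record to a named person at a point in time.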