Educause Security Discussion mailing list archives

Re: Compromised Server Policy (electronic evidence)


From: Jeni Li <jeni.li () ASU EDU>
Date: Mon, 16 May 2005 12:34:32 -0700

Check out your local HTCIA chapter for a good way to get to know those electronic crimes folks and what they need from 
you in terms of evidence preservation.
http://www.htcia.org/

Also InfraGard for cybercrime contacts in the FBI.
http://www.infragard.net/

It's important to have a chain-of-custody procedure in place BEFORE you need it, because the first impulse of us 
curious geeks is to trample all over the evidence trying to figure out what happened. And it's good to have the 
relationships in place with local/state/federal LE before you have an incident.

Jeni Li
Arizona State University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Jackson
Sent: Monday, May 16, 2005 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy


One added step, which has made our law-enforcement friends happier: When
we preserve an extract from a compromise and/or logs, we digitally sign
the extract and then write it to a CD-R, which we then keep in a safe.
This custody-chain stuff has been important in several cases.

BTW, if you haven't, it's interesting to have your local
electronic-crimes folks (especially the FBI ones, who are often young
and quite savvy and good) come talk to a pizza lunch for campus system
administrators. Nothing like actually having a chance to interact to
build trust, gain mutual understanding, etc. They'll do stock
PowerPoint, of course, most of it very boilerplate. But then they'll
take questions.

Joel Rosenblatt wrote:

In cases where we are interested in preserving the evidence, we have
the compromised HD removed and a new system is built on a new HD.  The
drives have gotten so cheap now that this is not usually a problem.

If that can't be done, we have the contents of the machine tar'ed or
zip'ed, backed up somewhere and then the machine is rebuilt.


**********
Participation and subscription information for this EDUCAUSE 
Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
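The preservation step Greg Jackson describes above (hash and sign the extract, then commit it to write-once media) and the chain-of-custody procedure Jeni Li recommends having in place beforehand can be exercised with a small script. The following is an added example, not code from the list or from either poster's institution. It builds a manifest of every file in an evidence extract, seals the manifest, and later re-verifies the extract so that a modified, missing or added file is reported. Because the Python standard library has no asymmetric signatures, the seal is an HMAC under a constructed key (`CUSTODY_KEY`) standing in for the digital signature the post describes; in practice the manifest would be signed with openssl or GPG so a verifier never needs the secret. The sample log and passwd lines, case id and collector name are all constructed.

```python
"""Seal an evidence extract and verify it later (added example, not from the list)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key: stands in for the signing key an analyst would keep offline.
# A real workflow would use an asymmetric signature (openssl, GPG) so that
# verification does not require sharing the secret; HMAC is used here only
# because it is available in the standard library.
CUSTODY_KEY = b"example-custody-key-do-not-reuse"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large extracts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str, collected_at: str) -> dict:
    """Record hash and size of every file in the extract, sorted for a stable layout."""
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": collected_at,
        "files": {
            p.relative_to(evidence_dir).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
            for p in files
        },
    }


def seal_manifest(manifest: dict, key: bytes) -> tuple[bytes, str]:
    """Canonicalise the manifest and compute the seal that is stored beside it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return canonical, tag


def verify_extract(evidence_dir: Path, canonical: bytes, tag: str, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the extract matches the sealed manifest."""
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["seal does not match manifest"]  # manifest itself was altered or forged
    manifest = json.loads(canonical)
    present = {p.relative_to(evidence_dir).as_posix() for p in evidence_dir.rglob("*") if p.is_file()}
    problems = []
    for rel, meta in sorted(manifest["files"].items()):
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(evidence_dir / rel) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Seal a constructed extract, verify it clean, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        extract = Path(tmp) / "extract"
        (extract / "logs").mkdir(parents=True)
        # Constructed sample content standing in for copied logs and config.
        (extract / "logs" / "auth.log").write_text("May 16 11:02:17 host sshd[4121]: Accepted password for root\n")
        (extract / "etc_passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        manifest = build_manifest(extract, "CASE-2005-EXAMPLE", "J. Doe (constructed)", "2005-05-16T11:21:00-07:00")
        canonical, tag = seal_manifest(manifest, CUSTODY_KEY)
        clean = verify_extract(extract, canonical, tag, CUSTODY_KEY)
        # Simulate post-seal tampering: one file rewritten, one file added.
        (extract / "logs" / "auth.log").write_text("May 16 11:02:17 host sshd[4121]: nothing to see here\n")
        (extract / "notes.txt").write_text("added after sealing\n")
        tampered = verify_extract(extract, canonical, tag, CUSTODY_KEY)
        # Simulate an altered manifest: the seal no longer matches.
        forged = verify_extract(extract, canonical + b" ", tag, CUSTODY_KEY)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The manifest and its seal are what would be burned to the CD-R alongside the extract; re-running `verify_extract` against the disc contents is the check to perform before handing anything to law enforcement or presenting it in a case.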

