Security Basics mailing list archives
Re: Steps on how to handle an infected computers ( in forensicsperspective)
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 27 Jul 2010 22:28:04 +0200
On 2010-07-27 Rivest, Philippe wrote:
My expertise in forensic is really limited, but i believe that pulling the power cord at that step is unwise as you will basically be throwing out the window a lot of data and information's.
You may want to re-read the part of my reply between "remove from the net" and "pull the cord".
Shouldn't he get access to the memory b4 flushing the power cord?
Indeed. I meant to suggest taking an image of the RAM in case FireWire DMA is enabled, but somehow it slipped my mind.
Also, I get that unpluggin the system from the network is wise to protect both the system & the network. But wont you effectively change the state of a machine when you want to capture the machine in the "bad state". Shouldn't he pull the power cord b4 the network cable?
Depends. If he knows what to do (and has his toolbox at hand) I think it would be better to examine the system first, and then pull the plug. If he needs to do some research first, I'd give protecting the network the higher priority. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Steps on how to handle an infected computers ( in forensics perspective) Raja (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensics perspective) Adam Mooz (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensics perspective) Ansgar Wiechers (Jul 27)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Rivest, Philippe (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensicsperspective) Ansgar Wiechers (Jul 27)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Sacks, Cailan C (Jul 28)
- Re: Steps on how to handle an infected computers ( in forensicsperspective) John Morrison (Jul 28)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Rivest, Philippe (Jul 27)
- <Possible follow-ups>
- Re: Steps on how to handle an infected computers ( in forensics perspective) lukasz (Jul 27)