PaulDotCom mailing list archives
First Responder Forensic Responsibilities
From: joel.folkerts at gmail.com (Joel Folkerts)
Date: Tue, 6 Oct 2009 12:52:37 -0500
I completely agree with Robin. I've had a few situations where the IT guys were thinking they were doing me a favor by attempting to fix the system after it had been compromised, i.e. patch, restore from backup, reimage. At best, they end up losing events in their event log (no syslog server) and making the timeline analysis impossible. As a quick aside, we would tell people to literally not touch the system and even leave it attached to the network.

To provide a bit of background, I worked for AFOSI where we handled incident response for the AF. If we felt there was intelligence to be gained, we would quarantine the system and fill its standalone network with normal network noise in hopes of not tipping off the intruder. In some cases, the intruder would continue to probe and we could record their activities in hopes of identifying the intruder.

-Joel

"The path to hell is paved with good intentions."

On Tue, Oct 6, 2009 at 10:34 AM, Robin Wood <dninja at gmail.com> wrote:
> 2009/10/6 James Costello <genesiswave at gmail.com>:
>> I am getting ready to review and update our existing first responder forensic responsibilities policy and wanted to know what others are using as their policies. I am looking for the information and policies that apply to non-IT who might uncover the problem or the IT team member who is not responsible for the forensics.
>
> I don't do forensics but my first thought for both situations, especially the first, is to touch nothing and call the phone number that is well advertised around the office to get the professionals in.
>
> Robin