[Plug-security] forensic analysis

sinck@ugive.com sinck@ugive.com
Mon, 25 Sep 2000 07:55:44 -0700


> Hey all:
> 
> I'm interested in advice and opinions on how to best preserve a
> compromised system for later analysis.
> 
> Unplugging the network connection, of course

http://www.cert.org/security-improvement/; see "responding to
intrusions".  The biggest thing that stuck out to me was the "chain of
control" of the offending data.  If it's publicly accessible, then you
lose credibility in court, which makes it harder to convict the lamer.


> If the machine must be relocated, does one halt the box?  Couldn't this
> trigger any response by a rootkit?

You could load a trusted 'shutdown' onto the system from CD, call
that, and have it skip the rc-downing scripts.

If that doesn't help, I've got a list of other articles that some
idjut has saved by just the links, but no data other than that.  I'm
off to have words with him about that....

David
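The trusted-toolkit procedure David describes, written out as an added example (this is not code from the list post or from CERT): run nothing from the suspect disk, check the toolkit against a hash manifest shipped with it, capture volatile state to separate media with a hash log for the chain-of-custody argument, then halt with the toolkit's own shutdown. Everything specific here is assumed, not from the thread: the toolkit mounted read-only at /mnt/cdrom/bin with a MANIFEST.sha256 produced on a clean machine, evidence written to /mnt/evidence, and a sysvinit-era shutdown whose -n flag bypasses init (and so the rc scripts).

```shell
#!/bin/sh
# Added example, not from the list post: preserve volatile state with a
# trusted toolkit, then halt with the toolkit's own shutdown.
# Assumptions, all mine: trusted binaries plus a MANIFEST.sha256 (made on a
# clean machine) live read-only at $TOOLKIT, e.g. a mounted CD; evidence goes
# to $EVIDENCE on separate media; the toolkit's shutdown is sysvinit's, whose
# -n flag bypasses init and therefore the rc scripts.

TOOLKIT="${TOOLKIT:-/mnt/cdrom/bin}"
EVIDENCE="${EVIDENCE:-/mnt/evidence}"

# Run nothing from the suspect disk: PATH becomes the toolkit directory only.
use_trusted_path() {
    PATH="$1"
    export PATH
}

# Every binary listed in the toolkit's manifest must hash as expected;
# a swapped disc or a modified image fails here before anything else runs.
verify_toolkit() {
    dir="$1"
    [ -r "$dir/MANIFEST.sha256" ] || return 1
    ( cd "$dir" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 )
}

# The procedure needs these tools on the trusted media, not merely somewhere.
toolkit_has() {
    dir="$1"; shift
    for tool in "$@"; do
        [ -x "$dir/$tool" ] || return 1
    done
    return 0
}

# Capture each command's output, logging when it ran and its exit status, and
# hash the result at once so the evidence can later be shown unchanged.
# Arguments after the output directory are the commands, most volatile first.
collect_volatile() {
    out="$1"; shift
    mkdir -p "$out" || return 1
    for cmd in "$@"; do
        name=$(printf '%s' "$cmd" | tr ' /' '__')
        $cmd > "$out/$name.txt" 2>&1          # word-split on purpose: "ps -ef" etc.
        rc=$?
        printf '%s %s exit=%s\n' "$(date -u +%FT%TZ)" "$cmd" "$rc" >> "$out/collection.log"
        ( cd "$out" && sha256sum "$name.txt" >> evidence.sha256 )
    done
    return 0
}

# Whole procedure, in a subshell so the restricted PATH does not leak to the
# caller. The halt only happens with DO_HALT=1; otherwise the run stops after
# the evidence is collected, which makes a dry check of the toolkit safe.
preserve_system() (
    toolkit="$1"; evidence="$2"; shift 2
    use_trusted_path "$toolkit"
    verify_toolkit "$toolkit" || { echo "toolkit failed manifest check, aborting" >&2; exit 1; }
    toolkit_has "$toolkit" sha256sum mkdir tr date shutdown || { echo "toolkit incomplete" >&2; exit 1; }
    collect_volatile "$evidence" "$@" || exit 1
    if [ "${DO_HALT:-0}" = "1" ]; then
        # sysvinit: -n skips init and the rc scripts, -h halts. Assumption on my
        # part; check the shutdown on your own rescue media (systemd's has no -n).
        "$toolkit/shutdown" -n -h now
    fi
)

if [ "${RUN_PRESERVE:-0}" = "1" ]; then
    preserve_system "$TOOLKIT" "$EVIDENCE" date uptime "ps -ef" "netstat -an"
fi
```

Run it as `RUN_PRESERVE=1 DO_HALT=1 sh preserve.sh` from a shell whose only writable target is the evidence media; without DO_HALT it stops after collection. The point of the manifest check is the one the quoted question raises: a rootkit that can hook the rc scripts can just as easily replace /sbin/shutdown, so the halt has to come from media the attacker never touched, and the collection log and per-file hashes are what you hand over to show the evidence was not altered after capture.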