[Plug-security] forensic analysis

Wes Bateman wbateman@epicrealm.com
Sun, 24 Sep 2000 17:05:02 -0500 (CDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all:

I'm interested in advice and opinions on how to best preserve a
compromised system for later analysis.

Unplugging the network connection, of course.

If the machine must be relocated, does one halt the box?  Couldn't this
trigger any response by a rootkit?

Hard power it down?

If you later pulled the drive and remounted it read only on another Linux
box, would the halt or hard power be preferable?

Any other thoughts?

Thanks :)  Thought this might generate some interesting
conversation.  This list is sooooo quiet :)

Wes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5znqVTWCWDGEEC4kRAkoSAJ95saG3vaieP9o2q+tF5wutaN0o+ACbB3VE
6m0Ofm9hSXKGyaZhHnU8cqY=
=3CHD
-----END PGP SIGNATURE-----
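The read-only remount step asked about above, as an added example that is not part of the original post or from its author: it builds the mount command for a pulled drive so nothing on the suspect filesystem can execute or be written to, and records a digest of the evidence so any accidental modification during analysis is detectable. It assumes a Linux analysis host with a POSIX shell and `sha256sum`; the device path, mount point and image file used are placeholders, not values from the list message. It covers only the pulled-drive step, not the halt-versus-power-off question.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: Linux analysis
# host, POSIX sh, sha256sum available. /dev/sdb1 and /mnt/evidence below
# are placeholders.

# Mount options for a suspect filesystem:
#   ro      - never write to the evidence
#   noexec  - nothing on it can be executed on the analysis host
#   nodev   - device nodes it contains are ignored
#   nosuid  - setuid/setgid bits are ignored
#   noatime - no access-time updates even if the filesystem were remounted rw
#   noload  - (ext3/ext4 only) do not replay the journal, which would otherwise
#             write to the disk even with 'ro'
forensic_mount_opts() {
    fstype="$1"
    opts="ro,noexec,nodev,nosuid,noatime"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
    esac
    echo "$opts"
}

# Build the mount command as a string so it can be reviewed (and logged) before
# it is run with root privileges. Usage: forensic_mount_cmd DEVICE MOUNTPOINT FSTYPE
forensic_mount_cmd() {
    dev="$1"; mnt="$2"; fstype="$3"
    echo "mount -t $fstype -o $(forensic_mount_opts "$fstype") $dev $mnt"
}

# SHA-256 of an evidence file or block device. Take it before the drive is
# touched and again when analysis ends; a mismatch means the evidence changed.
evidence_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit status 0 when the current digest matches the one recorded earlier.
evidence_unchanged() {
    [ "$(evidence_hash "$1")" = "$2" ]
}

# Stand-alone demonstration on a constructed image file (no real evidence,
# no root needed): hash, show the command that would be run, re-verify.
demo() {
    img=$(mktemp)
    printf 'constructed sample disk image\n' > "$img"
    before=$(evidence_hash "$img")
    echo "recorded digest: $before"
    forensic_mount_cmd /dev/sdb1 /mnt/evidence ext4
    if evidence_unchanged "$img" "$before"; then
        echo "evidence unchanged"
    else
        echo "WARNING: evidence digest changed" >&2
    fi
    rm -f "$img"
}
```

Hashing a whole drive is slow, so in practice the digest is taken once of a bit-for-bit image and all analysis is done on the image, with the original drive set aside; the functions above work unchanged on either a device path or an image file.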