Jun 3, 2005

Preserving digital evidence

Deb Shinder's Computerworld article Preserving Digital Evidence to Bring Hackers and Attackers to Justice is a brief but useful overview of how to deal with a PC that may contain forensic evidence of a breach. The key elements are: don't switch it off; do disconnect it from the network; don't run any programs on it; don't open files to examine them; do call in forensic experts; and do take bit-level disk and memory copies to another machine. "Pull out the network cable" is a good phrase to teach your IT help desk and information security staff, and should perhaps be splashed across the front of the incident response procedure manual, a bit like "Don't panic" across the Hitchhiker's Guide To The Universe.
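As an added example, not from the article or from this post: a small POSIX shell script that takes the bit-level copy the article calls for and records digests of source and image so the copy can be re-verified later. It runs against a constructed image file so it works offline; the function names and log format are my own assumptions, and on real media the source would be a device node opened read-only with the image written to a drive on another machine.

```shell
#!/bin/sh
# Added example (not from the article or the post): verified bit-level copy of
# a suspect disk with digests logged for chain of custody. Assumes POSIX sh
# with dd and sha256sum (coreutils). The "disk" is a constructed file here.

# Build a constructed 1 MiB "suspect disk" (2048 sectors of 512 bytes).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SOURCE IMAGE LOG
# Returns 0 only when the image's digest equals the source's digest.
image_and_verify() {
    src="$1"; dst="$2"; log="$3"

    # Digest the source first so any later change to it is detectable.
    src_hash=$(sha256_of "$src") || return 1

    # Sector-sized blocks: conv=noerror keeps going past unreadable sectors,
    # conv=sync zero-fills them so image offsets still match the source, and
    # bs=512 means no padding is added to a whole number of sectors.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1

    dst_hash=$(sha256_of "$dst") || return 1

    # Custody record: when, what, and both digests (operator identity omitted).
    printf '%s src=%s image=%s sha256_src=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$src_hash" "$dst_hash" \
        >> "$log"

    [ "$src_hash" = "$dst_hash" ]
}

# verify_logged_image IMAGE LOG: re-check an image against its recorded digest,
# e.g. before handing it to an examiner or after it has been copied again.
verify_logged_image() {
    recorded=$(grep -F "image=$1 " "$2" | tail -n 1 | sed 's/.*sha256_image=//')
    [ -n "$recorded" ] && [ "$(sha256_of "$1")" = "$recorded" ]
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_source "$demo_dir/suspect.dd"
image_and_verify "$demo_dir/suspect.dd" "$demo_dir/image.dd" "$demo_dir/custody.log" \
    && verify_logged_image "$demo_dir/image.dd" "$demo_dir/custody.log" \
    && cat "$demo_dir/custody.log"
```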
