Welcome to NBlog, the NoticeBored blog

The blogging will continue until morale improves

Jun 3, 2005

Preserving digital evidence

Deb Shinder's Computerworld article, Preserving Digital Evidence to Bring Hackers and Attackers to Justice, is a brief but useful overview of how to deal with a PC that may contain forensic evidence of a breach. The key elements are: don't switch it off, but do disconnect it from the network; don't run any programs on it; don't open files to examine them; do call on forensic experts; and do take bit-level disk and memory copies to another machine. "Pull out the network cable" is a good phrase to teach your IT help desk and information security staff, and should perhaps be splashed across the front of the incident response procedure manual, a bit like "Don't panic" across the Hitchhiker's Guide To The Universe.
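The bit-level copy the article calls for is worth scripting so that the hashes end up in a custody log rather than in someone's memory. The following is an added example, not code from the article or from this blog: run from a separate acquisition machine (never on the suspect PC), it images a drive and verifies the copy. It assumes GNU or busybox dd and sha256sum; acquire_image, verify_image and the IMG_BS variable are names chosen here.

```shell
#!/bin/sh
# Constructed example: bit-level acquisition of a seized drive onto the
# acquisition machine's own storage, with hashes and dd's record counts
# appended to a custody log. Assumes dd and sha256sum are installed.
set -u

# Block size for dd; override with IMG_BS (e.g. IMG_BS=4096 for small tests).
IMG_BS="${IMG_BS:-4M}"

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# acquire_image SRC DEST LOG
#   SRC  block device (or file) to image; it is only ever opened for reading
#   DEST path of the raw image to write
#   LOG  custody log that receives timestamps, hashes and dd's summary
# Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    printf '%s START src=%s dest=%s examiner=%s\n' \
        "$(stamp)" "$src" "$dest" "${USER:-unknown}" >> "$log"
    # Hash the source first so any later change to it is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    printf 'source_sha256=%s\n' "$src_hash" >> "$log"
    # noerror: keep reading past bad sectors; sync: zero-fill them so offsets
    # in the image still line up with the original disk. A whole-disk device
    # is a multiple of the block size, so a clean read is padded nowhere.
    dd if="$src" of="$dest" bs="$IMG_BS" conv=noerror,sync 2>> "$log" || return 1
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf 'image_sha256=%s\n' "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        printf '%s VERIFIED\n' "$(stamp)" >> "$log"
        return 0
    fi
    printf '%s MISMATCH (read errors or padding)\n' "$(stamp)" >> "$log"
    return 1
}

# verify_image IMAGE LOG
#   Re-hashes a stored image and compares it with the value recorded at
#   acquisition, e.g. before handing the image to analysts. Returns 0 on match.
verify_image() {
    image="$1"; log="$2"
    expected=$(grep '^image_sha256=' "$log" | tail -n1 | cut -d= -f2)
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Keep the log beside the image and re-run verify_image whenever the image changes hands; a mismatch means the copy is no longer the one that was acquired.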
More on incident management
