Originally posted here by aze
Just a side note, Juridian: if you did suffer a real break-in and you needed to collect forensic evidence, you would not pull the plug on your box. The power-down could have undesired effects. You would disconnect from the network, note any running processes, and note what may have been going on. Then, when your local network guru or whomever you call for help arrives, they can take the appropriate measures, i.e. a complete disk-to-disk dump, etc.

Just my spare change
AZE
Well, actually there are a couple of recommended methods according to all my reading, training, etc. It really all depends on whether you are going for live acquisition or whether you want to capture the hard drive in a single state.

Pulling the power cord is recommended by many agencies (such as SANS/GIAC, ISS, etc.) because you never know what may be set off on the drive if you try an actual power-down or if you pull the network cable. There is the possibility that there will be a piece of malware looking for the connection with the intent of wiping out the data you need (which is also why it's recommended that incident handlers carry a hub with them).

It's just the old 'pull the plug' dilemma rearing its ugly head....
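If the live-acquisition route mentioned above is chosen, the volatile state has to be captured before anything is unplugged or powered off, in order of volatility, and checksummed so the collection can later be shown to be unaltered. The script below is an added example for this thread, not something either poster wrote: it assumes a Unix-like host, skips and logs any tool that is not present (ss, netstat, arp and who are all assumptions about the examined box), and uses only POSIX cksum for the manifest.

```shell
#!/bin/sh
# Added example: minimal live-response collection ordered by volatility,
# to be run BEFORE any network disconnect or power-off of a suspect Unix host.
# Each artifact goes to its own file under the output directory; a checksum
# manifest is written last so the collection can be verified afterwards.
# Tool names are assumptions about the examined host; missing ones are logged.

collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    log="$out/collection.log"
    : > "$log"

    # When and where the collection was made; the host clock itself is evidence.
    printf 'start %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    uname -a > "$out/uname.txt" 2>>"$log"
    date -u > "$out/date.txt" 2>>"$log"

    # run_step <name> <command...>: run one collector if its tool exists.
    run_step() {
        name="$1"; shift
        if command -v "$1" >/dev/null 2>&1; then
            "$@" > "$out/$name.txt" 2>>"$log" || printf 'failed %s\n' "$name" >> "$log"
        else
            printf 'missing tool for %s: %s\n' "$name" "$1" >> "$log"
        fi
    }

    # Most volatile first: processes, network state, sessions, ARP cache, mounts.
    run_step processes ps -ef
    run_step sockets ss -tunap
    run_step sockets_netstat netstat -an
    run_step users who
    run_step arp_cache arp -an
    run_step mounts mount

    # Checksum manifest over everything collected (POSIX cksum, sorted by glob order).
    (cd "$out" && for f in *.txt; do cksum "$f"; done) > "$out/MANIFEST" 2>>"$log"
    printf 'end %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
}

# verify_manifest <dir>: recompute checksums and compare with MANIFEST.
# Returns 0 if every collected file is unchanged, non-zero otherwise.
verify_manifest() {
    out="$1"
    (cd "$out" && for f in *.txt; do cksum "$f"; done) | cmp -s - "$out/MANIFEST"
}

# Usage: collect_volatile ./evidence && verify_manifest ./evidence && echo intact
```

The manifest is only as trustworthy as the place it is stored, so in practice it would be copied off the host (to the handler's own media) together with the artifacts, and the checksums re-run on the copy.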