Re: Computer Forensics - Shutdown or Switch-Off



"bright" <brightwell_151@xxxxxxxxxxx> writes:

Hello All,

I'm not sure if this is the right forum - if anyone knows of a more
suitable group I will be grateful for a pointer.

If faced with an incident
-> Evidence of fraudulent activity
-> A request from management to look into a system
-> Strange goings on in system logs
-> IDS or firewall logs indicating a system has been compromised
-> etc

Can anyone point me to a good guide or checklist covering the steps
that should be followed.

It all depends. For example removing the system for two weeks could do far
far more damage to the firm than the "request by management" could ever
warrant.

The standard advice is to shut down the system immediately, remove the hard
drive, install it on another computer and make a copy of it to a pristine
hard drive by a low level copy (e.g. dd). Then place the original disk into a
vault and never touch it, only doing forensics on the copy.

Of course if what management wanted was to know where the Leverhouse.doc
file was located this may be overkill. Similarly if those "strange goings
on in system logs" were because you do not understand system logs.



I know that this does depend on the OS in question and the type of
activity suspected, but there must be some rough guidelines out there
already to save me having to make some up myself.

Shutdown
This is potentially a risk if the attacker has implemented a watch for
shutdown (with scripted processes to hide any tracks). On the other
hand in most cases an attacker won't have done this and we can ensure
that any disk writes are completed and the filesystem integrity is
maintained. The fact that commands will be run as part of the shutdown
might overwrite sections of memory which might otherwise be useful for
forensics. Pagefiles or virtual memory areas may be cleared.

Memory is almost impossible to preserve.



Switch-Off
For non-journalled filesystems data might be lost or corrupted. On the
other hand Pagefiles or Virtual Memory might later serve up interesting
information about the processes that were going on when the system was
switched off. A switch-off won't run commands or trigger watch features
which might write additional info to log files or write to the disk.

Example
Let's say the first indication I have is some suspicious connections
from another internal system (indicating that the user of the system is
up to no good, or that the system has been compromised by another
party).

We don't want to leave ourselves exposed but we don't want to trample
over evidence in case we need to find out what damage was done or maybe
it will turn out that criminal activity has taken place (in which case
we will need to hand over the evidence to the authorities).

1. Start making notes of exactly what action is taken including
accurate date/time
2. Double check the details
2.a. Which system is the source
2.b. Where is it located
2.c. A quick check to see if it is being operated remotely (if this can
be done externally - from the LAN switch or router)
3. If the observed attacks are a concern then we need to halt them
immediately by either shutting down the system under attack or, more
likely, by disabling the source of the attack.
3.a. Remove it from the network and create an image
OR
3.b. Switch it off, boot from another system and image the hard disk
(ghost, encase etc)
OR
3.c. Shut it down, boot from another system and image the hard disk
4. Snapshot the logs of access servers and fileservers (maybe CCTV)
which might have been used by the attacker
5. If possible, image the attacked system as well (as a minimum
snapshot the logs).
Note: It might even be necessary to re-build the attacked system from a
trusted image

If subsequent investigation reveals serious wrongdoing or maybe even
criminal activity then evidence may be required... Anyone got a feel
for what the best approach should be?

Anyone been through this and have a tale to tell?

Note: I don't have anything going on at the moment I hasten to add, but
I'd like to have a rough idea in my head of the correct process to
follow.


In 99% of cases, preservation of evidence is not the problem. The problem
is getting the system back to being a usable system. Few firms have so many
computers hanging around that they can afford to have one or more taken
offline for days. If you work for NSA or in the police force, this may not
be the right attitude.

You have to balance the need for retribution or even forensics against
operation of the equipment.
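As an added illustration of two steps discussed in this thread (not code from the original poster or the reply), the script below does the "low level copy (e.g. dd)" of a disk onto pristine storage and the "notes of exactly what action is taken including accurate date/time" from step 1 of the checklist: every action is appended to a notes file with a UTC timestamp, and the image is accepted only if its SHA-256 hash matches the source. The device paths, file names and block size are assumptions, and the "disk" is a constructed file of random sectors so the script runs without touching any real device.

```shell
#!/bin/sh
# Added example, not code from the original thread. Images a "disk" with dd,
# records each step with a UTC timestamp in a notes file, and verifies the
# copy by hash. Paths, names and block size are assumptions; the source disk
# is a constructed file so nothing real is read or written.

# hash_file FILE: print the SHA-256 of FILE (sha256sum or shasum, whichever exists)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# log_note NOTES MESSAGE...: append a timestamped line to the notes file
log_note() {
    notes="$1"; shift
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$notes"
}

# image_disk SOURCE IMAGE NOTES
# Copy SOURCE to IMAGE sector by sector. bs=512 matches the sector size, so
# conv=noerror,sync (carry on past unreadable sectors and zero-fill them)
# never changes the length of a fully readable source. dd's own summary on
# stderr is kept in the notes as a record of how much was copied.
image_disk() {
    src="$1"; img="$2"; notes="$3"
    log_note "$notes" "imaging $src -> $img (dd bs=512 conv=noerror,sync)"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$notes"
}

# verify_image SOURCE IMAGE NOTES
# Hash both files, record both hashes, and return 0 only if they match.
verify_image() {
    src="$1"; img="$2"; notes="$3"
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    log_note "$notes" "sha256 source=$src_hash"
    log_note "$notes" "sha256 image=$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# make_sample_disk FILE: constructed stand-in for a disk, 64 sectors of random bytes
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}

# Demo run in a temporary directory (the real procedure would point src at
# the removed drive and img at the pristine destination drive).
workdir=$(mktemp -d)
make_sample_disk "$workdir/disk.raw"
log_note "$workdir/notes.log" "case started, operator=${USER:-unknown}"
if image_disk "$workdir/disk.raw" "$workdir/disk.img" "$workdir/notes.log" \
   && verify_image "$workdir/disk.raw" "$workdir/disk.img" "$workdir/notes.log"; then
    echo "image verified; notes in $workdir/notes.log"
else
    echo "image FAILED verification; see $workdir/notes.log" >&2
fi
```

The hash is recorded before anyone works on the copy, so a later reviewer can show that the working image still matches what was taken from the original drive, which is what makes leaving the original untouched in a vault worthwhile.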

