
The "unplug the cord" dilemma

From: Omar Herrera <oherrera(at)prodigy.net.mx>
Date: Thu Mar 27 2003 - 09:34:35 EST

I was looking for documentation available discussing circumstances where each of the following approaches is better:

  a) leave the system online/plugged to the network -> online investigation
  b) unplug the system from network and shutdown -> offline forensics
  c) unplug the system from network and unplug from power source -> offline forensics

It can be argued that with any of these approaches you potentially lose or alter evidence in some way; usually, approach c) is considered best in procedures as it freezes the hard disk and makes further tampering impossible (network connection information and data in volatile memory not written to disk would be lost, however). Approach a) is sometimes necessary, for example, if there is an incident with a mission critical system that cannot be unplugged from the network or shut down (even if backups are available, sometimes bringing up a replacement system might take just too long or be extremely difficult because of specialized hardware availability).

I intend to write a paper on the matter including a list of situations where each approach is better suited but I want to include as well legal implications for each approach (legal requirements from different countries are welcome) and also recommended procedures for each approach (for example, in an online investigation you might still use trusted binaries saved on a floppy or cdrom rather than system binaries; if the kernel was tampered with this might be of no use though).

Finally, I was dreaming of a system which had a kind of "forensic hibernation mode"; currently I'm not aware of a system with this capability (that would preserve memory and network connection state while freezing hard disks and, at the same time, be easy to do forensics on). If there is still no work in progress on this kind of system I would also like to discuss requirements for a standard that would allow computer makers to include this capability on computer systems.

All feedback, comments and suggestions will be greatly appreciated.

Regards,

Omar Herrera
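As an added illustration of the "trusted binaries on a floppy or cdrom" procedure mentioned for approach a), here is a small POSIX sh live-response collector. It is example code written for this archive page, not something from the original post or its author. It assumes a hypothetical trusted-toolkit directory at `$TRUSTED_BIN` (default `/mnt/cdrom/bin`, a placeholder), puts that directory first in `PATH`, records volatile data in order of volatility into an evidence directory, notes which binary actually answered each command, and writes a SHA-256 manifest so the collected files can be verified later. As the post itself points out, a tampered kernel can still lie to even a trusted userland tool, so the manifest documents provenance rather than proving the data is truthful.

```shell
#!/bin/sh
# Example live-response collector (added example, not from the original post).
# TRUSTED_BIN is a hypothetical mount point for read-only trusted binaries.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/tmp/evidence.$$}"

# Put the trusted toolkit first in PATH when it is present; the manifest
# records which binary was really used, so a fallback to system binaries
# is visible in the evidence rather than hidden.
setup_path() {
    if [ -d "$TRUSTED_BIN" ]; then
        PATH="$TRUSTED_BIN:$PATH"
    fi
    export PATH
}

# SHA-256 of a file, using whichever tool the platform provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# run_and_record NAME COMMAND [ARGS...]
# Stores stdout+stderr of COMMAND in $EVIDENCE_DIR/NAME.txt and appends
# "hash  name  resolved-binary  utc-timestamp" to MANIFEST. A command that
# is not available is recorded as such instead of being silently skipped.
run_and_record() {
    name="$1"; shift
    out="$EVIDENCE_DIR/$name.txt"
    bin="$(command -v "$1" 2>/dev/null || echo "NOT-AVAILABLE")"
    if [ "$bin" = "NOT-AVAILABLE" ]; then
        echo "command not available: $1" >"$out"
    else
        "$@" >"$out" 2>&1 || echo "exit status $? from: $*" >>"$out"
    fi
    echo "$(hash_file "$out")  $name  $bin  $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$EVIDENCE_DIR/MANIFEST"
}

# Collect most-perishable data first (clock, uptime, processes, sockets,
# ARP cache, logged-in users); disk contents are left for offline forensics.
# Prints the evidence directory path.
collect_volatile() {
    mkdir -p "$EVIDENCE_DIR"
    setup_path
    : >"$EVIDENCE_DIR/MANIFEST"
    run_and_record date       date -u
    run_and_record uname      uname -a
    run_and_record uptime     uptime
    run_and_record processes  ps -ef
    run_and_record sockets    ss -antup      # Linux only; recorded as unavailable elsewhere
    run_and_record netstat    netstat -an
    run_and_record arp_cache  arp -an
    run_and_record logged_in  who
    run_and_record path_used  sh -c 'echo "$PATH"'
    echo "$EVIDENCE_DIR"
}

# Returns 0 when every file named in the manifest still matches its hash.
verify_manifest() {
    dir="$1"
    while read -r h n rest; do
        [ "$(hash_file "$dir/$n.txt")" = "$h" ] || return 1
    done <"$dir/MANIFEST"
    return 0
}

if [ "${1:-}" = "run" ]; then
    d="$(collect_volatile)"
    verify_manifest "$d" && echo "collected into $d, manifest verified"
fi
```

Run it as `sh collect.sh run` from the trusted medium; the `path_used` entry and the resolved-binary column in `MANIFEST` show whether each tool came from the trusted directory or from the possibly compromised system, which is exactly the question the post raises about system binaries.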



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sat Mar 29 08:33:55 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
