Hosting Provided By

Re: The "unplug the cord" dilemma

From: De Velopment <devel(at)www2.kparker.org>
Date: Sat Mar 29 2003 - 16:27:44 EST

On 27 Mar 2003, Omar Herrera wrote:

> I was looking for documentation available discussing circumstances where

I would like to suggest a fourth option: Unplugging the Ethernet cable from the system itself, but leaving it on, at least for a bit. This is, of course, safer than option a) above, since it will put an immediate stop to any attacks the system might have been making to others. Also, it MIGHT allow one to see what processes are running, though, like with option a) above, the commands, on the system itself, could be trojaned.

Rather than when an individual option is appropriate, the question may be better asked, which option should be started with, as I submit that the offline backup and forensics need to be done in any case where getting answers is important. In cases likely to go to court, option c), right away, might be appropriate, to eliminate "tampering with evidence" defenses. (I am not a lawyer, however).

Good luck and best regards,

Ken Parker

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sun Mar 30 10:29:49 2003

This message: [ Message body ]
Next message: Omar Herrera: "RE: The "unplug the cord" dilemma"
Previous message: Gary Flynn: "Re: The "unplug the cord" dilemma"
In reply to Omar Herrera: "The "unplug the cord" dilemma"
Next in thread: Omar Herrera: "RE: The "unplug the cord" dilemma"
Reply: Omar Herrera: "RE: The "unplug the cord" dilemma"
Reply: pspielmann(at)vitek.fr: "Re: The "unplug the cord" dilemma"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

Do you need help?