
RE: The "unplug the cord" dilemma

From: Omar Herrera <oherrera(at)prodigy.net.mx>
Date: Sun Mar 30 2003 - 08:57:12 EST

Thanks for your comments,

> > I was looking for documentation available discussing circumstances where
> > each of the following approaches is better:
> >
> > a) leave the system online/plugged to the network -> online
> > investigation
> > forensics
> > c) unplug the system from network and unplug from power source ->
> > offline forensics
>
> I would like to suggest a fourth option: Unplugging the Ethernet cable
> from the system itself, but leaving it on, at least for a bit. This is,
> of course, safer than option a) above, since it will put an immediate
> Also,
> it MIGHT allow one to see what processes are running, though, like with
> option a) above, the commands, on the system itself, could be trojaned.
>

Connecting some kind of honeypot replacing the compromised system (or simply any system with a sniffer and the same IP address) could also give information; connection retries might take place and they could be recorded.

> Rather than when an individual option is appropriate, the question may

Still, the call should be made by the company owning the system, with a person with an appropriate level of authority within it, unless you are forced to do formal forensics by law... maybe some government institutions have to (in some cases).

Best regards,

Omar
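The post above suggests recording connection retries against a decoy that takes over the compromised host's IP address. As an added illustration (not part of the original message or of any SecurityFocus tooling), the script below parses constructed, tcpdump-like sniffer lines, keeps only inbound TCP SYNs to the decoy address, and groups repeated attempts by source and destination port so that a retry pattern stands out from ordinary one-off traffic. The decoy address, the line format and the sample capture are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the address reassigned from the compromised host to the decoy.
DECOY_IP = "198.51.100.10"

# Constructed sample sniffer output (not a real capture). Format assumed here:
# "<date> <time> <src>:<sport> > <dst>:<dport> <tcp flags>"
SAMPLE_LINES = """\
2003-03-30 09:00:01 192.0.2.45:51234 > 198.51.100.10:4444 S
2003-03-30 09:00:04 192.0.2.45:51234 > 198.51.100.10:4444 S
2003-03-30 09:00:10 192.0.2.45:51234 > 198.51.100.10:4444 S
2003-03-30 09:00:12 203.0.113.7:40001 > 198.51.100.10:80 S
2003-03-30 09:00:12 198.51.100.10:80 > 203.0.113.7:40001 SA
2003-03-30 09:01:30 192.0.2.45:51240 > 198.51.100.10:4444 S
2003-03-30 09:05:00 192.0.2.99:33000 > 198.51.100.10:22 S
2003-03-30 09:05:00 192.0.2.99:33000 > 198.51.100.22:22 S
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) > (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one sniffer line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
        "flags": flags,
    }


def inbound_syns(lines, decoy_ip=DECOY_IP):
    """Yield only pure SYN packets addressed to the decoy (new connection attempts)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] == decoy_ip and rec["flags"] == "S":
            yield rec


def summarize_retries(lines, decoy_ip=DECOY_IP, min_attempts=2):
    """Group inbound SYNs by (source IP, destination port) and report repeat callers.

    Sources with at least `min_attempts` attempts are returned, oldest first,
    with the time span the retries covered. Repeated SYNs from the same source
    to the same port on the decoy are the retry pattern the post describes.
    """
    groups = defaultdict(list)
    for rec in inbound_syns(lines, decoy_ip):
        groups[(rec["src"], rec["dport"])].append(rec["ts"])

    report = []
    for (src, dport), stamps in sorted(groups.items()):
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        report.append({
            "src": src,
            "dport": dport,
            "attempts": len(stamps),
            "first": stamps[0].isoformat(sep=" "),
            "last": stamps[-1].isoformat(sep=" "),
            "span_seconds": int((stamps[-1] - stamps[0]).total_seconds()),
        })
    return report


if __name__ == "__main__":
    for entry in summarize_retries(SAMPLE_LINES.splitlines()):
        print(f"{entry['src']} -> port {entry['dport']}: {entry['attempts']} attempts "
              f"between {entry['first']} and {entry['last']} ({entry['span_seconds']}s)")
```

Only the flag-S packets count, so the decoy's own SYN/ACK replies and traffic to other addresses are ignored; lowering `min_attempts` to 1 lists every distinct source that touched the decoy at all, which is useful when building a timeline of who came looking for the old host.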



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Mar 30 10:31:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
