Re: The "unplug the cord" dilemma
From: <pspielmann(at)vitek.fr>
Date: Tue Apr 01 2003 - 05:08:11 EST
De Velopment wrote:
>> I was looking for documentation available discussing circumstances where
>> each of the following approaches is better:
>>
>>  a) leave the system online/plugged to the network -> online investigation
>>  b) unplug the system from network and shutdown -> offline forensics
>>  c) unplug the system from network and unplug from power source -> offline forensics
>
> I would like to suggest a fourth option: Unplugging the Ethernet cable

I would even suggest some other models to save the most possible information:

If it is a system-critical machine, unplug the network cable; otherwise just sniff all traffic to this IP (or, if paranoid, the MAC address) for a while.

Copy all volatile information (network state, routing info, process listings, open files, etc.) using statically compiled trusted binaries from a CD-ROM to a remote computer (do not log this traffic!) and then switch it off to do all the other forensics you want to do.

To do this I suggest to prepare

I would also include a portscan (TCP and UDP) to check for differences in the output of netstat and real open ports.

Keep us informed about your paper, I would like to read it!
bye
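The procedure sketched in the post above (trusted static binaries on a CD-ROM, volatile state shipped off-box before power-off, then a portscan compared against netstat) as an added example script. This is not code from the post or from SecurityFocus; it assumes a Linux host, a CD mounted at /mnt/cdrom with static binaries under /mnt/cdrom/bin, a collector at 10.0.0.5 port 9999, Linux `netstat -anp` output and nmap normal output formats, and the sample netstat/nmap text is constructed for the demonstration, not captured from any incident.

```shell
#!/bin/sh
# Added example: volatile-data collection from a trusted medium, plus the
# "netstat vs. real open ports" check. All paths/hosts below are assumptions.

TRUSTED_BIN=/mnt/cdrom/bin      # hypothetical: static binaries on the CD-ROM
COLLECTOR_HOST=10.0.0.5         # hypothetical: investigator's listener
COLLECTOR_PORT=9999

# Run one tool from the trusted medium only. PATH is pinned to the CD and
# LD_LIBRARY_PATH cleared so nothing on the suspect disk is resolved; a tool
# missing from the CD is skipped rather than falling back to the system copy.
run_trusted() {
    name=$1; shift
    if [ ! -x "$TRUSTED_BIN/$name" ]; then
        echo "### $name: not on trusted medium, skipped"; return 0
    fi
    echo "### $name $*"
    PATH="$TRUSTED_BIN" LD_LIBRARY_PATH="" "$TRUSTED_BIN/$name" "$@" 2>&1
    echo
}

# Most volatile first: clock, sockets, routes, ARP, processes, open files, users.
collect_volatile() {
    run_trusted date
    run_trusted uptime
    run_trusted netstat -anp
    run_trusted netstat -rn
    run_trusted arp -an
    run_trusted ps auxww
    run_trusted lsof -n -P
    run_trusted ifconfig -a      # PROMISC flag hints at a sniffer
    run_trusted w
}

# Ship everything to the collector. The sniffer on the investigator side must
# exclude this flow (e.g. a BPF filter "not host 10.0.0.5") so the capture of
# the suspect's real traffic is not polluted by the collection itself.
ship() {
    collect_volatile | "$TRUSTED_BIN/nc" -w 5 "$COLLECTOR_HOST" "$COLLECTOR_PORT"
}

# Ports the host itself admits to: TCP sockets in LISTEN and any bound UDP
# socket. Emits "proto port" pairs, e.g. "tcp 22".
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp", a[n] }
         $1 ~ /^udp/                    { n = split($4, a, ":"); print "udp", a[n] }'
}

# Ports an external scan sees open, from nmap normal output ("22/tcp open ssh").
nmap_open_ports() {
    awk '$2 == "open" { split($1, a, "/"); print a[2], a[1] }'
}

# Ports open on the wire but absent from netstat: the discrepancy the post
# suggests looking for, typical of a rootkit hiding a backdoor listener.
hidden_ports() {
    {
        netstat_listen_ports < "$1" | sed 's/^/N /'
        nmap_open_ports      < "$2" | sed 's/^/S /'
    } | awk '$1 == "N" { seen[$2 " " $3] = 1; next }
             !(($2 " " $3) in seen) { print $3 "/" $2 }'
}

# Constructed sample output (not from a real system) to exercise the check.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      944/sendmail
tcp        0      0 10.0.0.7:22             10.0.0.5:40112          ESTABLISHED 2711/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/ntpd'
SAMPLE_NMAP='PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
123/udp   open   ntp
31337/tcp open   Elite'

# Runs hidden_ports over the samples; prints "31337/tcp", the port the scan
# sees that netstat on the box does not report.
demo_hidden_ports() {
    ns=$(mktemp); nm=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$ns"
    printf '%s\n' "$SAMPLE_NMAP" > "$nm"
    hidden_ports "$ns" "$nm"
    rm -f "$ns" "$nm"
}

case "${1:-}" in
    collect) ship ;;              # on the suspect host, from the trusted shell
    demo)    demo_hidden_ports ;; # offline, with the constructed samples
esac
```

Run `sh collect.sh collect` on the suspect host from a shell started off the CD, with `nc -l -p 9999 > volatile.txt` already waiting on the collector; afterwards scan the host from the collector (`nmap -sT -sU -p- 10.0.0.7`) and feed both outputs to `hidden_ports`. The 127.0.0.1:25 listener in the sample is correctly not flagged: a remote scan cannot see it, so its absence from nmap is expected, whereas a port the scan sees and netstat omits is the suspicious case.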
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Apr 1 22:18:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT