(.pdf) download - IAC - Defense Technical Information Center

More documents

Recommendations

Info

Computer Crime Scene: 1Contact Law Enforcement Your intrusion policy document should identify the appropriate law enforcement agency to contact. It should also identify circumstances that will be handled internally and those that warrant referral to an outside agency. 2 3 Begin Keystroke Monitoring Keystroke monitoring can provide a valuable record of activity on the system. However, it can also be a violation of privacy rights unless users are advised that it may be part of your security operations. If you are unsure of the legality of this operation, seek advice. As with audit trails, key stroke monitoring may alter or add artifacts to the evidence. If it is turned on after the incident is discovered, advise the investigator. Turn on Audit Trails This simple step will enable logins and related activity to be recorded. Audit trails should be turned on and maintained as a normal course of business. However, if this has not been the case, they should be turned on at this point. The investigator will need to know if the audit trails were turned on after discovery of the incident because the audit trail may alter the evidence. 1. Contact law enforce 2. Turn on audit trails 3. Begin keystroke mo 4. Assemble the incide management team 5. Designate an eviden 6. Make backups and p 7. Begin recording cos to recover from the 8. Document your acti 9. Theorize. 4 12 Assemble the Incident Management Team Your plans should identify everyone on the incident management team and define their roles and responsibilities. A typical team consists of— • Manager—Leads the team, has ultimate responsibility for documentation • System Administrator—Subject matter expert for system issues and questions • Auditor—Determines economic impact of the crime or intrusion. Source: IATAC Computer Forensics: Tools & Methodology CR/TA, May 12, 1999 5D e s i g n One person person will be r origin (e.g., who maintain the “ch as well as the d the incident. Th cials as they be
9 Recommended Steps 6 Begin Recording Costs ment Necessary to Recover from the Incident 7 In criminal prosecutions, the value of your time and effort, as well as direct costs for restoring the system, may Make be admissible during the penalty phase of a trial. Loss means Backups & nitoring more than just loss of equipment and software. You should place appropriate value on information that may have been Print Log stolen, lost, or damaged, productive time lost on the system; nt costs of alternate systems necessary for day-to-day operations while the investigation is proceeding, etc. 8 ce custodian Document Your rint log files ts necessary incident vity Activity Keep track of everything you do. This will not only assist the investigator, but may be crucial for the prosecutor during trial. The general rule is, “if you didn’t record it, it didn’t happen.” e an Evidence Custodian should be in charge of all evidence recovered at this stage. This esponsible for the information’s security and for documenting its recovered it, when and where it was recovered). This person will ain-of-custody” and will receive the evidence you have gathered, ocumentation associated with your initial efforts after discovering is same person will be a point of contact for law enforcement offigin their investigation. 9 Files This is the beginning of your evidence collection efforts within your compromised system. The best evidence will be an image of the system. If this is impractical, make a logical copy. Do not copy the backup or the log files onto the compromised system. The investigator will also need the most recent routine backup. Theorize The system administrator and the team assembled to manage this event know more about the system than anyone else. Try to reconstruct the crime, being as open and candid as possible. Investigators will need your technical expertise and your ideas about issues, such as: • Your theory on how the intruder got in • Attacks on the system in the past (both successful and unsuccessful) • Unusual patterns of activity on the system • General system vulnerabilities. Spring 1 999 • Vo l. 2 No. 4 I An e w s l e t t e r 13
Page 1 and 2: The Newsletter for Information Assu
Page 3 and 4: Moving Sensitive U.S. Electrons Aro
Page 5 and 6: will go to your system administ ra
Page 7 and 8: Meeting the Melissa Virus Head On D
Page 9 and 10: Information Assurance— The Achill
Page 11: systems command I2WD’s Role in Se
Page 15 and 16: gov’t r&d community such as systa
Page 17 and 18: Face Recognition Technology: the Ke
Page 19 and 20: Public STINET Enhanced! www.dtic.mi
Page 21 and 22: Subscription Accounts and Technical
Page 23 and 24: order form IMPORTANT NOTE: All IATA

(.pdf) download - IAC - Defense Technical Information Center

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?