In this second part of our hacking series we will learn WHAT TO DO NEXT when a cyber or information security incident occurs. All of these steps should normally be documented in an Information Security Policy or an Incident Response Policy.

The Carnegie Mellon University and Software Engineering Institute provide many free and detailed guides (they are considered the industry norm) on their web site: http://www.cert.org/csirts/

The first step is to start logging the responder's activities, with a voice recorder [part of your forensics toolset] or a mobile phone. This is an important step in case the investigation's evidence is used in a court case, or simply to document the steps for training or future reference. Note that the responder may or may not be the person who finally conducts the forensic investigation; they are there to collect the evidence and follow proper procedures and protocols to preserve it.

The next decision is whether it is safe to pull the plug and turn off the server, or only to disconnect it from the network. Example: you have been alerted that an attack is stealing credit card or health record information from this server. In most cases the evidence is ephemeral, residing only in the server's memory, so turning off the server will destroy this precious evidence. In very rare cases the attacker will have created scripts or sensors that detect network disconnection and cause mayhem on the server or make the malicious script self-destruct. The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. A full list of memory imaging tools is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

So if you decided to keep the server running but disconnected or disabled the network, you will need to copy the existing memory to an external USB drive [another item in your forensic kit] and then proceed to an expedited shutdown. The forensic tools need to create an exact bit-by-bit copy of the disk, because even erased or deleted space contains valuable evidence. A full list of tools is available at http://www.forensicswiki.org/wiki/Disk_Imaging. Again, copies of these tools should be on a CD or write-protected USB drive in your forensic toolkit bag!

After the system has been shut down comes the “BAG AND TAG” step, where the hard drives are removed and individually bagged. Once the evidence reaches the forensics lab the next step begins: INVESTIGATION, which is the subject of our next blog post…
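The two evidence-handling steps above (logging what the responder did, and making a bit-by-bit copy of the disk) can be tied together in a small acquisition script. This is an added example, not code from the original post: it images a device with dd, hashes source and image, appends a chain-of-custody record, and can later re-verify the image against that record. The device paths, the log line format and the RESPONDER environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Acquires a bit-for-bit image of a
# device (or file) with dd, hashes source and image, appends a chain-of-custody
# record, and can later re-verify the image against that record.
# Paths, the log format and the RESPONDER variable are assumptions.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE block by block (dd only reads the source), hashes
# both, and appends one log line. Returns 0 only when the two hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 1; }
    # On failing media add conv=noerror,sync so unreadable sectors are zero-padded
    # instead of silently shifting later data; the image hash is then the record.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s responder=%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$ts" "${RESPONDER:-unknown}" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the hash recorded at acquisition time.
# Returns 1 if no record exists or the image has changed since it was taken.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F "image=$img " "$log" | tail -n 1 \
        | sed 's/.*sha256_image=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$img")" ]
}
```

Run it as `RESPONDER="J. Doe" acquire_image /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/custody.log`, with the destination on the write-protected or external drive from the kit, and call `verify_image` on the image before handing it to the lab.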