I completely agree with Robin. I've had a few situations where the IT guys
were thinking they were doing me a favor by attempting to fix the system
after it had been compromised, i.e. patch, restore from backup, reimage. At
best, they end up losing events in their event log (no syslog server) and
making the timeline analysis impossible.

As a quick aside, we would tell people to literally not touch the system
and even leave it attached to the network. To provide a bit of background, I
worked for AFOSI where we handled incident response for the AF. If we felt
there was intelligence to be gained, we would quarantine the system and fill
its standalone network with normal network noise in hopes of not tipping off
the intruder. In some cases, the intruder would continue to probe and we
could record their activities in hopes of identifying the intruder.

-Joel


"The path to hell is paved with good intentions."


On Tue, Oct 6, 2009 at 10:34 AM, Robin Wood <[email protected]> wrote:

> 2009/10/6 James Costello <[email protected]>:
> > I am getting ready to review and update our existing first responder
> > forensic responsibilities policy and wanted to know what others are using
> > as their policies.
> > I am looking for the information and policies that apply to non-IT who
> > might uncover the problem or the IT team member who is not responsible for
> > the forensics
>
> I don't do forensics but my first thought for both situations,
> especially the first, is to touch nothing and call the phone number
> that is well advertised around the office to get the professionals in.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>