Joint Security Policy Group, Geneva, 24-25 January 2005
Procedure for scaling images of computers under attack or under suspicion
Simple procedure
• Follow the yellow line procedure.
• No technical knowledge needed.
• In less than an hour your system is back online.
• In less than an hour your system is back online safely.
• Collection first, analysis later.
Step A
To avoid propagating the infection, remove the external avenues for change.
• Unplug the network connection.
Step B
To save system information before the system is shut down: the information that is only available on the live system, collected from the most volatile to the least volatile.
• Log into the computer and execute the following commands:
• ps aux > process.txt
• netstat --listening > connections.txt
• w > users.txt
• mount > partitions.txt
• arp > arp.txt
Step C
To know the number of partitions, so that a copy of every one of them is made.
• List the mounted partitions.
• Copy the output of the command onto paper (only so as not to forget a partition).
• mount
Step D
To put the suspicious hard disk into a clean and safe system. Do not do the forensics on the evidence disk itself; work on the copy.
• Power off the system.
• Unplug the hard disk.
• Plug the hard disk into another system.
Step E
To make an image of every partition of the system. Do not run programs that modify the access times of files; only run programs that make bit-to-bit copies.
• Execute dd to copy the partitions.
• For every partition (? is the partition number): dd if=/dev/hdb? of=/hdb?.dd
Step F
To add the MD5 hash to the information sent. Worried about MD5 collisions? The hash is there to detect tampering with the files, and the tarball makes sending the information easy.
• Make an md5sum of the dd files: md5sum hdb?.dd >> md5.txt
• Make a tarball of all the hdb?.dd files and md5.txt (the archive name follows the f flag): tar czvf ip-dd.tgz hdb?.dd md5.txt
Step G
To deliver the information about a potential crime to the expert.
• Send the tarball and the hash to the CCSI team.
• CCSI = Computer Crime Science Investigation
• ccsi@........
• FTP server to upload to
Step H
The system is ready to produce e-science again. Less than an hour to restart the system clean and safe. The CCSI will send you advice on improving security, and another report to the group.
• Put the hard disk back into the original system and reinstall it.
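The yellow line from Step B to Step F, written out as shell functions. This is an added example, not code from the original slides: the device path (/dev/hdb? on the slides), the evidence directory and the host IP used in the tarball name are parameters, and the helper names (save_if_available, image_partition, image_matches_source, hash_images, verify_images, pack_evidence, run_procedure) are this example's own. The tool names follow the slides; a tool that is missing on the host is recorded as missing rather than aborting the collection.

```shell
#!/bin/sh
# Added example, not from the original slides: Steps B, E and F as shell
# functions. Device, evidence directory and host IP are parameters so the
# imaging and hashing functions can be exercised on a plain file that stands
# in for a partition.

# Run "$tool args..." into "$out" if the tool exists on this host; a missing
# tool must never abort the collection of the remaining volatile data.
save_if_available() {
    tool="$1"; out="$2"; shift 2
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$@" > "$out" 2>&1 || true
    else
        echo "$tool: not available on this host" > "$out"
    fi
}

# Step B (on the live system, before shutdown): save what exists only in
# memory, most volatile first: processes and sockets, then users, mounts
# and the ARP cache.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir"
    save_if_available ps      "$outdir/process.txt"     aux
    save_if_available netstat "$outdir/connections.txt" --listening
    save_if_available w       "$outdir/users.txt"
    save_if_available mount   "$outdir/partitions.txt"
    save_if_available arp     "$outdir/arp.txt"
}

# Step E (on the clean system): bit-to-bit copy of one partition with dd.
# Nothing here mounts or opens files on the evidence filesystem, so no
# access times are touched.
image_partition() {
    dev="$1"; out="$2"
    mkdir -p "$(dirname "$out")"
    dd if="$dev" of="$out" bs=65536 2>/dev/null
}

# Check that the image is a faithful copy: same MD5 as the source device.
# Returns 0 when they match, 1 otherwise.
image_matches_source() {
    src_sum=$(md5sum < "$1" | cut -d' ' -f1)
    img_sum=$(md5sum < "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# Step F: hash every image into md5.txt next to the images ...
hash_images() {
    ( cd "$1" && md5sum *.dd > md5.txt )
}

# ... and verify them later (md5sum -c re-reads each file and compares).
verify_images() {
    ( cd "$1" && md5sum -c md5.txt >/dev/null 2>&1 )
}

# Step F: one tarball of the images plus md5.txt. The archive name follows
# the f flag and comes before the file list.
pack_evidence() {
    evidence_dir="$1"; tarball="$2"
    tar czf "$tarball" -C "$evidence_dir" .
}

# Steps E and F for one whole disk attached to the clean analysis system.
# Assumed names; run as root on the analysis system:
#   run_procedure /dev/hdb /evidence 10.0.0.1
# (collect_volatile /volatile is run separately, on the live system, in Step B)
run_procedure() {
    disk="$1"; evidence_dir="$2"; host_ip="$3"
    for part in "$disk"[0-9]*; do
        [ -e "$part" ] || continue
        img="$evidence_dir/$(basename "$part").dd"
        image_partition "$part" "$img"
        image_matches_source "$part" "$img" \
            || echo "WARNING: image of $part does not match the source" >&2
    done
    hash_images "$evidence_dir"
    verify_images "$evidence_dir" || return 1
    pack_evidence "$evidence_dir" "$evidence_dir/../$host_ip-dd.tgz"
}
```

On a disk with unreadable sectors, plain dd stops at the first read error; the usual dd choice there is conv=noerror,sync, which skips the bad block and pads it with zeros so the offsets of everything after it stay intact (the image is then larger than the source, so image_matches_source will not apply as written). Keep md5.txt with the tarball: md5sum -c is how the receiving side checks that nothing changed in transit.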
Conclusions
• This procedure can be written on a sheet. Only one sheet.
• This procedure could be the start of a more formal document.
• This procedure could be the basis for further discussion. I hope!
Thanks
• To all of you for your patience with my English level.
• Thanks to Elio Pérez.