
Procedure for scaling images of computers under attack or under suspicion

Joint Security Policy Group, Geneva, 24-25 January 2005. Procedure for scaling images of computers under attack or under suspicion. A simple procedure: follow the yellow line; no technical knowledge needed; in less than an hour your system is back online.


Presentation Transcript


  1. Joint Security Policy Group, Geneva, 24-25 January 2005. Procedure for scaling images of computers under attack or under suspicion

  2. A simple procedure
  • Follow the yellow line: a step-by-step procedure.
  • No technical knowledge is needed.
  • In less than an hour your system is back online.
  • In less than an hour your system is safe again.
  • Collect first, analyse later.

  3. Step A. Purpose: to stop the infection from spreading, and to remove external avenues for changes.
  • Unplug the network connection.

  4. Step B. Purpose: to save system information before the system is shut down, capturing information that exists only on the live system (from the most volatile to the least volatile).
  • Log into the computer and run the following commands:
  • ps aux > process.txt
  • netstat -l > connections.txt
  • w > users.txt
  • mount > partitions.txt
  • arp > arp.txt

  5. Step C. Purpose: to learn how many partitions there are, so that every one of them is copied.
  • List the mounted partitions: mount
  • Write the output of the command down on paper (only so that no partition is forgotten).

  6. Step D. Purpose: to move the suspect hard disk into a clean and safe system. Avoid doing forensics on the evidence copy.
  • Power off the system.
  • Unplug the hard disk.
  • Plug the hard disk into another system.

  7. Step E. Purpose: to make an image of every partition of the system. Do not run programs that modify file access times; use only programs that make bit-for-bit copies.
  • Run dd to copy the partitions.
  • For every partition (? stands for the partition number): dd if=/dev/hdb? of=/hdb?.dd

  8. Step F. Purpose: to attach MD5 hashes to the information sent, to detect tampering with the files, and to make sending the information easy. Worried about MD5 collisions?
  • Compute an md5sum of the dd files: md5sum hdb?.dd >> md5.txt
  • Make a tarball of all the hdb?.dd files and md5.txt (archive name first, then the files): tar czvf ip-dd.tgz hdb?.dd md5.txt

  9. Step G. Purpose: to deliver the information about a potential crime to the expert.
  • Send the tarball and the hash to the CCSI team.
  • CCSI = Computer Crime Science Investigation
  • ccsi@........
  • FTP server to upload to

  10. Step H. The system is ready again to produce e-science. Less than an hour to restart the system clean and safe. The CCSI will send you advice to improve security, and another report to the group.
  • Return the hard disk to the original system and reinstall it.
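Steps B to F of the procedure above as one script, added here as an example; it is not part of the original slides. It assumes a Linux host with GNU coreutils, takes device names such as /dev/hdb1 (an assumed name) on the command line, and assumes the suspect disk is attached to the analysis system read-only (write blocker or read-only mount, not handled by the script). It goes slightly beyond the slides: netstat is asked for all sockets rather than only listening ones, a SHA-256 list is written beside the MD5 list because of the collision worry raised in step F, dd is told to carry on past unreadable blocks, and the tar command has the archive name where tar expects it. A verify function shows what the receiving team does first with the hash lists.

```shell
#!/bin/sh
# Added example (not from the slides): a scripted form of steps B to F.
# Assumptions: Linux host with GNU coreutils; device names such as /dev/hdb1
# are assumed and passed on the command line; the suspect disk is attached
# read-only to the analysis system (write blocker or ro mount, not done here).
set -u

# Run one command, writing its output to $OUTDIR/<file>. A missing tool is
# recorded in the file instead of stopping the collection.
capture() {                # capture <file> <command> [args...]
    f=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$f" 2>&1 || printf 'exit status %s\n' "$?" >> "$OUTDIR/$f"
    else
        printf '%s: not available on this host\n' "$1" > "$OUTDIR/$f"
    fi
}

# Step B, run on the live suspect system after the cable is unplugged (step A):
# the most volatile state first.
collect_volatile() {       # collect_volatile <outdir>
    OUTDIR=$1
    mkdir -p "$OUTDIR"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUTDIR/collected_at.txt"
    capture process.txt     ps aux
    capture connections.txt netstat -an   # every socket, not only listeners
    capture users.txt       w
    capture partitions.txt  mount          # doubles as the step C list
    capture arp.txt         arp -an
}

# Step E, run on the analysis system: bit-for-bit copy of one partition.
# conv=noerror,sync reads past bad blocks (zero-padded) instead of aborting;
# dd's own byte count report goes to a log beside the image.
image_partition() {        # image_partition <device> <outdir>
    dev=$1; outdir=$2
    mkdir -p "$outdir"
    name=$(basename "$dev")
    dd if="$dev" of="$outdir/$name.dd" bs=4096 conv=noerror,sync \
        2> "$outdir/$name.dd.log"
}

# Step F: hash every image. MD5 is what the slides ask for; SHA-256 is
# recorded alongside it because of the collision concern the slides raise.
hash_images() {            # hash_images <outdir>
    ( cd "$1" && md5sum ./*.dd > md5.txt && sha256sum ./*.dd > sha256.txt )
}

# What the receiving team does first: re-check the images against the lists.
verify_images() {          # verify_images <outdir>; exit status 0 = all match
    ( cd "$1" && md5sum -c --quiet md5.txt && sha256sum -c --quiet sha256.txt )
}

# Step F, tarball: the archive name comes first, then the members.
bundle_evidence() {        # bundle_evidence <outdir> <case-id>; prints the path
    outdir=$1; case_id=$2
    ( cd "$outdir" && tar czf "$case_id-dd.tgz" ./*.dd md5.txt sha256.txt )
    printf '%s\n' "$outdir/$case_id-dd.tgz"
}

# Usage, two invocations on two machines (CASE-0001 is a placeholder id):
#   sh procedure.sh collect ./evidence                 (live system, step B)
#   sh procedure.sh image CASE-0001 /dev/hdb1 /dev/hdb2 (analysis system, E-F)
case "${1-}" in
    collect) collect_volatile "$2" ;;
    image)   shift; case_id=$1; shift
             for dev in "$@"; do image_partition "$dev" ./evidence/images; done
             hash_images ./evidence/images
             verify_images ./evidence/images
             bundle_evidence ./evidence/images "$case_id" ;;
esac
```

The collection and the imaging are deliberately separate modes because they run on different machines: step B on the live suspect system, steps E and F on the clean analysis system. Keeping the hash lists outside the tarball as well as inside it lets the receiver check the images even if the archive itself was altered in transit.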

  11. Conclusions
  • This procedure can be written on a sheet. Only one sheet.
  • This procedure could be the start of a more formal document.
  • This procedure could be the basis for further discussion. I hope!

  12. Thanks
  • To all of you for your patience with my English level.
  • Thanks to Elio Pérez.
