Security Basics mailing list archives

Re: Steps on how to handle an infected computers ( in forensics perspective)


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 27 Jul 2010 19:39:35 +0200

On 2010-07-27 Raja wrote:
> Can anybody provide me good practicable steps on handling a malware
> infected computer?

First and foremost: remove the computer from the net immediately.

After doing that you have to decide if you want to do a first analysis
from within the running system, or directly switch it off. Analyzing the
running system has the advantage that you may gather information about
the infected system (running processes, open ports, established
connections, ...), but also has the disadvantage that malware may detect
your activities and start wiping its tracks or counter your analysis.

Regardless of whether or not you do a live analysis, your next step is
to switch off (as in "unplug the power cord") the computer. That is to
prevent the malware from altering the system during shutdown.

After that you image the hard disk(s), and do any further analysis on
copies of that image, so the original data will remain unchanged. It's
advisable to create an isolated lab environment for this kind of
analysis.

The actual analysis (i.e. which tools to use, where to look, and what to
look for) will depend on what operating system the infected system is
running and what symptoms it was showing.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
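The "image the disk, then do all further analysis on copies" step above, as an added shell example that is not part of the original post or the thread: it assumes a Linux host with `dd`, `sha256sum` and `awk`, and substitutes a constructed file for the powered-off machine's disk (in practice the source would be the device behind a write blocker).

```shell
#!/bin/sh
# Added example (not from the original post): acquire a bit-for-bit image,
# record and verify its hash, and hand analysts a working copy so the
# original image is never modified. WORKDIR is an assumed scratch directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed stand-in for the suspect disk: 1 MiB of random data.
make_sample_disk() {
    dd if=/dev/urandom of="$WORKDIR/evidence.dd" bs=1024 count=1024 2>/dev/null
    echo "$WORKDIR/evidence.dd"
}

# Image SRC into IMG, then compare source and image hashes before trusting it.
# conv=noerror,sync keeps going past read errors by zero-filling the block,
# which is exactly the case a hash mismatch will surface; stop on mismatch.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash="$(sha256sum "$src" | awk '{print $1}')"
    img_hash="$(sha256sum "$img" | awk '{print $1}')"
    [ "$src_hash" = "$img_hash" ] || {
        echo "image does not match source: $src_hash != $img_hash" >&2
        return 1
    }
    echo "$img_hash" > "$img.sha256"   # acquisition hash, kept beside the image
    echo "$img"
}

# Re-check a file against the hash recorded at acquisition time.
verify_image() {
    f="$1"; expected="$(cat "$2")"
    actual="$(sha256sum "$f" | awk '{print $1}')"
    [ "$actual" = "$expected" ]
}

# Analysts work on COPY; the original image is made read-only so it can be
# re-verified with verify_image at any later point.
make_working_copy() {
    img="$1"; copy="$2"
    cp "$img" "$copy"
    chmod a-w "$img"
    echo "$copy"
}
```

Repeat `verify_image` on the original image whenever a finding needs to be defended; any change to a working copy must leave that check passing.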


