Security Basics mailing list archives
RE: Steps on how to handle an infected computers ( in forensicsperspective)
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Tue, 27 Jul 2010 15:19:00 -0400
My expertise in forensics is really limited, but I believe that pulling the power cord at that step is unwise, as you will basically be throwing a lot of data and information out the window. Shouldn't he get access to the memory before flushing the power cord?

Also, I get that unplugging the system from the network is wise to protect both the system and the network. But won't you effectively change the state of a machine when you want to capture the machine in the "bad state"? Shouldn't he pull the power cord before the network cable?

My reading of the TCT is a way back, so please forgive me if I'm wrong here.

Btw - My first step would be to call an expert and read my corporate policy and procedure ;)

Philippe Rivest - CISSP, CISA, CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Vérificateur interne - Sécurité de l'information
8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417
Fax: 514-856-7541
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar Wiechers
Sent: 27 July 2010 13:40
To: security-basics () securityfocus com
Subject: Re: Steps on how to handle an infected computers ( in forensicsperspective)

On 2010-07-27 Raja wrote:
Can anybody provide me good practicable steps on handling a malware infected computer?
First and foremost: remove the computer from the net immediately. After doing that you have to decide if you want to do a first analysis from within the running system, or directly switch it off. Analyzing the running system has the advantage that you may gather information about the infected system (running processes, open ports, established connections, ...), but also has the disadvantage that malware may detect your activities and start wiping its tracks or counter your analysis.

Regardless of whether or not you do a live analysis, your next step is to switch off (as in "unplug the power cord") the computer. That is to prevent the malware from altering the system during shutdown. After that you image the hard disk(s), and do any further analysis on copies of that image, so the original data will remain unchanged. It's advisable to create an isolated lab environment for this kind of analysis.

The actual analysis (i.e. which tools to use, where to look, and what to look for) will depend on what operating system the infected system is running and what symptoms it was showing.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
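The imaging step Ansgar describes (copy the disk, then work only on the copy) is only useful if you can later prove the copy is faithful and know which parts of it are not. The script below is an added example, written for this archive page and not code posted by Ansgar, Philippe or the TCT project. It reads an evidence source in fixed-size blocks, writes a raw dd-style image, hashes the data as it is written, re-hashes the finished image file to confirm the copy, and logs every unreadable block (replaced with zeros, the way `dd conv=noerror,sync` behaves) so the analyst knows which byte ranges of the image carry no real evidence. `BadSectorSource` and the 4 KiB "disk" are constructed test data; in a real acquisition you would call `image_device()` on a device node attached through a write blocker, after any memory capture, which this example does not cover.

```python
#!/usr/bin/env python3
"""Raw disk imaging with hash verification and bad-block logging.

Added example, not code from the thread. Reads the evidence source in
fixed-size blocks, writes a raw (dd-style) image, records the SHA-256 of
the stream as written and then re-hashes the finished image file to
confirm the copy, so all later analysis can run on the copy. A block
that cannot be read is replaced by zeros and its offset logged, as
`dd conv=noerror,sync` would do, so the analyst knows which byte
ranges of the image are not real evidence.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # one sector; a real run would use a larger block for speed


def image_stream(fin, fout, block=BLOCK):
    """Copy fin to fout block by block. fin needs read() and seek().

    Returns (bytes_written, sha256_hex_of_written_data, bad_block_offsets).
    Assumes the source size is a whole number of blocks (true for block
    devices with 512-byte sectors).
    """
    digest = hashlib.sha256()
    bad = []
    offset = 0
    while True:
        try:
            chunk = fin.read(block)
        except OSError:
            bad.append(offset)
            fin.seek(offset + block)      # skip the unreadable block
            chunk = b"\x00" * block       # keep image offsets aligned with the source
        if not chunk:
            break
        fout.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return offset, digest.hexdigest(), bad


def image_device(src_path, dst_path, block=BLOCK):
    """Image src_path (device node or file) into a new file dst_path."""
    # "rb": the evidence is never opened for writing; "xb": never overwrite an image
    with open(src_path, "rb", buffering=0) as fin, open(dst_path, "xb") as fout:
        return image_stream(fin, fout, block)


def sha256_file(path, block=1 << 20):
    """Independent re-hash of the finished image, for the chain-of-custody record."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


class BadSectorSource:
    """Constructed stand-in for a disk with unreadable sectors (test data only)."""

    def __init__(self, data, bad_offsets, block=BLOCK):
        self.data, self.bad, self.block, self.pos = data, set(bad_offsets), block, 0

    def read(self, n):
        # Any read that starts inside a bad sector fails like a real I/O error.
        if (self.pos // self.block) * self.block in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def demo():
    """Image a constructed 4 KiB 'disk' whose sector at offset 1024 is unreadable."""
    disk = bytes(range(256)) * 16          # 4096 bytes of recognisable pattern
    src = BadSectorSource(disk, bad_offsets=[1024])
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    with open(image, "xb") as fout:
        written, stream_hash, bad = image_stream(src, fout)
    image_hash = sha256_file(image)
    with open(image, "rb") as f:
        img = f.read()
    return {
        "bytes_copied": written,
        "bad_blocks": bad,
        "stream_sha256": stream_hash,
        "image_sha256": image_hash,
        "verified": stream_hash == image_hash,
        "zeroed_range_ok": img[1024:1536] == b"\x00" * 512,
        "good_data_intact": img[:1024] == disk[:1024] and img[1536:] == disk[1536:],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hashes are recorded separately on purpose: the stream hash is what you write on the evidence form at acquisition time, and the file hash is what anyone can recompute later to show the copy they are analysing is the one that was taken. The bad-block list belongs on the same form, because a zeroed sector that is later "found" to contain nothing is an artifact of the acquisition, not a finding about the infected machine.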
Current thread:
- Steps on how to handle an infected computers ( in forensics perspective) Raja (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensics perspective) Adam Mooz (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensics perspective) Ansgar Wiechers (Jul 27)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Rivest, Philippe (Jul 27)
- Re: Steps on how to handle an infected computers ( in forensicsperspective) Ansgar Wiechers (Jul 27)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Sacks, Cailan C (Jul 28)
- Re: Steps on how to handle an infected computers ( in forensicsperspective) John Morrison (Jul 28)
- RE: Steps on how to handle an infected computers ( in forensicsperspective) Rivest, Philippe (Jul 27)
- <Possible follow-ups>
- Re: Steps on how to handle an infected computers ( in forensics perspective) lukasz (Jul 27)