
Dialnet


Incident response: performing investigations on a Live Host

  • Authors: Keith J. Jones
  • Location: ;login:: the magazine of USENIX & SAGE, ISSN 1044-6397, Vol. 26, No. 7, 2001 (Issue dedicated to: Special focus Issue: Security. Guest editor: Rik Farrow), pp. 26-31
  • Language: English
  • Full text not available (Learn more ...)
  • Abstract
    • Corporate IT staffs are investigating computer security incidents and computer crime more than ever before. Who would have thought the IT staff would become the "network cops" of the company? But that is exactly what they have become. Therefore, your Incident Response (IR) staff needs to be armed and prepared to support the decisions and investigations to protect corporate assets, protect employee privacy, and enforce the policies that general counsel and senior management endorse. A methodology and formal investigative process needs to be implemented.

      This article will describe the process of performing a successful live incident response on a UNIX operating system and will discuss the mechanisms used to preserve the evidence. It is assumed the reader has basic system administration skills and little or no experience with investigations. Therefore, this article will provide deeper focus on the investigative aspects of the live response and methods used to collect the evidence in a forensically sound manner rather than the technical usage of the tools. Since no investigation is the same, a step-by-step process that will encompass every aspect you may encounter is difficult to provide. The information in this article will provide a solid base to executing and transferring most of the information needed for a successful investigation in a forensically sound manner.

