DoJ computer forensics guide

The US Department of Justice has an interesting guide to computer forensics, titled
Electronic Crime Scene Investigation: A Guide for First Responders. From the abstract:

Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This NIJ Guide (NCJ 187736) is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence.

For experienced admins, there’s not much new here, but it’s a good overview of different classes of devices and some of the forensic concerns surrounding them. One question I’m often asked when I teach is whether forensic recovery is important. The answer is a little surprising.

CERT, Microsoft, and SANS all recommend flattening (wiping and reinstalling) a machine that you know or suspect has been compromised. Why? It’s very difficult to be sure that it’s clean even after you clean it. For a simple compromise like Blaster or Slammer, it’s easy to remove the executable, but there are much more sophisticated tools that aren’t easily removed (or detected, for that matter), thus the flattening recommendation. However, as soon as you erase the disk, guess what? You’ll lose much of the forensic information that you might want to help identify the scope and source of the compromise. This is critical if you want to get help from law enforcement, since there are standards of evidence that must be maintained in order to successfully prosecute an attacker. That’s why most forensic investigations begin by unplugging the suspect machine and cloning its data using a tool like EnCase, which is approved as a method of gathering admissible evidence (Ghost, for example, works fine but its copies aren’t generally accepted as “pure” evidence). However, if all you care about is quickly getting the compromised machine back in service, flattening it is obviously the way to go.
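
The "clone before you flatten" advice above boils down to a small procedure: take a read-only copy of the suspect disk, hash both the original and the copy, and write down who took the copy and when, so the copy can later be shown to match. The script below is an added example written for this post, not a tool from the DoJ guide or any product it mentions; it uses standard coreutils (dd, sha256sum) and stands in a regular file for the suspect disk. The function names, the custody-log format, and the PLACEHOLDER_EXAMINER value are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal acquisition workflow that
# mirrors the "clone before you flatten" advice. It copies a source (a block
# device in practice; here a regular file stands in) to an image, hashes both,
# and appends a chain-of-custody record so the copy can later be shown to match
# the original. Function names and log format are this example's assumptions.

# Print the SHA-256 of a file (first field of sha256sum output).
hash_file() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, hashes both, and appends a custody record to
# LOG. Returns 0 only if the source and image hashes are identical.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # The source is only ever read, never written to.
    # conv=noerror keeps reading past bad sectors on a real device; dd's
    # diagnostics go into the log so any read problems are documented.
    dd if="$src" of="$img" bs=4096 conv=noerror 2>>"$log" || return 1

    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")

    # Chain-of-custody entry: who, when, what, and the integrity values.
    # The examiner name is a placeholder; a real record names the person.
    {
        echo "examiner=PLACEHOLDER_EXAMINER"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the image_sha256 recorded in LOG. This is
# the check you run later to show the copy has not changed since acquisition.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep '^image_sha256=' "$log" | tail -n 1 | cut -d '=' -f 2)
    [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]
}

# Demonstration on a constructed file standing in for a suspect disk.
demo() {
    work=$(mktemp -d)
    printf 'constructed sample evidence: not a real disk image\n' >"$work/suspect.bin"
    if acquire_image "$work/suspect.bin" "$work/suspect.dd" "$work/custody.log"; then
        echo "acquired and verified"
    else
        echo "hash mismatch"
    fi
    if verify_image "$work/suspect.dd" "$work/custody.log"; then
        echo "image still matches custody record"
    fi
    rm -rf "$work"
}

demo
```

On a real case the source would be a device node opened read-only (ideally through a hardware write blocker), and the custody log would travel with the image; the point of hashing both sides at acquisition time is that any later dispute about whether the copy is faithful can be settled by recomputing one value.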

Deb Shinder’s excellent book Scene of the Cybercrime discusses forensics in more detail, and I recommend it if you’re interested in the field.
