When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?
Correct answer: C
When an intrusion has been detected and confirmed, and you wish to prosecute the attacker in court, the following actions should be performed in this order:
Capture and record system information and evidence that may be lost, modified, or not captured during the execution of a backup procedure. Start with the most volatile memory areas first.
Make at least two full backups of the compromised systems, using hardware-write-protectable or write-once media.
A first backup may be used to re-install the compromised system for further analysis and the second one should be preserved in a secure location to preserve the chain of custody of evidence.
Isolate the compromised systems.
Search for signs of intrusions on other systems.
Examine logs in order to gather more information and better identify other systems to which the intruder might have gained access.
Search through logs of compromised systems for information that would reveal the kind of attacks used to gain access.
Identify what the intruder did, for example by analyzing various log files, comparing checksums of known, trusted files to those on the compromised machine and by using other intrusion analysis tools.
Regardless of the exact steps followed, if you wish to prosecute in a court of law you MUST capture the evidence as a first step, before it can be lost or contaminated. You always start with the most volatile evidence first.
NOTE: I have received feedback saying that some other steps may be done, such as disconnecting the system from the network or shutting down the system. This is true.
However, those are not choices listed within the 4 choices attached to this question; you MUST avoid changing the question.
You must stick to the four choices presented and pick which one is the best out of the four presented.
In real life, forensics is not always black or white. There are many shades of grey. In real life you would have to consult your system policy (if you have one), get your Computer Incident team involved, and talk to your forensic expert, and then decide what is the best course of action.
Reference(s) used for this question:
http://www.newyorkcomputerforensics.com/learn/forensics_process.php
ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).
When a true positive intrusion is detected and confirmed, the first step that should be taken if you wish to prosecute the attacker in court is to capture and record system information. Option C is the correct answer.
Capturing and recording system information helps to preserve evidence of the attack and provides a clear understanding of the scope of the intrusion. This information is critical when building a legal case against the attacker.
The information that should be captured and recorded includes:
Logs: System logs, network logs, and application logs should be collected to identify the attacker's activities and determine the extent of the damage.
Memory dumps: Memory dumps should be taken to capture the state of the system at the time of the attack. This includes the contents of RAM, the processor state, and any open network connections.
Hard drive images: The hard drive should be imaged to preserve evidence of the attacker's activities and to prevent accidental destruction of evidence.
Network traffic: Network traffic should be captured to identify the attacker's methods and determine the extent of the damage.
After capturing and recording system information, the compromised systems should be isolated to prevent further damage. Backing up the compromised systems and identifying the attacks used to gain access are also important steps but should be taken after capturing and recording system information.
In summary, capturing and recording system information is the first step that should be taken if you wish to prosecute the attacker in court when analyzing an intrusion that has just been detected and confirmed as a true positive.
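Both explanations above describe the same first step: capture the most volatile evidence before anything else, and hash what you capture so its integrity can later be shown in court. The following added example (not from the question bank or the cited references) is a minimal POSIX sh first-responder script that collects live system information in order of volatility, writes each artifact to an evidence directory, records a timestamped SHA-256 manifest, and can re-verify that manifest later. The artifact names, the `collect_volatile` and `verify_manifest` function names, and the use of `/proc` files are assumptions of this example; on non-Linux hosts the `/proc` reads simply record that they were unavailable.

```shell
#!/bin/sh
# Added example: ordered volatile-evidence capture with an integrity manifest.
# Most volatile first: current time, running processes, live network state,
# logged-in users; least volatile last: kernel identity and mounts.

hash_file() {  # portable SHA-256: GNU coreutils sha256sum or BSD shasum
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# capture NAME CMD...: run CMD, save its output (including errors) as NAME.txt,
# then append "<utc-time>  <sha256>  <name>  <command>" to the manifest.
capture() {
  name=$1; shift
  out="$EVIDENCE_DIR/$name.txt"
  "$@" >"$out" 2>&1 || echo "[command exited non-zero: $*]" >>"$out"
  printf '%s  %s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$(hash_file "$out")" "$name" "$*" >>"$EVIDENCE_DIR/manifest.sha256"
}

# collect_volatile DIR: capture artifacts in order of volatility into DIR.
collect_volatile() {
  EVIDENCE_DIR=$1
  mkdir -p "$EVIDENCE_DIR"
  : >"$EVIDENCE_DIR/manifest.sha256"
  capture 01_time       date -u
  capture 02_processes  ps -ef
  capture 03_net_tcp    cat /proc/net/tcp     # Linux-only; absence is recorded
  capture 04_logged_in  who
  capture 05_uname      uname -a
  capture 06_mounts     cat /proc/mounts      # Linux-only; absence is recorded
  chmod 0444 "$EVIDENCE_DIR"/*.txt           # captured artifacts are not edited
}

# verify_manifest DIR: recompute every hash in the manifest; return 1 on mismatch.
verify_manifest() {
  dir=$1; status=0
  while read -r ts hash name cmd; do
    [ "$(hash_file "$dir/$name.txt")" = "$hash" ] \
      || { echo "MISMATCH: $name (captured $ts)"; status=1; }
  done <"$dir/manifest.sha256"
  return $status
}
```

Run `collect_volatile /path/to/evidence` on the compromised host, copy the directory to write-once media, and keep `verify_manifest` output with the case notes; full backups and disk images follow this step, as the explanations above state.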