Hacks #96-100
Incident recovery and response is a
very broad topic, and there are many opinions on the proper methods
to use and actions to take once an intrusion has been
discovered. Just as the debate rages
on regarding vi versus emacs, Linux versus Windows, and BSD versus
everything else, there is much debate in the computer forensics crowd
on the "clean shutdown" versus
"pull the plug" argument. A whole book could be written on recovering
from and responding to an incident since there are many things to
consider when doing so, and the procedure you should use is far from
well defined.With this in mind, this chapter is not meant to be a guide on what to
do when you first discover an incident, but it does show you how to
perform tasks that you might decide to undertake in the event of a
successful intrusion. In reading
this chapter, you will learn how to properly create a filesystem
image to use for forensic investigation of an incident, methods for
verifying that files on your system haven't been
tampered with, and some ideas on how to quickly track down the owner
of an IP address. |
لطفا منتظر باشید ...
