Signup Login
Try it for FREE!

Categories

Home > system security

First steps in Computer Forensics: Securing your network

POSTED ON: May 17, 2012 POSTED BY Irina Tihova

No matter how secure your infrastructure is, sooner or later you will become a victim of a computer crime. Someone may point a DDoS (Distributed Denial of Service) attack at your services, may sniff your network, or may copy/delete confidential information. You may not even realize such a thing has happened. However, in an organized and secured network, you will be notified at the first signs of an attack. Now what? Your first normal reaction would be to stop the attack with whatever means possible. However, that may not be the best response. If you don’t possess the needed knowledge yourself, it might be a good idea to leave the crime scene as it is and let a computer forensics investigator deal with it. Let’s focus on the steps that the investigator would take. You may choose to take these steps alone but you will most likely not have all the necessary support tools and systems for that.

  1. Document the system – name, date, time, purpose, hardware, software, it all matters.
  2. Collect evidence – all the information about the attack should be securely taken off the target system. This is usually done through specific software that hashes all the information. This way, the information is legitimate and can be used as formal evidence for prosecution. The evidence that is usually collected includes active network connections, processes loaded into memory, and a copy of all the information on the disk with the respective creation, modification, and access values. The collector should be confident about the security of the system used for storage and analysis of the copied evidence. Only after this step, is it beneficial to unplug or shut down the affected system. If the affected system is saving logs on a remote server, copy them as well, they are less likely to be compromised by the attack. In Linux, programs could still be running even after their files have been deleted. You can search for such programs with the command: file /proc/[0-9]*/exe|grep “(deleted)” . If you want to make a copy of this list use: /bin/dd if=/proc/filename/exe of=filename .
  3. Recreate the timeline of the attack – once all the information is copied on a secured workstation, the timeline of the attack can be recreated from the times of creation, modification, and access of all the files. This should be done before anything else, because the other steps can change the original times of the files. The timeline will show the last executed file, the last created/deleted folder, executed
    Read the full post
Category: Security

Trusted by:

trusted by trusted by trusted by trusted by trusted by trusted by trusted by trusted by trusted by trusted by
About Monitis

Monitis GFI is a specialist provider of web and Cloud monitoring services that include website monitoring, site load testing, transaction monitoring, application and database monitoring, Cloud resource monitoring, and server and internal network monitoring within one easy-to-use dashboard. Over 100,000 users worldwide have chosen Monitis as their provider of choice to increase uptime and user experience of their services and products. What makes Monitis' solutions different is that they are fast to deploy, feature-rich in technology and provide a comprehensive single-pane view of on-premise and off-premise infrastructure and applications.

Follow Monitis on Facebook
Follow Monitis on Twitter
Home | Products | Tools | Blog | Support | Company | Plans

All Rights Reserved. Monitis Inc.info@monitis.com