- Don't panic!
- Plan ahead: have response plans designed and rehearsed.
- Start a diary and/or script file as soon as you discover or suspect a break-in. Note and timestamp everything you discover and do. Sign these notes.
- Run hardcopies of files showing changes and tracing activity. Initial and time-stamp these copies.
- Prepare a forensic toolkit with trusted software on a bootable CD-ROM.
- Run machine status-checking programs regularly to watch for unusual activity: ps, w, vmstat, etc.
- If a break-in occurs, consider making a dump of the system to backup media before correcting anything.
- If the break-in occurs over the network, contact the attacker's ISP by phone.
- Carefully examine the system after a break-in. See the chapter for specifics; there is too much detail to list here. In particular, be certain that you restore the system to a known, good state.
- Carefully check backups and logs to determine if this is a single occurrence or is related to a set of incidents.
- Trust nothing but hardcopy.
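The diary, hardcopy and status-checking items above can be combined into a small shell helper. The following is an added example, not code from the book: it appends timestamped, initialled entries to an incident diary, captures the output of ps, w and vmstat (skipping any tool that is absent) into a dated snapshot file, records a SHA-256 digest of each snapshot in the diary, and can later re-hash a snapshot to detect tampering before it is printed or handed over. It assumes a POSIX shell with date, grep, sed and either sha256sum or shasum; the file names, the INCIDENT_DIARY variable and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the book): incident diary and status-snapshot helper.
# Assumes POSIX sh plus date/grep/sed and sha256sum or shasum.

# Diary location; override with INCIDENT_DIARY=/path/to/log (example variable).
DIARY="${INCIDENT_DIARY:-./incident-diary.log}"

# diary_note INITIALS TEXT...: append a UTC-timestamped entry, tagged with the
# handler's initials as the "signature" the chapter asks for.
diary_note() {
    _who="${1:?handler initials required}"; shift
    printf '%s [%s] %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$_who" "$*" >> "$DIARY"
}

# hash_file FILE: hex SHA-256 digest (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# status_snapshot [DIR]: run the status commands the chapter names (ps, w,
# vmstat) and save their output to DIR/status-<timestamp>.txt; prints the path.
status_snapshot() {
    _dir="${1:-./snapshots}"; mkdir -p "$_dir"
    _stamp="$(date -u '+%Y%m%dT%H%M%SZ')"
    _out="$_dir/status-$_stamp.txt"
    {
        printf '## snapshot %s host=%s\n' "$_stamp" "$(hostname 2>/dev/null || echo unknown)"
        for _cmd in "ps -ef" "w" "vmstat"; do
            printf '\n### %s\n' "$_cmd"
            # Run each tool only if it is installed, so the snapshot works on
            # both Linux and BSD-style systems instead of aborting.
            if command -v "${_cmd%% *}" >/dev/null 2>&1; then
                $_cmd 2>&1
            else
                printf '(%s not available)\n' "${_cmd%% *}"
            fi
        done
    } > "$_out"
    printf '%s\n' "$_out"
}

# record_snapshot INITIALS [DIR]: take a snapshot and log its digest in the
# diary, so a later edit of the snapshot file can be detected; prints the path.
record_snapshot() {
    _who="$1"; _dir="${2:-./snapshots}"
    _file="$(status_snapshot "$_dir")"
    diary_note "$_who" "snapshot $_file sha256=$(hash_file "$_file")"
    printf '%s\n' "$_file"
}

# verify_snapshot FILE: compare the file's current digest with the last one
# recorded in the diary. Returns 0 if unchanged, 1 if changed or never recorded.
verify_snapshot() {
    _file="$1"
    _recorded="$(grep -F "snapshot $_file sha256=" "$DIARY" | tail -n 1 | sed 's/.*sha256=//')"
    [ -n "$_recorded" ] || return 1
    [ "$_recorded" = "$(hash_file "$_file")" ]
}

# Typical use during an incident (handler initials "AB" are a placeholder):
#   diary_note AB "suspect break-in: unknown listener on port X, see snapshot"
#   record_snapshot AB /var/tmp/ir-snapshots
#   verify_snapshot /var/tmp/ir-snapshots/status-<stamp>.txt && lpr that-file
```

Run record_snapshot from cron or a loop while the machine is under observation, and re-run verify_snapshot on a snapshot immediately before printing it, so the hardcopy you initial and time-stamp is known to match what the diary recorded.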