Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)



Once a compromise has been detected, you have two options: pull the system off the network and begin collecting evidence, or leave it on-line and attempt to monitor the intruder. Both have their pros and cons. If you monitor, you may accidentally alert the intruder and cause them to wipe their tracks by any means necessary, destroying evidence as they go. You also leave yourself open to possible liability if the attacker launches further attacks against other systems from your own network. If you disconnect the system from the network, you may find that you have insufficient evidence or, worse, that the attacker left a dead man's switch that destroys any evidence once the system detects that it is off-line. What you choose to do should be based on the situation. The "Collection and Archiving" section later in the chapter describes what to do in either case.

