Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
Once you’ve developed a plan of attack and identified the evidence that needs to be collected, it’s time to start the actual process of capturing the data. Storage of that data is also important as it can affect how the data is perceived.
Logs and Logging
You should be running some kind of system logging function. It is important to keep these logs secure and to back them up periodically. Because logs are usually automatically timestamped, a simple copy should suffice, although you should digitally sign and encrypt any logs that are important, to protect them from contamination. Remember, if the logs are kept locally on the compromised machine, they are susceptible to either alteration or deletion by an attacker. Having a remote syslog server and storing logs in a sticky directory can reduce this risk, although it is still possible for an attacker to add decoy or junk entries into the logs.
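One way to give log files the tamper evidence described above, as an added example that is not from the book: each entry carries an HMAC computed over the previous entry's tag and its own text, so altering, deleting or inserting an entry breaks the chain at that point, and the final tag copied to the remote server exposes tail truncation. The key, the log lines and the function names are constructed for this illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # tag that precedes the first entry

# Constructed sample entries, in the order they were written.
SAMPLE_LOG = [
    "Jan 10 03:12:01 host sshd[412]: Accepted password for alice from 10.0.0.5",
    "Jan 10 03:12:09 host sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "Jan 10 03:13:44 host sshd[430]: Accepted password for bob from 10.0.0.9",
    "Jan 10 03:15:02 host useradd[455]: new user: name=svc_tmp, UID=0",
]


def seal_log(lines, key):
    """Return [(line, tag_hex)], tag = HMAC(key, prev_tag || line)."""
    prev, sealed = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify_log(sealed, key, final_tag=None):
    """Index of the first entry whose chain link fails, or -1 if intact.

    final_tag is the last tag as recorded off-host (e.g. on the syslog
    server); without it a chain cannot detect entries cut from the tail.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev, bytes.fromhex(final_tag)):
        return len(sealed)  # fewer entries than the remote copy attests to
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"
    sealed = seal_log(SAMPLE_LOG, key)
    print("intact:", verify_log(sealed, key))
    deleted = sealed[:1] + sealed[2:]          # the sudo entry removed
    print("entry deleted, breaks at:", verify_log(deleted, key))
    truncated = sealed[:2]                     # tail cut off
    print("truncated, chain alone:", verify_log(truncated, key))
    print("truncated, with remote tag:", verify_log(truncated, key, sealed[-1][1]))
```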
Regular auditing and accounting of your system is useful not only for detecting intruders but also as a form of evidence. Messages and logs from programs such as Tripwire™ can be used to show what damage an attacker did. Of course, you need a clean snapshot for these to work, so there’s no use trying it after the compromise.
Monitoring
Monitoring network traffic can be useful for many reasons—you can gather statistics, watch out for irregular activity (and possibly stop an intrusion before it happens), and trace where an attacker is coming from and what they are doing. Monitoring logs as they are created can often show you important information you might have missed had you seen them separately. This doesn’t mean you should ignore logs later—it may be what is missing from the logs that is suspicious.
Information gathered while monitoring network traffic can be compiled into statistics to define normal behavior for your system. These statistics can be used as an early warning of an attacker’s actions.
You can also monitor the actions of your users. This can, once again, act as an early warning system—unusual activity or the sudden appearance of unknown users should be considered definite cause for closer inspection.
No matter the type of monitoring done, you should be very careful—there are plenty of laws you could inadvertently break. In general, you should limit your monitoring to traffic or user information and leave the content unmonitored unless the situation necessitates it. You should also display a disclaimer stating what monitoring is done when users log on. The content of this should be worked out in conjunction with your lawyer.