Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
Whenever a system is compromised, there is almost always something left behind by the attacker—be it code fragments, trojaned programs, running processes, or sniffer log files. These are known as artefacts. They are one of the important things you should be collecting, but you must be careful. You should never attempt to analyze an artefact on the compromised system. Artefacts are capable of anything, and you want to make sure their effects are controlled.
Artefacts may be difficult to find—trojaned programs may be identical in all obvious ways to the originals (file size, MAC times, etc.). Use of cryptographic checksums may be necessary, so you may need to know the original file’s checksum, taken before the compromise. If you are performing regular file integrity assessments, this shouldn’t be a problem. Analysis of artefacts can be useful in finding other systems the attacker (or their tools) has broken into.
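The following is an added example, not code from the book, showing why a cryptographic checksum baseline catches what size and timestamp comparison misses. It builds a constructed scenario in a temporary directory: two stand-in "binaries", a SHA-256 baseline taken while they are clean, then one file replaced by same-length content with its access and modification times restored. The size and mtime checks pass; the hash comparison does not. All file names and contents are constructed for the demonstration; in practice the baseline would be taken before the incident and stored off the system, and the comparison run from trusted media rather than on the compromised host.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record the known-good hash of each file. Store the result off the monitored system."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline: Dict[str, str]) -> List[str]:
    """Return every baselined path that is missing or whose current hash differs."""
    changed = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or sha256_file(path) != expected:
            changed.append(path)
    return changed


def demo() -> dict:
    """Constructed scenario: a replaced file that keeps its size and mtime is still detected."""
    original = b"original ps binary  "
    replacement = b"modified ps binary  "  # same length as the original (20 bytes)
    with tempfile.TemporaryDirectory() as d:
        ls_path = os.path.join(d, "ls")
        ps_path = os.path.join(d, "ps")
        with open(ls_path, "wb") as f:
            f.write(b"original ls binary  ")
        with open(ps_path, "wb") as f:
            f.write(original)

        # Baseline taken while the files are known to be clean.
        baseline = build_baseline([ls_path, ps_path])

        # Replace one file with same-size content and put back its atime/mtime,
        # so a size or MAC-time comparison alone would not notice the change.
        before = os.stat(ps_path)
        with open(ps_path, "wb") as f:
            f.write(replacement)
        os.utime(ps_path, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(ps_path)

        return {
            "same_size": after.st_size == before.st_size,
            "same_mtime": after.st_mtime_ns == before.st_mtime_ns,
            # Only the hash comparison flags the replaced file.
            "changed": [os.path.basename(p) for p in verify_baseline(baseline)],
        }


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the copy you compare against: a hash list kept on the compromised system can be edited along with the binaries it describes, which is why the book stresses knowing the original checksum in advance.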