Chapter 11. Incident Response


97


a system or segment of a network containing intentionally false data   in order to track incursion


safely and without disruption to production resources.


Responding to an incident should also be accompanied by information gathering wherever possible.


Running processes, network connections, files, directories, and more should be actively audited in


real time. Having a snapshot of production resources for comparison can be helpful in tracking rogue


services or processes. CERT members and in house experts will be great resources in tracking anoma 


lies. These team members should know their systems and should be able to spot an anomaly quicker


than someone unfamiliar with the infrastructure.


11.4. Investigating the Incident


Investigating a computer breach is like investigating a crime scene. Investigators collect evidence,


note any strange clues, and take inventory on loss and damage. Analysis of computer compromise can


either be live (as the attack is happening) or post mortem (after the attack).


Although it is unwise to trust any system log files on an exploited system, there are other forensic util 


ities to aid us in our analysis. The purpose and features of these tools vary, but they commonly create


bit image copies of media, correlate events and processes, show low level filesystem information, and


recover deleted files whenever possible.


11.4.1. Collecting an Evidential Image


Creating a bit image copy of media is a feasible first step. If performing data forensic work, it is a


requirement. It is recommended to make two copies, one for analysis and investigation, and a second


to be stored along with the original for evidence in any legal proceedings.


You can use the


dd


command that is part of the


fileutils


package in Red Hat Linux. Suppose there


is a single hard drive from a system you want to image. Attach that drive as a slave to your system,


and then use


dd


to create the image file, such as the following:


dd if=/dev/hdd bs=1k conv=noerror of=/home/evidence/image1


This command creates a single file named


image1


using a 1k block size for speed. The


conv=noerror


option forces


dd


to continue reading and dumping data even if bad sectors are


encountered on the suspect drive. It is now possible to study the resulting image file, or even attempt


to recover deleted files.


11.4.2. Gathering Post Breach Information


The topic of digital forensics and analysis itself is quite broad, yet the tools are mostly architecture


specific and cannot be applied generically. However, incident response, analysis, and recovery are im 


portant topics. With proper knowledge and experience, Red Hat Linux can be an excellent platform for


performing these types of analysis, as it includes several utilities for performing post breach response


and restoration.


Table 11 1 details some commands for file auditing and management. It also lists some examples that


you can use to properly identify files and file attributes, such as permissions and access dates, so that


you can collect further evidence or items for analysis. These tools, when combined with intrusion


detection systems, firewalls, hardened services, and other security measures, can help in reducing the


potential damage when an attack occurs.


Note


For detailed information about each tool, refer to their respective manual pages.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved