Computer Forensics - Shutdown or Switch-Off

on 23.08.2006 16:47:24 by Bright

Hello All,

I'm not sure if this is the right forum - if anyone knows of a more
suitable group I will be grateful for a pointer.

If faced with an incident
-> Evidence of fraudulent activity
-> A request from management to look into a system
-> Strange goings on in system logs
-> IDS or firewall logs indicating a system has been compromised
-> etc

Can anyone point me to a good guide or checklist covering the steps
that should be followed.

I know that this does depend on the OS in question and the type of
activity suspected, but there must be some rough guidelines out there
already to save me having to make some up myself.

Shutdown
This is potentially a risk if the attacker has implemented a watch for
shutdown (with scripted processes to hide any tracks). On the other
hand in most cases an attacker won't have done this and we can ensure
that any disk writes are completed and the filesystem integrity is
maintained. The fact that commands will be run as part of the shutdown
might overwrite sections of memory which might otherwise be useful for
forensics. Pagefiles or virtual memory areas may be cleared.

Switch-Off
For non-journalled filesystems data might be lost or corrupted. On the
other hand Pagefiles or Virtual Memory might later serve up interesting
information about the processes that were going on when the system was
switched off. A switch-off won't run commands or trigger watch features
which might write additional info to log files or write to the disk.

Example
Let's say the first indication I have is some suspicious connections
from another internal system (indicating that the user of the system is
up to no good, or that the system has been compromised by another
party).

We don't want to leave ourselves exposed but we don't want to trample
over evidence in case we need to find out what damage was done or maybe
it will turn out that criminal activity has taken place (in which case
we will need to hand over the evidence to the authorities)

1. Start making notes of exactly what action is taken including
accurate date/time
2. Double check the details
2.a. Which system is the source
2.b. Where is it located
2.c. A quick check to see if it is being operated remotely (if this can
be done externally - from the LAN switch or router)
3. If the observed attacks are a concern then we need to halt them
immediately by either shutting down the system under attack or, more
likely, by disabling the source of the attack.
3.a. Remove it from the network and create an image
OR
3.b. Switch it off, boot from another system and image the hard disk
(ghost, encase etc)
OR
3.c. Shut it down, boot from another system and image the hard disk
4. Snapshot the logs of access servers and fileservers (maybe CCTV)
which might have been used by the attacker
5. If possible, image the attacked system as well (as a minimum
snapshot the logs).
Note: It might even be necessary to re-build the attacked system from a
trusted image

If subsequent investigation reveals serious wrong doing or maybe even
criminal activity then evidence may be required... Anyone got a feel
for what the best approach should be?

Anyone been through this and have a tale to tell?

Note: I don't have anything going on at the moment I hasten to add, but
I'd like to have a rough idea in my head of the correct process to
follow

Re: Computer Forensics - Shutdown or Switch-Off

on 23.08.2006 18:51:26 by unruh

"bright" writes:

>Hello All,

>I'm not sure if this is the right forum - if anyone knows of a more
>suitable group I will be grateful for a pointer.

>If faced with an incident
>-> Evidence of fraudulent activity
>-> A request from management to look into a system
>-> Strange goings on in system logs
>-> IDS or firewall logs indicating a system has been compromised
>-> etc

>Can anyone point me to a good guide or checklist covering the steps
>that should be followed.

It all depends. For example removing the system for two weeks could do far
far more damage to the firm than the "request by management" could ever
warrant.

The standard advice is to shut down the system immediately, remove the hard
drive, install it on another computer and make a copy of it to a pristine
hard drive by a low level copy (e.g. dd). Then place the original disk into a
vault and never touch it, only doing forensics on the copy.

Of course if what management wanted was to know where the Leverhouse.doc
file was located this may be overkill. Similarly if those "strange goings
on in system logs" was because you do not understand system logs.



>I know that this does depend on the OS in question and the type of
>activity suspected, but there must be some rough guidelines out there
>already to save me having to make some up myself.

>Shutdown
>This is potentially a risk if the attacker has implemented a watch for
>shutdown (with scripted processes to hide any tracks). On the other
>hand in most cases an attacker won't have done this and we can ensure
>that any disk writes are completed and the filesystem integrity is
>maintained. The fact that commands will be run as part of the shutdown
>might overwrite sections of memory which might otherwise be useful for
>forensics. Pagefiles or virtual memory areas may be cleared.

Memory is almost impossible to preserve.



>Switch-Off
>For non-journalled filesystems data might be lost or corrupted. On the
>other hand Pagefiles or Virtual Memory might later serve up interesting
>information about the processes that were going on when the system was
>switched off. A switch-off won't run commands or trigger watch features
>which might write additional info to log files or write to the disk.

>Example
>Let's say the first indication I have is some suspicious connections
>from another internal system (indicating that the user of the system is
>up to no good, or that the system has been compromised by another
>party).

>We don't want to leave ourselves exposed but we don't want to trample
>over evidence in case we need to find out what damage was done or maybe
>it will turn out that criminal activity has taken place (in which case
>we will need to hand over the evidence to the authorities)

>1. Start making notes of exactly what action is taken including
>accurate date/time
>2. Double check the details
>2.a. Which system is the source
>2.b. Where is it located
>2.c. A quick check to see if it is being operated remotely (if this can
>be done externally - from the LAN switch or router)
>3. If the observed attacks are a concern then we need to halt them
>immediately by either shutting down the system under attack or, more
>likely, by disabling the source of the attack.
>3.a. Remove it from the network and create an image
>OR
>3.b. Switch it off, boot from another system and image the hard disk
>(ghost, encase etc)
>OR
>3.c. Shut it down, boot from another system and image the hard disk
>4. Snapshot the logs of access servers and fileservers (maybe CCTV)
>which might have been used by the attacker
>5. If possible, image the attacked system as well (as a minimum
>snapshot the logs).
>Note: It might even be necessary to re-build the attacked system from a
>trusted image

>If subsequent investigation reveals serious wrong doing or maybe even
>criminal activity then evidence may be required... Anyone got a feel
>for what the best approach should be?

>Anyone been through this and have a tale to tell?

>Note: I don't have anything going on at the moment I hasten to add, but
>I'd like to have a rough idea in my head of the correct process to
>follow


In 99 % of cases, preservation of evidence is not the problem. The problem
is getting the system back to being a useable system. Few firms have so many
computers hanging around that they can afford to have one or more taken
offline for days. If you work for NSA or in the police force, this may not
be the right attitude.

You have to balance the need for retribution or even forensics for
operation of the equipment.
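
The "low level copy (e.g. dd)" workflow from the reply above, combined with step 1 of the original checklist (timestamped notes of every action), as an added example that is not part of either post. The function names, log format and file paths are assumptions made for illustration; on a real case the source would be the suspect disk attached read-only.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the log line format
# are hypothetical; SRC stands in for the suspect disk, attached read-only.

# note LOG MESSAGE...: append one UTC-timestamped line to the case notes.
note() {
    _log=$1; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$_log"
}

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire_image SRC IMG LOG: low-level copy of SRC to IMG, verified by hash.
acquire_image() {
    src=$1; img=$2; log=$3
    if [ ! -r "$src" ]; then note "$log" "ERROR cannot read $src"; return 2; fi
    if [ -e "$img" ]; then note "$log" "ERROR refusing to overwrite $img"; return 3; fi
    note "$log" "START copy $src -> $img"
    src_hash=$(sha256_of "$src")
    # Plain dd stops at the first read error; a failing disk needs a tool
    # that records and skips unreadable sectors instead.
    if ! dd if="$src" of="$img" bs=64k 2>/dev/null; then
        note "$log" "ERROR dd failed"; return 4
    fi
    chmod a-w "$img"    # the working copy is read-only from here on
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        note "$log" "MISMATCH source=$src_hash image=$img_hash"; return 1
    fi
    note "$log" "VERIFIED sha256=$img_hash image=$img"
}

# verify_image IMG LOG: before each analysis session, confirm the working copy
# still matches the hash recorded in the notes at acquisition time.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -v want="image=$img" \
        '$2 == "VERIFIED" && $4 == want { h = $3 } END { sub(/^sha256=/, "", h); print h }' "$log")
    current=$(sha256_of "$img")
    if [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
        note "$log" "RECHECK ok $img"; return 0
    fi
    note "$log" "RECHECK FAILED $img recorded=${recorded:-none} current=$current"
    return 1
}
# Usage (placeholder paths): acquire_image /dev/sdX case01.img case01-notes.log
```

The original disk is read twice (once for the hash, once for the copy) and never written; all later work, including `verify_image`, touches only the copy and the notes file.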

Re: Computer Forensics - Shutdown or Switch-Off

on 31.08.2006 17:31:10 by Bright

Thanks for the response

I agree that in most cases, the priority is to get things up and
running - in fact it may only be until very much later that nefarious
activity comes to light.

Of the scenarios, probably the most likely indicator of nefarious
activity might be suspicious network connections from the victim system
- if we have an internal honeynet or maybe just from IDS or firewall
logs.

We might assume that the system has been compromised by an internal
user or maybe by a worm. In such an instance I was wondering whether
it's better to switch the system off (preserving the pagefile or cache
and logs etc) or run an orderly shutdown potentially allowing the
attacker to cover their tracks.

But I guess that's a very specific example and in general it's better
to shutdown, remove and image the disk and then get the system up and
running (ideally building from the original image). Probably store the
disk in the firesafe and forget all about it ;-)



