METHODS OF COLLECTION

There are two basic forms of collection—freezing the scene and honeypotting. The two aren’t mutually exclusive—you can collect frozen information after or during any honeypotting.

Freezing the scene involves taking a snapshot of the system in its compromised state. The necessary authorities should be notified (e.g., the police and your incident response and legal teams), but you shouldn’t go out and tell the world just yet.

You should then start to collect whatever data is important onto removable nonvolatile media in a standard format. Make sure that the programs and utilities used to collect the data are also collected onto the same media as the data. All data collected should have a cryptographic message digest created, and those digests should be compared to the originals for verification.

Honeypotting is the process of creating a replica system and luring the attacker into it for further monitoring. A related method (sandboxing) involves limiting what the attacker can do while still on the compromised system, so they can be monitored without (much) further damage. The placement of misleading information and the attacker’s response to it is a good method for determining the attacker’s motives. You must make sure that any data on the system related to the attacker’s detection and actions is either removed or encrypted; otherwise they can cover their tracks by destroying it. Honeypotting and sandboxing are extremely resource intensive, so they may be infeasible to perform. There are also some legal issues to contend with, most importantly entrapment. As previously mentioned—you should consult your lawyers.