There are two basic forms of collection—freezing the scene and honeypotting. The two aren’t mutually exclusive—you can collect frozen information after or during any honeypotting.

Freezing the scene involves taking a snapshot of the system in its compromised state. The necessary authorities should be notified (e.g., the police and your incident response and legal teams), but you shouldn’t go out and tell the world just yet.

You should then start to collect whatever data is important onto removable nonvolatile media in a standard format. Make sure that the programs and utilities used to collect the data are also collected onto the same media as the data. Create a cryptographic message digest of every item collected, and compare those digests against digests of the originals to verify that the copies are exact.

Honeypotting is the process of creating a replica system and luring the attacker into it for further monitoring. A related method (sandboxing) involves limiting what the attacker can do while still on the compromised system, so they can be monitored without (much) further damage. The placement of misleading information and the attacker’s response to it is a good method for determining the attacker’s motives. You must make sure that any data on the system related to the attacker’s detection and actions is either removed or encrypted; otherwise they can cover their tracks by destroying it. Honeypotting and sandboxing are extremely resource intensive, so they may be infeasible to perform. There are also some legal issues to contend with, most importantly entrapment. As previously mentioned—you should consult your lawyers.

Whenever a system is compromised, there is almost always something left behind by the attacker—be it code fragments, trojaned programs, running processes, or sniffer log files. These are known as artefacts. They are one of the important things you should be collecting, but you must be careful. You should never attempt to analyze an artefact on the compromised system. Artefacts are capable of anything, and you want to make sure their effects are controlled.

Artefacts may be difficult to find—trojaned programs may be identical in all obvious ways to the originals (file size, MAC times, etc.). Use of cryptographic checksums may be necessary, so you may need to know the original file’s checksum. If you are performing regular file integrity assessments, this shouldn’t be a problem. Analysis of artefacts can be useful in finding other systems the attacker (or their tools) has broken into.
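As an added example (not code from the book), the following Python builds the kind of digest manifest described above for collected data and tools, and compares a baseline manifest against the current system to surface a replaced program whose size and modification time still match the original. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record size, mtime and digest of every file under root (a baseline or a collected set)."""
    manifest = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": sha256_of(p)}
    return manifest

def compare(baseline, current):
    """'disguised' = digest differs although size and mtime still match the original."""
    findings = {"disguised": [], "modified": [], "added": [], "missing": []}
    for name, ref in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings["missing"].append(name)
        elif cur["sha256"] != ref["sha256"]:
            same_meta = cur["size"] == ref["size"] and cur["mtime"] == ref["mtime"]
            findings["disguised" if same_meta else "modified"].append(name)
    findings["added"] = sorted(set(current) - set(baseline))
    return findings

def demo():
    """Constructed scenario: baseline two binaries, replace one with same-size content, restore its mtime."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        (bindir / "ls").write_bytes(b"original ls code")
        (bindir / "ps").write_bytes(b"original ps code")
        baseline = build_manifest(root)
        st = (bindir / "ls").stat()
        (bindir / "ls").write_bytes(b"trojaned ls code")  # same length; only the digest differs
        os.utime(bindir / "ls", (st.st_atime, st.st_mtime))  # mtime restored, so size and times match
        (bindir / "sniff").write_bytes(b"sniffer log")  # a new artefact left on the system
        return compare(baseline, build_manifest(root))
```

Running `demo()` reports `bin/ls` as disguised and `bin/sniff` as added, which is exactly the case where a size or timestamp check alone would miss the replacement.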

You now have enough information to build a step-by-step guide for the collection of the evidence. Once again, this is only a guide—you should customize it to your specific situation. You should perform the following collection steps:

  1. Find the evidence

  2. Find the relevant data

  3. Create an Order of Volatility

  4. Remove external avenues of change

  5. Collect the evidence

  6. Document everything

Find the Evidence

Determine where the evidence you are looking for is stored. Use a checklist—not only does it help you to collect evidence but it also can be used to double-check that everything you are looking for is there.

Find the Relevant Data

Once you’ve found the evidence, you must figure out what part of it is relevant to the case. In general, you should err on the side of over-collection, but you must remember that you have to work fast—don’t spend hours collecting information that is obviously useless.

Create an Order of Volatility

Now that you know exactly what to gather, work out the best order in which to gather it. The Order of Volatility for your system is a good guide, and ensures that you minimize loss of uncorrupted evidence.

Remove External Avenues of Change

It is essential that you avoid alterations to the original data, and prevention is always better than a cure. Preventing anyone from tampering with the evidence helps you to create as exact an image as possible. However, you have to be careful—the attacker may have been smart and left a dead-man switch. In the end, you should try to do as much as possible to prevent changes.

Collect the Evidence

You can now start to collect the evidence using the appropriate tools for the job. As you go, reevaluate the evidence you’ve already collected. You may find that you missed something important. Now is the time to make sure you get it.

Document Everything

Your collection procedures may be questioned later, so it is important that you document everything that you do. Timestamps, digital signatures, and signed statements are all important—don’t leave anything out!
