Preserve the State of the Computer


Making a backup copy of logs, damaged or altered files, and files left by the intruder at the time of the incident captures a picture of what has been done to the system. Any hacker tools that have been loaded on the system will be recorded. This captured data, and the information derived from it, is the evidence that will be needed to stop and prosecute the hacker.

Re-creating the activities of a hacker is a difficult and time-consuming task, and that difficulty deters organizations from prosecuting. Skilled hackers will employ the methods highlighted in this chapter and hop from one system to another, which makes it harder to synchronize logs from many machines into an accurate picture of the hacker's activities.
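The log-synchronization problem described above, as an added example that is not from the book: copied logs from several machines are merged into one timeline after correcting each host's clock. The host names, log format, log lines and clock errors are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: host -> lines in "YYYY-MM-DD HH:MM:SS message" form,
# read from the preserved copies of each machine's log.
SAMPLE_LOGS = {
    "gateway": [
        "2002-03-14 02:10:05 sshd: accepted login for guest from 198.51.100.7",
        "2002-03-14 02:14:40 sshd: session closed for guest",
    ],
    "fileserver": [
        "2002-03-14 02:08:31 sshd: accepted login for guest from gateway",
        "2002-03-14 02:09:02 su: guest became root",
    ],
    "mailhost": [
        "2002-03-14 02:16:12 sshd: accepted login for root from fileserver",
    ],
}

# Assumed clock error per host (host clock minus reference time), measured by
# the responder against one trusted time source while preserving each system.
CLOCK_ERROR = {
    "gateway": timedelta(0),
    "fileserver": timedelta(minutes=-3),  # clock runs 3 minutes slow
    "mailhost": timedelta(minutes=4),     # clock runs 4 minutes fast
}

def parse_line(host, line):
    """Split one log line into its recorded timestamp and message."""
    recorded = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return {"host": host, "recorded": recorded, "message": line[20:]}

def build_timeline(logs, clock_error):
    """Merge per-host logs into one list ordered by corrected time."""
    events = []
    for host, lines in logs.items():
        if host not in clock_error:
            # Refuse to guess: an uncorrected host would be silently misordered.
            raise KeyError(f"no clock error recorded for {host}")
        for line in lines:
            event = parse_line(host, line)
            # Keep the recorded value untouched; store the correction beside it.
            event["corrected"] = event["recorded"] - clock_error[host]
            events.append(event)
    return sorted(events, key=lambda e: (e["corrected"], e["host"]))

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS, CLOCK_ERROR):
        print(e["corrected"], f"(logged {e['recorded'].time()})", e["host"], e["message"])
```

Sorted on the recorded timestamps alone, the fileserver login would appear before the gateway login that it came from; the corrected timeline restores the order of the hops.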

Destructive Hacker Tools

Today, some hacker tools monitor their environment and self-destruct if they perceive that they have been detected. Signs of discovery that such a tool may watch for include the system being shut down or the tool being unable to access the Internet. So, to avoid alerting these smart tools, it is best to crash the system and remount the system disks onto another system so that the code has no chance to take its responsive actions. At this time, exact images of the disks can be copied.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
