Joint Security Policy Group, Geneva, January 2005

1 Joint Security Policy Group, Geneva, 24-25 January 2005
"Procedure for escalating images of computers under attack or under suspicion". Joint Security Policy Group, Geneva, January 2005

2 Simple procedure. Follow the yellow line of the procedure.
No technical knowledge needed. Less than an hour until your system is back online. Less than an hour until your system is safe again. Collect first, analyse later.

3 Step A. Unplug the network connection.
To stop the infection from spreading. To remove external avenues for further changes.

4 Step B. Log in to the computer and run the following commands:
ps aux > process.txt
netstat -l > connections.txt
w > users.txt
mount > partitions.txt
arp > arp.txt
To save system information before the system is shut down. To save information that is only available on the live system (from the most volatile to the least volatile information).

5 Step C. List the mounted partitions.
Copy the output of the command onto paper (only so that no partition is forgotten). mount. To know the number of partitions, so that a copy is made of every one of them.

6 Step D. Shut the system down. Unplug the hard disk.
Plug the hard disk into another system. To put the suspect hard disk in a clean, safe system. Avoid doing forensics on the original evidence; work on the copy.

7 Step E. Run dd to copy the partitions. For every partition:
dd if=/dev/hdb? of=/hdb?.dd
To make an image of every partition of the system. Don't run programs that modify file access times; only run programs that make bit-for-bit copies.

8 Step F. Make an md5sum of the dd files:
md5sum hdb?.dd >> md5.txt
Make a tarball of all the hdb?.dd files plus md5.txt (the archive name follows the f option, the files come after it):
tar czvf ip-dd.tgz hdb?.dd md5.txt
To add the MD5 hash to the information being sent. Should we worry about MD5 collisions? To prevent tampering with the files. To make it easy to send the information.

9 Step G. Send the tarball and the hash to the CCSI team.
CCSI = Computer Crime Science Investigation. An FTP server to upload to. To deliver the information about a potential crime to the experts.

10 Step H. Put the hard disk back into the original system and reinstall it. The system is again ready to produce e-science. Less than an hour to restart the system clean and safe. The CCSI will send you advice on how to improve security. Another report goes to the group.
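As an added example, not from the presentation, the following POSIX shell script carries out steps E and F on the clean system for a list of partitions: a dd image of each one, an md5.txt covering all images, a verification pass against that list, and a single tarball of images plus hashes. The device paths, output directory and archive tag are assumed arguments; a regular file works as the input device too, which is how it can be tried without a spare disk.

```shell
#!/bin/sh
# Steps E and F of the procedure as a script (added example; assumed
# interface: acquire_images OUTDIR TAG DEVICE...). Runs on the clean system
# that the suspect disk was plugged into, never on the suspect system itself.
set -u

# Step E: bit-for-bit copy of one partition into OUTDIR/<name>.dd.
image_partition() {
    dev=$1; outdir=$2
    name=$(basename "$dev")
    # conv=noerror,sync keeps reading past unreadable sectors and pads them
    # with zeros, so a damaged disk still yields a full-size, offset-correct image.
    dd if="$dev" of="$outdir/$name.dd" bs=64k conv=noerror,sync \
        2>"$outdir/$name.dd.log"
}

# Step F: record the MD5 of every image in md5.txt, right after imaging,
# so tampering or transfer errors show up when the list is checked later.
hash_images() {
    outdir=$1
    (cd "$outdir" && md5sum ./*.dd > md5.txt)
}

# Re-check the images against md5.txt; non-zero exit on any mismatch.
verify_images() {
    outdir=$1
    (cd "$outdir" && md5sum -c md5.txt >/dev/null)
}

# Pack images and hash list; the archive name follows f, members come last.
pack_images() {
    outdir=$1; tag=$2
    (cd "$outdir" && tar czf "$tag-dd.tgz" ./*.dd md5.txt)
}

# Whole sequence: image each device, hash, verify, pack.
acquire_images() {
    outdir=$1; tag=$2; shift 2
    mkdir -p "$outdir" || return 1
    for dev in "$@"; do
        image_partition "$dev" "$outdir" || return 1
    done
    hash_images "$outdir" && verify_images "$outdir" && pack_images "$outdir" "$tag"
}
```

Run verify_images again after the tarball has been unpacked at the receiving end; a failure there means the images changed in transit or were tampered with.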

11 Conclusions. This procedure can be written on a single sheet. Only one sheet.
This procedure could be the start of a more formal document. This procedure could be the basis for further discussion. I hope!

12 Thanks to all of you for your patience with my English level.
Thanks to Elio Pérez.
