"Procedure for scaling images of computers under attack or under suspicion", Joint Security Policy Group. Miguel Cárdenas Montes, EGEE, JSPG, Deer Hass, 25-11-2004.

Presentation transcript:

Slide 1 (title): Procedure for scaling images of computers under attack or under suspicion. Joint Security Policy Group, Geneva, 24-25 January 2005.

Slide 2: Simple procedure. Follow the yellow line, the procedure. No technical knowledge is needed. In less than an hour your system is back online. In less than an hour your system is safe again. Collection first, analysis later.

Slide 3: Step A. Unplug the network connection.
- To avoid propagating the infection.
- To remove external avenues for changes.

Slide 4: Step B. Log into the computer and run the following commands:
  ps aux > process.txt
  netstat --listen > connections.txt
  w > users.txt
  mount > partitions.txt
  arp > arp.txt
- To save system information before the system is switched off.
- To save information that is only available on the live system (from the most volatile to the least volatile information).

Slide 5: Step C. List the mounted partitions. Copy the output of the command onto paper (only so that no partition is forgotten):
  mount
- To know how many partitions there are, so that a copy is made of every one of them.

Slide 6: Step D. Switch the system off. Unplug the hard disk. Plug the hard disk into another system.
- To put the suspicious hard disk into a clean and safe system.
- Avoid doing forensics on the evidence itself; work from the copy.

Slide 7: Step E. Run dd to copy the partitions. For every partition:
  dd if=/dev/hdb? of=/hdb?.dd
- To make an image of every partition of the system.
- Don't run programs that modify the access time of files; only run programs that make bit-for-bit copies.

Slide 8: Step F. Make an md5sum of the dd files:
  md5sum hdb?.dd >> md5.txt
Make a tarball of all the hdb?.dd files and of md5.txt (the archive name comes first, then the files):
  tar czvf ip-dd.tgz hdb?.dd md5.txt
- To add the MD5 hash to the information sent. Should we worry about MD5 collisions?
- To avoid tampering with the files.
- To make sending the information easy.

Slide 9: Step G. Send the tarball and the hash to the CCSI team. CCSI = Computer Crime Science Investigation. ccsi@........ An FTP server to upload them to.
- To deliver the information about a potential crime to the experts.

Slide 10: Step H. Put the hard disk back into the original system and reinstall it.
- The system is again ready to produce e-science.
- Less than an hour to restart the system clean and safe.
- The CCSI will send you advice to improve security.
- Another report goes to the group.
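The commands of Steps B, E and F gathered into one script, as an added example that is not part of the original slides. It assumes it runs as root, that "live" mode is run on the compromised host before Step D and "image" mode on the clean host, that the device names come from the Step C list, and that a SHA-256 manifest is written beside the MD5 one to cover the collision question raised on Step F.

```shell
#!/bin/sh
# Added example, not from the slides: Step B, E and F as one script.
# Assumptions: run as root; the evidence directory is on the clean host and has
# room for the images; device names (/dev/hdb1 ...) come from the Step C list.
set -eu

# Step B, on the live system before power-off: most volatile information first.
collect_volatile() {
    out="$1"; mkdir -p "$out"
    ps aux           > "$out/process.txt"
    netstat --listen > "$out/connections.txt"
    w                > "$out/users.txt"
    mount            > "$out/partitions.txt"
    arp              > "$out/arp.txt"
}

# Steps E and F, on the clean host: dd is the only program that reads the disk,
# so no access time on the evidence changes; each image is hashed as soon as it exists.
image_partition() {
    dev="$1"; out="$2"; name=$(basename "$dev")
    mkdir -p "$out"
    dd if="$dev" of="$out/$name.dd" bs=4096 2>"$out/$name.dd.log"
    (cd "$out" && md5sum "$name.dd" >> md5.txt && sha256sum "$name.dd" >> sha256.txt)
}

# Re-check every image against both manifests; a non-zero exit means an image changed.
verify_images() {
    (cd "$1" && md5sum -c md5.txt >/dev/null && sha256sum -c sha256.txt >/dev/null)
}

# Step F tarball: the archive name comes first, then the directory of images and manifests.
pack_evidence() {
    tar czf "$2" -C "$1" .
}

# Usage: acquire.sh live /mnt/usb/volatile
#        acquire.sh image /evidence /dev/hdb1 /dev/hdb2
case "${1:-}" in
    live)  collect_volatile "$2" ;;
    image) ev="$2"; shift 2
           for dev in "$@"; do image_partition "$dev" "$ev"; done
           verify_images "$ev" && pack_evidence "$ev" "$ev.tgz" ;;
esac
```

The verification step is what makes the manifest useful on the receiving side: the CCSI team can run the same check on the unpacked tarball and see immediately whether any image was altered in transit.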

Slide 11: Conclusions. This procedure can be written on a sheet. Only one sheet. This procedure could be the start of a more formal document. This procedure could be the basis for further discussion. I hope!

Slide 12: Thanks. Thanks to all of you for your patience with my English level. Thanks to Elio Pérez.

