Gathering volatile information
From: Bob the Builder (builder173@hotmail.com)
Date: Wed Apr 13 2005 - 07:01:37 CDT
Hi all,
I am currently working on some of our incident response procedures and have been looking at gathering volatile data before taking a machine offline, or before determining whether or not to take a machine offline. On Windows you can run the Windows Forensic Toolchest, which produces detailed output and can be configured to control how much forensic damage you are happy to sustain before taking a system offline for imaging.

In the Unix environment there seem to be various lists of bits and pieces, but no really definitive list of commands related to gathering volatile information that you should and shouldn't run, and what types of things they are likely to interfere with. Am I missing something here? Does just such a list exist and I'm just not looking in the right place, or is it about time someone set about writing one? I'm not talking about a religious argument on the merits of what stage a machine should be taken offline at, but more what the volatile data gathering options are that are available to you if, as an incident handler, you need them.
Cheers,
Bob
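As an added illustration of the kind of Unix collection the post is asking about (this is example code, not something from the original message or from the Windows Forensic Toolchest), the script below gathers volatile state in roughly the order of volatility described in RFC 3227, writes each command's output to its own file, and keeps a manifest with the UTC timestamp, the exact command, its exit status and a SHA-256 of the output. The output directory, the step list and the NOT-AVAILABLE handling are this example's own choices; nothing here is a standard or definitive list.

```shell
#!/bin/sh
# Added example, not code from the original post: a first-responder script that
# gathers volatile state from a Unix host in roughly the order of volatility
# given in RFC 3227 (network and process state first, filesystem state last).
# Every command writes to its own numbered file and a manifest records the UTC
# time, the exact command, its exit status and a SHA-256 of the output, so the
# collection can be audited afterwards. Tools missing on the host are logged as
# NOT-AVAILABLE rather than aborting the run.
#
# Assumptions: POSIX sh; at least one of sha256sum, shasum or openssl for
# hashing. $1 is the output directory, which should be external or network
# media: writing to the host's own disk overwrites unallocated space, and every
# command run here changes the process table and file access times.

# Print a SHA-256 hex digest of $1 using whatever tool the host offers.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.* //'
    else
        echo no-sha256-tool
    fi
}

# Run one collection step and append a manifest line.
# $1 = output dir, $2 = sequence number, $3 = file label, $4 = command string
run_step() {
    d=$1; n=$2; label=$3; cmd=$4
    out="$d/${n}_${label}.txt"
    prog=${cmd%% *}                      # first word of the command
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! command -v "$prog" >/dev/null 2>&1; then
        printf '%s\t%s\t%s\tNOT-AVAILABLE\t-\n' "$ts" "$n" "$cmd" >> "$d/manifest.txt"
        return 0
    fi
    if sh -c "$cmd" > "$out" 2>&1; then rc=0; else rc=$?; fi
    printf '%s\t%s\t%s\trc=%s\t%s\n' "$ts" "$n" "$cmd" "$rc" "$(hash_file "$out")" >> "$d/manifest.txt"
}

# Collect in order of volatility; returns 0 even if individual tools fail.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/manifest.txt"
    run_step "$outdir" 01 date      "date -u"       # host clock, to correlate with other sources
    run_step "$outdir" 02 uptime    "uptime"
    run_step "$outdir" 03 logins    "who"
    run_step "$outdir" 04 sockets   "ss -tunap"     # Linux iproute2; netstat covers other Unixes
    run_step "$outdir" 05 sockets   "netstat -an"
    run_step "$outdir" 06 arp       "ip neigh"
    run_step "$outdir" 07 arp       "arp -an"
    run_step "$outdir" 08 routes    "netstat -rn"
    run_step "$outdir" 09 procs     "ps -ef"
    run_step "$outdir" 10 openfiles "lsof -n -P"
    run_step "$outdir" 11 modules   "lsmod"
    run_step "$outdir" 12 mounts    "mount"
    run_step "$outdir" 13 disk      "df -k"
    return 0
}

# Number of steps a complete run records in the manifest.
expected_steps() { echo 13; }

if [ -n "${1:-}" ]; then
    collect_volatile "$1"
fi
```

Usage is `sh collect.sh /media/evidence/host01` with the destination on mounted external media. The manifest is the part that answers the "what did I disturb" question: it shows exactly which binaries ran and when, which matters because the host's own `ps`, `netstat` and `lsof` may have been tampered with. In practice the commands are run from a trusted toolkit on read-only media rather than from the host's PATH, and the manifest hashes let the collected files be verified against the copy taken later.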