Chapter 11. Incident Response
a system or segment of a network containing intentionally false data in order to track incursion
safely and without disruption to production resources.
Responding to an incident should also be accompanied by information gathering wherever possible. Running processes, network connections, files, directories, and more should be actively audited in real time. Having a snapshot of production resources for comparison can be helpful in tracking rogue services or processes. CERT members and in-house experts will be great resources in tracking anomalies. These team members should know their systems and should be able to spot an anomaly more quickly than someone unfamiliar with the infrastructure.
11.4. Investigating the Incident
Investigating a computer breach is like investigating a crime scene. Investigators collect evidence, note any strange clues, and take inventory of loss and damage. Analysis of a computer compromise can be either live (as the attack is happening) or post-mortem (after the attack).
Although it is unwise to trust any system log files on an exploited system, there are other forensic utilities to aid us in our analysis. The purpose and features of these tools vary, but they commonly create bit-image copies of media, correlate events and processes, show low-level filesystem information, and recover deleted files whenever possible.
11.4.1. Collecting an Evidential Image
Creating a bit-image copy of media is a feasible first step. If performing data forensic work, it is a requirement. It is recommended to make two copies: one for analysis and investigation, and a second to be stored along with the original as evidence in any legal proceedings.
You can use the dd command, which is part of the fileutils package in Red Hat Linux. Suppose there is a single hard drive from a system you want to image. Attach that drive as a slave to your system, and then use dd to create the image file, as in the following:

dd if=/dev/hdd bs=1k conv=noerror of=/home/evidence/image1

This command creates a single file named image1 using a 1k block size for speed. The conv=noerror option forces dd to continue reading and dumping data even if bad sectors are encountered on the suspect drive. It is now possible to study the resulting image file, or even attempt to recover deleted files.
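As an added example (not code from the guide itself), the following POSIX shell function wraps the dd command above, produces the two copies the text recommends, and records SHA-256 hashes so each copy can be shown to match the suspect drive. It assumes dd, cp and sha256sum are available and that the suspect drive is attached but not mounted.

```shell
#!/bin/sh
# Added example, not from the Red Hat Linux Security Guide: wrap the dd
# imaging command above, produce the two copies the text recommends, and
# record SHA-256 hashes so each copy can be shown to match the suspect drive.
# Assumptions: dd, cp and sha256sum are available, and SRC (a block device, or
# any regular file for a dry run) is attached but NOT mounted, so its contents
# cannot change while it is being read.
set -u

# image_drive SRC DIR NAME
#   DIR/NAME.img           analysis copy (the one investigators work on)
#   DIR/NAME.evidence.img  second copy, stored with the original drive
#   DIR/NAME.sha256        hashes of source and both copies
#   DIR/NAME.dd.log        dd's own record counts and any read errors
# Returns 0 only when both copies hash identically to the source.
image_drive() {
    src=$1; dir=$2; name=$3
    analysis="$dir/$name.img"
    evidence="$dir/$name.evidence.img"
    mkdir -p "$dir" || return 1

    # Same command as in the text: 1k blocks, and conv=noerror keeps dd
    # reading past bad sectors instead of aborting the whole image.
    dd if="$src" of="$analysis" bs=1k conv=noerror 2>"$dir/$name.dd.log" \
        || return 1

    # The evidence copy is taken from the image rather than re-reading the
    # suspect drive, so the drive is touched only once.
    cp "$analysis" "$evidence" || return 1

    # Hash the source and both copies. If the drive has unreadable sectors,
    # sha256sum on the source fails and the function reports a mismatch; the
    # dd log then shows how much was skipped, which belongs in the case notes.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    a_hash=$(sha256sum "$analysis" | cut -d' ' -f1)
    e_hash=$(sha256sum "$evidence" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n%s  %s\n' \
        "$src_hash" "$src" "$a_hash" "$analysis" "$e_hash" "$evidence" \
        > "$dir/$name.sha256"

    [ -n "$src_hash" ] && [ "$src_hash" = "$a_hash" ] && [ "$a_hash" = "$e_hash" ]
}
```

Run it as image_drive /dev/hdd /home/evidence image1 to reproduce the command in the text; keep the .sha256 and .dd.log files with the evidence copy.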
11.4.2. Gathering Post Breach Information
The topic of digital forensics and analysis is itself quite broad, yet the tools are mostly architecture-specific and cannot be applied generically. However, incident response, analysis, and recovery are important topics. With proper knowledge and experience, Red Hat Linux can be an excellent platform for performing these types of analysis, as it includes several utilities for performing post-breach response and restoration.
Table 11-1 details some commands for file auditing and management. It also lists some examples that you can use to properly identify files and file attributes, such as permissions and access dates, so that you can collect further evidence or items for analysis. These tools, when combined with intrusion detection systems, firewalls, hardened services, and other security measures, can help reduce the potential damage when an attack occurs.
Note
For detailed information about each tool, refer to their respective manual pages.