Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: Day 12 Containment: Gathering Evidence That Can be Used in Court - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Day 12 Containment: Gathering Evidence That Can be Used in Court

Unfortunately we work events and incidents every day.  Some are worse than others, but the one rule of incident handling is that every incident must be handled as if it were going to end up in court.  Gathering evidence should begin as soon as it is identified. 

Every incident handler should have a bound incident log book with numbered pages.  Once you begin to work an incident, record every detail into the journal.  Every handler should be recording their efforts, too.  This becomes collaberative evidence in court.  Make sure to date and initial every entry. 

The next evidence gathering technique is the bit-by-bit backup.  Before you start working on the system, it is imperative that a backup is made.  Some people are taking the hard drive out and replacing it, using the original as the backup.  This is probably the best method if you have spare hard drives, but if you don't you must make a binary backup.  A binary backup preserves all the evidence including deleted and fragmentary files. 

One of the most popular tools is "dd".  It comes in most Unix and Linux distributions.  A Windows version can be found here.   Be sure to practice with your incident response team and help desk personnel, as making a backup under pressure can be more difficult than you think.

If you have more tips for gathering evidence, send them to us here and we'll pass them along.

Mari Nichols   iMarSolutions


Mari Nichols

76 Posts
Oct 12th 2008
In the article you state:
...More "incident responders" should take the time to play with Helix in simulations/exercises...

That sounds great. DO you know of any such events?

Maybe a webgoat of the forensics world for Helix?

Sign Up for Free or Log In to start participating in the conversation!