Day 12 Containment: Gathering Evidence That Can be Used in Court

Day 12 Containment: Gathering Evidence That Can be Used in Court
Unfortunately we work events and incidents every day. Some are worse than others, but the one rule of incident handling is that every incident must be handled as if it were going to end up in court. Gathering evidence should begin as soon as it is identified. Every incident handler should have a bound incident log book with numbered pages. Once you begin to work an incident, record every detail into the journal. Every handler should be recording their efforts, too. This becomes collaberative evidence in court. Make sure to date and initial every entry. The next evidence gathering technique is the bit-by-bit backup. Before you start working on the system, it is imperative that a backup is made. Some people are taking the hard drive out and replacing it, using the original as the backup. This is probably the best method if you have spare hard drives, but if you don't you must make a binary backup. A binary backup preserves all the evidence including deleted and fragmentary files. One of the most popular tools is "dd". It comes in most Unix and Linux distributions. A Windows version can be found here. Be sure to practice with your incident response team and help desk personnel, as making a backup under pressure can be more difficult than you think. If you have more tips for gathering evidence, send them to us here and we'll pass them along. Mari Nichols iMarSolutions	Mari Nichols 76 Posts Oct 12th 2008
Thread locked Subscribe	Oct 12th 2008 1 decade ago
In the article you state: ...More "incident responders" should take the time to play with Helix in simulations/exercises... That sounds great. DO you know of any such events? Maybe a webgoat of the forensics world for Helix?	Anonymous
Quote	Oct 13th 2008 1 decade ago