Sunday, April 29, 2007

Strengthening the case for live response

I was doing some browsing today on the government's cybercrime site and I began fishing through some of the documents they have posted and ended up coming across the updated prosecuting cybercrimes manual

I'd like to call your attention to appendix C in the document listed above. Take a look at Section B, step 2. An excerpt from the section:

[..."Initial response should include at a minimum documenting: users currently logged on, current connections, processes running, all listening sockets and their associated applications. Image the RAM of the attacked systems."...]

What's my initial reaction?
Whoa, even the government is suggesting that people collect evidence from live systems now. Ladies and gents of the private sector/edu world, if the federal government(who is typically years behind the rest of us) is suggesting you collect this information, then by all means do so. The case is being strengthened for conducting this type of activity. Now's the time to update, modify and/or create procedures specifically for this purpose.


Keydet89 said...

Rather than "update, modify and/or create procedures", I'd say "use" the words of Fox Mulder, "the truth is out there". It's already there, it's been there, it's been written why not start using it?


hogfly said...

Indeed. However, many groups don't have procedures for this yet and some people I've talked to haven't yet made the distinction between live response and root cause analyses; as in they believe that the only purpose behind live response is to determine the root cause.