Comments on Forensic Incident Response: Which plug to pull?
Blog author: hogfly

echo6 (2008-01-29, 17:35 -05:00):

> Sysadmins need to replace their "immediate actions" of yanking the plug with "capture data" first, then consider pulling the plug.

LOL, the same could be said for some forensic analysts.

H. Carvey (2008-01-29, 06:05 -05:00):

Good post!

In my experience, organizations pull the plug simply because they have no other idea what to do. They have no plan for what to do when an incident occurs, and what is pertinent.

Visa PCI forensic audits are a great example. Many organizations (and I'm not talking the small restaurants and gas stations...) simply have no idea where the PCI sensitive data is processed

hogfly (2008-01-25, 13:53 -05:00):

Anonymous,

Thanks for the comment. Blocking the IP at the firewall or router is definitely a good containment method.

I prefer a block over pulling any cable, but the intent here was to decide which plug to pull (power or data).

Anonymous (2008-01-25, 13:42 -05:00):

When pulling the network cable, you would lose port and connection information. Blocking the computer's IP at the firewall sounds like a better alternative since the connections to the ports will remain... however, won't that disappear when the TTLs expire?