• Report the crime immediately.

Don't wait hours or days. To preserve the evidence, report the incident to law enforcement as soon as possible so that crime scene technicians who are experienced in handling digital evidence can get to the scene.

• Don't shut down the computers.

Your first inclination when attacked may be to shut everything down, but that destroys evidence that exists only in RAM: running processes, open network connections, logged-on sessions, and unsaved data. Disconnect the computer from the network, modems, and any other external connections to stop further attacks and to keep the attacker from remotely erasing evidence, but do not shut down or reboot the systems. Volatile data still decays with time, so the sooner the forensic technicians can capture memory, the better.

• Switch over to your backup/failover systems.

Part of your business continuity plan should be having duplicate systems that can take over the functions of critical servers, routers, and so forth in case of failure. After an incident, switch to those failover systems to keep the business running while the compromised systems, which are now evidence, are out of service. Make sure the failover systems are not built from backups taken after the intrusion began, or you may bring the attacker's foothold back with them.

• Don't run any programs.

The data on the system must be preserved in a state as close as possible to the one immediately following the attacker's activity. Running programs (including antivirus scans, backup jobs, or your own investigation tools) writes to disk and memory, and a defense attorney can use those changes to argue that the evidence was tampered with.

• Don't access files.

You will naturally want to open the event and security logs to see what happened, but exercise willpower and wait until the crime scene technicians have made a bit-for-bit forensic image of the disks before you do. Merely opening a file can change its last-accessed timestamp, and once again this raises a question at trial as to whether the evidence was modified.

• Do "protect the perimeter."

While waiting for law enforcement officers to arrive, establish a crime scene perimeter that includes all affected computers and network devices. Lock the room if possible. Station a trusted person to watch over the devices at all times and make sure no one runs programs, accesses files, or plugs the systems back into the network. Do not leave the computers containing the evidence unattended, even for a short time.


• Establish the chain of custody from the beginning.

If it takes a while for law enforcement to arrive and you have to switch out "guards," document each changing of the guard: keep a log showing who had custody of the evidence, and who was in the room, at every point in time, with the time of each handover and the names of both parties. This is the "chain of custody" log, and an unbroken one is a vital factor in establishing the continued integrity of the evidence.
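The same log kept as a small digital record, added here as an example and not code from the original page or from Bisner Consulting. It chains each handover entry to the previous one with a SHA-256 hash so that later edits are detectable, and its verify() function checks the two things a court will ask about: that every handover was made by the person who actually held the evidence (no gaps) and that no entry was altered after it was written. The names, times, evidence label, hash choice and the idea of keeping the log digitally alongside the paper one are all assumptions of this example.

```python
# Hash-chained chain-of-custody log. Added example, not part of the original
# page. Assumptions not stated on the page: the log is kept as a digital record
# alongside the written one, SHA-256 is the hash, and every name, time and
# evidence label below is constructed sample data.
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: str     # ISO 8601 with offset, e.g. 2024-03-04T10:15:00+00:00
    released_by: str   # who hands the evidence over ("scene" for the initial seizure)
    received_by: str   # who takes custody
    evidence_id: str   # label on the sealed item or locked room, e.g. "SRV-01"
    note: str          # what was done: sealed, photographed, cable unplugged, ...
    prev_hash: str     # entry_hash of the previous entry, or GENESIS
    entry_hash: str    # SHA-256 over the other six fields


def _digest(fields: dict) -> str:
    """Canonical JSON of the hashed fields -> hex SHA-256."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append(log: list[CustodyEntry], timestamp: str, released_by: str,
           received_by: str, evidence_id: str, note: str) -> CustodyEntry:
    """Add an entry whose hash covers its own fields and the previous hash."""
    fields = dict(timestamp=timestamp, released_by=released_by,
                  received_by=received_by, evidence_id=evidence_id, note=note,
                  prev_hash=log[-1].entry_hash if log else GENESIS)
    entry = CustodyEntry(**fields, entry_hash=_digest(fields))
    log.append(entry)
    return entry


def verify(log: list[CustodyEntry]) -> list[str]:
    """Return a list of problems; an empty list means the chain is intact."""
    problems: list[str] = []
    prev_hash, prev_time, holder = GENESIS, None, None
    for i, e in enumerate(log):
        fields = asdict(e)
        fields.pop("entry_hash")
        if e.prev_hash != prev_hash:
            problems.append(f"entry {i}: prev_hash does not match entry {i - 1}")
        if e.entry_hash != _digest(fields):
            problems.append(f"entry {i}: contents altered after hashing")
        t = datetime.fromisoformat(e.timestamp)
        if prev_time is not None and t < prev_time:
            problems.append(f"entry {i}: timestamp earlier than entry {i - 1}")
        if holder is not None and e.released_by != holder:
            problems.append(f"entry {i}: released by {e.released_by!r} "
                            f"but custody was with {holder!r}")
        prev_hash, prev_time, holder = e.entry_hash, t, e.received_by
    return problems


def sample_log() -> list[CustodyEntry]:
    """Constructed example: two guard changes before police arrive."""
    log: list[CustodyEntry] = []
    append(log, "2024-03-04T10:15:00+00:00", "scene", "A. Example",
           "SRV-01", "network cable unplugged, room locked, screen photographed")
    append(log, "2024-03-04T12:00:00+00:00", "A. Example", "B. Example",
           "SRV-01", "guard change, seals intact")
    append(log, "2024-03-04T14:30:00+00:00", "B. Example", "Det. C. Example",
           "SRV-01", "handed to law enforcement, seals intact")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("problems:", verify(log) or "none")
```

Each entry hashes the previous entry's hash along with its own fields, so changing or removing an entry breaks every hash after it; verify() also reports a handover made by someone who did not hold the evidence, which is exactly the gap a defense attorney looks for. The paper log and the signatures on it remain the primary record; this is a way to check it, not a replacement.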

• Take pictures.

If there is information on the monitor screen that is relevant to the crime, photograph the screen in case it is gone by the time the crime scene techs arrive. Use a camera, not a screenshot: taking a screenshot means running a program and writing to the very disk you are trying to preserve. If you don't have a camera, write down what is on the screen and have several witnesses observe it so they can later testify to the accuracy of what you wrote down.

• Preserve physical evidence.

If the attack involved physical access to your servers or computers, don't touch the keyboards, cases, desks, or other surfaces, so that fingerprint evidence is not destroyed. Backup tapes, printed logs, and network diagrams may also be needed as evidence of the state of the systems before the intrusion.

For additional information on IT security, go to: www.bisnerconsulting.com