
| Subject: | RE: Ever seen a dead-man switch |
|---|---|
| Date: | Mon, 25 Oct 2004 15:23:23 +0100 (BST) |
As some other respondents have already noted - most of the standard hardware deployed for multi-purpose operating systems isn't designed to support hot insertion of cards to the motherboard. Even if you have a card which purports to get around that risk (unlikely), what are the chances that there will be a free slot available?

I note from the pdf that was referred to in one response the firewire standard reputedly allows direct access to system memory (this might be an interesting forensic solution ... as well as a security risk during normal operation), i.e. maybe it's possible to dump RAM via firewire.

There are a number of different ways to respond to an incident - with the most important initial decision being "do we want to investigate the incident or recover the system".

Having decided to investigate the incident you then need to decide what the risks are in leaving the system running as it is (is the situation getting worse, is it possible that a dead-man switch is in place which will erase any evidence without the required intervention...).

If there is a virus on a critical system which is destroying valuable data it may be determined that the best course of action is to switch off the system and save as much data as possible before looking into the incident.

If there is a worm on a system which is attacking other systems then simply unplugging the network cable may be sufficient as an initial response.

If there's a chance that criminal activity may need to be investigated on a system then I suspect that the best course of action will still be powering down the system ASAP and sealing the system.

Of course, if a system is being used for criminal activity then it may well include trip switches to remove evidence (such as a dead-man switch) - or it may use strong encryption with volatile keys ... this is something of a quandary as you don't want to leave it running in case the dead-man switch is invoked yet you don't want to power it down without recovering the keys first (or you lose all the evidence). Then again, logging onto the system to analyse processes and memory may well taint the audit trail and weaken the strength of any gathered evidence - or it may trip some logic bomb in the system.

I'd be interested to know how intrusive the firewire option for dumping memory might be (if it's for real) as this might be something that can be done just before a power-off.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com