GROUND ZERO ñ WHAT TO DO

• do not start looking through files

• start a journal with the date and time, keep detailed notes

• unplug the system from the network if possible

• do not back the system up with dump or other backup utilities

• if possible without rebooting, make two byte by byte copies of the physical disk

• capture network info

• capture process listings and open files

• capture configuration information to disk and notes

• collate mail, DNS and other network service logs to support host data

• capture exhaustive external TCP and UDP port scans of the host

• contact security department or CERT/management/police or FBI

• if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented

• short-term storage

• packaging/labeling

• shipping

Previous slide

Next slide

Back to first slide

View graphic version