In today's corporate environment, computer security incidents are commonplace, and quickly and appropriately responding to a security incident is vital. In "Building and Using an Incident Response Toolkit, Part 1," April 2004, InstantDoc ID 41900, I showed you how to build an incident response toolkit and how to use it to collect basic data from a compromised machine. In this article, I show you how to use the toolkit to quickly collect data about the compromised machine's file system.
Gathering File-System Data
At this point, you're ready to use the incident response toolkit to gather information about the file system. Ideally, you should duplicate the compromised machine's hard disk, hash the hard disk's contents, analyze the contents at a different workstation, then hash the contents again after getting whatever information is possible. Alternatively, you could use an IDE or SCSI write blocker on the compromised machine. (A write blocker is a device that lets you use your computer to access and investigate the compromised hard disk but prevents your computer from writing to that disk.) However, duplication or a write blocker might not be viable because of time and budget constraints. So, instead, I cover the toolkit utilities that you can use on a live system for a quick-and-dirty analysis. The utilities make their best effort to avoid writing to the compromised hard disk, but the risk of doing so is still present, as you'll later see. . . .
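The duplicate-hash-analyze-rehash cycle described above is worth seeing end to end, because it is the check that tells you whether your analysis (or a tool that is not as read-only as it claims) touched the evidence. The following Python script is an added example, not part of the original article or its toolkit; it assumes SHA-256 as the hash (the article names no algorithm) and uses a small constructed file standing in for an acquired disk image. It hashes the image, performs a read-only pass, verifies the digest still matches, then simulates the kind of stray write a write blocker exists to prevent and shows the verification fail.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read the image in 1 MiB pieces so a large image need not fit in RAM


def hash_image(path, algorithm="sha256"):
    """Return the hex digest of the whole file at `path`, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, recorded_digest, algorithm="sha256"):
    """Re-hash the image and report whether it still matches the digest
    recorded before analysis began."""
    return hash_image(path, algorithm) == recorded_digest


def make_constructed_image(directory):
    """Write a constructed stand-in for a disk image (fixed bytes, not a real
    acquisition) and return its path."""
    path = os.path.join(directory, "evidence.dd")
    with open(path, "wb") as f:
        f.write(b"NTFS    " + bytes(range(256)) * 64)
    return path


def demo():
    """Run the acquire / hash / analyze / re-hash cycle on the constructed image.

    Returns (digest_before, verified_after_read_only_pass, verified_after_write).
    """
    with tempfile.TemporaryDirectory() as d:
        path = make_constructed_image(d)
        before = hash_image(path)

        # Analysis step: a read-only pass over the image leaves the digest unchanged.
        with open(path, "rb") as f:
            while f.read(CHUNK):
                pass
        ok_after_read = verify_image(path, before)

        # Simulated stray write to the evidence (what a write blocker prevents):
        # change a single byte, then show the recorded digest no longer verifies.
        with open(path, "r+b") as f:
            f.seek(512)
            f.write(b"\x00")
        ok_after_write = verify_image(path, before)

        return before, ok_after_read, ok_after_write


if __name__ == "__main__":
    digest, after_read, after_write = demo()
    print("digest before analysis :", digest)
    print("verified after read-only pass:", after_read)
    print("verified after stray write   :", after_write)
```

Record the pre-analysis digest somewhere the compromised machine cannot reach (your notes, a separate workstation) and re-run the verification after every tool you use; a digest that changes between runs means one of those tools wrote to the evidence.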