Where to Look for Forensic Data
There are the obvious places to look for information after a computer attack. The machine or machines that were exploited are the first place to start. Log files and key system files often hold clues as to the methods used and the identity of the intruder. You should also consult any intrusion detection systems you have in place. These tools may be what alerted you to the incident in the first place. Tools like Tripwire (described in Chapter 7) can be invaluable in determining what was done and whether a system has been compromised.
However, important information is often located in the least likely places, such as a user's directory in the case of an exploited account or temporary directories created by your assailant. If possible, quarantine the entire system to go through it with a fine-tooth comb. The tools described later in this chapter will help expedite this process.
Also, don't limit yourself to the suspect computers. Often you will want to look somewhere other than the machine(s) in question to find information on your attackers. While they might wipe the local logs on the exploited machine, you can sometimes find their tracks on nearby servers or devices. An attack is rarely successful the first time it is tried. Usually an attacker has to try multiple machines to find one that is vulnerable. This activity shows up in the log files of neighboring machines, where you can find evidence of reconnaissance scans. You can also find signs of unusual activity on your routers and firewalls. Check the logs around the time of the break-in (this is where synchronized log files really make a difference). You might look at your public Web server logs around the time of the break-in as well. When hackers find a vulnerable server, they will often go to the Web site associated with that domain name to see whom they have hacked. Try to find IP addresses that match between logs.
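As an added illustration (not code from the book), here is a small Python script that performs the cross-log correlation described above: it takes log lines from a firewall, a public Web server and a neighboring host, keeps only entries within a window around the break-in time, and reports addresses that appear in more than one log. The log formats, addresses and timestamps are constructed for the example; the script assumes all three hosts had synchronized clocks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three neighboring systems (not real data).
# Timestamps are assumed to come from clock-synchronized hosts.
SAMPLE_LOGS = {
    "firewall": [
        "2004-03-12T02:10:05 DROP src=203.0.113.7 dst=192.0.2.20 dpt=22",
        "2004-03-12T02:10:06 DROP src=203.0.113.7 dst=192.0.2.21 dpt=22",
        "2004-03-12T02:11:40 ACCEPT src=203.0.113.7 dst=192.0.2.25 dpt=22",
        "2004-03-12T09:00:00 ACCEPT src=198.51.100.4 dst=192.0.2.25 dpt=80",
    ],
    "webserver": [
        '2004-03-12T02:15:02 203.0.113.7 "GET / HTTP/1.0" 200',
        '2004-03-12T01:00:00 198.51.100.9 "GET /index.html HTTP/1.0" 200',
    ],
    "neighbor-host": [
        "2004-03-12T02:10:05 sshd: Failed password for root from 203.0.113.7",
        "2004-03-12T02:10:07 sshd: Failed password for admin from 203.0.113.7",
    ],
}

# Assumed time of the break-in on the exploited machine (constructed value).
BREAK_IN = datetime(2004, 3, 12, 2, 12, 0)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def correlate(logs, break_in, window_minutes=30):
    """Return {ip: {source: hit_count}} for every address seen in two or
    more log sources within +/- window_minutes of the break-in time."""
    lo = break_in - timedelta(minutes=window_minutes)
    hi = break_in + timedelta(minutes=window_minutes)
    seen = defaultdict(lambda: defaultdict(int))
    for source, lines in logs.items():
        for line in lines:
            m = TS_RE.match(line)
            if not m:
                continue  # unparseable line: skip rather than guess
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            if not (lo <= ts <= hi):
                continue  # outside the window around the break-in
            for ip in set(IP_RE.findall(line)):
                seen[ip][source] += 1
    return {ip: dict(srcs) for ip, srcs in seen.items() if len(srcs) >= 2}


if __name__ == "__main__":
    for ip, sources in sorted(correlate(SAMPLE_LOGS, BREAK_IN).items()):
        print(ip, sources)
```

With these sample logs only 203.0.113.7 turns up in all three sources inside the window; the two daytime Web and firewall entries fall outside it and are ignored.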