Miguel Cárdenas Montes, EGEE, JSPG, Deer Hass, 25-11-2004
Procedure for scaling images of computers under attack or under suspicion
Joint Security Policy Group
Geneva, 24-25 January 2005
Simple procedure
• Follow the yellow line: the procedure.
• No technical knowledge needed.
• In less than an hour your system is back online.
• In less than an hour your system is safe again.
• Collection first, analysis later.
Step A
• Unplug the network connection.
To avoid propagating the infection.
To remove external avenues for changes.
Step B
• Log in to the computer and execute the following commands.
– ps aux > process.txt
– netstat --listen > connections.txt
– w > users.txt
– mount > partitions.txt
– arp > arp.txt
To save system information before the system is switched off.
To save information that is only available on the live system (from the most volatile to the less volatile information).
Step C
• List the mounted partitions.
• Write down the output of the command on paper (only so that you don't forget a partition).
– mount
To know how many partitions there are, so that a copy is made of every one of them.
Step D
• Switch off the system.
• Unplug the hard disk.
• Plug the hard disk into another system.
To put the suspect hard disk in a clean and safe system.
Avoid doing forensics on the evidence copy.
Step E
• Execute dd to copy the partitions.
• For every partition:
dd if=/dev/hdb? of=/hdb?.dd
To make an image of every partition of the system.
Don't run programs that modify the access time of files; only programs doing bit-to-bit copies.
Step F
• Make an md5sum of the dd files:
md5sum hdb?.dd >> md5.txt
• Make a tarball of all the hdb?.dd files and md5.txt (the archive name comes first):
tar czvf ip-dd.tgz hdb?.dd md5.txt
To add the md5 hash to the information sent. Should we worry about md5 collisions?
To avoid tampering with the files.
To make it easy to send the information.
Step G
• Send the tarball and the hash to the CCSI team.
• CCSI = Computer Crime Science Investigation
• ccsi@........
• An FTP server to upload to.
To deliver the information about a potential crime to the experts.
Step H
• Send the hard disk back to the original system, and reinstall it.
The system is ready again to produce e-science.
Less than an hour to restart the system clean and safe.
The CCSI will report back with advice to improve security.
Another report goes to the group.
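Steps B, C, E and F above as POSIX shell functions, added here as an example and not part of the original slides. Assumptions: the caller passes an output directory, the device list is read back from the saved mount output (step C) so that no partition is forgotten, the tarball is named after a caller-supplied identifier (the slides use the host IP), and tar is given the archive name first, which the slide's `tar czvf * ip-dd.tgz` gets wrong.

```shell
#!/bin/sh
# Added example, not from the original slides: steps B, C, E and F as functions.
# Assumptions: an output directory is passed in, the tarball name uses a caller-
# supplied identifier (the slides use the host IP), and the device list is taken
# from the saved `mount` output so that no partition is forgotten (step C).
set -eu

# Step B: volatile data first, before the system is switched off.
collect_volatile() {               # $1 = output directory
    mkdir -p "$1"
    ps aux           > "$1/process.txt"
    netstat --listen > "$1/connections.txt"
    w                > "$1/users.txt"
    mount            > "$1/partitions.txt"
    arp              > "$1/arp.txt"
}

# Step C: the partitions to image, read back from the saved mount output.
# Only entries whose source is a path (block devices, or files standing in for
# them in a test) are kept; pseudo filesystems such as proc are skipped.
list_devices() {                   # $1 = partitions.txt
    awk '$1 ~ "^/" { print $1 }' "$1" | sort -u
}

# Steps E and F: bit-for-bit image of every device with dd, then an md5 of
# each image. The suspect disk is attached to a clean host first (step D).
image_devices() {                  # $1 = output directory, then one device per argument
    out=$1; shift
    mkdir -p "$out"
    : > "$out/md5.txt"
    for dev in "$@"; do
        name=$(basename "$dev").dd
        dd if="$dev" of="$out/$name" bs=4096 2>/dev/null
        (cd "$out" && md5sum "$name" >> md5.txt)
    done
}

# Check the images against md5.txt; non-zero status if any image was altered.
verify_images() {                  # $1 = output directory
    (cd "$1" && md5sum -c --quiet md5.txt)
}

# Step F, tarball of the images plus md5.txt. The archive name must come first:
# `tar czvf * ip-dd.tgz` would treat the first .dd file as the archive name.
make_tarball() {                   # $1 = output directory, $2 = identifier (e.g. host IP)
    (cd "$1" && tar czf "$2-dd.tgz" md5.txt ./*.dd)
    echo "$1/$2-dd.tgz"
}
```

Run `verify_images` on the receiving side before any analysis; a non-zero status means an image no longer matches the hash recorded at collection time.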
Conclusions
• This procedure can be written on a sheet. Only one sheet.
• This procedure could be the start of a more formal document.
• This procedure could be the basis for further discussion. I hope!
Thanks
• To all of you for your patience with my English level.
• Thanks to Elio Pérez.