
Page 1: Miguel Cárdenas Montes, EGEE, JSPG, Den Haag, 25-11-2004

Procedure for scaling images of computers under attack or under suspicion

Joint Security Policy Group

Geneva, 24-25 January 2005

Page 2: Simple procedure

• Follow-the-yellow-line procedure.

• No technical knowledge needed.

• In less than an hour your system is back online.

• In less than an hour your system is safe again.

• Collection first and analysis later.

Page 3: Step A

• Unplug the network connection.

To avoid propagation of the infection.

To remove external avenues for changes to the system.

Page 4: Step B

• Enter the computer and execute the following commands.

– ps aux > process.txt
– netstat --listening > connections.txt
– w > users.txt
– mount > partitions.txt
– arp > arp.txt

To save system information before the system is shut down.

To save information that is only available on the live system (from the most volatile to the least volatile information).
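The Step B collection as a small script, added here as an example and not part of the original slides. It writes every output to OUTDIR (assumed to be removable media or a network share mounted on the suspect host, never the suspect disk itself, so our own output files do not alter the evidence), keeps the order of volatility from the slide, hashes each file as it is produced, and logs commands that are not installed instead of stopping; `netstat -an` and `arp -an` are used here rather than the slide's exact flags so that all sockets, not only listening ones, are captured.

```shell
#!/bin/sh
# Added example (not from the original slides): Step B collection in order
# of volatility. OUTDIR should be removable media or a network share mounted
# on the suspect host, never the suspect disk, so the evidence is not
# modified by our own output files. Missing commands are logged and skipped.

# run_step LABEL CMD... : save the output of CMD to OUTDIR/LABEL.txt, hash it,
# and record what was run in OUTDIR/collect.log
run_step() {
    label=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "SKIP $label: $1 not installed" >> "$OUTDIR/collect.log"
        return 0
    fi
    # stdout and stderr both go to the file; an error must not stop collection
    "$@" > "$OUTDIR/$label.txt" 2>&1 || true
    md5sum "$OUTDIR/$label.txt" >> "$OUTDIR/md5.txt"
    echo "OK   $label: $*" >> "$OUTDIR/collect.log"
}

# collect_volatile OUTDIR : most volatile first (process and network state),
# least volatile last (logged-in users, mounted filesystems)
collect_volatile() {
    OUTDIR=$1
    mkdir -p "$OUTDIR"
    : > "$OUTDIR/md5.txt"
    echo "start $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n)" > "$OUTDIR/collect.log"
    run_step date        date
    run_step process     ps aux
    run_step connections netstat -an
    run_step arp         arp -an
    run_step users       w
    run_step partitions  mount
    echo "end   $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$OUTDIR/collect.log"
}

# Usage on the suspect host (commented out; /mnt/usb is an assumed mount point):
# collect_volatile "/mnt/usb/evidence-$(uname -n)"
```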

Page 5: Step C

• List the mounted partitions.

• Write the output of the command down on paper (only so that no partition is forgotten).

– mount

To learn how many partitions there are, so that a copy of each of them is made.

Page 6: Step D

• Switch off the system.
• Unplug the hard disk.
• Plug the hard disk into another system.

To put the suspect hard disk into a clean and safe system.

Avoid doing forensics on the original evidence; work on the copy.

Page 7: Step E

• Execute dd to copy the partitions.

• For every partition:

– dd if=/dev/hdb? of=/hdb?.dd

To make an image of every partition of the system.

Don't run programs that modify the access time of files; only run programs that make bit-for-bit copies.

Page 8: Step F

• Make an md5sum of the dd files:

– md5sum hdb?.dd >> md5.txt

• Make a tarball of all the hdb?.dd files and md5.txt:

– tar czvf ip-dd.tgz hdb?.dd md5.txt

To add the md5 hash to the information sent. Worry about md5 collisions?

To prevent tampering with the files.

To make sending the information easy.
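Steps E and F as working shell functions, added here as an example and not part of the original slides: image a partition with dd so that read errors do not abort the copy, hash each image into the manifest, pack images and manifest with the archive name in the correct position, and verify the manifest on the receiving side. The `hdb` device names are the slides' own; OUTDIR and ARCHIVE are parameters introduced here, and the test below runs the functions against a constructed file standing in for a partition.

```shell
#!/bin/sh
# Added example (not from the original slides) for Steps E and F: image each
# partition with dd, hash every image, pack images and manifest for the CCSI
# team, and let the receiver verify the hashes. The "hdb" device names are the
# slides' own; OUTDIR and ARCHIVE are parameters introduced here.
# The suspect disk attached in Step D must not be mounted on the analysis
# system: dd reads the raw device, so nothing on it is touched.

# image_partition DEV OUTDIR : bit-for-bit copy of DEV to OUTDIR/<name>.dd
# and append its md5 to OUTDIR/md5.txt. bs=512 with conv=noerror,sync means
# an unreadable sector is replaced by 512 zero bytes instead of aborting the
# copy, and a short final read is padded only to the next sector boundary.
image_partition() {
    dev=$1; outdir=$2
    name=$(basename "$dev")
    dd if="$dev" of="$outdir/$name.dd" bs=512 conv=noerror,sync 2>>"$outdir/dd.log"
    # hash inside OUTDIR so the manifest carries relative names (md5sum -c needs that)
    (cd "$outdir" && md5sum "$name.dd" >> md5.txt)
}

# pack_evidence OUTDIR ARCHIVE : tarball of the images, the manifest and the
# dd log. ARCHIVE is an absolute path. The archive name comes first after the
# options; "tar czvf * ip-dd.tgz" would turn the first matching file into
# the archive name and overwrite it.
pack_evidence() {
    outdir=$1; archive=$2
    (cd "$outdir" && tar czf "$archive" md5.txt dd.log ./*.dd)
}

# verify_manifest OUTDIR : succeeds only if every image still matches md5.txt;
# the CCSI team runs this after unpacking ip-dd.tgz
verify_manifest() {
    (cd "$1" && md5sum -c md5.txt >/dev/null 2>&1)
}

# Usage on the slides' layout (commented out: it needs the real suspect disk):
# mkdir -p /evidence
# for p in /dev/hdb?; do image_partition "$p" /evidence; done
# pack_evidence /evidence /evidence/ip-dd.tgz
```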

Page 9: Step G

• Send the tarball and the hash to the CCSI team.

• CCSI = Computer Crime Science Investigation

• ccsi@........
• ftp server to upload to

To deliver the information from a potential crime to the experts.

Page 10: Step H

• Send the hard disk back to the original system and reinstall it.

The system is ready to produce e-science again.

Less than an hour to restart the system clean and safe.

The CCSI will report back to you with advice to improve security.

Another report goes to the group.

Page 11: Conclusions

• This procedure can be written on a sheet. Only one sheet.

• This procedure could be the start of a more formal document.

• This procedure could be the basis for further discussion. I hope!

Page 12: Thanks

• To all of you for your patience with my English level.

• Thanks to Elio Pérez.