検索

このコンテンツは選択した言語では利用できません。

10.4. Investigating the Incident

download PDF
Investigating a computer breach is like investigating a crime scene. Detectives collect evidence, note any strange clues, and take inventory on loss and damage. An analysis of a computer compromise can either be done as the attack is happening or post-mortem.
Although it is unwise to trust any system log files on an exploited system, there are other forensic utilities to aid in the analysis. The purpose and features of these tools vary, but they commonly create bit-image copies of media, correlate events and processes, show low level file system information, and recover deleted files whenever possible.
It is also a good idea to record of all of the investigatory actions executed on a compromised system by using the script command, as in the following example:
 script -q <file-name>
Replace <file-name> with file name for the script log. Always save the log file on media other than the hard drive of the compromised system — a floppy disk or CD-ROM works particularly well for this purpose.
By recording all your actions, an audit trail is created that may prove valuable if the attacker is ever caught.

10.4.1. Collecting an Evidential Image

Creating a bit-image copy of media is a feasible first step. If performing data forensic work, it is a requirement. It is recommended to make two copies: one for analysis and investigation, and a second to be stored along with the original for evidence in any legal proceedings.
You can use the dd command that is part of the coreutils package in Red Hat Enterprise Linux to create a monolithic image of an exploited system as evidence in an investigation or for comparison with trusted images. Suppose there is a single hard drive from a system you want to image. Attach that drive as a slave to the system and then use dd to create the image file, such as the following:
 dd if=/dev/hdd bs=1k conv=noerror,sync of=/home/evidence/image1 
This command creates a single file named image1 using a 1k block size for speed. The conv=noerror,sync options force dd to continue reading and dumping data even if bad sectors are encountered on the suspect drive. It is now possible to study the resulting image file or even attempt to recover deleted files.
Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.