Sunday, September 09, 2007

First responders toolkit


When it comes to professional security, the motto "nothing is secure" is a must.

It is far better to plan ahead ... that is, to plan the step that comes after security.

Because one way or another, someone better or faster than you (yes, there will always be at least one guy ahead of you) is sooner or later going to break in. If we are talking about enterprise security, where the stakes are high, then if you have not planned ahead you have lost the game, and who knows what else :)

So what is the next step after the proper security measures have been applied?

Obviously, a toolkit and a methodology that the system administrator will follow in the event of an incident in order to save and log the important volatile data, until the forensic investigator comes in and takes over.

The volatile data collected in this process, however, should be saved to a medium other than the system's own hard drive, since writing to that drive may destroy digital evidence.

One issue when creating a first responder toolkit is the DLL dependencies of the forensic tools on Windows.

Because the Windows source code is closed, we cannot statically compile Windows native executables. Therefore, at a minimum, we have to find out an application's footprint in memory and analyse its dependencies using a utility such as Filemon.

The DLL issue is NOT as pressing in the UNIX world.
Since most of these operating systems are open source, it is possible to statically build binaries that do not rely on shared libraries. This is the preferred type of tool because its output is more trustworthy.

Now regarding the methodology:

1. Create a forensic tool testbed
2. Document the testbed
   2.1 OS and S/W installed
   2.2 Loaded DLLs (and a hash)
   2.3 Types of H/W
   2.4 Patches and hotfixes installed
3. Document and set up the forensic tools
   3.1 Acquisition
   3.2 Description
   3.3 Functionality
   3.4 Dependencies and system effects
4. Test the tools

As a first responder, you should follow this methodology to ensure the integrity and reliability of each collection tool, command, or application you use in the field.
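One way to carry out the documentation and test steps above (2.2, 3.x and 4) in practice, as an added example rather than anything from the original post: build a manifest that records a SHA-256 hash and the analyst's notes for every file on the toolkit media, then re-verify the media before each use so a modified, missing or dropped file is caught before the tools touch a live system. The toolkit files and their notes below are constructed stand-ins, not real tools.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(toolkit_dir: Path, notes: dict) -> dict:
    """Record every file with its hash plus the analyst's documentation
    (description, functionality, observed DLL dependencies) keyed by path."""
    manifest = {}
    for path in sorted(toolkit_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(toolkit_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), **notes.get(rel, {})}
    return manifest


def verify_toolkit(toolkit_dir: Path, manifest: dict) -> dict:
    """Compare the media's current contents against the manifest.
    Returns only the problem categories that are non-empty ({} means clean)."""
    present = {p.relative_to(toolkit_dir).as_posix()
               for p in toolkit_dir.rglob("*") if p.is_file()}
    problems = {"modified": [], "missing": [], "unexpected": sorted(present - set(manifest))}
    for rel, entry in manifest.items():
        if rel not in present:
            problems["missing"].append(rel)
        elif sha256_file(toolkit_dir / rel) != entry["sha256"]:
            problems["modified"].append(rel)
    return {k: v for k, v in problems.items() if v}


def demo() -> dict:
    """Constructed toolkit: two fake binaries; one is later tampered with and a stray file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp)
        (kit / "bin").mkdir()
        (kit / "bin" / "pslist.exe").write_bytes(b"MZ constructed stand-in for a process lister")
        (kit / "bin" / "netstat.exe").write_bytes(b"MZ constructed stand-in for a socket lister")
        notes = {"bin/pslist.exe": {"description": "lists running processes",
                                    "dependencies": ["kernel32.dll (constructed note)"]}}
        manifest = build_manifest(kit, notes)  # step 2.2 / 3.x: document hashes and notes
        print(json.dumps(manifest, indent=2))
        assert verify_toolkit(kit, manifest) == {}  # step 4: clean media verifies
        (kit / "bin" / "netstat.exe").write_bytes(b"MZ tampered")  # simulate modification
        (kit / "bin" / "extra.dll").write_bytes(b"dropped file")  # simulate a stray file
        return verify_toolkit(kit, manifest)
```

Burn the manifest to the same write-once media as the tools, or keep a signed copy elsewhere, so a tampered toolkit cannot also carry a matching manifest.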
