2.2 Computer Forensics

If, during the process of live response, the investigator notices a particular process that catches his attention as being suspicious, he may dump the memory image of this process so that he can dissect it later on.

When Powering Down Isn't an Option

Once the live response has completed, the investigator needs to decide if he should power down the machine to perform a postmortem, how he should do so, and if he can afford to generate additional artifacts during the process (i.e., create a crash dump). In the event that the machine in question cannot be powered down, live response may be the only option available.

This can be the case when a machine is providing mission critical services (e.g., financial transactions) and the owner literally cannot afford downtime. Perhaps the owner has signed a service level agreement (SLA) that imposes punitive measures for downtime. The issue of liability also rears its ugly head, as the forensic investigator may also be held responsible for damages if the machine is shut down (e.g., operational costs, recovering corrupted files, lost transaction fees, etc.). Finally, there's also the investigative angle. In some cases, a responder might want to keep a machine up so that he can watch what an attacker is doing and perhaps track the intruder down.

The Debate over Pulling the Plug

One aspect of live response that investigators often disagree on is how to power down a machine. Should they perform a normal shutdown or simply yank the power cable (or remove the battery)?

Both schools of thought have their arguments. Shutting down a machine through the appropriate channels allows the machine to perform all of the actions it needs to in order to maintain the integrity of the file system. If you yank the power cable of a machine, it may leave the file system in an inconsistent state. In contrast, formally shutting down the machine also exposes the machine to shutdown scripts, scheduled events, and the like, which could be maliciously set as booby traps by an attacker who realizes that someone is on to him. I'll also add that there have been times where I was looking at a compromised machine while the attacker was actually logged on. When the attacker believed I was getting too close for comfort, he shut down the machine himself to destroy evidence. Yanking the power allows the investigator to sidestep this contingency by seizing initiative.

In the end, it's up to the investigator to use his or her best judgment based on the specific circumstances of an incident.
