Regarding procedures for responding to information incidents, best practices are presented for analysing the victim machines in order to retrace the hacking episodes and understand how the attack was waged, with the final aim of providing a valid response to the intrusion. This response should be understood as a more effective and informed hardening of the system to reduce the possibility of future attacks; it does not mean the generation of a counterattack.

All the operations described so far are carried out with special attention to the method of identification, storage and possible use of evidence in a disciplinary hearing or in court. The unifying theme of the CD-ROM is the set of actions to undertake in response to an intrusion. It contains a number of sections offering a detailed analysis of each step:
the intrusion response preparation phase;
the analysis of available information on the intrusion;
the collection and storage of associated information (evidence);
the elimination (deletion) of tools used for gaining and maintaining illicit access to the machine (rootkits);
the restoration of the systems to normal operating conditions.
Detailed information is provided on the following:
management of different file systems;
procedures for data backup;
operations for creating images of hard and removable discs;
management of secure electronic communication;
cryptographic algorithms and their implementation;
tools for the acquisition, analysis and safeguarding of log files.
The CD also proposes a number of standardized forms to improve organization and facilitate interactions between the organizations that analyse the incident and the different targets involved in the attack. Specifically, an incident report form and a chain of custody form are provided. The latter is a valuable document for keeping track of all information regarding the evidence (who held it, when, and in what state).

The CD-ROM may be used to do an initial examination of the configuration of the compromised computer. The tools included make it possible to analyse the discs, generate an image of them and examine logs, so as to carry out a preliminary analysis of the incident. The IRItaly CD-ROM ( http://www.iritaly.org ) is bootable and contains a series of disc and log analysis tools. All the programs are on the CD in the form of static binaries, so that they do not depend on libraries of the compromised system, and are checked before the medium is prepared.
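As an added example (not code from the IRItaly CD-ROM or from the book), the following Python script shows the two integrity checks that the chain of custody form and the "checked static binaries" passage above rely on: a chain-of-custody log in which every hand-over of an evidence file is recorded together with its SHA-256 digest, so that a later change to the evidence is detected and can be placed in time, and a manifest check of the tool binaries before the medium is prepared. File names, the case identifier, the custodian names and all file contents are constructed for the demonstration.

```python
# Added example: chain-of-custody log and tool-manifest check using SHA-256.
# Not part of the IRItaly CD-ROM; all names, paths and contents are constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so that a multi-gigabyte disc image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log: list, evidence_path: str, action: str,
                         custodian: str, case_id: str) -> dict:
    """Append one chain-of-custody entry: who did what with the evidence, when,
    and the digest of the evidence at that moment. Re-hashing at every hand-over
    is what lets a reviewer pinpoint the step at which the evidence changed."""
    entry = {
        "case_id": case_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "action": action,
        "custodian": custodian,
    }
    log.append(entry)
    return entry


def custody_chain_intact(log: list, evidence_path: str) -> bool:
    """True if the evidence file still matches every digest recorded for it."""
    current = sha256_file(evidence_path)
    name = os.path.basename(evidence_path)
    return all(e["sha256"] == current for e in log if e["evidence"] == name)


def verify_manifest(manifest: dict, tool_dir: str) -> dict:
    """Check each static binary on the medium against its expected digest.
    A missing file counts as a failure, not as 'nothing to check'."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        results[name] = os.path.isfile(path) and sha256_file(path) == expected
    return results


def run_demo() -> dict:
    """Walk through an acquisition, a hand-over, an accidental write and a tool
    check on constructed files in a temporary directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for an acquired disc image (real images are far larger).
        image = os.path.join(workdir, "hda.img")
        with open(image, "wb") as f:
            f.write(b"abc")

        log = []
        record_custody_event(log, image, "acquired: bit-for-bit image of /dev/hda",
                             "analyst A", "CASE-0001")
        record_custody_event(log, image, "transferred to evidence locker",
                             "analyst B", "CASE-0001")
        intact_before = custody_chain_intact(log, image)

        # Simulate an accidental write to the image after the last hand-over.
        with open(image, "ab") as f:
            f.write(b"X")
        intact_after = custody_chain_intact(log, image)

        # Constructed tool directory: one genuine binary, one altered, one missing.
        tool_dir = os.path.join(workdir, "bin")
        os.mkdir(tool_dir)
        manifest = {
            "nc": sha256_bytes(b"static nc binary"),
            "ls": sha256_bytes(b"static ls binary"),
            "md5sum": sha256_bytes(b"static md5sum binary"),
        }
        with open(os.path.join(tool_dir, "nc"), "wb") as f:
            f.write(b"static nc binary")
        with open(os.path.join(tool_dir, "ls"), "wb") as f:
            f.write(b"static ls binary, modified")
        # "md5sum" is deliberately not written, to exercise the missing-file case.

        return {
            "image_sha256": log[0]["sha256"],
            "entries": len(log),
            "intact_before": intact_before,
            "intact_after": intact_after,
            "tools": verify_manifest(manifest, tool_dir),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script prints the digest of the constructed image, shows the chain reported intact after the two recorded hand-overs and broken after the later write, and lists the genuine, altered and missing tool binaries. In practice the log entries would be written to the chain of custody form (or an append-only file stored separately from the evidence), and the manifest would be generated on a trusted machine before the medium is burned.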