Posted by: Arian Eigen Heald
Data Breaches, Digital Forensics, Incident Response, information security
In a previous column, I talked about the importance of locking up a computer and not continuing to use it after it has been compromised, or after the fraudster has been fired.
This works in a lot of situations, but there are also situations where it is NOT the best thing to do. If you know a computer has been compromised by an external entity, the best things to do are:
1. leave it on,
2. don’t let anybody use it, and
3. call your experts in.
Why leave it on? There are things running in memory that won’t be captured if you shut it down. Remember that you lose everything that’s in RAM, as well as network connections and processes running. It’s critical information if you want to find out who is doing it, and how they’re doing it.
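To make the point concrete, here is an added example (not from the original column) of the kind of volatile-state snapshot a responder takes before a box is powered off: it reads running processes and live TCP connections from Linux's /proc, writes them to an evidence file and returns the file's SHA-256 so the capture can be verified later. The /proc layout is Linux-specific, and the sample /proc/net/tcp text embedded below is constructed for the parser test.

```python
"""Added example: snapshot the volatile state (processes, TCP connections)
that a shutdown or reboot would destroy. Linux /proc only."""
import hashlib
import json
import os
import socket
import struct
import time

# TCP state codes as written in /proc/net/tcp (kernel tcp_states.h numbering)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp: one listener on 127.0.0.1:22 and one
# established session from 10.0.2.5:50000 to 10.0.2.15:22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0502000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn /proc's 'AABBCCDD:PPPP' (little-endian IPv4, hex port) into 'a.b.c.d:port'."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return "%s:%d" % (ip, int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        conns.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return conns


def list_processes():
    """Read pid, name and parent pid for every numeric entry under /proc."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/status" % pid) as f:
                info = dict(line.split(":", 1) for line in f if ":" in line)
            procs.append({
                "pid": int(pid),
                "name": info.get("Name", "").strip(),
                "ppid": int(info.get("PPid", "0").strip()),
            })
        except (OSError, ValueError):
            continue  # the process exited while we were reading it: that is volatility
    return procs


def snapshot_volatile_state(out_path):
    """Write connections and processes to out_path; return (data, sha256 of the file)."""
    data = {"captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    try:
        with open("/proc/net/tcp") as f:
            data["connections"] = parse_proc_net_tcp(f.read())
    except OSError:
        data["connections"] = []  # not Linux, or /proc not mounted
    data["processes"] = list_processes()
    blob = json.dumps(data, indent=1, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(blob)
    return data, hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    snap, digest = snapshot_volatile_state("volatile_snapshot.json")
    print("%d processes, %d TCP connections, sha256=%s"
          % (len(snap["processes"]), len(snap["connections"]), digest))
```

Run it to an external drive or a network share rather than the compromised disk, and record the printed hash in your notes: the file is the only record of this state once the machine goes down, and the hash is what lets you show it has not changed since.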
Don’t log into it to “see what you can find out.” In some cases, servers get hacked, and admins tend to log in to “fix it.” As I noted earlier, sometimes they reboot the box to “clear it out.” There goes all your information, and very probably the ability to at least find out how it was done, so that you don’t restore the box to the same “hackable” condition.
Don’t have experts you can call on that you know are good? That means you’re suffering from the ostrich syndrome. The time to build relationships that can help in a crisis is not during the crisis. Do yourself a favor and at least research the most likely people you’ll need to get the job done.