If you own or administer a computer that has been involved in a security incident, it may hold evidence that is vital to understanding what has happened. For University-owned systems it is imperative that the system be preserved exactly as it was when the compromise was detected. Even for personal systems, there may be cases where you wish to preserve the data for forensic analysis.
A compromised computer is like a police crime scene. Once a compromise has been detected it is important to prevent the contents of the computer from being altered until they can be investigated by a trained security professional.
When the Incident Response Team has identified your computer as being compromised, they will ask you to do the following:
- Unplug the network cable from the system or the wall jack (whichever is easier) so that no remote access to the system is possible. This not only prevents further abuse but also prevents an intruder from erasing evidence (or even your own data!). Do NOT remove the power cord or shut the system down: powering off destroys volatile evidence such as running processes, open network connections, and the contents of memory, which the Incident Response Team may need to capture before the system is examined.
- Place a sign on the monitor and/or keyboard indicating that the system should not be used or connected to the network. If someone is actively logged into the computer you may wish to lock the screen, but do not log the user out unless directed to do so by the Incident Response Team.
Following these two steps can help preserve needed evidence that will help the Incident Response Team analyze the system compromise.
It is common for administrators and system owners to try to secure their systems immediately or help us conduct the investigation. While your interest in understanding the incident and wanting to help is laudable, often these actions have unintended consequences that hamper the investigation.
Please do NOT:
- Install patches, install software, change configurations, or stop services.
- Kill processes, reboot, or power off the system.
- Remove or add files, or restore items from backup tapes.
- Allow the system to be used, even locally, until an inspection can be arranged.
The Incident Response Team is sensitive to your needs to continue your work and return to normal as quickly as possible. Please discuss your business needs with the Incident Response Team. They will attempt to get things back to normal for you as quickly as possible.
Please note that it is the University's policy that systems that have been compromised at the superuser (root, administrator) level must be completely reinstalled following the investigation, because nothing on such a system, including the operating system itself, can be trusted once an intruder has had full control of it.