If you are the owner or administrator of a computer that has been involved in a security incident there may be evidence on your computer that is vital to understanding what has happened.
For University-owned systems it is imperative that we preserve the system as it was when the compromise was detected for forensic analysis (the same is true for personal systems compromised.)
A compromised computer is like a police crime scene. Once a compromise has been detected it is important to prevent the contents of the computer from being altered until it can be investigated by a trained security professional.
When the Incident Response Team has identified your computer as being compromised, they will ask you to do the following:
- Remove the network cord from the system or wall-jack (whichever is easier) so that no remote access to the system is possible. This not only prevents further abuse but prevents an intruder from erasing evidence (or even your own data!) Do NOT remove the power cord or shut the system down.
- Place a sign on the monitor and/or keyboard indicating that the system should not be used or connected to the network. If someone is actively logged into the computer you may wish to lock the screen, but do not log the user out unless directed to do so by the Incident Response Team.
It is common for administrators and owners to try and secure their systems immediately or help us conduct the investigation. While your interest in understanding the incident and wanting to help is laudable, often these actions have unintended consequences that hamper the investigation.
Please do NOT:
- Install patches, install software, change configurations, or stop services
- Kill processes, reboot, or power off the system
- Remove or add files, or restore items from backup tapes
- Allow the system to be used, even locally, until an inspection can be arranged
The Incident Response Team is sensitive to your needs to continue your work and return to normal as quickly as possible. Please discuss your business needs with the Incident Response Team and they will attempt to get things back to normal for you as quickly as possible.
Please note that it is the University’s policy that systems that have been compromised at the superuser root, administrator level must be completely reinstalled following the investigation