📄 rfc3227.txt
字号:
Network Working Group D. Brezinski
Request for Comments: 3227 In-Q-Tel
BCP: 55 T. Killalea
Category: Best Current Practice neart.org
February 2002
Guidelines for Evidence Collection and Archiving
Status of this Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
A "security incident" as defined in the "Internet Security Glossary",
RFC 2828, is a security-relevant system event in which the system's
security policy is disobeyed or otherwise breached. The purpose of
this document is to provide System Administrators with guidelines on
the collection and archiving of evidence relevant to such a security
incident.
If evidence collection is done correctly, it is much more useful in
apprehending the attacker, and stands a much greater chance of being
admissible in the event of a prosecution.
Table of Contents
1 Introduction.................................................... 2
1.1 Conventions Used in this Document........................... 2
2 Guiding Principles during Evidence Collection................... 3
2.1 Order of Volatility......................................... 4
2.2 Things to avoid............................................. 4
2.3 Privacy Considerations...................................... 5
2.4 Legal Considerations........................................ 5
3 The Collection Procedure........................................ 6
3.1 Transparency................................................ 6
3.2 Collection Steps............................................ 6
4 The Archiving Procedure......................................... 7
4.1 Chain of Custody............................................ 7
4.2 The Archive................................................. 7
5 Tools you'll need............................................... 7
Brezinski & Killalea Best Current Practice [Page 1]
RFC 3227 Evidence Collection and Archiving February 2002
6 References...................................................... 8
7 Acknowledgements................................................ 8
8 Security Considerations......................................... 8
9 Authors' Addresses.............................................. 9
10 Full Copyright Statement.......................................10
1 Introduction
A "security incident" as defined in [RFC2828] is a security-relevant
system event in which the system's security policy is disobeyed or
otherwise breached. The purpose of this document is to provide
System Administrators with guidelines on the collection and archiving
of evidence relevant to such a security incident. It's not our
intention to insist that all System Administrators rigidly follow
these guidelines every time they have a security incident. Rather,
we want to provide guidance on what they should do if they elect to
collect and protect information relating to an intrusion.
Such collection represents a considerable effort on the part of the
System Administrator. Great progress has been made in recent years
to speed up the re-installation of the Operating System and to
facilitate the reversion of a system to a 'known' state, thus making
the 'easy option' even more attractive. Meanwhile little has been
done to provide easy ways of archiving evidence (the difficult
option). Further, increasing disk and memory capacities and the more
widespread use of stealth and cover-your-tracks tactics by attackers
have exacerbated the problem.
If evidence collection is done correctly, it is much more useful in
apprehending the attacker, and stands a much greater chance of being
admissible in the event of a prosecution.
You should use these guidelines as a basis for formulating your
site's evidence collection procedures, and should incorporate your
site's procedures into your Incident Handling documentation. The
guidelines in this document may not be appropriate under all
jurisdictions. Once you've formulated your site's evidence
collection procedures, you should have law enforcement for your
jurisdiction confirm that they're adequate.
1.1 Conventions Used in this Document
The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
and "MAY" in this document are to be interpreted as described in "Key
words for use in RFCs to Indicate Requirement Levels" [RFC2119].
Brezinski & Killalea Best Current Practice [Page 2]
RFC 3227 Evidence Collection and Archiving February 2002
2 Guiding Principles during Evidence Collection
- Adhere to your site's Security Policy and engage the
appropriate Incident Handling and Law Enforcement personnel.
- Capture as accurate a picture of the system as possible.
- Keep detailed notes. These should include dates and times. If
possible generate an automatic transcript. (e.g., On Unix
systems the 'script' program can be used, however the output
file it generates should not be to media that is part of the
evidence). Notes and print-outs should be signed and dated.
- Note the difference between the system clock and UTC. For each
timestamp provided, indicate whether UTC or local time is used.
- Be prepared to testify (perhaps years later) outlining all
actions you took and at what times. Detailed notes will be
vital.
- Minimise changes to the data as you are collecting it. This is
not limited to content changes; you should avoid updating file
or directory access times.
- Remove external avenues for change.
- When confronted with a choice between collection and analysis
you should do collection first and analysis later.
- Though it hardly needs stating, your procedures should be
implementable. As with any aspect of an incident response
policy, procedures should be tested to ensure feasibility,
particularly in a crisis. If possible procedures should be
automated for reasons of speed and accuracy. Be methodical.
- For each device, a methodical approach should be adopted which
follows the guidelines laid down in your collection procedure.
Speed will often be critical so where there are a number of
devices requiring examination it may be appropriate to spread
the work among your team to collect the evidence in parallel.
However on a single given system collection should be done step
by step.
- Proceed from the volatile to the less volatile (see the Order
of Volatility below).
Brezinski & Killalea Best Current Practice [Page 3]
RFC 3227 Evidence Collection and Archiving February 2002
- You should make a bit-level copy of the system's media. If you
wish to do forensics analysis you should make a bit-level copy
of your evidence copy for that purpose, as your analysis will
almost certainly alter file access times. Avoid doing
forensics on the evidence copy.
2.1 Order of Volatility
When collecting evidence you should proceed from the volatile to the
less volatile. Here is an example order of volatility for a typical
system.
- registers, cache
- routing table, arp cache, process table, kernel statistics,
memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the
system in question
- physical configuration, network topology
- archival media
2.2 Things to avoid
It's all too easy to destroy evidence, however inadvertently.
- Don't shutdown until you've completed evidence collection.
Much evidence may be lost and the attacker may have altered the
startup/shutdown scripts/services to destroy evidence.
- Don't trust the programs on the system. Run your evidence
gathering programs from appropriately protected media (see
below).
- Don't run programs that modify the access time of all files on
the system (e.g., 'tar' or 'xcopy').
Brezinski & Killalea Best Current Practice [Page 4]
RFC 3227 Evidence Collection and Archiving February 2002
- When removing external avenues for change note that simply
disconnecting or filtering from the network may trigger
"deadman switches" that detect when they're off the net and
wipe evidence.
2.3 Privacy Considerations
- Respect the privacy rules and guidelines of your company and
your legal jurisdiction. In particular, make sure no
information collected along with the evidence you are searching
for is available to anyone who would not normally have access
to this information. This includes access to log files (which
may reveal patterns of user behaviour) as well as personal data
files.
- Do not intrude on people's privacy without strong
justification. In particular, do not collect information from
areas you do not normally have reason to access (such as
personal file stores) unless you have sufficient indication
that there is a real incident.
- Make sure you have the backing of your company's established
procedures in taking the steps you do to collect evidence of an
incident.
2.4 Legal Considerations
Computer evidence needs to be
- Admissible: It must conform to certain legal rules before it
can be put before a court.
- Authentic: It must be possible to positively tie evidentiary
material to the incident.
- Complete: It must tell the whole story and not just a
particular perspective.
- Reliable: There must be nothing about how the evidence was
collected and subsequently handled that casts doubt about its
authenticity and veracity.
- Believable: It must be readily believable and understandable
by a court.
Brezinski & Killalea Best Current Practice [Page 5]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -