With the development of information technology, more and more people work on computers, send e-mail and build their own personal websites; companies set up corporate sites, governments have moved to online services to serve the public better, and banks and securities firms have begun to use the Internet for financial and stock transactions. Together with this convenience, however, have come new computer and network security risks. With the involvement of the judicial organs, I believe that in the near future network-attack investigation and evidence collection will become a new discipline that legislators will have to consider establishing; at present such a course is already openly offered in many cyber-police and other special institutions. Here I describe, from my own experience, an evidence-collection process that I personally took part in and completed, narrated from the facts.
I have been engaged in virus analysis and network-attack response work. This time, at a good friend's invitation, I helped assist in the investigation of several servers. We arrived at a certain XXX station and first carried out a routine inspection. After about one day of inspection, using some special-purpose equipment together with reconnaissance and evidence-collection tools that were developed independently as well as software provided by third parties, we found 10 problem hosts (servers) in all, 2 of which were quite serious (referred to below as server A and server B). My friend and I decided to bring them back to our laboratory for a special, in-depth analysis.
Routine inspection procedure:
Server operating system version information -> operating system patch installation status -> operating system installation time and whether software was installed in between -> server maintenance status -> version information of the software installed on the server
Log inspection: IDS log information / IIS log information / system log information
Website code audit: whether there are one-line web shells ("one-word trojans"), and whether malicious code has been inserted into the source code
Anti-virus software version update status: whether it is the latest version, whether the configuration is reasonable, and whether all necessary monitoring is turned on
Data recovery: use proprietary data-recovery software to recover data, restoring some of the deleted log information and system messages as well as records of installations and file operations.
Extract suspicious files (viruses, trojans, backdoors, malicious advertising plug-ins): using third-party or self-developed software, extract the suspicious files from the system directories and carry out an in-depth analysis.
The above steps are my own summary; if there is anything improper, I ask friends to point out the mistakes. Having introduced the theory, we now put it into practice on the handling of these two servers.
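As an added illustration of the log-inspection and code-audit steps in the checklist above (example code written for this page, not a tool from the original article), the following Python script parses IIS W3C log lines, flags injection-like query strings and POSTs to scripts under an upload directory, counts them per client IP, and then scans web-root files for one-line webshell signatures and hashes whatever it flags. The log excerpt, file contents, client addresses and signature patterns are all constructed for the example; a real triage would read the recovered logs and files from the seized disks.

```python
import hashlib
import re
from collections import Counter

# Constructed IIS W3C-format log excerpt (not taken from the servers in the article).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 10:00:01 10.0.0.5 GET /index.asp - 200
2009-03-01 10:00:07 10.0.0.5 GET /news.asp id=1 200
2009-03-01 10:02:15 203.0.113.9 GET /news.asp id=1'+union+select+1,2,3-- 500
2009-03-01 10:02:30 203.0.113.9 POST /upload/x.asp - 200
2009-03-01 10:02:31 203.0.113.9 POST /upload/x.asp - 200
2009-03-01 10:05:00 10.0.0.8 GET /about.asp - 200
"""

# Constructed stand-ins for files pulled from the web root (path -> content).
WEB_FILES = {
    "index.asp": '<% Response.Write("hello") %>',
    "upload/x.asp": '<%eval request("pass")%>',
    "inc/conn.php": "<?php $c = mysql_connect('localhost'); ?>",
    "img/a.php": "<?php @eval($_POST['cmd']); ?>",
}


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


# Heuristic injection markers; a lone quote is noisy but cheap to review by hand.
SQLI_RE = re.compile(r"(union\s+select|'|--|xp_cmdshell)", re.I)


def suspicious_requests(text):
    """Return log rows with injection-like queries or POSTs to scripts under /upload/."""
    hits = []
    for row in parse_iis(text):
        query = row["cs-uri-query"].replace("+", " ")  # IIS keeps '+' for spaces
        stem = row["cs-uri-stem"].lower()
        if SQLI_RE.search(query):
            hits.append(row)
        elif row["cs-method"] == "POST" and "/upload/" in stem and stem.endswith(".asp"):
            hits.append(row)
    return hits


def offenders(text):
    """Count suspicious requests per client IP, most active first."""
    return Counter(row["c-ip"] for row in suspicious_requests(text)).most_common()


# Signatures of the "one-line" ASP/PHP shells the code-audit step looks for.
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(?\s*request\s*\(", re.I),              # ASP: eval request("x")
    re.compile(r"@?eval\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I),    # PHP: eval($_POST[...])
    re.compile(r"(system|exec|shell_exec|passthru)\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I),
]


def audit_web_files(files):
    """Return {path: sha256} for files whose content matches a webshell signature."""
    flagged = {}
    for path, content in files.items():
        if any(p.search(content) for p in SHELL_PATTERNS):
            flagged[path] = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return flagged


if __name__ == "__main__":
    for ip, n in offenders(IIS_LOG):
        print(f"{ip}: {n} suspicious requests")
    for path, digest in audit_web_files(WEB_FILES).items():
        print(f"webshell signature in {path} sha256={digest}")
```

The hashes recorded by audit_web_files are what you would carry forward into the extraction step: they let the files pulled for deep analysis be tied back to the exact content found on the server, and the per-IP counts from the log step give a first lead on which client activity to line up against the IDS and system logs.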