RFC 3227
BCP: 55 T. Killalea
February 2002
Copyright Notice
Abstract
incident.
Table of Contents
1 Introduction.................................................... 2
3.1 Transparency................................................ 6
6 References...................................................... 8
7 Acknowledgements................................................ 8
https://www.ietf.org/rfc/rfc3227.txt 1/9
8/3/22, 08:48 https://www.ietf.org/rfc/rfc3227.txt
8 Security Considerations......................................... 8
9 Authors' Addresses.............................................. 9
1 Introduction
the 'easy option' even more attractive. Meanwhile little has been
option). Further, increasing disk and memory capacities and the more
The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
- Note the difference between the system clock and UTC. For each
vital.
by step.
- Proceed from the volatile to the less volatile (see the Order
of Volatility below).
When collecting evidence you should proceed from the volatile to the
system.
- registers, cache
memory
- disk
system in question
- archival media
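The two collection rules above, "note the difference between the system clock and UTC" and "proceed from the volatile to the less volatile", can be enforced by the script that drives the collection. The following is an added example, not part of RFC 3227: it ranks sources by the RFC's order of volatility, refuses to log a source that should already have been taken, and records each step with the host's clock reading next to the corrected UTC time. The reference time is assumed to come from a source the analyst trusts (for instance an NTP query from a separate workstation); the readings used below are constructed values, not measurements.

```python
"""Volatility-ordered collection log with system-clock correction
(added example, not part of RFC 3227).

Two of the RFC's points are encoded here: collect the most volatile
sources first, and record the offset between the subject host's clock
and UTC so that every timestamp taken from that host can be corrected.
The reference time is assumed to come from a source the analyst trusts
(e.g. an NTP query from a separate workstation); the readings used
below are constructed values, not real measurements.
"""
from datetime import datetime, timedelta

# Order of volatility, most volatile first (RFC 3227, section 2.1).
ORDER_OF_VOLATILITY = (
    "registers, cache",
    "routing table, arp cache, process table, kernel statistics, memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration, network topology",
    "archival media",
)

# Individual source -> rank (0 = most volatile).
VOLATILITY = {
    item: rank
    for rank, group in enumerate(ORDER_OF_VOLATILITY)
    for item in group.split(", ")
}


def volatility_rank(source: str) -> int:
    try:
        return VOLATILITY[source]
    except KeyError:
        raise ValueError(f"unknown evidence source: {source!r}") from None


def plan_collection(sources):
    """Requested sources sorted most-volatile-first (stable within a rank)."""
    return sorted(sources, key=volatility_rank)


def clock_offset(host_clock: str, reference_utc: str) -> timedelta:
    """How far the subject host's clock runs ahead of (positive) or behind
    (negative) true UTC.  Both readings are ISO-8601 strings taken at the
    same moment, the host reading exactly as the host reports it."""
    return datetime.fromisoformat(host_clock) - datetime.fromisoformat(reference_utc)


def to_true_utc(host_timestamp: str, offset: timedelta) -> str:
    """Correct a timestamp (log line, file mtime, ...) produced by the
    skewed host clock."""
    return (datetime.fromisoformat(host_timestamp) - offset).isoformat()


class CollectionLog:
    """Step-by-step record of what was collected, by whom, in what order
    and when (host clock and corrected UTC side by side)."""

    def __init__(self, collector: str, host_clock: str, reference_utc: str):
        self.collector = collector
        self.offset = clock_offset(host_clock, reference_utc)
        self.entries = []

    def offset_seconds(self) -> float:
        return self.offset.total_seconds()

    def in_order(self, source: str) -> bool:
        """False if `source` is more volatile than the last thing collected,
        i.e. it should already have been taken."""
        return not self.entries or volatility_rank(source) >= self.entries[-1]["rank"]

    def record(self, source: str, host_clock_now: str, note: str = "") -> dict:
        if not self.in_order(source):
            raise ValueError(f"{source!r} should have been collected before "
                             f"{self.entries[-1]['source']!r}")
        entry = {
            "step": len(self.entries) + 1,
            "source": source,
            "rank": volatility_rank(source),
            "host_clock": host_clock_now,
            "true_utc": to_true_utc(host_clock_now, self.offset),
            "collector": self.collector,
            "note": note,
        }
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    # Constructed readings: the host clock says 12:03:30 when true UTC is 12:00:00.
    log = CollectionLog("analyst on call", "2002-02-01T12:03:30+00:00",
                        "2002-02-01T12:00:00+00:00")
    for src in plan_collection(["disk", "memory", "process table", "archival media"]):
        print(log.record(src, "2002-02-01T12:05:00+00:00", "dumped to external media"))
```

The offset is measured once, at the start, and applied to every host-derived timestamp afterwards; if the host clock is also drifting, take a second reading at the end of the collection and record both.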
Much evidence may be lost and the attacker may have altered the
below).
- Don't run programs that modify the access time of all files on
"deadman switches" that detect when they're off the net and
wipe evidence.
files.
incident.
- Admissible: It must conform to certain legal rules before it
particular perspective.
by a court.
the case with your overall Incident Handling procedures, they should
3.1 Transparency
experts.
in doubt err on the side of collecting too much rather than not
enough.
collection steps.
- Don't forget the people involved. Make notes of who was there
and what they were doing, what they observed and how they
reacted.
You should be able to clearly describe how the evidence was found,
collected.
- Who had custody of the evidence, during what period. How was
it stored.
- When the evidence changed custody, when and how did the
access.
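The custody questions listed above (who held the item, over what period, how it was stored, and when and how it changed hands) are the fields of a chain-of-custody record. The following is an added example, not part of RFC 3227: one record per evidence item, with the hash taken at seizure never updated, and every hand-over re-hashing the item so that an alteration is caught at the moment of transfer rather than later. Custodian names, times and the evidence bytes are constructed for the demonstration.

```python
"""Chain-of-custody record for one evidence item (added example, not
part of RFC 3227).

Each custody period names the custodian, the interval and where the
item was stored; each hand-over re-hashes the item so that a change
made while in someone's custody is caught at the moment of transfer.
The hash taken at seizure is never updated.  Custodians, times and the
evidence bytes below are constructed for the demonstration.
"""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    def __init__(self, evidence_id: str, description: str, data: bytes,
                 custodian: str, seized_at: str, storage: str):
        self.evidence_id = evidence_id
        self.description = description
        self.sha256 = sha256_hex(data)          # fixed at seizure
        self.periods = [{"custodian": custodian, "from": seized_at,
                         "to": None, "storage": storage}]
        self.transfers = []                     # every attempt, accepted or not

    def current_custodian(self) -> str:
        return self.periods[-1]["custodian"]

    def verify(self, data: bytes) -> bool:
        return sha256_hex(data) == self.sha256

    def transfer(self, data: bytes, to: str, when: str, method: str,
                 storage: str, witness: str = "") -> dict:
        """Hand the item to a new custodian.  The attempt is logged whether
        or not it succeeds; a hash mismatch rejects the transfer and leaves
        custody unchanged."""
        last = self.periods[-1]
        if datetime.fromisoformat(when) <= datetime.fromisoformat(last["from"]):
            raise ValueError("transfer time precedes start of current custody")
        hash_ok = self.verify(data)
        rec = {"from": last["custodian"], "to": to, "when": when,
               "method": method, "witness": witness,
               "sha256_at_transfer": sha256_hex(data), "hash_ok": hash_ok}
        self.transfers.append(rec)
        if not hash_ok:
            raise ValueError(f"{self.evidence_id}: hash mismatch at transfer to "
                             f"{to}; item changed since seizure while held by "
                             f"{last['custodian']}")
        last["to"] = when
        self.periods.append({"custodian": to, "from": when, "to": None,
                             "storage": storage})
        return rec

    def report(self) -> str:
        """Human-readable custody history, the form that goes in the case file."""
        lines = [f"{self.evidence_id}: {self.description}",
                 f"  sha256 at seizure: {self.sha256}"]
        for p in self.periods:
            lines.append(f"  {p['custodian']}: {p['from']} -> "
                         f"{p['to'] or 'present'} ({p['storage']})")
        for t in self.transfers:
            status = "ok" if t["hash_ok"] else "REJECTED"
            lines.append(f"  transfer {t['from']} -> {t['to']} at {t['when']} "
                         f"by {t['method']}: {status}")
        return "\n".join(lines)


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"
    coc = ChainOfCustody("EV-2002-001", "image of /dev/sda from host X", image,
                         "first responder", "2002-02-01T12:10:00+00:00",
                         "sealed bag, evidence safe 1")
    coc.transfer(image, "lab analyst", "2002-02-01T15:00:00+00:00",
                 "hand delivered", "lab locker 7", witness="duty manager")
    print(coc.report())
```

A rejected transfer stays in the log on purpose: the failed hand-over is itself part of the history a court will ask about, and the last good custodian remains on record.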
You should have the programs you need to do evidence collection and
such a set of tools for each of the Operating Systems that you manage
Toolkit [FAR1999]).
should not require the use of any libraries other than those on the
through loadable kernel modules, you should consider that your tools
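A practical pre-flight check for a toolkit binary follows, as an added example that is not part of RFC 3227. It verifies two things before a tool is run on the suspect host: that the binary still matches the hash recorded when the kit was built, and that it carries no PT_INTERP program header, i.e. it does not hand control to the host's dynamic loader and whatever shared libraries the intruder may have replaced. Only the ELF64 header and program-header table are parsed. The sample images are constructed in memory and are not runnable executables; in use, the bytes would be read from the kit's read-only media.

```python
"""Pre-flight check for a response-toolkit binary (added example, not
part of RFC 3227).

Before a tool from the response kit is run on a possibly compromised
host, confirm that (1) it still matches the SHA-256 recorded when the
kit was built and (2) it carries no PT_INTERP program header, i.e. it
does not hand control to the host's dynamic loader and shared
libraries, which an intruder may have replaced.  Only the ELF64 header
and program-header table are parsed.  The sample images below are
constructed in memory for the demonstration; they are not runnable
executables.
"""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
PT_INTERP = 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def program_header_types(data: bytes) -> list:
    """p_type of every program header in an ELF64 little-endian image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phentsize < PHDR.size or phoff + phnum * phentsize > len(data):
        raise ValueError("program-header table lies outside the image")
    return [PHDR.unpack_from(data, phoff + i * phentsize)[0] for i in range(phnum)]


def needs_host_loader(data: bytes) -> bool:
    """True when the binary names an interpreter (PT_INTERP): the host's
    ld.so and its shared libraries will run before the tool itself."""
    return PT_INTERP in program_header_types(data)


def toolkit_check(data: bytes, expected_sha256: str) -> dict:
    """Go/no-go verdict combining the recorded-hash and linkage checks."""
    digest = sha256_hex(data)
    interp = needs_host_loader(data)
    return {
        "sha256": digest,
        "hash_ok": digest == expected_sha256,
        "needs_host_loader": interp,
        "safe_to_run": digest == expected_sha256 and not interp,
    }


def make_elf(p_types) -> bytes:
    """Constructed minimal ELF64 image whose program headers have the
    given types.  Enough for the header checks above, nothing more."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # 64-bit, LE, v1, SysV ABI
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(p_types), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, 4, 0, 0, 0, 0, 0, 1) for t in p_types)
    return ehdr + phdrs


# Constructed samples: a statically linked tool (PT_LOAD only) and a
# dynamically linked one (PT_INTERP + PT_LOAD + PT_DYNAMIC).
STATIC_SAMPLE = make_elf([1, 1])
DYNAMIC_SAMPLE = make_elf([3, 1, 2])
RECORDED_HASH = sha256_hex(STATIC_SAMPLE)   # what the kit's manifest would carry

if __name__ == "__main__":
    for name, image in (("static", STATIC_SAMPLE), ("dynamic", DYNAMIC_SAMPLE)):
        print(name, toolkit_check(image, RECORDED_HASH))
```

This check only protects against a subverted userland. A tool that passes it still asks the running kernel for process lists, sockets and file contents, so if the kernel itself has been modified, for example through a loadable kernel module, a statically linked tool on read-only media can be lied to just as easily as a dynamic one.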
6 References
September 1997.
7 Acknowledgements
8 Security Considerations
9 Authors' Addresses
Dominique Brezinski
In-Q-Tel
Arlington, VA 22209
USA
EMail: [email protected]
Tom Killalea
Lisi/n na Bro/n
Co. Mhaigh Eo
IRELAND
EMail: [email protected]
kind, provided that the above copyright notice and this paragraph are
English.
The limited permissions granted above are perpetual and will not be
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Acknowledgement
Internet Society.