Botnets - The killer web applications

www.syngress.com
Intelligence Resources • Chapter 11
409
your organization from wanting a police presence, but catching the botherder or hacker who attacked your network will prevent further attacks in the future.

Preserving evidence of the attack is essential to a successful investigation. Keeping the server up and running is a goal of IT staff, while keeping evidence intact is the goal of an investigation. Specialists in law enforcement may request that computers not be touched until they have been analyzed. To avoid modifying any of the contents of the drive, it may be necessary to remove the drives of any systems that were affected by the attack, which may contain the bot or other related files (such as pirated software, movies, or other items stored on the drive). As mentioned previously, the hard drive may be required as evidence if law enforcement is contacted. Once the hard drive is removed, replace it with a clean version of the drive that doesn't contain the bot. This may involve restoring information to the drive from a backup, or making a copy of the existing drive, removing the bot, and restoring any items it may have altered (such as registry entries). If your organization is the victim of a DoS attack, such actions would be overkill, as you would only need to gather log files, router statistics, and other samples of the network traffic during the attack. In any situation, however, it is vital that you provide law enforcement with as much access as they require, even if it is supervised by a member of your IT staff. If there is information that will require warrants or a subpoena to release, you should try to identify it early, so the investigators can obtain them early.
It is also important to remember that the first officers to respond to an incident may not necessarily be the ones performing an investigation. When a call is made to police, an officer is sent to respond to the incident. If the incident requires special investigation skills, other units specializing in these areas will be called. Most police departments in North America have a Technology Crime Unit or a partnership with larger law enforcement organizations to perform computer forensic investigations. In some cases, local police may refer the case to federal law enforcement if it involves computers or suspects in other states, provinces, or countries.