draft-ietf-grip-prot-evidence-00.txt   draft-ietf-grip-prot-evidence-01.txt 
Internet Engineering Task Force Dominique Brezinski Internet Engineering Task Force Dominique Brezinski
INTERNET-DRAFT [...] INTERNET-DRAFT [...]
Valid for six months Tom Killalea Valid for six months Tom Killalea
neart.org neart.org
Guidelines for Evidence Collection and Archiving Guidelines for Evidence Collection and Archiving
<draft-ietf-grip-prot-evidence-00.txt> <draft-ietf-grip-prot-evidence-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet Drafts are working all provisions of Section 10 of RFC2026. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six Internet Drafts are draft documents valid for a maximum of six
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Table of Contents Table of Contents
1 Introduction 1 Introduction
1.1 Conventions Used in this Document 1.1 Conventions Used in this Document
2 Guiding Principles during Evidence Collection 2 Guiding Principles during Evidence Collection
2.1 Order of Volatility 2.1 Order of Volatility
2.2 Things to avoid 2.2 Things to avoid
3 The Collection Procedure 3 The Collection Procedure
3.1 Transparency
3.2 Collection Steps
4 The Archiving Procedure 4 The Archiving Procedure
4.1 Chain of Custody 4.1 Chain of Custody
4.2 The Archive 4.2 The Archive
5 Tools you'll need 5 Tools you'll need
6 Security Considerations 6 Security Considerations
7 Author's Address 7 Author's Address
skipping to change at page 2, line 30 skipping to change at page 2, line 32
1 Introduction 1 Introduction
The purpose of this document is to provide System Administrators with The purpose of this document is to provide System Administrators with
guidelines on the collection and archiving of evidence. It's not our guidelines on the collection and archiving of evidence. It's not our
intention to insist that all System Administrators rigidly follow intention to insist that all System Administrators rigidly follow
these guidelines every time they have a security incident. Rather, these guidelines every time they have a security incident. Rather,
we want to provide guidance on what they should do if they elect to we want to provide guidance on what they should do if they elect to
collect and protect information relating to an intrusion. collect and protect information relating to an intrusion.
Such collection represents a considerable effort on the part of the Such collection represents a considerable effort on the part of the
System Administrator. In addition, great progress has been made in System Administrator. Great progress has been made in recent years
recent years to speed up the re-installation of the Operating System to speed up the re-installation of the Operating System and to
and the reversion of a system to a 'trusted state', thus making the facilitate the reversion of a system to a 'known' state, thus making
provide easy ways of archiving evidence (the difficult option). the 'easy option' even more attractive. Meanwhile little has been
Further, increasing disk and memory capacities and the more done to provide easy ways of archiving evidence (the difficult
option). Further, increasing disk and memory capacities and the more
widespread use of stealth and cover-your-tracks tactics by attackers widespread use of stealth and cover-your-tracks tactics by attackers
have exacerbated the problem. have exacerbated the problem.
If evidence collection is done correctly, it is much more useful in If evidence collection is done correctly, it is much more useful in
apprehending the attacker, and stands a much greater chance of being apprehending the attacker, and stands a much greater chance of being
admissible in the event of a prosecution. admissible in the event of a prosecution.
You should use these guidelines as a basis for formulating your You should use these guidelines as a basis for formulating your
site's evidence collection procedures, and should incorporate your site's evidence collection procedures, and should incorporate your
site's procedures into your Incident Handling documentation. The site's procedures into your Incident Handling documentation. The
skipping to change at page 3, line 43 skipping to change at page 3, line 44
- When confronted with a choice between collection and analysis you - When confronted with a choice between collection and analysis you
should do collection first and analysis later. should do collection first and analysis later.
- Though it hardly needs stating, your procedures should be - Though it hardly needs stating, your procedures should be
implementable. If possible procedures should be automated for implementable. If possible procedures should be automated for
reasons of speed and accuracy. Be methodical. reasons of speed and accuracy. Be methodical.
- Speed will often be critical so your team should break up and - Speed will often be critical so your team should break up and
collect evidence from multiple systems (including network collect evidence from multiple systems (including network
devices) devices) in parallel. However on a single given system
in parallel. However on a single given system collection should collection should be done step by step, strictly according to
be done step by step, strictly according to your collection your collection procedure.
procedure.
- Proceed from the volatile to the less volatile (see the Order of - Proceed from the volatile to the less volatile (see the Order of
Volatility below). Volatility below).
- You should make a bit-level copy of the system's media. If you - You should make a bit-level copy of the system's media. If you
wish to do forensics analysis you should make a bit-level copy of wish to do forensics analysis you should make a bit-level copy of
your evidence copy for that purpose, as your analysis will almost your evidence copy for that purpose, as your analysis will almost
certainly alter file access times. Avoid doing forensics on the certainly alter file access times. Avoid doing forensics on the
evidence copy. evidence copy.
skipping to change at page 4, line 25 skipping to change at page 4, line 27
- Registers, cache - Registers, cache
- routing table, arp cache, process table, kernel statistics - routing table, arp cache, process table, kernel statistics
- Memory - Memory
- temporary file systems - temporary file systems
- Disk - Disk
- physical configuration, network topology
2.2 Things to avoid 2.2 Things to avoid
It's all too easy to destroy evidence, however inadvertently. It's all too easy to destroy evidence, however inadvertently.
- Don't shutdown until you've completed evidence collection. Much - Don't shutdown until you've completed evidence collection. Much
evidence may be lost and the attacker may have altered the evidence may be lost and the attacker may have altered the
startup scripts/services to destroy evidence. startup/shutdown scripts/services to destroy evidence.
- Don't trust the programs on the system. Run your evidence - Don't trust the programs on the system. Run your evidence
gathering gathering programs from your Forensics CD (see below) or similar
programs from your Forensics CD (see below) or similar read-only read-only media.
media.
- Don't run programs that modify the access time of all files on - Don't run programs that modify the access time of all files on
the system (e.g., 'tar' or 'xcopy'). the system (e.g., 'tar' or 'xcopy').
3 The Collection Procedure 3 The Collection Procedure
[more text needed here] Your collection procedures should be as detailed as possible. As is
the case with your overall Incident Handling procedures, they should
be unambiguous, and should minimise the amount of decision-making
needed during the collection process.
3.1 Transparency
The methods used to collect evidence should be transparent. You
should be prepared to disclose precisely the methods you used, and
have those methods tested by independent experts.
3.2 Collection Steps
- Where is the evidence ? List what systems were involved in the
incident and from which evidence will be collected.
- Establish what is likely to be relevant and admissable. When in
doubt err on the side of collecting too much rather than not
enough.
- For each system, obtain the relevant order of volatility.
- Remove external avenues for change.
- Following the order of volatility, collect the evidence with
tools as discussed in Section 5.
- Question what else may be evidence as you work through the
collection steps.
- Document each step.
Where feasible you should consider cryptographically signing the
collected evidence, as this may make it easier to preserve a strong
chain of evidence. In doing so you must not alter the evidence.
4 The Archiving Procedure 4 The Archiving Procedure
Evidence must be strictly secured. In addition, the Chain of Custody Evidence must be strictly secured. In addition, the Chain of Custody
needs to be clearly documented. needs to be clearly documented.
4.1 Chain of Custody 4.1 Chain of Custody
You should be able to clearly describe how the evidence was found,
how it was handled and everything that happened to it.
The following need to be documented The following need to be documented
- Where, when and by whom discovered. - Where, when and by whom was the evidence discovered.
- Where, when and by whom was the evidence handled or examined. - Where, when and by whom was the evidence handled or examined.
- Who had custody of the evidence, during what period. How was it - Who had custody of the evidence, during what period. How was it
stored. stored.
- When the evidence changed custody, when and how did the transfer - When the evidence changed custody, when and how did the transfer
occur (include shipping numbers, etc.) occur (include shipping numbers, etc.).
4.2 Where and how to Archive 4.2 Where and how to Archive
If possible commonly used media (rather than some obscure storage If possible commonly used media (rather than some obscure storage
media) should be used for archiving. media) should be used for archiving.
[more text needed here] Access to evidence should be extremely restricted, and should be
clearly documented. It should be possible to detect unauthorised
access.
5 Tools you'll need 5 Tools you'll need
You should have the programs you need to do evidence collection and You should have the programs you need to do evidence collection and
forensics on read-only media (e.g., CD). You should have prepared forensics on read-only media (e.g., CD). You should have prepared
such a CD for each of the Operating Systems that you manage in such a CD for each of the Operating Systems that you manage in
advance of having to use it. When your systems are in production you advance of having to use it. When your systems are in production you
might consider leaving a Forensics CD in the CD drive of each system, might consider leaving a Forensics CD in the CD drive of each system,
especially if your systems rarely need to use the CD drive after the especially if your systems rarely need to use the CD drive after the
installation process. installation process.
Your forensics CD should include Your forensics CD should include the following
- a program for examining processes (e.g., 'ps'). - a program for examining processes (e.g., 'ps').
- programs for examining system state (e.g., 'showrev', 'ifconfig', - programs for examining system state (e.g., 'showrev', 'ifconfig',
'netstat', 'arp'). 'netstat', 'arp').
- a program for doing bit-to-bit copies (e.g., 'dd'). - a program for doing bit-to-bit copies (e.g., 'dd').
- programs for generating core images and for examining them (e.g, - programs for generating core images and for examining them (e.g,
'gcore', 'gdb'). 'gcore', 'gdb').
- scripts to automate evidence collection (e.g., The Coroner's - scripts to automate evidence collection (e.g., The Coroner's
Toolkit [FAR1999]). Toolkit [FAR1999]).
The programs on the forensics CD should be statically linked, and
should not require the use of any libraries other than those on the
CD.
You should be prepared to testify to the authenticity and reliability You should be prepared to testify to the authenticity and reliability
of the tools that you use. of the tools that you use.
6 References 6 References
[FAR1999]
Farmer, D., and W Venema, "Computer Forensics Analysis Class
Handouts", http://www.fish.com/forensics/
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC2196] Fraser, B., "Site Security Handbook", RFC 2196, September [RFC2196] Fraser, B., "Site Security Handbook", RFC 2196, September
1997. 1997.
[RFC2350] Brownlee, N., and E. Guttman, "Expectations for Computer [RFC2350] Brownlee, N., and E. Guttman, "Expectations for Computer
Security Incident Response", RFC 2350, June 1998. Security Incident Response", RFC 2350, June 1998.
[FAR1999]
Farmer, D., and W Venema, "Computer Forensics Analysis Class
Handouts", http://www.fish.com/forensics/
7 Acknowledgements 7 Acknowledgements
We gratefully acknowledge the constructive comments received from We gratefully acknowledge the constructive comments received from
Barbara Y. Fraser and Floyd Short. Barbara Y. Fraser and Floyd Short.
6 Security Considerations 6 Security Considerations
This entire document discusses security issues. This entire document discusses security issues.
7 Authors' Addresses 7 Authors' Addresses
Dominique Brezinski Dominique Brezinski
P.O. Box 81226
Seattle, WA 98108-1226
USA USA
Phone: +1 206 266-6900
E-Mail: dbrez@reflexnet.net
Tom Killalea Tom Killalea
P.O. Box 81226 P.O. Box 81226
Seattle, WA 98108-1226 Seattle, WA 98108-1226
USA USA
Phone: +1 206 266-2196 Phone: +1 206 266-2196
E-Mail: tomk@neart.org E-Mail: tomk@neart.org
8 Full Copyright Statement 8 Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved. Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and or assist in its implmentation may be prepared, copied, published and
skipping to change at page 7, line 35 skipping to change at page 8, line 29
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
This document expires September 10, 2000. This document expires January 9, 2001.
 End of changes. 20 change blocks. 
28 lines changed or deleted 70 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/