644 Chapter 11 • Operational and Organizational Security: Incident Response
9. Place circuit cards, disks, and the like in antistatic bags for transport. Keep
all equipment away from heat sources and magnetic fields.
EXAM WARNING
Remember that copies of data made for examination should be created
on forensically sterile media. If other data resides on the disk or CD
storing the image file (or copy of original data), it can be argued that
the evidence was compromised by this other data. When CDs that can
be rewritten (CD-RW) are used, it can be argued that the evidence was
preexisting data or that it was corrupted in some manner.
EXERCISE 11.02
VIEWING VOLATILE DATA IN MEMORY
You have received a complaint about a possible hacking attempt on
servers used by the company for file storage. These machines run
Windows NT Server and Windows 2000 Server OSes. When you arrive,
you find that these machines are still running. You want to document
any volatile information that resides in memory before proceeding with
further forensic procedures. Follow these steps to acquire the
volatile data:
1. Using a computer running Windows NT or Windows 2000, click
Start | Run. Type CMD at the Run command, and click OK.
2. When a window opens, you will see a command prompt. Type
NETSTAT and then press Enter. Document the current network
connections that are displayed, including the remote address and
state of each. This will show whether the hacker still has an open
connection to the machine.
3. Type IPCONFIG and then press Enter. Document any information
about the state of the network.
4. Type ARP -A to view the ARP cache. Document the IP-to-MAC
address mappings that are listed. The cache holds the addresses of
machines on the local network segment that have recently
communicated with the system, and may show the IP address of the
machine used by the hacker if it is on the same subnet. An attacker
connecting through a router will appear only under the router's
(default gateway's) entry, so do not expect a remote attacker's
address here.
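The four steps above are usually scripted rather than typed by hand, so that every command runs the same way on each server and the output lands on the examiner's own media instead of the suspect disk (the concern raised in the Exam Warning). The batch file below is an added example written for this exercise, not code from the book; it assumes the cmd.exe of Windows NT 4.0 or Windows 2000 and the built-in NETSTAT, IPCONFIG and ARP tools, and the drive letter and file name in the usage line are placeholders chosen by the analyst.

```batch
@echo off
rem Added example (not from the original exercise): capture the volatile
rem network state documented in Exercise 11.02 and write it, with
rem timestamps, to a log file on removable media supplied as %1, so that
rem nothing is written to the suspect system's own disk.
rem Assumes Windows NT 4.0 / 2000 cmd.exe with the built-in NETSTAT,
rem IPCONFIG and ARP tools.  Give a path without spaces on your own drive.
rem Usage:  volatile.bat E:\case001\SERVER01-volatile.txt   (E: is a placeholder)

if "%1"=="" goto usage
set LOGFILE=%1

echo ==== Volatile data collection ==== > %LOGFILE%
echo Host: %COMPUTERNAME%   Collected by: %USERNAME% >> %LOGFILE%
echo Started: >> %LOGFILE%
date /t >> %LOGFILE%
time /t >> %LOGFILE%

echo. >> %LOGFILE%
echo ==== Step 2: NETSTAT -AN (all connections and listening ports, numeric) ==== >> %LOGFILE%
netstat -an >> %LOGFILE%

echo. >> %LOGFILE%
echo ==== Step 3: IPCONFIG /ALL (interface configuration) ==== >> %LOGFILE%
ipconfig /all >> %LOGFILE%

echo. >> %LOGFILE%
echo ==== Step 4: ARP -A (IP-to-MAC cache, local segment only) ==== >> %LOGFILE%
arp -a >> %LOGFILE%

echo. >> %LOGFILE%
echo ==== Collection finished ==== >> %LOGFILE%
date /t >> %LOGFILE%
time /t >> %LOGFILE%

echo Volatile data written to %LOGFILE%
goto :EOF

:usage
echo Usage: %0 path-to-log-file-on-removable-media
```

Two choices in the script matter for evidence quality. The `-a` and `-n` switches (not used in the exercise text) list listening ports as well as established connections and keep the output numeric, which avoids the reverse-DNS lookups that plain NETSTAT performs and therefore avoids generating new traffic from the suspect host. The opening and closing `date`/`time` lines bracket the collection so the log can be tied to the timeline recorded in the investigator's notes. Because these are the suspect machine's own copies of the tools, an intruder who has replaced them could feed you false output; investigators normally run known-good copies from their own write-protected media, but the commands themselves are the same.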
www.syngress.com