Live Response August 13, 2006

What is a Live Response? A Live Response is a term often used in Disaster Recovery Planning. It applies to systems that have been compromised but cannot be powered off, either because no backups exist or because of the critical function they serve in a company.

The steps used in a Live Response are often also used by people involved in Computer Forensics. This is because data gathered from a Live Response can also be used as evidence in criminal investigations, provided the Live Response is done properly.

As a systems administrator it may be your job to perform a Live Response on a system. Often the duty is outsourced to a company that specializes in systems / network security.

Because the system in question has been compromised, it goes without saying that the system cannot be trusted. Therefore you need what we call a Live Response Toolkit for the system in question.

So what is a Live Response Toolkit? It is a Disc that holds trusted tools we can use to gather data about the system in question. Often this Disc is used in conjunction with a trusted system, so that information collected from the compromised system can be passed to the trusted system.

By now you may be asking yourself where someone can acquire a Live Response Toolkit. A Live Response Toolkit is a Disc that is usually created from a trusted system, because it contains trusted system tools as well as trusted third-party utilities used for network / system administration and analysis.

The exact tools that would be on this Live Response Toolkit Disc depend largely on the Operating System being used on the compromised system. Just like I hope you would not bring a knife to a gun fight, you should not try to use Windows tools on a Unix box or vice versa. The best tools for the job are usually made to fit the environment for which they were created, even though there are exceptions to this rule.
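As an added illustration of how such a toolkit is used on a Unix box (example code written for this page, not part of the original post), the script below collects volatile data using only binaries from the mounted toolkit disc and hashes each result the moment it is written. The mount layout (tools under `<mount>/bin`, including `sha256sum`), the step list and the output file names are assumptions.

```shell
#!/bin/sh
# Volatile-data collection using ONLY binaries from a trusted toolkit disc.
# Hypothetical layout assumed here: the disc is mounted read-only and carries
# statically linked tools under <mount>/bin, including sha256sum.
# Run it with the toolkit's own shell, e.g.
#   /mnt/lrt/bin/sh collect.sh /mnt/lrt /mnt/usb/case01
# so that even the interpreter is not the suspect system's copy.

# lr_run NAME TOOL [ARGS...]: run TOOL from the toolkit, save its output as
# NAME.txt and record it in the manifest. Never falls back to the suspect PATH.
lr_run() {
    name=$1; tool=$2; shift 2
    if [ ! -x "$LR_TOOLKIT/bin/$tool" ]; then
        printf '%s MISSING %s\n' "$name" "$tool" >> "$LR_OUT/manifest.txt"
        return 1
    fi
    # PATH is set for the child only and points at the toolkit alone.
    PATH="$LR_TOOLKIT/bin" "$LR_TOOLKIT/bin/$tool" "$@" > "$LR_OUT/$name.txt" 2>&1
    rc=$?
    # Hash each output as soon as it exists (lines are sha256sum -c compatible).
    ( cd "$LR_OUT" && "$LR_TOOLKIT/bin/sha256sum" "$name.txt" >> hashes.sha256 )
    printf '%s exit=%s %s %s\n' "$name" "$rc" "$tool" "$*" >> "$LR_OUT/manifest.txt"
}

# lr_collect TOOLKIT_MOUNT OUT_DIR: run the steps in rough order of volatility.
# OUT_DIR must already exist on trusted media. Prints the number of steps
# skipped because the toolkit did not carry the required tool.
lr_collect() {
    LR_TOOLKIT=$1; LR_OUT=$2; missing=0
    [ -d "$LR_OUT" ] || { echo "output dir missing: $LR_OUT" >&2; return 2; }
    [ -x "$LR_TOOLKIT/bin/sha256sum" ] || { echo "toolkit lacks sha256sum" >&2; return 2; }
    : > "$LR_OUT/manifest.txt"; : > "$LR_OUT/hashes.sha256"
    for step in \
        "01_date date" "02_kernel uname -a" "03_uptime uptime" "04_logins who" \
        "05_procs ps -ef" "06_sockets netstat -an" "07_routes netstat -rn" \
        "08_arp arp -an" "09_mounts mount" "10_modules lsmod" "11_date_end date"
    do
        # Word splitting of $step is intentional (tool name plus its arguments).
        lr_run $step || missing=$((missing + 1))
    done
    echo "$missing"
}
```

A step whose tool is absent from the Disc is logged as MISSING rather than silently run from the suspect system, which is the whole point of carrying your own tools.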

So what kind of information do we hope to gather from our Live Response? Hopefully the information gathered from a Live Response can answer, or at least help answer, the following basic questions.

Apart from the information listed above, a Live Response may allow us to salvage data from the compromised system via methods such as disc imaging. Lastly, a Live Response is often the first step taken in any forensic investigation.


