Policy for Gathering Evidence

• Document all details regarding an incident

• Vary monitoring techniques and times

• Establish post-incident operating procedures for

  • system administrators
  • operators
  • users
  • decide how to handle compromised system(s)

• Record details via logs

  • system events
  • time stamped actions taken by the attacker and yourself
  • phone conversations - date,time, person, subject

Previous slide

Next slide

Back to first slide

View graphic version