Advice on what to do if you have been hacked

November 22nd, 2011

For serious breaches you should always seek guidance from law enforcement and computer professionals and perhaps your legal counsel on what your next moves should be.   When CSI is asked to assist in these incidents, we are concerned about shutting down the breach and understanding who the bad guys are so the authorities can apprehend them.  I had one case where the organization's technical staff first cleaned the infection that caused the breach.  This stopped the breach, but it left an unclear picture of exactly what was done to them and thus made it harder, but not impossible, to see if the same thing had happened on other computers. 

I once spoke to an "ethical hacker" who was a computer forensics consultant to the US Secret Service. He advised that, for a hacked workstation, crashing the computer is a "good" idea. The rationale is that Microsoft Windows can be set to delete various temporary files and caches on logout, shutdown, or reboot. Simply pulling the power plug prevents those processes from occurring. Once the computer is shut down improperly, the recommendation would then be to immediately create a backup image of that computer in its present state using a program such as Symantec Ghost, without ever booting to the operating system again. By doing those steps we have preserved a perfect copy of the infected computer. That copy can be imaged to computers in a secure setting, or examined off-line to see what there is to see without compromising the original computer. More than likely the police or federal authorities are going to take the infected computer(s) for inspection by their crime labs. The authorities will have your computers for a long time before they release them back to you. Imaging also gives you independent access to your critical business data that may be on the computer that is in police custody.

The Wall Street Journal has a good summary of what to do if you are hacked - (

Over the last three decades CSI has been asked to participate in a number of investigations.  We have also assisted our clients in working with local and federal law enforcement agencies.  If you find yourself in this unfortunate situation, we may be able to help you, or at least help you figure out what your next step is.  Contact us for assistance.
