Using Computer Forensics When Investigating System Attacks
Source: Sun Microsystems
This paper explains how to conduct a computer forensic investigation of a system when an attack on it is suspected or has actually occurred. It discusses computer forensic analysis at different levels and provides information useful to a wide audience, including CIOs, DSOs, auditors, and system administrators. It helps organizations prepare systems for faster recovery and recommends ways of preserving evidence so that it may be usable in a prosecution. The paper also describes a range of options for responding to a computer attack, including the ramifications of each option, and provides recommendations for determining the best course of action given the specific circumstances of the attack.