Should the event have information security implications, care must be taken to ensure that available evidence is preserved.
This requires leaving the computing device in the same state it was in when the event was observed. In particular, it means that, as a general rule:
Depending on specific circumstances, the ISM and IRT may decide that the danger from an ongoing incident is sufficient to risk the destruction of evidence. Options include, as appropriate:
- Capturing volatile memory before powering a device down
- Segmenting a device to block its access to other parts of the corporate network while leaving it connected to the Internet
[1] Modern malware often stores forensically valuable information only in volatile RAM. This information is lost when the computing device is powered down.
[2] Some malware continuously monitors for an Internet connection. If it detects that the Internet has become unavailable, it destroys all evidence of its activity.
Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.