RFC 3227 (rfc3227) - Page 2 of 10

Guidelines for Evidence Collection and Archiving

Alternative Format: Original Text Document
< Previous
Next >
RFC 3227           Evidence Collection and Archiving       February 2002


   6 References...................................................... 8
   7 Acknowledgements................................................ 8
   8 Security Considerations......................................... 8
   9 Authors' Addresses.............................................. 9
   10 Full Copyright Statement.......................................10

1 Introduction

   A "security incident" as defined in [RFC 2828] is a security-relevant
   system event in which the system's security policy is disobeyed or
   otherwise breached.  The purpose of this document is to provide
   System Administrators with guidelines on the collection and archiving
   of evidence relevant to such a security incident.  It's not our
   intention to insist that all System Administrators rigidly follow
   these guidelines every time they have a security incident.  Rather,
   we want to provide guidance on what they should do if they elect to
   collect and protect information relating to an intrusion.

   Such collection represents a considerable effort on the part of the
   System Administrator.  Great progress has been made in recent years
   to speed up the re-installation of the Operating System and to
   facilitate the reversion of a system to a 'known' state, thus making
   the 'easy option' even more attractive.  Meanwhile little has been
   done to provide easy ways of archiving evidence (the difficult
   option).  Further, increasing disk and memory capacities and the more
   widespread use of stealth and cover-your-tracks tactics by attackers
   have exacerbated the problem.

   If evidence collection is done correctly, it is much more useful in
   apprehending the attacker, and stands a much greater chance of being
   admissible in the event of a prosecution.

   You should use these guidelines as a basis for formulating your
   site's evidence collection procedures, and should incorporate your
   site's procedures into your Incident Handling documentation.  The
   guidelines in this document may not be appropriate under all
   jurisdictions.  Once you've formulated your site's evidence
   collection procedures, you should have law enforcement for your
   jurisdiction confirm that they're adequate.

1.1 Conventions Used in this Document

   The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
   and "MAY" in this document are to be interpreted as described in "Key
   words for use in RFCs to Indicate Requirement Levels" [RFC 2119].






Brezinski & Killalea     Best Current Practice
< Previous
Next >