Don't panic!
Plan ahead: have response plans designed and rehearsed.
Start a diary and/or script file as soon as you discover or suspect a
break-in. Note and timestamp everything you discover and do. Sign
these notes.
Run hardcopies of files showing changes and tracing activity. Initial
and time-stamp these copies.
Prepare a forensic toolkit with trusted software on a bootable CD-ROM.
Run machine status-checking programs regularly to watch for unusual
activity: ps, w, vmstat, etc.
If a break-in occurs, consider making a dump of the system to backup
media before correcting anything.
If the break-in occurs over the network, contact the
attacker's ISP by phone.
Carefully examine the system after a break-in. See the chapter for
specifics—there is too much detail to list here. In particular,
be certain that you restore the system to a known, good state.
Carefully check backups and logs to determine if this is a single
occurrence or is related to a set of incidents.
Trust nothing but hardcopy.
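As an added illustration of the diary and status-checking items above (an example script, not from the book): each call appends a timestamped entry of ps, w and vmstat output and records its hash, so a printed or initialled copy can later be checked against the file. The snapshot/verify function names and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: timestamped incident "diary" of machine status (ps, w, vmstat)
# with a hash per entry so later tampering of the on-disk copy is detectable.
# Function names and file layout are assumptions, not from the book.

# Portable hash helper: prefers sha256sum, falls back to shasum, then cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR: write one dated status entry into DIR and record its hash in DIR/hashes.
# Prints the path of the new entry.
snapshot() {
    dir="$1"; mkdir -p "$dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    entry="$dir/status-$stamp.txt"
    {
        echo "== status snapshot $stamp on $(uname -n) by $(id -un) =="
        # The status-checking programs named in the checklist; skip any not installed.
        for cmd in "ps -ef" "w" "vmstat"; do
            name=${cmd%% *}
            if command -v "$name" >/dev/null 2>&1; then
                echo "--- $cmd ---"; $cmd 2>&1 || echo "($name exited with status $?)"
            else
                echo "--- $cmd: not available on this host ---"
            fi
        done
    } > "$entry"
    # One "hash  filename" line per entry; this is what you print and initial.
    echo "$(hash_file "$entry")  $(basename "$entry")" >> "$dir/hashes"
    echo "$entry"
}

# verify DIR: re-hash every recorded entry; returns non-zero if any differs
# from the value recorded at the time it was written.
verify() {
    dir="$1"; rc=0
    while read -r sum name; do
        actual=$(hash_file "$dir/$name")
        if [ "$actual" = "$sum" ]; then echo "OK   $name"; else echo "FAIL $name"; rc=1; fi
    done < "$dir/hashes"
    return $rc
}
```

Run snapshot from cron (or by hand while you work), and keep the hashes file on read-only or printed media so a verify failure means the entry changed rather than the record.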