ICS-CERT: Preserving Forensic Data

Friday, June 01, 2012

Infosec Island Admin


Cyber Intrusion Mitigation Strategies Part One: Preserving Forensic Data

ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.

It is not intended to be a detailed examination of all actions involved in incident response, but an attempt to provide high-level strategies that can improve overall visibility into a cyber intrusion and aid in recovery efforts should an incident occur.

This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.

The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.

The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.


Preserving forensic data is an essential aspect of any incident response plan. The forensic data acquired during the overall incident response process are critical to containing the current intrusion and improving security to defend against the next attack.

An organization’s network defenders should make note of the following recommendations for retention of essential forensic data:

• Keep detailed notes of all observations, including dates/times, mitigation steps taken/not taken, device logging enabled/disabled, and machine names for suspected compromised equipment. More information is generally better than less information.

• When possible, capture live system data (i.e., current network connections and open processes) prior to disconnecting a compromised machine from the network.

• Capture a forensic image of the system memory prior to powering down.

• When powering down a system, physically pull the plug from the wall rather than gracefully shutting down. Forensic data may be destroyed by the Operating System during the shutdown process.

• After shutting down, capture forensic images of any hard drives.

• Avoid running any antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines.

• Avoid making any changes to the operating system or hardware, including updates and patches, as they may overwrite important information relevant to an investigation. Organizations should consult with trained forensic investigators for advice and assistance prior to implementing any recovery or forensic efforts.
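The first two recommendations above (timestamped notes, and capturing live connections and processes before disconnecting), as an added example that is not part of the ICS-CERT guidance: a POSIX shell live-response script for a Linux/Unix host that collects volatile data in order of volatility and writes a manifest recording when each command ran, its exit code and a SHA-256 of its output. The tool choices (ss/netstat, ps, who, ip), file names and directory layout are my assumptions, not anything the document specifies.

```shell
#!/bin/sh
# Added example, not from the ICS-CERT guidance: capture volatile data from a
# Linux/Unix host before disconnecting it, recording when each command ran,
# its exit code and a sha256 of its output, so the notes the guidance asks
# for are produced as a side effect. Assumed tools: ss/netstat, ps, who, ip
# (missing tools are logged, not fatal). Point OUT at removable media.

hash_file() {  # sha256 of a file; coreutils, then the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# run_step NAME CMD [ARGS...]: save CMD's output to $OUT/NAME.txt and append
# "timestamp, step, exit code, hash, command" to the manifest.
run_step() {
    name=$1; shift
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT/$name.txt" 2>&1 || rc=$?
    else
        printf 'tool not available on this host: %s\n' "$1" >"$OUT/$name.txt"
        rc=127
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$ts" "$name" "$rc" \
        "$(hash_file "$OUT/$name.txt")" "$*" >>"$OUT/manifest.tsv"
}

# collect_volatile OUTDIR: most volatile items first (order of volatility);
# prints the manifest path.
collect_volatile() {
    OUT=$1
    mkdir -p "$OUT"
    printf 'timestamp_utc\tstep\texit\tsha256\tcommand\n' >"$OUT/manifest.tsv"
    run_step 00_clock       date -u
    run_step 01_hostname    hostname
    if command -v ss >/dev/null 2>&1; then
        run_step 10_connections ss -tanp        # sockets with owning PIDs
    else
        run_step 10_connections netstat -an
    fi
    run_step 11_processes   ps -eo pid,ppid,user,args
    run_step 12_users       who
    run_step 13_arp_cache   ip neigh
    run_step 14_routes      ip route
    run_step 15_mounts      mount
    # seal the manifest itself so later edits to the notes are detectable
    hash_file "$OUT/manifest.tsv" >"$OUT/manifest.sha256"
    echo "$OUT/manifest.tsv"
}
```

Run it from a shell on trusted media with the output directory on removable storage, so the collection itself does not write to the suspect disk; memory imaging (the next recommendation) still needs a dedicated tool and should happen before the plug is pulled.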

Control system environments have special needs that must be evaluated when establishing a cyber forensic plan. Organizations should review CSSP Recommended Practice: Creating Cyber Forensics Plans for Control Systems.

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01.pdf
