Title: REMOTE COMPUTER FORENSIC EVIDENCE COLLECTION SYSTEM AND PROCESS
Abstract: The incident response team enters the relevant data into a CGI template, i.e. a script. The script then generates an appropriate kernel image for the client machine (10), along with a client folder on the evidence aggregation server where the data about the victim machine is stored. A partition on the evidence aggregation server is also created. The client is also provided orally with a one-time password. The client then connects to the signing authority web site with the one-time password and downloads the kernel boot image onto a storage medium, such as a floppy disk. The disk image is encrypted using an encryption application such as OpenPGP, and the encrypted image is sent to the client (12). The client inserts the floppy disk that contains the bootable image into the victim machine and reboots the machine from the floppy disk (14). Data are retrieved from the victim machine, streamed to the evidence aggregation server (18) via an SSL connection, stored at the evidence aggregation server (18) to a hard drive of the victim machine, and processed (16). A message digest is written across the secure connection to a disk on the secure server (24). Hashes are sent to a trusted party via SSL (26 and 28) and compared to the original hash from the compromised machine. Timestamps are also taken and written to the disk on the secure server (18). The disk on the secure server (18) is removed and a chain of custody is created (22). The evidence is stored in a secure location (20).
Publication number: WO2002071192(A2)   Publication date: 2002.09.12
Application number: US2002006622   Application date: 2002.03.05
Applicant / Inventor:
Classification / Main classification:
Agency / Agent:
Independent claim:
Address: