Computer Forensics Incident First Response: First, Do No Harm

Forensics has acquired a popular following, thanks to the multitude of TV shows in which crime scene technicians collect evidence, spend a few minutes in the lab establishing the guilt of the culprit, and wrap up the case by the end of the episode. In real life, forensics, like other complex subjects distilled for TV, is far more time-consuming, process-intensive, and sometimes inconclusive. Computer forensics is no different. Digital forensics is gaining popularity as the next must-have skill set in the IT job market, but computer forensics technicians and analysts require intensive, and usually expensive, training.

Since computer-related incidents are sometimes few and far between (the ones that are discovered, anyway), most companies don’t see an immediate return on investment in hiring someone devoted exclusively to that task. Only a few more see value in expensive training for the support technicians and system administrators already on staff, since those people may never need the skills. As a result, when an incident does happen and is actually discovered, the company may find that the “server guy” or another support technician is the one called on to perform the initial response. This article will not make you a forensics expert, but it covers a few critical points that can make or break an investigation and help ensure that key evidence is not contaminated or rendered unusable in administrative or legal actions, so that even without formal training or experience you can handle the critical first-response tasks.

Using Windows Safe Mode to Get Rid of Gunk-Ware

To me, Windows’ Safe Mode is one of the best inventions since sliced bread. I find that most “gunk-ware” (temp files, cache, and even some spyware and malware) can often be cleaned more easily when the computer is booted into this special diagnostic mode. Because Safe Mode loads only a minimal, prescribed set of drivers and services, you usually avoid the problem of trying to delete a file that is “in use” or running as a process (as a lot of malware does in normal mode).

Whenever I encounter a computer that is slow, sluggish, or in need of a good cleaning, the first thing I do is boot into the Safe Mode with Command Prompt option and start cleaning house. When you do this, log in as the local Administrator account or an equivalent, because some of the actions I’m going to describe require elevated privileges. Since it is difficult to delete files that belong to the profile you are currently logged in as, log in as a user that does not routinely use the machine (you don’t log in as the local Administrator for day-to-day work, right?!).

As a precautionary note, back up your system before executing any of the commands I’m going to discuss, of course. And never run a cleanup like this on a machine that may be the subject of an incident investigation: deleting temp files and caches destroys exactly the kind of evidence a first responder is supposed to preserve. Although you shouldn’t have any ill side effects from any of these methods, I do have to warn you that these are just some of the things I do to clean gunk; try them at your own risk, your mileage may vary, offer not good in all states and countries, and so forth. Having said that, let’s move on.

Once logged in, I change to the root of the system drive (usually C:\ on the average PC) and start there. First, I delete all of the .tmp files, which take up space and can hide malware. Run this command at the prompt:

C:\> del *.tmp /s /f

The /s switch recurses into all subdirectories, and the /f switch forces deletion of read-only files. Note that /f does not override a file that another process currently has open; that is exactly why we are in Safe Mode, where far fewer processes are running to hold files open.
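The same sweep, written as a script that logs every file before touching it and reports the ones that were still in use instead of silently skipping them. This is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later started from an elevated prompt (for instance by typing `powershell` in the Safe Mode with Command Prompt window), and the parameter names are this example’s own choices.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or later, started from an elevated (Administrator) prompt, e.g. by typing
# "powershell" at the Safe Mode with Command Prompt window. Parameter names
# are this example's own choices.
param(
    [string]$Root    = "$env:SystemDrive\",
    [string]$LogFile = "$env:SystemDrive\tmp-cleanup.log",
    [switch]$DryRun                  # list candidates, delete nothing
)

# Equivalent of "del *.tmp /s": recurse from $Root, include hidden files
# (-Force), files only (-File), and keep going past directories we cannot
# read instead of aborting the whole sweep.
$candidates = Get-ChildItem -Path $Root -Filter '*.tmp' -Recurse -Force -File `
                -ErrorAction SilentlyContinue

$deleted = 0
$locked  = 0
foreach ($f in $candidates) {
    # Record what we are about to touch: timestamp, size, last write, path.
    $entry = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $f.Length,
             $f.LastWriteTime.ToString('o'), $f.FullName
    Add-Content -Path $LogFile -Value $entry
    if ($DryRun) { continue }

    try {
        # -Force clears the read-only attribute, the same job as del's /f.
        # It does not break a handle held by a running process; that case
        # throws, is logged as LOCKED, and the sweep continues.
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $deleted++
    } catch {
        Add-Content -Path $LogFile -Value ("LOCKED`t{0}`t{1}" -f $f.FullName, $_.Exception.Message)
        $locked++
    }
}

Write-Host ("{0} candidates, {1} deleted, {2} still in use; log at {3}" -f
            $candidates.Count, $deleted, $locked, $LogFile)
```

Run it once with `-DryRun` first (`powershell -ExecutionPolicy Bypass -File .\clean-tmp.ps1 -DryRun`) and read the log; if the list contains anything other than junk, narrow `-Root` before running it for real. The LOCKED entries are the files worth a second look, since a .tmp file that something is still holding open in Safe Mode is unusual.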

Planning an ISA Server Deployment (Part 2)

Welcome back to the continuing series on ISA Server 2004! In this article, part two of “Planning an ISA Server 2004 Deployment”, we cover the server requirements for actually installing ISA Server 2004. We’ll talk about hardware requirements as well as some of the unique requirements we need to plan for when installing the software on both Windows 2000 and Windows Server 2003.

As we discussed in the last article, planning is vital in an ISA Server 2004 deployment, to avoid having to go back and correct what may become serious problems down the road, after the install has been declared a “success”. Before the CD is even inserted into the box that will become the ISA server, two considerations must be taken into account: the hardware and the operating system platform. We’ll cover both in this article.

First, let’s look at hardware. ISA Server 2004, like all Microsoft products, has a minimum set of hardware requirements, but the minimums are set only as the low-end boundary of what a computer must have to get ISA Server installed, not necessarily to run it well. We’ll list the minimum requirements, but understand that you should always, especially in a large production environment, provision considerably more hardware than the minimum if you want it to run right.

Microsoft lists the minimum hardware requirements for ISA Server 2004 as: a Pentium III or compatible CPU running at 550 MHz or faster, 256 MB of RAM, an NTFS-formatted local hard disk partition with at least 150 MB of free space, a network adapter for communication with the Internal network, and an additional network adapter for each other network the ISA Server will be connected to. If you are going to use the ISA server for content caching, you will need additional disk space for the cache. It should go without saying that a CD-ROM drive, keyboard, mouse, and VGA-compatible video adapter are also necessary to install the server.

Planning an ISA Server Deployment (Part 1)

In this two-part article in our continuing series on ISA Server 2004, we look at a very critical part of the process, the planning phase. Planning is one of the most important parts of an ISA Server deployment, but it is also the part that very few people put much time and energy into. Failing to plan the deployment properly leads to problems later that cost more in time and work to go back and correct. That’s why this phase is so important.

The first part of planning, which this article covers, is planning the network infrastructure that your ISA Server will be a part of and knowing exactly how it will fit into the architecture. This is critical because there are several considerations to look at before you actually bring the server online. The aspects of your infrastructure you will need to examine include: network infrastructure, organizational security policies, client requirements, branch office connections, VPN structure, server publishing, partner access, fault tolerance, and the actual roll-out itself. We’ll briefly look at each of these now:

Network Infrastructure: This involves having a comprehensive network diagram and configuration documentation that lays out exactly how the network is built. Critical parts of the infrastructure that may affect, and be affected by, the ISA Server rollout are DHCP, DNS, email services, the Active Directory structure, perimeter network configuration, web servers, and any other network services that must be reconfigured to coexist with an ISA Server. You should know what protocols your company network uses, and how