What Did the First Responders Really Do?
A common occurrence that many consultants experience is a discrepancy between what first responders "claim" they did and what the analyst actually sees happened upon examination. More often than not, the consultant is told that the first responders took the system offline but did nothing else.
Consultants often find that, contrary to what is being said, various other actions have actually taken place, such as deleting files, running anti-virus and spyware tools, and even attempting to restore files from backup.
Once the approximate timeline of the incident is determined, it can be seen that an administrator logged in and installed, deleted and/or removed things, only to turn around and deny doing so. Now all of the file access times on the system have been modified. A solution to this common occurrence is education and training, starting with senior management. They are the ones who must make the protection of company data a priority in the event of a data disaster.
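The timeline check described above, as an added example that is not part of the original post: it reads constructed filesystem timestamps in Sleuth Kit "body" (mactime) format and lists every timestamp that falls after the moment the responders say the host was isolated, grouped by path, so the analyst has concrete paths and times to put to the first responders. All file names, timestamps and the claimed containment time are made up for the example.

```python
from datetime import datetime, timezone

# Constructed body-file lines (Sleuth Kit mactime format, epoch seconds):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# Responders claim the host was taken offline at 2024-03-01 10:00:00 UTC.
SAMPLE_BODY = """\
0|/var/log/auth.log|1201|r/rrw-r-----|0|4|90112|1709287500|1709287500|1709287500|1700000000
0|/opt/avscan/bin/scan|3310|r/rrwxr-xr-x|0|0|551234|1709288100|1709288100|1709288100|1709288100
0|/home/admin/Downloads/suspect.exe|4402|r/rrw-r--r--|1000|1000|0|1709285000|1709285000|1709288400|1709285000
0|/etc/shadow|88|r/rrw-r-----|0|42|1300|1709200000|1709200000|1709200000|1700000000
"""

CLAIMED_OFFLINE = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)


def parse_body(text):
    """Expand each body line into (timestamp, field, path) timeline entries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        path = fields[1]
        for label, raw in zip(("atime", "mtime", "ctime", "crtime"), fields[7:11]):
            ts = int(raw)
            if ts <= 0:          # TSK writes 0 for timestamps it could not recover
                continue
            records.append((datetime.fromtimestamp(ts, timezone.utc), label, path))
    return sorted(records)


def post_containment(records, claimed_offline):
    """Timeline entries later than the moment responders say the box was isolated."""
    return [r for r in records if r[0] > claimed_offline]


def summarize(events):
    """Group post-containment activity by path: the list to review with the responders."""
    by_path = {}
    for ts, label, path in events:
        by_path.setdefault(path, []).append(f"{label}@{ts:%H:%M:%S}")
    return by_path


if __name__ == "__main__":
    activity = summarize(post_containment(parse_body(SAMPLE_BODY), CLAIMED_OFFLINE))
    for path, touches in activity.items():
        print(f"{path}: {', '.join(touches)}")
```

Logins (auth.log), tool installs (the scanner binary) and changes to the suspect file all surface as timestamps after 10:00, which is exactly the activity the responders said never happened.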