Incident recovery and response is a very broad topic, and there are many opinions on the proper methods to use and actions to take once an intrusion has been discovered. Just as the debate rages on regarding vi versus emacs, Linux versus Windows, and BSD versus everything else, there is much debate in the computer forensics crowd on the “clean shutdown” versus “pull the plug” argument. A whole book could be written on recovering from and responding to an incident since there are many things to consider when doing so, and the procedure you should use is far from well defined.

With this in mind, this chapter is not meant to be a guide on what to do when you first discover an incident, but it does show you how to perform tasks that you might decide to undertake in the event of a successful intrusion. In reading this chapter, you will learn how to properly create a filesystem image to use for forensic investigation of an incident, methods for verifying that files on your system haven’t been tampered with, and some ideas on how to quickly track down the owner of an IP address.