Don’t panic!

Plan ahead: have response plans designed and rehearsed.

Start a diary and/or script file as soon as you discover or suspect a break-in. Note and timestamp everything you discover and do. Sign these notes.

Run hardcopies of files showing changes and tracing activity. Initial and time-stamp these copies.

Prepare a forensic toolkit with trusted software on a bootable CD-ROM.

Run machine status-checking programs regularly to watch for unusual activity: ps, w, vmstat, etc.

If a break-in occurs, consider making a dump of the system to backup media before correcting anything.

If the break-in occurs over the network, contact the attacker’s ISP by phone.

Carefully examine the system after a break-in. See the chapter for specifics—there is too much detail to list here. Specifically, be certain that you restore the system to a known, good state.

Carefully check backups and logs to determine if this is a single occurrence or is related to a set of incidents.

Trust nothing but hardcopy.