• @[email protected]
    link
    fedilink
    117 months ago

    You DONT want to turn it off. Digital forensics work WAAAAAAY better if you have a memory dump of the system. And all the memory is lost if you turn it off. Even if the virus ran 10h ago and the program has long stoped running, there will most likely still be traces in the RAM. Like a hard drive, simply deleting something in RAM doesn’t mean it is gone. As long as that specific area was not written over later it will still hold the same contenta. You can sometimes find memory that belonged to a virus days or even weeks after the infection if the system was never shut down. There is so much information in ram that is lost when the power is turned off.

    You want to 1: quarantine from network (don’t pull the cable at the system, but firewall it at the switch if possible) 2: take a full copy of the RAM 2.5: read out bitlocker keys if the drive is encrypted. 3: turn off and take a bitwise copy of the hard drive or just send the drive + memory dump to the forensics team. 4: get coffee

    • @Emerald
      link
      77 months ago

      Why would you be doing digital forensics?

      • @KISSmyOSFeddit
        link
        137 months ago

        To find out if nuking that one workstation is enough or if you have to take more drastic measures.

        • @Emerald
          link
          47 months ago

          I feel like most companies wouldn’t bother with all that. They’d probably just nuke the workstation and call it a day.

          • @[email protected]
            link
            fedilink
            27 months ago

            Yeah no. You gotta do due diligence. Getting one system compromised isn’t enough. The whole point is to pivot, elevate, repeat.