Article: 14789 of alt.sysadmin.recovery
From: INVALID_SEE_SIG@example.com (J.D. Baldwin)
Newsgroups: alt.sysadmin.recovery
Subject: Re: Certain parts of monkhood sucks far too much..
Date: Fri, 19 Apr 2002 18:16:57 +0000 (UTC)
Organization: Revealed on a need-to-know basis
Lines: 38
Approved: And with obsequious majesty approv'd.
Message-ID: <a9pmup$5fb$3@reader1.panix.com>
References: <uofgfx47j.fsf@slempike.com> <slrnac0mmh.704.andrew+usenet@brains.not.invalid>
Reply-To: baldwin+news@panix.com
NNTP-Posting-Host: panix3.panix.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: reader1.panix.com 1019240217 5611 166.84.1.3 (19 Apr 2002 18:16:57 GMT)
X-Complaints-To: abuse@panix.com
NNTP-Posting-Date: Fri, 19 Apr 2002 18:16:57 +0000 (UTC)
X-No-Ahbou: Yes
X-PGP-Key-Info: Key number 869CC8A5, finger me for full key
X-Newsreader: trn 4.0-test74 (May 26, 2000)
Path: news.meer.net!sea-read.news.verio.net!dfw-artgen!iad-peer.news.verio.net!news.verio.net!washdc3-snh1.gtei.net!nycmny1-snh1.gtei.net!news.gtei.net!panix!not-for-mail
Xref: archive.mv.meer.net alt.sysadmin.recovery:14789


In the previous article, Andrew Dalgleish
<andrew+usenet@dalgleish.dyndns.org> wrote:
> > And yes, I had to look. I had to look at every single second of
> 
> It's probably not in your job description, and be damn
> careful that you are not destroying *any* evidence.
> Not even atimes.

UI presented with no apologies, rotting or regrets whatsoever.  Avert
your eyes, if you like.

If you find something like this, as soon as you see the *first* image,
take these actions:

1. Shut down all outside access to the file server in question.

2. Make a tarball (zip file, whatever) of the whole directory
hierarchy under which the suspect material resides.  Make sure the
tarball itself is written off to a completely different device, then
transfer it immediately to a different machine.

3. Obtain an MD5 (or other cryptographically strong) checksum of the
result of #2.

4. Send an email with the name of the archive file you created, along
with the aforementioned checksum, and listing all the details of what
you think you saw, where you think you saw it, what you have done so
far, etc., to the PGP timestamp service of your choice.

Now that you have an unforgeable record of what you found and when you
found it, you can proceed with whatever else you want to do about it.
But do this stuff FIRST.
-- 
  _+_ From the catapult of |If anyone disagrees with any statement I make, I
_|70|___:)=}- J.D. Baldwin |am quite prepared not only to retract it, but also
\      /  baldwin@panix.com|to deny under oath that I ever made it. -T. Lehrer
***~~~~-----------------------------------------------------------------------
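
Steps 2 through 4 of the post above as one shell function, added here as an example and not part of the original post. The function name, file names and record layout are assumptions; SHA-256 stands in for the "other cryptographically strong" checksum, and GNU tar's --atime-preserve=system is used when the local tar offers it, so that reading the files does not update their access times.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage: preserve_evidence SRC_DIR DEST_DIR   (DEST_DIR should sit on another device)
preserve_evidence() {
    src=$1 dest=$2
    [ -d "$src" ] && [ -d "$dest" ] || {
        echo "usage: preserve_evidence SRC_DIR DEST_DIR" >&2; return 2; }

    # Step 2 asks for a different device; warn if both paths share a filesystem.
    src_fs=$(df -P "$src" | awk 'NR==2 {print $1}')
    dest_fs=$(df -P "$dest" | awk 'NR==2 {print $1}')
    [ "$src_fs" != "$dest_fs" ] ||
        echo "warning: $dest is on the same filesystem as $src" >&2

    # GNU tar can open files without updating their access times.
    atime_opt=""
    if tar --help 2>/dev/null | grep -q -- '--atime-preserve'; then
        atime_opt="--atime-preserve=system"
    fi

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/evidence-$stamp.tar"
    # Archive relative to the parent so the hierarchy's own name is kept.
    tar $atime_opt -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    chmod a-w "$archive"          # guard against accidental modification

    # Step 3: checksum of the archive exactly as written.
    sum=$(sha256sum "$archive" | awk '{print $1}') || return 1

    # Step 4: body of the message to send to the timestamp service.
    record="$archive.record.txt"
    {
        echo "Archive: $(basename "$archive")"
        echo "SHA-256: $sum"
        echo "Created (UTC): $stamp"
        echo "Host: $(uname -n)"
        echo "Source path: $src"
        echo "Details (what was seen, where, actions taken so far):"
    } > "$record"
    echo "$record"                # path of the record file, for the caller
}
```

The function prints the path of the record file; fill in the details line by hand before sending it, and move the archive to a different machine as step 2 says.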


