RFC 3227
Guidelines for Evidence Collection and Archiving
| Original: | ftp://ftp.isi.edu/in-notes/rfc3227.txt |
|---|---|
| Authors: | D. Brezinski [In-Q-Tel], T. Killalea [neart.org] |
| Date: | February 2002 |
| Category: | Best Current Practice [BCP 55] |
| Referred by: | 3 RFCs |
| Refers to: | 4 RFCs |
Status
This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
A "security incident", as defined in the "Internet Security Glossary", RFC 2828 (FYI 36), is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident.
If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.
Prepared by Miloslav Nic:
- the founder of Zvon.org and Law-Ref.org
- the head of the B.Sc. program Informatics and Chemistry [in Czech]
- the founder of Lidem.org - Volby 2006 - parliamentary elections in the Czech Republic [in Czech]
- the chief consultant of the publishing house ICT Press

and Pavel Srb, a student of the B.Sc. program Informatics and Chemistry.