ANALYSIS
If you're hoping to identify the individual who caused the problem or perform more diagnosis to determine the exact source of the attack, you'll want to image the system or systems that were compromised. Imaging a system, using a package such as Symantec Ghost, creates a file you can use to recreate the system as it was when you discovered the attack. You can copy the image to another hard drive to preserve a record of the problem and then use it to help pinpoint the attacker or specific vulnerabilities. Once you've created the image, you can restore the production system to its operational state. It's best to image to another set of hard drives and use them for your further investigations, because the imaging process copies only data that is marked as being used in the file allocation tables. As a result, recently deleted files that can be recovered will not be copied to the image. Ultimately, few go to the lengths required to recover files that have already been deleted, but some do. Evaluate systems to detect tampering
Before reconnecting systems to the Internet, you have to determine whether they have been compromised. This is perhaps the most difficult part of being hacked because it requires a critical look at the status of the systems and the logs that may have been generated. The first step is to review every security account on the machine and all of the connected systems. In a typical network environment, this means both the local machine accounts and the network accounts coming from Novell Directory Services (NDS) or Active Directory. It also means reviewing database accounts and verifying that they have not been tampered with. This includes making sure that none of the disabled accounts that you have in your system has been activated. You're looking for any account that shouldn't be there or can't be explained. If you find one, it should be disabled until you can determine its reason for being on the network.
