On This Page:
- 1. Keep Detailed Notes
- 2. Minimize System Changes
- 3. Gather volatile information while the system is running (optional)
- 4. Shut the system down & preserve hard drive data
- 5. Run Identity Finder & a malware detection scan
- 6. Provide IT with an Incident Report
- Preliminary Analysis: Findings & Next Steps
Computers compromised by malware are the most common data security incident on campus. Departments can choose to handle portions of an incident internally (using the checklist below) or contact UMass Amherst IT at firstname.lastname@example.org as soon as possible.
- If your department’s computers are maintained by UMass Amherst IT LAN Support, complete the steps below in collaboration with your LAN Support contact.
- If a server is compromised, contact email@example.com for instructions.
- UMass Amherst IT can help! We can provide assistance with any of the steps below. We can also provide additional information related to an incident, such as network logs or centralized system/application logs (epo, ISS, AD, DNS).
Use the following checklist for your preliminary analysis. Contact firstname.lastname@example.org if you need assistance with any of the steps.
Depending on the severity of the incident, you may have to provide details about the incident, including how you first responded, to other staff, management, University Legal Counsel, or Internal Audit.
Keep the system intact as changes can destroy valuable data related to the incident. Do not power off, run anti-virus software, or attempt to back up data.
Document any open network connections, running processes, logged-in users, and connected drives. Capture an image of the computer’s memory.
You need to shut the system down before completing the next steps.
Option A: Get a forensically-sound copy of the hard drive
Get a forensically-sound 'bit-by-bit' copy of the affected hard drive(s) and keep this information until the incident is resolved. You should also preserve an MD5 hash of the original drive(s) and image(s). Note: You will need a hard drive write blocker to complete this step (see details below).
Option B: Connect the hard drive to a write blocker
Alternatively, you can connect the hard drive to a hard drive write blocker before performing the next steps. Write blockers enable you to acquire information from a drive without damaging its contents. We recommend Tableau products, available from multiple online retailers.
With the write blocker in place or after you obtained a forensically-sound copy of the affected hard drive(s):
- Run Identity Finder (if installed) to determine whether personally identifiable information is stored on this device and where it is located.
- Complete a virus/malware detection scan using your preferred anti-virus/malware application.
- Gather any other information relevant to this incident.
6. Provide UMass Amherst IT with an Incident Report
You must contact UMass Amherst IT if Identity Finder finds any personally identifiable information, if UMass Amherst IT first contacted you about this incident, or if you cannot rule out the presence of sensitive data on this device.
If you have completed a preliminary analysis, these are some general recommendations based on the most common findings. For additional information, contact email@example.com.
Malware and personally identifiable information found
Submit an Incident Report (see Step 6 above). UMass Amherst IT will need the compromised device (or the forensically-sound copy) for an in-depth analysis.
Personally identifiable information found, but no malware
Contact UMass Amherst IT for a secondary analysis (additional detection tools may be required). Remove the data if no longer necessary or save it in a safe location (e.g., server). Review the business processes that require sensitive data to be placed in this location.
Malware found, but no personally identifiable information
Review the scope of the incident to ensure other devices are not affected. Change all passwords and complete the appropriate recovery steps for this device. Submit an Incident Report if UMass Amherst IT originally notified you of this incident. Alternatively, email your malware scan results to firstname.lastname@example.org (we'll share them with other IT Administrators).
No malware, no personally identifiable information
You may need to re-diagnose the problem: check the incident symptoms and contact UMass Amherst IT for assistance.