Data Loss Investigation Procedures

See also Procedure for Reporting Security Incidents

Immediate Containment

When a system that may contain sensitive data has been identified as compromised, do not scan the system with antivirus software or the Cornell Spider program, attempt to clean off malware, or run a backup. Doing so can destroy forensic data and hamper any investigation of the incident.

If possible, take the affected system down immediately by pulling the power cable from the computer and the wall. If you cannot immediately take down the system, coordinate with the IT Security Office to consider what options are available to isolate the data contained on the system as quickly as possible.

Physically isolate the system. If it is a desktop system, remove it from the work environment and put it in a secure area. Do not leave the system plugged into either power or network jacks.

Preparing for Follow-up

Identify all relevant logs available. These include logs that might be on the system in question as well as firewall logs, domain logs, or IDS logs.

Identify all applications that reside on this system, including databases, servers, and user applications.

Identify and locate the relevant backup media for this system. Also, document the backup schedule for the affected system.

Document who should have legitimate access to the system, when they should be accessing it, how they should be accessing it (console, VPN, etc.), and what data they would normally access on the system.
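The follow-up steps above collect two things that are later compared against each other: copies of the available logs (host, firewall, domain, IDS) and a documented baseline of who should legitimately access the system, how, and when. The following is an added example, not part of the Cornell procedure, of that comparison run off-host over an exported copy of an access log. The log format, user names, access methods, time windows and source addresses are all constructed for illustration; a real review would use the log formats and the baseline documented for the affected system.

```python
"""
Added example (not part of the Cornell procedure): compare the documented
legitimate-access baseline for a compromised host against entries from an
exported copy of its access logs, and report every entry outside the baseline.
Run this on the investigator's workstation, never on the compromised system.
All log lines, user names and host addresses below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRule:
    """One documented, legitimate access pattern for the affected system."""
    user: str
    methods: frozenset   # expected access methods, e.g. {"console", "vpn"}
    start: time          # start of the expected access window (local time)
    end: time            # end of the expected access window


# Hypothetical baseline; in practice this comes from the system owner.
BASELINE = {
    "dba_alice": AccessRule("dba_alice", frozenset({"console", "vpn"}), time(7, 0), time(19, 0)),
    "svc_backup": AccessRule("svc_backup", frozenset({"console"}), time(1, 0), time(3, 0)),
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    method: str
    source: str


def parse_line(line: str) -> AccessEvent:
    """Parse a constructed log line: '<ISO timestamp> <user> <method> <source>'."""
    ts, user, method, source = line.split()
    return AccessEvent(datetime.fromisoformat(ts), user, method, source)


def classify(event: AccessEvent, baseline=BASELINE) -> list[str]:
    """Return the baseline deviations for one event (empty list if it conforms)."""
    rule = baseline.get(event.user)
    if rule is None:
        return ["unknown user"]
    reasons = []
    if event.method not in rule.methods:
        reasons.append(f"unexpected method {event.method}")
    t = event.timestamp.time()
    if not (rule.start <= t <= rule.end):
        reasons.append(f"outside expected window {rule.start:%H:%M}-{rule.end:%H:%M}")
    return reasons


def review(lines, baseline=BASELINE):
    """Return (event, reasons) pairs for every log line that deviates from the baseline."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_line(line)
        reasons = classify(event, baseline)
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed sample entries in the shape of a domain/VPN access log export.
SAMPLE_LOG = """
2024-03-04T08:15:00 dba_alice vpn 10.0.0.12
2024-03-04T02:10:00 svc_backup console localhost
2024-03-04T23:41:00 dba_alice vpn 198.51.100.7
2024-03-05T03:02:00 jdoe rdp 203.0.113.9
2024-03-05T02:30:00 svc_backup vpn 10.0.0.99
""".splitlines()


if __name__ == "__main__":
    for event, reasons in review(SAMPLE_LOG):
        print(f"{event.timestamp:%Y-%m-%d %H:%M} {event.user} via {event.method} "
              f"from {event.source}: {'; '.join(reasons)}")
```

Each flagged entry is a lead to confirm against the other identified log sources (firewall, IDS) rather than a conclusion on its own; the value of the baseline is that it turns "document who should have access" into a concrete filter that separates expected activity from what needs explaining.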