"...until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice..."
The link/line above seems to indicate that we should not unplug a compromised PC or power it off?
If we want to see the network IOCs using Sysinternals TcpView, I guess we should not even disconnect the network at all??
Or should we still disconnect the compromised PC from the network (to stop further re-infections, data being maliciously copied out, or call-backs) but not power it off, i.e. just disconnect it from the network?
In our environment, USB ports are all disabled (except for a few rare exceptions for business purposes on isolated PCs) using DLP products (not using the registry): so if we disconnect a compromised PC from the LAN, the DLP consoles can't be used to re-enable USB for us to copy forensic tools to the compromised PC. However, speed is of the essence when disconnecting an infected PC (we have had a few ransomware cases) from the network, so there's no time to use the DLP consoles to enable USB. So how do we still copy the forensic tools onto the PCs? I assume that if we use the DLP consoles to access the infected PCs, the DLP console may be at risk, or am I being paranoid?
Someone suggested that the forensic tools should always be readily deployed on all PCs & servers to overcome the issue in Q4 above, i.e. place a copy on them from the very start. However, this means we would have to frequently update the versions of the tools or patch them if there are any patches. I would rather have a couple of dedicated forensics laptops with these installers & use a LAN cable (someone suggested a LAN-cable-to-USB adaptor) to copy the installers over; the dedicated laptops would be treated as risky & should be wiped after the whole exercise is over.
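One way to reconcile the two concerns raised above (preserving the network IOCs that TcpView would show versus isolating the host quickly) is to script the volatile collection so that it runs in seconds and only then drops the NICs. The following is an added example, not code from the original post or from any product it mentions; it assumes Windows 8/Server 2012 or later with PowerShell 5.1, an elevated session, and that `C:\IR` (an assumed path) is an acceptable place to write evidence.

```powershell
# Added example (not from the original post): snapshot volatile network evidence
# (live sockets with owning process, DNS cache, ARP table) to local disk, hash
# the artefacts, and only then isolate the host from the network.
# Assumes PowerShell 5.1, elevation, and C:\IR as an assumed output location.
param(
    [string]$OutDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [switch]$Isolate   # disable physical NICs once collection has finished
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Snapshot processes once so each socket can be attributed to an image path and
# command line; PIDs are cast to [int] so hashtable lookups match reliably.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
$procs.Values |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -Path (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# Join a TCP connection or UDP endpoint with its owning process. UDP endpoints
# have no remote side or state, so those columns are simply empty for them.
function Add-Owner($conn, $proto) {
    $p = $procs[[int]$conn.OwningProcess]
    [pscustomobject]@{
        Proto = $proto; LocalAddress = $conn.LocalAddress; LocalPort = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress; RemotePort = $conn.RemotePort
        State = $conn.State; PID = $conn.OwningProcess
        Image = $p.ExecutablePath; CommandLine = $p.CommandLine
    }
}
$conns = @(Get-NetTCPConnection | ForEach-Object { Add-Owner $_ 'TCP' }) +
         @(Get-NetUDPEndpoint  | ForEach-Object { Add-Owner $_ 'UDP' })
$conns             | Export-Csv -Path (Join-Path $OutDir 'netconns.csv') -NoTypeInformation
Get-DnsClientCache | Export-Csv -Path (Join-Path $OutDir 'dnscache.csv') -NoTypeInformation
Get-NetNeighbor    | Export-Csv -Path (Join-Path $OutDir 'arp.csv')      -NoTypeInformation

# Hash every artefact (collected into a variable first, so the hash list does not
# include itself) so later analysis can show the files were not altered.
$hashes = Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -NoTypeInformation

# Only after the evidence is on disk: pull the host off the network without
# powering it off, so memory and the collected files stay intact.
if ($Isolate) {
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}
Write-Host "Volatile evidence written to $OutDir"
```

Run it as `.\collect-volatile.ps1 -Isolate` from a pre-staged copy (the "deploy the tools in advance" option from the thread), or without `-Isolate` when you intend to pull the cable by hand.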