164 Handbook of SCADA/Control Systems Security
Acquiring information from the live system, however, carries its own risks.
Any action performed on the host alters the state of the machine to some
extent. In addition, the attacker may still be on the system and notice the
handler's activity, which could have disastrous consequences.
An incident handler should issue only the minimum commands needed to acquire
the volatile evidence, without inadvertently altering other evidence. A single
poorly chosen command can irrevocably destroy evidence: simply listing a
directory updates the last access time of the directory itself, and any command
that opens the listed files (to search or preview them, say) updates each file's.
Whether and how often last access times are updated at all depends on the
operating system and mount options (for example noatime or relatime on Linux),
so the handler must know the target's configuration rather than assume it.
Furthermore, running commands from the affected host is dangerous because ...
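The following footprint check is an added example, not code from the handbook: it records the access, modification and change times of a fixed set of paths with lstat() before and after an action and reports which timestamps the action touched, so a handler can rehearse a planned command sequence in a lab and see its side effects before touching the live host. The temporary directory, its single evidence file and the three actions (directory listing, file read, append) are constructed for the demo; POSIX timestamp semantics are assumed, and whether atime moves at all is left to the mount options of the machine it runs on.

```python
"""Footprint check for live-response commands (added example, not from the
handbook). lstat() neither opens files nor reads directories, so the check
itself adds no atime footprint to the paths it watches. Assumes POSIX
timestamp semantics; with noatime mounts the atime columns simply never move.
"""
import os
import shutil
import tempfile
import time

FIELDS = ("atime", "mtime", "ctime")


def snapshot(paths):
    """Map label -> (atime, mtime, ctime) in nanoseconds for each watched path.
    Paths that no longer exist are left out so diff() can flag them as deleted."""
    snap = {}
    for label, path in paths.items():
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        snap[label] = (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)
    return snap


def diff(before, after):
    """Return {label: [changed fields]} for watched entries whose timestamps
    moved, plus 'deleted'/'created' markers for entries that came or went."""
    changes = {}
    for label, old in before.items():
        if label not in after:
            changes[label] = ["deleted"]
            continue
        moved = [f for f, o, n in zip(FIELDS, old, after[label]) if o != n]
        if moved:
            changes[label] = moved
    for label in after.keys() - before.keys():
        changes[label] = ["created"]
    return changes


def footprint(paths, action):
    """Run action() and report which of the watched timestamps it altered."""
    before = snapshot(paths)
    action()
    return diff(before, snapshot(paths))


def demo():
    """Constructed scenario: a temp dir holding one file, both backdated two
    days so a relatime mount will update atime on the next access. Returns the
    footprint of a directory listing, a file read and an append, in that order."""
    root = tempfile.mkdtemp(prefix="ir-footprint-")
    target = os.path.join(root, "evidence.log")
    with open(target, "w") as fh:
        fh.write("constructed sample line\n")
    old = time.time() - 2 * 86400
    os.utime(target, (old, old))
    os.utime(root, (old, old))
    watched = {"dir": root, "file": target}

    def read_file():
        with open(target, "rb") as fh:
            fh.read()

    def append_note():  # the careless command: writes into the evidence
        with open(target, "a") as fh:
            fh.write("handler note\n")

    try:
        results = {}
        # ls-style listing: reads the directory, never opens the files
        results["list"] = footprint(watched, lambda: os.listdir(root))
        # cat-style read: opens the file, never reads the directory
        results["read"] = footprint(watched, read_file)
        # write into the evidence: mtime and ctime move and cannot be undone
        results["append"] = footprint(watched, append_note)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for action, changes in demo().items():
        print(f"{action:7s} -> {changes or 'no timestamp changes'}")
```

On a relatime mount the listing moves only the directory's atime, the read moves only the file's atime, and the append moves the file's mtime and ctime while leaving the directory untouched; on a noatime mount the first two report nothing at all, which is itself the configuration fact the handler needs before trusting any access time as evidence. Note that the check watches an explicit path list rather than walking the tree, precisely so that the check does not read directories and become part of the footprint it is measuring.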