The Dice Project

Compromised Machine or User Account Investigation

This document provides guidance on how to go about investigating a believed-compromised machine or user account. It's in four main parts: a section which sets out the context and lists the preliminary steps which must be done; a section which provides suggestions as to how to go about an investigation; a collection of useful links; and some possibly-useful examples.

The first section is complete. The other three are necessarily works-in-progress, and will be added to in the light of experience.

There will often be a tension between the desire to bring a service back quickly and the wish to investigate thoroughly. This document does not attempt to draw any hard and fast rules -- each case will have to be determined on its own merits. At the very least, however, all incidents must be investigated in sufficient depth that it becomes possible to say with reasonable confidence that data integrity has been assured and that it would be safe to bring the service back.

To ensure a high-quality investigation, all incidents must be investigated by a member of the Computing Team; this includes any event which affects a self-managed system.

You should also consult the related "incident management procedures" document.

Requirements
This section sets out the basic ground rules for undertaking an investigation into a believed-compromised machine. While it is understood that the investigation may have originally started as something else, once it is suspected that a compromise may have taken place any subsequent steps must follow the rules laid out here.

The "suggested techniques" in the next section may be followed, as desired. The requirements listed here must be followed as applicable.

  1. (It is assumed throughout that the Head of Computing will consult with and take direction from the Head of School as necessary.)
  2. The Head of Computing (or nominee) must be informed as soon as it is realised that a compromise may have taken place. The Head of Computing may appoint a Lead Investigator, who will be responsible for coordinating the investigation and the activities of any other people involved.
  3. You (the Lead Investigator) should agree with the Head of Computing how questions from users will be answered while the investigation is under way. It is important that users are kept as informed as possible, though of course there will be some things which you may prefer to hold back, at least for a while. You should bear in mind that the Freedom of Information (Scotland) Act 2002 will still apply, and if necessary you should take advice as to its requirements and exemptions. Note that the Head of School's approval must be obtained before any FoI(S)A exemption is claimed.
  4. You should notify irt@ed of the incident, at least in general terms, and be prepared to liaise with them as necessary should the incident turn out to reach beyond Informatics. You should keep them updated as necessary as your investigation proceeds.
  5. The University's Computing Regulations do cover self-managed and personal machines which are or have been attached to the network, though there may be practical difficulties in investigating these. The School's self-managed machines policy can be found here.
  6. If the investigation requires that users' activities be traced or that users' filespace be searched then the Head of School's (or nominee's) permission must be obtained. It will not in general be practicable, or even necessarily desirable, to obtain individual permission in advance from all the users who might be involved.
  7. In all cases, data must still be processed in accordance with applicable legislation (for example, the Data Protection Act 2018, the GDPR, or the Human Rights Act 1998). You should be aware that you may find private, confidential or sensitive material, and you must treat it appropriately. If in doubt, seek advice. Note also the School's privacy policy.
  8. If possible you should make a read-only copy of the data and work from that. If this is not possible for some reason, you should be very careful about any steps which might modify the data or associated timestamps. Ideally you should boot from a clean disc, a network filesystem or a "live USB", rather than booting a suspected-to-be-compromised machine directly. You should be aware that working on the original data is likely to invalidate any evidential status.
  9. A complete written log of all steps must be maintained. This should be either handwritten, or else printed out and signed. It should be clearly dated, and include frequent timestamps throughout. It must be preserved in a safe place until such time as the Head of Computing agrees that it may be disposed of.
  10. If it appears that one or more user accounts should be suspended, you must inform the Head of Computing, who will arrange to have this done and will inform any Directors of Studies, Supervisors, ISS management, line managers and so on as necessary.
  11. If it becomes apparent that the findings of the investigation might be used in formal proceedings (whether School, University or external), STOP. Before you proceed any further you must obtain permission from the Head of Computing. You must be familiar with the ACPO Good Practice Guide for Digital Evidence. You MUST have a second person observing. That second person must make their own separate written record. Ideally that second person would be independent of the School, such as one of the members of irt@ed. You MUST make a copy of the data before you start; bag it along with a written, signed and dated description of the contents, and a copy of your notes to date; seal it; and have it stored in a safe place. Failure to follow any of these steps may make the material worthless as evidence. You should be aware that you may be cross-examined over your findings and any steps which you did or did not take.
  12. There are certain classes of material (various pornography and terrorism-related) which are illegal even to possess. If your investigation turns up any of these then:
  13. Once you have determined the extent of the compromise, or alternatively concluded that you have investigated as much as you reasonably can, you must report your findings to the Head of Computing. It is the Head of Computing's responsibility to decide what steps may then be necessary as a result of the compromise.
  14. After the investigation is complete you must write a detailed report for the Head of Computing, who will circulate it as appropriate. You should also write a public report, possibly based on the detailed report, which you must submit to the Head of Computing and the Head of School for their approval before publishing.
  15. Having notified irt@ed earlier, you should now inform them of your conclusions, at least in general terms, and point them towards your public report. With the Head of Computing's agreement, you may provide them with more detailed information, if this would be in the University's interest.
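The following script is an added example, not code from the original page or from the DICE project, showing one way to carry out what items 8, 9 and 11 above require in practice: take a bit-for-bit copy, check that the copy really matches the original before the original is set aside, keep a timestamped log of each step, write the description that goes into the sealed bag with the copy, and later prove that the copy has not been altered. All paths (the case log, the image name, /mnt/evidence) are assumptions; the "suspect disk" in the demo is a constructed file of random bytes so that the script runs without root, whereas a real acquisition would read the device itself from a clean boot.

```shell
#!/bin/sh
# Added example (not part of the original DICE page): preserving evidence before
# analysis. Paths are assumptions for the demonstration; adjust them.

set -u

# Electronic draft of the written log item 9 requires (print and sign it).
: "${CASE_LOG:=${TMPDIR:-/tmp}/case.log}"

log_step() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$CASE_LOG"
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE DEST: bit-for-bit copy with dd, hashed on both sides
# and rejected unless the hashes agree; the copy is then made read-only.
# Prints the verified SHA-256 on success.
acquire_image() {
    src=$1; dest=$2
    log_step "acquire: dd if=$src of=$dest"
    dd if="$src" of="$dest" bs=1M 2>>"$CASE_LOG" || return 1
    src_hash=$(sha256_of "$src"); dest_hash=$(sha256_of "$dest")
    if [ "$src_hash" != "$dest_hash" ]; then
        log_step "acquire: HASH MISMATCH $src_hash != $dest_hash"
        return 1
    fi
    chmod 0444 "$dest"
    log_step "acquire: verified sha256=$dest_hash"
    printf '%s\n' "$dest_hash"
}

# write_manifest IMAGE DESCRIPTION: the written description of the contents
# that is bagged with the copy (item 11); print it and sign and date by hand.
write_manifest() {
    img=$1; desc=$2
    {
        printf 'Image:        %s\n' "$img"
        printf 'SHA-256:      %s\n' "$(sha256_of "$img")"
        printf 'Size (bytes): %s\n' "$(wc -c <"$img" | tr -d ' ')"
        printf 'Acquired:     %s on %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)"
        printf 'Description:  %s\n' "$desc"
        printf 'Signed: ________________  Date: __________\n'
    } >"$img.manifest"
}

# verify_image IMAGE: re-hash the copy and compare with the sealed manifest.
# Returns 0 if unchanged, 1 if the copy has been altered since it was sealed.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^SHA-256: *//p' "$img.manifest")
    [ -n "$recorded" ] || return 1
    [ "$(sha256_of "$img")" = "$recorded" ]
}

# mount_readonly IMAGE MOUNTPOINT: examine the copy without touching it.
# ro,noatime keep every timestamp as found; noexec,nodev,nosuid stop anything
# on the image from running on the analysis host. Needs root; not run below.
mount_readonly() {
    mount -o ro,noatime,noexec,nodev,nosuid,loop "$1" "$2"
}

# Demonstration on a constructed "disk": 64 KiB of random bytes standing in
# for /dev/sdX of the suspect machine.
demo() {
    work=$(mktemp -d)
    CASE_LOG=$work/case.log
    dd if=/dev/urandom of="$work/suspect.dd" bs=1k count=64 2>/dev/null
    hash=$(acquire_image "$work/suspect.dd" "$work/evidence.img") || return 1
    write_manifest "$work/evidence.img" "Demo image of constructed suspect disk"
    verify_image "$work/evidence.img" && echo "verified $hash"
    # mount_readonly "$work/evidence.img" /mnt/evidence   # as root, on a real image
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh preserve.sh demo`. The hash comparison is the important part: a copy whose hash does not match the source is useless as a working copy and worthless as evidence, so the script refuses to go on rather than logging a warning. The same hash, recorded in the manifest, is what lets a second person later confirm that the sealed copy is the one you made.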

Suggested techniques

The National Cyber Security Centre provides some very helpful guidance on incident response.

The following suggestions borrow heavily from analysis of local incidents which occurred in October 2011 and May 2021.



Adjust paths, parameters and options as appropriate throughout. Some tools are in /sbin or /usr/sbin.

CompromisedMachineInvestigation.html,v 1.106 2021/07/07 13:53:41 squinney Exp


Please contact us with any comments or corrections.
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh