Skip to main content

Protect Evidence of a Possible Data Compromise

This article applies to: Security & Policy


If you haven't already reported the incident, do so now. Work with technical support to contain the system (as outlined below) while you gather and provide incident details to the IT Security Office.

If you believe your computer or file server has been compromised, take steps to protect evidence.

Do not:

  • Scan the system with antivirus software.
  • Attempt to clean off any malicious software.
  • Run a backup.

Doing so can destroy relevant forensics data and hamper investigations.
 

Contain the System Immediately

If possible:

  • Keep the system running with the malware running in the state it was when detected.
  • Remove the system from the network (unplug ethernet cords and turn off Wi-Fi).
  • *Only when directed to do so by an IT security liaison or staff,* turn off and physically isolate the system (if it is a desktop system, remove it from the work environment and put it in a secure area).

If IT Security detects a security problem on your computer before you are aware of it:

  • Your network access may be restricted.
  • Both you and your department’s technical support staff will receive an email notification.
  • Your web browser may redirect you to an online version of the notification.

If critical university business prevents you from removing the system completely from the network, it should be isolated as much as possible. Work with the IT Security Office to restrict access to the system to the local subnet or in such a way that university business can be performed while still protecting other areas of campus and the data held on the system.

About this Article

Last updated: 

Tuesday, June 20, 2017 - 8:39am

Was this page helpful?

Your feedback helps improve the site.