Chapter 4: Configuring RealSecure Desktop Protector
Collecting Evidence Files
Introduction

RealSecure Desktop Protector can capture network traffic attributed to an intrusion and place that information into an evidence file. Desktop Protector captures and decodes each packet coming into the system, so it can generate files that contain detailed information about the intruder's network traffic.
Where are my evidence files?

Desktop Protector evidence files are stored in the installation directory folder. For example, if you install Desktop Protector in the Program Files directory on the C: drive, the evidence files are located in C:\Program Files\ISS\BlackICE. Each file has an *.enc extension.
Note: If you upgraded to RealSecure Desktop Protector 3.5 from a previous version of BlackICE, your evidence log files are still stored in C:\Program Files\Network ICE\BlackICE.
Evidence file format

The evidence and packet log files are trace files. You must have a trace file decoding application to view the contents of these files. Many networking and security product companies produce such decoders. Some shareware decoders are also available on the Internet. If you are using Windows NT or Windows 2000 Server, you can install the Network Monitoring service, which includes Network Monitor, a decoding application. See the Windows NT or Windows 2000 documentation for more information.
Procedure

To collect evidence files:

1. From the Main Menu, select Tools → Edit BlackICE Settings.
2. Select the Evidence Log tab.
3. Select Logging Enabled.
4. In the File prefix box, specify the prefix for the evidence file names.
   To place a date stamp (format YYYYMMDD) and number (NN) in the file name, enter %d after the prefix. For example, if you enter evd%d, the file names will look like this: evdYYYYMMDD-NN.enc. The time is in 24-hour format in Greenwich Mean Time (GMT).
5. In the Maximum Size box, specify how large each evidence file can get.
   Note: For best results, keep this value smaller than 2048 kilobytes (2 MB).
6. In the Maximum Number of Files box, choose how many files Desktop Protector can generate in the specified collection time period.
   Note: For example, if the maximum number of files is 32 (the default value), Desktop Protector does not generate more than 32 evidence files in any 24-hour period.
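The two limits set in steps 5 and 6 silently cap how much evidence is kept: once 32 files exist for a day, later intrusions in that 24-hour period produce no new file. The following added example (not part of the ISS manual or product) parses the evdYYYYMMDD-NN.enc naming scheme from step 4 and audits a directory listing against the recommended size ceiling and the per-period file cap; the listing, the prefix "evd" and the 2048 KB / 32-file values are assumptions taken from this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# File names produced by a prefix ending in %d: <prefix>YYYYMMDD-NN.enc
EVIDENCE_NAME = re.compile(
    r"^(?P<prefix>.+?)(?P<date>\d{8})-(?P<seq>\d{2})\.enc$", re.IGNORECASE)


def parse_evidence_name(name):
    """Return (prefix, date, sequence) for an evidence file name, or None."""
    m = EVIDENCE_NAME.match(name)
    if m is None:
        return None
    try:
        day = datetime.strptime(m.group("date"), "%Y%m%d").date()
    except ValueError:  # eight digits that are not a calendar date
        return None
    return m.group("prefix"), day, int(m.group("seq"))


def audit_evidence(listing, max_size_kb=2048, max_files=32):
    """listing: iterable of (file_name, size_in_bytes) from the evidence folder.

    Flags files above the recommended size ceiling and days on which the
    per-period file cap was reached (later intrusions that day produced no
    new evidence file, so coverage for that day is incomplete).
    """
    per_day = defaultdict(set)
    oversized, unrecognised = [], []
    for name, size in listing:
        parsed = parse_evidence_name(name)
        if parsed is None:
            unrecognised.append(name)
            continue
        _, day, seq = parsed
        per_day[day].add(seq)
        if size > max_size_kb * 1024:
            oversized.append(name)
    capped = sorted(d.isoformat() for d, s in per_day.items() if len(s) >= max_files)
    return {"files_per_day": {d.isoformat(): len(s) for d, s in per_day.items()},
            "oversized": oversized, "capped_days": capped,
            "unrecognised": unrecognised}


# Constructed sample directory listing (hypothetical, not real capture output).
SAMPLE_LISTING = [("evd20040312-%02d.enc" % n, 512 * 1024) for n in range(1, 33)]
SAMPLE_LISTING += [("evd20040313-01.enc", 3 * 1024 * 1024), ("notes.txt", 10)]

if __name__ == "__main__":
    print(audit_evidence(SAMPLE_LISTING))
```

On a live host, build the listing with os.scandir over the evidence folder named above; a day that appears in capped_days is one where the file limit, not the absence of attacks, ended collection.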
Clearing evidence logs

To delete evidence logs:

Note: Clearing evidence log data does not affect the Desktop Protector intrusion detection and firewall functions.

1. From the Main Menu, click Tools → Clear Files.
   The Files to Delete window appears.
2. Select Evidence logs.