ABSTRACT

Once a network administrator finds out that one of his/her servers has been illegally compromised, it is necessary to proceed immediately with a forensic analysis of the compromised system in order to produce an assessment of the damage caused by the attacker. However, two problems affect incident response:

• Frequently, compromised systems cannot be disconnected from the network to be analyzed; and

• The amount of generated information is considerably large, making it very difficult to determine what the attacker really did inside the system.