Plan ahead: have response plans designed and rehearsed.
Start a diary and/or script file as soon as you discover or suspect a break-in. Note and timestamp everything you discover and do. Sign these notes.
Run hardcopies of files showing changes and tracing activity. Initial and time-stamp these copies.
Prepare a forensic toolkit with trusted software on a bootable CD-ROM.
Run machine status-checking programs regularly to watch for unusual activity: ps, w, vmstat, etc.
If a break-in occurs, consider making a dump of the system to backup media before correcting anything.
If the break-in occurs over the network, contact the attacker's ISP by phone.
Carefully examine the system after a break-in. See the chapter for specifics?there is too much detail to list here. Specifically, be certain that you restore the system to a known, good state.
Carefully check backups and logs to determine if this is a single occurrence or is related to a set of incidents.
Trust nothing but hardcopy.