- Incomplete analysis of a system failure may not reveal that the failure was due to malicious activity, thus leaving a back door opportunity for future disruption of services.
- Perform the following types of investigative activity:
  - Examine operating system accounting files in order to ascertain which system processes were running when the system failed.
  - Examine any intrusion detection software to see if external parties were involved in the activity.
  - Examine any error log files associated with the system failure for details of processes and users who were active on the system at the time of the failure.
  - Combine the details from the three aforementioned sources to pinpoint user activity at the time of the failure.
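The three-source correlation described above, as an added example that is not part of the original checklist: it filters constructed accounting, IDS and error-log records (the record layouts, timestamps, user names and signatures are all assumed for illustration) to a window around the failure time and reports which users and processes were active and whether the IDS saw external involvement.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original page): the system failed at 03:14:20.
FAILURE_AT = datetime(2024, 5, 1, 3, 14, 20)
WINDOW = timedelta(minutes=5)  # records within +/- 5 minutes of the failure are relevant

# Process accounting records: "<timestamp> <user> <process>"
ACCOUNTING = [
    "2024-05-01T03:10:02 alice backup.sh",
    "2024-05-01T03:13:55 svc_web httpd",
    "2024-05-01T03:14:10 bob db_maint",
    "2024-05-01T02:30:00 carol cron",       # too early, outside the window
]
# IDS alerts: "<timestamp> <source address> <signature>"
IDS_ALERTS = [
    "2024-05-01T03:13:40 203.0.113.7 SSH brute-force",
    "2024-05-01T01:00:00 198.51.100.9 port scan",   # unrelated, outside the window
]
# Error log lines: "<timestamp> <user or -> <message>"
ERROR_LOG = [
    "2024-05-01T03:14:19 bob service stopped unexpectedly",
    "2024-05-01T03:14:20 - kernel: out of memory",
]

def parse(line, fields):
    """Split a record into a dict keyed by `fields`; the last field keeps any remaining spaces."""
    ts, *rest = line.split(" ", len(fields))
    rec = dict(zip(fields, rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def in_window(rec):
    return abs(rec["ts"] - FAILURE_AT) <= WINDOW

def correlate():
    """Combine the three sources to pinpoint activity at the time of the failure."""
    acct = [r for r in (parse(l, ("user", "process")) for l in ACCOUNTING) if in_window(r)]
    ids = [r for r in (parse(l, ("src", "signature")) for l in IDS_ALERTS) if in_window(r)]
    errs = [r for r in (parse(l, ("user", "message")) for l in ERROR_LOG) if in_window(r)]
    users = sorted({r["user"] for r in acct + errs if r["user"] != "-"})
    return {
        "users_active": users,
        "processes": sorted(r["process"] for r in acct),
        "external_involvement": bool(ids),     # any IDS alert near the failure?
        "ids_signatures": [r["signature"] for r in ids],
        "errors": [r["message"] for r in errs],
    }
```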
- Where possible, ensure that system start-up checks are run before users are allowed to log on, in order to ensure the integrity of the data.
- Ensure that all system failures are logged, whether they are deemed as being caused by an information security breach or not.
- Build up a database of system failures and subsequent recovery procedures in order to provide quick cross-references for any future failures.