Security Basics
Thread: tools to run on compromised linux box
tools to run on compromised linux box, Aug 05 2008 11:50PM, lister lihim org (4 replies)
Re: tools to run on compromised linux box, Aug 06 2008 03:26PM, Adriel Desautels (adriel netragard com) (1 replies)
Re: tools to run on compromised linux box, Aug 06 2008 02:16PM, Nikhil Wagholikar (visitnikhil gmail com) (1 replies)
RE: tools to run on compromised linux box, Aug 06 2008 08:31PM, Murda Mcloud (murdamcloud bigpond com) (1 replies)
Re: tools to run on compromised linux box, Aug 07 2008 01:12PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: tools to run on compromised linux box, Aug 06 2008 01:20PM, Sukbum Hong (sukbum hong cdnetworks co kr)
> >> is an important choice-otherwise you run the risk of further infection
> >> or destroying potential evidence by writing over files that could be
> >> recovered.
> >
> >You'll run that risk one way or the other. If you do forensics on the
> >live system, the malware may become aware of what you're doing and try
> >to wipe its trails. If you cut the power you may lose volatile data
> >(from the RAM). However, if you have Firewire enabled on the machine in
> >question, you can dump the contents of the RAM before cutting the power.
You're right, Ansgar, I should have clarified the 'steps' in order, i.e. take
memory from the live machine first if you choose to, or take an image after
killing the power and then run from another OS to do the investigation.
The either/or scenario you indicate is the decision that has to be made by
the investigator, depending on what is more important. Thanks for pointing
that out.
> >> Another suggestion would be to image the compromised box. Then you can
> >> take your time. Adepto on the Helix cd is great for this kind of op.
> >
> >That should always be the first step after powering the machine off.
Right again.
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of Ansgar -59cobalt- Wiechers
> >Sent: Thursday, August 07, 2008 11:12 PM
> >To: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: Re: tools to run on compromised linux box
> >
> >On 2008-08-07 Murda Mcloud wrote:
> >> Nikhil's suggestion of booting to another OS to do the investigation
> >> is an important choice-otherwise you run the risk of further infection
> >> or destroying potential evidence by writing over files that could be
> >> recovered.
> >
> >You'll run that risk one way or the other. If you do forensics on the
> >live system, the malware may become aware of what you're doing and try
> >to wipe its trails. If you cut the power you may lose volatile data
> >(from the RAM). However, if you have Firewire enabled on the machine in
> >question, you can dump the contents of the RAM before cutting the power.
> >
> >BTW, never do a "normal" shutdown on an infected machine, as that may
> >erase evidence, either by the system overwriting/deleting something, or
> >by the malware doing some "cleanup".
> >
> >> Another suggestion would be to image the compromised box. Then you can
> >> take your time. Adepto on the Helix cd is great for this kind of op.
> >
> >That should always be the first step after powering the machine off.
> >
> >Regards
> >Ansgar Wiechers
> >--
> >"All vulnerabilities deserve a public fear period prior to patches
> >becoming available."
> >--Jason Coombs on Bugtraq
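Added example, not code from the thread or from Helix/Adepto: a small POSIX shell helper for the "image the box from another OS, then take your time" step. It copies a source to an image with dd, hashes both sides, writes a custody record, and lets later sessions verify the image before analysis. The sample "device" is a constructed temp file; on a real case SRC would be the suspect disk attached read-only from a separate boot environment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes sha256sum, dd and mktemp.
set -u

# image_device SRC DEST LOG
# Copy SRC to DEST, hash source and image, append a custody record to LOG.
# Returns 0 only when the two hashes match.
image_device() {
    src=$1; dest=$2; log=$3
    # Hash the source first so any later change to it is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync keeps reading past bad sectors and pads them with
    # zeros; note that a source whose size is not a multiple of bs will be
    # padded too, so its hash will then differ from the image hash.
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    {
        printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s sha256=%s\n' "$src" "$src_hash"
        printf 'image=%s sha256=%s\n' "$dest" "$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST LOG
# Re-hash an image and compare it with the hash recorded in LOG; run this
# before every analysis session so a modified image is noticed.
verify_image() {
    dest=$1; log=$2
    recorded=$(grep "^image=$dest " "$log" | tail -n1 | sed 's/.*sha256=//')
    current=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Constructed sample "device": 1 MiB of random bytes in a temp directory.
WORK=$(mktemp -d)
SRC="$WORK/suspect.dev"
dd if=/dev/urandom of="$SRC" bs=4096 count=256 2>/dev/null
image_device "$SRC" "$WORK/suspect.dd" "$WORK/custody.log" && echo "image ok"
verify_image "$WORK/suspect.dd" "$WORK/custody.log" && echo "verify ok"
```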