Security Incidents mailing list archives
RE: info
From: Head of the Councel of Wizards <rich.hart () qwest com>
Date: 07 May 2002 08:05:13 -0600
On Mon, 2002-05-06 at 15:12, dlaumann () suntzu net wrote:
[snip]- any other recommendations? I'm pretty proficient in linux, but this is the first time ive ran into a hacked box. from my past reading, i know the steps are to try and recover any data not malformed and reinstall. any other pointers?you should try to do an offline investigation of the system, by getting an 'image' of the entire drive as soon as possible. then work off of a copy of that image. this will allow you to work in a controlled environment, and get the 'dirty' host back up and running. the coroners toolkit, task, encase, and nti can help in offline analysis. these tool suites allow you to retrieve and view the device image safely and even view deleted data among other things... http://www.fish.com/tct/ http://www.atstake.com/research/tools/task/ dd, encase, and safeback can yield device images. -dave
What I've done in cases like this, (when possible) is to take the drive out and rebuild the box on a different drive, and then mount the hacked drive on a different box, and do the analysis there. That way, you can analyse the drive with known -not-hacked tools, at your leasure. Rich Hart
Attachment:
signature.asc
Description: This is a digitally signed message part