Security Incidents mailing list archives

RE: info

From: Head of the Councel of Wizards <rich.hart () qwest com>
Date: 07 May 2002 08:05:13 -0600

On Mon, 2002-05-06 at 15:12, dlaumann () suntzu net wrote:

[snip]

- any other recommendations? I'm pretty proficient in linux, 
but this is the first time
ive ran into a hacked box. from my past reading, i know the 
steps are to try and recover
any data not malformed and reinstall. any other pointers?


you should try to do an offline investigation of the system, by getting an
'image' of the entire drive as soon as possible. then work off of a copy of
that image. this will allow you to work in a controlled environment, and get
the 'dirty' host back up and running. the coroners toolkit, task, encase,
and nti can help in offline analysis. these tool suites allow you to
retrieve and view the device image safely and even view deleted data among
other things...

http://www.fish.com/tct/
http://www.atstake.com/research/tools/task/

dd, encase, and safeback can yield device images.

-dave



What I've done in cases like this, (when possible) is to take the drive
out and rebuild the box on a different drive, and then mount the hacked
drive on a different box, and do the analysis there. That way, you can
analyse the drive with known -not-hacked tools, at your leasure.
        Rich Hart

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

info Joe T. (May 03)
- RE: info Loki (May 03)
  - RE: info Joe T. (May 06)
- Re: info W.G. Iyer (May 06)
  - Re: info Joe T. (May 06)
    - Re: info Jose Nazario (May 06)
- Re: info Michel Arboi (May 06)
- <Possible follow-ups>
- RE: info dlaumann (May 06)
  - RE: info Head of the Councel of Wizards (May 07)