Security Incidents mailing list archives

Re: Forensics CD (was: Re: Strange Folder

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Oct 2002 21:16:00 +1200

neil () geol niu edu wrote:

"Meritt James" <meritt_james () bah com> wrote in response to me:

[ ... Kit of tools on a CD-ROM ... ]

REAL good suggestion!  Any specific recommendations as to what should be
on the CD?


Thanks!  I think I picked up the idea from someone on this list, as a
matter of fact.  I wish I could remember who.


Carv perhaps??

He teaches forensics and other post-mortem courses, and features such 
a disk that I seem to recall him mentioneing here.

Aside from that, it is a fairly obvious idea -- if you have to run
code in a compromised environment (not necessarily a good idea to do
extensively if you are doing forensics work) then obviously you must
not trust anything already on the machine.  (Of course, at some level
the tools on the CD are "trusting" the various APIs, etc to be
returning true results and as anyone who has failed to adequately
handle a box with a rootkit installed will tell you, that is not a
clever idea...).


Regards,

Nick FitzGerald

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 07)
- Re: Forensics CD (was: Re: Strange Folder Nick FitzGerald (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder robjeh (Oct 08)
- <Possible follow-ups>
- RE: Forensics CD (was: Re: Strange Folder Brian Taylor (Oct 08)
  - Re: Forensics CD (was: Re: Strange Folder sunzi (Oct 09)
- Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 09)
- RE: Forensics CD (was: Re: Strange Folder Morris, Rod (Oct 10)
- RE: Forensics CD (was: Re: Strange Folder Jonathan Watts (Oct 11)