Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 1 Jun 2004 05:30:48 -0700 (PDT)
Gadi,
> You can do both, but still, how long do you have to work on a PC? How intrusive is it to run ANYTHING? Me? I'd try and shut everything down and (legally acceptable) mirror the HDD as soon as I possibly can like I learned to do when I just got started. Then again, it all depends on your incident response goals.
Ultimately, I think this is the key. If your goal is to treat each and every incident as though it would be prosecuted, you're correct...follow the applicable procedures (i.e., shut down the system, image the drive, etc.). However, a great many cases are *not* litigious in nature, and the goal is to determine (a) *if* anything happened, (b) *what* happened, and (c) *how* it happened. The crux of these issues is many times found in the volatile memory of the system. Shutting the system down "destroys" the volatile memory.
> > Perhaps...if you could get it to work. I think that there're enough Windows tools available to do what needs to be done on Windows systems.
>
> That's true enough, in most cases. What I find to be not advisable is to do *anything* on the original machine/HDD. You mirror it, and for mirroring it correctly you'd need to boot from a minimal OS, say, on a floppy or CD.
You're absolutely correct...never work on the original image, once you've imaged the drive. However, I wasn't referring to working on an image...I was referring to gathering (volatile) data from a live, running system.
> > I've been working on the same thing, which led me to come up with the Forensic Server Project, which is detailed in Chapter 8 of my upcoming book ("Windows Forensics and Incident Recovery", from Addison-Wesley).
>
> No offense, I realize you want to advertise your book and there is nothing wrong with that or bringing us [non-stop] references. Actually, it is more than acceptable. But why don't you just post the ISBN and let us buy it and be over with it? :)
Well, for one thing...I'm not aware that the book *has* an ISBN yet. It's due out in 6 or 7 wks. And how is one reference "non-stop"?
> This is starting to remind me of Bruce Schneier's Cryptogram - interesting but full of adverts. :o)
How is one mention of the book "full of adverts"? Also, there are plenty of other media (lists, forums, etc.) that refer to other sources, such as web sites, etc...are those any different? Is the actual content of a post somehow diminished simply b/c someone points to another resource?