Security Incidents mailing list archives
RE: Incident investigation methodologies
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 7 Jun 2004 20:55:55 -0500
-----Original Message-----
From: Jon Coller [mailto:jon () coller org]
Sent: Friday, June 04, 2004 3:35 PM
To: Schmehl, Paul L
Cc: incidents () securityfocus com
Subject: Re: Incident investigation methodologies

Paul Schmehl wrote:
<snip>
For example, a statically compiled copy of ls on a CD is going to show you what's on the hard drive of a unix machine no matter what the rootkit may have done.
<snip>

This is most definitely not true! How do you think ls gets the contents of a directory? (Here's a hint: the kernel, via the getdents system call.) Take a read of this for a decent example of how trivial it is to make user land tools lie:
http://packetstormsecurity.com/groups/thc/LKM_HACKING.html
I apologize to the list for posting false information. I obviously hadn't thought of the aspect of alteration of the kernel.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
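The point Jon makes above, that ls only ever sees what getdents returns, is easy to demonstrate without loading a kernel module. The following is an added example, not code from either poster or from the THC paper: it reads a directory through the raw Linux getdents64 syscall, then runs the same records through a user-space stand-in for a hooked getdents64 that drops every name starting with an assumed prefix ("rk_") and compacts the buffer, which is exactly the edit an LKM rootkit performs on the kernel side of the syscall boundary. It also shows the classic cross-view check an investigator can run: a name that stat() resolves but enumeration never returns is being hidden. The scratch directory, the two file names and the prefix are all constructed for the demo; it assumes Linux (SYS_getdents64) and a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by the Linux getdents64 syscall. */
struct dent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define HIDE_PREFIX "rk_"   /* assumed: the simulated rootkit hides names with this prefix */
#define MAX_NAMES   64
#define NAME_LEN    256

/* Simulated hooked getdents64. A kernel rootkit does this on the kernel side of
 * the syscall boundary: let the real handler fill the buffer, then drop every
 * record whose name carries HIDE_PREFIX and compact the rest before returning.
 * Here it runs in user space so the effect can be observed without an LKM. */
static long hooked_getdents64(int fd, char *buf, size_t len) {
    long n = syscall(SYS_getdents64, fd, buf, len);
    long out = 0;
    for (long pos = 0; pos < n;) {
        struct dent64 *d = (struct dent64 *)(buf + pos);
        unsigned short reclen = d->d_reclen;
        if (strncmp(d->d_name, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) != 0) {
            if (out != pos) memmove(buf + out, buf + pos, reclen);
            out += reclen;
        }
        pos += reclen;
    }
    return n <= 0 ? n : out;
}

/* Minimal ls: static or dynamic, all it can report is what the syscall hands
 * back. use_hook selects the rootkit-filtered path. Returns the entry count. */
static int list_dir(const char *path, int use_hook, char names[][NAME_LEN], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[4096];
    int count = 0;
    for (;;) {
        long n = use_hook ? hooked_getdents64(fd, buf, sizeof buf)
                          : syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;
        for (long pos = 0; pos < n;) {
            struct dent64 *d = (struct dent64 *)(buf + pos);
            if (count < max) {
                snprintf(names[count], NAME_LEN, "%s", d->d_name);
                count++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return count;
}

static int name_listed(char names[][NAME_LEN], int count, const char *name) {
    for (int i = 0; i < count; i++)
        if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

/* Cross-view check: a name that stat() resolves but enumeration never returns
 * is being hidden from the directory listing. Returns 1 if hidden, else 0. */
static int hidden_from_listing(const char *dir, const char *name, int use_hook) {
    char names[MAX_NAMES][NAME_LEN];
    char full[4096];
    struct stat st;
    int count = list_dir(dir, use_hook, names, MAX_NAMES);
    snprintf(full, sizeof full, "%s/%s", dir, name);
    if (count < 0 || stat(full, &st) != 0) return 0;
    return !name_listed(names, count, name);
}

/* Constructed fixture: a scratch directory holding one ordinary file and one
 * file named the way the simulated rootkit hides. Returns the directory path. */
static char *make_fixture(void) {
    char *dir = strdup("/tmp/getdents_demo_XXXXXX");
    const char *files[] = { "notes.txt", "rk_payload" };
    if (!dir || !mkdtemp(dir)) { free(dir); return NULL; }
    for (int i = 0; i < 2; i++) {
        char p[4096];
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) { free(dir); return NULL; }
        close(fd);
    }
    return dir;
}

int main(void) {
    char *dir = make_fixture();
    if (!dir) return 1;
    char names[MAX_NAMES][NAME_LEN];
    for (int hook = 0; hook <= 1; hook++) {
        int n = list_dir(dir, hook, names, MAX_NAMES);
        printf("%s getdents64:", hook ? "hooked" : "clean ");
        for (int i = 0; i < n; i++) printf(" %s", names[i]);
        printf("\n");
    }
    printf("rk_payload hidden under hook: %d\n", hidden_from_listing(dir, "rk_payload", 1));
    free(dir);
    return 0;
}
```

The cross-view check is only a first-line heuristic: a real LKM rootkit that filters getdents usually filters stat, open and /proc lookups as well, so the name would be invisible to every path that goes through the compromised kernel. That is the reason the thread's conclusion stands: trusted userland binaries do not help once the kernel is altered, and the reliable view comes from imaging the disk and examining it under a known-good kernel.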