Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Pho Man <ph0k1n () yahoo com>
Date: Thu, 27 May 2004 11:29:11 -0700 (PDT)
Based on Knoppix Linux is another Linux CD distro called Penguin Sleuth. I think the address is something like http://www.linux-forensics.com/. This distro is very much like Knoppix, but has more forensic tools. I have tried it out a little, and it works really great. Something to check out if you're looking for a good forensics Linux CD. :)

--- Paul Schmehl <pauls () utdallas edu> wrote:
Since I posted my response in this thread, I've gotten several requests for my "tool list". There's really nothing magical about it.

Foundstone has a number of useful tools - Forensic Toolkit (good for examining files), Vision (shows open TCP and UDP ports and what process owns them), BinText (strings for Windows). Go to http://www.foundstone.com/ and click on Resources/Free Tools.

Sysinternals has a number of tools that you'll probably find in the hackers' toolkits as well, particularly pslist and pskill. But look at their whole set. ListDLLs is very useful, as is Handle, PMon, Process Explorer (find function is *very* helpful), PSTools (pskill, pslist, psservice and several others.) Go to http://www.sysinternals.com/ and click on Utilities.

All these tools are very useful. Particularly when you're dealing with a process or service that's been renamed and/or is elusive, something that can tie processes to PIDs and files with complete paths is a necessity.

Another good tool is Active Ports, which will show you the process, PID, IP address (local and remote), ports (local and remote), state (listen, established) and path to the executable. Go to http://www.snapfiles.com/get/activeports.html More good tools may be found at http://www.ntutility.com/ (including Active Ports.)

Of course Microsoft also has a useful set of utilities that few seem to know about. Among them are sc, tskill, tasklist, eventquery.vbs, pstat.exe (part of the SDK). These are handy in a pinch, but not as informative as the tools mentioned above.

Another tool that I've found invaluable is F.I.R.E. It's a bootable, networkable CD ROM running Linux. I've been able to mount ntfs hard drives and scp the entire contents to a server, saving all the data from a crashed machine before formatting it and reinstalling the OS. (Saved the President's laptop once, becoming a hero in the process.)

I've done forensics on a Win2K box, mounting the ntfs drives and making copies of all the logs and binaries I found without disturbing the contents of the drive or changing any of the file access information. Go to http://biatchux.dmzs.com/ to get a copy. The most recent update is dated 5/14/2003, so I don't know if it's being maintained or updated.

You might want to consider Knoppix instead. It comes with a boatload of extra stuff you won't use for forensics, but it's a good way to get familiar with unix, if you're not already. It even has a working version of snort with ACID! Go to http://www.knoppix.net/ for more information.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
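Paul's quoted post describes mounting a suspect machine's NTFS drives from a Linux boot CD and copying logs and binaries off "without disturbing the contents of the drive or changing any of the file access information". The script below is an added example of how to do that from any Linux live CD (F.I.R.E., Knoppix, Penguin Sleuth); it is not code from either poster. It mounts the volume with options that prevent writes, access-time updates and execution, and writes a SHA-256 manifest before copying so the copies can later be proven identical. The device path /dev/sda1, the mount point and the file names in the comments are assumptions for illustration; the mount step itself needs root and an NTFS driver.

```shell
#!/bin/sh
# Added example (not from the original post): read-only acquisition of a
# suspect NTFS volume from a Linux boot CD plus an integrity manifest.
# Device path, mount point and file names are assumptions for illustration.
set -u

# Mount options that keep the evidence drive untouched:
#   ro       never write to the volume
#   noatime  never update access times (belt and braces on top of ro)
#   noexec,nodev,nosuid  never run anything found on the suspect filesystem
forensic_mount_opts() {
    printf '%s' 'ro,noatime,noexec,nodev,nosuid'
}

# Mount DEVICE (e.g. /dev/sda1) read-only at MOUNTPOINT.
# Requires root and an NTFS driver (ntfs-3g or the in-kernel driver).
forensic_mount() {
    device=$1
    mountpoint=$2
    mkdir -p "$mountpoint"
    mount -t ntfs -o "$(forensic_mount_opts)" "$device" "$mountpoint"
}

# Resolve a (possibly not yet existing) file path to an absolute one so the
# manifest can be used after cd'ing into the evidence tree.
abs_path() {
    printf '%s/%s' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# Write a sha256 manifest of every regular file under DIR to MANIFEST.
# Paths are stored relative to DIR so the same manifest verifies the copy.
# Reading files does not touch them when the volume is mounted ro,noatime.
hash_manifest() {
    dir=$1
    manifest=$(abs_path "$2")
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# Verify that DIR still matches MANIFEST; exit status 0 means intact.
verify_manifest() {
    dir=$1
    manifest=$(abs_path "$2")
    ( cd "$dir" && sha256sum -c --status "$manifest" )
}

# Typical run on a live CD (root, network up), with assumed paths:
#   forensic_mount /dev/sda1 /mnt/evidence
#   hash_manifest /mnt/evidence /tmp/evidence.sha256
#   scp -rp /mnt/evidence analyst@server:/cases/box1/
#   scp /tmp/evidence.sha256 analyst@server:/cases/box1/
# then on the server: verify_manifest /cases/box1/evidence /cases/box1/evidence.sha256
```

Run the manifest before and after the copy: the first proves what was on the disk when you looked, the second proves the copy you analyse is the same bytes. Keep the manifest file somewhere other than the evidence volume, which is read-only anyway.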
Current thread:
- NKADM rootkit - Something new? Jeremy Pollack (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 27)
- Re: NKADM rootkit - Something new? Robert P. McKenzie (May 27)
- Re: NKADM rootkit - Something new? Pho Man (May 27)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 27)
- RE: NKADM rootkit - Something new? Don Wolf (May 28)
- RE: NKADM rootkit - Something new? Harlan Carvey (May 28)
- Re: NKADM rootkit - Something new? Gadi Evron (May 31)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? InfoSec (May 27)
- RE: NKADM rootkit - Something new? Dave Paris (May 28)
- Re: NKADM rootkit - Something new? Tyrano Jones (May 27)
- <Possible follow-ups>
- Re: NKADM rootkit - Something new? caldcv (May 26)