On Mon, 2003-09-22 at 21:36, Steve Phillips wrote:
> At 09:17 p.m. 22/09/2003 -0400, you wrote:
>
> >Yup. Not to mention that rebooting is a red flag to hackers. The idea
> >here is to run diagnostics while trying to stay off their radar, else
> >you risk losing the evidence (and possibly your filesystem).
>
> Actually, if you suspected the system that much that you needed to take it
> offline for analysis - you would _NEVER_ boot off the medium again until it
> had been verified clean.

I've never suggested booting off any media at all... Benjamin did. I
suggested downloading the source, downloading trusted binaries, and running
it in the existing state. I then went on to mention that a compromised
system should be isolated. It was not my intention to escalate the email
into a full-blown forensics HOWTO.

> The first step is to make a 1:1 identical copy of the system then store the
> hardware away as evidence, powering off should also be via the wall, rather
> than triggering a reboot.

See above.

> you can then work off the image you created and mount that under a system
> that is in a _known_ good state, that way you can't be accused of tampering
> with data and you can do all your investigations without the potential
> attacker(s) influencing your results.

See above.

> In a large enterprise scenario I would also suspect that you would have
> spare boxes to act as a backup in case this happens - if not then I would
> suggest you go get some.

See above.

> In a small environment you would probably never convict as the cost to do
> so would outweigh the benefits, so why bother, if you suspect infection
> then simply re-install and harden. (or slap that spare box into operation
> after ensuring it is hardened)
>
> Basic forensics 101 - there are good tutorials available via google search.

I'm happy that you consider yourself an expert in forensics. I don't. When
I need an expert to perform forensics work for me, I subcontract out to
Raven. You may have met her... her team came in 2nd place at this year's
Defcon CTF.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
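The imaging step Steve describes above (a 1:1 copy, then analysis of the copy on a known-good host), as an added example that is not part of the original thread and not either poster's own procedure. It images a disk with dd, records the hash of the source and of the image so the copy can be shown to be identical, and refuses to proceed on a mismatch. The device path, file names and the tamper check are assumptions; a constructed random file stands in for the suspect disk so the script runs without root or real hardware. The read-only loop mount is shown in a function that is not called, because it needs root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Bit-for-bit image a suspect disk, hash source and copy, verify, and
# (as root, on a known-good host) mount the image read-only for analysis.
set -eu

# image_disk SRC DST
# conv=noerror keeps going past unreadable sectors; conv=sync pads each
# short read with zeros so every later offset stays aligned with the disk.
# bs=512 matches the sector size, so a clean read of a whole device yields an
# image of exactly the same length (a larger bs would pad the tail).
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$1" | cut -d' ' -f1 > "$2.src.sha256"   # hash of the source
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"       # hash of the copy
}

# verify_image DST: returns 0 only if the image still hashes to the recorded
# source hash. Run this before analysis and again before presenting results.
verify_image() {
    expected=$(cat "$1.src.sha256")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# mount_evidence DST MOUNTPOINT (needs root; not executed below)
# losetup -r makes the loop device itself read-only, so even a filesystem
# driver that wants to replay a journal cannot write to the image.
# noload is ext3/ext4-specific (skip journal replay); drop it for other
# filesystems. noexec/nodev/nosuid keep anything on the image from running.
mount_evidence() {
    loopdev=$(losetup -r -f --show "$1")
    mount -o ro,noexec,nodev,nosuid,noload "$loopdev" "$2"
    echo "mounted $1 read-only at $2 via $loopdev"
}

# Constructed stand-in for the suspect disk (e.g. /dev/sda): 1 MiB of random
# data, 2048 sectors of 512 bytes, so no tail padding occurs.
WORK=$(mktemp -d)
SUSPECT="$WORK/suspect.raw"
IMAGE="$WORK/suspect.img"
dd if=/dev/urandom of="$SUSPECT" bs=512 count=2048 2>/dev/null

image_disk "$SUSPECT" "$IMAGE"
if verify_image "$IMAGE"; then
    echo "image verified: sha256 $(cat "$IMAGE.sha256")"
else
    echo "HASH MISMATCH: do not analyse $IMAGE" >&2
    exit 1
fi
```

Keep the two hash files with the image (and a note of who imaged what, when, and from which device) so the chain from hardware to working copy can be shown later; re-running verify_image against the stored source hash is what demonstrates the copy was never altered.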