[Plug-security] forensic analysis
Jason
jkenner@mindspring.com
Mon, 25 Sep 2000 16:23:47 -0700
Wes Bateman wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey all:
>
> I'm interested in advice and opinions on how to best preserve a
> compromised system for later analysis.
>
> Unplugging the network connection, of course
>
> If the machine must be relocated, does one halt the box? Couldn't this
> trigger any response by a rootkit?
>
> Hard power it down?
>
> If you later pulled the drive and remounted it read only on another Linux
> box, would the halt or hard power be preferable?
Since scripts run at a system halt, obviously doing this opens an
oppurtunity for something to happen. Since you dont really care so
much about halting the system properly as preserving data, one
possibility is simply to kill -9 all current processes (except your
shell) from a console login, all at once, sync the drives, then umount
them all (you need to kill processes to be able to umount them), THEN
do a hard powerdown...
check your PATH variable and verify the size and date of the
appropriate commands before executing them.
/bin/echo $PATH
/bin/ls (whatever command) ...
--
jkenner@mindspring.com __
I Support Linux: _> _ _ |_ _ _ _|
Working Together To <__(_||_)| )| `(_|(_)(_|
To Build A Better Future. | <s>