[Plug-security] forensic analysis
Kevin Saling
networkpro@email.com
Wed, 27 Sep 2000 08:55:24 -0700
Some classic forensics stuff at Dan Farmer's site...
http://www.fish.com/forensics/
...Kevin
> -----Original Message-----
> From: plug-security-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-security-admin@lists.PLUG.phoenix.az.us]On Behalf Of
> sinck@ugive.com
> Sent: Monday, September 25, 2000 7:56 AM
> To: plug-security@lists.PLUG.phoenix.az.us
> Subject: [Plug-security] forensic analysis
>
> _ -----BEGIN PGP SIGNED MESSAGE-----
> _ Hash: SHA1
> _
> _ Hey all:
> _
> _ I'm interested in advice and opinions on how to best preserve a
> _ compromised system for later analysis.
> _
> _ Unplugging the network connection, of course
>
> http://www.cert.org/security-improvement/; see "responding to
> intrusions". The biggest thing that stuck out to me was the "chain of
> control" of the offending data. If it's publicly accessible, then you
> lose credibility in court, which makes it harder to convict the lamer.
>
>
> _ If the machine must be relocated, does one halt the box? Couldn't this
> _ trigger any response by a rootkit?
>
> You could load a trusted 'shutdown' on the system from cd and call
> that and have it skip the rc-downing scripts.
>
> If that doesn't help, I've got a list of other articles that some
> idjut has saved by just the links, but no data other than that. I'm
> off to have words with him about that....
>
> David
>
> _______________________________________________
> Plug-security mailing list - Plug-security@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
>
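One way to keep the "chain of control" David mentions above for whatever is pulled off the compromised box (disk image, log copies), as an added example that is not part of the original thread: each hand-off appends a line with the evidence's SHA-256 digest, size, UTC time and custodian, and a later check detects any unrecorded change. It assumes GNU coreutils (sha256sum, date -u, mktemp); the file names and contents are constructed for the walk-through.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU coreutils
# (sha256sum, date -u, mktemp); the file names below are constructed.

# SHA-256 digest of a file, hex only.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Append a custody entry for FILE to MANIFEST: digest, size, UTC time,
# custodian, path, note. Each hand-off appends a line, so the manifest is
# the record of who held the evidence and whether it changed in between.
record_evidence() {
    manifest=$1; file=$2; custodian=$3; note=$4
    printf '%s %s %s %s %s %s\n' \
        "$(hash_file "$file")" "$(wc -c < "$file" | tr -d ' ')" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$custodian" "$file" "$note" \
        >> "$manifest"
}

# Check FILE against its most recent manifest entry.
# Returns 0 (matches), 1 (digest differs), 2 (never recorded).
verify_evidence() {
    manifest=$1; file=$2
    expected=$(awk -v f="$file" '$5 == f { h = $1 } END { print h }' "$manifest")
    [ -n "$expected" ] || { echo "NO RECORD: $file"; return 2; }
    if [ "$(hash_file "$file")" = "$expected" ]; then
        echo "OK: $file"; return 0
    fi
    echo "TAMPERED: $file"; return 1
}

# Constructed walk-through: a small file stands in for a seized disk image.
# Returns 0 only if the intact image verifies and the altered one does not.
demo() {
    dir=$(mktemp -d)
    printf 'constructed disk image contents\n' > "$dir/hda.img"
    record_evidence "$dir/manifest.txt" "$dir/hda.img" "first-responder" "seized"
    verify_evidence "$dir/manifest.txt" "$dir/hda.img" || return 1
    printf 'x' >> "$dir/hda.img"        # an unrecorded modification
    if verify_evidence "$dir/manifest.txt" "$dir/hda.img"; then return 1; fi
    rm -rf "$dir"
}
```

The manifest is whitespace-separated, so evidence paths must not contain spaces; store the manifest on write-once or separately hashed media, since a manifest sitting next to the evidence proves nothing if both can be rewritten together.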