On Monday 07 February 2005 14:43, Alvin Oga <[EMAIL PROTECTED]> wrote:
> > No, you make an image, reinstall, and if you have time (i.e. you normally
> > don't) then you can start the forensics.
>
> yes about making an image ... i assume you mean
> - take the box down,
> - i hate taking the box down, as you can lose
> valuable info in its memory

Unless you have special hardware installed it's impossible to take a memory image of a running machine. There are PCI cards available which use bus-mastering to copy the memory of a live machine for forensics, but they are expensive and would have to be installed before the machine was cracked. Inspecting the memory of a running machine that has been properly cracked is a problem as it may be obscured by a kernel module.

Most people recommend abruptly cutting the power to a machine that may have been compromised. That prevents unlinking files that have no links but which were in use at the time. A shutdown process will give a consistent file system (losing data from temporary files) and may also lose other data.

> - i'd "re-install" into a new disk and leave the cracked one alone
> ( disks are super cheap )
> - i would not reinstall on the cracked disk
> as it can have hidden filesystems

How would hidden filesystems work?

Some name-brand machines (particularly laptops) have a BIOS extension stored on an IDE hard disk which apparently has some reserved disk space. It seems that my Thinkpad had something like this, but now that I'm running 2.6.10 Linux sees all the disk space, which would allow me to increase my Linux use by 3.4G which would overwrite the Thinkpad stuff. Once Linux is using all the space there's nowhere to hide.

Assuming that you use all your disk space then hidden file systems shouldn't be an issue. However it may be good to keep the disk anyway for evidence purposes. Data on the original disk may be better regarded than data on a DVD if the case ever comes to court.

> - for forensics.. use a good cd or build a custom disk
> with lot of fun forensics on it and fiddle till one finds
> all the answers :-0

Make sure that you don't do forensics on the original image. Investigating the situation may require running fsck etc. which changes things.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
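The imaging discipline the reply describes (image first, keep the original disk as evidence, do analysis only on a copy, and never let fsck or a journal replay touch the evidence) as an added shell example. This is not code from the message or its author. Device, evidence and mount paths are placeholders; GNU coreutils (dd, sha256sum) and an ext3/ext4 filesystem for the mount step are assumed.

```shell
#!/bin/sh
# Added example (not from the original message): take a verified image of a
# suspect disk, keep the original untouched as evidence, and analyse only a
# hash-checked working copy. Paths are placeholders; GNU coreutils assumed.
set -eu

# image_disk SRC DEST
# Byte-for-byte copy of SRC into the file DEST, then hash both and refuse to
# continue unless they match. The hash is recorded beside the image so later
# checks can tell whether analysis (a stray fsck, a journal replay) changed it.
image_disk() {
    src=$1
    dest=$2
    # conv=noerror keeps reading past bad sectors; conv=sync is deliberately
    # omitted because its zero-padding would make the image hash differ from
    # the source. For a disk with many bad sectors, GNU ddrescue logs them.
    dd if="$src" of="$dest" bs=4M conv=noerror
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "image_disk: hash mismatch, image is not a faithful copy" >&2
        return 1
    fi
    printf '%s  %s\n' "$dst_hash" "$dest" > "$dest.sha256"
    echo "$dst_hash"
}

# verify_image IMAGE
# Re-hash IMAGE against the record written for it. Exit status 0 means the
# file is still identical to the original disk; anything else means something
# wrote to it.
verify_image() {
    sha256sum -c --status "$1.sha256"
}

# make_working_copy IMAGE WORK
# Analysis happens on WORK; IMAGE stays pristine next to its hash record. The
# copy gets its own record with the same hash, so verify_image WORK shows
# whether the analysis itself altered anything.
make_working_copy() {
    cp "$1" "$2"
    printf '%s  %s\n' "$(cut -d' ' -f1 "$1.sha256")" "$2" > "$2.sha256"
}

# mount_readonly WORK MOUNTPOINT
# Needs root. On ext3/ext4, "ro" alone still replays a dirty journal, which
# writes to the image; "noload" skips the replay. "loop" attaches the file as
# a block device.
mount_readonly() {
    mount -o ro,noload,loop "$1" "$2"
}

# Usage (as root; every path below is a placeholder):
#   image_disk /dev/sdb /evidence/suspect.img
#   make_working_copy /evidence/suspect.img /work/suspect.img
#   mount_readonly /work/suspect.img /mnt/suspect
#   verify_image /evidence/suspect.img   # before and after any analysis
```

The hash record is the point of the script: if `verify_image` on the working copy starts failing after a mount or an fsck, that is the evidence the reply warns about being altered, and the pristine image and the original disk are still there to fall back on.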

