We've been experimenting a bit with VMware Server and virtualizing as many of our "single-task" hosts as possible. The VM host system is locked up as tight as can be (SELinux, firewall, minimal install to begin with, limited SSH access, etc.), but the various service guest hosts need to be open to actually be useful. Well, VMware has this feature called "snapshots", which would have proven infinitely useful back when we got hacked. Just leave the host up and running, make a snapshot of it, and let the forensics guys have the snapshots while we go about cleaning up and rebuilding the "host". And, once you have a snapshot of a VM, you can make as many copies as you need, so you can try all manner of different forensics tricks without worry of damaging the data.
Just a thought.

Gregory
--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
