Re: Compromised system - still ok?
On Monday 07 February 2005 14:43, Alvin Oga <aoga@ns.linux-consulting.com>
wrote:
> > No, you make an image, reinstall, and if you have time (ie. you normally
> > dont) then you can start the forensics.
>
> yes about making an image ... i assume you mean
> - take the box down,
> - i hate taking the box down, as you can lose
> valuable info in its memory
Unless you have special hardware installed it's impossible to take a memory
image of a running machine. There are PCI cards available which use
bus-mastering to copy the memory of a live machine for forensics, but they
are expensive and would have to be installed before the machine was cracked.
Inspecting the memory of a running machine that has been properly cracked is a
problem as it may be obscured by a kernel module.
Most people recommend abruptly cutting the power to a machine that may have
been compromised. That prevents unlinking files that have no links but which
were in use at the time. A shutdown process will give a consistent file
system (losing data from temporary files) and may also lose other data.
> - i'd "re-install" into a new disk and leave the cracked one alone
> ( disks are super cheap )
> - i would not reinstall on the cracked disk
> as it can have hidden filesystems
How would hidden filesystems work?
Some name-brand machines (particularly laptops) have a BIOS extension stored
on an IDE hard disk which apparently has some reserved disk space. It seems
that my Thinkpad had something like this, but now that I'm running 2.6.10
Linux sees all the disk space which would allow me to increase my Linux use
by 3.4G which would overwrite the Thinkpad stuff. Once Linux is using all
the space there's nowhere to hide.
Assuming that you use all your disk space then hidden file systems shouldn't
be an issue.
However it may be good to keep the disk anyway for evidence purposes. Data on
the original disk may be better regarded than data on a DVD if the case ever
comes to court.
> - for forensics.. use a good cd or build a custom disk
> with lots of fun forensics on it and fiddle till one finds
> all the answers :-0
Make sure that you don't do forensics on the original image. Investigating
the situation may require running fsck etc which changes things.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
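As an added example (not part of Russell's mail or anything else in this thread), the following POSIX shell script turns the advice in the reply into a repeatable procedure: image the suspect disk with dd, record a hash of the image, make the master image read-only, and hand the investigator a verified working copy so that fsck, mount and similar tools never touch the original. It assumes only dd, sha256sum, cp and chmod; the source path would normally be a block device such as /dev/sdb (a hypothetical name, not one from the thread) read as root, with the image written to a different physical disk, and the sample "disk" used in the comments is a constructed file standing in for it.

```bash
#!/bin/sh
# Added example, not from the original mail. Assumes POSIX sh, dd, sha256sum,
# cp and chmod. SOURCE is normally a block device (e.g. /dev/sdb, a
# hypothetical name); a plain file works the same way for testing.
set -eu

# acquire_image SOURCE IMAGE
# Copies SOURCE into IMAGE block by block. conv=noerror,sync keeps going past
# unreadable sectors and pads them with zeros, so a dying disk still yields a
# complete image (of the same block-rounded size). The master image is made
# read-only and its SHA-256 is recorded beside it for later re-verification.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"                    # nobody writes to the master image
    sha256sum "$img" > "$img.sha256"
}

# verify_image IMAGE
# Returns 0 if IMAGE still matches the hash recorded at acquisition time.
# Run this before and after every analysis session on the working copy.
verify_image() {
    img=$1
    sha256sum -c "$img.sha256" >/dev/null 2>&1
}

# working_copy IMAGE COPY
# Produces the copy that fsck, mount -o ro,loop, strings etc. are run
# against, and confirms it is byte-identical to the master before use.
working_copy() {
    img=$1; copy=$2
    cp "$img" "$copy"
    chmod 0644 "$copy"                   # the copy is the thing we may alter
    master=$(sha256sum < "$img" | cut -d' ' -f1)
    dup=$(sha256sum < "$copy" | cut -d' ' -f1)
    [ "$master" = "$dup" ]
}

# Typical use (hypothetical paths):
#   acquire_image /dev/sdb /mnt/evidence/sdb.img
#   working_copy /mnt/evidence/sdb.img /scratch/sdb-work.img
#   ... analyse /scratch/sdb-work.img ...
#   verify_image /mnt/evidence/sdb.img   # master is untouched
```

Two practical points the script does not change: the image and its hash file should live on a disk other than the one being imaged, and a file-level chmod is no substitute for physically write-blocking the original disk, since anything running as root (including a mistyped dd) can still write to the block device.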