Re: Compromised system - still ok?

To: debian-security@lists.debian.org
Subject: Re: Compromised system - still ok?
From: Russell Coker <russell@coker.com.au>
Date: Wed, 16 Feb 2005 15:22:16 +1100
Message-id: <[🔎] 200502161522.18182.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] Pine.LNX.3.96.1050206193613.24313A-100000@Maggie.Linux-Consulting.com>
References: <[🔎] Pine.LNX.3.96.1050206193613.24313A-100000@Maggie.Linux-Consulting.com>

On Monday 07 February 2005 14:43, Alvin Oga <aoga@ns.linux-consulting.com> 
wrote:
> > No, you make an image, reinstall, and if you  have time (ie. you normally
> > dont) then you can start the forensics.
>
> yes about making an image ... i assume you mean
>  - take the box down,
>   - i hate taking the box down, as you can lose
>   valuable info in its memory

Unless you have special hardware installed it's impossible to take a memory 
image of a running machine.  There are PCI cards available which use 
bus-mastering to copy the memory of a live machine for forensics, but they 
are expensive and would have to be installed before the machine was cracked.

Inspecting the memory of a running machine that has been properly cracked is a 
problem as it may be obscured by a kernel module.

Most people recommend abruptly cutting the power to a machine that may have 
been compromised.  That prevents unlinking files that have no links but which 
were in use at the time.  A shutdown process will give a consistent file 
system (losing data from temporary files) and may also lose other data.

>  - i'd "re-install" into a new disk and leave the cracked one alone
>  ( disks are super cheap )
>   - i would not reinstall on the cracked disk
>   as it can have hidden filesystems

How would hidden filesystems work?

Some name-brand machines (particularly laptops) have a BIOS extension stored 
on an IDE hard disk which apparently has some reserved disk space.  It seems 
that my Thinkpad had something like this, but now that I'm running 2.6.10 
Linux sees all the disk space which would allow me to increase my Linux use 
by 3.4G which would overwrite the Thinkpad stuff.  Once Linux is using all 
the space there's no-where to hide.

Assuming that you use all your disk space then hidden file systems shouldn't 
be an issue.

However it may be good to keep the disk anyway for evidence purposes.  Data on 
original disk may be better regarded than data on a DVD if the case ever 
comes to court.

>  - for forensics.. use a good cd or build a custom disk
>  with with lot of fun forensics on it and fiddle till one finds
>  all the answers :-0

Make sure that you don't do forensics on the original image.  Investigating 
the situation may require running fsck etc which changes things.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Re: Compromised system - still ok?
  - From: Bernd Eckenfels <ecki@lina.inka.de>

References:
- Re: Compromised system - still ok?
  - From: Alvin Oga <aoga@ns.Linux-Consulting.com>

Prev by Date: Re: Cyrus21 does not work corectly with SSL
Next by Date: Re: Compromised system - still ok?
Previous by thread: Re: Compromised system - still ok? - doorstep
Next by thread: Re: Compromised system - still ok?
Index(es):
- Date
- Thread