Product SiteDocumentation Site

11.4. Analisi "patologica"

If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a post mortem analysis of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found in by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and autopsy (the graphical front-end).
Ricordate di condurre sempre l'analisi patologica sulla copia di ripristino dei dati, mai direttamente sui dati stessi: in caso di alterazione durante l'analisi, ogni tipo di prova andrebbe persa!
You will find more information on forensic analysis in Dan Farmer's and Wietse Venema's book (available online), as well as in their and their Brian Carrier's newsletter is also a very good resource on forensic analysis tips. Finally, the are an excellent way to hone your forensic analysis skills as they include real attacks against honeypot systems and provide challenges that vary from forensic analysis of disks to firewall logs and packet captures. For information about available forensics packages in Debian visit
FIXME: Se tutto va bene, in futuro questo paragrafo dovrebbe contenere maggiori informazioni sui metodi di diagnosi in un sistema Debian che ha subito un attacco.
FIXME: Bisognerebbe parlare di come creare un archivio di tipo debsum su un sistema stabile, salvando i file MD5sum su CD e ripristinando su una partizione distinta il sistema recuperato.
FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or