Re: NKADM rootkit - Something new?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 05/27/04
- Previous message: Harlan Carvey: "Re: Trojan of somesort - Update"
- In reply to: Pho Man: "Re: NKADM rootkit - Something new?"
- Next in thread: Don Wolf: "RE: NKADM rootkit - Something new?"
- Reply: Don Wolf: "RE: NKADM rootkit - Something new?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 May 2004 13:07:33 -0700 (PDT)
To: incidents@securityfocus.com
For what it's worth, while bootable Linux distros are great for doing full-out forensics, they are useless on Windows systems for gathering volatile data...after all, when you boot to the Linux distro, all of your volatile data is gone.
--- Pho Man <ph0k1n@yahoo.com> wrote:
> Based on Knoppix Linux is another Linux CD distro called Penguin Sleuth. I think the address is something like http://www.linux-forensics.com/. This distro is very much like Knoppix, but has more forensic tools. I have tried it out a little, and it works really great.
>
> Something to check out if you're looking for a good forensics Linux CD. :)
>
> --- Paul Schmehl <pauls@utdallas.edu> wrote:
> > Since I posted my response in this thread, I've gotten several requests for my "tool list". There's really nothing magical about it.
> >
> > Foundstone has a number of useful tools - Forensic Toolkit (good for examining files), Vision (shows open TCP and UDP ports and what process owns them), BinText (strings for Windows).
> >
> > Go to http://www.foundstone.com/ and click on Resources/Free Tools.
> >
> > Sysinternals has a number of tools that you'll probably find in the hackers' toolkits as well, particularly pslist and pskill. But look at their whole set. ListDLLs is very useful, as is Handle, PMon, Process Explorer (find function is *very* helpful), PSTools (pskill, pslist, psservice and several others.)
> >
> > Go to http://www.sysinternals.com/ and click on Utilities.
> > All these tools are very useful. Particularly when you're dealing with a process or service that's been renamed and/or is elusive, something that can tie processes to PIDs and files with complete paths is a necessity.
> >
> > Another good tool is Active Ports, which will show you the process, PID, IP address (local and remote), ports (local and remote), state (listen, established) and path to the executable; it is extremely useful.
> >
> > Go to http://www.snapfiles.com/get/activeports.html
> >
> > More good tools may be found at http://www.ntutility.com/ (including Active Ports.)
> >
> > Of course Microsoft also has a useful set of utilities that few seem to know about. Among them are sc, tskill, tasklist, eventquery.vbs, pstat.exe (part of the SDK). These are handy in a pinch, but not as informative as the tools mentioned above.
> >
> > Another tool that I've found invaluable is F.I.R.E. It's a bootable, networkable CD ROM running Linux. I've been able to mount ntfs hard drives and scp the entire contents to a server, saving all the data from a crashed machine before formatting it and reinstalling the OS. (Saved the President's laptop once, becoming a hero in the process.) I've done forensics on a Win2K box, mounting the ntfs drives and making copies of all the logs and binaries I found without disturbing the contents of the drive or changing any of the file access information.
> >
> > Go to http://biatchux.dmzs.com/ to get a copy.
> >
> > The most recent update is dated 5/14/2003, so I don't know if it's being maintained or updated.
> >
> > You might want to consider Knoppix instead. It comes with a boatload of extra stuff you won't use for forensics, but it's a good way to get familiar with unix, if you're not already. It even has a working version of snort with ACID!
> >
> > Go to http://www.knoppix.net/ for more information.
> >
> > Paul Schmehl (pauls@utdallas.edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/ir/security/
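An added example, not part of any message in this thread: a PowerShell script that grabs the volatile data Harlan is talking about (processes tied to PIDs and full image paths, TCP connections tied to the owning process, services and the binaries they run) while the Windows box is still running, i.e. before it is powered off or booted to a Linux CD. The script, its output directory and file names are assumptions of this example; it relies on Get-CimInstance, Get-NetTCPConnection and Get-FileHash, which need a modern Windows/PowerShell rather than the 2004-era tools named above.

```powershell
# Live volatile-data snapshot of a Windows host (example code, not from the thread).
# Assumes PowerShell 5.1+ with the NetTCPIP module; run from an elevated prompt so
# ExecutablePath is populated for processes owned by other users and SYSTEM.
param([string]$OutDir = "$env:TEMP\volatile-$(Get-Date -Format yyyyMMdd-HHmmss)")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Processes with PID, parent PID, full image path and command line: a renamed or
# relocated binary is visible here even when its name looks legitimate.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$procs | Export-Csv -NoTypeInformation -Path "$OutDir\processes.csv"

# Index processes by PID so each socket can be tied back to an image path.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# TCP listeners and connections with the owning PID and its executable path.
$conns = Get-NetTCPConnection | ForEach-Object {
    $owner = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        State         = $_.State
        PID           = $_.OwningProcess
        Image         = if ($owner) { $owner.ExecutablePath } else { '<unknown>' }
    }
}
$conns | Export-Csv -NoTypeInformation -Path "$OutDir\tcp-connections.csv"

# Services with state, hosting PID and the binary path the service actually runs.
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, ProcessId, PathName |
    Export-Csv -NoTypeInformation -Path "$OutDir\services.csv"

# Hash the collected files so the snapshot can later be shown to be unchanged.
Get-ChildItem $OutDir -Filter *.csv | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -NoTypeInformation -Path "$OutDir\manifest.csv"

Write-Output "Volatile data written to $OutDir"
```

Copy the output directory off the host (for example over the network, as Paul describes doing with scp from F.I.R.E.) before any reboot, since the collected state cannot be recreated afterwards.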