Re: NKADM rootkit - Something new?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: Thu, 27 May 2004 13:07:33 -0700 (PDT) To: firstname.lastname@example.org
For what it's worth, while bootable Linux distros are
great for doing full-out forensics, they are useless
on Windows systems for gathering volatile data...after
all, when you boot to the Linux distro, all of your
volatile data is gone.
--- Pho Man <email@example.com> wrote:
> Based on Knopppix Linux is a another Linux CD distro
> called Penguin Sleuth. I think the address is
> something like http://www.linux-forensics.com/.
> distro is very much like Knoppix, but has more
> forensic tools. I have tried it out a little, and
> works really great.
> Something to check out if you're looking for a good
> forensics Linux CD. :)
> --- Paul Schmehl <firstname.lastname@example.org> wrote:
> > Since I posted my response in this thread, I've
> > gotten several requests for
> > my "tool list". There's really nothing magical
> > about it.
> > Foundstone has a number of useful tools - Forensic
> > Toolkit (good for
> > examing files), Vision (shows open TCP and UDP
> > and what process owns
> > them), BinText (strings for Windows).
> > Go to http://www.foundstone.com/ and click on
> > Resources/Free Tools.
> > Systinternals has a number of tools that you'll
> > probably find in the
> > hackers' toolkits as well, particularly pslist and
> > pskill. But look at
> > their whole set. ListDLLs is very useful, as is
> > Handle, PMon, Process
> > Explorer (find function is *very* helpful),
> > (pskill, pslist,
> > psservice and several others.)
> > Go to http://www.sysinternals.com/ and click on
> > Utilities.
> > All these tools are very useful. Particularly
> > you're dealing with a
> > process or service that's been renamed and/or is
> > elusive, something that
> > can tie processes to PIDs and files with complete
> > paths is a necessity.
> > Another good tool is Active Ports, which will show
> > you the process, PID, IP
> > address (local and remote), ports (local and
> > remote), state (listen,
> > established) and path to the executable is
> > useful.
> > Go to
> > More good tools may be found at
> > http://www.ntutility.com/ (including Active
> > Ports.)
> > Of course Microsoft also has a useful set of
> > utilities that few seem to
> > know about. Among them is sc,tskill, tasklist,
> > eventquery.vbs, pstat.exe
> > (part of the SDK). These are handy in a pinch,
> > not as informative as
> > the tools mentioned above.
> > Another tool that I've found invaluable is
> > It's a bootable,
> > networkable CD ROM running Linux. I've been able
> > mount ntfs hard drives
> > and scp the entire contents to a server, saving
> > the data from a crashed
> > machine before formatting it and reinstalling the
> > OS. (Saved the
> > President's laptop once, becoming a hero in the
> > process.) I've done
> > forensics on a Win2K box, mounting the ntfs drives
> > and making copies of all
> > the logs and binaries I found without disturbing
> > contents of the drive
> > or changing any of the file access information.
> > Go to http://biatchux.dmzs.com/ to get a copy.
> > The most recent update is dated 5/14/2003, so I
> > don't know if it's being
> > maintained or updated.
> > You might want to consider Knoppix instead. It
> > comes with a boatload of
> > extra stuff you won't use for forensics, but it's
> > good way to get
> > familiar with unix, if you're not already. It
> > has a working version
> > of snort with ACID!
> > Go to http:www.knoppix.net/ for more information.
> > Paul Schmehl (email@example.com)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/ir/security/
> Do you Yahoo!?
> Friends. Fun. Try the all-new Yahoo! Messenger.