RE: NKADM rootkit - Something new?

From: Don Wolf (don.wolf_at_ssisc.com)
Date: 05/28/04

    To: "'Harlan Carvey'" <keydet89@yahoo.com>, <incidents@securityfocus.com>
    Date: Fri, 28 May 2004 07:02:16 -0400
    
    

    "Linux distros are... useless on Windows systems for gathering volatile
    data"

    Harlan, you're absolutely right. Anyone with enough forensic, IR or even
    data recovery experience knows maintaining state is critical. If you change
    the state (e.g. reboot) then you've effectively lost any chance of
    recovering meaningful information. This is more so in the context of tracking
    hacks than recovering client data.

    An option - Virtual sessions of Linux (Knoppix, Insert, etc.) may be possible
    on a Windows platform. Without any extensive knowledge of those bootable CD
    OSes, I cannot say that it would work, but it would certainly be of more use
    in forensic data recovery or incident response on Windows platforms.

    The approach of using a handful of tried and true tools is arguably the most
    logical and productive method. If having all the tools on-hand in a nice
    neat package is a concern (seems to be in this thread), burn them all to CD
    and create some non-intrusive scripts to run them. I've consolidated a
    number of tools in my time that I've put to CDs and flash. Furthermore,
    I've been working for the last few months to determine what method of
    running these tools would yield the best results with the least impact.
    This has led to a number of both complex scripts and rudimentary scripts.

    I suggest all those interested look at what the experienced guys are using
    and put together your own kit. Don't risk destroying the data at hand
    because someone put a "convenient" CD together.

    Don

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Thursday, May 27, 2004 4:08 PM
    To: incidents@securityfocus.com
    Cc: ho Man; Paul Schmehl
    Subject: Re: NKADM rootkit - Something new?

    For what it's worth, while bootable Linux distros are
    great for doing full-out forensics, they are useless
    on Windows systems for gathering volatile data...after
    all, when you boot to the Linux distro, all of your
    volatile data is gone.

    --- Pho Man <ph0k1n@yahoo.com> wrote:
    > Based on Knoppix Linux is another Linux CD distro
    > called Penguin Sleuth. I think the address is
    > something like http://www.linux-forensics.com/. This
    > distro is very much like Knoppix, but has more
    > forensic tools. I have tried it out a little, and it
    > works really great.
    >
    > Something to check out if you're looking for a good
    > forensics Linux CD. :)
    >
    > --- Paul Schmehl <pauls@utdallas.edu> wrote:
    > > Since I posted my response in this thread, I've
    > > gotten several requests for my "tool list". There's
    > > really nothing magical about it.
    > >
    > > Foundstone has a number of useful tools - Forensic
    > > Toolkit (good for examining files), Vision (shows
    > > open TCP and UDP ports and what process owns them),
    > > BinText (strings for Windows).
    > >
    > > Go to http://www.foundstone.com/ and click on
    > > Resources/Free Tools.
    > >
    > > Sysinternals has a number of tools that you'll
    > > probably find in the hackers' toolkits as well,
    > > particularly pslist and pskill. But look at their
    > > whole set. ListDLLs is very useful, as is Handle,
    > > PMon, Process Explorer (find function is *very*
    > > helpful), PSTools (pskill, pslist, psservice and
    > > several others.)
    > >
    > > Go to http://www.sysinternals.com/ and click on
    > > Utilities.
    > >
    > > All these tools are very useful. Particularly when
    > > you're dealing with a process or service that's been
    > > renamed and/or is elusive, something that can tie
    > > processes to PIDs and files with complete paths is a
    > > necessity.
    > >
    > > Another good tool is Active Ports, which will show
    > > you the process, PID, IP address (local and remote),
    > > ports (local and remote), state (listen, established)
    > > and path to the executable, and is extremely useful.
    > >
    > > Go to http://www.snapfiles.com/get/activeports.html
    > >
    > > More good tools may be found at
    > > http://www.ntutility.com/ (including Active Ports.)
    > >
    > > Of course Microsoft also has a useful set of
    > > utilities that few seem to know about. Among them
    > > are sc, tskill, tasklist, eventquery.vbs and
    > > pstat.exe (part of the SDK). These are handy in a
    > > pinch, but not as informative as the tools mentioned
    > > above.
    > >
    > > Another tool that I've found invaluable is F.I.R.E.
    > > It's a bootable, networkable CD ROM running Linux.
    > > I've been able to mount ntfs hard drives and scp the
    > > entire contents to a server, saving all the data from
    > > a crashed machine before formatting it and
    > > reinstalling the OS. (Saved the President's laptop
    > > once, becoming a hero in the process.) I've done
    > > forensics on a Win2K box, mounting the ntfs drives
    > > and making copies of all the logs and binaries I
    > > found without disturbing the contents of the drive or
    > > changing any of the file access information.
    > >
    > > Go to http://biatchux.dmzs.com/ to get a copy.
    > >
    > > The most recent update is dated 5/14/2003, so I don't
    > > know if it's being maintained or updated.
    > >
    > > You might want to consider Knoppix instead. It comes
    > > with a boatload of extra stuff you won't use for
    > > forensics, but it's a good way to get familiar with
    > > unix, if you're not already. It even has a working
    > > version of snort with ACID!
    > >
    > > Go to http://www.knoppix.net/ for more information.
    > >
    > > Paul Schmehl (pauls@utdallas.edu)
    > > Adjunct Information Security Officer
    > > The University of Texas at Dallas
    > > AVIEN Founding Member
    > > http://www.utdallas.edu/ir/security/
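Don's suggestion of burning the tools to CD with non-intrusive scripts, combined with the process and port tools from Paul's list, can be turned into a live-collection script like the one below. It is an added example written for this page, not a script posted by anyone in the thread; it assumes the Sysinternals binaries sit in a `tools` directory beside the script on the CD and that the first argument names a removable drive or mapped share to receive the output, so nothing is written to the suspect machine's own disk.

```batch
@echo off
rem Volatile-data collection from a read-only CD (added example, not
rem from the thread). Assumptions: pslist, listdlls, handle and
rem psservice live in %~dp0tools; output goes to the drive or share
rem given as the first argument, never to the suspect system's disk.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<output-drive-or-share^>
    exit /b 1
)
set TOOLS=%~dp0tools
set OUT=%~1\%COMPUTERNAME%
md "%OUT%" 2>nul

rem Document who ran the collection, where, and when, before anything else.
echo collection started  > "%OUT%\00_collection.txt"
date /t                 >> "%OUT%\00_collection.txt"
time /t                 >> "%OUT%\00_collection.txt"
echo %USERNAME% on %COMPUTERNAME% >> "%OUT%\00_collection.txt"

rem Order of volatility: network state first, then processes, then services.
netstat -an                 > "%OUT%\01_netstat.txt"
"%TOOLS%\pslist" -t         > "%OUT%\02_pslist_tree.txt"
tasklist /v                 > "%OUT%\03_tasklist.txt"
tasklist /svc               > "%OUT%\04_tasklist_svc.txt"
rem listdlls and handle tie each PID to loaded module and file paths,
rem which is what exposes a renamed or elusive process.
"%TOOLS%\listdlls"          > "%OUT%\05_listdlls.txt"
"%TOOLS%\handle" -a         > "%OUT%\06_handle.txt"
"%TOOLS%\psservice"         > "%OUT%\07_psservice.txt"
sc query                    > "%OUT%\08_sc_query.txt"

rem Closing timestamp so the collection window is on record.
echo collection finished >> "%OUT%\00_collection.txt"
date /t                  >> "%OUT%\00_collection.txt"
time /t                  >> "%OUT%\00_collection.txt"
endlocal
```

Every command is invoked by full path from the CD so that a trojaned copy of the same tool on the suspect system is never picked up from `%PATH%`, and the only writes are redirections to the collection target.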

