Re: NKADM rootkit - Something new?

From: Gadi Evron (ge_at_linuxbox.org)
Date: 05/29/04
Date: Sat, 29 May 2004 13:33:33 +0200
To: Harlan Carvey <keydet89@yahoo.com>
> On a side/tangential note, I've had discussions
> regarding the collection of the contents of physical
> memory. While I've heard that it's been desired or
> recommended, I fail to see the value of using a tool
> such as dd.exe to dump the entire contents of
> RAM...how would you then parse it apart into anything
> usable. My recommendation would be to use tools such
> as pmdump.exe to dump the memory contents of specific
> processes to a USB-connected thumb drive...that way,
> any information found via 'strings' could be easily
> associated w/ a particular process.

What if a certain process released some memory? Or a process is no
longer running?

You can do both, but still, how long do you have to work on a PC? How
intrusive is it to run ANYTHING?

Me? I'd try and shut everything down and (legally acceptable) mirror the
HDD as soon as I possibly can like I learned to do when I just got started.

Then again, it all depends on your incident response goals.

Do you want to monitor the possible hack, the process? Do you want to
just secure the network/PC real quick? Etc.

> Perhaps...if you could get it to work. I think that
> there're enough Windows tools available to do what
> needs to be done on Windows systems.

That's true enough, in most cases.

What I find to be not advisable is to do *anything* on the original
machine/HDD. You mirror it, and for mirroring it correctly you'd need to
boot from a minimal OS, say, on a floppy or CD.

You'd encounter many of the same problems when you want to wipe.

> I've been working on the same thing, which led me to
> come up with the Forensic Server Project, which is
> detailed on Chapter 8 of my upcoming book ("Windows
> Forensics and Incident Recovery", from
> Addison-Wesley).

No offense, I realize you want to advertise your book and there is
nothing wrong with that or bringing us [non-stop] references. Actually,
it is more than acceptable. But why don't you just post the ISBN and let
us buy it and be over with it? :)

This is starting to remind me of Bruce Schneier's Crypto-Gram -
interesting but full of adverts. :o)

        Gadi Evron.

-- 
Email: ge@linuxbox.org.  Work: gadie@cbs.gov.il. Backup: ge@warp.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: 
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
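The mirroring step argued for above (image the drive from a minimal boot OS, then work only on the copy), as an added POSIX shell example that is not part of the original thread. It assumes dd and sha256sum are available on the boot media, that the source is opened read-only, and that the block size divides the source size exactly (otherwise conv=sync pads the last block and the hashes will not match).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# acquire_image SRC DST LOG
#   Copies SRC (normally a block device such as /dev/sda, here any file)
#   block by block to DST, hashes both, and appends the result to LOG.
#   Returns 0 when source and image hashes match, 1 otherwise.
acquire_image() {
    src="$1"; dst="$2"; log="$3"

    # noerror: keep going past unreadable sectors; sync: pad such blocks so
    # offsets in the image stay aligned with offsets on the source.
    # bs=512 matches the sector size of the disks discussed on this page;
    # it must divide the source size or the padded tail changes the hash.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)

    {
        echo "source: $src sha256=$src_hash"
        echo "image: $dst sha256=$dst_hash"
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >>"$log"

    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST LOG
#   Later check (before analysis, or after transport) that the image still
#   hashes to the value recorded at acquisition time. Returns 1 on mismatch
#   or when LOG has no entry for DST.
verify_image() {
    dst="$1"; log="$2"
    logged=$(grep -F "image: $dst sha256=" "$log" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$logged" ] || return 1
    [ "$(sha256sum "$dst" | cut -d' ' -f1)" = "$logged" ]
}
```

Run the acquisition from the boot media with the original disk mounted read-only or not mounted at all; all later work (strings, carving, memory-image correlation) then happens on the copy.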
