Re: NKADM rootkit - Something new?
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 05/31/04
- Next in thread: Harlan Carvey: "Re: NKADM rootkit - Something new?"
- Maybe reply: Harlan Carvey: "Re: NKADM rootkit - Something new?"
- Reply: Dave Paris: "RE: NKADM rootkit - Something new?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 May 2004 23:08:49 +0200
To: incidents@securityfocus.com
On 2004-05-28 Don Wolf wrote:
> Anyone with enough forensic, IR or even data recovery experience knows
> maintaining state is critical. If you change the state (e.g. reboot)
> then you've effectively lost any chance of recovering meaningful
> information. This is more so in the context of tracking hacks than
> recovering client data.
Microsoft has documented a way to create a memory dump on demand [1].
Could this be considered sufficient to preserve the system's state?
> An option - Virtual sessions of Linux (Knoppix, Insert, etc) may be
> possible on a Windows platform.
Since a compromised box may have some sort of rootkit installed on it,
how reliable would you consider the output of a forensic tool running on
the compromised system? Wouldn't a rootkit (at least theoretically) be
able to manipulate the data which is requested by such a tool or script?
I'm less than a novice to forensics, so excuse me if these questions
sound stupid.
[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;244139
Regards
Ansgar Wiechers
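The on-demand memory dump the message refers to [1] is the keyboard-initiated crash dump (CrashOnCtrlScroll). The following PowerShell is an added example, not part of the original post or of the Microsoft article; it assumes that KB 244139 describes the CrashOnCtrlScroll mechanism and that the registry paths and CrashControl values below are the ones that mechanism uses. It enables the keyboard trigger and reports what kind of dump the box is configured to write, since a kernel-only or small dump will not preserve the user-mode state an investigator wants.

```powershell
# Added example (not from the original post or KB 244139). Assumed: the
# keyboard-initiated crash dump is controlled by CrashOnCtrlScroll under the
# keyboard driver's Parameters key, and dump type by CrashControl.
$kbdParams = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2 keyboards
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards (later Windows versions)
)
foreach ($path in $kbdParams) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name CrashOnCtrlScroll -Type DWord -Value 1
}

# Check what the dump will contain. CrashDumpEnabled: 1 = complete memory dump,
# 2 = kernel memory only, 3 = small (mini) dump. Only 1 captures all of RAM.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
[pscustomobject]@{
    CrashDumpEnabled = $cc.CrashDumpEnabled
    DumpFile         = $cc.DumpFile
    Overwrite        = $cc.Overwrite
}
if ($cc.CrashDumpEnabled -ne 1) {
    Write-Warning 'Not configured for a complete memory dump; user-mode memory will be missing.'
}
# The keyboard setting takes effect only after a reboot; the trigger is then
# hold right Ctrl and press Scroll Lock twice. Reboot the box BEFORE the
# incident, as part of baseline hardening, not after it.
```

Note that the dump file must fit on the boot volume (a complete dump is roughly the size of physical RAM plus a small header), and that the dump is written by the running kernel, which is the same point the message raises about tools running on a compromised host.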