Re: Incident investigation methodologies
From: Jon Coller (jon_at_coller.org)
Date: 06/04/04
- Previous message: Paul Schmehl: "Re: Incident investigation methodologies"
- In reply to: Paul Schmehl: "Re: Incident investigation methodologies"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Incident investigation methodologies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 04 Jun 2004 14:35:07 -0600
To: Paul Schmehl <pauls@utdallas.edu>
Paul Schmehl wrote:
<snip>
> For example, a statically compiled copy of ls on a CD is going to show
> you what's on the hard drive of a unix machine no matter what the
> rootkit may have done.
<snip>
This is most definitely not true!
How do you think ls gets the contents of a directory? (Here's a hint:
the kernel, via the getdents system call.)
Take a read of this for a decent example of how trivial it is to make
userland tools lie:
http://packetstormsecurity.com/groups/thc/LKM_HACKING.html
-Jon
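As an added illustration of Jon's point from the defender's side (this is not code from the message or the thread), the Linux C program below lists a directory through the raw getdents64 syscall, the same kernel interface a statically linked ls ends up calling, and then cross-checks the number of subdirectories it saw against the directory's link count, a consistency check of the kind rootkit checkers run. Function names and the sample tree it is tested on are my own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
struct linux_dirent64 { /* record layout returned by getdents64; glibc does not export it */
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};
/* True if the entry is a subdirectory other than "." or "..". */
static int is_subdir(int dirfd, const struct linux_dirent64 *d) {
    struct stat s;
    if (!strcmp(d->d_name, ".") || !strcmp(d->d_name, "..")) return 0;
    if (d->d_type != DT_UNKNOWN) return d->d_type == DT_DIR;
    return !fstatat(dirfd, d->d_name, &s, AT_SYMLINK_NOFOLLOW) && S_ISDIR(s.st_mode);
}
/* Count subdirectories through the raw getdents64 syscall, the kernel
 * interface even a statically linked ls has to trust. Returns -1 on error. */
long count_subdirs_getdents(const char *path) {
    char buf[8192]; long subdirs = 0, n;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long pos = 0; pos < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            subdirs += is_subdir(fd, d);
            pos += d->d_reclen;
        }
    close(fd);
    return n < 0 ? -1 : subdirs;
}
/* On ext4/xfs-style filesystems a directory's st_nlink is 2 + subdirs: > 0 means entries
 * the link count implies but the listing lacks, < 0 means the fs (e.g. btrfs) breaks the rule. */
long hidden_subdir_estimate(unsigned long nlink, long counted) {
    return (long)nlink - 2 - counted;
}
/* Compare both views of one directory: 1 = mismatch, 0 = consistent, -1 = error. */
int check_dir(const char *path) {
    struct stat st;
    long counted = count_subdirs_getdents(path);
    if (counted < 0 || lstat(path, &st) < 0) return -1;
    long gap = hidden_subdir_estimate(st.st_nlink, counted);
    printf("%s: listing shows %ld subdirs, link count implies %ld (%s)\n", path,
           counted, (long)st.st_nlink - 2, gap > 0 ? "MISMATCH" : "consistent");
    return gap > 0;
}
```

A kernel module that hides entries and also adjusts the link count it reports will pass this check, so a clean result is one data point, not proof; the dependable comparison is against the disk image read on a trusted system.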