RE: tools to run on compromised linux box



> > Nikhil's suggestion of booting to another OS to do the investigation
> > is an important choice; otherwise you run the risk of further infection
> > or destroying potential evidence by writing over files that could be
> > recovered.
>
> You'll run that risk one way or the other. If you do forensics on the
> live system, the malware may become aware of what you're doing and try
> to wipe its trails. If you cut the power you may lose volatile data
> (from the RAM). However, if you have Firewire enabled on the machine in
> question, you can dump the contents of the RAM before cutting the power.

You're right, Ansgar. I should have clarified the 'steps' in order, i.e. take
memory from the live machine first if you choose to, or take an image after
killing the power and then run from another OS to do the investigation.
The either/or scenario you indicate is the decision that has to be made by
the investigator, depending on what is more important. Thanks for pointing
that out.

> > Another suggestion would be to image the compromised box. Then you can
> > take your time. Adepto on the Helix cd is great for this kind of op.
>
> That should always be the first step after powering the machine off.

Right again.





-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Thursday, August 07, 2008 11:12 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: tools to run on compromised linux box

On 2008-08-07 Murda Mcloud wrote:
> Nikhil's suggestion of booting to another OS to do the investigation
> is an important choice; otherwise you run the risk of further infection
> or destroying potential evidence by writing over files that could be
> recovered.

You'll run that risk one way or the other. If you do forensics on the
live system, the malware may become aware of what you're doing and try
to wipe its trails. If you cut the power you may lose volatile data
(from the RAM). However, if you have Firewire enabled on the machine in
question, you can dump the contents of the RAM before cutting the power.

BTW, never do a "normal" shutdown on an infected machine, as that may
erase evidence, either by the system overwriting/deleting something, or
by the malware doing some "cleanup".

> Another suggestion would be to image the compromised box. Then you can
> take your time. Adepto on the Helix cd is great for this kind of op.

That should always be the first step after powering the machine off.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
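The imaging step both posters agree on (power off, then image the drive from another OS before touching anything) can be done with plain dd when a tool like Adepto is not at hand. The script below is an added example and is not code from the thread or from the Helix project; it copies a source device sector by sector, hashes source and image, records the hashes next to the image and makes the image read-only. The device names are placeholders, and the "evidence" it runs against is a constructed scratch file so the script can be tried without root or real hardware.

```shell
#!/bin/sh
# Added example (not from the thread): bit-for-bit imaging of a seized
# drive with dd, hashing source and image so the copy can later be shown
# to match the original. Paths are placeholders; on a real case the
# source would be the drive attached to the analysis machine, unmounted.

set -e

# image_and_verify SRC DST
#   Copies SRC to DST, hashes both, writes the hashes and a timestamp to
#   DST.sha256 and makes the image read-only. Prints "ok" and returns 0
#   when the hashes match, prints "MISMATCH" and returns 1 otherwise.
image_and_verify() {
    src="$1"
    dst="$2"
    # bs=512 matches the sector size, so conv=noerror,sync (keep going
    # past unreadable sectors and zero-fill them) cannot pad the end of
    # the image beyond the source size and silently change its hash.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)
    {
        echo "source  $src  $src_hash"
        echo "image   $dst  $dst_hash"
        echo "taken   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$dst.sha256"
    # Read-only so later analysis cannot accidentally write to the image.
    chmod 0444 "$dst"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo ok
    else
        echo MISMATCH
        return 1
    fi
}

# Constructed stand-in for a drive: 64 sectors of random bytes in a
# scratch directory, so the script runs without root or real hardware.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.img" bs=512 count=64 2>/dev/null
image_and_verify "$demo_dir/evidence.img" "$demo_dir/evidence.dd"
cat "$demo_dir/evidence.dd.sha256"
```

Hash the source before and after the copy on a real drive as well; a drive that hashes differently on the second pass is failing and the image should be treated accordingly. Work on the image, never on the original, and if the image has to be mounted at all, mount it read-only.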


