Home page logo
/

basics logo Security Basics mailing list archives

Re: tools used to examine a computer
From: Chuck Swiger <cswiger () mac com>
Date: Fri, 14 Feb 2003 13:02:17 -0500

Hopkins, Joshua wrote:
[ ... ]
I found that a login script was placed into the admin account for
that machine and the script erased the evidence.  I was able to copy
some files over the network before I took the computer into custody.
What tools are out there that can really be helpful in
monitoring/forensics.

Considering how cheap basic RAID-1 mirroring for IDE drives is, you might think about setting up all of your machines with two disks in a mirror. When you want to examine a machine without risking the problem you encountered, break the RAID-1 mirror before starting up the OS.

If you're really worried, or if you'd really like to make sure evidence stays intact, you can even take one disk out and add a write-protect jumper before investigating the system.

-Chuck


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault