Home page logo
/

basics logo Security Basics mailing list archives

RE: tools used to examine a computer
From: "Mitchell, Edmund" <EMitchell () fnis com>
Date: Fri, 14 Feb 2003 09:59:28 -0800

-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]
What tools are out there that can really be helpful in
monitoring/forensics.
Joshua R. Hopkins

Micheal Warfield from Internet Security Systems gave a nice presentation on
this a couple of weeks ago, including an overview of some of the legal
necessities.
Their site has some good links to common tools:
http://www.iss.net/security_center/advice/default.htm
and I can email you the slides from his presentation if you like.  They
cover the basics.

For example, copying the drive in question - the original must be pristine,
for legal reasons, so you make a copy or copies which you then examine.  The
copy must not be logical, because the match isn't then exact, so no tar or
cpio type backups.  The image must be made first, before anything else, even
mounting the fs, because a journalling fs might log the fact that it was
mounted, altering the contents. 

Also, Intrusion Detections Systems as Evidence:
http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/Sommer_text.pdf

HTH

Edmund


 
 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault