|
Security Incidents
mailing list archives
RE: info
From: dlaumann () suntzu net
Date: Mon, 6 May 2002 16:12:00 -0500
[snip]
- any other recommendations? I'm pretty proficient in linux,
but this is the first time
ive ran into a hacked box. from my past reading, i know the
steps are to try and recover
any data not malformed and reinstall. any other pointers?
you should try to do an offline investigation of the system, by getting an
'image' of the entire drive as soon as possible. then work off of a copy of
that image. this will allow you to work in a controlled environment, and get
the 'dirty' host back up and running. the coroners toolkit, task, encase,
and nti can help in offline analysis. these tool suites allow you to
retrieve and view the device image safely and even view deleted data among
other things...
http://www.fish.com/tct/
http://www.atstake.com/research/tools/task/
dd, encase, and safeback can yield device images.
-dave
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- RE: info, (continued)
- Re: info W.G. Iyer (May 06)
- Re: info Michel Arboi (May 06)
- RE: info dlaumann (May 06)
- RE: info Head of the Councel of Wizards (May 07)
|
Intro
