wouldn't one want to dump RAM to some trusted media in hopes of snagging
memory resident code BEFORE rebooting the box? this seems [to me] like a
fairly important step...

tips for various platforms:

linux: http://www.linux.org/docs/ldp/howto/Linux-Crash-HOWTO/index.html
(could also 'dump' it, i suppose)
winders: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q254649
cisco: http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/tr19aa.htm
slowaris: http://unixguide.net/sun/sunobscure.shtml (look for "savecore")

-adam

On Saturday 04 May 2002 04:49 pm, crazytrain.com wrote:
> James
>
> this is where using a bootable data forensics cd would help you . . . have
> all your tools on the cd (or multiples), pop in the cd, make sure it's set
> to boot from CD-ROM first, and boot it from there. You can then mount all
> the drives RO and work without touching the evidence.
>
> If this were a running RAID system and depending upon circumstances I would
> pop in my statically linked binaries CD, mount the CD, and do a 'safe
> analysis' on the running box from my trusted sources, logging as I go.
> There are many variables though, so it depends on your particular
> situation.
>
> farmerdude
>
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 06:22:49 PDT
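The two posts above describe the same defensive workflow from two angles: run only trusted, statically linked tools from read-only media, acquire volatile data (RAM, or a crash dump) to separate evidence media before the box is rebooted, mount the suspect disks read-only, and log everything as you go. The POSIX shell script below is an added example and is not code from adam, farmerdude or the list; it turns that workflow into three small functions. `TRUSTED_BIN` (the mount point of the tools CD) and the evidence directory are placeholders you would replace with your own mount points; the source to acquire is passed in as a path, so the same routine works for a memory image, a crash dump file produced by the platform tools linked above, or a block device. It assumes `dd`, `date`, `awk` and either `sha256sum` or `shasum` are present in the trusted tool set.

```shell
#!/bin/sh
# Added example, not from the original thread. Minimal "safe analysis"
# collection routine: trusted tools first in PATH, read-only mounting of
# suspect media, verified acquisition of a volatile source, and a log line
# per acquisition so the chain of custody can be reconstructed later.

# Hypothetical mount point of the statically linked tools CD.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"

# Prefer the trusted binaries over anything on the suspect system, but only
# when that directory actually exists (so the script still runs elsewhere).
if [ -d "$TRUSTED_BIN" ]; then
    PATH="$TRUSTED_BIN:$PATH"
    export PATH
fi

# SHA-256 of a file, using whichever hashing tool the trusted set provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Mount a suspect device read-only, with no execution from it, no device
# nodes honoured, and no access-time updates, so the evidence is not touched.
# Requires root; usage: mount_ro /dev/sdX /mnt/evidence_disk
mount_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev,noatime "$dev" "$mnt"
}

# Copy a volatile source (memory image, crash dump, block device) into the
# evidence directory with dd, hash source and copy, append a log line, and
# print the copy's hash on stdout. Returns non-zero on a hash mismatch or a
# failed copy, so a caller can stop before trusting the image.
acquire() {
    src="$1"; evidence_dir="$2"; label="$3"
    out="$evidence_dir/$label.img"
    log="$evidence_dir/acquisition.log"
    mkdir -p "$evidence_dir"
    dd if="$src" of="$out" bs=4096 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    out_hash=$(sha256_of "$out")
    printf '%s label=%s sha256=%s src=%s out=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$out_hash" "$src" "$out" >> "$log"
    if [ "$src_hash" != "$out_hash" ]; then
        echo "hash mismatch for $label: $src_hash != $out_hash" >&2
        return 1
    fi
    echo "$out_hash"
}
```

Run `acquire` against each volatile source before any reboot, writing to a freshly attached external medium rather than the suspect disk, and only then bring up the disks with `mount_ro`. The log line carries the hash of the copy, so the image can be re-verified on the analysis workstation later.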