RE: Imaging a "live" system

From: Jonathan Bloomquist (bocasolutionsat_private)
Date: Tue Jun 18 2002 - 12:25:33 PDT


    --- Mark Menz <markmenzat_private> wrote:
    --snip--
    > > One of the best things about a live system is the
    > > volatile info
    > 
    > Agreed.  However, I think we need to address the
    > issue
    > of methodologies...like develop one.  From my
    > perspective at this point, very few admins are
    > collecting this information.  Now, I understand that
    > not every situation requires it, but some do...and I
    > think admins aren't doing it for a couple of
    > reasons.
    > 
    > First, there isn't even a framework, let alone a
    > methodology, available.
    
    OK
    
    > Second, no one really wants to do all the repetitive
    > documenting of their actions...they'd rather just
    > get
    > on with it.
    
    BAD idea.  I am no forensics expert, but I would say
    documenting the actions of the examiner should be key
    so it can be shown that the examiner did not alter the
    system.
    
    > Third...and I think this was brought out at
    > CanSecWest
    > to a degree...most don't know how to interpret the
    > data they do get.  The issues seem to be as much a
    > lack of time as they are a lack of skill.
    
    Well, now that really is a problem.
    
    > What if there were some way to collect this
    > information in a "clean" manner that also performed
    > the necessary documentation?  What if the collection
    > of volatile (and some non-volatile) information
    > could
    > be automated and thoroughly documented?
    
    How about keeping a ledger of all commands used and
    using a few tools from read-only media to gather state
    info and pipe the output to floppy.  e.g. (for
    starters):
    
    REM current connections
    d:\netstat -an >> a:\gather.txt
    
    REM applications bound to ports
    d:\fport >> a:\gather.txt
    
    REM env variables (set is a cmd.exe built-in, so it runs inside whichever shell you launched)
    set >> a:\gather.txt
    
    REM processes
    d:\pslist >> a:\gather.txt
    
    
    =====
    Jonathan Bloomquist, CISSP
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
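Added example, not code from the original post or its author: a cmd.exe batch file that does what the reply sketches (trusted tools run from read-only media, output appended to the floppy) and also writes the command ledger automatically, so the examiner does not have to document each step by hand. It assumes the trusted tools, including a known-good copy of cmd.exe, sit on D:\ and the floppy is A:\; the file names and the :run helper are mine.

```batch
@echo off
REM Live-response collector (added example). Assumptions: trusted tools on D:\,
REM output on A:\. Everything is appended, nothing on the suspect disk is written.
setlocal
set TOOLS=D:\
set OUT=A:\gather.txt
set LEDGER=A:\ledger.txt

REM Record who ran the collection, where and when, before touching anything else.
echo === Live collection started %DATE% %TIME% on %COMPUTERNAME% by %USERNAME% >> %LEDGER%

REM Each call logs the exact command line and a timestamp to the ledger,
REM writes a header into the output file, runs the tool, then logs its exit code.
call :run "%TOOLS%netstat.exe -an" "current connections"
call :run "%TOOLS%fport.exe" "applications bound to ports"
REM set is a shell built-in, so run it through the trusted cmd.exe on D:\,
REM not the one found on the suspect system's PATH.
call :run "%TOOLS%cmd.exe /c set" "environment variables"
call :run "%TOOLS%pslist.exe" "processes"

echo === Live collection finished %DATE% %TIME% >> %LEDGER%
endlocal
goto :eof

:run
REM %~1 = command line to execute, %~2 = short description for the ledger
echo %DATE% %TIME% RUN: %~1 (%~2) >> %LEDGER%
echo. >> %OUT%
echo ===== %~1 (%~2) %DATE% %TIME% ===== >> %OUT%
%~1 >> %OUT% 2>&1
echo %DATE% %TIME% EXIT %ERRORLEVEL%: %~1 >> %LEDGER%
goto :eof
```

The ledger on A:\ then records every command, its start time and its exit code, which is the documentation the reply says examiners skip; the tools themselves still run under the suspect host's kernel, so the ledger shows what was run, not that the output is trustworthy.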
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:04:20 PDT