Matt,

> Say you scan a production machine that costs $ for every minute of
> downtime, it has an extra port open or shows signs of a certain signature
> (odd external connections, IRC attempts, etc.) If you had aware staff,
> before mucking around significantly (like a typical admin), you could run
> fport/handle/netstat/lsof and then image the drive.

I still don't see the need for or use of "live" imaging. Understand...I'm not trying to be difficult here, just trying to wrap my neurons around this one.

Say I have a production server that costs $$K per minute of downtime, and there is reportedly "strange" activity coming from the box. I'm going to run the tools you mentioned (add listdlls.exe and pslist.exe for NT/2K boxen) and perhaps make a decision based on that info. If it's a bot loaded on the system, I'd likely take it off, and then try to find out where it came from and how it got on the box in the first place (assuming I've got my auditing configured appropriately). Many managers may not be interested in prosecuting...they'd want the box back.

If I did find enough information to indicate that taking the system down is justified, then that's a different matter. At that point, we're talking high dollar, and probably contacting a consulting firm that is trusted to do forensics analysis. LEOs may not be called, even at this point. In many of the cases I've personally seen, the FBI was contacted by the admin, who never told his manager that he'd called them...

But still...I don't see what the point of having a "live" image is. Sure, you've got a "snapshot" of the drive...if you can call it that. But what good is that? Seems to me that it's a waste of a drive, and of time...however long it took you to actually make the image.

> * Hackers rarely stay put,

This one is another topic/thread altogether, I think.
I've talked to a great many people who have hundreds or thousands of NT/2K systems they're responsible for (Quantico NOC, etc), and outside of web page defacings and possibly exploited FTP systems, it doesn't seem as if anyone is seeing NT/2K "rooted", in the sense that a Linux box is "rooted". There doesn't seem to be anyone reporting "hackers" camping out on NT/2K systems, launching attacks on neighboring systems, trojaning binaries, installing rootkits, etc.

> As far as collecting unused drives, that's why I'm on this list... to
> find easier and faster ways to do IR and move faster than the hacker.

I think there are ways of doing this, possibly even in such a way that a box could then be turned over to the LEOs for analysis, and a conviction obtained. That's what I'm trying to discuss both here, and in the Yahoo group that was started, to discuss "evidence dynamics".

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
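The "run netstat/lsof/ps first, then decide" step the thread keeps coming back to is the part of live response that is easiest to do badly: the output gets pasted into a ticket with no record of when it was taken, by which binary, or whether it was altered afterwards, which is exactly what makes it useless if the box is later handed to LEOs. The script below is an added example, not code from the original post or from any of the tools named in it. It collects the volatile state of a Unix host in rough order of volatility, hashes each artefact as it is written, and records everything in a manifest that can be re-verified later. It assumes the output directory is somewhere other than the suspect disk (removable media or a remote mount), that sha256sum or shasum is present, and, as a labelled shortcut, that the host's own netstat/lsof/ps binaries are used; on a real engagement you would bring statically linked copies on your own media. Function and file names (ir_collect, manifest.txt, etc.) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Live-response collection of
# volatile data with per-artefact hashing and a sealed manifest.
#
# Assumptions (not stated in the thread):
#   - $1 to ir_collect is a directory on media other than the suspect disk
#   - sha256sum (GNU) or shasum (BSD/macOS) is available
#   - host binaries are used; bring trusted static binaries in real cases

# ir_hash FILE: print the SHA-256 of FILE, whichever tool the host has.
ir_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ir_capture DIR NAME CMD...: run CMD, keep stdout+stderr in DIR/NAME.txt,
# and append "utc-timestamp name sha256 exit-status" to DIR/manifest.txt.
# A tool missing from the host is recorded, not silently skipped, so the
# gap is visible to whoever reviews the collection later.
ir_capture() {
    dir=$1; name=$2; shift 2
    out="$dir/$name.txt"
    status=0
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || status=$?
    else
        printf 'tool not available on host: %s\n' "$1" >"$out"
        status=127
    fi
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" \
        "$(ir_hash "$out")" "$status" >>"$dir/manifest.txt"
}

# ir_collect DIR: the sequence from the thread (connections, open files,
# processes) preceded by the context a reviewer will ask for (when, which
# host, who was logged in). Most volatile first. Prints the seal file path.
ir_collect() {
    dir=$1
    mkdir -p "$dir"
    : >"$dir/manifest.txt"
    ir_capture "$dir" 00_date     date -u
    ir_capture "$dir" 01_uname    uname -a
    ir_capture "$dir" 02_who      who
    ir_capture "$dir" 10_netstat  netstat -an
    ir_capture "$dir" 11_lsof_net lsof -nP -i
    ir_capture "$dir" 20_ps       ps -ef
    ir_capture "$dir" 21_lsof_all lsof -nP
    ir_capture "$dir" 30_mounts   mount
    # Seal: one hash over the manifest covers every per-file hash above.
    # Write this value down (or sign it) off-box before touching anything else.
    ir_hash "$dir/manifest.txt" >"$dir/manifest.sha256"
    echo "$dir/manifest.sha256"
}

# ir_verify DIR: recompute every hash in the manifest; print each mismatch
# and return 1 if any artefact changed since collection.
ir_verify() {
    dir=$1; rc=0
    while read -r ts name sum status; do
        now=$(ir_hash "$dir/$name.txt")
        if [ "$now" != "$sum" ]; then
            echo "MODIFIED: $name ($sum -> $now)"
            rc=1
        fi
    done <"$dir/manifest.txt"
    return $rc
}

# Usage: ir_collect /mnt/usb/case-2002-0619 && ir_verify /mnt/usb/case-2002-0619
```

The point of the manifest is the one Carv raises about evidence dynamics: the decision to pull a bot off the box and give it back to the business is fine, but the netstat/lsof/ps output taken before that decision is only worth anything later if you can show what was captured, when, and that it has not changed since. The exit status column also matters; a netstat that returned non-zero on a box you suspect is rooted is itself a finding.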
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 08:12:47 PDT