RE: Imaging a "live" system

From: Jason Robertson (jasonat_private)
Date: Fri Jun 21 2002 - 08:00:19 PDT


    This has also been available for years through the journalling, but the 
    change I have is to have a live RO medium as the so-called substrate for 
    your system.  This can allow you to have a strong subsystem, so that if 
    the machine is compromised, the base system can be brought up quickly, 
    without the loss of the base system.  So in theory you could build a 
    dynamic website (ASP, PHP, CGI, etc.), put it on a read-only medium, 
    and if the system gets compromised and someone places a rootkit on the 
    system, you just pull the RW drive out, start the system back up, 
    and disable the services that were compromised.  And review what 
    changes were made on the RW drive on a separate machine.
    
    jason
    
    
    On 20 Jun 2002 at 7:42, Burnette, Michael wrote:
    
    Subject:        	RE: Imaging a "live" system
    Date sent:      	Thu, 20 Jun 2002 07:42:53 -0400
    From:           	"Burnette, Michael" <MWB@rh-law.com>
    To:             	"Jason Robertson" <jasonat_private>
    Priority:       	normal
    Copies to:      	<forensicsat_private>
    
    > This makes me think of LiveVault.  It is backup software that uses an
    > agent to send byte (or bit) level changes to a remote backup of a
    > system.  It is not an image since unallocated areas are not "backed up"
    > but a history is kept and a machine can be restored to a point in time.
    > If it could be altered for forensic instead of admin use, it gets fairly
    > close to what you are thinking of.  I don't know which OSes it works on;
    > I haven't looked at it in a while.
    > 
    > Michael Burnette
    > Rogers & Hardin LLP
    > Atlanta, GA  
    > 
    > -----Original Message-----
    > From: Jason Robertson [mailto:jasonat_private]
    > Sent: Wednesday June 19, 2002 8:37 PM
    > To: forensicsat_private
    > Subject: Re: Imaging a "live" system
    > 
    > 
    > Would this not be a possible way to maintain a live image of a 
    > system, through something like a journalled file system? Though again, 
    > this could be better if you could design a file system with a few 
    > things.
    > 
    > First, an Overlay Filesystem (there are 2 OFSes that do exist; both are 
    > still lacking, due to implementation problems, which could be solved by 
    > making a virtual file system, like a RAID 5 system). But in the most 
    > basic sense, you would have the primary medium being a read-only 
    > system, e.g. some of the old Seagate HDs had a read-only pin, or CD-R. 
    > Then you would overlay that file system with a RW file system, so that 
    > you could update and change files, and this would not cause problems 
    > with the base system, and if it is done right you could in theory 
    > rebuild the RO version on a regular basis.
    > 
    > Now the next thing to add to this is a transaction log as found in an SQL 
    > database.  Therefore transactions could be rolled back, but this could 
    > be done on a WORM style of medium, therefore all changes are one way, 
    > keeping a record of actions.
    > 
    > If anyone steals my idea, at least give me credit for it, such as 
    > "Thanks for nothing, Jason" j/k
    > 
    > jason
    > 
    > 
    > --
    > Jason Robertson                
    > Now at the National Research Council.
    > 
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
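Jason's scheme from the thread above (a read-only base medium, a RW overlay on top of it, a one-way transaction log, and reviewing the RW layer on a separate machine after a compromise) modelled as a toy in-memory filesystem in Python. This is an added example, not code from the thread or from any real overlay filesystem; the OverlayFS class, its method names and the sample file contents are constructed for illustration.

```python
from dataclasses import dataclass, field
WHITEOUT = None  # upper-layer marker: path deleted relative to the base

@dataclass
class OverlayFS:
    base: dict                                 # read-only substrate, never mutated
    upper: dict = field(default_factory=dict)  # RW layer that shadows the base
    log: list = field(default_factory=list)    # append-only, one-way change record

    def read(self, path):  # merged view: RW layer wins, whiteouts hide base files
        if path in self.upper:
            if self.upper[path] is WHITEOUT:
                raise FileNotFoundError(path)
            return self.upper[path]
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        self.log.append(("write", path, data))  # log first, then apply
        self.upper[path] = data

    def delete(self, path):
        self.read(path)  # must exist in the merged view
        self.log.append(("delete", path, None))
        self.upper[path] = WHITEOUT

    def changes(self):  # what a reviewer learns from the RW drive alone
        out = {}
        for path, data in self.upper.items():
            if data is WHITEOUT:
                out[path] = "deleted"
            else:
                out[path] = "modified" if path in self.base else "added"
        return out

    def rebuild(self, upto=None):
        # Bring the system up from the untouched base and replay the one-way
        # log only through transaction `upto`, rolling back everything later.
        fresh = OverlayFS(base=self.base)
        for op, path, data in self.log[:upto]:
            fresh.write(path, data) if op == "write" else fresh.delete(path)
        return fresh

def demo():  # constructed sample: a site update, then an attacker replacing a base binary
    fs = OverlayFS(base={"/bin/ls": "ls-v1", "/etc/motd": "welcome"})
    fs.write("/var/www/index.php", "<?php echo 'site'; ?>")
    fs.write("/bin/ls", "trojaned-ls")
    fs.delete("/etc/motd")
    return fs
```

Because the base is never written, `changes()` is exactly the review of the pulled RW drive, and `rebuild(upto=1)` is the "pull the RW drive and start the system back up" step with only the legitimate change replayed.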



    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 02:15:07 PDT