I just posted this on the Honeypot mailing list, but I thought it would be relevant here as well. The paper that I wrote highlights using a modified version of the normal Unix script utility to capture Blackhat shell sessions on honeypots and forward the data to a remote host. While the use of this technique for honeypots is obvious, I would like to mention another use which would be relevant for a forensic investigator. This technique can be used (I have used it in an actual investigation) when responding to a live compromise. After all appropriate forensic steps have been completed (i.e. live incident investigation, imaging disks, etc.) and it has been decided that the system will be kept online, you can implement this technique to continue to monitor the activities of the malicious user.

Anyways, here is my original post to the honeypot list:

Due to the continued questions about shell monitoring options and alternatives (besides BASH patches, TTY-Snoop and remote syslog), I thought I would post this info. I have come up with a method of shell session monitoring by using a modified version of the standard Unix "script" utility. Instead of going into any details here on the list, I will simply give you all a link to my paper.

http://mywebpages.comcast.net/rbarnett45/ryan_barnett_gcfa/ryan_barnett_gcfa_practical.html

This is a link to my SANS Forensic Analyst (GCFA) Practical Assignment on my Comcast webpage. The paper is not available on the SANS website yet since I still have to take the final tests to be certified; then they will post this paper. Actually, I am the first person to have my Practical accepted for this brand new certification, and SANS doesn't have the tests ready yet ;)

Anyways, please give my paper a read and let me know your thoughts, or recommendations for change. Hopefully, many people will be able to use this technique and gain some good Blackhat shell info to share.
*************************
Ryan C. Barnett
Senior Security Analyst
SANS - GCIH, GCUX, GSEC
*************************

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
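The post describes the idea (a script(1)-style capture of a pty session, teed to a remote host for later forensic review) without showing code, so here is an added illustration in Python of that same pattern. It is not the author's patched script utility: the record framing, the `Recorder` class and the collector address are all assumptions made for this example.

```python
"""Session recorder in the spirit of a patched script(1): capture a pty
session, append it to a local log, and forward the same records to a
remote collector so the evidence survives even if the host is tampered with."""
import os
import pty
import socket
import time


def frame(data: bytes, session_id: str, now=None) -> bytes:
    """Wrap one chunk of terminal output as a length-prefixed record.

    Header: "<UTC timestamp> <session id> <byte length>\\n", then the raw
    bytes, then a newline. The length prefix lets a reader recover chunks
    that themselves contain newlines or escape sequences."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return f"{ts} {session_id} {len(data)}\n".encode() + data + b"\n"


def parse(buf: bytes):
    """Inverse of frame(): return a list of (timestamp, session_id, data)."""
    records, pos = [], 0
    while pos < len(buf):
        nl = buf.index(b"\n", pos)
        ts, sid, length = buf[pos:nl].decode().split(" ")
        n = int(length)
        records.append((ts, sid, buf[nl + 1:nl + 1 + n]))
        pos = nl + 1 + n + 1          # skip the record's trailing newline
    return records


class Recorder:
    """Tee a pty session to a local log and (optionally) a TCP collector."""

    def __init__(self, session_id, logpath, collector=None):
        self.session_id = session_id
        self.log = open(logpath, "ab")
        # collector is an assumed (host, port) tuple, e.g. ("10.0.0.5", 5140)
        self.sock = socket.create_connection(collector, timeout=5) if collector else None

    def read(self, fd):
        data = os.read(fd, 1024)     # same default chunk size pty.spawn uses
        if data:
            rec = frame(data, self.session_id)
            self.log.write(rec)
            self.log.flush()
            if self.sock:
                try:
                    self.sock.sendall(rec)
                except OSError:      # collector gone: keep the local log going
                    self.sock = None
        return data                  # pty.spawn still echoes it to the terminal

    def run(self, argv):
        return pty.spawn(argv, self.read)


if __name__ == "__main__":
    # Wrap an interactive shell; omit the collector to log locally only.
    Recorder("sess-0001", "/var/log/session-0001.log").run(["/bin/sh"])
```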
This archive was generated by hypermail 2b30 : Sun Jul 28 2002 - 12:19:24 PDT