Rick,

saliskorat_private wrote:
> If there is value in mounting and analysing, is there a particular -t
> parameter for mounting a swap file system? What should I be looking for
> once I get it mounted?

The trick is: don't mount, just grep :-)

You just can't mount a swap partition, so you have to search through the
image file ...

For an excellent example of what to look for in a swap partition, see
Thomas Roessler's winning entry in the honeynet project's forensic
challenge, esp. page 8:

  http://project.honeynet.org/challenge/results/submissions/roessler/evidence.txt

By issuing a command like

  strings < swap-image.dd | grep -A3 'Nov '

he found very interesting syslog entries from the month of November that
were never written to the logfiles on disk, because syslogd had already
been disabled by the attacker. The entries had been "set up" in the
process memory of several daemons prior to calling syslog(3). Later those
memory regions were paged out to the swap partition; that's why the
entries appear in the image of the swap partition.

Best regards,
Knut

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 03:58:41 PDT
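A self-contained stand-in for the `strings | grep 'Nov '` step described in the message above, added here as an example and not part of Knut's post or Thomas Roessler's submission: it scans a raw image for printable runs, keeps only the ones shaped like BSD syslog entries (timestamp, host, tag), optionally restricts them to one month, and reports the byte offset of each hit. The swap image it runs on is constructed inline (random filler with a few NUL-terminated log lines), and the regex, function names and sample entries are all assumptions of this example.

```python
import random
import re
from typing import Iterator, List, Optional, Tuple

# Classic syslog line shape: "Mon dd hh:mm:ss host tag ..." (assumed pattern).
SYSLOG_RE = re.compile(
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} "
    r"\d{2}:\d{2}:\d{2} \S+ \S+"
)


def extract_strings(image: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Minimal stand-in for strings(1): printable-ASCII runs with their offset."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pat.finditer(image):
        yield m.start(), m.group().decode("ascii")


def carve_syslog(image: bytes, month: Optional[str] = None) -> List[Tuple[int, str]]:
    """Return (offset, entry) for every syslog-looking string in a raw image.
    The entry is cut at the timestamp so stray printable bytes that happen to
    sit before it in the same run are dropped; `month` acts like grep 'Nov '."""
    hits = []
    for off, run in extract_strings(image):
        m = SYSLOG_RE.search(run)
        if not m:
            continue
        entry = run[m.start():]
        if month is None or entry.startswith(month + " "):
            hits.append((off + m.start(), entry))
    return hits


def build_sample_image() -> bytes:
    """Constructed swap-image stand-in: random filler around paged-out log lines.
    Each entry is NUL-terminated, as the C strings in daemon memory would be."""
    rnd = random.Random(1)
    filler = lambda n: bytes(rnd.randrange(256) for _ in range(n))
    entries = [
        b"Nov  7 23:11:06 host1 syslogd: exiting on signal 15",
        b"Nov  7 23:11:02 host1 su: pam_unix: session opened for user root",
        b"Oct 31 08:15:44 host1 cron[221]: (root) CMD (run-parts /etc/cron.hourly)",
    ]
    return (filler(512) + entries[0] + b"\x00" + filler(300) + entries[1]
            + b"\x00" + filler(64) + entries[2] + b"\x00" + filler(128))
```

`carve_syslog(build_sample_image(), "Nov")` returns the two November entries with their byte offsets; handing `carve_syslog` the bytes of a real `swap-image.dd` is the equivalent of the pipeline in the message.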