Re: Identifying Win2K/XP Encrypted Files

From: ^Shadown^ (shadownat_private)
Date: Sun Feb 02 2003 - 08:43:32 PST


    Clifford,
    
    	Hi, "pull the plug" is because many rootkits look for the shutdown process to clean evidence; that's why pulling the plug is the best choice.
    	But before that you *must* dump the whole memory to another partition, because otherwise you will lose valuable information (i.e. passwords resident in memory, decrypted processes running, command history, etc.) that you may not otherwise be able to get.
    	Then make an *identical* image (a binary one), that not just copies the files, but the whole filesystem, including deleted ones, corrupted ones, etc.
    	Then mount it as read-only and start the forensics labor with all this information and all the logs you are able to obtain (FW, IDS, ...).
    	There are many excellent tools for doing so; I may recommend Undelete and TCT if you're working on Linux.
    	
    	Links are:
    	http://www.tu-ilmenau.de/~mojo/undelete.html
    	http://www.fish.com/tct/
    	http://www.cert.org/security-improvement/implementations/i046.02.html <--- this one may help you too.
    	
    	A good policy is to install a hidden process which dumps all activity on the server and network to hidden files, just as a rootkit works, and put the server back, hoping the intruder gets back into it, to get more useful information.
    	Obviously you must quote (physically) network access.
    	I hope this helps.
    	Kind regards.
    			^Shadown^
    	
    On Fri, Jan 31, 2003 at 11:09:18AM -0500 or thereabouts, Clifford Thurber wrote:
    > Why would you pull the plug? Wouldn't using "shutdown" be sufficient to write out in-memory data blocks back to disk? I would think you could image it before you shut down the machine and then of course image after you ran shutdown for a more complete picture. Maybe "pull the plug" is not to be taken literally, but I think you have to be careful with your diction on a list that pertains to legal issues, evidence etc.
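The acquisition steps described in the reply above (bit-for-bit image of the whole filesystem, written to a separate volume, then mounted read-only), as an added example that is not part of the original post. It assumes a Linux host with GNU coreutils; the device path and the mount point are placeholders, and the `disk.raw` file used when testing stands in for the evidence device.

```sh
#!/bin/sh
# Added example: forensic acquisition of a block device with dd, a recorded
# SHA-256 for the chain of custody, and a read-only loop mount of the image.

# acquire_image SRC IMG
#   SRC: evidence device (e.g. /dev/sdb); a plain file works for a dry run
#   IMG: destination path, which must live on a different volume than SRC
acquire_image() {
    src="$1"
    img="$2"
    # conv=noerror keeps reading past bad sectors; sync pads each short read
    # with zeros so offsets in the image still line up with the device.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    # Record the image hash beside it and make both files read-only.
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    chmod 0444 "$img" "$img.sha256"
}

# verify_image SRC IMG
#   Re-hash the original and compare it with the hash recorded at acquisition.
#   Returns 0 when the image is bit-for-bit identical to the source.
verify_image() {
    src="$1"
    img="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(cat "$img.sha256")
    [ "$src_hash" = "$img_hash" ]
}

# mount_image_readonly IMG MNT
#   Loop-mount the image read-only with noexec/nosuid/nodev so nothing on the
#   evidence can be executed or treated as a device. Needs root; not exercised
#   by the dry run below.
mount_image_readonly() {
    img="$1"
    mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nosuid,nodev "$img" "$mnt"
}
```

Run `acquire_image /dev/sdX /mnt/evidence/case01.img` from a boot medium once memory has been captured, then `verify_image` before any analysis and again when the case is closed.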
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 09:04:37 PST