On Mon, 2002-05-06 at 15:12, dlaumannat_private wrote:
> [snip]
> > - any other recommendations? I'm pretty proficient in Linux,
> > but this is the first time
> > I've run into a hacked box. From my past reading, I know the
> > steps are to try and recover
> > any data not malformed and reinstall. Any other pointers?
>
> You should try to do an offline investigation of the system, by getting an
> 'image' of the entire drive as soon as possible. Then work off of a copy of
> that image. This will allow you to work in a controlled environment, and get
> the 'dirty' host back up and running. The Coroner's Toolkit, TASK, EnCase,
> and NTI can help in offline analysis. These tool suites allow you to
> retrieve and view the device image safely and even view deleted data, among
> other things...
>
> http://www.fish.com/tct/
> http://www.atstake.com/research/tools/task/
>
> dd, EnCase, and SafeBack can yield device images.
>
> -dave

What I've done in cases like this (when possible) is to take the drive out and rebuild the box on a different drive, and then mount the hacked drive on a different box, and do the analysis there. That way, you can analyse the drive with known-not-hacked tools, at your leisure.

Rich Hart
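The procedure both posters describe (image the drive with dd, hash the image, work only on a read-only mount from a clean host, then look for what changed) as an added shell example. This is not code from the thread or from any of the tools it names; the function names, block size and mount options are my own choices, and the test data is a constructed 4 KiB "disk" file rather than a real device. Imaging and loop-mounting a real drive need root, so the mount step is shown but not exercised.

```shell
#!/bin/sh
# Added example, not from the original thread. Image a suspect drive, verify
# the copy, mount it read-only on the analysis box, and list recent changes.
# SOURCE / IMAGE / MOUNTPOINT arguments are assumptions for your own case.

# image_device SOURCE IMAGE
#   Bit-for-bit copy with dd. conv=noerror,sync keeps going past unreadable
#   sectors and zero-fills them so later offsets in the image still line up.
#   Block size is one 512-byte sector: with conv=sync a larger bs would pad
#   the final partial block, and the image hash would no longer match the
#   source. Prints the SHA-256 of the finished image; record it in your notes.
image_device() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync
    sha256sum "$img" | awk '{print $1}'
}

# verify_image SOURCE IMAGE
#   Succeeds only when source and image hash identically. Do this once,
#   before the source drive is handed back or wiped for the rebuild.
verify_image() {
    a=$(sha256sum "$1" | awk '{print $1}')
    b=$(sha256sum "$2" | awk '{print $1}')
    [ "$a" = "$b" ]
}

# mount_image IMAGE MOUNTPOINT
#   Loop-mount the copy read-only. noexec, nosuid and nodev keep any binaries,
#   setuid files or device nodes the intruder left from doing anything on the
#   analysis host. Needs root. For a whole-disk image add offset=<bytes> to
#   reach the partition you want (assumption: a single-filesystem image here).
mount_image() {
    mkdir -p "$2"
    mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}

# recent_files TREE DAYS
#   First pass over the mounted tree: regular files modified within DAYS days,
#   sorted by path. -xdev stays on the mounted filesystem. Remember that mtime
#   is trivially forged, so treat this as a starting point, not proof.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -print | sort
}

# Usage on the analysis box (run as root):
#   image_device /dev/sdb /cases/hacked.img
#   verify_image /dev/sdb /cases/hacked.img && mount_image /cases/hacked.img /mnt/evidence
#   recent_files /mnt/evidence 14
```

Work from the image, never the original: if a tool misbehaves or you need to retry, you still have the verified copy and the recorded hash to show nothing was altered.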
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 08:56:25 PDT