RE: info

From: Head of the Councel of Wizards (rich.hartat_private)
Date: Tue May 07 2002 - 07:05:13 PDT


    On Mon, 2002-05-06 at 15:12, dlaumannat_private wrote:
    > [snip]
    > > - any other recommendations? I'm pretty proficient in linux, but this
    > > is the first time I've run into a hacked box. from my past reading, i
    > > know the steps are to try and recover any data not malformed and
    > > reinstall. any other pointers?
    > 
    > you should try to do an offline investigation of the system, by getting an
    > 'image' of the entire drive as soon as possible. then work off of a copy of
    > that image. this will allow you to work in a controlled environment, and get
    > the 'dirty' host back up and running. the coroners toolkit, task, encase,
    > and nti can help in offline analysis. these tool suites allow you to
    > retrieve and view the device image safely and even view deleted data among
    > other things...
    > 
    > http://www.fish.com/tct/
    > http://www.atstake.com/research/tools/task/
    > 
    > dd, encase, and safeback can yield device images.
    > 
    > -dave
    > 
    
    
    What I've done in cases like this (when possible) is to take the drive
    out and rebuild the box on a different drive, and then mount the hacked
    drive on a different box, and do the analysis there. That way, you can
    analyse the drive with known-not-hacked tools, at your leisure.
    	Rich Hart
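
The image-then-work-on-a-copy procedure discussed in this thread, as an added example that is not part of either poster's message: it images the source once with dd, records a SHA-256 of the master image, and checks that the working copy still matches. The function names, the case-directory layout and the mount point are hypothetical, and it assumes a Linux analysis box with `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the thread). Names and case-dir layout are hypothetical.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image SRC CASEDIR
# SRC is the suspect device, or a regular file when testing. Prints the image hash.
acquire_image() {
    src=$1; casedir=$2
    master=$casedir/master.img; work=$casedir/working.img
    mkdir -p "$casedir" || return 1
    if [ -e "$master" ]; then
        echo "refusing to overwrite $master" >&2
        return 1
    fi
    # bs=512 with noerror,sync: an unreadable sector becomes one zero-filled
    # block, so later offsets in the image stay aligned with the disk.
    dd if="$src" of="$master" bs=512 conv=noerror,sync 2>"$casedir/dd.log" ||
        echo "dd reported errors, see $casedir/dd.log" >&2
    [ -s "$master" ] || return 1          # nothing was read at all
    sum=$(hash_of "$master")
    printf '%s  master.img\n' "$sum" > "$casedir/master.sha256"
    cp "$master" "$work" || return 1
    chmod 0444 "$master"                  # the master is never opened for analysis
    [ "$(hash_of "$work")" = "$sum" ] || return 1
    echo "$sum"
}

# verify_case CASEDIR: succeed only if both images still match the recorded hash.
verify_case() {
    recorded=$(cut -d' ' -f1 "$1/master.sha256") || return 1
    [ "$(hash_of "$1/master.img")" = "$recorded" ] &&
    [ "$(hash_of "$1/working.img")" = "$recorded" ]
}

# Analysis then happens on the copy only, mounted read-only as root, e.g.:
#   mount -o ro,loop,noexec,nosuid,nodev CASEDIR/working.img /mnt/evidence
# (for a single-partition image; /mnt/evidence is a placeholder mount point)

if [ "$#" -eq 2 ]; then acquire_image "$1" "$2"; fi
```

Run `verify_case` before and after each analysis session; a mismatch means the working copy was altered and should be re-created from the master.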
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 08:56:25 PDT