Re: Forensics CD (was: Re: Strange Folder

From: Neil Dickey (neilat_private)
Date: Wed Oct 09 2002 - 14:00:24 PDT


    Nick FitzGerald <nick@virus-l.demon.co.uk>  wrote in response to me:
    
    >> Thanks!  I think I picked up the idea from someone on this list, as a
    >> matter of fact.  I wish I could remember who.
    >
    >Carv perhaps??
    >
    >He teaches forensics and other post-mortem courses, and features such 
    >a disk that I seem to recall him mentioning here.
    
    No, I don't think so.  It wasn't a specific reference.  Someone just
    mentioned CDs and utilities, and the light went on.  I obviously don't
    claim to have originated the idea.
    
    >Aside from that, it is a fairly obvious idea
    
    Nonetheless, judging from the private e-mail I got there were quite a
    few who appreciated hearing about it.  Not all of us have sprung full-
    blown from the brow of Zeus.  ;-)
    
    >-- if you have to run
    >code in a compromised environment (not necessarily a good idea to do
    >extensively if you are doing forensics work) then obviously you must
    >not trust anything already on the machine.
    
    Yup.  I learned that back when everyone was worried about what viruses
    did to boot sectors.  "Boot from a write-protected floppy" was the
    mantra then.  That's what clicked when I thought about a CD.
    
    >(Of course, at some level
    >the tools on the CD are "trusting" the various APIs, etc to be
    >returning true results and as anyone who has failed to adequately
    >handle a box with a rootkit installed will tell you, that is not a
    >clever idea...).
    
    As I suggested in an earlier post, many -- if not most -- of us on the
    list do forensics on occasion and somewhat rarely.  A CD put together
    ahead of time is at least a place to start, if the boss even lets you
    go that far.
    
    Ultimately, of course, most of us will have to clean and re-install
    anyway.  It's not very satisfying, but it's reality.
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
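The thread's two practical points, run only tools you brought on read-only media and never pick up binaries from the suspect box, can be turned into a small pre-flight check. The script below is an added illustration, not code from the post or from any toolkit it mentions. It assumes a toolkit laid out as a directory with a `bin/` subtree and a `SHA256SUMS` manifest written on a trusted machine when the CD was built; the tool names (`ps`, `lsof`) and the toy toolkit it constructs in a temp directory are made up so the example runs offline. In practice the hash program would also come from the CD; here the host's `sha256sum` (or `shasum`) is used so the example runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-checking a prebuilt
# forensics toolkit before using it on a compromised host.
#
# Assumed layout (hypothetical):
#   $TOOLKIT/bin/...        statically linked tools copied onto the CD
#   $TOOLKIT/SHA256SUMS     "<sha256>  <relative path>" lines, made at build time

# Hash helper. In real use this would be $TOOLKIT/bin/sha256sum from the CD;
# the host's copy is used here only so the example runs on any machine.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Compare every manifest entry against the file on the media. Prints one line
# per tool and returns 1 if anything differs, so a swapped or corrupted copy
# of a tool is caught before it ever runs on the suspect system.
verify_toolkit() {
    dir=$1
    status=0
    while read -r expected path; do
        actual=$(cd "$dir" && hash_file "$path" | cut -d' ' -f1) || actual=missing
        if [ "$actual" = "$expected" ]; then
            echo "ok       $path"
        else
            echo "MISMATCH $path"
            status=1
        fi
    done < "$dir/SHA256SUMS"
    return $status
}

# Run a tool with the environment wiped and PATH pointing only at the toolkit,
# so a trojaned /bin/ps or /usr/bin/lsof on the host is never picked up.
# Note the limit the thread raises: the tool still talks to the host kernel,
# so a kernel-level rootkit can lie to it just the same.
run_from_toolkit() {
    dir=$1
    shift
    env -i PATH="$dir/bin" "$@"
}

# Build a throwaway toolkit (constructed sample data, not a real CD image)
# so the checks above can be exercised offline.
make_sample_toolkit() {
    dir=$(mktemp -d)
    mkdir "$dir/bin"
    printf '#!/bin/sh\necho lsof-from-cd\n' > "$dir/bin/lsof"
    printf '#!/bin/sh\necho ps-from-cd\n' > "$dir/bin/ps"
    chmod 755 "$dir/bin/lsof" "$dir/bin/ps"
    # The manifest is written at build time, on a trusted machine.
    (cd "$dir" && hash_file bin/lsof && hash_file bin/ps) > "$dir/SHA256SUMS"
    echo "$dir"
}

# Stand-alone demonstration: verify, run a tool, tamper with it, verify again.
demo() {
    kit=$(make_sample_toolkit)
    echo "== fresh toolkit =="
    verify_toolkit "$kit"
    echo "== ps from the toolkit, host PATH ignored =="
    run_from_toolkit "$kit" ps
    echo "== after bin/ps has been replaced =="
    printf '#!/bin/sh\necho trojaned\n' > "$kit/bin/ps"
    verify_toolkit "$kit" || echo "toolkit rejected, do not use it"
    rm -rf "$kit"
}
demo
```

The manifest check guards the copy of the toolkit you are holding, not the machine you run it on: it will flag a tool that was altered or mis-burned, but as the thread notes, output from a box with a kernel rootkit still has to be cross-checked against something the rootkit cannot influence.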
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 15:33:50 PDT