Security Basics mailing list archives
Re: tools used to examine a computer
From: Chuck Swiger <cswiger () mac com>
Date: Fri, 14 Feb 2003 13:02:17 -0500
Hopkins, Joshua wrote: [ ... ]
> I found that a login script was placed into the admin account for that machine and the script erased the evidence. I was able to copy some files over the network before I took the computer into custody. What tools are out there that can really be helpful in monitoring/forensics?
Considering how cheap basic RAID-1 mirroring for IDE drives is, you might think about setting up all of your machines with two disks in a mirror. When you want to examine a machine without risking the problem you encountered, break the RAID-1 mirror before starting up the OS.
If you're really worried, or if you'd really like to make sure evidence stays intact, you can even take one disk out and add a write-protect jumper before investigating the system.
-Chuck
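The practical follow-on to Chuck's advice is an acquisition step that never writes to the detached mirror member and that proves, by hash, that the copy matches the original and stays unchanged through the examination. The script below is an added example written for this archive page; it is not code from Chuck or from any tool named in the thread. It uses ordinary files as the "disk" so it runs without root; on a real system SRC would be the block device of the mirror member you pulled (the name /dev/sdb and the `blockdev --setro` call mentioned in the usage note are assumptions, not something the post states).

```shell
#!/bin/sh
# Added example, not from the original thread: image a disk pulled from a
# broken RAID-1 mirror, then verify the copy by hash before and after any
# examination. Plain files stand in for the disk so this runs unprivileged;
# on a real case SRC would be a block device such as /dev/sdb (assumed name).
set -u

hash_of() {
    # Prefer sha256sum (GNU coreutils); fall back to shasum (BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG
# Copies SRC to DST sector by sector. conv=noerror,sync keeps going past
# unreadable sectors and zero-fills them so later offsets stay aligned;
# bs=512 (one sector) means the only padding is on genuine read errors.
# Both sides are hashed and the result is appended to LOG. Returns 0 only
# when the hashes match, i.e. a clean, complete acquisition.
acquire_image() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    printf '%s acquire %s -> %s src=%s dst=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" \
        "$src_hash" "$dst_hash" >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST LOG
# Re-hashes DST and compares it with the hash recorded at acquisition time.
# Run this after every examination session; a mismatch means something
# wrote to the evidence copy and the session's findings are suspect.
verify_image() {
    dst=$1; log=$2
    recorded=$(grep -F -- " -> $dst " "$log" | tail -n 1 | sed 's/.*dst=//')
    [ -n "$recorded" ] || return 1
    [ "$(hash_of "$dst")" = "$recorded" ]
}
```

On a live case the source is the detached mirror member, opened only for reading: the hardware write-protect jumper Chuck mentions is the strongest guard, and on Linux `blockdev --setro /dev/sdb` (util-linux; device name assumed) gives a software equivalent before `acquire_image` runs. Do the actual looking on the copy, or on a read-only mount of it, and rerun `verify_image` at the end of each session so the custody log shows the evidence was never modified.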
Current thread:
- tools used to examine a computer Hopkins, Joshua (Feb 14)
- Re: tools used to examine a computer Chuck Swiger (Feb 14)
- Re: tools used to examine a computer Ivan Hernandez (Feb 18)
- Re: tools used to examine a computer planz (Feb 19)
- <Possible follow-ups>
- RE: tools used to examine a computer Michael Parker (Feb 14)
- RE: tools used to examine a computer Mitchell, Edmund (Feb 14)
- RE: tools used to examine a computer Nickels, Walter P (Nick), SOLCM (Feb 14)
- re: tools used to examine a computer H C (Feb 17)
- RE: tools used to examine a computer Trevor Cushen (Feb 18)
- RE: tools used to examine a computer H C (Feb 19)
- RE: tools used to examine a computer Trevor Cushen (Feb 18)
- RE: tools used to examine a computer Trevor Cushen (Feb 19)
(Thread continues...)