Educause Security Discussion mailing list archives
Re: Identify Finder
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Thu, 28 Feb 2008 11:03:02 -0500
> While it makes a fine discovery tool, I wonder how often one needs to run it - once per day/week/quarter/year and/or just on compromised systems?

While this probably goes without saying, if you're going to use these scanning tools for incident response you should do so in a forensically sound manner.

* Spider for Linux is included on the Helix LiveCD, which will allow you to boot the compromised system with a trusted OS and read-only drive mounting.
* Other *nix tools like SENF and Find_SSN can likely be run from Helix as well.
* Windows tools like IdentityFinder or Spider for Windows should be run from the trusted OS on your forensic workstation, with evidence media mounted through a hardware write-blocker.

Otherwise you're tromping all over file-access times, which might be useful to show that an attacker *didn't* access some bit of interesting data you find.

Thanks,
Mike Lococo
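As an added illustration of the point above (not code from the post, nor from IdentityFinder, Spider or Helix), the wrapper below snapshots every file's access/modify/change times before and after a discovery pass and reports any drift; on a correctly prepared evidence copy (read-only mount or hardware write-blocker) the diff should come back empty. The function names and the SSN-shaped pattern are assumptions standing in for a real tool's rule set.

```python
# Added example, not from the list post or any of the tools it names: verify
# that a PII discovery scan left file timestamps untouched. Function names
# and the sample tree are assumptions constructed for this illustration.
import os
import re
import tempfile

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # stand-in for the tool's rules


def snapshot_tree(root):
    """Map relative path -> (atime_ns, mtime_ns, ctime_ns, size) per file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full, follow_symlinks=False)
            snap[os.path.relpath(full, root)] = (
                st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns, st.st_size)
    return snap


def diff_snapshots(before, after):
    """Files whose metadata changed, appeared or vanished between snapshots."""
    return {p: (before.get(p), after.get(p))
            for p in set(before) | set(after) if before.get(p) != after.get(p)}


def scan_for_ssn(root):
    """Read-only pass returning {relpath: hit_count}; opens with O_NOATIME
    where the OS offers it so the scan itself leaves access times alone."""
    hits, flags = {}, os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                fd = os.open(full, flags)
            except PermissionError:  # O_NOATIME needs ownership or CAP_FOWNER
                fd = os.open(full, os.O_RDONLY)
            with os.fdopen(fd, "rb") as fh:
                count = len(SSN_RE.findall(fh.read()))
            if count:
                hits[os.path.relpath(full, root)] = count
    return hits


def make_sample_tree():
    """Constructed sample evidence tree (not real data) in a temp directory."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"student 123-45-6789 and 987-65-4321\n")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing sensitive here\n")
    return root
```

Run `snapshot_tree` before and after the scan and feed both to `diff_snapshots`; a non-empty result means the scanner or the mount options altered evidence metadata.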