Security Incidents mailing list archives
Re: Forensics CD (was: Re: Strange Folder
From: Neil Dickey <neil () geol niu edu>
Date: Wed, 9 Oct 2002 16:00:24 -0500 (CDT)
Nick FitzGerald <nick () virus-l demon co uk> wrote in response to me:
>> Thanks! I think I picked up the idea from someone on this list, as a matter of fact. I wish I could remember who.

> Carv perhaps?? He teaches forensics and other post-mortem courses, and features such a disk that I seem to recall him mentioning here.
No, I don't think so. It wasn't a specific reference. Someone just mentioned CDs and utilities, and the light went on. I obviously don't claim to have originated the idea.
> Aside from that, it is a fairly obvious idea
Nonetheless, judging from the private e-mail I got there were quite a few who appreciated hearing about it. Not all of us have sprung full-blown from the brow of Zeus. ;-)
> -- if you have to run code in a compromised environment (not necessarily a good idea to do extensively if you are doing forensics work) then obviously you must not trust anything already on the machine.
Yup. I learned that back when everyone was worried about what viruses did to boot sectors. "Boot from a write-protected floppy" was the mantra then. That's what clicked when I thought about a CD.
> (Of course, at some level the tools on the CD are "trusting" the various APIs, etc to be returning true results and as anyone who has failed to adequately handle a box with a rootkit installed will tell you, that is not a clever idea...).
As I suggested in an earlier post, many -- if not most -- of us on the list do forensics on occasion and somewhat rarely. A CD put together ahead of time is at least a place to start, if the boss even lets you go that far. Ultimately, of course, most of us will have to clean and re-install anyway. It's not very satisfying, but it's reality.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
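The "must not trust anything already on the machine" rule discussed above, as an added shell example that is not part of the thread: it checks a pre-built toolkit directory against a hash manifest carried on the same read-only media and runs tools only from that directory, with PATH restricted so nothing planted on the suspect host can shadow them. It assumes GNU coreutils `sha256sum`, and the demo toolkit, manifest name and CD path are constructed for illustration; it does not address Nick's point that the tools still rely on the running kernel and its APIs.

```shell
#!/bin/sh
# Added example (not from the list thread): verify a forensic toolkit
# against a hash manifest shipped on the same read-only media, then run
# tools only from that directory. The demo toolkit and manifest name are
# constructed here so the script runs stand-alone. Assumes GNU sha256sum.

# make_demo_toolkit: create a throwaway toolkit directory with two stand-in
# "tools" and a manifest, standing in for what would be burned to the CD.
make_demo_toolkit() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho cd-ls\n' > "$dir/ls"
  printf '#!/bin/sh\necho cd-netstat\n' > "$dir/netstat"
  chmod 0755 "$dir/ls" "$dir/netstat"
  # The manifest is generated on a clean machine, never on the suspect host.
  ( cd "$dir" && sha256sum ls netstat > MANIFEST.sha256 )
  printf '%s\n' "$dir"
}

# verify_toolkit DIR: succeed (0) only if every tool listed in the manifest
# still matches; any tampered or missing tool fails the whole check.
verify_toolkit() {
  dir=$1
  [ -r "$dir/MANIFEST.sha256" ] || return 1
  ( cd "$dir" && sha256sum -c --quiet MANIFEST.sha256 ) >/dev/null 2>&1
}

# run_trusted DIR TOOL [ARGS...]: invoke TOOL by its full path on the media,
# with PATH restricted to DIR so a same-named binary left on the compromised
# host cannot shadow it or be picked up by child processes.
run_trusted() {
  dir=$1; tool=$2; shift 2
  [ -x "$dir/$tool" ] || return 1
  PATH=$dir "$dir/$tool" "$@"
}

# Typical use: refuse to touch the suspect host unless the kit verifies.
# dir=/mnt/cdrom/tools   # read-only mount of the forensics CD (assumed path)
# verify_toolkit "$dir" && run_trusted "$dir" netstat -an
```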