Security Incidents mailing list archives
Re: Incident investigation methodologies
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 04 Jun 2004 10:42:46 -0500
--On Thursday, June 03, 2004 12:07:41 PM +0200 Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> Don't get me wrong. My question was: is it sufficient to analyze the
> system's state with tools/scripts running on the compromised system
> itself, or is it better to preserve the state in a memory dump and
> analyze it offline? The latter is of course more complicated, whereas
> the former bears the risk of a rootkit manipulating the data. What is
> the best practice? Is the risk of a rootkit manipulating system calls
> low enough to work around it with an assorted collection of tools? What
> are the experiences of the professionals in this field?

Keep in mind that there can be many different goals for analyzing a system. In our case, we almost never intend to involve law enforcement or pursue the "bad guy(s)". All we're trying to do is:

1) Determine what unwanted elements are on the system
2) Determine how they got there
3) Get rid of them
4) Devise protective measures to prevent a repeat

Preservation of evidence, for us, is not a factor. What we do isn't even forensics. It's more along the lines of a thorough investigation.
To answer your question directly, *if* your goals are similar to ours, then a CD-ROM with the necessary tools, running on the live system, is sufficient to determine the location of the "evil" and determine the cause. Since the tools don't rely on the OS for their information gathering, they are unaffected by any alterations made by a rootkit.
For example, a statically compiled copy of ls on a CD is going to show you what's on the hard drive of a unix machine no matter what the rootkit may have done.
If you're asking about genuine forensics examinations, then you first have to hope that the host is in a "pristine" state WRT the problem, which is almost never the case, before memory dumps would even matter.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
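The "CD of trusted tools on the live box" approach above, as an added example that is not part of Paul's post or of any tool he names. It assumes a Linux host with /proc and a directory of trusted, statically linked tools (a mounted CD-ROM in practice) passed in as toolkit_dir; the demo builds a constructed stand-in toolkit in a temporary directory because no real CD is available here. Two pieces: a runner that refuses to execute anything outside the toolkit and scrubs the environment before launching each tool, and a cross-view process check that compares what readdir(/proc) lists against what kill(pid, 0) answers, which catches a rootkit that filters only the directory listing but not one that lies consistently on every kernel path (that is the case where the memory dump Ansgar asks about is the only option).

```python
#!/usr/bin/env python3
"""Live response from a trusted toolkit, plus a cross-view process check.

Added example, not code from the thread. Assumes Linux with /proc and a
directory of trusted static tools (toolkit_dir). demo() fabricates a
stand-in toolkit in a temp dir since no real CD-ROM is available here.
"""
import hashlib
import os
import stat
import subprocess
import tempfile
from datetime import datetime, timezone


def resolve_tool(name, toolkit_dir):
    """Return the path of `name` inside toolkit_dir, or raise.

    Never fall back to the host's PATH: the point of the CD is that the
    compromised system's own binaries are not trusted.
    """
    path = os.path.join(toolkit_dir, os.path.basename(name))
    if not (os.path.isfile(path) and os.access(path, os.X_OK)):
        raise FileNotFoundError(f"{name!r} is not in the trusted toolkit {toolkit_dir}")
    return path


def run_trusted(argv, toolkit_dir, timeout=60):
    """Run argv[0] from the toolkit with a scrubbed environment and hash its output.

    A minimal environment stops an LD_PRELOAD / LD_LIBRARY_PATH planted in the
    investigator's shell from following the tool (moot for a static binary,
    cheap insurance otherwise); PATH points only at the toolkit.
    """
    exe = resolve_tool(argv[0], toolkit_dir)
    env = {"PATH": toolkit_dir, "LC_ALL": "C"}
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run([exe, *argv[1:]], env=env, capture_output=True, timeout=timeout)
    return {
        "argv": [exe, *argv[1:]],
        "started": started,
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
        "sha256": hashlib.sha256(proc.stdout).hexdigest(),
    }


def listed_pids():
    """PIDs the kernel reports via readdir(/proc): the view a rootkit usually edits."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(max_pid):
    """PIDs that answer kill(pid, 0): EPERM also means 'exists', ESRCH means 'does not'."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(pid):
    """True if pid is a non-leader thread: kill() accepts TIDs, readdir(/proc) omits them."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(max_pid=None):
    """Cross-view check: processes that exist but are missing from /proc's listing.

    Listing before and after the probe discounts processes that merely started
    or exited during the scan. A real run uses kernel.pid_max as the bound.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()
    alive = probed_pids(max_pid)
    after = listed_pids()
    return {p for p in alive - before - after if not is_thread(p)}


def demo():
    """Build a constructed stand-in toolkit and exercise both checks."""
    with tempfile.TemporaryDirectory() as toolkit:
        tool = os.path.join(toolkit, "whoami")  # constructed stand-in, not a real static whoami
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho root\n")
        os.chmod(tool, stat.S_IRWXU)
        result = run_trusted(["whoami"], toolkit)
        try:
            resolve_tool("ls", toolkit)  # present on the host, absent from the toolkit
            refused = False
        except FileNotFoundError:
            refused = True
    me = os.getpid()
    hidden = hidden_pids(max_pid=max(listed_pids()) + 512)  # bounded scan for the demo
    return {"stdout": result["stdout"], "sha256": result["sha256"], "refused": refused,
            "self_listed": me in listed_pids(), "self_hidden": me in hidden, "hidden": hidden}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it as root on the suspect host (from the toolkit's own static python or shell, not the host's) prints each collected tool's output with its SHA-256 so the record can be copied off and re-hashed later. Note what the cross-view check does and does not prove: an empty hidden set only means readdir(/proc) and kill() agree, which a kernel rootkit hooking both would also arrange; a non-empty set is a strong signal that the live view is being edited and that the box should be imaged rather than investigated in place.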