Security Incidents mailing list archives
Re: Incident investigation methodologies
From: Jon Coller <jon () coller org>
Date: Fri, 04 Jun 2004 14:35:07 -0600
Paul Schmehl wrote:
<snip>
For example, a statically compiled copy of ls on a CD is going to show you what's on the hard drive of a unix machine no matter what the rootkit may have done.
<snip>

This is most definitely not true! How do you think ls gets the contents of a directory? (Here's a hint: the kernel, via the getdents system call.)
Take a read of this for a decent example of how trivial it is to make userland tools lie:
http://packetstormsecurity.com/groups/thc/LKM_HACKING.html

-Jon
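What the point above looks like in code, as an added example that is neither part of Jon's post nor taken from the THC paper he links. A statically linked ls still has to ask the kernel for directory entries (getdents64 on Linux), so a rootkit that hooks that syscall only needs to run the real call and then splice unwanted records out of the returned buffer. The filter below is that splice, run in user space so it can be exercised without loading a module; the "_rk_" prefix, the helper names and the sample entries are this example's own inventions. The real-directory listing at the bottom is Linux-only (it calls getdents64 through syscall(2)); the filter itself is portable C.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout getdents64(2) writes into the caller's buffer; it mirrors
   struct linux_dirent64 from the kernel's uapi headers. */
struct dirent64_rec {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];   /* NUL-terminated, padded out to d_reclen */
};

/* The rootkit side: drop every record whose name starts with `prefix`,
   compacting the buffer in place, and return the new byte length. A hooked
   getdents64 runs the real syscall and then does exactly this before
   returning, so ls/find/du (static or not) never see the hidden names.
   "_rk_" is a made-up prefix for this example, not any real rootkit's. */
size_t hide_entries(char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    size_t pos = 0;
    while (pos < len) {
        struct dirent64_rec *d = (struct dirent64_rec *)(buf + pos);
        size_t reclen = d->d_reclen;
        if (reclen == 0 || pos + reclen > len)
            break;                  /* malformed record: stop, don't overrun */
        if (strncmp(d->d_name, prefix, plen) == 0) {
            memmove(buf + pos, buf + pos + reclen, len - pos - reclen);
            len -= reclen;          /* re-check the record that slid into this slot */
            continue;
        }
        pos += reclen;
    }
    return len;
}

/* Number of records in a getdents64 buffer. */
int count_entries(const char *buf, size_t len)
{
    int n = 0;
    for (size_t pos = 0; pos < len; n++) {
        const struct dirent64_rec *d = (const struct dirent64_rec *)(buf + pos);
        if (d->d_reclen == 0) break;
        pos += d->d_reclen;
    }
    return n;
}

/* Name of the idx-th record, or NULL if out of range. */
const char *entry_name(const char *buf, size_t len, int idx)
{
    for (size_t pos = 0; pos < len; idx--) {
        const struct dirent64_rec *d = (const struct dirent64_rec *)(buf + pos);
        if (d->d_reclen == 0) return NULL;
        if (idx == 0) return d->d_name;
        pos += d->d_reclen;
    }
    return NULL;
}

/* Append one record to a buffer. Only used to build constructed sample
   input so the filter can run without a kernel; real buffers come from
   the syscall below. Records are 8-byte aligned like the kernel's. */
size_t put_entry(char *buf, size_t pos, uint64_t ino, const char *name)
{
    size_t namelen = strlen(name) + 1;
    size_t reclen = (offsetof(struct dirent64_rec, d_name) + namelen + 7) & ~(size_t)7;
    struct dirent64_rec *d = (struct dirent64_rec *)(buf + pos);
    memset(d, 0, reclen);
    d->d_ino = ino;
    d->d_off = (int64_t)(pos + reclen);
    d->d_reclen = (uint16_t)reclen;
    d->d_type = 8;                  /* DT_REG */
    memcpy(d->d_name, name, namelen);
    return pos + reclen;
}

#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* The ls side: read a real directory through getdents64, the way ls does,
   then pass the kernel's answer through the filter to show what a hooked
   syscall would have handed back. */
int list_dir_hiding(const char *path, const char *prefix)
{
    char buf[8192];
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (got <= 0)
            break;
        size_t kept = hide_entries(buf, (size_t)got, prefix);
        for (int i = 0; i < count_entries(buf, kept); i++)
            puts(entry_name(buf, kept, i));
    }
    close(fd);
    return 0;
}
#endif

int main(void)
{
#ifdef __linux__
    /* Lists the current directory with every dotfile "hidden". */
    return list_dir_hiding(".", ".") == 0 ? 0 : 1;
#else
    return 0;
#endif
}
```

The takeaway for an investigator is that trusting the running kernel is the problem, not the binaries: a clean ls on a CD defeats a trojaned /bin/ls, but not a hooked getdents. Comparing the live listing against the same filesystem imaged and mounted read-only on a trusted host is what exposes the difference.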