Security Incidents mailing list archives
RE: NKADM rootkit - Something new?
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Tue, 1 Jun 2004 10:38:44 -0400
That's a good reference, and it might be useful *IF* you prepared the machine for this ahead of time. Reading the URL you sent, though, it is not a feature that is enabled by default:

"This feature is disabled by default. To enable this feature, you must edit the registry as indicated below and restart the computer. After you restart the computer, you can generate a Memory.dmp file by holding down the right CTRL key and pressing the SCROLL LOCK key twice."

So, for the majority of incident response done by outside agencies (consultants, etc.) you can bet that this will not be enabled. Heck, most victims have the default event logging / auditing parameters.

I'd also be interested in hearing what the best way to parse that Memory.dmp file is. Would it contain network state information?

Mark Lachniet
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Monday, May 31, 2004 5:09 PM
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?

On 2004-05-28 Don Wolf wrote:
> Anyone with enough forensic, IR or even data recovery experience knows
> maintaining state is critical. If you change the state (e.g. reboot)
> then you've effectively lost any chance of recovering meaningful
> information. This is more so in the context of tracking hacks than
> recovering client data.

Microsoft has documented a way to create a memory dump on demand [1]. Could this be considered sufficient to preserve the system's state?

> An option - Virtual sessions of Linux (Knoppix, Insert, etc) may be
> possible on a Windows platform.

Since a compromised box may have some sort of rootkit installed on it, how reliable would you consider the output of a forensic tool running on the compromised system? Wouldn't a rootkit (at least theoretically) be able to manipulate the data which is requested by such a tool or script?

I'm less than a novice to forensics, so excuse me if these questions sound stupid.

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;244139

Regards
Ansgar Wiechers
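A readiness check for the prerequisite Mark points out (the keyboard-triggered dump must be enabled, and a suitable dump type configured, before an incident), added here as an example and not part of the original thread. The registry paths, value names and dump-type codes it reads are taken from KB 244139 and Windows crash-dump documentation, not from this page.

```powershell
# Added example: verify on a Windows host, ahead of any incident, whether the
# crash-on-demand feature from KB 244139 is enabled and what kind of
# Memory.dmp the host would actually produce. Names below are assumptions
# drawn from the KB article and Windows documentation, not from the thread.

$crashOnDemandChecks = @(
    # PS/2 keyboard driver: the value KB 244139 documents
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'; Name = 'CrashOnCtrlScroll' },
    # USB keyboard driver: same value name, honoured on later Windows versions
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters';   Name = 'CrashOnCtrlScroll' }
)

function Get-CrashOnDemandStatus {
    foreach ($c in $crashOnDemandChecks) {
        # Missing value means the feature is at its default (disabled). A change
        # to this value only takes effect after a reboot, as the KB states.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Driver  = $c.Path.Split('\')[-2]
            Enabled = ($value -eq 1)
            Value   = if ($null -eq $value) { '<not set: disabled by default>' } else { $value }
        }
    }
}

function Get-CrashDumpConfig {
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
    # Only a complete dump (1) captures all of physical memory; kernel and small
    # dumps omit user-mode pages, which limits what can be recovered later.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    [pscustomobject]@{
        CrashDumpEnabled = $cc.CrashDumpEnabled
        FullMemoryDump   = ($cc.CrashDumpEnabled -eq 1)
        DumpFile         = $cc.DumpFile
    }
}

Get-CrashOnDemandStatus | Format-Table -AutoSize
Get-CrashDumpConfig
```

Run as an administrator during system hardening, not on a machine already under investigation, since reading the registry changes nothing but the goal is to confirm the setting before it is needed.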