Security Incidents mailing list archives
RE: NKADM rootkit - Something new?
From: "Dave Paris" <dparis () w3works com>
Date: Tue, 1 Jun 2004 10:49:45 -0400
Definitely not a stupid question. Most forensic toolkits are created from statically-compiled executables, created on a known-safe system and then loaded from CD or other removable media. This a) prevents any interaction with potentially tainted libraries and b) gives you a known/provably[1]-safe version of the executable. Also, you'd ideally be working on a block-for-block copy of the original file system - or in a worst case, the actual filesystem, mounted in a read-only manner.

Kind Regards,
-dsp

[1] - with the realm that *anything* can be "proven" safe to one degree or another.
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Monday, May 31, 2004 5:09 PM
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?
[...]
Since a compromised box may have some sort of rootkit installed on it, how reliable would you consider the output of a forensic tool running on the compromised system? Wouldn't a rootkit (at least theoretically) be able to manipulate the data which is requested by such a tool or script? I'm less than a novice to forensics, so excuse me if these questions sound stupid.
[...]
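The two points Dave makes (tools statically linked and built on a clean system, evidence handled as a read-only copy) as an added example; this is not code from the original thread or from any of its posters. The script checks a toolkit directory against a SHA-256 manifest generated on the known-good build system, refuses any binary that would pull shared libraries from the suspect host, and builds the read-only mount command for a dd image. It assumes ELF64 little-endian (x86-64 Linux) binaries, a manifest in `sha256sum` output format, and an ext3/ext4 image; the tool names, the altered `netstat`, and the `/evidence` paths are constructed for the demonstration.

```python
# Added example for this thread (not code from the original post). Assumes
# ELF64 little-endian tools, a sha256sum-format manifest, and a dd image.
import hashlib
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED = 0, 1


def elf_is_static(data: bytes) -> bool:
    """True if the ELF64 image needs no dynamic loader (no PT_INTERP) and names
    no shared library (no DT_NEEDED), so nothing from the target is mapped in."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, ph)[0]
        if p_type == PT_INTERP:
            return False
        if p_type == PT_DYNAMIC:
            # Static-PIE binaries also carry PT_DYNAMIC (self-relocation);
            # only a DT_NEEDED entry means a library comes from the target.
            p_offset, p_filesz = struct.unpack_from("<Q16xQ", data, ph + 8)
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag = struct.unpack_from("<q", data, off)[0]
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_NEEDED:
                    return False
    return True


def verify_toolkit(tool_dir, manifest: str) -> dict:
    """Check each manifest line ('<sha256>  <name>') against tool_dir. Status:
    ok, missing, hash-mismatch, or dynamic (right hash, but loads target libs)."""
    results = {}
    for line in manifest.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        expected, name = line.split(None, 1)
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        path = Path(tool_dir) / name
        if not path.is_file():
            results[name] = "missing"
        elif hashlib.sha256(data := path.read_bytes()).hexdigest() != expected:
            results[name] = "hash-mismatch"
        elif data[:4] == ELF_MAGIC and not elf_is_static(data):
            results[name] = "dynamic"
        else:
            results[name] = "ok"
    return results


def readonly_mount_cmd(image, mountpoint, fstype: str) -> list:
    """mount(8) arguments for attaching a dd image without altering it; noload
    (ext3/ext4) skips journal replay, which writes to the image even under ro."""
    opts = ["ro", "loop", "noexec", "nosuid", "nodev"]
    if fstype in ("ext3", "ext4"):
        opts.append("noload")
    return ["mount", "-t", fstype, "-o", ",".join(opts), str(image), str(mountpoint)]


def build_elf64(phdr_types, dyn_tags=()) -> bytes:
    """Constructed fixture (not runnable): minimal ELF64 image with the given
    program headers; PT_DYNAMIC points at a table of dyn_tags plus DT_NULL."""
    phnum = len(phdr_types)
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in (*dyn_tags, DT_NULL))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, phnum, 64, 0, 0)
    phdrs = b""
    for t in phdr_types:
        off, size = (64 + 56 * phnum, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, 5, off, 0, 0, size, size, 8)
    return header + phdrs + dyn


def demo() -> dict:
    """Constructed toolkit: a good static 'ls', a dynamically linked 'ps', a
    'netstat' altered after the manifest was made, and a missing 'lsof'."""
    static = build_elf64([PT_LOAD])
    dynamic = build_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC], [DT_NEEDED])
    digest = lambda b: hashlib.sha256(b).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("ls", static), ("ps", dynamic), ("netstat", static + b"\x90")):
            (Path(d) / name).write_bytes(blob)
        manifest = (f"{digest(static)}  ls\n{digest(dynamic)}  ps\n"
                    f"{digest(static)}  netstat\n{'0' * 64}  lsof\n")
        return verify_toolkit(d, manifest)
```

Run `demo()` to see the four outcomes, and `readonly_mount_cmd("/evidence/sda1.dd", "/mnt/evidence", "ext4")` for the mount line. The manifest only proves anything if it travels on the same read-only media as the tools and was produced on the clean build host; and a statically linked tool only removes the shared-library vector. It still issues system calls to the suspect kernel, so a kernel-level rootkit can feed it false answers, which is why the same checks are run again against the offline image.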
Current thread:
- Re: NKADM rootkit - Something new? Ansgar -59cobalt- Wiechers (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 01)
- Re: NKADM rootkit - Something new? Gadi Evron (Jun 01)
- RE: NKADM rootkit - Something new? Lachniet, Mark (Jun 01)
- RE: NKADM rootkit - Something new? Levinson, Karl (Jun 01)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Dead Thread: Re: NKADM rootkit - Something new? Daniel Hanson (Jun 02)
- Incident investigation methodologies Harlan Carvey (Jun 02)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)