Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 29 May 2004 13:33:33 +0200
> On a side/tangential note, I've had discussions
> regarding the collection of the contents of physical
> memory. While I've heard that it's been desired or
> recommended, I fail to see the value of using a tool
> such as dd.exe to dump the entire contents of
> RAM...how would you then parse it apart into anything
> usable. My recommendation would be to use tools such
> as pmdump.exe to dump the memory contents of specific
> processes to a USB-connected thumb drive...that way,
> any information found via 'strings' could be easily
> associated w/ a particular process.

What if a certain process released some memory? Or a process is no longer running?
You can do both, but still, how long do you have to work on a PC? How intrusive is it to run ANYTHING?
Me? I'd try and shut everything down and (legally acceptable) mirror the HDD as soon as I possibly can, like I learned to do when I was just getting started.
Then again, it all depends on your incident response goals. Do you want to monitor the possible hack, the process? Do you want to just secure the network/PC real quick? Etc.
> Perhaps...if you could get it to work. I think that
> there're enough Windows tools available to do what
> needs to be done on Windows systems.

That's true enough, in most cases. What I find to be not advisable is to do *anything* on the original machine/HDD. You mirror it, and for mirroring it correctly you'd need to boot from a minimal OS, say, on a floppy or CD.
You'd encounter many of the same problems when you want to wipe.

> I've been working on the same thing, which led me to
> come up with the Forensic Server Project, which is
> detailed in Chapter 8 of my upcoming book ("Windows
> Forensics and Incident Recovery", from
> Addison-Wesley).

No offense, I realize you want to advertise your book and there is nothing wrong with that or with bringing us [non-stop] references. Actually, it is more than acceptable. But why don't you just post the ISBN and let us buy it and be over with it? :)
This is starting to remind me of Bruce Schneier's Cryptogram - interesting but full of adverts. :o)
Gadi Evron.
--
Email: ge () linuxbox org. Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
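The "mirror the HDD, touch nothing on the original" workflow Gadi describes above, as an added example that is not part of the original post or of anyone's tooling mentioned in the thread. It images a source with dd, keeps offsets aligned across unreadable sectors, hashes source and image, and writes a log an examiner can attach to the evidence record. The evidence disk is assumed to be attached read-only after booting from separate media; the demo uses a constructed file of 64 random sectors standing in for a real device, and the hash tool (sha256sum, or shasum on systems without it) is an assumption about the environment.

```shell
#!/bin/sh
# Forensic-style imaging with integrity verification (added example).
# Assumed workflow, not from the original post: boot from read-only media,
# attach the evidence disk without mounting it read-write, then image it.

set -u

# SHA-256 of a file: prefer coreutils sha256sum, fall back to shasum (macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC DST LOG
# Copies SRC to DST block by block. conv=noerror keeps going past read
# errors and conv=sync zero-fills the unreadable block, so offsets in the
# image still line up with the original. Hashes both sides and records them
# in LOG. Returns 0 when the hashes match, 1 when they differ, 2 on misuse.
image_device() {
    src=$1; dst=$2; log=$3

    # Never overwrite an existing image; refuse to proceed on an unreadable source.
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 2; }

    {
        echo "source: $src"
        echo "started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >"$log"

    # 512-byte blocks match the classic sector size. conv=sync pads a short
    # final read to a full block; a real device is a whole number of sectors,
    # so this only matters for a stand-in file whose size is not a multiple of 512.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1

    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    {
        echo "source_sha256: $src_hash"
        echo "image_sha256:  $dst_hash"
        echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >>"$log"

    [ "$src_hash" = "$dst_hash" ]
}

# demo: constructed stand-in for an evidence disk (64 sectors of random bytes),
# imaged and verified in a scratch directory. Prints the log; returns image_device's status.
demo() {
    work=$(mktemp -d) || return 2
    dd if=/dev/urandom of="$work/evidence.dev" bs=512 count=64 2>/dev/null
    image_device "$work/evidence.dev" "$work/evidence.dd" "$work/evidence.log"
    rc=$?
    cat "$work/evidence.log"
    rm -rf "$work"
    return $rc
}
```

On a real case the source is a device node such as /dev/sdb, the image and log go to a separate, already-wiped target disk, and the two hashes in the log are what you later compare against the working copy before every analysis session. The refusal to overwrite an existing image is deliberate: re-running the script by accident should never clobber the first, verified copy.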
Current thread:
- NKADM rootkit - Something new? Jeremy Pollack (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 27)
- Re: NKADM rootkit - Something new? Robert P. McKenzie (May 27)
- Re: NKADM rootkit - Something new? Pho Man (May 27)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 27)
- RE: NKADM rootkit - Something new? Don Wolf (May 28)
- RE: NKADM rootkit - Something new? Harlan Carvey (May 28)
- Re: NKADM rootkit - Something new? Gadi Evron (May 31)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? InfoSec (May 27)
- RE: NKADM rootkit - Something new? Dave Paris (May 28)
- Re: NKADM rootkit - Something new? Tyrano Jones (May 27)
- <Possible follow-ups>
- Re: NKADM rootkit - Something new? caldcv (May 26)