Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 29 May 2004 13:33:33 +0200

> On a side/tangential note, I've had discussions
> regarding the collection of the contents of physical
> memory.  While I've heard that it's been desired or
> recommended, I fail to see the value of using a tool
> such as dd.exe to dump the entire contents of
> RAM...how would you then parse it apart into anything
> usable.  My recommendation would be to use tools such
> as pmdump.exe to dump the memory contents of specific
> processes to a USB-connected thumb drive...that way,
> any information found via 'strings' could be easily
> associated w/ a particular process.

What if a certain process released some memory? Or a process is no longer running?

You can do both, but still, how long do you have to work on a PC? How intrusive is it to run ANYTHING?

Me? I'd try and shut everything down and (legally acceptable) mirror the HDD as soon as I possibly can like I learned to do when I just got started.

Then again, it all depends on your incident response goals.

Do you want to monitor the possible hack, the process? Do you want to just secure the network/PC real quick? Etc.

> Perhaps...if you could get it to work.  I think that
> there're enough Windows tools available to do what
> needs to be done on Windows systems.

That's true enough, in most cases.

What I find to be not advisable is to do *anything* on the original machine/HDD. You mirror it, and for mirroring it correctly you'd need to boot from a minimal OS, say, on a floppy or CD.

You'd encounter many of the same problems when you want to wipe.

> I've been working on the same thing, which led me to
> come up with the Forensic Server Project, which is
> detailed on Chapter 8 of my upcoming book ("Windows
> Forensics and Incident Recovery", from
> Addison-Wesley).

No offense, I realize you want to advertise your book and there is nothing wrong with that or bringing us [non-stop] references. Actually, it is more than acceptable. But why don't you just post the ISBN and let us buy it and be over with it? :)

This is starting to remind me of Bruce Schneier's Cryptogram - interesting but full of adverts. :o)

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
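The imaging step Gadi recommends above (boot a minimal OS, mirror the disk before doing anything else on it), written out as an added example that is not part of the original thread: a raw copy with dd, SHA-256 of source and image recorded in a log, and a later check that the copy is unchanged. The "device" here is a constructed file so it runs offline; on a real case the source would be a block device opened read-only from the boot media and the image would go to separate, larger storage. Function names, the log format and the paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Image a disk with dd from a minimal
# boot environment, hash source and image, and keep a log of both hashes.

# image_disk SRC DEST LOG
# Copies SRC to DEST, appends dd's record counts and both SHA-256 values to
# LOG, and returns 0 only if the source and image hashes are equal.
image_disk() {
    src="$1"; dest="$2"; log="$3"
    # conv=noerror,sync: do not stop on an unreadable sector, pad it with
    # zeros so offsets in the image still line up with the source.
    # Caveat: a source whose size is not a multiple of bs is also zero-padded
    # at the end, and the hashes then differ even though nothing was lost;
    # real block devices are sector multiples, so this only bites on files.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source %s %s\n' "$ts" "$src" "$src_hash" >>"$log"
    printf '%s image  %s %s\n' "$ts" "$dest" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST LOG
# Recomputes the image hash and compares it with the value recorded at
# acquisition, so anyone working on the copy later can show it is unchanged.
verify_image() {
    dest="$1"; log="$2"
    logged=$(grep -F -- " image  $dest " "$log" | tail -n 1 | awk '{print $4}')
    now=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$logged" = "$now" ]
}

# Constructed stand-in for a disk: 64 sectors of random bytes (32 KiB).
# On a real case SRC would be something like /dev/sda, never a file on it.
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/disk.img" bs=512 count=64 2>/dev/null
if image_disk "$workdir/disk.img" "$workdir/evidence.dd" "$workdir/acquisition.log"; then
    echo "image verified, hashes recorded in $workdir/acquisition.log"
else
    echo "hash mismatch: check dd's record counts in the log for read errors"
fi
```

The log is the part that matters later: dd's "records in/out" lines show whether any sector had to be padded, and the two hashes let a second analyst confirm they are looking at the same bits that were acquired. Work on a copy of the image, never the only one.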
