Security Basics mailing list archives
RE: tools used to examine a computer
From: "Mitchell, Edmund" <EMitchell () fnis com>
Date: Fri, 14 Feb 2003 09:59:28 -0800
-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]

What tools are out there that can really be helpful in monitoring/forensics?

Joshua R. Hopkins
Michael Warfield from Internet Security Systems gave a nice presentation on this a couple of weeks ago, including an overview of some of the legal necessities. Their site has some good links to common tools: http://www.iss.net/security_center/advice/default.htm and I can email you the slides from his presentation if you like.

They cover the basics. For example, copying the drive in question: the original must be pristine, for legal reasons, so you make a copy or copies which you then examine. The copy must not be logical, because the match isn't then exact, so no tar or cpio type backups. The image must be made first, before anything else, even mounting the fs, because a journalling fs might log the fact that it was mounted, altering the contents.

Also, Intrusion Detection Systems as Evidence: http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/Sommer_text.pdf

HTH
Edmund
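The imaging step Edmund describes, as an added example that is not part of the thread: a bit-level dd copy of the evidence device followed by hashing both source and image so the copy can be shown to be exact (a logical tar/cpio copy could never pass this check). The SRC/DST paths are placeholders, and `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the list thread. Images a device (or file) byte for
# byte with dd, then proves the image matches by comparing SHA-256 hashes.
# Do this BEFORE mounting anything: even a read-only mount of a journalling
# filesystem may replay its journal and change bytes on the original.
set -u

# hash_of FILE -> prints the SHA-256 of FILE (assumes GNU sha256sum)
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC DST -> returns 0 if SRC and DST hash identically, else 1.
# Also writes both hashes next to the image for the chain-of-custody record.
verify_image() {
    src_hash=$(hash_of "$1")
    dst_hash=$(hash_of "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$dst_hash" "$2" > "$2.sha256"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "MATCH $dst_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$dst_hash"
    return 1
}

# image_device SRC DST -> copies SRC to DST with dd and verifies the result.
# conv=noerror,sync keeps reading past bad sectors and zero-fills them so
# offsets in the image still line up with the original. bs=512 is deliberate:
# conv=sync pads the final short block up to bs, so a larger block size can
# append zeros to the image and make the hashes differ from the source.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync || return 2
    verify_image "$1" "$2"
}
```

Invoke as `image_device /dev/sdX /evidence/case-0001.dd` (placeholder paths); the hash file written beside the image is what goes into the evidence log.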