Security Basics mailing list archives

RE: tools used to examine a computer


From: "Mitchell, Edmund" <EMitchell () fnis com>
Date: Fri, 14 Feb 2003 09:59:28 -0800

-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]
What tools are out there that can really be helpful in
monitoring/forensics.
Joshua R. Hopkins

Michael Warfield from Internet Security Systems gave a nice presentation on
this a couple of weeks ago, including an overview of some of the legal
necessities.
Their site has some good links to common tools:
http://www.iss.net/security_center/advice/default.htm
and I can email you the slides from his presentation if you like.  They
cover the basics.

For example, copying the drive in question - the original must be pristine,
for legal reasons, so you make a copy or copies which you then examine.  The
copy must not be logical, because the match isn't then exact, so no tar or
cpio type backups.  The image must be made first, before anything else, even
mounting the fs, because a journalling fs might log the fact that it was
mounted, altering the contents. 

Also, Intrusion Detection Systems as Evidence:
http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/Sommer_text.pdf

HTH

Edmund
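The imaging step the post describes (a bit-for-bit copy, hashed on both sides, never a tar or cpio backup), as an added shell example that is not part of the original message. The source file, temporary paths and function names are constructed for illustration; on real media the same dd and hash steps run against the block device, behind a write blocker, before anything mounts the filesystem.

```shell
#!/bin/sh
# Added example, not from the original post: a bit-for-bit image made with dd,
# hashed on both sides so the copy can be shown to match the original exactly,
# next to a tar copy of the same data, whose digest does not match. The source
# is a constructed file standing in for a drive; on real media the same steps
# run against the block device (behind a write blocker) before anything mounts it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.raw"   # constructed stand-in for the original drive
IMG="$WORK/evidence.dd"    # forensic image that gets examined instead

# Constructed source: 128 "sectors" of 512 bytes, like a small real device.
make_source() {
    mkdir -p "$WORK"
    yes 'constructed sector data' | head -c 65536 > "$SRC"
}

# Bit-for-bit copy of every sector, slack and unallocated space included.
# conv=noerror,sync keeps going past read errors and pads unreadable sectors
# with zeros (on real media, record any such errors in the case notes).
image_source() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Succeeds only if the image digest equals the source digest: the check that
# lets the examined copy stand in for the untouched original.
verify_image() {
    [ "$(hash_of "$SRC")" = "$(hash_of "$IMG")" ]
}

# A logical copy (tar here; cpio behaves the same way) wraps the data in its
# own format, so its digest cannot match the original's: succeeds when they differ.
logical_copy_differs() {
    tar -cf "$WORK/evidence.tar" -C "$WORK" "$(basename "$SRC")"
    [ "$(hash_of "$SRC")" != "$(hash_of "$WORK/evidence.tar")" ]
}

make_source
image_source
if verify_image; then
    echo "image matches source, sha256 $(hash_of "$IMG")"
fi
if logical_copy_differs; then
    echo "tar copy does not match source (logical copies are not images)"
fi
```

Record the digest alongside the image at acquisition time; any later re-hash that still matches is what demonstrates the examined copy was not altered.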
