Educause Security Discussion mailing list archives

Re: Identify Finder


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Thu, 28 Feb 2008 11:03:02 -0500

While it makes a fine discovery tool, I wonder how often one needs to
run it - once per day/week/quarter/year and/or just on compromised
systems?

While this probably goes without saying, if you're going to use these
scanning tools for incident response you should do so in a forensically
sound manner.

 * Spider for Linux is included on the Helix LiveCD which will allow
   you to boot the compromised system with a trusted OS and read-only
   drive mounting.
 * Other *nix tools like SENF and Find_SSN can likely be run from Helix
   as well.
 * Windows tools like IdentityFinder or Spider for Windows should be run
   from the trusted OS on your forensic workstation, and evidence media
   mounted through a hardware write-blocker.  Otherwise you're tromping
   all over file-access times which might be useful to show that
   an attacker *didn't* access some bit of interesting data you find.

Thanks,
Mike Lococo
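The following is an added illustration of the point above, not code from this post or from any of the tools named in it (Spider, SENF, Find_SSN, IdentityFinder). It pairs a small Find_SSN-style discovery sweep with a stat()-only metadata snapshot taken before and after the sweep, so the analyst can show whether the scan itself disturbed access times. The sample files, their contents, and all function names are constructed for the example; the real control remains the one described in the post (trusted OS, read-only mount, hardware write-blocker), and this script only measures whether that control held.

```python
"""Metadata-checked SSN sweep (added example; not from the thread or its tools)."""
import os
import re
import stat
import tempfile

# Common 3-2-4 SSN layout with optional '-' or ' ' separators.  The
# lookarounds stop longer digit runs (phone or account numbers) from
# yielding a match on their first nine digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop ranges the SSA never issues; the usual false-positive cut."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(data: bytes) -> list:
    """Return plausible SSN-looking strings found in a byte buffer."""
    text = data.decode("utf-8", errors="ignore")
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def snapshot(root: str) -> dict:
    """stat()-only view of every regular file: (atime, mtime, ctime, size).

    Deliberately reads no file contents, so taking the snapshot cannot
    itself disturb access times.
    """
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                snap[path] = (st.st_atime_ns, st.st_mtime_ns,
                              st.st_ctime_ns, st.st_size)
    return snap


def scan_tree(root: str) -> dict:
    """Open each regular file read-only and collect plausible SSN hits."""
    findings = {}
    for path in snapshot(root):
        fd = os.open(path, os.O_RDONLY)
        try:
            hits = find_ssns(os.read(fd, os.fstat(fd).st_size))
        finally:
            os.close(fd)
        if hits:
            findings[path] = hits
    return findings


def disturbed(before: dict, after: dict) -> list:
    """Files whose atime/mtime/ctime/size differ between two snapshots."""
    fields = ("atime", "mtime", "ctime", "size")
    out = []
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            out.append((path, "missing"))
            continue
        for label, o, n in zip(fields, old, new):
            if o != n:
                out.append((path, label))
    return out


def forensic_scan(root: str):
    """Scan, then report both hits and any metadata the scan itself changed."""
    before = snapshot(root)
    findings = scan_tree(root)
    return findings, disturbed(before, snapshot(root))


def run_demo() -> dict:
    """Build a constructed sample tree and return hits keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed test data, not real identifiers
            "hr.txt": b"Employee SSN: 123-45-6789 on file\n",
            "notes.txt": b"valid 219-09-9999, never issued 000-12-3456, 987654321\n",
            "phone.txt": b"call 555-123-4567 (not an SSN)\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        findings, changed = forensic_scan(root)
        for path, field in changed:
            # Any entry here means the sweep altered evidence metadata.
            print(f"scan altered {field} on {path}; treat as non-forensic")
        return {os.path.basename(p): hits for p, hits in findings.items()}


if __name__ == "__main__":
    print(run_demo())
```

Whether the "disturbed" list is empty depends on the mount options of the evidence volume (noatime/relatime versus strict atime), which is exactly why the check is worth keeping: an empty list on a read-only, write-blocked mount is the result to document, and a non-empty one tells you the workstation setup was not what you thought.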
