Security Incidents mailing list archives

RE: maybe a simple problem

From: george.wasgatt () insurity com
Date: Fri, 4 Oct 2002 07:35:45 -0400

What is the certain switch in GHOST and why is it necessary.  I thought that
GHOST defaults produced a saved copy of the disk drive bit by bit the same
as the original.

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Thursday, October 03, 2002 1:04 PM
To: 'Greg Reber'; Andrew Fison; incidents () securityfocus com
Subject: RE: maybe a simple problem

IF you alter the files onthe machine they will not hold up in court.  You
must do a bit level back up which is normally done using a tool such as
safeback, snapback, encase ,etc.  You canuse Ghost if you have a certain
switch set but I would not suggest it.  Normally you must be physically
present to do so.  

1)  DO not boot the machine or do a back up.  You may destroy the files and
evidence you need by doing so
2)  Using an approved FORENSIC method/tool (safeback, snapback, encase,
SOloMasster, etc.  Make TWO forensic copies.  1 for them to put back in
their machine and 1 for you to use as a back up to restore as many times as
necessary if you are going drive to drive.  If oyu are using a non-intrusive
means of analysis such as encase then you can do analysis on this drive as
long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY.  I always suggest and
original and a forensic copy (unused) just in case a drive fails.

Depending upon the cost (and potential loss), Ontrack can grabthe stuff
remotely for you.  Depends onwhat it's worth to your client.

E-mail me off line for more info.  I specialize in forensics.

-----Original Message-----
From: Greg Reber [mailto:greg.reber () astechconsulting com]
Sent: Wednesday, October 02, 2002 9:16 PM
To: Andrew Fison; incidents () securityfocus com
Subject: RE: maybe a simple problem

Andrew - if there is a suspicion that the client's machine has been
compromised, they should stop using it and have you do some quick forensics.
Back up files that they need, but not the whole HD.
http://biatchux.dmzs.com/ is a great site for free forensics tools.

-greg

The information in this email is likely confidential and may be legally
privileged. It is intended solely for the addressee. Access to this email by
anyone else is unauthorized. If you are not the intended recipient,  any
disclosure, copying, distribution or any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful.

-----Original Message-----
From: Andrew Fison [mailto:afison () brit-tex net]
Sent: Wednesday, October 02, 2002 2:37 AM
To: incidents () securityfocus com
Subject: maybe a simple problem

I have a client who believes that thier win98 pc has been hacked with some
remote control software. They are pretty vague and not close buy so i cannot
look at the machine all the time. I asked them to do netstat when they think
they are being spied on but as yet they have not given me anything useful.

I think there is reason to believe them as the owner is involed in a hostile
boardroom take over of his company by some other entities, whilst this is
legal, they have used other underhand methods against my customer before and
they are trying to force him to sign over the business to them a little too
swiftly.

this all started when his wife was suing the pc, and a telescop came on the
screen and then disapeared, since then the machine crashes, documents
pertaing to the business have  gone missing etc, any clues to what this
telescope could be?

yours

andrew

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended
only for the individual(s) named herein or others specifically authorized to
receive the communication. If you are not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify the sender of the error immediately,
do not read or use the communication in any manner, destroy all copies, and
delete it from your system if the communication was sent via email. 

**********************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: maybe a simple problem Brooke, O'neil (EXP) (Oct 02)
- <Possible follow-ups>
- Re: maybe a simple problem Michael Anuzis (Oct 03)
- RE: maybe a simple problem Robinson, Sonja (Oct 03)
- RE: maybe a simple problem george . wasgatt (Oct 04)
- RE: maybe a simple problem Robinson, Sonja (Oct 04)
- RE: maybe a simple problem george . wasgatt (Oct 04)
  - RE: maybe a simple problem Clayton Hoskinson (Oct 05)
- RE: maybe a simple problem Jeff Peterson (Oct 05)
  - RE: maybe a simple problem Hugo van der Kooij (Oct 05)
- Re: maybe a simple problem tabrams (Oct 05)
- RE: maybe a simple problem Rob Keown (Oct 05)