Re: NKADM rootkit - Something new?

[Harlan Carvey <keydet89 () yahoo com>]

Gadi,

> You can do both, but still, how long do you have to
> work on a PC? How 
> intrusive is it to run ANYTHING?
>
> Me? I'd try and shut everything down and (legally
> acceptable) mirror the 
> HDD as soon as I possibly can like I learned to do
> when I just got started.
>
> Then again, it all depends on your incident response
> goals.

Ultimately, I think this is the key.  If your goal is
to treat each and every incident as though it would be
prosecuted, you're correct...follow the applicable
procedures (ie, shut down the system, image the drive,
etc.)  However, a great many cases are *not* litigous
in nature, and the goal is to determine (a) *if*
anything happened, (b) *what* happened, and (c) *how*
it happened.  The crux of these issues is many time
found in the volatile memory of the system.  Shutting
the system down "destroys" the volatile memory.

>  > Perhaps...if you could get it to work.  I think
> that
>  > there're enough Windows tools available to do
> what
>  > needs to be done on Windows systems.
>
> That's true enough, in most cases.
>
> What I find to be not advisable is to do *anything*
> on the original 
> machine/HDD. You mirror it, and for mirroring it
> correctly you'd need to 
> boot from a minimal OS, say, on a floppy or CD.

You're absolutely correct...never work on the original
image, once you've imaged the drive.  However, I
wasn't referring to working on an image...I was
referring to gathering (volatile) data from a live,
running system.

>  > I've been working on the same thing, which led me
> to
>  > come up with the Forensic Server Project, which
> is
>  > detailed on Chapter 8 of my upcoming book
> ("Windows
>  > Forensics and Incident Recovery", from
>  > Addison-Wesley).
>
> No offense, I realize you want to advertise your
> book and there is 
> nothing wrong with that or bringing us [non-stop]
> references. Actually, 
> it is more than acceptable. But why don't you just
> post the ISBN and let 
> us buy it and be over with it? :)

Well, for one thing...I'm not aware that the book
*has* an ISBN yet.  It's due out in 6 or 7 wks.
 
And how is one reference "non-stop"?

> This is starting to remind me of Bruce Schneier's
> Cryptogram - 
> interesting but full of adverts. :o)

How is one mention of the book "full of adverts"? 
Also, there are plenty of other media (lists, forums,
etc.) that refer to other sources, such as web sites,
etc...are those any different?  Is the actual content
of a post somehow diminished simply b/c someone points
to another resource?