Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 2 Jun 2004 08:19:44 -0700 (PDT)

Valdis,
 
> Note that loading statically linked binaries from a CD, but doing so under
> control of a possibly compromised operating system, is still unsafe.  You
> really need to boot a known-trusted kernel as well (as far as I know, nobody
> is currently hacking the boot/BIOS ROMs to backdoor the boot process, but
> even THAT can be suspect... ;)

A couple of comments...

First, booting to a known good kernel destroys the
extremely valuable volatile data available on a live
system.  Let's say that you suspect that a
Trojan/backdoor is running.  If you boot to any of the
available distros to do your forensics, you may find
the backdoor files w/ last access times, but you won't
know things like, was the backdoor running at the time
you shut the system down, and was anyone connected to
it?

Also, one thing to keep in mind is that it's very easy
to keep saying things like "the boot process could be
backdoored" and "MAC times on files could have been
altered", but at some point, your paranoia overwhelms
your ability to do anything.  With all of the things
that *could* happen, what is the point of doing
forensics at all?
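Added example (my own code, not from this post or the thread): decoding the live socket table a Linux host exposes in /proc/net/tcp, which is exactly the volatile data the message refers to, whether a listener is up and who is connected to it, and which is gone once the box is rebooted into a known-good kernel. It assumes a little-endian Linux host; the sample table and the inode-to-pid map used in the test are constructed.

```python
"""Decode /proc/net/tcp and tie listening sockets to their connected peers.
Added example, not from the original post. Assumes a little-endian host
(x86), where the kernel prints addresses as host-order hex."""
import os
import socket
import struct

# Socket state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x08: "CLOSE_WAIT", 0x0A: "LISTEN"}


def _hex_endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); address is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return [(local, remote, state, inode), ...] for every row of the table."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        state = TCP_STATES.get(int(f[3], 16), f[3])
        rows.append((_hex_endpoint(f[1]), _hex_endpoint(f[2]), state, int(f[9])))
    return rows


def socket_inode_to_pid(proc="/proc"):
    """Map socket inodes to pids via /proc/<pid>/fd links (live host only)."""
    out = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    out[int(link[8:-1])] = int(pid)
        except OSError:  # process exited or not ours to read
            continue
    return out


def connections_to_listeners(rows, inode_to_pid):
    """For each LISTEN socket: owning pid and remote peers with ESTABLISHED sessions."""
    report = {}
    for (_, lport), _, state, inode in rows:
        if state == "LISTEN":
            peers = [f"{ra}:{rp}" for (_, lp), (ra, rp), st, _ in rows
                     if st == "ESTABLISHED" and lp == lport]
            report[lport] = {"pid": inode_to_pid.get(inode), "peers": peers}
    return report


# Constructed sample: sshd on 22, an unknown listener on 31337 with one peer.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:7A69 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
"""
```

On a live system, read the real table with `open("/proc/net/tcp").read()` and pass `socket_inode_to_pid()` as the map; copy the raw file off the host first so the decoded view can be re-checked later.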


Current thread: