Security Incidents mailing list archives
RE: NKADM rootkit - Something new?
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Tue, 1 Jun 2004 11:16:23 -0400
The question is, sufficient for what? Doing such a memory dump writes the entire contents of memory to the hard drive, thus altering a large portion of the hard disk image and possibly overwriting useful information. In some scenarios, this could possibly cause problems, e.g. if something important on the drive is overwritten, or if the hard drive needs to stand up as evidence in court.

The question is probably academic. You cannot do this memory dump on demand unless you previously added the registry value AND rebooted, before the compromise took place.

And as Harlan pointed out, if you did do this dump, you would have a lot of data to go through in the dump. You would have to be prepared with the knowledge, tools and time to go through that dump, or else making the dump will probably not help anyone. Examining a Windows memory dump is not trivial.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Monday, May 31, 2004 5:09 PM
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?

Microsoft has documented a way to create a memory dump on demand [1]. Could this be considered sufficient to preserve the system's state?
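Editorial note, not part of the thread above: the two practical points in Karl's reply (the keyboard-triggered dump only works if the registry value was set and the box rebooted beforehand, and the dump itself overwrites roughly a RAM's worth of disk on the system volume) can be audited before an incident rather than discovered during one. The PowerShell below is an added example, not code from the thread or from Microsoft; it reads the registry locations Microsoft documents for the crash-on-keystroke feature (i8042prt\Parameters\CrashOnCtrlScroll for PS/2 keyboards, which is what the 2004 article covered; kbdhid\Parameters for USB keyboards on later Windows) and the CrashControl key, and assumes a modern Windows with the CIM cmdlets. The function name and the "RAM plus 1 MB" pagefile headroom rule of thumb are the example's own.

```powershell
# Added example (editorial, not from the original thread): audit whether this
# host could actually take the keyboard-triggered memory dump discussed above,
# and how much free disk the dump would clobber. Run from an elevated prompt.

function Test-MemoryDumpReadiness {
    $cs        = Get-CimInstance Win32_ComputerSystem
    $ramBytes  = [int64]$cs.TotalPhysicalMemory
    $sysDrive  = $env:SystemDrive
    $freeBytes = [int64](Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$sysDrive'").FreeSpace

    # CrashOnCtrlScroll is read by the keyboard driver when it loads, so a value
    # written now only becomes effective after the next reboot. Check both the
    # PS/2 (i8042prt) and USB (kbdhid) keyboard drivers.
    $armedDrivers = foreach ($svc in 'i8042prt', 'kbdhid') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $val  = (Get-ItemProperty -Path $path -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        if ($val -eq 1) { $svc }
    }

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
    # Only a complete dump (1) captures all of physical memory for later analysis.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $dumpFile = if ($cc.DumpFile) { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) }
                else { "$env:SystemRoot\MEMORY.DMP" }

    # The dump is first written into the pagefile on the system drive, then copied
    # to DumpFile, so the pagefile there must hold RAM plus a little headroom.
    # A system-managed pagefile may not appear in Win32_PageFileSetting at all.
    $pf = Get-CimInstance Win32_PageFileSetting | Where-Object { $_.Name -like "$sysDrive*" }
    $pfMaxBytes = if ($pf -and $pf.MaximumSize -gt 0) { [int64]$pf.MaximumSize * 1MB } else { 0 }

    [pscustomobject]@{
        RamGB                  = [math]::Round($ramBytes / 1GB, 2)
        FreeOnSystemDriveGB    = [math]::Round($freeBytes / 1GB, 2)
        # Roughly this much previously free (possibly forensically interesting) space gets overwritten.
        DumpOverwritesGB       = [math]::Round($ramBytes / 1GB, 2)
        DumpFitsInFreeSpace    = ($freeBytes -ge $ramBytes)
        HotkeyArmedIn          = if ($armedDrivers) { $armedDrivers -join ',' } else { 'none' }
        CrashDumpEnabled       = $cc.CrashDumpEnabled
        CompleteDumpConfigured = ($cc.CrashDumpEnabled -eq 1)
        DumpFile               = $dumpFile
        PagefileSystemManaged  = $cs.AutomaticManagedPagefile
        PagefileLargeEnough    = ($pfMaxBytes -ge ($ramBytes + 1MB))
        Note                   = 'CrashOnCtrlScroll only works after a reboot that follows the registry change.'
    }
}

Test-MemoryDumpReadiness | Format-List
```

Read the output as a pre-incident checklist: HotkeyArmedIn other than 'none', CompleteDumpConfigured true and PagefileLargeEnough true (or a system-managed pagefile you have sized by hand) are what you need in place, and rebooted, before the compromise. DumpOverwritesGB against FreeOnSystemDriveGB is the cost Karl describes: that much unallocated space, and whatever deleted data it still held, is gone once the dump is written, so image the disk first if it may have to stand up as evidence.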
Current thread:
- Re: NKADM rootkit - Something new? Ansgar -59cobalt- Wiechers (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 01)
- Re: NKADM rootkit - Something new? Gadi Evron (Jun 01)
- RE: NKADM rootkit - Something new? Lachniet, Mark (Jun 01)
- RE: NKADM rootkit - Something new? Levinson, Karl (Jun 01)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Dead Thread: Re: NKADM rootkit - Something new? Daniel Hanson (Jun 02)
- Incident investigation methodologies Harlan Carvey (Jun 02)
- Re: Incident investigation methodologies Gadi Evron (Jun 02)
- Re: Incident investigation methodologies Harlan Carvey (Jun 03)
- Re: Incident investigation methodologies Ansgar -59cobalt- Wiechers (Jun 04)
- Re: Incident investigation methodologies Paul Schmehl (Jun 04)
- Re: Incident investigation methodologies Jon Coller (Jun 04)
- Re: Incident investigation methodologies Valdis . Kletnieks (Jun 04)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)