Security Incidents mailing list archives

RE: NKADM rootkit - Something new?


From: "Dave Paris" <dparis () w3works com>
Date: Tue, 1 Jun 2004 10:49:45 -0400

Definitely not a stupid question.  Most forensic toolkits are created from
statically-compiled executables, created on a known-safe system and then
loaded from CD or other removable media.  This a) prevents any interaction
with potentially tainted libraries and b) ensures a known/provably[1]-safe
version of the executable.  Also, you'd ideally be working on a block-for-block
copy of the original file system - or in a worst case, the actual filesystem,
mounted in a read-only manner.

Kind Regards,
-dsp

[1] - with the realm that *anything* can be "proven" safe to one degree or
another.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Monday, May 31, 2004 5:09 PM
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?
[...]
Since a compromised box may have some sort of rootkit installed on it,
how reliable would you consider the output of a forensic tool running on
the compromised system? Wouldn't a rootkit (at least theoretically) be
able to manipulate the data which is requested by such a tool or script?

I'm less than a novice to forensics, so excuse me if these questions
sound stupid.
[...]
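The three practices in the reply above (a hash-verified toolkit of static binaries built on a clean host, a block-for-block image of the evidence with an acquisition hash, and a read-only mount of that image) as a worked example. This is an added illustration, not code from the original post or from either poster; the toolkit directory, image names and the stand-in "device" are constructed for the demo, and `is_static_binary` relies on the "not a dynamic executable" wording of glibc's ldd.

```shell
#!/bin/sh
# Added example, not part of the original post. File and directory names are
# illustrative assumptions; the "device" below is a constructed 2 KiB file.
set -u

# --- (1) Toolkit integrity -------------------------------------------------
# A statically linked tool never loads libc or other shared objects from the
# suspect host, so a trojaned library cannot alter its output. This check uses
# the message glibc's ldd prints for binaries without a dynamic section.
is_static_binary() {                              # is_static_binary FILE
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

# Build a manifest (sha256 + relative path) of every file under DIR. Run this
# on the clean build host and put the manifest on the same read-only media.
make_manifest() {                                 # make_manifest DIR > manifest
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Re-check the media against its manifest before trusting any tool on it.
verify_manifest() {                               # verify_manifest DIR MANIFEST
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && sha256sum -c "$manifest" >/dev/null 2>&1 )
}

# --- (2) Block-for-block acquisition ---------------------------------------
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Copy SRC (block device or file) to IMG sector by sector. bs=512 matches the
# sector size so conv=sync never pads the last block; noerror continues past
# unreadable sectors and sync zero-fills them so later offsets stay aligned.
# The source hash is recorded beside the image and must equal the image hash.
acquire_image() {                                 # acquire_image SRC IMG
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src=$(sha256_of "$1"); img=$(sha256_of "$2")
    printf '%s  %s\n' "$src" "$(basename "$2")" > "$2.sha256"
    [ "$src" = "$img" ]
}

# Any later examiner re-hashes the image and compares it with the record.
verify_image() {                                  # verify_image IMG
    [ "$(sha256_of "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]
}

# --- (3) Read-only examination ---------------------------------------------
# Mount the image via a loop device, read-only, with no exec/setuid/device
# nodes honoured. Needs root and loop support, so the demo does not call it.
mount_evidence_ro() {                             # mount_evidence_ro IMG MNT
    mkdir -p "$2"
    mount -o ro,loop,noexec,nosuid,nodev,noatime "$1" "$2"
}

# --- Stand-alone demo on constructed data ----------------------------------
demo() {
    work=$(mktemp -d)
    mkdir "$work/toolkit"
    printf '#!/bin/sh\necho tool\n' > "$work/toolkit/ls"      # constructed stand-in
    make_manifest "$work/toolkit" > "$work/manifest.sha256"
    verify_manifest "$work/toolkit" "$work/manifest.sha256" || return 1

    # Constructed "device": 4 sectors of 'A' (deterministic, so tampering shows).
    dd if=/dev/zero bs=512 count=4 2>/dev/null | tr '\0' 'A' > "$work/disk"
    acquire_image "$work/disk" "$work/disk.img" || return 1
    verify_image "$work/disk.img" || return 1

    # Flip one byte of the image: verification must now fail.
    printf 'X' | dd of="$work/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/disk.img"; then return 1; fi
    rm -rf "$work"
    echo "toolkit, acquisition and tamper checks behaved as expected"
}
demo
```

Two caveats a practitioner would add. The manifest only proves the media still matches what the clean host produced; it says nothing about the clean host itself, which is the "to one degree or another" point in footnote [1]. And a plain `ro` mount is not a write blocker: some journaling filesystems will still replay a dirty journal to the device on mount, so the original disk should sit behind a hardware write blocker (or `blockdev --setro`) and all examination should happen on the image copy.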
