RE: NKADM rootkit - Something new?

["Don Wolf" <don.wolf () ssisc com>]

" Linux distros are... useless on Windows systems for gathering volatile
data"

Harlan, you're absolutely right.  Anyone with enough forensic, IR or even
data recovery experience knows maintaining state is critical.  If you change
the state (e.g. reboot) than you've effectively lost any chance of
recovering meaningful information.  This more so in the context or tracking
hacks than recovering client data.

An option - Virtual sessions of Linux (Knoppix, Insert, etc) may be possible
on a Windows platform.  Without any extensive knowledge of those bootable CD
OSes, I cannot say that it would work, but it would certainly be of more use
in forensic data recovery or incident response on Windows platforms.

The approach of using a handful of tried and true tools is arguably the most
logical and productive method.  If having all the tools on-hand in a nice
neat package is a concern (seems to be in this thread), burn them all to CD
and create some non-intrusive scripts to run them.  I've consolidated a
number of tools in my time that I've put to CD's and flash.  Furthermore
I've been working for the last few months to determine what method of
running these tools would yield the best results with the least impact.
This has led to a number of both complex scripts and rudimentary scripts.  

I suggest all those interested look at what the experienced guys are using
and put together your own kit.  Don't risk destroying the data at hand
because someone put a "convenient" CD together.


Don



-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com] 
Sent: Thursday, May 27, 2004 4:08 PM
To: incidents () securityfocus com
Cc: ho Man; Paul Schmehl
Subject: Re: NKADM rootkit - Something new?

For what it's worth, while bootable Linux distros are
great for doing full-out forensics, they are useless
on Windows systems for gathering volatile data...after
all, when you boot to the Linux distro, all of your
volatile data is gone.

--- Pho Man <ph0k1n () yahoo com> wrote:
> Based on Knopppix Linux is a another Linux CD distro
> called Penguin Sleuth.  I think the address is
> something like http://www.linux-forensics.com/. 
> THis
> distro is very much like Knoppix, but has more
> forensic tools.  I have tried it out a little, and
> it
> works really great.
>
> Something to check out if you're looking for a good
> forensics Linux CD.  :)
>
> --- Paul Schmehl <pauls () utdallas edu> wrote:
> > Since I posted my response in this thread, I've
> > gotten several requests for 
> > my "tool list".  There's really nothing magical
> > about it.
> >
> > Foundstone has a number of useful tools - Forensic
> > Toolkit (good for 
> > examing files), Vision (shows open TCP and UDP
> ports
> > and what process owns 
> > them), BinText (strings for Windows).
> >
> > Go to http://www.foundstone.com/ and click on
> > Resources/Free Tools.
> >
> > Systinternals has a number of tools that you'll
> > probably find in the 
> > hackers' toolkits as well, particularly pslist and
> > pskill.  But look at 
> > their whole set.  ListDLLs is very useful, as is
> > Handle, PMon, Process 
> > Explorer (find function is *very* helpful),
> PSTools
> > (pskill, pslist, 
> > psservice and several others.)
> >
> > Go to http://www.sysinternals.com/ and click on
> > Utilities.
> > All these tools are very useful.  Particularly
> when
> > you're dealing with a 
> > process or service that's been renamed and/or is
> > elusive, something that 
> > can tie processes to PIDs and files with complete
> > paths is a necessity.
> >
> > Another good tool is Active Ports, which will show
> > you the process, PID, IP 
> > address (local and remote), ports (local and
> > remote), state (listen, 
> > established) and path to the executable is
> extremely
> > useful.
> >
> > Go to
> http://www.snapfiles.com/get/activeports.html
> > More good tools may be found at
> > http://www.ntutility.com/ (including Active 
> > Ports.)
> >
> > Of course Microsoft also has a useful set of
> > utilities that few seem to 
> > know about.  Among them is sc,tskill, tasklist,
> > eventquery.vbs, pstat.exe 
> > (part of the SDK).  These are handy in a pinch,
> but
> > not as informative as 
> > the tools mentioned above.
> >
> > Another tool that I've found invaluable is
> F.I.R.E. 
> > It's a bootable, 
> > networkable CD ROM running Linux.  I've been able
> to
> > mount ntfs hard drives 
> > and scp the entire contents to a server, saving
> all
> > the data from a crashed 
> > machine before formatting it and reinstalling the
> > OS.  (Saved the 
> > President's laptop once, becoming a hero in the
> > process.)  I've done 
> > forensics on a Win2K box, mounting the ntfs drives
> > and making copies of all 
> > the logs and binaries I found without disturbing
> the
> > contents of the drive 
> > or changing any of the file access information.
> >
> > Go to http://biatchux.dmzs.com/ to get a copy.
> >
> > The most recent update is dated 5/14/2003, so I
> > don't know if it's being 
> > maintained or updated.
> >
> > You might want to consider Knoppix instead.  It
> > comes with a boatload of 
> > extra stuff you won't use for forensics, but it's
> a
> > good way to get 
> > familiar with unix, if you're not already.  It
> even
> > has a working version 
> > of snort with ACID!
> >
> > Go to http:www.knoppix.net/ for more information.
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/ir/security/
>
>
>
>       
>               
> __________________________________
> Do you Yahoo!?
> Friends.  Fun.  Try the all-new Yahoo! Messenger.
> http://messenger.yahoo.com/