At 09:17 p.m. 22/09/2003 -0400, you wrote:
On Mon, 2003-09-22 at 21:10, Ian Mortimer wrote:
> >  However, many of us work and exist in environments where
> > carrying around a CD doesn't scale.
>
> Not to mention the need to reboot every box to run off the CD and
> then reboot again when done.  Several days' work there.

Yup.  Not to mention that rebooting is a red flag to hackers.  The idea
here is to run diagnostics while trying to stay off their radar, else
you risk losing the evidence (and possibly your filesystem).

Actually, if you suspected the system so much that you needed to take it offline for analysis, you would _NEVER_ boot off that medium again until it had been verified clean.


The first step is to make a 1:1 identical copy of the system, then store the hardware away as evidence. Powering off should also be done at the wall, rather than by triggering a reboot.

You can then work off the image you created and mount it under a system that is in a _known_ good state; that way you can't be accused of tampering with data, and you can do all your investigations without the potential attacker(s) influencing your results.

In a large enterprise scenario I would also expect that you would have spare boxes to act as a backup in case this happens; if not, then I would suggest you go and get some.

In a small environment you would probably never convict, as the cost to do so would outweigh the benefits, so why bother? If you suspect infection, then simply re-install and harden (or slap that spare box into operation after ensuring it is hardened).

Basic forensics 101 - there are good tutorials available via a Google search.

--
Steve.
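The acquisition and read-only mount that Steve describes, as an added example that is not part of the original thread or of any project: image the suspect disk with dd, hash both source and image into a custody log, re-verify the image later, and attach it read-only on the known-good analysis host. The device path /dev/sdb, the function names and the log format are assumptions; the demo at the bottom uses a constructed file in place of a real disk so it runs without root, and the mount helper is shown but never called.

```shell
#!/bin/sh
# Added example (not from the original thread). Hypothetical helper names.
set -u

# acquire_image SRC DEST LOG
# Bit-for-bit copy of SRC (e.g. /dev/sdb, an assumption) into DEST.
# conv=noerror,sync keeps dd going past unreadable sectors and pads them
# with zeros so every later offset in the image still lines up with the
# disk. Caveat: conv=sync also pads a short final read, so pick a bs that
# divides the device size; bs=512 is always safe for a real block device.
# Source and image are hashed and recorded; the function succeeds only if
# the two hashes agree.
acquire_image() {
    src=$1; dest=$2; log=$3
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none 2>>"$log" || return 1
    chmod 0444 "$dest"                     # nobody writes to the evidence copy
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    {
        printf 'acquired_at=%s host=%s operator=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$(id -un)"
        printf 'source=%s image=%s\n' "$src" "$dest"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image_sha256=%s\n' "$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Recompute the image hash (e.g. before analysis, or in court) and compare
# it with the value recorded at acquisition time.
verify_image() {
    img=$1; log=$2
    recorded=$(sed -n 's/^image_sha256=//p' "$log" | tail -n 1)
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# mount_ro IMAGE MOUNTPOINT [OFFSET_BYTES]
# Attach the image read-only on the known-good analysis host. Needs root,
# so the demo below never calls it. OFFSET selects a partition inside a
# whole-disk image (start sector * 512, taken from fdisk -l IMAGE).
# For ext3/ext4 add ,noload so the kernel does not replay the journal
# into the evidence; for xfs the equivalent is ,norecovery.
mount_ro() {
    img=$1; mnt=$2; off=${3:-0}
    mount -o ro,loop,noexec,nodev,nosuid,offset="$off" "$img" "$mnt"
}

# Demo on a constructed 1 MiB stand-in for the suspect disk (not a real device).
WORK=$(mktemp -d)
dd if=/dev/urandom of="$WORK/suspect.dev" bs=512 count=2048 status=none
if acquire_image "$WORK/suspect.dev" "$WORK/suspect.dd" "$WORK/custody.log"; then
    echo "image hash matches source; custody log follows"
    cat "$WORK/custody.log"
fi
if verify_image "$WORK/suspect.dd" "$WORK/custody.log"; then
    echo "re-verification OK"
fi
rm -rf "$WORK"
```

On a real box the order is: pull the plug, pull the disk, attach it to the analysis host (through a write blocker if you have one), run acquire_image against the device node, then lock the original away and do all further work on the image via mount_ro. Keep the custody log with the image, not on the suspect disk.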



-- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/redhat-list
