On Fri, 22 Jun 2012 03:48:28 +0200 "Lentes, Bernd" 
<bernd.len...@helmholtz-muenchen.de> wrote:
>I found a solution to examine a possibly compromised system with a 
>live CD. I used an Ubuntu Live CD and installed rkhunter using the 
>installer script. I used the switch --layout customdir to install 
>it on the disk of the suspicious system. Then I mounted all 
>partitions from the suspicious system, and afterwards chrooted into 
>it. When I now start rkhunter, it examines the desired system. 
>Fortunately it didn't find anything. The method is a bit difficult, 
>but it's working.

While Incident Response and Forensics are not a topic for this list, 
I should point out that the file system of a (perceived) compromised 
machine should be acquired in a forensically sound way, following 
proper procedure, prior to inspection, unless that is deemed 
unnecessary or prohibitive because size, time or other constraints 
work against the investigator. This is because it may hold clues 
that could aid further investigation. Any ops on a live file system, 
ranging from running tools to installing SW, alter it and 
potentially destroy what could be marked as evidence.


Regards,
unSpawn
---
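The acquire-first procedure unSpawn describes, as an added shell example (not code from this thread or from the rkhunter project): image the suspect device bit for bit, hash source and image, record the hash, and re-verify it before every later mount or scan, so that nothing run against the evidence can silently change it. The device name, the evidence volume, the demo's 4 KiB random "disk" and the function names are my assumptions; the only real caveat it encodes is that dd's conv=sync pads short reads, so the block size must equal the sector size or the image gains trailing padding and the hashes never match.

```shell
#!/bin/sh
# Added example, not code from the thread or from the rkhunter project.
# Image a suspect device before inspecting it, record the image hash,
# and re-verify that hash before every later mount or scan.
# Assumptions (mine, not from the post): a Linux live environment with
# dd, sha256sum and mount; the suspect disk appears as a raw block device
# (e.g. /dev/sdb, hypothetical) and the image goes to a separate, trusted
# evidence volume with room for it.

# acquire_image SRC IMG
# Bit-for-bit copy of SRC to IMG; writes IMG.sha256 in sha256sum -c format
# and logs the source hash to IMG.log.  Returns 0 only if the source and
# the image hash identical.
acquire_image() {
    src=$1; img=$2
    # conv=noerror,sync keeps going past unreadable sectors, padding the
    # failed read with NULs so later data stays at its true offset.  Because
    # sync pads every short read to bs bytes, bs must equal the sector size
    # (512 here): a larger bs leaves trailing padding on the image and the
    # hash comparison below would never succeed.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    printf 'source %s sha256 %s\n' "$src" "$src_hash" >> "$img.log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: recompute the image hash against IMG.sha256.
# Run this before every mount or scan; a mismatch means the evidence was
# altered and nothing later found on it can be relied upon.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# mount_image_ro IMG MNT: expose the verified image for inspection without
# writing to it.  Needs root.  ro stops the kernel writing to it;
# noexec/nosuid/nodev stop anything on the suspect disk from being run by
# accident.  For ext3/ext4 add noload so the journal is not replayed into
# the image (replay is a write).  Run rkhunter or other tools against MNT,
# never against the original device.
mount_image_ro() {
    verify_image "$1" || return 1
    mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}

# demo: exercise the functions on a constructed 4 KiB "device" made of
# random bytes (not a real disk), then tamper with the image by one byte
# and confirm verify_image notices.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/suspect.dev" bs=512 count=8 2>/dev/null
    acquire_image "$work/suspect.dev" "$work/suspect.img" || return 1
    verify_image "$work/suspect.img" || return 1
    printf 'x' >> "$work/suspect.img"
    if verify_image "$work/suspect.img"; then return 1; fi
    rm -rf "$work"
    echo "acquisition verified; tampering detected"
}

case "${1:-}" in demo) demo ;; esac
```

Running it as `sh acquire.sh demo` needs no privileges; only mount_image_ro does. Keep the .sha256 and .log files with the image and record their contents in the case notes, and hash the original device again after the image is taken if there is any doubt the source was stable during acquisition.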


Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users