Bollocks.
Yes it's true that your kernel is suspect, but when you arrive at the
scene and want to preserve forensic data in a useful state, the last thing
you want to do is reboot.
It's a tradeoff. The main thing is to get a disk image. And chances are
that your statically compiled "dd" will work happily.
Then you run cryogenic or similar. If you're really keen, you get dumps of
ram and other goodies for some even keener person to fiddle with later.
After you have preserved your data, then you can think of rebooting... in
fact, let me rephrase that, you don't reboot. You pull the plug. A lot of
the time, systems are triggered to hide traces etc if rebooted or shutdown
cleanly.
However, your course of action depends entirely on what your goals
are.. do you want to analyze data? Or do you just want to get back in
production in a clean state?
If it's the latter - you can ignore the CD anyway, because you need to
blow away the box WHOLE anyway. It can't be trusted anymore.
//umar.
> Umar Goldeli <[EMAIL PROTECTED]> wrote:
> >
> > Every admin should also have a statically compiled set of tools on CD
> > btw. Not only can binaries be trojaned, but so can libraries.
>
> But the same thing can happen to the kernel... Time to reboot with the CD.
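The imaging step Umar describes (run the statically compiled dd from the trusted CD, then hash the result before anything else is touched), as an added example that is not from this thread; the TRUSTED_BIN directory, the log format and the 512-byte block size are assumptions:

```shell
#!/bin/sh
# Acquire a raw image of a suspect block device using tools from a trusted
# directory (e.g. a mounted CD of static binaries), then verify it by hash.
# TRUSTED_BIN is an assumed location; leave it empty to use the normal PATH.
TRUSTED_BIN="${TRUSTED_BIN:-}"
if [ -n "$TRUSTED_BIN" ]; then
    PATH="$TRUSTED_BIN:$PATH"; export PATH
fi

# SHA-256 of a file, using whichever hashing tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE [LOG]
# Hash the source, copy it sector by sector (noerror,sync keeps going past
# bad sectors and pads them so offsets stay aligned), then hash the source
# again and the image. All three matching shows the copy is exact and the
# source did not change underneath us while being read.
acquire_image() {
    src=$1; img=$2; log=${3:-"$2.log"}
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    after=$(hash_file "$src")
    imghash=$(hash_file "$img")
    {
        echo "acquired: $(date -u)"
        echo "source: $src"
        echo "image:  $img"
        echo "sha256 source before: $before"
        echo "sha256 source after:  $after"
        echo "sha256 image:         $imghash"
    } >>"$log"
    if [ "$before" = "$after" ] && [ "$after" = "$imghash" ]; then
        echo "VERIFIED" >>"$log"
        return 0
    fi
    echo "MISMATCH" >>"$log"
    return 2
}

# Usage: ./acquire.sh /dev/sda /mnt/evidence/sda.dd
if [ "$#" -ge 2 ]; then
    acquire_image "$@"
fi
```

Write the image and log to separate, trusted media; the hashes in the log are what you later compare against before anyone fiddles with the copy.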
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug