Hanning wrote:
> Hi all,
> 
> I am currently trying to work on some tools for Solaris forensic
> investigation.  One of the main problems I am facing is how to create
> trusted binaries for live memory dumps, since Solaris 10 is no longer
> capable of static linking.
> 
> So far, the alternative I have come up with is to compile the tools
> with my own library path specified, which I have done successfully.
> However, at the end of the day I am still faced with an issue in which
> libc.so.1 and libmd.so.1 still link to Solaris' default base folders,
> probably because these two shared libraries are built to link
> to /platform or /lib.
> 
> For example, below are the results for memdump, which I have compiled;
> notice it calls forth
> /platform/SUNW,SPARC-Enterprise-T5220/lib/libc_psr.so.1.  Is there
> any way I can modify the linking process to not use the default
> location, but rather one that I can specify?  The best would be
> something like linking to /my/own/location/for/libc_psr.so.1
> 

Forensic analysis would seem to be necessarily performed using
a separate OS image that was not accessible from the suspect image.
I appreciate the desire to do such analysis from the image itself,
but if the attacker was able to write files as root, he was also
likely able to load kernel modules, modify the kernel memory
image, etc.  I would trust nothing from the suspect kernel;
I'd power-cycle the box and boot a CD containing my forensic
tools of choice.  For OpenSolaris, this would be the liveCD;
for Nevada or S10 the install dvd may have everything you need
as well.

- Bart


-- 
Bart Smaalders                  Solaris Kernel Performance
barts at cyber.eng.sun.com              http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
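As an added example that is not part of either message above: a small POSIX shell check that scans `ldd`-style output for dependencies resolved outside a trusted library tree, flagging exactly the kind of `/platform/.../libc_psr.so.1` load Hanning describes. The sample output and the `/forensic/lib` prefix are constructed for illustration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread). Checks ldd-style output for dependencies
# that resolve outside a trusted library tree, such as the /platform/.../libc_psr.so.1
# load mentioned in the question. The sample below is constructed, not real output.
SAMPLE_LDD='    libmd.so.1 =>    /forensic/lib/libmd.so.1
    libc.so.1 =>     /forensic/lib/libc.so.1
    /platform/SUNW,SPARC-Enterprise-T5220/lib/libc_psr.so.1
    libsocket.so.1 =>    (file not found)'

# untrusted_deps LDD_OUTPUT TRUSTED_PREFIX
# Prints one line per dependency that is resolved outside TRUSTED_PREFIX or
# that the loader could not find at all.
untrusted_deps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *'=>'*) path=${line#*=>} ;;   # "libname => /resolved/path"
            *)      path=$line ;;         # bare path: loaded directly by name
        esac
        # Strip surrounding whitespace (ldd separates fields with tabs).
        path=$(printf '%s' "$path" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$path" ] || continue
        case $path in
            "$2"/*) ;;                    # inside the trusted tree: fine
            *) printf '%s\n' "$path" ;;   # outside it, or "(file not found)"
        esac
    done
}

# check_trusted_deps LDD_OUTPUT TRUSTED_PREFIX
# Succeeds (exit 0) only when every dependency lives under TRUSTED_PREFIX.
check_trusted_deps() {
    [ -z "$(untrusted_deps "$1" "$2")" ]
}

# Stand-alone usage: report what the sample binary would pull from outside /forensic/lib.
if ! check_trusted_deps "$SAMPLE_LDD" /forensic/lib; then
    echo "dependencies outside /forensic/lib:"
    untrusted_deps "$SAMPLE_LDD" /forensic/lib
fi
```

On a real host, feed it `"$(ldd /path/to/memdump)"` in place of the constructed sample; any line it prints is a library the tool would load from the suspect system rather than from your own tree.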
