Computer Forensics

Robert Meyer meyer_rm at yahoo.com
Sun Mar 17 21:43:26 EST 2002



> So, with all the knowledge here, I'd like to ask:
> 
> 1) What's the best way to deal with a compromised system?
> 2) I used "find", "awk", "sed", "grep" to aid me with disseminating what
>    happened and what had been changed. Anyone know of a better way?
> 3) I may have missed it, but has there ever been discussion (online or
>    offline) regarding computer security?

The best way to deal with a compromised system is to start over by formatting
the disk and reloading your data from backups (everyone keeps good backups,
don't they :-).  One of the problems with compromised systems is that some of
the crackers (I don't use the word 'hacker' for criminals) are very good at
hiding their tracks.  Some of the best rootkits are real good at getting the
original date of the files that they replace and use 'touch' (read the man
page) to set the date of their newly installed executables/scripts to be the
same as the originals.  The hard part then, is finding out when the system was
compromised so you know how far back in your backups to go to get something
that wasn't damaged.

In general, you'd like to keep two sets of backups if you can.  One backup is a
full backup of all of the filesystems that you use to recover the system in the
event of a catastrophic failure. The second set is a backup of your data.  If
you put data on separate filesystems from the O/S, then you only need one
backup set.

A good rule of thumb is to try to keep archived backup sets for at least two
years.  You'd be surprised how far back I've had to go to get things.

I've never been a fan of trying to 'clean' a compromised system because you can
never be sure if you got everything.  There are tools out there that store
MD5SUMs of all of the critical files on your system.  You would keep copies of
these sums on another machine.  Then if you suspect that a system has been
compromised, you could mount the disk with 'nosuid', etc. and check the sums of
all of the files.  This takes quite a while (probably more time than a format
and restore). You might want to keep spare disks around to restore your system
to and then keep the compromised disk around to play forensics games with at
your leisure.

A great place to look for security information is a place called 'Security
Focus' (http://securityfocus.com if you couldn't guess :-).  If you want to get
real paranoid, read this site a lot.

Now that I've drifted way off the original topic, I'll shut up.

Cheers!

Bob

=====
Bob Meyer
Knightwing Communications, Inc.
36 Cayuga Blvd
Depew, NY 14043
Phone: 716-308-8931 or 716-681-0076
Meyer_RM at Yahoo.com
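One way to do the hash-baseline check the reply describes, as an added example that is not from the original post: it records a digest of every regular file under a root (SHA-256 here rather than the MD5 the post mentions, since MD5 collisions are now practical), then compares a later snapshot. demo() builds a constructed toy tree, replaces a "binary" while restoring its original timestamps the way 'touch -r' would, and shows that the comparison still flags it. Assumes a Unix-like filesystem; in practice the baseline lives on another machine and the suspect disk is mounted read-only with nosuid.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> digest for every regular file (symlinks skipped)."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the disk now against a stored baseline; timestamps are ignored."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline, then a trojaned binary with mtime restored."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)          # would be copied off-box
        st = ls.stat()
        ls.write_bytes(b"#!/bin/sh\necho trojaned\n")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))  # same effect as 'touch -r'
        (root / "etc" / "passwd").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"x")
        report = verify(root, baseline)
        report["mtime_preserved"] = ls.stat().st_mtime_ns == st.st_mtime_ns
        return report
```

The report lists the replaced binary even though its modification time is identical to the original's, which is exactly the case that a date-based search with find misses.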
