Computer Forensics

Darin Perusich Darin.Perusich at cognigencorp.com
Mon Mar 18 13:55:41 EST 2002


there's an article at
linuxsecurity.com/feature_stories/data-hiding-forensics.html about ways
to hide data in such a way that checksums, and md5sums do not matter,
very interesting read. 

if you ask me the only way to deal with a compromised system is to wipe
it and start from scratch, and restore the content from a "known good
backup", known good being the key phrase. 

this leaves the question, if system ABC was compromised what about DEF,
XYZ, and so forth?


Robert Meyer wrote:
> 
> > So, with all the knowledge here, I'd like to ask:
> >
> > 1) What's the best way to deal with a compromised system?
> > 2) I used "find", "awk", "sed", "grep" to aid me with disseminating what
> >    happened and what had been changed. Anyone know of a better way?
> > 3) I may have missed it, but has there ever been discussion (online or
> >    offline) regarding computer security?
> 
> The best way to deal with a compromised system is to start over by formatting
> the disk and reloading your data from backups (everyone keeps good backups,
> don't they :-).  One of the problems with compromised systems is that some of
> the crackers (I don't use the word 'hacker' for criminals) are very good at
> hiding their tracks.  Some of the best rootkits are real good at getting the
> original date of the files that they replace and use 'touch' (read the man
> page) to set the date of their newly installed executables/scripts to be the
> same as the originals.  The hard part then, is finding out when the system was
> compromised so you know how far back in your backups to go to get something
> that wasn't damaged.
> 
> In general, you'd like to keep two sets of backups if you can.  One backup is a
> full backup of all of the filesystems that you use to recover the system in the
> event of a catastrophic failure. The second set is a backup of your data.  If
> you put data on separate filesystems from the O/S, then you only  need one
> backup set.
> 
> A good rule of thumb is to try to keep archived backup sets for at least two
> years.  You'd be surprised how far back I've had to go to get things.
> 
> I've never been a fan of trying to 'clean' a compromised system because you can
> never be sure if you got everything.  There are tools out there that store
> MD5SUMs of all of the critical files on your system.  You would keep copies of
> these sums on another machine.  Then if you suspect that a system has been
> compromised, you could mount the disk with 'nosuid', etc. and check the sums of
> all of the files.  This takes quite a while (probably more time than a format
> and restore). You might want to keep spare disks around to restore your system
> to and then keep the compromised disk around to play forensics games with at
> your leisure.
> 
> A great place to look for security information is a place called 'Security
> Focus' (http://securityfocus.com if you couldn't guess :-).  If you want to get
> real paranoid, read this site a lot.
> 
> Now that I've drifted way off the original topic, I'll shut up.
> 
> Cheers!
> 
> Bob
> 
> =====
> Bob Meyer
> Knightwing Communications, Inc.
> 36 Cayuga Blvd
> Depew, NY 14043
> Phone: 716-308-8931 or 716-681-0076
> Meyer_RM at Yahoo.com
> 

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corp.
darinper at cognigencorp.com

