what to do when you've been rooted

ME dugan at passwall.com
Sat Jan 20 21:58:31 PST 2001


Everyone else seems to be addressing the poster's original questions.

I have not played with it yet, but you may want to check out TCT.

Dan and Wietse created and released "The Coroner's Toolkit":

>TCT is a collection of programs that can be used for a post-mortem
>analysis of a UNIX system after break-in. The software was presented
>first during a free Computer Forensics Analysis class that we gave
>one year ago (almost to the day).
>
>Notable TCT components are the grave-robber tool that captures
>information, the ils and mactime tools that display access patterns
>of files dead or alive, the unrm and lazarus tools that recover
>deleted files, and the keyfind tool that recovers cryptographic
>keys from a running process or from files.
>
>To set your expectations, the TCT software is not for the faint of
>heart. It is relatively unpolished compared to the software that
>we usually release. TCT can spend a lot of time collecting data.
>And although TCT collects lots of data, many analysis tools still
>need to be written. Nevertheless TCT sure beats the competition,
>which is non-existent, and beats them at the right price, too.
>
>TCT runs on recent versions of SUN Solaris, FreeBSD, RedHat Linux,
>BSD/OS, OpenBSD, and even runs on SunOS 4.x. It requires perl 5.004
>or later, although perl 5.000 is probably adequate if you are going
>to do the actual analysis on a different machine.
>
>TCT source code is available from the following places:
>
>    http://www.porcupine.org/forensics/
>    http://www.fish.com/forensics/
>    ftp://tct.earthlink.net/pub/

Realize that use of this or any other post break-in analysis software on the
original drive may create problems with potential legal prosecution, as
you are tampering with evidence by disturbing it as soon as you try to
shine a light on it. If you are not required to prosecute, or want to
dig in to see what happened and do not care about prosecution, then play
away! (Personally, I would want to know how and what more than prosecute.)
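As an added illustration of the two points above (TCT's mactime view of file access patterns, and why working on the original drive disturbs evidence), here is a small mactime-style timeline in Python. It is not TCT code and not part of the original post; the directory layout and file contents are constructed sample data, and the "analysis" step that writes a log entry on the live tree stands in for any tool run directly on the compromised disk.

```python
import os
import shutil
import tempfile
import time
from collections import namedtuple

# One event per M/A/C stamp, in the spirit of mactime's output.
Event = namedtuple("Event", "timestamp path kind")

def mac_timeline(root):
    """Walk `root` and return its M/A/C stamps as time-sorted events."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks on a suspect tree
            rel = os.path.relpath(full, root)
            events.append(Event(st.st_mtime_ns, rel, "m"))
            events.append(Event(st.st_atime_ns, rel, "a"))
            events.append(Event(st.st_ctime_ns, rel, "c"))
    return sorted(events)

def disturbed(before, after):
    """Return the (path, kind) stamps that differ between two snapshots."""
    b = {(e.path, e.kind): e.timestamp for e in before}
    a = {(e.path, e.kind): e.timestamp for e in after}
    return {k for k in b if a.get(k) != b[k]}

def demo():
    """Constructed sample tree (hypothetical, not a real system)."""
    root = tempfile.mkdtemp(prefix="mactime-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "log"))
    for rel, text in [("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n"),
                      ("etc/shadow", "root:!:0:0:99999:7:::\n"),
                      ("var/log/messages", "Jan 20 21:58:31 host sshd[1]: started\n")]:
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
        time.sleep(0.01)  # keep creation order visible in the timeline
    baseline = mac_timeline(root)  # snapshot taken BEFORE any analysis
    # Careless analysis on the live tree: a tool appends to syslog, which
    # rewrites mtime and ctime of the very file an investigator relies on.
    with open(os.path.join(root, "var", "log", "messages"), "a") as f:
        f.write("Jan 20 22:00:00 host analyst: running forensic tool\n")
    changed = disturbed(baseline, mac_timeline(root))
    shutil.rmtree(root)
    return baseline, changed
```

Reading files can likewise update atime unless the filesystem is mounted noatime or read-only, which is why the snapshot (or, better, an image of the drive) must be taken before anything else is run.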
