Detecting root kits?
Tom Buskey
tom at buskey.name
Mon Jun 23 14:09:37 EDT 2003
Ben Boulanger wrote:
> Then by this logic, -anything- you do, except for pulling the drive and
> mounting it in a system or booting off of a CD is suspect. While the most
> correct way, it's also the most impractical. You can find rootkits on
> systems with a much more minimal effort. Will you find the really good
> hackers? No - but you won't find them if you boot off of a CD either.
If you're doing forensics:
pull the drive
install it as a slave in another system
with the write protect jumper if it has one
dd the drive to an image
remove the drive
loopback mount the image read only
You might be able to boot off a CD and dd the image across the network.
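The imaging steps above, written out as a script. This is an added example, not code from the original post or the list; device names, the evidence path and the mount point are placeholders, the image is verified by comparing SHA-256 hashes of source and copy, and the read-only loop mount needs root.

```shell
#!/bin/sh
# Added example (not from the original post): image a suspect drive that is
# attached to a clean system, verify the copy, and loop-mount it read-only.
# /dev/sdb, /evidence/sdb.dd and /mnt/evidence below are placeholders.
set -eu

# Hash a file with whichever SHA-256 tool the system has (GNU or BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy the source block by block into an image file. conv=noerror keeps
# going past unreadable sectors; conv=sync pads those (and a short final
# block) with zeros so offsets in the image still match the original.
image_device() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
}

# Return 0 if the image hashes identically to the source, 1 otherwise.
# Record the hash alongside the image before doing anything else with it.
verify_image() {
    src="$1"; img="$2"
    [ "$(hash_file "$src")" = "$(hash_file "$img")" ]
}

# Loop-mount the image read-only. noload is an ext3/ext4 option that stops
# the kernel replaying the journal (a write); drop it for other filesystems.
mount_image_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,noload "$img" "$mnt"
}

# Usage (as root, drive jumpered read-only):
#   sh image.sh /dev/sdb /evidence/sdb.dd /mnt/evidence
if [ "$#" -eq 3 ]; then
    image_device "$1" "$2"
    verify_image "$1" "$2" && echo "image verified: $(hash_file "$2")"
    mount_image_ro "$2" "$3"
fi
```

Hash the source drive and the image once each and keep the values with the image; if they differ, the copy is not trustworthy. If you prefer a loop device you can inspect before mounting, `losetup -r` sets one up read-only, and the same `ro,noload` mount options apply to it.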