Rescuing data from attackers

Data Rescue

Article from Issue 134/2012

When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.

Typically, when the term “data rescue” is mentioned, failed RAID arrays, accidentally deleted files, and corrupted backups come to mind. But, what happens when a break-in occurs and you need to find out how the attacker got in and how much damage has been done?

If you’re lucky (relatively speaking), the attacker will make changes to the filesystem. For example, in the recent security breach, the OpenSSH binaries were replaced with ones that would log usernames, passwords, and keys, allowing the attacker to access additional systems. In theory, tools like AIDE or Tripwire should catch these modifications, but in practice this doesn’t always work.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

comments powered by Disqus

Direct Download

Read full article as PDF:

056-057_kurt.pdf (628.10 kB)