Rescuing data from attackers

Data Rescue

Author(s):

When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.

Typically, when the term “data rescue” is mentioned, failed RAID arrays, accidentally deleted files, and corrupted backups come to mind. But, what happens when a break-in occurs and you need to find out how the attacker got in and how much damage has been done?

If you’re lucky (relatively speaking), the attacker will make changes to the filesystem. For example, in the recent kernel.org security breach, the OpenSSH binaries were replaced with ones that would log usernames, passwords, and keys, allowing the attacker to access additional systems. In theory, tools like AIDE or Tripwire should catch these modifications, but in practice this doesn’t always work.

Read full article as PDF:

056-057_kurt.pdf (628.10 kB)

Related content

  • Memory Analysis

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

  • Volatility 2.3

    The Volatility forensic tool helps admins analyze what went wrong on a system. When you need to draw conclusions about malware, or even compromised services, peer into memory with Volatility.

  • Security Lessons: Secure Backup

    Creating backups is one thing, making sure they’re secure is another. We offer some tips for ensuring the process is as painless as possible.

  • Security Lessons

    We look at the history of the rootkit, including its newest incarnation, the DR RootKit.

  • BackTrack and Sleuth Kit

    Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.

comments powered by Disqus

Direct Download

Read full article as PDF:

056-057_kurt.pdf (628.10 kB)

News