Building a Forensic Toolkit That Will Protect You From Evil Influences

Presented at Black Hat USA 1999, July 7, 1999, 5:10 p.m. (60 minutes)

When responding to computer security incidents, you will invariably have to work on compromised hosts. You will check whether the interface is in promiscuous mode, what processes are running, and whether anything interesting has been left in /tmp. You will be making bit-for-bit copies of hard drives and shutting down the system. And you want to do all of these operations safely and without compromising the integrity of the evidence. So, you are going to use "known good" copies of all the utilities that you have so carefully placed on a floppy or CD-ROM. But does this really protect you or the evidence from the little nasties that the bad guy may have left behind? No.

This presentation will focus on the subtle and technical aspects of operating in a hostile computing environment. We will go over how to create a reasonably secure environment for doing forensic analysis of a running compromised system and what utilities you will most likely need. Solaris and Windows NT will be used as the demonstration environments.
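As an added example (not from the talk), here is a Python check for the toolkit problem raised above: before a "known good" binary copied from a floppy or CD-ROM is trusted, confirm that it still matches the SHA-256 recorded when the toolkit was built and that it is statically linked, so it cannot load shared libraries from the compromised host. The toolkit names, the manifest and the ELF images are all constructed for the example, and the parser handles ELF64 little-endian files only.

```python
import hashlib
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # program-header types from the ELF spec


def is_statically_linked(image: bytes) -> bool:
    """True if an ELF64 little-endian image has no PT_INTERP/PT_DYNAMIC header,
    i.e. it cannot pull shared libraries from the host it runs on."""
    if image[:6] != b"\x7fELF\x02\x01":                  # magic, ELFCLASS64, LSB
        raise ValueError("not an ELF64 little-endian image")
    e_phoff = struct.unpack_from("<Q", image, 0x20)[0]  # program-header table
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    for i in range(e_phnum):
        p_type = struct.unpack_from("<I", image, e_phoff + i * e_phentsize)[0]
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def verify_toolkit(binaries: dict, manifest: dict) -> dict:
    """Check each manifest entry's SHA-256 and linking; returns {name: [problems]}."""
    report = {}
    for name, expected in manifest.items():
        image, problems = binaries.get(name), []
        if image is None:
            problems.append("missing")
        else:
            if hashlib.sha256(image).hexdigest() != expected:
                problems.append("hash mismatch")
            try:
                if not is_statically_linked(image):
                    problems.append("dynamically linked")
            except ValueError as err:
                problems.append(str(err))
        report[name] = problems
    return report


def fake_elf(phdr_types):
    """Constructed sample: ELF64 header plus bare program headers, no code."""
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"                        # magic, ELFCLASS64, LSB
    struct.pack_into("<Q", ehdr, 0x20, 64)               # table follows the header
    struct.pack_into("<HH", ehdr, 0x36, 56, len(phdr_types))
    return bytes(ehdr) + b"".join(struct.pack("<II6Q", t, *[0] * 7) for t in phdr_types)


# Constructed toolkit: "ls" is static (PT_LOAD only), "ps" needs an interpreter.
STATIC_LS, DYNAMIC_PS = fake_elf([1]), fake_elf([3, 1, 2])
TOOLKIT = {"ls": STATIC_LS, "ps": DYNAMIC_PS}
MANIFEST = {"ls": hashlib.sha256(STATIC_LS).hexdigest(),
            "ps": hashlib.sha256(DYNAMIC_PS).hexdigest(),
            "netstat": "0" * 64}                          # placeholder hash, never copied
```

Running `verify_toolkit(TOOLKIT, MANIFEST)` reports `ls` clean, `ps` as dynamically linked and `netstat` as missing; in practice the manifest is built on a clean machine and carried with the media, never generated on the suspect host.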
