[ale] Linux Firewall

Jacob Langseth jlangseth at vodavi-ct.com
Thu Apr 8 18:04:41 EDT 1999


Rattle [SMTP:rattle at tlorah.net] wrote:
> Hopefully, immediately after the box was hacked you made a complete backup
> of it before doing ANYTHING.  The second you discover a box has been
> hacked, back it up.  You don't want to risk messing up any evidence.
> Chances are they were sloppy and you would have no trouble tracking the
> cracker(s) down.

Actually, if it's evidence you're after, a simple backup isn't quite
what you want.  Turn the power off immediately, or if you're
running 2.2.x, hit the Magic SysRq key.  Remove the drives
and perform an exact duplication.  If at all possible, conduct
the rest of your diagnostic / forensic work on the duplicated
drive rather than the original.

This is done to preserve any and all information the filesystem may
contain, such as executables which may have unlinked themselves
after execution, removed files which could potentially be linked to
the culprit, etc.  In short, DO back it up - but make it an EXACT
backup.  No shutdown, and tar isn't going to cut it.

Duplicating the drive can be done using hard drive duplication
equipment if you're lucky enough to have some handy, or by
placing the drive in another system and doing something like
	dd if=/dev/<source drive> of=/dev/<target drive>
If you don't have an extra drive, but have enough disk space
available, I believe you can get away with substituting a file
for <target drive>.  Make sure you have enough space for the entire,
sector-by-sector copy, though.

Perhaps someone should write an evidence gathering howto?
I certainly don't have the qualifications, but would love to see one.

Come to think of it, this is exactly the type of stuff I would like to
see come out of the newly formed government task forces for fighting
computing crime.  Instructions on what to do when a breakin is
detected, how to collect evidence, whom to notify, etc.  Anyone
know if such instructions exist?  If not, is there anyone qualified
and willing to write a mini-howto?  The benefits this would have
for the community cannot be stressed enough...

--
Jacob Langseth
Vodavi-CT, Inc.		<jlangseth at vodavi-ct.com>
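The dd duplication the post describes, worked through as an added example (this is not code from the original post or from the ALE list). The suspect "drive" is a constructed 1 MiB file so the script runs offline; on a real case SRC would be the block device you moved into a clean analysis box. The function names, the conv=noerror,sync flags, the free-space check and the hash comparison are additions of mine, not something the post spells out.

```shell
#!/bin/sh
# Added example, not from the original post: sector-by-sector imaging of a
# suspect drive into a file with dd, with a free-space check first and a
# hash comparison afterwards. SRC is a constructed sample file here; on a
# real case it is the block device (e.g. /dev/sdb, an assumption) attached
# to a separate, trusted system, never the compromised host itself.
set -eu

# Size in bytes of SRC: blockdev(8) for a block device, wc for a plain file.
source_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# SHA-256 of a file, with whichever tool the box has.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Refuse to start an image that cannot fit: dd would stop part way and leave
# a truncated copy that looks complete until you check it.
check_space() {
    need_kb=$(( ( $(source_bytes "$1") + 1023 ) / 1024 ))
    have_kb=$(df -Pk "$(dirname "$2")" | awk 'NR==2 {print $4}')
    [ "$have_kb" -ge "$need_kb" ]
}

# The copy itself. conv=noerror keeps reading past bad sectors and conv=sync
# zero-pads each short read so later offsets stay aligned. Because sync also
# pads the final block to a full bs, bs must divide the source size or the
# image ends up longer than the disk: 64 KiB when that divides evenly,
# the 512-byte sector size otherwise.
image_drive() {
    src=$1; img=$2
    check_space "$src" "$img" || { echo "not enough space for $src at $img" >&2; return 1; }
    size=$(source_bytes "$src")
    bs=65536
    [ $(( size % bs )) -eq 0 ] || bs=512
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"   # analysis happens on the image; nothing should write to it
}

# Independent check: same length and same hash as the source. A mismatch means
# unreadable sectors were zero-padded or the copy failed; record it either way.
verify_image() {
    [ "$(source_bytes "$1")" -eq "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Constructed sample "drive": 1 MiB of zeros with a string planted half way
# in, standing in for data an unlinked file left behind in unallocated space.
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'unlinked cracker.log still on disk\n' |
        dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Count lines of the raw image containing a string: a search over every
# sector, including ones no file-level backup (tar) would ever have copied.
image_has_string() {
    grep -ac "$2" "$1"
}

main() {
    work=$(mktemp -d)
    make_sample_drive "$work/suspect.disk"
    image_drive "$work/suspect.disk" "$work/suspect.img"
    if verify_image "$work/suspect.disk" "$work/suspect.img"; then
        echo "image verified, sha256 $(hash_of "$work/suspect.img")"
    else
        echo "image does NOT match source" >&2; rm -rf "$work"; exit 1
    fi
    echo "lines mentioning cracker.log in raw image: $(image_has_string "$work/suspect.img" cracker.log)"
    rm -rf "$work"
}

main "$@"
```

Note the hash printed by main: write it down (and the hash of the original drive) before anything else touches either, since that pair is what later lets you show the image is a faithful copy. Disks with unreadable sectors will not hash-match, which is expected; the point is that you know and can document it.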