Notes:
Only copies of the disk images were used for forensic study. MD5 checksums were verified prior to every use of the disk images to ensure integrity. The disk images were stored on a hardened and physically secure system while under investigation.
Shell environment variables were employed to make navigation between the host filesystems and the compromised system easier. $ROOT $ROOTKIT