The HoneyNet Forensic Challenge
Collection and Preservation of Evidence
Once compromised, you cannot trust the system
Use known good binaries from a CD-ROM or floppy
Don't do anything that would modify data (including timestamps) on the system
[From another host 192.168.1.1 - listening]
# nc -l -p 32000 > compromised_hda1.dd
[from compromised host - sending]
# /mnt/cdrom/dd if=/dev/hda1 | /mnt/cdrom/nc -n 192.168.1.1 32000
After the data is collected, pull the power cord. Don't run shutdown: the shutdown scripts may have been modified to delete data, and even a clean shutdown writes to the disk.
Notes:
The Linuxcare Bootable Business Card rescue CD is great for this (but you need to boot from it: its filesystem is compressed, so its binaries cannot simply be run off the CD from the running system).
When copying disk images, don't forget the swap partition! It can hold pages from the intruder's processes.
Note the literal IP address (and nc -n) on the compromised system: its resolver configuration, /etc/hosts and DNS CANNOT be trusted, and a lookup would also be extra traffic from the box.
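The procedure above (trusted binaries off the CD, dd piped into nc by literal IP, every partition including swap), as an added example script that is not part of the slide or the HoneyNet materials. It extends the slide in one way: the bytes are hashed in flight on the sending side so the collector can prove its copy is identical. Assumptions are mine: the trusted tools are under $TOOLS, the hash files go to $EVIDENCE (a floppy or other trusted medium, never the suspect disk), $SCRATCH is memory-backed (tmpfs) so the FIFO used for hashing touches no evidence, one listener port per device on the collector, and sha256sum as the hash (the slide uses none).

```bash
#!/bin/bash
# Added example, not the slide's own commands. Image partitions over netcat
# with a sender-side hash for later verification on the collector.
TOOLS=${TOOLS:-/mnt/cdrom}        # known-good binaries (assumed location)
EVIDENCE=${EVIDENCE:-/mnt/floppy} # where hash files are written (assumed)
SCRATCH=${SCRATCH:-/dev/shm}      # tmpfs for the hashing FIFO (assumed)
PATH="$TOOLS:$PATH"               # trusted copies shadow the suspect system's binaries

# check_tools: fail unless every tool used below exists on the trusted medium.
check_tools() {
    local t
    for t in dd nc tee sha256sum cut mkfifo mktemp rm; do
        [ -x "$TOOLS/$t" ] || { echo "missing trusted $t in $TOOLS" >&2; return 1; }
    done
}

# send_image DEV HASHFILE SINK...: read DEV exactly once, pipe the bytes into
# SINK (e.g. nc -n 192.168.1.1 32000) and write their SHA-256 to HASHFILE.
# The hash is taken from a tee'd copy through a FIFO, so no second read of the
# disk is needed and nothing is staged on the suspect filesystem.
send_image() {
    local dev=$1 hashfile=$2; shift 2
    local dir fifo hpid rc
    dir=$(mktemp -d "$SCRATCH/img.XXXXXX") || return 1
    fifo=$dir/fifo
    mkfifo "$fifo" || { rm -rf "$dir"; return 1; }
    sha256sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    hpid=$!
    dd if="$dev" bs=64k 2>/dev/null | tee "$fifo" | "$@"
    rc=$?                      # exit status of the sink
    wait "$hpid"               # hash file is complete once this returns
    rm -rf "$dir"
    return "$rc"
}

# image_host HOST PORT DEV...: ship each device (data and swap partitions) in
# turn; device N goes to PORT+N, so the collector pre-starts one listener per
# device and no connection is attempted before a listener exists.
image_host() {
    local host=$1 port=$2 dev; shift 2
    check_tools || return 1
    for dev in "$@"; do
        send_image "$dev" "$EVIDENCE/${dev##*/}.sha256" nc -n "$host" "$port" || return 1
        port=$((port + 1))
    done
}

# receive_image PORT OUTFILE: run on the collector, listen once, write the stream.
# "-l -p" is the traditional netcat syntax the slide uses; OpenBSD nc takes "-l PORT".
receive_image() {
    nc -l -p "$1" > "$2"
}

# verify_image FILE HASHFILE: compare the collector's copy with the sender-side hash
# (the hash file travels on the trusted medium, not over the same channel).
verify_image() {
    local got want
    got=$(sha256sum "$1" | cut -d' ' -f1)
    want=$(cat "$2")
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Usage (collector at 192.168.1.1, suspect host with /dev/hda1 and swap on /dev/hda2):
#   collector:    receive_image 32000 hda1.dd & receive_image 32001 hda2.dd &
#   suspect host: image_host 192.168.1.1 32000 /dev/hda1 /dev/hda2
#   collector:    verify_image hda1.dd hda1.sha256 && verify_image hda2.dd hda2.sha256
```

Every file the suspect host touches is on the CD, the floppy or tmpfs; the listener must already be up for each port before image_host runs, otherwise nc fails and the partition is skipped with a non-zero status rather than silently.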