The HoneyNet Forensic Challenge -- Analysis & Findings
Mounting the disk images
# mount -o ro,loop,nodev,noexec \
/mnt/cracked_raw/honeypot.hda?.dd \
/mnt/cracked_box/{mountpoint}
- Techniques and Processes
  - Preliminary analysis was performed manually using standard Linux commands and utilities.
  - Recovery of deleted inodes and low-level analysis of filesystems was done using debugfs.
Notes:
Only copies of the disk images were used for forensic study. MD5 checksums were verified prior to every use of the disk images to ensure integrity. The disk images were stored on a hardened and physically secure system while under investigation.
Shell environment variables ($ROOT, $ROOTKIT) were employed to make navigation between the host filesystems and the compromised system easier.
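The verify-before-use rule from the notes can be enforced by a small wrapper that refuses to hand out the read-only mount command unless every image copy still matches its recorded MD5. This is an added example, not part of the original analysis; the manifest name `MD5SUMS` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: gate every use of the image copies on an MD5 check.
# Assumption: the image directory holds a manifest named MD5SUMS in
# md5sum's own format ("<hash>  <file>"), written when the copies were made.

# verify_images DIR
# Returns 0 only if every image listed in DIR/MD5SUMS still matches,
# 2 if the manifest is missing, 1 on any mismatch or missing image.
verify_images() {
    dir=$1
    if [ ! -r "$dir/MD5SUMS" ]; then
        echo "no readable manifest in $dir" >&2
        return 2
    fi
    ( cd "$dir" && md5sum -c MD5SUMS >/dev/null 2>&1 ) || {
        echo "checksum mismatch in $dir, do not mount" >&2
        return 1
    }
}

# ro_mount_cmd IMAGE MOUNTPOINT
# Prints the mount command with the options used on this page:
# read-only, loop device, no device nodes, no execution from the image.
ro_mount_cmd() {
    printf 'mount -o ro,loop,nodev,noexec %s %s\n' "$1" "$2"
}

# checked_mount_cmd DIR IMAGE MOUNTPOINT
# Prints the mount command only after the whole image set verifies.
# The command is printed rather than run because mount needs root;
# the examiner reviews it and runs it from the root shell.
checked_mount_cmd() {
    verify_images "$1" || return 1
    ro_mount_cmd "$1/$2" "$3"
}

# Optional command-line use: script.sh DIR IMAGE MOUNTPOINT
if [ "$#" -eq 3 ]; then
    checked_mount_cmd "$@"
fi
```

Because the whole manifest is checked, a change to any one partition image blocks mounting of all of them until the discrepancy is explained.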