brian-carrier

• The analysis is a fine piece of work, especially deleted files by name and references to RedHat advisories and Bugtraq.

• The summary is excellent. :-)

• The advisory is good. Includes reference to RH patch site.

• Excellent writeups, easy to read and understand. Clear use of whitespace.

• Like techniques.txt, which gave an overview of how you attacked the analysis. Would love to see some screen shots of your analysis tools.

• Brian produced a very readable timeline and thorough explanation of the location of data in deleted filespace (a function of the TCTUTILS and "autopsy" broswer tools he developed for this purpose.) Brian's coding resulted in an efficiency in dealing with i-node attributes (including deleted file and directory processing) that resulted in very detailed analysis of intruder activity.

• He included a separate description of tool use, which is very helpful for those learning forensic analysis techniques.