marco

• Mactime analysis does not include deleted files (uses debugfs instead).

• Uses e2recover for file recovery.

• Good lastlog analysis finds non-existent user.

• Recovered parts of deleted tar files.

• Good origins of /usr/man/.Ci files.

• Detects libc differences in /usr/man/.Ci files.

• Recovers deleted messages from free blocks.

• Recovers environments from swap.

• Recovers /proc/net/tcp from swap.

• Recovers logging from swap.

• Recovers rootkit install from free blocks (link bash history, install modified system utilities, install rpms, sshd).

• Recovers ssh tar, named tar.

• Recovers passwd+shadow entries.

• No disassembly.

• Little checksum analysis.

• Identification of intrusion method is OK, but mis-estimates clock skew between IDS and victim host.

• Produced a good list of replaced programs in Ci_log file.

• See Ci_log for origins, backdoors, config files, no advisories.

• Semi-detailed time line, references some files that are not shipped with the submission.

• Summary report is very short, perhaps too short. But the essential information is there.

• Advisory over-estimates the impact of sniffers/password grabbers, as no evidence exists that passwords were actually recorded. The "how to detect" refers to evidence.txt, rather than summarizing. The "how to protect" instructions are not specific enough (install specific RPM).

• Files overall are relatively rough material.

• Technically he is on the right track.

• Uses standard tools, occasionally writes a modified version to get what he wants (blowfish decryptor, lastlog dumper).

• Excellent technical analysis, great point in advisory.txt. Especially liked the PERL script for the decryption and the data pulled out of swap.

• Difficult to read at times (though evidence.txt was well written). Also, more information on how you obtained the data would have been helpful.

• Used an ongoing investigative log technique in his "Changelog" file, which timestamps and annotates his activites during the investigation. This is preferable to the method that I commonly use, which is to build the "evidence.txt" file in chronological order, but working on sections in an ad-hoc way and moving them around to fit the activity timeline.