
Preliminary tasks


Before starting the investigation of the compromised system, we completed a few preparatory tasks. The actions taken and the information considered are:
  1. Extraction of the printable-character strings from the following VMware files:
      • linux.vmdk
      • linux.vmss

     Strings are retrieved with the following commands:
    strings linux.vmdk > result-vmdk
    strings linux.vmss > result-vmss
     The output of these commands is useful when responding to the incident; several traces will be extracted from these files.
  2. Prepare a trusted toolkit. This toolkit is a set of tools used for the investigation, compiled from source or taken from a clean copy of Linux Red Hat 7.2. The tools used for the investigation are:
    netstat
    ps
    find
    more
    ls
    cat
    file
    lsof
    strings
    md5sum
    vi
    icat
    sh
    grep
    locate
    awk
    batchfile

    The above tools are renamed by prepending the letter "i" to each tool's name. For example, the netstat tool is replaced by inetstat. This is a precaution against accidentally running an untrusted version of these commands.
    There are other tools, but those presented above are the commands used for this investigation. This toolkit is essential because attackers often trojan the Linux system commands.
  3. Information retrieved during the initial response will be stored on external media (a floppy disk).
  4. The compromised system is currently running in console mode with root-level privileges.
  5. The system was compromised on August 10, 2003.
    NOTE: ALL the commands indicated in the answers to the questions are located on a floppy disk. For clarity, the floppy path is not mentioned in the command-line listings.
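As an added example (not part of the original write-up), the following POSIX shell script builds the toolkit described in step 2: it copies each tool from a clean Red Hat 7.2 tree rather than from the suspect system's PATH, prefixes the copy with "i", and records an md5sum manifest computed with the trusted md5sum so the floppy's tools can be verified before each use. The mount points /mnt/clean and /mnt/floppy are assumptions.

```shell
#!/bin/sh
# Added example: build and verify a trusted toolkit as described in the write-up.
# Assumed paths: clean-root = mount point of a clean Red Hat 7.2 install
# (e.g. /mnt/clean), toolkit-dir = destination on the floppy (e.g. /mnt/floppy/toolkit).

TOOLS="netstat ps find more ls cat file lsof strings md5sum vi icat sh grep locate awk"

# build_toolkit <clean-root> <toolkit-dir>
build_toolkit() {
    clean_root=$1
    dest=$2
    mkdir -p "$dest" || return 1
    for tool in $TOOLS; do
        # Look for the tool only inside the clean tree, never via the suspect PATH.
        src=""
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            if [ -x "$clean_root/$dir/$tool" ]; then
                src="$clean_root/$dir/$tool"
                break
            fi
        done
        if [ -z "$src" ]; then
            echo "warning: $tool not found under $clean_root" >&2
            continue
        fi
        # Prepend "i" so the trusted copy never collides with the system command.
        cp "$src" "$dest/i$tool" || return 1
        chmod 755 "$dest/i$tool" || return 1
    done
    # Manifest of the trusted copies, computed with the trusted md5sum itself.
    (cd "$dest" && ./imd5sum i* > MANIFEST.md5) || return 1
}

# verify_toolkit <toolkit-dir>: returns 0 only if every tool matches the manifest.
verify_toolkit() {
    (cd "$1" && ./imd5sum -c MANIFEST.md5 >/dev/null 2>&1)
}
```

Run verify_toolkit on the floppy before each use of the toolkit; a mismatch means a trusted tool was altered and the floppy should be rebuilt from the clean source.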