[sf-lug] sf-lug Digest, Vol 46, Issue 26
mai wurd
maiwurd at gmail.com
Wed Nov 18 13:06:42 PST 2009
Subject: forensics with Linux
First, if this is a significant/potential financial breach DO NOTHING TO THE
BOX. Turn it over to the police. Preserve the "Crime Scene": once you boot
it up via any method, the metadata is compromised and taints the audit trail.
If you just want to perform your own audit, use a computer forensics tool
e.g. SleuthKit...http://www.sleuthkit.org/ etc.
Brad
On Wed, Nov 18, 2009 at 12:00 PM, <sf-lug-request at linuxmafia.com> wrote:
> Send sf-lug mailing list submissions to
> sf-lug at linuxmafia.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://linuxmafia.com/mailman/listinfo/sf-lug
> or, via email, send a message with subject or body 'help' to
> sf-lug-request at linuxmafia.com
>
> You can reach the person managing the list at
> sf-lug-owner at linuxmafia.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sf-lug digest..."
>
>
> Today's Topics:
>
> 1. Re: SF-LUG DNS (jim)
> 2. forensics with Linux (Pseudo Anonymous)
> 3. BayPIGgies meeting Thursday November 19, 2009: Python in
> Computational Biology and Chemistry (jim)
> 4. Re: forensics with Linux (Rick Moen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 17 Nov 2009 21:06:22 -0800
> From: jim <jim at well.com>
> Subject: Re: [sf-lug] SF-LUG DNS
> To: Rick Moen <rick at linuxmafia.com>
> Cc: sf-lug at linuxmafia.com
> Message-ID: <1258520782.8131.6.camel at jim-laptop>
> Content-Type: text/plain
>
>
>
> jim was studying diligently until the dentist
> pulled out one of his teeth and filled him with
> pain pills. jim will study more in the morning.
>
>
>
> On Tue, 2009-11-17 at 12:17 -0800, Rick Moen wrote:
> > Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
> >
> > > Yes, definitely still stuff to be done (I keep hoping Jim or someone
> > > else will get SF-LUG.COM. DNS squared away before the secondary expires
> > > the zone ... but if the timing gets too close on that, I plan to correct
> > > it - and in the meantime Jim Stockford and/or other SF-LUG.COM.
> > > systems/DNS administrators can contact me if they need assistance or
> > > have questions).
> >
> > If need be, it's simple to prevent zone expiration by temporarily
> > telling the secondary that it's master for the zone (until the
> > replacement master is ready).
> >
> > > Actually, by coincidence, turns out the "new" (substituted) master DNS
> > > server is ... well, will be anyway, on the same IP (host is there, but
> > > last I checked it's not yet serving up DNS nor particularly being DNS
> > > for SF-LUG.COM.).
> >
> > OK, good for me, then. ;-> Everything should Just Work when Jim has
> > the master DNS back online.
> >
> >
> > > # cat var/named/chroot/var/named/sf-lug.com
> > > $TTL 86400
> > > $ORIGIN sf-lug.COM.
> > > @ IN SOA ns1.sf-lug.com. jim.well.com. (
> > > 2007102904 ;Serial
> > > 3600 ;refresh period
> > > 3600 ;retry period
> > > 1209600 ;expire period
> > > 10800) ;minimum TTL period
> > > ;
> >
> > Minor correction: The last SOA sub-field hasn't signified "minimum TTL
> > period" since BIND4 days. The above annotation is a dusty holdover,
> > probably copied from an old example file, and should be replaced. The
> > newer purpose of that subfield is "negative TTL" aka "negative
> > caching", which is how many seconds a nameserver should cache a NAME
> > ERROR (NXDOMAIN) record.
> >
> > FYI, the value you specify, 10800 = 3 hours, is the longest time period
> > for negative caching allowed by RFCs.
> >
> > FWIW, I tend to use these values in SOAs:
> >
> > 7200 ; refresh 2 hours
> > 3600 ; retry 1 hour
> > 2419200 ; expire 28 days
> > 10800 ; negative TTL 3 hours
> >
> >
> >
> > [snip suggested steps when moving master DNS]
> >
> > > Yes, ... not quite the situation in this case.
> >
> > True, those remarks having been based on the assumption of moving master
> > DNS to a new IP.
> >
> > It's still good to let your secondaries know about planned downtime.
> > Which of course means it's a good idea to keep contact information in
> > your /etc/named.conf[.local].
> >
> >
> >
> > _______________________________________________
> > sf-lug mailing list
> > sf-lug at linuxmafia.com
> > http://linuxmafia.com/mailman/listinfo/sf-lug
> > Information about SF-LUG is at http://www.sf-lug.org/
> >
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 18 Nov 2009 07:05:33 -0800
> From: Pseudo Anonymous <pseudo.anonymous70 at gmail.com>
> Subject: [sf-lug] forensics with Linux
> To: sf-lug at linuxmafia.com
> Message-ID:
> <c4e67a470911180705re87c76akc0292ca8de8e8196 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> forensics with Linux
>
> Let's say someone hands us a laptop that is or likely has been
> compromised. Let's say we actually want to preserve an exact image
> copy of the laptop hard drive. Let's say we also want to compute some
> secure cryptographic hashes of entire laptop hard drive and
> digitally sign - such as with gpg - those hashes and statement about
> those hashes. Let's say we've got quite sufficiently large external
> USB drive that we can attach and that wasn't at all involved in
> compromise and hasn't been attached to that laptop before.
>
> So, how would we best proceed to: boot Linux off of CD or DVD (or
> possibly even USB stick) and make absolutely no write access to the
> laptop hard drive - e.g. nothing that would automatically or by default
> mount or attempt to mount anything on the laptop filesystem(s) rw?
> We'd also want to be sure nothing attempts to run/boot/execute anything
> off the laptop hard drive. Let's say we've got someone that well knows
> how to wield fdisk/cfdisk/sfdisk/mke2fs/dd/gpg/openssl, and at least
> most common Linux systems administration tasks, but may or may not be a
> forensics expert, and we're mostly interested in preserving evidence of
> state and data of laptop hard drive.
>
> Any particular recommendations of handy readily available Linux
> distribution that would be best/easiest to accomplish these tasks -
> such as run from live CD image, and if needed, including actions or
> boot options to ensure it doesn't make or attempt to make any write
> access to laptop hard drive by default including having it not making
> nor attempting to make any rw mounts of laptop filesystem(s).
>
> And for the legal or legally inclined folks, particular recommendations
> for evidence preservation/handling for possible use in criminal and/or
> civil case(s) in such described situation?
>
> Thanks in advance for the information.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 18 Nov 2009 08:48:33 -0800
> From: jim <jim at well.com>
> Subject: [sf-lug] BayPIGgies meeting Thursday November 19, 2009:
> Python in Computational Biology and Chemistry
> To: sf-lug at linuxmafia.com
> Message-ID: <1258562913.8131.26.camel at jim-laptop>
> Content-Type: text/plain
>
>
> (NOTE: Because of Thanksgiving, BayPIGgies meets in November
> on the third, not the fourth, Thursday of the month.
>
> And next month BayPIGgies will meet on December 14: the
> second MONDAY of the month.)
>
>
> BayPIGgies meeting Thursday November 19, 2009:
>
> Tonight's talk is
> * Python in Computational Biology and Chemistry
> by Andrew Dalke
>
> Meetings start with a Newbie Nugget, a short discussion of an
> essential Python feature, especially for those new to Python.
> Tonight's Newbie Nugget: chaining operators
>
> LOCATION
> Symantec Corporation
> Symantec Vcafe
> 350 Ellis Street
> Mountain View, CA 94043
>
> http://maps.google.com/maps/ms?oe=utf-8&client=firefox-a&ie=UTF8&fb=1&split=1&gl=us&ei=w6i_Sfr6MZmQsQOzlv0v&hl=en&t=h&msa=0&msid=116202735295394761637.00046550c09ff3d96bff1&ll=37.397693,-122.053707&spn=0.002902,0.004828&z=18
>
> BayPIGgies meeting information is available at
> http://www.baypiggies.net/
>
>
> ------------------------ Agenda ------------------------
>
> ..... 7:30 PM ...........................
> General hubbub, inventory end-of-meeting announcements, any
> first-minute announcements.
>
>
> ..... 7:35 PM to 7:40 PM ................
> Newbie Nugget: chaining operators
>
>
> ..... 7:40 PM to 8:45 PM (or so) ................
>
> Python in Computational Biology and Chemistry
> by Andrew Dalke
>
> Andrew will describe how Python is used in molecular modeling,
> bioinformatics, chemoinformatics, and related fields.
>
> Wait! Don't leave!
>
> You're not a researcher in these fields and he knows it. He's
> going to give a taste of what the underlying problems are in some
> of those subfields, an idea of what Python tools are available
> and describe a few of the reasons why sometimes Perl, FORTRAN, or
> another language is the dominant language for that domain.
> There will be some colorful pictures. He'll also include a bit of
> what it's like to be a software developer in a scientific field.
>
> LINKS: http://dalkescientific.com/writings/
>
>
> ..... 8:45 PM to 9:20 PM ................
> Mapping and Random Access
>
> Mapping is a rapid-fire audience announcement of issues, hiring,
> events, and other topics.
>
> Random Access follows immediately to allow follow up individually
> on the announcements and other interests.
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 18 Nov 2009 09:32:42 -0800
> From: Rick Moen <rick at linuxmafia.com>
> Subject: Re: [sf-lug] forensics with Linux
> To: sf-lug at linuxmafia.com
> Message-ID: <20091118173242.GL6625 at linuxmafia.com>
> Content-Type: text/plain; charset=utf-8
>
> Quoting Pseudo Anonymous (pseudo.anonymous70 at gmail.com):
>
> > Any particular recommendations of handy readily available Linux
> > distribution that would be best/easiest to accomplish these tasks -
> > such as run from live CD image, and if needed, including actions or
> > boot options to ensure it doesn't make or attempt to make any write
> > access to laptop hard drive by default including having it not making
> > nor attempting to make any rw mounts of laptop filesystem(s).
>
> Check with the applicable legal authorities about which of these are
> deemed to result in admissible evidence:
>
> DEFT Linux CD, http://www.deftlinux.net/
> CAINE Live CD, http://www.caine-live.net/
> FCCU GNU/Linux Forensic Boot CD, http://www.lnx4n6.be/
> Grml, http://grml.org/
> Helix3, https://www.e-fense.com/store/index.php?_a=viewProd&productId=11
> (proprietary no longer maintained)
> Helix3 Pro, http://www.e-fense.com/helix3pro.php (proprietary)
> Masterkey Linux, http://www.e-fense.com/helix3pro.php
> SPADA, http://spada-cd.info/
> The Farmer's Boot CD, http://www.forensicbootcd.com/
> Operator, http://www.ussysadmin.com/operator/
> Knoppix-STD, http://www.knoppix-std.org/
> Inside Security Rescue Toolkit,
> http://www.inside-security.de/insert_en.html
>
>
>
>
> ------------------------------
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
>
> End of sf-lug Digest, Vol 46, Issue 26
> **************************************
>
--
Always think about positive affirmations before going to sleep. This spirit
guides our subconscious as we sleep and creates our reality.
Giving thanks, for that which has not happened yet, allows a spirit/life
pattern to manifest in our lives.
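The acquisition described in the "forensics with Linux" message (image the whole drive onto a clean external disk without writing to it, hash the result, sign a statement about the hashes), worked through as an added shell example. This is not code from the thread, from Brad, Rick or any of the live distributions Rick lists; it assumes the live system exposes the suspect disk as an unmounted block device (`/dev/sda` here), that the external drive is mounted at `/mnt/evidence`, GNU coreutils/util-linux versions of `dd`, `tee`, `sha256sum` and `blockdev`, and an optional default `gpg` key. Keeping the live system from auto-mounting the laptop's filesystems in the first place is the job of the boot medium's own forensic mode; this script only covers what happens after that.

```shell
#!/bin/sh
# Added example, not code from the sf-lug thread: read-only acquisition of
# a suspect disk onto a clean external drive, with a hash taken from the
# bytes as they are read and checked against the finished image.
#
# Assumptions (not stated in the thread): the suspect disk is an unmounted
# block device such as /dev/sda; the external drive is at /mnt/evidence;
# dd, tee, sha256sum and blockdev are the GNU/util-linux versions; gpg is
# optional.

set -eu

# mark_readonly DEV: have the kernel refuse writes to the device before
# anything else touches it. Not a substitute for a hardware write blocker,
# but it stops a stray mount or fsck from the live system.
mark_readonly() {
    blockdev --setro "$1"
    [ "$(blockdev --getro "$1")" = "1" ]
}

# hash_of PATH: SHA-256 of a file or device as a bare hex string.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC IMG: read SRC exactly once, write it to IMG and print the
# SHA-256 of the bytes read. bs=512 with conv=noerror,sync keeps going past
# an unreadable sector and pads only that sector with zeros, so offsets in
# the image still match the source; for visibly failing media GNU ddrescue
# is the better tool.
acquire() {
    dd if="$1" bs=512 conv=noerror,sync 2>"$2.dd.log" \
        | tee "$2" | sha256sum | cut -d' ' -f1
}

# verify_image IMG EXPECTED: re-hash the written image, record both values
# in a manifest beside it, and return 0 only when they agree.
verify_image() {
    img_hash=$(hash_of "$1")
    {
        echo "image: $1"
        echo "sha256 read from source: $2"
        echo "sha256 of written image: $img_hash"
        echo "verified at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$1.manifest"
    [ "$img_hash" = "$2" ]
}

# sign_manifest IMG: clearsign the manifest with the default gpg key so the
# statement of hashes can be checked later; returns 2 when gpg is absent.
sign_manifest() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --yes --clearsign "$1.manifest"
}

# Against real hardware the sequence would be (paths are assumptions):
#   mark_readonly /dev/sda
#   h=$(acquire /dev/sda /mnt/evidence/laptop.img)
#   verify_image /mnt/evidence/laptop.img "$h" \
#       && sign_manifest /mnt/evidence/laptop.img
```

The hash is computed from the stream as it leaves `dd`, so the source is read only once and the later `verify_image` pass detects a truncated or corrupted write rather than re-reading a possibly marginal drive. `dd`'s own error and byte-count report lands in `IMG.dd.log`, which is worth keeping with the manifest since it records any padded sectors.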
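Rick's correction about the last SOA field (it is the negative-caching TTL, not a "minimum TTL", and the quoted sf-lug.com file carries the stale annotation) as an added shell check. This is not code from the thread; it assumes a classic multi-line BIND zone file with `;` comments, like the one Jim quoted, and applies the usual sanity rules for the timers: retry shorter than refresh, expire longer than refresh plus retry, and the negative TTL no longer than the 3-hour figure discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the sf-lug thread: pull the SOA timers out of a
# BIND zone file and report them under their current names, so the stale
# ";minimum TTL" comment cannot mislead whoever edits the file next.
# Assumes a parenthesised multi-line SOA with ';' comments.

set -eu

# soa_fields FILE: prints "serial refresh retry expire negttl" from the
# first SOA record. Comments are dropped, the record is joined onto one
# line, MNAME and RNAME are skipped, and the next five integers are taken
# (parentheses are ignored wherever they appear).
soa_fields() {
    sed 's/;.*//' "$1" | tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "SOA") {
            n = 0; out = ""
            for (j = i + 3; j <= NF && n < 5; j++) {
                t = $j; gsub(/[()]/, "", t)
                if (t ~ /^[0-9]+$/) { out = out (n ? " " : "") t; n++ }
            }
            print out; exit
        }
    }'
}

# check_soa FILE: prints each timer with its present-day meaning and warns
# about the combinations that make secondaries go stale or expire early.
# Returns 0 when clean, 1 with warnings, 2 when no SOA was found.
check_soa() {
    set -- $(soa_fields "$1")
    [ $# -eq 5 ] || { echo "no SOA record found" >&2; return 2; }
    serial=$1 refresh=$2 retry=$3 expire=$4 negttl=$5
    echo "serial=$serial refresh=$refresh retry=$retry expire=$expire negative-ttl=$negttl"
    rc=0
    if [ "$retry" -ge "$refresh" ]; then
        echo "warn: retry ($retry) should be shorter than refresh ($refresh)"; rc=1
    fi
    if [ "$expire" -le $((refresh + retry)) ]; then
        echo "warn: expire ($expire) must exceed refresh+retry"; rc=1
    fi
    if [ "$negttl" -gt 10800 ]; then
        echo "warn: negative TTL ($negttl) above 3 hours"; rc=1
    fi
    return $rc
}

# Usage: check_soa /var/named/chroot/var/named/sf-lug.com
```

Run against the sf-lug.com file quoted above, the check flags only that retry (3600) is not shorter than refresh (3600); Rick's suggested values (7200/3600/2419200/10800) pass clean.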