[Dshield] team amber alert server compromised

John Dietz www.whitewolf at gmail.com
Mon Aug 21 13:26:59 GMT 2006


Yes, simply by logging on to the system, you introduce changes, however
minor they might seem.  These changes can affect file access times and
potentially be rather damaging to your case.  Personally, I would recommend
mounting the drive read-only as a slave and running dd (Disk Druid) to make
a forensically sound copy of the drive.  The image can then be used by a
forensics examiner to evaluate the evidence.  After you have that image, I
would still recommend not using the drive until all investigations are over,
if at all possible, except to copy all needed files to a new drive to get
your site back up and operational.  If not possible, you should at least
wait to talk to the person performing the investigation before using the
drive.

Unfortunately, I don't have any spare time to donate, but I will do my best
to answer any questions you might have, or point you in the right direction
of someone else who may know the answer.

~John

-- 
There is intelligence in having all the answers, but wisdom lies in
knowing which of the questions to answer.

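The imaging step described in the message above, as an added example that is not part of the original post: the source is made read-only before anything reads it, the coreutils dd utility copies it block for block, and both source and image are hashed so the copy can be shown to match and later checked for tampering. The device paths in the comments and the function names (make_sample_source, image_and_verify, check_image) are this example's own, and a constructed 1 MiB file stands in for the drive so the script runs offline without root.

```shell
#!/bin/sh
# Added example, not from the original message.
# On a real drive the first step is to stop writes and atime updates before
# anything touches the disk (device names below are placeholders):
#   blockdev --setro /dev/sdX                 # kernel refuses writes to the device
#   mount -o ro,noatime /dev/sdX1 /mnt/evidence   # only if a mount is needed at all
# Then image the raw device (/dev/sdX), never the mounted filesystem.
set -eu

# make_sample_source PATH: constructed stand-in for the evidence drive,
# 2048 sectors of 512 bytes (1 MiB) of random data.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# image_and_verify SRC DST: copy SRC to DST with dd, hash both, record the
# hashes beside the image, and return 0 only if source and image match.
image_and_verify() {
    src="$1"
    dst="$2"
    # bs=512 matches the sector size; conv=noerror,sync keeps going past an
    # unreadable sector and pads it with zeros so offsets in the image still
    # line up with the original drive.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # The hash record travels with the image and is the chain-of-custody note.
    printf '%s  source\n%s  image\n' "$src_hash" "$dst_hash" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# check_image DST: recompute the image hash and compare it with the recorded
# one; a nonzero result means the image changed after it was taken.
check_image() {
    dst="$1"
    recorded=$(awk '$2 == "image" { print $1 }' "$dst.sha256")
    current=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Stand-alone demonstration on the constructed source.
work=$(mktemp -d)
make_sample_source "$work/drive.raw"
if image_and_verify "$work/drive.raw" "$work/evidence.dd"; then
    echo "image matches source: $(cut -d' ' -f1 "$work/evidence.dd.sha256" | head -n1)"
else
    echo "hash mismatch: image is not a faithful copy" >&2
    rm -rf "$work"
    exit 1
fi
check_image "$work/evidence.dd" && echo "image unchanged since acquisition"
rm -rf "$work"
```

The hashes are taken from the raw source, not from a mounted filesystem, so the comparison covers every sector including free space and anything outside the partitions. Work from the image (or a copy of it) from then on; the original drive stays untouched until the examiner says otherwise.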