Live System Forensics - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 29

Thread: Live System Forensics

  1. #11
    It wasn't in the OP, but I wanted tools to observe the behavior of an executable. I wasn't very clear on that, sorry.

    Short of reverse engineering the file, I was looking for ways to see what parts of the OS were touched so I would know how to clean up.

    In my case, I wouldn't be analyzing the entire system, only a binary provided to me. So you folks may be debating about different situations (comprimised system, single file)

  2. #12
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Nihil, that is what is known as a process with no maturity whatsoever.

    cheers,

    catch

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Soda:

    Did you see this
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #14
    Junior Member
    Join Date
    Oct 2003
    Posts
    1
    A few thoughts.

    First - WFT is a GREAT tool. There isn;'t anything else like it that allows you to collect realtime process data on a system in a forensically sound manner. Secondly, anyone scoffing at WFT OBVIOUSLY hasn't read the configuration file. If you had any idea how much time it takes to defin all of the commands in the config file, to make sure they work, and to find better (and sometimes best) tool that collects a spcific amount of information, then you would know what a valuable tool it is.

    Second - anyone scoffing at live system forensics hasn't worked in a preassure cooker like a University where we get whacked boxes frequently. Live forensics allows us to make an inspection and within a half an hour make the "rebuild/remediate" decision w/ some intel. WFT has proven itself amply well over the past year here at my school. So much so that I developed a course for my sfaff on live system forensics, and now I have my job back.

    To wrap =>

    IF you need a tool, buy Encase and then use WFT.
    If you want to know where to look w/ Encase, than run WFT first, else you will spend three days analyzing the system becuse you don't know where to look based on current data.

    End of Line.

  5. #15
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Foolmoon: 5 messages is starting to sound a whole lot like spam... if you want to do it the right way, submit your link here - that's what it's for.

  6. #16
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Negative: I think he only posted to two threads here. He posted a total of 5 times on various boards... if I understand correclty. I only saw two posts here...

    Both threads that he posted in are relevant. maybe he just didn't know that they would be bumped up to the main page. a new thread would have been appropriate... but whatever. I'm happy that he posted the update here.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #17
    Junior Member
    Join Date
    May 2005
    Posts
    4
    Encase has a version for live forensics.

    Encase enterprise edition

    The general public version is the Enterprise Edition and is used to protect an EnterPrise network.

    It is expensive, but works well for documenting rogue processes, rogue ports along with being able to view the true file system. It understands many common filesystems such as NTFS, EXT,HFS, UFS, BSD.

    RP

  8. #18
    Banned
    Join Date
    May 2003
    Posts
    1,004
    anyone scoffing at live system forensics hasn't worked in a preassure cooker like a University where we get whacked boxes frequently. Live forensics allows us to make an inspection and within a half an hour make the "rebuild/remediate" decision w/ some intel. WFT has proven itself amply well over the past year here at my school. So much so that I developed a course for my sfaff on live system forensics, and now I have my job back.
    Anyone praising live system forensics is wasting their organization quite a bit of money in training, time, and just all around inefficient system configuration.

    At my work, all the desktop systems are set up identically, if a system has a problem it is shut down, a spare preconfigured drive is plugged in and the system is returned to a live status. All in five minutes on the outside.

    The other drive can then be analyzed outside the scope of its security policy when time permits. This approach is faster, cheaper, and higher assurance.

    cheers,

    catch

  9. #19
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    catch Once again I think your argument is sparked by semantic and terminological differences, at least I certainly hope so

    No-one in their right mind is going to leave a suspect compromised machine on their network. Over here, that is what we call the "production environment". It is just the same for a hardware failure, you pull the defective kit from the production environment and replace it. That lets the user get on with what they are supposed to be doing.

    As for "live forensics", that would be understood to be a system running in its normal configuration, but obviously not in the production environment. Other approaches would include examining hard drives on a forensics machine or in a lab, decompiling malware, and examining malware induced system changes.

    The actual theme of this thread is not about security, it is about tools that let you run malware, and tell you what it tries to do. That is "live" forensics, as opposed to a post mortem, a biopsy rather than a necropsy Obviously all that takes place in a controlled laboratory environment.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #20
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Nihil, live forensics is by definition on a live system or "a system running in its normal configuration" which is still flawed as it is possible for the security policy (or elements of the user interface for that matter) to interfere with such forensics. This means that in order to ensure a clean system you must perform the forensics on the system in a dead state.

    The ONLY reason you'd need to look at a live system is to figure out exactly where the problem was IF you don't have a map of what the system should look like. Having the system baselined beforehand completely removes the need for live forensics and should be used in all production environments.

    cheers,

    catch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides