January 22nd, 2006 03:03 PM
Initially, you said the hacker has root; therefore, you are wasting your time typing those commands since you should operate under the assumption a rootkit has been applied/installed. You should have a CD on standby with statically linked versions of those commands, that way its a little harder for the commands to be hijaacked. Regardless, before I turned the system off, I'd use memdump to dump out everything thats running to removeable media. Browsing through memory can provide useful places for you to begin your search when you do go through the filesystem.
After you get the memdump, you can use something like helix to boot from to get your image of the hdd. After that, as h3r3tic said, mount the image (though I'd add to mount it read-only and to take a md5 hash of both the memory image and the hdd image and would also consider making two copies and only playing with the second). You can then go to town looking for the evidence (helix comes with several tools) but you can also use something like autopsy (if you don't have the funds for something like encase) and use it to browse the not only the file system but slack space and through deleted files and for looking at MAC times (modify/access/created), which can be very useful for backtracking what the hacker did while in the system.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)