On Fri, 22 Jun 2012 03:48:28 +0200 "Lentes, Bernd"
>I found a solution to examine a possibly compromised system with a
>live CD. I used an Ubuntu Live CD and installed rkhunter using the
>installer script. I used the switch --layout customdir to install
>it on the disk of the suspicious system. Then I mounted all
>partitions from the suspicious system, and afterwards chrooted into
>it. When I now start rkhunter, it examines the desired system.
>Fortunately it didn't find anything. The method is a bit difficult,
>but it's working.
While talking about Incident Response and Forensics is not a topic
for this list, I should point out that the file system of a (perceived)
compromised machine should be acquired in a forensically sound way
prior to inspection, following proper procedure, unless deemed
unnecessary or prohibitive in terms of, say, size or time, or other
constraints work against the investigator. This is because it may hold
clues that could aid further investigation. Any ops on a live file
system, ranging from running tools to installing SW, alter it and
potentially destroy what could potentially be marked as evidence.
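As an added illustration of the acquire-then-inspect order described in the reply (example code, not from either poster): image the suspect volume, record and compare hashes of source and copy, and only then mount the image read-only for tools such as rkhunter. Device and mount paths are placeholders; the imaging and mount steps need root on a real system.

```shell
#!/bin/sh
# Added example, not part of the thread. Placeholders: SRC is the suspect
# block device (e.g. /dev/sdb1), DST the image file, MNT the mount point.
set -eu

# acquire_image SRC DST: bit-for-bit copy of SRC into DST, hash both,
# record the hashes next to the image, succeed only if they match.
acquire_image() {
    src="$1"; dst="$2"
    # Hash the source first so any later change to it is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # Sector-sized blocks: conv=sync pads only short reads, so a device
    # whose size is a multiple of 512 bytes is never extended; noerror
    # keeps going past unreadable sectors (the hash mismatch flags it).
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=none
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" > "$dst.sha256"
    printf '%s  %s\n' "$img_hash" "$dst" >> "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST: re-hash the image and compare against the recorded
# value; run this before and after every inspection session.
verify_image() {
    dst="$1"
    recorded=$(tail -n1 "$dst.sha256" | cut -d' ' -f1)
    current=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# mount_image_ro DST MNT: expose the image read-only for inspection.
# noload (ext2/3/4 only) skips journal replay, which would otherwise
# write to the file system; noexec/nosuid/nodev keep suspect binaries inert.
mount_image_ro() {
    mount -o ro,loop,noexec,nosuid,nodev,noload "$1" "$2"
}
```

Inspecting the mounted image (or a chroot into it, as in the quoted post) then leaves the original disk untouched, and a second verify_image run confirms the copy itself was not modified.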