Re: [sleuthkit-users] mounted origin filesystems ?
From: Brian C. <ca...@sl...> - 2003-04-25 14:28:45
Josep M Homs <jm...@me...> said:

> I wonder if it's really desirable to make the dd images from a live
> system mounting the origin hacked filesystems from it, and transferring
> the images with ssh / nc to the analysis host, or if it would be also
> correct to do it with the origin hacked system up and running with the
> filesystems mounted.
> Would I find any problems with the second option?

I'm not sure if I fully understand the question. Are you booting from a trusted OS with the first option (such as the FIRE or knoppix Linux CD)? And in the second scenario you are using the suspect OS?

Both of them will work, but in the second scenario you risk having an image that is not complete. Since it may take 10 or 15 minutes to image, a lot can change at the beginning of the disk that was imaged at time X versus time X+15 when the end of the disk is imaged.

The other downside is that you can not generate an MD5 of the disk before imaging in scenario 2. That means that you cannot verify that the imaging generated an accurate copy. Also, in the future it could be possible for attackers to modify the OS so that a live acquisition does not copy invalid data (the equivalent of a modified 'ls' now).

brian
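The verification step Brian describes for the trusted-boot case (hash the disk before imaging, image it with dd, then check the image against that hash) as an added POSIX shell example. This is not code from the thread or from The Sleuth Kit; it assumes `dd`, `md5sum` and `mktemp` are available, uses a constructed 1 MiB file as a stand-in for a block device, and uses a hypothetical helper `simulate_live_write` to stand in for filesystem activity on a mounted source so the "scenario 2" failure shows up deterministically.

```shell
#!/bin/sh
# Added example, not from the sleuthkit-users thread. Shows why a pre-imaging
# hash lets you verify an acquisition, and why a source that changes while
# (or just before) it is imaged cannot be verified that way.

# hash_of FILE: print the MD5 of FILE (md5sum is assumed to be present).
hash_of() {
    md5sum "$1" | cut -d ' ' -f 1
}

# simulate_live_write DEV: hypothetical stand-in for activity on a mounted
# filesystem; overwrites the first sector in place (notrunc keeps the size).
simulate_live_write() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# acquire_and_verify SRC IMG [ACTIVITY]
# 1. hash the source before imaging (only possible on a quiescent source),
# 2. optionally run ACTIVITY on the source, standing in for a live system,
# 3. image with dd (noerror,sync: keep going on read errors, pad bad blocks),
# 4. hash the image and re-hash the source.
# Returns 0 only when all three hashes agree.
acquire_and_verify() {
    src="$1"; img="$2"; activity="$3"
    before=$(hash_of "$src") || return 2
    if [ -n "$activity" ]; then
        "$activity" "$src" || return 2
    fi
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    image=$(hash_of "$img")
    after=$(hash_of "$src")
    printf 'source before: %s\nimage:         %s\nsource after:  %s\n' \
        "$before" "$image" "$after"
    [ "$before" = "$image" ] && [ "$image" = "$after" ]
}

# make_constructed_disk FILE: constructed test data, a 1 MiB random file used in
# place of a real device. Sized to a 512-byte multiple so conv=sync pads nothing.
make_constructed_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# demo: a quiescent source verifies; a source that changes after the
# pre-imaging hash (the live, scenario-2 case) does not.
demo() {
    dir=$(mktemp -d)
    make_constructed_disk "$dir/quiet.dd"
    if acquire_and_verify "$dir/quiet.dd" "$dir/quiet.img"; then
        echo "quiet source: image verified"
    else
        echo "quiet source: MISMATCH"
    fi
    make_constructed_disk "$dir/live.dd"
    if acquire_and_verify "$dir/live.dd" "$dir/live.img" simulate_live_write; then
        echo "live source: image verified"
    else
        echo "live source: MISMATCH (cannot prove the image is accurate)"
    fi
    rm -rf "$dir"
}

demo
```

The second case is the one Brian warns about: with the source changing underneath the copy, no hash taken before or after can vouch for the image, so the only defensible acquisition is one taken from a trusted boot with the suspect filesystems unmounted.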