December 09, 2003

Forensic Analysis of a Compromised Linux Hard Disk

Spent some time tonight at the local University doing a presentation for the LUG about forensic investigation, and how to use common Linux tools available through Knoppix-STD to do an analysis of a compromised hard disk. I promised I would put the presentation online, so here it is.

The caveat is that as I look over the presentation, I notice much of it is useless if you were not there for the live demo. Seeing a listing of steps to take and tools to use isn't as good as actually seeing me use them to do an analysis right there in front of you. Recovering deleted data directly from the lost inodes and tracing the attack sequence is kinda hard unless you know HOW to use the tools. I'm sorry I didn't think about that sooner and take screenshots or something. Oh well... hopefully you will still get some use from it.

Don't forget, you can hone your skills by heading over to the Honeynet Project and taking a crack at their challenges. It is well worth the effort, and even kinda fun.

Posted by SilverStr at December 9, 2003 01:15 AM
Comments

Nifty!

As I said last night, awesome presentation, and invaluable for someone interested in playing in this area but not knowing where to start. I've wanted to check out the honeynet challenges, but when presented with simply a disk image, it's hard to know where to start ;)

Oh, and now I can look into recovering my disk of mp3s, though I think I've already written 0's over the damaged disk :(

Posted by: Arcterex at December 9, 2003 07:27 AM

Glad you enjoyed it.

Posted by: SilverStr at December 9, 2003 11:36 AM