
Re: how to fix rootkit?



But you can't trust ld.so and all those shared libraries ... sure, you may link all your tools fully static, but even then they rely on syscalls and devices, which may also not be trustworthy due to the possibly compromised kernel.

On 02/08/2012 06:46 PM, Fernando Mercês wrote:
Reading memory after turning off? Is there an easy way to do it?

When I said "your own binaries", I mean "get fresh copies of binaries
and use in system with a USB stick or something like that. Do not use
the compromised system binaries". That's it. ;-)

BR,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria
------------------------------------
II Hack'n Rio - 23 e 24/11
                  hacknrio.org
------------------------------------



On Wed, Feb 8, 2012 at 2:55 PM, Michael Stummvoll <michael@stummi.org> wrote:
On 08.02.2012 17:03, Fernando Mercês wrote:
Humm... you're all right, dumping before reboot is much better.

Another tip: dump with your own dd/rsync binary copies. Remember: you
cannot trust this system.

You can also capture some network traffic and general volatile data
(memory) before reboot.

Strictly said, you either cannot trust that you call your own binary copies then, or that they work as expected on a rootkitted machine.

Another way would be hard turning off the machine. You have a little risk of getting an inconsistent filesystem or swap then, but you have a "frozen" version of your rootkitted system while running.
But you may not get to the content of your RAM then, unless you can use forensic tools or so for reading the memory after turning off or something.

Kind Regards,
Michael


--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4F32A8E5.1060806@stummi.org




--
Best regards / Mit freundlichen Grüßen / Üdvözlettel

Tibor Répási
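The "use your own dd binaries from a USB stick and never the compromised system's" advice above, written out as an added example (not code from the thread or from Debian). It assumes a read-only mount of statically linked tools at the hypothetical path /mnt/usb/bin, refuses to fall back to the suspect host's PATH, and hashes the image so the dump can be verified off-host; the thread's caveat still applies, since a compromised kernel can lie to even a trusted dd.

```shell
#!/bin/sh
# Added example: acquire a disk image on a suspect host using only tools from
# a trusted mount. TRUSTED_BIN is an assumed path; point it at your own stick.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/usb/bin}"

# Resolve a tool from the trusted directory only; never search the suspect
# system's PATH. Fails (return 1) rather than silently using /bin or /usr/bin.
trusted_tool() {
    t="$TRUSTED_BIN/$1"
    if [ ! -x "$t" ]; then
        echo "refusing to use untrusted $1 (not found in $TRUSTED_BIN)" >&2
        return 1
    fi
    printf '%s\n' "$t"
}

# Copy SRC (a block device or file) to DST with the trusted dd, then print the
# SHA-256 line of the result so it can be recorded away from the suspect host.
# conv=noerror,sync keeps going past unreadable sectors and pads them with NULs,
# so the image stays aligned to the original offsets. Returns 1 on any failure.
# Note: a compromised kernel can still falsify what dd reads; dumping before
# reboot and hashing limits, but does not remove, that risk.
acquire_image() {
    src="$1"
    dst="$2"
    dd_bin=$(trusted_tool dd) || return 1
    sha_bin=$(trusted_tool sha256sum) || return 1
    "$dd_bin" if="$src" of="$dst" bs=4M conv=noerror,sync status=none || return 1
    "$sha_bin" "$dst"
}
```

Run it as `acquire_image /dev/sda /mnt/usb/evidence/sda.img` from a shell started on the trusted stick; write the printed hash down somewhere the suspect host cannot alter.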

