should be avoided. In the jargon, a machine that has been altered is known as tainted fruit.
Other operators think that the best thing to do is turn off the machine simply by pulling the plug. This is a rather widespread practice even though it has certain contraindications, not least among them the loss of critical information or the risk of irreparable damage to the file system. In many cases, however, the swap file remains unaltered, and may contain very important information.
An alternative method for “crystallizing the scene of the crime” often used by certain investigators is the following:
Photograph the screen and document which programs are running;
Right click on the menu;
Select Console;
If the prompt does not belong to the root user, become root by typing su -;
If the root password is not available, pull the plug on the computer;
If the root password is available, enter it. At the pound sign (#) type sync; sync; halt and the system will shut down;
Unplug the machine.
The sequence sync; sync; halt is often discouraged since it may write data to the disk. However, numerous guidelines [DoE01] indicate this as the most suitable option.
As always, whatever approach is taken, it is critical that all operations be documented in a report.
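As an added example, not taken from the book, the following POSIX shell script records the volatile state the procedure above asks the operator to document (running programs, logged-in users, open sockets) into a timestamped report, and wraps the sync; sync; halt sequence behind an explicit confirmation so that it is never run by accident. The output directory, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book). Records volatile state into a report before the
# sync; sync; halt shutdown described in the text. Paths and names are assumptions.
# Usage:  collect_volatile_state /mnt/evidence/case-001   (writable, ideally removable)
#         shutdown_sequence yes        (only "yes" actually runs sync; sync; halt)

log_section() {
    # $1 = report file, $2 = section title; stdin is appended under a UTC-stamped header
    printf '\n=== %s (%s) ===\n' "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$1"
    cat >> "$1"
}

collect_volatile_state() {
    outdir="$1"
    mkdir -p "$outdir"
    report="$outdir/volatile-state.txt"
    : > "$report"
    echo "Host: $(uname -a)" | log_section "$report" "System identification"
    # Who performed the seizure and with which privileges (root is needed for halt)
    echo "Operator: $(id -un)  uid=$(id -u)" | log_section "$report" "Operator"
    # Equivalent of "document which programs are running"
    ps -eo pid,ppid,user,args 2>/dev/null | log_section "$report" "Running processes"
    { who 2>/dev/null || echo "who not available"; } | log_section "$report" "Logged-in users"
    # Open connections may reveal a sniffer or a link to another compromised host
    { if command -v ss >/dev/null 2>&1; then ss -tunap 2>/dev/null;
      elif command -v netstat >/dev/null 2>&1; then netstat -tunap 2>/dev/null;
      else echo "no socket tool available"; fi; } | log_section "$report" "Network sockets"
    # Integrity record for the report itself, so later alteration is detectable
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum volatile-state.txt > volatile-state.txt.sha256)
    fi
    echo "$report"
}

shutdown_sequence() {
    # The book's sequence: flush buffers twice, then halt. Dry run unless confirmed.
    if [ "$1" = "yes" ]; then
        sync; sync; halt
    else
        echo "dry run: would execute 'sync; sync; halt'"
    fi
}
```

Run it as root from the console the procedure opens, writing to external media rather than to the seized disk, so that the report itself does not alter the evidence.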
2.2.1 Search Tools and Data Left in the System by an Intruder
Intruders generally install customized tools to enable them to monitor the system
and/or access the machine in the future.
The main tool categories are the following:
Network sniffer;
Trojan horse;
Backdoor;
Vulnerability exploit;
Other (Denial-of-Service, use of processing resources);
Communication systems with other compromised systems.
When a system is compromised, the intruder may install network monitoring programs (on UNIX systems), commonly known as sniffers or packet sniffers, with