Forensics, recovery, undelete

Hi, I found this reference information. Good for people who want to get rich knowledge about sysadmin. (Part 5)

Read:
Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part5 - Forensics, recovery, undelete

Forensics HOWTO's, docs
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Open Web Application Security Project (OWASP): http://www.owasp.org/
Open Source Computer Forensics Manual: http://sourceforge.net/project/showf...ease_id=171701
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org): http://www.isecom.org/projects/osstmm.htm
Forensics Basic Steps: http://staff.washington.edu/dittrich/misc/forensics/ or http://staff.washington.edu/dittrich...forensics.html
Dd and netcat cloning disks: http://www.rajeevnet.com/hacks_hints...s_cloning.html
Security Applications of Bootable Linux CD-ROMs: http://rr.sans.org/linux/sec_apps.php
Honeypot project (Hone your skills with the SOM): http://project.honeynet.org/scans/
RH8.0: Chapter 11. Incident Response (Red Hat Linux Security Guide): http://www.redhat.com/docs/manuals/l...se-invest.html
Forensics and Incident Response Resources: http://is-it-true.org/pt/ptips8.shtml
Forensics presentation by Weld Pond and Tan: http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
Law Enforcement and Forensics Links: http://www.computerforensics.net/links.htm
Forensics commercial svc's: http://forensic.to/links/pages/Foren...Investigation/

Forensics CDR's
FIRE (formerly Biatchux +TCT): http://biatchux.dmzs.com/?section=main
The Penguin Sleuth Kit (Knoppix-based +TCT + Sleuthkit): http://luge.cc.emory.edu/psl.html
Knoppix

Forensics tools
OSSTM Tools listing: http://www.isecom.org/projects/operationaltools.htm
The Coroner's Toolkit (TCT): http://www.porcupine.org/forensics/ or http://www.fish.com/forensics/
tomsrtbt (1 floppy distro): http://www.toms.net/rb/
Trinux, (Pentest/sniff/scan/recovery/IDS/forensics CD): http://www.trinux.org/
Snarl (Forensics CD based on FreeBSD): http://snarl.eecue.com
Freeware Forensics Tools for Unix: http://online.securityfocus.com/infocus/1503
The @stake Sleuth Kit (TASK): http://sleuthkit.sourceforge.net/
Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents (list): http://www.uazone.org/demch/analysis/sec-inchtools.html
Freeware Forensics Tools (reflist, Linux w32): http://www.theiia.org/itaudit/index....=forum&fid=325
TUCOFS - The Ultimate Collection of Forensic Software: http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
Response kits (precompiled static binaries for Linux, Slowaris and wintendo): http://www.incident-response.org/irtoolkits.htm
Precompiled static binaries for Linux (iso): http://www.stearns.org/staticiso/
Forensic Acquisition Utilities for w32: http://users.erols.com/gmgarner/forensics/
CREED (Cisco Router Evidence Extraction Disk): http://cybercrime.kennesaw.edu/creed/
...else check Zone-h.org, Packetstorm, Wiretapped.net, whatever.

Undelete HOWTO's
Recovering a Lost Partition Table: http://tsaling.home.attbi.com/linux/lost_partition.html
Linux Partition HOWTO: http://surfer.nmr.mgh.harvard.edu/pa...Partition.html
How to recover lost partitions: http://cvs.sslug.dk/hdmaint/hdm_rescue.html
Linux Ext2fs Undeletion mini-HOWTO: http://www.linuxdoc.org/HOWTO/mini/E...ndeletion.html
Linux Partition Rescue mini-HOWTO: http://www.linux-france.org/article/...ini-HOWTO.html
File Recovery.v.0.81 (using Midnight Commander): http://www.ists.dartmouth.edu/text/I...very.v0.81.php

Rescue tools for partition table/ext2fs
Gpart: http://www.stud.uni-hannover.de/user/76201/gpart/
Testdisk: http://www.cgsecurity.org/index.html
Parted: http://www.gnu.org/software/parted/parted.html
Recover (app + info): http://recover.sourceforge.net/linux/recover/
R-Linux: http://www.r-tt.com/RLinux.shtml
Unrm: http://www.securiteam.com/tools/Unrm...for_Linux.html
Dd-rescue: http://www.garloff.de/kurt/linux/ddrescue/
Also see mc (the Midnight Commander)
TCT (above).

Rescue tools from dd image
Foremost: http://sourceforge.net/projects/foremost/

Rescue tools for FAT/VFAT/FAT32 from Linux
Fatback: http://sourceforge.net/projects/biatchux/

Partition imaging
Partimage: http://www.partimage.org
* For more rescue tools check Freshmeat.net, metalab.unc.edu or other depots for a /Linux/system/recovery/ dir.

Runefs: The first inode that can allocate block resources on an ext2 file system is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode 2). Because of this mis-implementation of the ext2fs it is possible to store data on blocks allocated to the bad blocks inode and have it hidden from an analyst using TCT or TASK. To illustrate the severity of this attack the following examples demonstrate using the accompanying runefs toolkit to: create hidden storage space; copy data to and from this area; and show how this area remains secure from a forensic analyst: http://www.phrack.org/show.php?p=59&a=6

Original Source: Linuxquestions.org