Loading
Introduction to Forensics - A Report from Southwest Drupal Summit
What do you do once you realize one of your servers has been compromised? I recently had the opportunity to hear Linux Journal's own Kyle Rankin give a very impressive talk covering this situation at the Southwest Drupal Summit in Houston, Texas.
The actions you choose to take are very important and should be prepared before the fateful event. Most people will spend time on the server trying to figure out how the intruder gained access to the machine, and what they have been doing. Not only is this problematic in that the intruder has more time to do his damage, but the longer the server is up, the more likely critical forensic data will be lost.
Kyle argued that the best first step is to immediately pull the plug on the box. Do not diagnose the situation and do not shut the machine down gracefully. We use journaling file systems for a reason and the machine will probably be rebuilt from scratch, so the danger of corrupted data from killing the power is small. Once the machine is off, you should image the compromised drive with something like 'dd' and make a copy of the image to do your work on to protect you from accidentally contaminating the evidence.
The issue with poking around on the live system is that you will destroy any information you could have learned from the meta data stored on every file on the computer. Linux uses MAC times to record when certain events occurred most recently. The events that change MAC times on a file are “modification” (the data in the file was modified), “access” (some part of the file was read or executed), and “metadata change” (the file's permissions or ownership were changed). By pulling power from the server at the earliest possible moment, you decrease the likelihood that MAC times recorded by the intruder's action will have been updated by another user.
Kyle then did a live demo on a compromised image showing how to use The Sleuth Kit and Autopsy Browser to perform the investigation. These tools can be used to view log files, recover deleted files, and to order the files on the file system by MAC times. With this information, he was able to paint an interesting picture of not only how an intruder gained access to one of his machines, but what they did once they once they had access.
Kyle is a great public speaker and I highly recommend seeing him if you get the chance. His slides for the Southwest Drupal Summit presentation are available online as is his Linux Journal article Introduction to Forensics where he goes into great detail on how to use these tools.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- I once had a better way I
3 hours 2 min ago - Not only you I too assumed
3 hours 20 min ago - another very interesting
5 hours 13 min ago - Reply to comment | Linux Journal
7 hours 6 min ago - Reply to comment | Linux Journal
14 hours 51 sec ago - Reply to comment | Linux Journal
14 hours 17 min ago - Favorite (and easily brute-forced) pw's
16 hours 8 min ago - Have you tried Boxen? It's a
22 hours 7 sec ago - seo services in india
1 day 2 hours ago - For KDE install kio-mtp
1 day 2 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
Good to also focus on prevention
Drupal owners should also focus on prevention. Overall Drupal is pretty secure, though some modules can reduce that security.
To that end, site owners (not only drupal) should consider scanning their sites ahead of time to avoid having to do this kind of work. There are some good scanners out there for just that, including my own, Golem Technologies website security scanner https://www.golemtechnologies.com
SPAM
Dear Editors,
I really think it's time for a SPAM button for comments.
testing. testing 123.
testing. testing 123.