Re:Hackers please help

From: alexboko@umich.edu
Date: Fri Feb 21 2003 - 20:12:11 MST


    From: "Alex Future Bokov" <alexboko@umich.edu>

    If you want to gather forensic-quality evidence, before you touch the computer
    any further, turn it off and don't turn it back on until you've done the
    following: buy an external USB drive-casing. They sell on eBay for ~$60,
    probably a few dozen bucks more at BestBuy. Get a copy of Norton Ghost. Find
    a clean computer and install Norton Ghost on it. Rip the HD out of your
    old computer, install it inside the USB casing, hook it up to the clean
    computer. Run Norton Ghost on it and make an exact bit-image of it. Burn the
    image to as many CD-R's as it takes. Now, no matter what you do to the HD, the
    original evidence will always be there in case you need to consult a forensic
    expert, press charges, think of a new approach to sleuthing this out, etc.

    Now, here are a few things to try:

    <quote>
    - c:\windows\system32\wbem\repository\fs\index.btr
    - c:\windows\system32\wbem\repository\fs\objects.map.new
    - c:\windows\system32\wbem\repository\fs\index.map.new
    - c:\windows\system32\wbem\repository\fs\objects.data
    </quote>

    Do a text-string search on these files for your login and/or password and/or a
    string whose *exact* typing you're absolutely certain of.

    I know you already have Norton Antivirus or some equivalent, but run a full
    scan on the compromised HD anyway. Full scan-- data, archives, every single
    file, not just the execs. And tell it not to repair problems-- just scan.

    Two popular trojans are BackOrifice (http://www.cultdeadcow.com/tools/bo.html)
    and NetBus (hard to find ON PURPOSE, but probably out there in google-land
    someplace). Download the distros, read the manuals, see if this gives you any
    further insights into what to look for and where.

    If you're very lucky, in the process of digging through what's left of your
    drive, you may find incriminating IP addresses, email addresses, or other
    clues. Good luck!

    PS: the USB enclosure and Ghost are money/effort well spent-- they're a VERY
    effective combo for data backups and troubleshooting. No matter how fuX0r3d
    you manage to get your machine, from now on you'll always be able to pop the
    drive into the USB enclosure and blow the last known good ghost image onto
    it... and/or recover whatever it is that's on it.

    ----
    This message was posted by Alex Future Bokov to the Extropians 2003 board on ExI BBS.
    <http://www.extropy.org/bbs/index.php?board=67;action=display;threadid=54922>
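The two steps the post recommends (take a bit-for-bit image before touching the drive, then string-search the image for a login or password you are certain you typed) as an added shell example. This is not code from the post or from Norton Ghost; it swaps Ghost for dd plus a SHA-256 hash so the image can later be shown to match the original, and it stands in a small constructed file for the real block device (in practice `/dev/sdX` of the drive sitting in the USB enclosure, attached read-only). The sample drive contents, the hash helper and the function names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the original poster's procedure: image a drive with dd,
# verify the image by hash, then search it for a known string.

# Constructed stand-in for the suspect drive: a few bytes of binary junk
# around a login string we are "absolutely certain" was typed on the box.
# In real use the source is the raw device, e.g. /dev/sdb, never a mounted FS.
make_sample_drive() {
  printf 'junk\0\0\0user=alice\0password=hunter2\0\0tail' > "$1"
}

# SHA-256 of a file; falls back to shasum where sha256sum is absent (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Bit-for-bit image of $1 into $2. Prints "<source-hash> <image-hash>" and
# returns non-zero if they differ, i.e. the image cannot be trusted as
# evidence. conv=noerror keeps going past bad sectors; conv=sync is left out
# here because it pads short reads with zeros and would break the hash match
# on a plain file (on a failing physical disk you may want it anyway, but
# then record that the image is padded).
image_drive() {
  src=$1
  dst=$2
  dd if="$src" of="$dst" bs=4096 conv=noerror 2>/dev/null || return 1
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$dst")
  echo "$src_hash $img_hash"
  [ "$src_hash" = "$img_hash" ]
}

# Search the *image* ($1), never the original drive, for an exact string
# ($2). Binary bytes are turned into line breaks so each printable run
# (the way `strings` would show it) is tested and printed on its own line;
# returns 0 if the string appears, 1 if not.
find_string() {
  tr -c '[:print:]' '\n' < "$1" | grep -F -- "$2"
}

# Usage: work on the image, keep the original drive untouched.
#   make_sample_drive /tmp/drive.bin          # stand-in for /dev/sdX
#   image_drive /tmp/drive.bin /tmp/drive.img # record the printed hashes
#   find_string /tmp/drive.img 'password=hunter2'
```

Record the two hashes with the image; rehash the image after every analysis session so you can show it is still the bit-for-bit copy you took on day one. The same `find_string` call applied to the WMI repository files the post lists is the "text-string search" it describes.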
    


    This archive was generated by hypermail 2.1.5 : Fri Feb 21 2003 - 20:14:21 MST