Understanding *NIX File Linking (ln)
The "ln" command is an important tool in any Unix admin's arsenal, and attackers use it too, so it is essential that forensic analysts understand it: a hard link is a second directory entry for the same inode, while a symbolic link is a separate file that merely holds a path, and the two behave very differently when the original name is deleted or examined.
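The distinction above, as an added example that is not code from the article: it shows what each kind of link does when the original name is unlinked, and the check an analyst runs to find files that carry more than one name on disk. It assumes GNU coreutils/findutils (stat -c and find -printf); a BSD stat fallback is included only for the single-file helpers, and the temporary files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's code: hard links vs. symbolic links, and the
# forensic check for inodes that have more than one directory entry.
# Assumes GNU stat/find; the "stat -f" branches are the BSD fallback.

# Inode number and hard-link count of one path.
inode_and_links() {
  stat -c '%i %h' "$1" 2>/dev/null || stat -f '%i %l' "$1"
}

# Every regular file under $1 whose inode has more than one name, printed as
# "inode linkcount path" and grouped by inode. A second name for /etc/shadow or
# for a setuid binary sitting in a home directory is what this surfaces. -xdev
# keeps the walk on one filesystem; hard links cannot cross filesystems anyway.
find_multiply_linked() {
  find "$1" -xdev -type f -links +1 -printf '%i %n %p\n' 2>/dev/null | LC_ALL=C sort -n
}

# The other names of the inode behind $1, searched from $2 (default: the root).
# An inode keeps no list of its directory entries, so this walk is the only way
# to find where else the same data is reachable from.
other_names() {
  _ino=$(stat -c '%i' "$1" 2>/dev/null || stat -f '%i' "$1")
  find "${2:-/}" -xdev -inum "$_ino" ! -path "$1" 2>/dev/null
}

# What survives unlinking the original name: the hard link still reaches the
# data (the inode lives until its link count drops to zero), the symlink dangles.
hardlink_survives_unlink() {
  _d=$(mktemp -d)
  printf 'secret\n' > "$_d/original"
  ln "$_d/original" "$_d/hardlink"      # second directory entry, same inode
  ln -s "$_d/original" "$_d/symlink"    # new inode that only stores the path
  rm "$_d/original"
  if [ -L "$_d/symlink" ] && [ ! -e "$_d/symlink" ]; then _s=dangling; else _s=valid; fi
  printf 'hardlink=%s symlink=%s\n' "$(cat "$_d/hardlink")" "$_s"
  rm -rf "$_d"
}

hardlink_survives_unlink
# Example sweep of a directory tree; point it at / for a whole-host review.
find_multiply_linked "${1:-/etc}"
```

On a live review the sweep is `find_multiply_linked /` as root; every inode it reports should be explained by the package manager or a known administrative practice, and `other_names` answers where the second entry lives.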
Understanding Conditionals in Shellcode
This article follows on from the previous articles and covers some of the fundamentals you will need in order to understand the shellcode creation process. Here we extend our knowledge of assembly and shellcoding to conditional branching, as a precursor to the injection and hooking process that follows.
There is a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are specific to one flavor of UNIX.
Unix Network and System Profiling
Identifying the network services running on a UNIX host is an essential part of any review. To do this, the reviewer needs to understand the relationship between active network services and the local processes running on the host, and be able to recognize the network behavior that results from this interaction. There are a number of tools available on any UNIX system that the reviewer needs to be familiar with.
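The socket-to-process mapping described above, as an added example that is not code from the article: it reduces the output of `ss -tlnp` (the iproute2 listener listing, assumed column layout State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) to one line per listener, flags listeners with no owning process reported, and cross-checks a pid against /proc so the name a process reports cannot be taken at face value. The sample output embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's code: tie each listening TCP socket to the
# local process that owns it, and single out the ones nobody owns up to.
# Assumes the `ss -tlnp` column layout from iproute2; the sample is constructed.

SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      50     0.0.0.0:4444       0.0.0.0:*
EOF
)

# Reduce `ss -tlnp` output on stdin to "port local_address pid process", sorted
# by port. The Process column is empty when ss runs unprivileged, so pid and
# name fall back to "?" rather than being dropped. Only the first owner of a
# socket shared by several processes is shown.
summarize_listeners() {
  awk 'NR > 1 {
    n = split($4, a, ":"); port = a[n]     # last component, so [::]:22 parses too
    pid = "?"; name = "?"
    if ($6 ~ /pid=/) {
      match($6, /"[^"]+"/);    name = substr($6, RSTART + 1, RLENGTH - 2)
      match($6, /pid=[0-9]+/); pid  = substr($6, RSTART + 4, RLENGTH - 4)
    }
    print port, $4, pid, name
  }' | LC_ALL=C sort -n
}

# Listeners with no owning process: rerun ss as root and look again; a port
# that stays unowned is a reason to capture traffic on it, not to move on.
unowned_listeners() {
  summarize_listeners | awk '$3 == "?"'
}

# Cross-check a pid against /proc (Linux only): the name ss prints is argv[0],
# which any process can set, while /proc/<pid>/exe is the binary the kernel
# actually mapped. Prints "pid exe", with DELETED appended if the file is gone.
listener_binary() {
  _exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "$1 no-proc-entry"; return 1; }
  case "$_exe" in
    *'(deleted)'*) echo "$1 $_exe DELETED" ;;
    *)             echo "$1 $_exe" ;;
  esac
}

printf '%s\n' "$SAMPLE_SS" | summarize_listeners
printf '%s\n' "$SAMPLE_SS" | unowned_listeners
```

On a live host the input is `ss -tlnp | summarize_listeners` (run as root so the Process column is populated), and each pid it reports can be fed to `listener_binary` to confirm the executable behind the name.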
Unix System Accounting and Process Accounting
Accounting reports created by the system accounting service give the *NIX administrator the information needed to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst, since process accounting records which commands were run, by whom, and when, alongside the resources they consumed.
Using Checklists to Make Better Best
The more routine a task is, the greater the need for a checklist. Even the smartest of us can forget where we parked the car on returning from a long flight. So, why not create a straightforward checklist that will improve system management and security? In IT operations, the vast majority of skilled people have rebuilt servers, but in an incident response situation it is unforgivable to overlook a serious security configuration simply because the stress of the environment, interruptions and multitasking caused someone to lose track of which step they were on.
Using HELIX Live for Windows
The Helix Live function is used to collect volatile data (evidence) in cases where the system cannot be shut down. Whenever you work on a live system, you need to take care to minimize the changes you make to it. Changes always occur on live systems; simply letting a system run creates change.
What Happens When You Overwrite Data?
Drive technology is set to change in the near future with patterned media, which uses a single pre-patterned large grain per bit [1]. It is this type of technology that will soon allow recording densities of a terabit per square inch.
What Makes an Expert?
I have recently been involved in a case where the argument came to one of who is an expert. This is not an uncommon attack when the issues at hand are not really in dispute and the opposing team wants to focus the case on other things. It may seem strange that a person with multiple postgraduate degrees, SANS/GIAC certifications (and others) up the wazoo and years of experience can be challenged on these grounds, but it is not unusual in this industry.