Reading memory after turning off? Is there an easy way to do it? When I said "your own binaries", I meant "get fresh copies of the binaries and use them on the system from a USB stick or something like that. Do not use the compromised system's binaries". That's it. ;-)
BR,
Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria
------------------------------------
II Hack'n Rio - 23 and 24/11
hacknrio.org
------------------------------------

On Wed, Feb 8, 2012 at 2:55 PM, Michael Stummvoll <mich...@stummi.org> wrote:
> On 08.02.2012 17:03, Fernando Mercês wrote:
>> Humm... you're all right, dumping before reboot is much better.
>>
>> Another tip: dump with your own dd/rsync binary copies. Remember: you
>> cannot trust this system.
>>
>> You can also capture some network traffic and general volatile data
>> (memory) before reboot.
>>
> Strictly speaking, you either cannot trust that you are calling your own binary copies
> then, or they work as expected on a rootkitted machine.
>
> Another way would be hard-powering off the machine. You have a small risk of
> getting an inconsistent filesystem or swap then, but you have a "frozen" version
> of your rootkitted system as it was running.
> But you may not get at the content of your RAM that way, unless you can use
> forensic tools or so for reading the memory after turning off, or something.
>
> Kind Regards,
> Michael
>
>
> --
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/4f32a8e5.1060...@stummi.org
>

Archive: http://lists.debian.org/CAM7p17MyvsWKTd-CH0SDoDCCU5VxqLXW_cPSC=_jkhqun3+...@mail.gmail.com
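The procedure the thread describes (run only your own dd/rsync/tcpdump copies from a USB stick, collect memory, network and other volatile state before the host is rebooted, image the disk last), as an added shell example that is not code from either poster. It assumes a read-only USB toolkit of statically linked binaries mounted at $TOOLKIT with a SHA256SUMS manifest generated on a clean machine, a separate evidence drive at $OUTDIR, and, for the memory step, a LiME module prebuilt for the target kernel and stored on the toolkit; all of these names are assumptions. Michael's caveat still applies: this only defends against swapped userland binaries, because every tool here still runs on the compromised kernel, and a kernel rootkit can lie to all of them.

```shell
#!/bin/sh
# Live-response wrapper for a possibly rootkitted Linux host.
# Added example, not code from the thread. Assumptions: a trusted, statically
# linked toolkit mounted read-only at $TOOLKIT, a separate evidence drive at
# $OUTDIR, and $TOOLKIT/SHA256SUMS generated on a clean machine.
# Caveat: this only defends against trojaned userland binaries; a kernel
# rootkit can still feed false data to every tool below.

TOOLKIT="${TOOLKIT:-/mnt/usb/bin}"          # assumed mount point of the toolkit
OUTDIR="${OUTDIR:-/mnt/evidence}"           # assumed mount point of the evidence drive
MANIFEST="${MANIFEST:-$TOOLKIT/SHA256SUMS}" # assumed manifest location

# Echo a PATH that contains only the toolkit, so no command lookup ever
# reaches /bin or /usr/bin on the compromised system.
trusted_path() {
    printf '%s\n' "$1"
}

# Verify every file listed in the manifest against its recorded SHA-256.
# Returns 0 only if all hashes match; runs sha256sum from PATH, i.e. the toolkit.
verify_toolkit() {
    dir="$1"
    manifest="$2"
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 1; }
    ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || return 1
}

# Hash each artefact as it is written, leaving <file>.sha256 beside it,
# so the evidence can later be shown unchanged.
seal() {
    sha256sum "$1" > "$1.sha256"
}

# Order of volatility: memory and live state first, packet capture, disk last.
collect_volatile() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    ev="$OUTDIR/$ts"
    mkdir -p "$ev"
    # Memory needs a module built for this exact kernel (LiME, assumed to have
    # been prepared in advance and copied onto the toolkit).
    if [ -f "$TOOLKIT/lime.ko" ]; then
        insmod "$TOOLKIT/lime.ko" "path=$ev/mem.lime format=lime" && seal "$ev/mem.lime"
    fi
    # Live state, captured before anything on the box has a chance to change.
    date -u > "$ev/date.txt"
    uptime > "$ev/uptime.txt"
    ps auxww > "$ev/ps.txt"
    ss -tulpan > "$ev/sockets.txt" 2>/dev/null || netstat -tulpan > "$ev/sockets.txt"
    lsof -nP > "$ev/lsof.txt"
    lsmod > "$ev/lsmod.txt"
    ip addr > "$ev/ip.txt"; ip route >> "$ev/ip.txt"
    mount > "$ev/mount.txt"
    # A short packet capture while the host is still up, with the toolkit's tcpdump.
    timeout 120 tcpdump -ni any -w "$ev/capture.pcap" 2>/dev/null
    for f in "$ev"/*.txt "$ev/capture.pcap"; do
        [ -f "$f" ] && seal "$f"
    done
}

# Raw disk image with the toolkit's own dd; keep going over read errors.
image_disk() {
    dev="$1"; out="$2"
    dd if="$dev" of="$out" bs=4M conv=noerror,sync && seal "$out"
}

main() {
    PATH=$(trusted_path "$TOOLKIT"); export PATH
    verify_toolkit "$TOOLKIT" "$MANIFEST" || { echo "toolkit tampered, refusing to run" >&2; exit 2; }
    collect_volatile
    [ -n "${DISK:-}" ] && image_disk "$DISK" "$OUTDIR/disk.img"
}

# Only collects when invoked explicitly, as root:  DISK=/dev/sda ./live-response.sh collect
if [ "${1:-}" = "collect" ]; then
    main
fi
```

Copy the script onto the USB stick next to the tools, so it is never executed from the suspect filesystem; mount the stick read-only and the evidence drive read-write; and prefer hard-powering the box (Michael's option) once the dumps are sealed rather than running its shutdown scripts, since those are part of the system you cannot trust.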