Re: [PLUG] makeshift forensic copy with scp

Michael Lazin via plug on 25 Jun 2023 18:42:25 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] makeshift forensic copy with scp

From: Michael Lazin via plug <plug@lists.phillylinux.org>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] makeshift forensic copy with scp
Date: Sun, 25 Jun 2023 21:42:09 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687743741; x=1690335741; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=eZnv8vQFkx7ks1ApN4Qd+MFe2HNf4RCgAeZ6XyM3Hkw=; b=WIUBmz4DxUR9ZV2v0mJq4xeyCco8Ychh5Npz/uXvUWq6SGlV8v4QDTdinkVPee89vB TIhyFhLus+aS2NvYStv6sGWDDdof8g+dwU1n8+l/zdqOJrt5mI2nGi3I/ToALa0t2GJN 5gvcv2bR2ON1L/8DlzmxQmPbi07ag4d8h598sY8P2s1vyOxHVoRtNOR48DG606qQH40F 5cljxpFq6U3JjuCxTTmeHhZRKvuFYnvtobIoKP0TIFwyUZ2Met/BF4qIWYL3ZTgDLyIN HJ7XBbKcDgjvnbm+clMzj7ETfmOMcu27/gRycOaxdmMo1QQJZjkBHCRgiBveZox1WWkI VSAQ==
Reply-to: Michael Lazin <microlaser@gmail.com>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

Thank you Steve. It is actually an openwrt router so it would be challenging to make a copy with dd. I am more interested in examining the rest of the filesystem because I can pull it from github and do a diff of the filesystem because I have made very few changes so this would work for me. I found a rogue service in /etc/init.d on the router and I would ideally like to compare my router with a fresh pull from github. Please excuse me but I am treating this like a Linux system because it is but it is separated from the outside with very strong firewall rules. Thanks again.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Sun, Jun 25, 2023 at 8:48 PM Steve Litt via plug <plug@lists.phillylinux.org> wrote:

Michael Lazin via plug said on Sun, 25 Jun 2023 19:54:40 -0400

>I have a system that I found malware on and I want to examine it
>locally. I connected to it with ssh as root,

The generally accepted way to make a forensic copy is to boot a
different OS, then dd the suspect hard disk to an image. Is there
anyone with hands-on at the current location of the suspect hard disk
who could do this?

Thanks,

SteveT

Steve Litt
Autumn 2022 featured book: Thriving in Tough Times
http://www.troubleshooters.com/bookstore/thrive.htm
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] makeshift forensic copy with scp
  - From: Michael Lazin via plug <plug@lists.phillylinux.org>
- Re: [PLUG] makeshift forensic copy with scp
  - From: Steve Litt via plug <plug@lists.phillylinux.org>

Prev by Date: Re: [PLUG] Red Hat cutting back RHEL source availability
Next by Date: Re: [PLUG] Red Hat cutting back RHEL source availability
Previous by thread: Re: [PLUG] makeshift forensic copy with scp
Next by thread: [PLUG] Linux equivalent of a Windows SID
Index(es):
- Date
- Thread