A colleague and I are reviewing a Suse-based timeline-generating kit that generates something similar to a super timeline, except it can be used on a live OS from the LiveCD via a mounted share. My thought was: what if we notify an agency that we just saw a Snort alert on an IP in their location? The techs for that agency could fire up this LiveCD, connect to the machine's C$ share and generate the timeline, while running other tools that allow sending suspect files to VirusTotal etc. while this timeline tool is being run. What I was wondering is: though a properly functioning rootkit will hide itself from ring 3 tools running on the compromised OS, will the rootkit still be hiding its files when accessed via CIFS shares from a Linux machine across the network?
In case my explanation isn't clear, which I think it isn't, here are the steps:
Snort detects a possible drive by.
We notify agency.
Agency tech fires up laptop with the Suse-based volatile data collection tool.
Tech connects the Suse laptop to the suspect machine c$ share and starts looking for suspicious data.
Steps this tool uses for finding suspicious data are running various linux based antivirus tools.
Running a supertimeline tool that parses registry, eventlogs, mac dates.
Question:
Does the rootkit prevent the anti-malware tools from seeing the infected files during a scan, or during MAC date collection of all files on the machine?
If rootkits running at ring 0 hide stuff from apps running at ring 3, what ring is the share performed from, and would it be able to hide the files from being seen on a network share?
The answer is, it depends…on the implementation of the rootkit.
In one of my previous books, I described how user-mode rootkits could be easily detected via differential analysis of the system using local vs remote data collection.
My recommendation would be to give it a shot and see what you find.
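The differential-analysis idea in the reply above, as an added illustration that is not part of this thread and not the tool the original poster is reviewing: take one file listing collected by a tool running on the suspect host (the view a user-mode rootkit can filter) and one collected over the C$ share from the Linux box, normalise the paths, and report anything the remote view shows that the local view does not. The two listings and their paths are constructed sample data; the tab-separated "path, size, mtime" format is an assumption about how the two collections were exported. Note the limit that the thread's "it depends" points at: a rootkit that filters inside the kernel file-system path can present the same false view to the SMB server, so an empty "hidden" list is not proof of a clean host.

```python
"""Differential analysis of a local vs. remote file listing (added example)."""


def parse_listing(text):
    """Parse 'path<TAB>size<TAB>mtime' lines into {normalised path: (path, size, mtime)}.

    Windows paths are case-insensitive, so the key is lower-cased; the
    original spelling is kept in the value for reporting. Blank lines and
    '#' comments are skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size, mtime = line.split("\t")
        entries[path.lower()] = (path, int(size), mtime)
    return entries


def diff_listings(local, remote):
    """Compare the view from the host (local) with the view over the share (remote).

    Returns a dict with three sorted lists of normalised paths:
      hidden     - seen over the share but not by the local tool (candidate hidden objects)
      only_local - seen locally but not over the share (files created between the two
                   collections, or paths the share account cannot read)
      changed    - present in both but with a differing size or modification time
    """
    local_keys, remote_keys = set(local), set(remote)
    hidden = sorted(remote_keys - local_keys)
    only_local = sorted(local_keys - remote_keys)
    changed = sorted(
        p for p in local_keys & remote_keys
        if local[p][1:] != remote[p][1:]
    )
    return {"hidden": hidden, "only_local": only_local, "changed": changed}


# Constructed sample: what a ring 3 listing tool on the host reported.
LOCAL_LISTING = "\n".join([
    "# path\tsize\tmtime (constructed sample data)",
    "C:\\Windows\\System32\\ntoskrnl.exe\t4500000\t2010-04-12 09:00:00",
    "C:\\Windows\\System32\\drivers\\tcpip.sys\t600000\t2010-04-12 09:00:00",
    "C:\\Users\\bob\\ntuser.dat\t262144\t2010-05-01 17:30:00",
])

# Constructed sample: the same tree walked over the C$ share from the Linux side.
# 'constructed_hidden.sys' is a placeholder name, not a real indicator.
REMOTE_LISTING = "\n".join([
    "# path\tsize\tmtime (constructed sample data)",
    "C:\\Windows\\System32\\ntoskrnl.exe\t4500000\t2010-04-12 09:00:00",
    "C:\\Windows\\System32\\drivers\\tcpip.sys\t600000\t2010-04-12 09:00:00",
    "C:\\Windows\\System32\\drivers\\constructed_hidden.sys\t28672\t2010-05-03 02:14:00",
    "C:\\Users\\bob\\ntuser.dat\t262144\t2010-05-03 02:14:05",
])


def run_example():
    """Run the comparison on the constructed listings and return the result dict."""
    return diff_listings(parse_listing(LOCAL_LISTING), parse_listing(REMOTE_LISTING))


if __name__ == "__main__":
    result = run_example()
    for label in ("hidden", "only_local", "changed"):
        print(f"{label}:")
        for path in result[label]:
            print(f"  {path}")
```

In practice the two listings should be taken as close together in time as possible, because every file touched between the two walks shows up under "changed" or "only_local" and dilutes the interesting entries; the "hidden" list is the one to review first, then any "changed" entry whose timestamps moved in the direction of the alert.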
Ok. Since this will hopefully be an ongoing event, I'll read up on it. Which book? I have Windows Forensics and Incident Recovery, the new Green Book, and I thought I had another older book, but it's at home…
Let me know which one, and I'll get to it this weekend.
Rootkits: Subverting the Windows Kernel
Publisher: Addison Wesley; 1 edition (22 July 2005)
Language: English
ISBN-10: 0321294319
ISBN-13: 978-0321294319
Thanks. We have that book in our library also. I appreciate the info.
–Bruce
Which book? I have Windows Forensics and Incident Recovery, the new Green Book, and I thought I had another older book, but it's at home…
Let me know which one, and I'll get to it this weekend.
I'd start by cracking each one open, starting with the first one…seriously.