Sorter

(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

I've run Sorter in Autopsy 2.06 and am now wondering what I'm supposed to do with the HTML output file. Is there a way I can make the "File Analysis" section exclude files that sorter has determined to be known good? What are you guys doing with the HTML file sorter creates?

Also I've recovered the install script for the rootkit installed and sorter says that some of the system files that the script replaced are known good. The rootkit trashed the system so does that mean the attacker tried to uninstall it, does it mean sorter extracted that file from unallocated space, or something else?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Is there a way I can make the "File Analysis" section exclude files that
> sorter has determined to be known good?

Could you cut-n-paste the file names out of the HTML file and then use Perl to remove those filenames from the output of the "File Analysis" section?

> …sorter says that some of the system files that the script replaced are known good.

Two thoughts…

1. How do you know the rootkit replaced them?
2. Windows File Protection…check the Event Log and see if WFP "woke up" and replaced the files w/ the "known good" copies from the cache…


   
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Unfortunately I'm not much of a programmer, but hopefully that will change someday. I just need to find the time to learn how. Isn't there an easier way to use sorter without having to be a programmer? Excluding known good isn't very much help if you have to manually exclude the files in the exclusion list sorter creates with the files in the file system that Autopsy creates.

I've recovered the rootkit's install script and one of the first things it does is replace system files that sorter is saying are known good.

Here is an example of login…

r / r login 2003.02.24 191143 (EST) 2008.02.29 004325 (EST) 2008.02.29 004322 (EST) 19964 0 0 97375

/1/bin/login
Image /usr/local/evidence/RH9_Honeypot/testbox/images/root.img Inode 97375
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
MD5 ed78748061c05d2263baf43c6a2e400f
Exclude Database

The honeypot was compromised on Feb 29th and login has changed, yet sorter in exclude.html says it is fine.

This is on Linux so WFP isn't involved…


   