extreme
I read in some topic before that it is possible to capture rootkits and similar tools with the VMware "revert" feature... So you would know exactly what was installed, what reg keys have been added etc., and you would have it all on a plate..
I still haven't figured out how to do it with VMware, because revert only gets the machine back to a previous state without showing what was changed..
Anyone had more success with this?
I know that one way is using INCTRL program, but it is not very accurate..
sk3tch
Here is info on my honeypot configuration:

http://www.governmentsecurity.org/forum/in...showtopic=12239

I use a file integrity checker that will make an MD5 hash of all (or certain) files/directories and index the system before I do a snapshot. Once it is done and all of my other steps are complete, I do my snapshot. When the box gets exploited, I run my file integrity checker to index the changes.

I use AFICK.

http://afick.sourceforge.net/

There are other tools you should use for forensic information gathering.
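The baseline-then-compare workflow sk3tch describes (hash the filesystem, snapshot, later re-hash and diff) can be shown in a few lines. The script below is an added example for this thread, not AFICK's code and not anything posted by sk3tch; the directory layout, file names and "trojaned" contents in `demo()` are constructed inside a temporary directory so it runs offline. The function names (`build_index`, `compare_index`, `demo`) are my own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="md5"):
    """Digest a file in chunks so large binaries do not get read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(root, algo="md5"):
    """Walk root and record digest, size and mtime for every regular file, keyed by relative path.

    Symlinks are skipped so a link planted by an intruder cannot redirect the
    checker to a file outside the tree.
    """
    root = Path(root)
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            index[str(p.relative_to(root))] = {
                "digest": hash_file(p, algo),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return index


def compare_index(baseline, current):
    """Report files added, removed or modified between the baseline and a later index.

    Modification is decided on the digest, not on size/mtime, so a file whose
    timestamp was reset to the original value is still reported.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["digest"] != current[p]["digest"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walk-through: baseline, simulated post-compromise changes, diff."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "etc").mkdir()
        (base / "etc" / "passwd").write_text("root:x:0:0\n")        # constructed sample file
        (base / "bin").mkdir()
        (base / "bin" / "ls").write_bytes(b"\x7fELF original ls")   # constructed stand-in binary
        baseline = build_index(root)      # this is the index taken before the snapshot

        # Constructed changes standing in for what a compromise might leave behind.
        (base / "bin" / "ls").write_bytes(b"\x7fELF replaced ls")   # binary replaced
        (base / "tmp").mkdir()
        (base / "tmp" / ".hidden").write_text("dropped file\n")     # new file added
        (base / "etc" / "passwd").unlink()                           # file deleted

        return compare_index(baseline, build_index(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points follow from the thread's workflow: keep the baseline index (and a hash of it) outside the guest, since anything stored on the box is writable by whoever gets root on it, and run the comparison against the snapshotted disk from a trusted environment rather than from the possibly rootkitted running system, where hooked file APIs can hide the changes the index is meant to reveal.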