An introduction to the subject of computer forensic analysis and to some of the technical traps and pitfalls that one needs to be aware of.
Reconstructing the past from the modification, access and inode-change (MAC) time stamps that UNIX and Windows file systems record for every file. This column introduces the mactime tool, which merges those time stamps into a single chronological activity list.
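What such a tool does, as an added example (not code from the column or from mactime itself): gather each file's three time stamps with lstat(), then fold them into one list ordered by time, marking every entry with mactime's `m`, `a`, `c` flags. The sample records below are constructed for illustration; the `T0` anchor and the paths are assumptions, not data from any real case. Two practitioner caveats are built in: the collector reads inodes with lstat() so that it does not itself rewrite atime, and ctime is treated as inode-change time, not creation time.

```python
"""Build a mactime-style timeline from file system time stamps.

Added example, not code from the column or from the mactime tool.
"""
import os
import time
from dataclasses import dataclass


@dataclass
class Record:
    """One file's metadata: the fields a mactime 'body' file carries."""
    path: str
    size: int
    mode: int
    uid: int
    gid: int
    mtime: int   # last change to the file's data
    atime: int   # last read of the file's data
    ctime: int   # last change to the inode (chmod, chown, link, ...); not creation


def collect(root):
    """Walk a tree and take each entry's time stamps with lstat().

    lstat() reads only the inode and does not update atime; listing the
    directories still updates their atime, so run this on a read-only or
    noatime mount of the evidence, never on the live file system.
    """
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            records.append(Record(p, st.st_size, st.st_mode, st.st_uid, st.st_gid,
                                  int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return records


def timeline(records):
    """Merge the three time stamps of every file into one list ordered by time.

    Each entry is (timestamp, flags, path) with flags in mactime's 'mac' form:
    a file whose mtime and ctime coincide yields a single 'm.c' entry.
    """
    events = {}
    for r in records:
        for flag, t in (("m", r.mtime), ("a", r.atime), ("c", r.ctime)):
            events.setdefault((t, r.path), set()).add(flag)
    entries = []
    for (t, path), flags in sorted(events.items()):
        mac = "".join(f if f in flags else "." for f in "mac")
        entries.append((t, mac, path))
    return entries


def render(entries):
    """Format entries like mactime output, one line per time stamp and file."""
    return "\n".join("%s %s %s" % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), mac, path)
                     for t, mac, path in entries)


T0 = 988000000  # 2001-04-23 04:26:40 UTC; constructed anchor time (assumption)
SAMPLE = [      # constructed records, not from any real investigation
    Record("/etc/passwd", 1234, 0o100644, 0, 0, mtime=980000000, atime=T0 + 10, ctime=980000000),
    Record("/usr/bin/login", 40960, 0o100755, 0, 0, mtime=T0, atime=T0 + 60, ctime=T0),
    Record("/tmp/.x/sniff", 20480, 0o100755, 0, 0, mtime=T0 - 300, atime=T0 + 120, ctime=T0 - 300),
]

if __name__ == "__main__":
    print(render(timeline(SAMPLE)))
```

Read top to bottom, the sample timeline tells the story the abstract alludes to: a sniffer appears in /tmp/.x, five minutes later /usr/bin/login is replaced (mtime and ctime change together, which a plain `ls -l` never shows), and shortly afterwards /etc/passwd and the new login binary are read. The same ordering over a real `collect("/mnt/evidence")` is what mactime prints.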
An intruder leaves behind a running program of unknown origin. The executable file is deleted. How does one figure out the purpose of a running program without triggering a possible logical bomb?
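On Linux, the kernel still answers that question through /proc, even after the executable has been unlinked. The following added example (not code from the column) reads what /proc/<pid> knows about a process, copies the executable image out through the /proc/<pid>/exe link, and never executes anything, which is the point: a logic bomb fires on execution, not on being read. The `build_fake_proc()` helper is a constructed stand-in for one /proc entry so the code can be exercised offline; its pid, paths and command line are assumptions, and the real /proc layout is only assumed to be the Linux one.

```python
"""Examine a running process whose executable was deleted, using Linux /proc.

Added example, not code from the column. Everything here is read-only.
"""
import os
import shutil
import tempfile


def inspect_process(pid, proc_root="/proc", copy_to=None):
    """Collect what /proc still knows about pid, without running anything.

    Returns the original executable path, whether that path is gone from the
    file system, the command line and the files mapped into the address
    space. With copy_to set, the executable image is copied out through
    /proc/<pid>/exe, which stays readable after the file was unlinked.
    """
    base = os.path.join(proc_root, str(pid))
    target = os.readlink(os.path.join(base, "exe"))
    deleted = target.endswith(" (deleted)")   # how the kernel marks an unlinked image
    if deleted:
        target = target[: -len(" (deleted)")]
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    mapped = []
    with open(os.path.join(base, "maps")) as f:
        for line in f:
            fields = line.split(None, 5)        # address perms offset dev inode path
            if len(fields) == 6:
                path = fields[5].rstrip("\n")
                if path.startswith("/") and path not in mapped:   # skip [heap], [stack], ...
                    mapped.append(path)
    image_bytes = None
    if copy_to is not None:
        # Copy the image for offline analysis (strings, disassembly); never run it.
        with open(os.path.join(base, "exe"), "rb") as src, open(copy_to, "wb") as dst:
            shutil.copyfileobj(src, dst)
        image_bytes = os.path.getsize(copy_to)
    return {"exe": target, "deleted": deleted, "cmdline": cmdline,
            "maps": mapped, "image_bytes": image_bytes}


def build_fake_proc(pid=4242):
    """Constructed stand-in for one /proc/<pid> entry so the code runs offline.

    The real /proc/<pid>/exe is a magic link that still opens after the file
    was unlinked; here the target is a file whose name literally ends in
    " (deleted)", which gives readlink() the same text a deleted binary shows.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    base = os.path.join(root, str(pid))
    os.makedirs(base)
    image = os.path.join(root, "sniff (deleted)")
    with open(image, "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 60)      # 64-byte stand-in for the binary
    os.symlink(image, os.path.join(base, "exe"))
    with open(os.path.join(base, "cmdline"), "wb") as f:
        f.write(b"./sniff\0-i\0eth0\0")
    with open(os.path.join(base, "maps"), "w") as f:
        f.write("00400000-00401000 r-xp 00000000 08:01 12345 %s\n" % image)
        f.write("7f3a00000000-7f3a00020000 r-xp 00000000 08:01 678 /lib/x86_64-linux-gnu/libc.so.6\n")
        f.write("7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]\n")
    return root, pid, os.path.join(root, "recovered.bin")


if __name__ == "__main__":
    import sys
    target_pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(inspect_process(target_pid))
```

Run as `python3 inspect.py <pid>` on a live system (as root for another user's process). The mapped-file list is often as telling as the binary itself: a deleted program that has libpcap mapped is a sniffer whatever its name says.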
An intruder compromises a friend's machine and deletes most of the files. To investigate the case, Dan and Wietse write the first version of their file recovery tools and stumble from one discovery to the next. By looking at the access time patterns of deleted file inodes, Wietse finds that deleted file information can stay around much longer than expected.
This is part two on Dan and Wietse's experiences with recovering files from a trashed machine. Dan presents the lazarus program, an amazing tool for sifting through deleted information.
This column is not about intrusion detection - it is about being prepared for the intrusion that will inevitably happen. The column discusses how to instrument hosts and networks, so that you can find out what happened, and so that you can avoid being taken by complete surprise.