Re: yes, its t0rn again
- To: [EMAIL PROTECTED]
- Subject: Re: yes, its t0rn again
- From: Jeff Bachtel <[EMAIL PROTECTED]>
- Date: Fri, 05 Jan 2001 01:01:58 +0100
- In-reply-to: <[EMAIL PROTECTED]>
I'm just curious, has anyone played with the idea of having two
machines have concurrent access to a SCSI drive?
I'm not even sure if it's possible in the x86 world, but on Sparcs
running Solaris, at least, you can have two different controllers
access the same drive. Doing this, you could have a system constantly
monitor what was being written to the disk, without it being in
danger of being affected itself.
jeff
> One convenience for some systems is to create a mountable and bootable
> CDROM with:
> 1. The md5sums
> 2. A program for checking the md5sums. If you write one of your own
> in C or some other language that generates executable code you
> increase the difficulty of a modified kernel recognizing and
> defeating it.
> 3. A usable small complete OS for initial forensics.
>
> A modified kernel can hide modifications by trapping filesystem I/O, so
> rebooting directly from the CDROM with the known good OS and tools
> is the only way to detect kernel modifications. Using a CDROM is just a
> convenience. It avoids disassembling the computer to take the suspect
> disks over to another known good system for analysis. It is usually
> much easier to reboot from the CDROM.
>
> If they've penetrated the boot ROM, well, you can reflash it from a
> known good copy.
>
> R Horn
>
--
Jeff Bachtel (NOC,CIS,TAMU) http://www.cepheid.org/~jeff
[finger [EMAIL PROTECTED] for PGP key]
Mountain Dew and doughnuts...
because breakfast is the most important meal of the day.
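
Added example, not part of the original message or either poster's code: a minimal checker for the md5sum list described in the quoted text, meant to run from the known-good boot media against the suspect disk mounted at a directory. It is written in Python with hashlib rather than C; the function names, the status strings and the constructed sample files are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

def parse_manifest(text):
    """Parse md5sum output lines: 32 hex digits, a space, ' ' or '*', then the path."""
    entries = {}
    for line in text.splitlines():
        digest, path = line[:32].lower(), line[34:]
        if len(line) > 34 and line[32] == " " and line[33] in " *" \
                and all(c in "0123456789abcdef" for c in digest):
            entries[path] = digest
    return entries

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(manifest_text, root):
    """Check each manifest path under root (the suspect disk's mount point)."""
    results = {}
    for path, expected in parse_manifest(manifest_text).items():
        target = os.path.join(root, path.lstrip("/"))
        try:
            mode = os.lstat(target).st_mode
        except (FileNotFoundError, NotADirectoryError):
            results[path] = "MISSING"
            continue
        # lstat: an absolute symlink on the suspect disk would resolve into the clean OS.
        if not stat.S_ISREG(mode):
            results[path] = "NOT_REGULAR"
        else:
            results[path] = "OK" if md5_file(target) == expected else "MODIFIED"
    return results

def demo():
    """Constructed sample: a fake suspect root with ps replaced and login deleted."""
    good = {"ls": b"original ls", "ps": b"original ps", "login": b"original login"}
    manifest = "".join("%s  /bin/%s\n" % (hashlib.md5(d).hexdigest(), n)
                       for n, d in good.items())
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", good["ls"]), ("ps", b"trojaned ps")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        return verify(manifest, root)

if __name__ == "__main__":
    print(demo())
```

The result is only trustworthy when the checker, the interpreter and the manifest all come from the read-only media and the running kernel is the one booted from it.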