From: "Henrique de Moraes Holschuh" <hmh@hmh.eng.br>
To: "Alan Cox" <alan@lxorguk.ukuu.org.uk>
Cc: "Robert Hancock" <hancockrwd@gmail.com>,
"Anton D. Kachalov" <mouse@mayc.ru>,
linux-kernel@vger.kernel.org
Subject: Re: Reading /dev/mem by dd
Date: Thu, 12 Nov 2009 14:06:47 -0200
Message-ID: <1258042007.31158.1344897055@webmail.messagingengine.com>
In-Reply-To: <20091112110949.339c0c64@lxorguk.ukuu.org.uk>
On Thu, 12 Nov 2009 11:09 +0000, "Alan Cox" <alan@lxorguk.ukuu.org.uk> wrote:
> On Thu, 12 Nov 2009 00:12:09 -0200 Henrique de Moraes Holschuh
> <hmh@hmh.eng.br> wrote:
> > On Wed, 11 Nov 2009, Robert Hancock wrote:
> > > I don't think that we prevent any access to device registers in
> > > /dev/mem - if you read something that has side effects and
> > > something breaks, well I guess you get to keep both pieces :-)
> > > There's a reason it's root-only..
> >
> > We should. Imaging /dev/mem is one of the oldest tricks in the book
> > of the forensics people, they do it to live systems to help track
> > down WTF happened to a compromised host. This kind of crap bites
> > them hard.
>
> Any forensics person who images /dev/mem needs to go back to school.
While I do agree with you, I can assure you they do it all the time at
least around here, and it is still listed as "best practice" in the
notebooks of many.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
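The side-effect problem Robert describes comes from /dev/mem exposing device registers (MMIO, APIC, ROM) alongside RAM; an acquisition tool that wants only memory has to skip the non-RAM windows. As an added illustration, not code from this thread or from the kernel, the helper below parses a constructed /proc/iomem listing (the sample text and its addresses are made up), keeps only the top-level "System RAM" ranges, and turns them into a skip/count plan that a dd-style reader could follow. It assumes the tool runs as root and can read /proc/iomem.

```python
import re
from typing import List, Tuple

# Constructed sample of /proc/iomem (not captured from a real host):
# a few top-level ranges plus one indented child entry.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-7ffdffff : System RAM
  01000000-01a00000 : Kernel code
7ffe0000-7fffffff : Reserved
e0000000-efffffff : 0000:00:02.0
fec00000-fec003ff : IOAPIC 0
fee00000-fee00fff : Local APIC
100000000-17fffffff : System RAM
"""

_LINE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+) : (.*)$")

def system_ram_ranges(iomem_text: str) -> List[Tuple[int, int]]:
    """Return top-level (start, end) ranges labelled 'System RAM'.

    Indented lines are children of the range above them (e.g. 'Kernel
    code' inside RAM) and are skipped. Ends are inclusive, as in
    /proc/iomem.
    """
    ranges = []
    for line in iomem_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        indent, start, end, name = m.groups()
        if indent == "" and name.strip() == "System RAM":
            ranges.append((int(start, 16), int(end, 16)))
    return ranges

def is_ram(offset: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if a physical offset lies inside one of the RAM ranges."""
    return any(lo <= offset <= hi for lo, hi in ranges)

def ram_only_plan(ranges: List[Tuple[int, int]], chunk: int = 1 << 20):
    """Split RAM ranges into (skip_bytes, count_bytes) reads of at most
    `chunk` bytes, so no read ever crosses into a device window."""
    plan = []
    for lo, hi in ranges:
        pos = lo
        while pos <= hi:
            n = min(chunk, hi - pos + 1)
            plan.append((pos, n))
            pos += n
    return plan
```

Whether the kernel actually returns those bytes through /dev/mem is a separate question from which offsets are safe to touch; the plan only answers the second.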