LinuxQuestions.org > Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've been browsing through the Knoppix Pocket Reference by Kyle Rankin (O'Reilly) and have come across this curious remark on page 36 concerning the use of the Grave-robber program: "conf_vault - a full copy of 'interesting' files such as ./etc configuration files."
So there's a feature in Grave-robber that enables one to grab config files from the /etc directory where they typically reside. The question is, why is the word "interesting" in inverted commas? The author himself doesn't go on to explain....
Any ideas?
cc.
I haven't read the book but wouldn't the context indicate that interesting was placed in quotation marks to convey that they are files which could be valuable for intelligence and/or forensic purposes (instead of mainly for personal reasons)?
Dunno. The only point I can see of examining config files for forensic purposes is if they have been altered from their defaults. This must self-evidently be true. But for what reason would anyone do so? Is it possible to hide evidence of wrongdoing by changing config files from their defaults? That's the only possibility that comes to my mind. :-/
I don't think he was implying anything out of the ordinary, just that you may want your config files back, that's all. They may be interesting to you, or important to you.
Hi again TM,
Well I just don't know for sure. It's hard for you guys to correctly infer the context where none is given. Short of posting a scan of the page in question (not possible at present) there's not much I can do. But I don't believe that's the case. The author was discussing the recovery of forensic data from a seized computer, which clearly implies it's nothing to do with system rescue in the usual sense, but rather gleaning vital evidence of criminality. I just don't see how such evidence could be uncovered from the configuration files. :-/
Whatever grave-robber sucks up from the corpse is defined in grave-robber.cf. Vault specifics are defined in "save_these_files". If you'd check it you'd see shell regexes like "$CORPSE/etc/passwd", "$CORPSE/etc/group" and "$CORPSE/etc/*/*", meaning grave-robber should save at least some specific, named files but basically everything in /etc.
As far as forensics goes, "interesting" may be defined by the scope of your investigation. Data in standalone mode may perhaps not be interesting, but for instance being able to correlate local MAC times and data with, say, networked auth, DHCPd, router, proxy or sniffer logs may help you pinpoint the machine, and therefore an account, at a certain time and location.
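To make the previous reply concrete, here is an added example (not TCT's grave-robber and not code from the book) of what a conf_vault collector does: it expands a `save_these_files`-style list of shell globs against a `$CORPSE` mount point, copies every match into a vault directory under its original relative path, and writes a manifest with a SHA-256 hash and the MAC times of each file, which is what you would later line up against DHCP, auth or proxy logs. The pattern list is constructed from the three entries quoted above; `build_vault`, `select_files` and the manifest layout are this example's own names, and the corpse is assumed to be an offline, read-only mount of the seized disk.

```python
import glob
import hashlib
import json
import os
import shutil
import sys
from datetime import datetime, timezone

# Constructed pattern list modelled on the save_these_files entries quoted in
# the thread. $CORPSE stands for the mount point of the seized disk image.
SAVE_THESE_FILES = [
    "$CORPSE/etc/passwd",
    "$CORPSE/etc/group",
    "$CORPSE/etc/*/*",
]


def select_files(corpse, patterns=SAVE_THESE_FILES):
    """Expand $CORPSE, apply each shell glob, and return the sorted set of
    regular files matched. Symlinks are skipped so a link planted on the
    corpse cannot pull in files from outside the mounted image."""
    corpse = os.path.abspath(corpse)
    found = set()
    for pat in patterns:
        for path in glob.glob(pat.replace("$CORPSE", corpse)):
            if os.path.isfile(path) and not os.path.islink(path):
                found.add(path)
    return sorted(found)


def mac_times(path):
    """Modification, access and inode-change times as UTC ISO-8601 strings."""
    st = os.lstat(path)

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return {"mtime": iso(st.st_mtime), "atime": iso(st.st_atime), "ctime": iso(st.st_ctime)}


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_vault(corpse, vault, patterns=SAVE_THESE_FILES):
    """Copy every selected file into vault under its corpse-relative path and
    return (and write as manifest.json) a map of that path to hash and MAC times."""
    corpse = os.path.abspath(corpse)
    os.makedirs(vault, exist_ok=True)
    manifest = {}
    for src in select_files(corpse, patterns):
        rel = os.path.relpath(src, corpse)
        # Record times before opening the file: a read on a corpse that is not
        # mounted read-only/noatime would otherwise bump atime.
        times = mac_times(src)
        digest = sha256_file(src)
        dst = os.path.join(vault, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        # copy2 keeps mtime/atime on the copy; ctime cannot be preserved, which
        # is why the original ctime is kept in the manifest instead.
        shutil.copy2(src, dst)
        manifest[rel] = {"sha256": digest, **times}
    with open(os.path.join(vault, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: conf_vault.py <corpse mount point> <vault dir>")
    for rel, info in build_vault(sys.argv[1], sys.argv[2]).items():
        print(f"{info['sha256']}  {info['mtime']}  {rel}")
```

Note that `$CORPSE/etc/*/*` behaves like the shell glob: it reaches exactly one directory level below /etc, so /etc/hostname (too shallow) and /etc/ssh/deeper/file (too deep) are left alone unless named by another pattern, and directories matched by the glob are filtered out before copying.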
I see, well then in that context, he probably means data that is potentially useful or interesting to you as an agent. And you're right, in this case it wouldn't mean much, because in most cases config files won't really help you in making a case. Odd, maybe you should send the author an e-mail and ask him.