draft-ietf-grip-prot-evidence-04.txt   draft-ietf-grip-prot-evidence-05.txt 
Internet Engineering Task Force Dominique Brezinski Internet Engineering Task Force Dominique Brezinski
INTERNET-DRAFT In-Q-Tel INTERNET-DRAFT In-Q-Tel
Valid for six months Tom Killalea Valid for six months Tom Killalea
neart.org neart.org
November 2001 November 2001
Guidelines for Evidence Collection and Archiving Guidelines for Evidence Collection and Archiving
<draft-ietf-grip-prot-evidence-04.txt> <draft-ietf-grip-prot-evidence-05.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet Drafts are working all provisions of Section 10 of RFC2026. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six Internet Drafts are draft documents valid for a maximum of six
skipping to change at page 8, line 25 skipping to change at page 8, line 25
such a set of tools for each of the Operating Systems that you manage such a set of tools for each of the Operating Systems that you manage
in advance of having to use it. in advance of having to use it.
Your set of tools should include the following Your set of tools should include the following
- a program for examining processes (e.g., 'ps'). - a program for examining processes (e.g., 'ps').
- programs for examining system state (e.g., 'showrev', 'ifconfig', - programs for examining system state (e.g., 'showrev', 'ifconfig',
'netstat', 'arp'). 'netstat', 'arp').
- a program for doing bit-to-bit copies (e.g., 'dd'). - a program for doing bit-to-bit copies (e.g., 'dd', 'SafeBack').
- programs for generating core images and for examining them (e.g, - programs for generating checksums and signatures (e.g.,
'sha1sum', a checksum-enabled 'dd', 'SafeBack', 'pgp').
- programs for generating core images and for examining them (e.g.,
'gcore', 'gdb'). 'gcore', 'gdb').
- scripts to automate evidence collection (e.g., The Coroner's - scripts to automate evidence collection (e.g., The Coroner's
Toolkit [FAR1999]). Toolkit [FAR1999]).
The programs in your set of tools should be statically linked, and The programs in your set of tools should be statically linked, and
should not require the use of any libraries other than those on the should not require the use of any libraries other than those on the
read-only media. Even then, since modern rootkits may be installed read-only media. Even then, since modern rootkits may be installed
through loadable kernel modules, you should consider that your tools through loadable kernel modules, you should consider that your tools
might not be giving you a full picture of the system. might not be giving you a full picture of the system.
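Review bot: the new bullet "programs for generating checksums and signatures" lumps together two different things, and its example list is ambiguous. 'sha1sum' produces an integrity checksum while 'pgp' produces a signature that also ties the image to the person who took it; the bullet should say which is wanted at which stage, since a checksum with no signature over it does not bind the copy to the collector. "a checksum-enabled 'dd'" reads as though 'dd' itself computes a checksum; name the specific variant meant or drop it. 'SafeBack' now appears under both the bit-to-bit copy bullet and the checksum bullet; list it once with its role. Finally, the paragraph right after the list requires every program in the set to be statically linked and to need no libraries beyond the read-only media; it is worth stating that the checksum and signing tools added here fall under that requirement too, because the integrity record is only as trustworthy as the binary that produced it.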
skipping to change at page 10, line 26 skipping to change at page 10, line 29
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
This document expires May 5, 2002. This document expires May 15, 2002.
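Review bot: the closing quotation mark after "PARTICULAR PURPOSE." on the last line of the disclaimer has no opening counterpart and is carried over from -04 unchanged; drop it. The only substantive change in this hunk is the expiry date, May 5, 2002 to May 15, 2002, which is consistent with the six-month validity stated in the header.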
End of changes. 4 change blocks. 3 lines changed or deleted, 6 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/