Obstacles to data gathering

• Continued "production" use of the system
• Editing/deletion of system logs
• Hidden directories
• Changed argv[]
• Linking history/syslog files to /dev/null
• Use of /tmp file system
• Unlinked files
• Replaced system binaries (Standard rootkits)
• Loadable kernel modules (Advanced)
• Modified kernel system call table (State of the Black Art)
• Use of "anti-sniffer/anti-IDS" programs

[Next] | [Prev] | [Top]