Other types of filesystem evidence

• cron jobs: /var/spool/cron/crontabs/*
• at jobs: under /var/spool/cron/atjobs/
• logs in /var/adm/messages* (see /etc/syslog.conf)
• rpc.cmsd logs in /var/spool/calendar/callog.root.*
• DDOS agents: see http://www.fbi.gov/nipc/trinoo.htm
• files that an intruder has made setuid
  • find / /usr /var -mount -perm -4000 -type f -print
  • there will probably be legitimate setuid files
• searching the raw disk for parts of deleted files
  • need a search string, e.g., "TCP/IP LOG" from sniffer log
  • Gnu grep (ggrep) can be useful to examine adjacent data
  • strings - /dev/rdsk/c0t4d0s0 | ggrep -A30 "TCP/IP LOG"