Appendix E. How to Crowbar Unix Hosts

The term crowbar refers to circumventing a host's access control by booting it from an external medium (a floppy disk, CD, or externally attached hard drive) and then accessing its hard drives directly. The easiest way to do this on a Unix system is to boot from a CD, mount the root partition, and edit either /etc/passwd or /etc/shadow to remove the password hash from the root account. Once the system is rebooted, anyone can log on as root without a password. This trick is certainly not the preferred method of forensic investigation, since mounting the disk read-write alters the evidence, but it is one that everyone doing incident response should know. If you are forced to perform a quick investigation of a Unix system and the ...
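The edit described above, carried out with a script rather than by hand, as an added example that is not from the book. It assumes a live-CD shell with root privileges, a root partition on a hypothetical /dev/sda1 mounted at /mnt, and a constructed sample shadow file with made-up hashes for demonstration. The password field is the second colon-separated column in both /etc/passwd and /etc/shadow, so the same function works on whichever file holds the hash; a backup copy is taken first so the original line can be restored after the investigation. Note that a blank password field only gets you in where pam_unix is configured with nullok and only at the console, because sshd refuses empty passwords by default, and a full-disk-encrypted root partition defeats the technique entirely.

```sh
#!/bin/sh
# Added example (not from the book): blank root's password hash on a
# mounted root partition. Device and mountpoint below are assumptions.

# Blank the password field (column 2) of the root entry in a passwd- or
# shadow-format file, keeping a backup of the untouched original.
crowbar_shadow() {
    shadow="$1"
    cp -p "$shadow" "$shadow.crowbar-backup.$(date +%s)"
    # Rebuild only the root line with an empty second field; every other
    # line and field is passed through unchanged.
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' \
        "$shadow" > "$shadow.tmp" && mv "$shadow.tmp" "$shadow"
}

# Print root's password field so the change can be verified.
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# Whole procedure from the live CD. Assumed defaults: /dev/sda1 and /mnt.
# Prefers /etc/shadow; falls back to /etc/passwd on non-shadow systems.
crowbar_host() {
    dev="${1:-/dev/sda1}"
    mnt="${2:-/mnt}"
    mount "$dev" "$mnt"
    if [ -f "$mnt/etc/shadow" ]; then
        crowbar_shadow "$mnt/etc/shadow"
    else
        crowbar_shadow "$mnt/etc/passwd"
    fi
    umount "$mnt"
}

# Constructed sample shadow file (made-up hashes, not from any real host)
# so the edit can be exercised without touching a disk.
make_sample_shadow() {
    f="$1"
    cat > "$f" <<'EOF'
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$othersalt$zyxwvutsrqponmlkjihgfedcba9876543210:19000:0:99999:7:::
EOF
    echo "$f"
}
```

On the real host the call is `crowbar_host /dev/sda1 /mnt` (substituting the actual root device); afterwards `root_hash /mnt/etc/shadow` should print nothing, and the `.crowbar-backup.*` file holds the original line for restoration once the investigation is done.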
