Appendix E. How to Crowbar Unix Hosts

The term crowbar refers to circumventing a host’s access control by booting it from an external medium (e.g., a floppy disk, CD, or externally attached hard drive) and then accessing its hard drives directly. The easiest way to do this on a Unix system is to boot from a CD, mount the root partition, and then edit either /etc/passwd or /etc/shadow to remove the password from the root account. Once this has been done, the system can be rebooted and anyone can log on as root. This trick is certainly not the preferred method of forensic investigation, but it is one that everyone doing incident response should know. If you are forced to perform a quick investigation of a Unix system and the ...
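The edit described above leaves a visible artifact: an empty password field in /etc/shadow. The following audit script, added here as an example and not taken from the book, flags such entries so a responder can tell whether a host has been crowbarred (or left that way after an investigation). The function names and the sample shadow file are constructed for illustration; point the functions at a real /etc/shadow to audit a host.

```shell
#!/bin/sh
# Audit a shadow-format file for accounts with an empty password field,
# which is exactly what removing root's password via a crowbar boot leaves.
# Entries with "!" or "*" in the hash field are locked, not passwordless.

find_passwordless_accounts() {
    # $1: path to a file in /etc/shadow format (name:hash:lastchg:...)
    # Prints one account name per line for every entry whose hash is empty.
    awk -F: '$2 == "" { print $1 }' "$1"
}

root_has_password() {
    # $1: path to a shadow-format file
    # Exit status 0 if a root entry exists with a non-empty hash, else 1.
    awk -F: '
        $1 == "root" { found = 1; if ($2 != "") ok = 1 }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample shadow file; the hash for alice is a placeholder,
# root and bob have had their password fields emptied.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholder$notarealhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
EOF

echo "Accounts with no password set:"
find_passwordless_accounts "$SAMPLE_SHADOW"
if root_has_password "$SAMPLE_SHADOW"; then
    echo "root: password present"
else
    echo "root: NO PASSWORD (possible crowbar artifact)"
fi
```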
