10. Take a low-level filesystem dump

You want to get your hacked machine back in service as soon as possible; you don't want to lose any available forensic data; you want to determine how the intruder go access to you system: make a low-level copy/dump of your disks/partitions/slices — a copy using rsync, cp -pr, tar or similar high-level tools will not do, as any decent rootkit will have hidden itself, perhaps by wrapping system-calls.

The plan: take a low-level copy; mount the copy on a trusted host and investigate — there should no longer be any rootkit-hidden files.

10.1. Standard Dump Tools

The standard tools for this kind of backup, or dump are: for Solaris, ufsdump; for Linux, dump. The latter, however is the subject of some discussion:

Pros:

• bypasses the kernel's filesystem interface — reads the filesystem through the block device — and therefore possibly wrapped/intercepted system calls;
• can handle unmounted filesystems;

Cons:

• handles Ext2 and Ext3 filesystems only (e.g., there is no ReiserFS dump utility);

10.2. Ghost

Norton/Symantec's Ghost can be used to make a copy of a filesystem. However, Ghost supports only Ext2 and Ext3, not ReiserFS, XFS, JFS...

10.3. dd or cat /dev/[hs]d[a-z]\d+

Enough! Any real Unix/Linux sysadmin will simply use dd or even cat. I have tried and tested both the following procedures. On the hacked machine

    dd if=/dev/hda1 of=/scratch/hda1image 

    cat /dev/hda1 > /scratch/hda1.cat

    cd /scratch 
    mkdir hda1
    mount hda1image hda1 -t ext3 -o loop=/dev/loop2

It is plausible that dd and/or cat, or something they depend on, will have been compromised in a way which will interfere with these procedures, so the truly paranoid should boot the hacked machine from a "live" CD, or attach its hard-disks to a trusted machine (as slave devices).