Hey, hope you are recovering from this ordeal. I attribute some of the oddities in your post to panicked writing, but it would be great if you can clarify these points:
listed as .BRM for windows 6
What does that mean?
As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone
What do you mean base part of KDE? Did they delete more than just the home directory?
because since they schroot, none of those processes were available to me to view
Why wouldn’t you be able to view processes running in schroot? Doesn’t it use the same pid namespace and the same /proc as the init process?
I went digging and found the schroot under /run/. I took a look at the properties and the env showed 128.7TB of storage
You wrote in a comment “that was the server farm rooted into me”. Why do you think that is the case?
Also, it’s not quite clear what the screenshots are meant to show. The first two are a list of files in your home directory, showing it’s not empty. So did they wipe everything or not? How are we supposed to know what those files are and what you expect should be there… And then the other screenshots are of you trying to recover files from the disk image.
I understand if you don’t, but do you actually have any evidence of an attack? Like cellphone video of the screen while you are seeing suspicious activity on Wireshark? I can definitely understand being more concerned with minimizing the damage once you realize files are being deleted than gathering evidence. But can you for example fish out that .dll file from the disk image?
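On the schroot point raised in the comment above: chroot(2) changes a process's root directory but does not put it in a new PID namespace, so anything running under schroot still shows up in the host's /proc. The script below is an added example, not code from the original post or from the schroot project; it walks /proc and prints every process whose root directory is not "/", which is how you would actually go looking for chrooted processes. The function names are my own. It reads /proc/<pid>/root, so run it as root to see other users' processes; note that a process in a separate mount namespace (a container) also reads back as "/", so this only finds plain chroots.

```sh
#!/bin/sh
# Added example (not from the original post): enumerate processes whose root
# directory differs from the host's "/", i.e. processes running inside a
# chroot such as the one schroot sets up. chroot(2) does not create a PID
# namespace, so such processes are still listed in the host's /proc.

# Print the root directory of one process, as resolved from our own root.
# Prints nothing and fails if the pid is gone or we lack permission.
proc_root() {
    readlink "/proc/$1/root" 2>/dev/null
}

# Print "pid root comm" for every process whose root is not "/".
chrooted_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        root=$(proc_root "$pid") || continue
        [ -n "$root" ] || continue        # vanished, or not readable as this user
        [ "$root" = "/" ] && continue     # ordinary process, same root as us
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$root" "$comm"
    done
}

chrooted_procs
```

Run it as root on the affected machine; an empty result means no process currently has a different root than yours, which is the expected state when no schroot session is active.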