[Full-Disclosure] Re: Reacting to a server compromise

From: Alexandre Dulaunoy (alexandre.dulaunoy_at_ael.be)
Date: 08/03/03

    To: devnull@iprimus.com.au
    Date: Sun, 3 Aug 2003 21:00:42 +0200

    On 03/Aug/03 12:33 +1000, devnull@iprimus.com.au wrote:
    > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
    >
    > > If this happens again, I would probably make a copy of the hard drive,
    > > or at the very least the log files since they can be entered as
    > > evidence of a hacked box.
    >
    > Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
    > using standard hardware is completely inadmissible in court, as it is
    > impossible to make one without possibly compromising the integrity of the
    > evidence. The police etc use specialised hardware for making such copies,
    > which ensures that the disk can't have been altered.

    Getting evidence by reading (via any software or hardware solution)
    may compromise the integrity of the evidence. I would like to know the
    difference between, for example, a (s)dd and the specialised hardware
    that you talk about? Do you have any references?

    Preserving the scene integrity is really difficult. You have to
    minimize the intrusion to the scene. On computer hardware this is really
    difficult... Using a hardware device that doesn't change the scene too
    much is difficult... (think of a compromised disk firmware).

    And the worst, sometimes we see something that doesn't exist at
    all. Forensic analysis is the land of illusion...

    just my .02 EUR.

    adulau

    -- 
    -- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
    -- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
    -- "Knowledge can create problems, it is not through ignorance
    --  that we can solve them" Isaac Asimov


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
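One way to make the software side of the question above concrete (an added example, not code from the thread or its participants): a shell script that records SHA-256 hashes of the source before and after a dd read, hashes the resulting image, and can re-verify the image later against what was recorded at acquisition. It assumes GNU coreutils (dd, sha256sum); write-blocking of a real device (hardware blocker or `blockdev --setro` on Linux) is assumed to have happened beforehand and is not performed here.

```shell
#!/bin/sh
# Added example, not code from the thread. Image a source with dd while
# recording SHA-256 hashes before and after the read, so the copy can later
# be shown to match what was on the source at acquisition time.
# Assumptions: GNU coreutils (dd, sha256sum). On a real device, set the
# source read-only first (e.g. `blockdev --setro /dev/sdX` on Linux) or use
# a hardware write blocker; that step is not run here.

hash_of() {
    # sha256sum prints "<hash>  <path>"; keep only the hash
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SOURCE IMAGE LOG
# Returns 0 only if the source hash is unchanged across the read and the
# image hash equals it. dd's own block counts and errors go to IMAGE.dd.log.
image_and_verify() {
    src=$1; img=$2; log=$3
    h_before=$(hash_of "$src") || return 2
    # noerror: keep reading past bad sectors; sync: pad each short read to a
    # full block so offsets in the image line up with offsets on the source.
    # Caveat: sync also pads a final partial block, so the image hash only
    # matches the source when the source is a whole number of blocks (true
    # for a block device when bs equals its sector size, here 512).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 2
    h_after=$(hash_of "$src") || return 2
    h_img=$(hash_of "$img") || return 2
    {
        echo "acquired_at   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source_before $h_before"
        echo "source_after  $h_after"
        echo "image         $h_img"
    } >"$log"
    [ "$h_before" = "$h_after" ] && [ "$h_img" = "$h_before" ]
}

# verify_image IMAGE LOG
# Later re-check (before analysis, or when the copy is handed on): recompute
# the image hash and compare it with the one recorded at acquisition.
verify_image() {
    img=$1; log=$2
    recorded=$(awk '$1 == "image" { print $2 }' "$log")
    [ -n "$recorded" ] && [ "$(hash_of "$img")" = "$recorded" ]
}
```

The log file is what travels with the image; if any later hash of the image differs from the recorded one, the copy can no longer be relied on.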
