RE: tools used to examine a computer

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 02/20/03

    Date: Thu, 20 Feb 2003 09:14:38 -0000
    From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
    To: <security-basics@securityfocus.com>
    
    

    My final word on this is that I was talking about cloning the disk or
    partition and not using dd for single files if that helps clear any
    confusion about what I was saying. At the end of the day if it was a
    serious issue that might go to full legal investigation I would call in
    professional law enforcement agencies who have the right tools and
    software for the job.

    So when running an Incident Handling operation the main thing to know is
    when to touch the machine at all to do anything and when to declare it
    serious enough for legal action to be taken.

    Trevor Cushen
    Sysnet Ltd

    www.sysnet.ie
    Tel: +353 1 2983000
    Fax: +353 1 2960499

    -----Original Message-----
    From: H C [mailto:keydet89@yahoo.com]
    Sent: 19 February 2003 19:15
    To: David J. Bianco
    Cc: Trevor Cushen; security-basics@securityfocus.com
    Subject: RE: tools used to examine a computer

    David,

    I did say "hashes the file (MD5 and/or SHA-1)"...so do
    it both before and after you copy it over the network.
    Just be sure to collect the MAC times *before* you
    hash it, as hashing causes the file to be accessed,
    and the last access time changes.

    --- "David J. Bianco" <bianco@jlab.org> wrote:
    > On Tue, 2003-02-18 at 13:02, H C wrote:
    > > > Also on the point of copying files over the network first, correct me
    > > > if I'm wrong but that damages the chain of evidence.
    > >
    > > How so? If one collects the necessary info (ie, MAC times, NTFS ADSs,
    > > permissions, full path, etc), hashes the file (MD5 and/or SHA-1), and
    > > then copies the file over the network using something like 'dd' or
    > > type, and netcat/cryptcat, how is the chain of evidence broken?
    > > Especially if it's documented?
    >
    > Although Trevor has since posted a clarification to the effect that he
    > was referring to file copying as opposed to creating a bit image with
    > dd, I think it's worth noting that in order to guard against accidental
    > or malicious network data tampering, you'd have to guarantee that the
    > data traversed the network without being tampered with, probably by
    > computing an md5 sum on the data at both ends of the transfer.
    > Otherwise the chain of evidence would indeed be broken, since most
    > networks are not guaranteed to be reliable or secure from tampering.
    >
    > David
    >
    > --
    > David J. Bianco <bianco@jlab.org>
    > Thomas Jefferson National Accelerator Facility
    >

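The collection order H C describes above (record MAC times first, then hash, then copy the file with dd over netcat, then hash again at the receiving end and document everything), together with David's point that the hash has to be computed independently at both ends of the transfer, as an added shell example. This is editor-supplied illustration, not code from anyone in the thread. It assumes GNU coreutils on the collecting host (stat -c, md5sum, sha1sum, dd) and replaces the netcat hop with a local pipe so it runs offline; the function names, file names and the evidence-log line format are made up for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (stat -c, md5sum,
# sha1sum, dd). Order matters: record MAC times BEFORE hashing, because hashing
# reads the file and can update its access time.

# Print atime, mtime, ctime as epoch seconds. stat only touches the inode,
# not the file contents, so this does not alter the access time.
mac_times() {
    stat -c '%X %Y %Z' "$1"
}

# Print "md5 sha1" for a file. This READS the file: call mac_times first.
hashes() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Stream the file byte-for-byte with dd. Both ends are local pipes here; on a
# real collection the right-hand side would be "nc collector 9999" and the
# receiver would run "nc -l -p 9999 | dd of=evidence.bin" (hypothetical host/port).
transfer() {
    dd if="$1" bs=4096 2>/dev/null | dd of="$2" bs=4096 2>/dev/null
}

# Compare hashes computed independently on each copy. Returns 0 iff identical.
verify_transfer() {
    [ "$(hashes "$1")" = "$(hashes "$2")" ]
}

# Full acquisition of one file: metadata, source hash, copy, destination hash,
# then a log entry so the chain can be reviewed later.
# $1 = source path, $2 = destination path, $3 = evidence log (appended to).
acquire() {
    src=$1; dst=$2; log=$3
    # 1. metadata before anything reads the file contents
    before=$(mac_times "$src")
    perms=$(stat -c '%A %U %G' "$src")
    # 2. hash on the source side
    h_src=$(hashes "$src")
    # 3. copy across the "network"
    transfer "$src" "$dst"
    # 4. hash again on the receiving side and compare with the source-side hash
    h_dst=$(hashes "$dst")
    if [ "$h_src" != "$h_dst" ]; then
        printf 'MISMATCH %s src=[%s] dst=[%s]\n' "$src" "$h_src" "$h_dst" >>"$log"
        return 1
    fi
    # 5. document it: when, where, which file, its permissions, MAC times, hashes
    # ($before expands to three words, $h_src to two; keep them unquoted)
    printf '%s host=%s path=%s perms=%s atime=%s mtime=%s ctime=%s md5=%s sha1=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" "$perms" \
        $before $h_src >>"$log"
}
```

Usage would be along the lines of `. ./acquire.sh; acquire /tmp/suspect.bin /mnt/evidence/suspect.bin evidence.log` (paths are placeholders). Note that this covers Unix metadata only; the NTFS alternate data streams H C mentions need a Windows-side tool, and whether the access time actually changes on hashing depends on the mount options (relatime on Linux, for instance, may leave it alone), which is exactly why the MAC times are captured first rather than relied on afterwards.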