Full Disclosure mailing list archives

RE: Break-in discovery and forensics tools


From: "Brad Bemis" <Brad.Bemis () airborne com>
Date: Thu, 24 Apr 2003 09:14:24 -0700


I think you are missing the big picture.  

Logs are just one piece of evidence used in a court case.  Used
appropriately, they serve as an indicator.  Yes, you could fake the log
files, but in a court case you are generally going to have a defendant. 
The log files would be used to show a pattern of attack in relation to the
traffic normally seen and show how and why an organization would have been
alerted to the situation.  

Once an investigation begins, the defendant's computer(s) are more than
likely going to be confiscated and analyzed.  It is the digital forensic
evidence that carries a greater weight than just the victim's log files.  In
some cases log files may be all that you have to go on, but it is going to
be up to the judge and/or jury to make an appropriate determination.  

A lot of that weight depends on what steps you as a victim have taken or do
take to protect your log files and assure their reliability.  If you just
show up with a log file that was implemented without any other security
controls, it will mean a lot less to court experts and the court itself
than a log that has been retrieved from several different locations (like
two or more syslog servers set up to collect the same traffic for
redundancy), that has been timestamped, hashed, and certified through the
chain of custody process.  

Yes, technically it can still be falsified, but I don't think that your
argument holds up well in light of observed due diligence and due care as
interpreted by a court.  


-----Original Message-----
From: Hotmail [mailto:se_cur_ity () hotmail com]
Sent: Wednesday, April 23, 2003 11:53 AM
To: Shawn McMahon; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Break-in discovery and forensics tools


Believe me, a printed log from a computer carries more weight as "firm
evidence" than does a verbal testimony. As well, any log, etc. from any
electronic device is tamperable from its origin. Hell, I could make a proxy
server, spoof whatever damn originating IP and header etc., and frame anyone
in the world.. just cause I have a "log" of it...I DONT THINK SO

comments appreciated on this thread..

morning_wood
http://exploit.wox.org

----- Original Message -----
From: "Shawn McMahon" <smcmahon () eiv com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, April 23, 2003 10:31 AM
Subject: Re: [Full-disclosure] Break-in discovery and forensics tools

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




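Brad's point about logs that are hashed, timestamped and collected on two or more syslog servers, shown as an added example that is not part of the thread: a collector-side keyed hash chain makes any later edit or deletion detectable, and comparing the copies held by two independent collectors shows where they diverge. The log lines and the collector key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the same firewall events as received by two
# independent syslog collectors (the "two or more syslog servers" case).
COLLECTOR_A = [
    "2003-04-23T10:31:02Z fw01 DROP 198.51.100.7 -> 192.0.2.10:22",
    "2003-04-23T10:31:03Z fw01 DROP 198.51.100.7 -> 192.0.2.10:23",
    "2003-04-23T10:31:07Z fw01 ACCEPT 198.51.100.7 -> 192.0.2.10:80",
]
COLLECTOR_B = list(COLLECTOR_A)

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def chain(lines, key):
    """Hash-chain log lines: each record's digest covers the line text and the
    previous digest, keyed with a secret held only on the collector, so the
    host that produced the events cannot recompute the chain afterwards."""
    prev, out = GENESIS, []
    for line in lines:
        digest = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        out.append((line, digest.hex()))
        prev = digest
    return out


def verify(chained, key):
    """Return the index of the first record that fails the chain, or -1 if
    intact. Once a record is altered or removed, that record and every later
    digest no longer match, so the change cannot go unnoticed."""
    prev = GENESIS
    for i, (line, stored) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), stored):
            return i
        prev = expected
    return -1


def cross_check(a, b):
    """Compare two collectors' copies line by line; return the indices at
    which they disagree (a missing trailing record counts as disagreement)."""
    n = max(len(a), len(b))
    return [i for i in range(n)
            if i >= len(a) or i >= len(b) or a[i][0] != b[i][0]]


if __name__ == "__main__":
    key = b"constructed-collector-secret"  # assumption: per-collector key
    stored = chain(COLLECTOR_A, key)
    print("intact:", verify(stored, key) == -1)
    print("copies agree:", cross_check(stored, chain(COLLECTOR_B, key)) == [])
```

The chain only proves integrity from the moment the collector recorded each line; it says nothing about whether the originating host reported the truth, which is exactly why Brad treats logs as one indicator alongside the forensic image.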

