Full Disclosure mailing list archives
Re: Re: Reacting to a server compromise
From: manohar singh <seclistaddress () yahoo com>
Date: Sun, 3 Aug 2003 05:01:15 -0700 (PDT)
This is going off topic, but I'll still reply.

Server Logs, provided their integrity is maintained, are admissible as evidence in the US, most countries in Europe, as well as Asia by now. The fact that the integrity of the logs is proven is left up to the maintainer of the logs, as is the authenticity of these transactions. In simple English, the probability that these logs can be doctored, hacked, or their content made misleading is definitely there. But this does not rule out the usage of these as evidence. Stating that logs must not be used or presented as evidence is presenting a very narrow view, and is definitely not an acceptable stand.

Company policy must define a process by which the Law Enforcement agencies must be contacted, and this must be understood by both parties well in advance (read: not enacted after an incident occurs). In this case, I would have contacted the affected parties directly, and gained the goodwill and understanding before waiting for a summons.

But then hey, this is just my two cents.

sincerely,
!

--- morning_wood <se_cur_ity () hotmail com> wrote:
we could start adding your ip to our headers, log, and use that as evidence against you, ok "Jenn"

logs can be originally faked, before the data reaches the logging device. sorry, IMHO server logs etc, should clearly not be admissible. if I recall didn't they actually have to catch "Kevin" "in the act" so to speak? Contrary to popular belief server logs are not like a video tape as evidence, and i think that is what the "popular" belief is about logs.

this topic was once brought up by me and i got blasted as this is not the proper forum for this discussion, but yet my wood spoke now didn't it?

Donnie "sometimes the XSS King" Werner
http://e2-labs.com
http://www.exploitlabs.com

----- Original Message -----
From: "Jennifer Bradley" <jenbradley () webmail co za>
To: <full-disclosure () lists netsys com>
Sent: Sunday, August 03, 2003 2:06 AM
Subject: Re: Re: [Full-disclosure] Reacting to a server compromise

On Sun, 3 Aug 2003 12:31:39 +1000 (devnull () iprimus com au) wrote:

On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

If this happens again, I would probably make a copy of the hard drive, or at the very least the log files since they can be entered as evidence of a hacked box.

Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc using standard hardware is completely inadmissible in court, as it is impossible to make one without possibly compromising the integrity of the evidence. The police etc use specialised hardware for making such copies, which ensures that the disk can't have been altered.

This is not true, at least in the US. Log files can be entered into evidence unless you can prove that the log files have been tampered with. The "possibility" of changing data does not make evidence inadmissible, only proof that data has been changed.

I don't see why a Norton Ghost image is any different than a tape backup, and backups have been regularly entered in as evidence in many famous cases, such as the Microsoft anti-trust case.

jb
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html