Full Disclosure mailing list archives
Re: Reacting to a server compromise
From: Alexandre Dulaunoy <alexandre.dulaunoy () ael be>
Date: Sun, 3 Aug 2003 21:00:42 +0200
On 03/Aug/03 12:33 +1000, devnull () iprimus com au wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>> If this happens again, I would probably make a copy of the hard drive, or at the very least the log files since they can be entered as evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc using standard hardware is completely inadmissible in court, as it is impossible to make one without possibly compromising the integrity of the evidence. The police etc use specialised hardware for making such copies, which ensures that the disk can't have been altered.
Getting evidence by reading (via any software or hardware solution) may compromise the integrity of the evidence. I would like to know the difference between, for example, a (s)dd and the specialised hardware that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to minimize the intrusion to the scene. On computer hardware it is really difficult... Using a hardware device that doesn't change the scene too much is difficult... (think of a compromised disk firmware).

And the worst: sometimes we see something that doesn't exist at all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
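The verification that makes a software image such as a dd copy defensible at all, as an added example written for this archive page and not by the poster: copy the source byte-for-byte while hashing it, hash the resulting image, then hash the source again, so the custody record shows the copy is bit-exact and the read itself changed nothing. The sample "device" is a constructed temporary file; as the post notes, a read through software still cannot prove that the drive's firmware returned the true contents.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB devices


def sha256_of(path):
    """Hash a file (or raw block device) in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, dest):
    """Copy source to dest byte-for-byte (what dd does) while hashing the
    stream, and return the three digests a custody record should capture:
    source before imaging, the image, and source again afterwards.
    Equality of all three shows the copy is exact and the read was
    non-destructive; it cannot rule out lying firmware on the source."""
    before = sha256_of(source)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    image = h.hexdigest()
    after = sha256_of(source)
    return {"source_before": before, "image": image,
            "source_after": after, "verified": before == image == after}


def demo():
    """Image a constructed sample device (a temp file, not real evidence),
    then alter the image afterwards to show the recorded digest exposes it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.raw")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (12 * 1024 + 1))  # ~3 MiB, constructed
        result = image_and_verify(src, img)
        with open(img, "ab") as f:  # simulate post-imaging tampering
            f.write(b"\x00")
        result["tamper_detected"] = sha256_of(img) != result["image"]
        return result
```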