Re: Reacting to a server compromise

[Alexandre Dulaunoy <alexandre.dulaunoy () ael be>]

On 03/Aug/03 12:33 +1000, devnull () iprimus com au wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc 
> using standard hardware is completely inadmissible in court, as it is 
> impossible to make one without possibly compromising the integrity of the 
> evidence. The police etc use specialised hardware for making such copies, 
> which ensures that the disk can't have been altered.

Getting evidence  by reading (via  any software or  hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between  for example a  (s)dd and the  specialised hardware
that you talk about ? Do you have any references ? 

Preserving  the  scene integrity  is  really  difficult.  You have  to
minimize the  intrusion to the  scene. On computer hardware  is really
difficult...  Using a hardware device that doesn't change too much the
scene is difficult... (think of a compromised disk firmware). 

And  the worst,  sometimes  we  see something  that  doesn't exist  at
all. Forensic analysis is the land of illusion... 

just my .02 EUR. 

adulau

-- 
--                   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
--         http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
--         "Knowledge can create problems, it is not through ignorance
--                                that we can solve them" Isaac Asimov

Attachment: _bin
Description: