Full Disclosure mailing list archives
Re: [inbox] Re: Reacting to a server compromise
From: "Gaurav Kumar" <gaurav () e2-labs com>
Date: Mon, 4 Aug 2003 13:29:17 +0530
I guess one may use EnCase (http://www.guidancesoftware.com/products/software/encaseforensic/index.shtm), as the URL says that it is "Validated by trial and appellate court rulings".

----- Original Message -----
From: "Curt Purdy" <purdy () tecman com>
To: <devnull () iprimus com au>; <full-disclosure () lists netsys com>
Sent: Monday, August 04, 2003 12:11 AM
Subject: RE: [inbox] Re: [Full-disclosure] Reacting to a server compromise

> Negative. Ghost is as capable of making a bitwise copy of a drive (one of
> two modes it has) as is dd in *NIX. It is perfectly admissible in all courts
> I know, as long as it is done quickly after compromise. Standard procedure
> (as little as there is standard in this young but quickly maturing field)
> dictates you make an immediate initial dd copy for the court. Then make as
> many working dd's as necessary for forensics.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Senior Systems Engineer
> Information Security Engineer
> DP Solutions
> cpurdy () dpsol com
> 936.637.7977 ext. 121
>
> ----------------------------------------
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of devnull () iprimus com au
> Sent: Saturday, August 02, 2003 9:33 PM
> To: full-disclosure () lists netsys com
> Subject: [inbox] Re: [Full-disclosure] Reacting to a server compromise
>
> > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> > > If this happens again, I would probably make a copy of the hard drive,
> > > or at the very least the log files since they can be entered as
> > > evidence of a hacked box.
> >
> > Under most jurisdictions, an ordinary disk image produced by Norton Ghost
> > etc. using standard hardware is completely inadmissible in court, as it is
> > impossible to make one without possibly compromising the integrity of the
> > evidence. The police etc. use specialised hardware for making such copies,
> > which ensures that the disk can't have been altered.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
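The workflow Curt Purdy describes above (one dd image taken first as the court copy, working copies cloned from it afterwards) as an added shell example; this is not code from the thread or from any tool named in it. It assumes POSIX sh with GNU dd and sha256sum, and it uses a constructed 1 MiB random file in place of a real drive (a real acquisition would read a block device such as /dev/sdb, ideally behind a write blocker). The hash log is what lets anyone later show that a given copy is bit-for-bit identical to what was acquired.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Evidentiary dd image
# first, working copies derived from that master, SHA-256 log for every file.
# Assumes POSIX sh, GNU dd and sha256sum. The "drive" in demo() is a
# constructed regular file standing in for a block device.

set -e

hash_of() {
    # SHA-256 digest only (first field of sha256sum output)
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_master SOURCE IMAGE LOG
# Bitwise copy of SOURCE to IMAGE; hash both and append them to LOG.
# Returns 0 only if the image digest equals the source digest.
acquire_master() {
    src="$1"; img="$2"; log="$3"
    # bs=512 matches the sector size; conv=noerror,sync keeps reading past
    # unreadable sectors and zero-fills them so later offsets still line up.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  source  %s\n' "$src_hash" "$src" >> "$log"
    printf '%s  master  %s\n' "$img_hash" "$img" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# make_working_copy MASTER COPY LOG
# Clone the master (never the original drive again) for analysis and verify
# the copy against the master digest recorded in LOG.
make_working_copy() {
    master="$1"; copy="$2"; log="$3"
    dd if="$master" of="$copy" bs=512 2>/dev/null
    expected=$(grep '  master  ' "$log" | head -n 1 | cut -d' ' -f1)
    actual=$(hash_of "$copy")
    printf '%s  working %s\n' "$actual" "$copy" >> "$log"
    [ "$expected" = "$actual" ]
}

# verify_against_master FILE LOG
# Re-check any file later (e.g. before it is handed over) against the
# master digest. Returns non-zero if the file has changed.
verify_against_master() {
    expected=$(grep '  master  ' "$2" | head -n 1 | cut -d' ' -f1)
    [ "$(hash_of "$1")" = "$expected" ]
}

# Constructed demonstration: 1 MiB of random data as the "drive".
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/drive.bin" bs=512 count=2048 2>/dev/null
    log="$work/hashes.log"
    acquire_master "$work/drive.bin" "$work/master.dd" "$log"
    make_working_copy "$work/master.dd" "$work/work1.dd" "$log"
    # Simulate the analyst's copy being altered: overwrite sector 3 with zeros.
    dd if=/dev/zero of="$work/work1.dd" bs=512 count=1 seek=3 conv=notrunc 2>/dev/null
    if verify_against_master "$work/work1.dd" "$log"; then
        echo "altered working copy unexpectedly verified"; rm -rf "$work"; return 1
    fi
    # The untouched master still verifies.
    verify_against_master "$work/master.dd" "$log"
    cat "$log"
    rm -rf "$work"
}

demo
```

The point of keeping the source digest, the master digest and each working copy's digest in one log is that the chain can be checked in either direction: a working copy that diverges from the master is caught, and the master itself can be re-hashed at any later time to show it is unchanged since acquisition.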
Current thread:
- RE: [inbox] Re: Reacting to a server compromise, (continued)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 05)
- RE: [inbox] Re: Reacting to a server compromise Bojan Zdrnja (Aug 06)
- RE: [inbox] Re: Reacting to a server compromise Michal Zalewski (Aug 06)
- Re: [inbox] Re: Reacting to a server compromise Valdis . Kletnieks (Aug 05)
- Re: [inbox] Re: Reacting to a server compromise morning_wood (Aug 03)
- Re: [inbox] Re: Reacting to a server compromise Peter Busser (Aug 04)
- Re: Reacting to a server compromise SecuresDotComs (Aug 02)
- Re: Reacting to a server compromise madsaxon (Aug 02)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 03)
- Re: [inbox] Re: Reacting to a server compromise Gaurav Kumar (Aug 03)
- Re: Reacting to a server compromise Alexandre Dulaunoy (Aug 03)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 04)
- Re: Reacting to a server compromise David Hayes (Aug 05)
- Re: Reacting to a server compromise Ron DuFresne (Aug 05)
- Re: Hard drive images Craig Pratt (Aug 05)
- RE: [inbox] Re: Hard drive images Curt Purdy (Aug 05)
- Re: Hard drive images ldreamer (Aug 05)
- Re: Hard drive images madsaxon (Aug 05)