Open Source and information security mailing list archives
From: Brad.Bemis at airborne.com (Brad Bemis)
Subject: Break-in discovery and forensics tools

I think you are missing the big picture. Logs are just one piece of evidence used in a court case. Used appropriately, they serve as an indicator. Yes, you could fake the log files, but in a court case you are generally going to have a defendant. The log files would be used to show a pattern of attack in relation to the traffic normally seen and show how and why an organization would have been alerted to the situation. Once an investigation begins, the defendant's computer(s) are more than likely going to be confiscated and analyzed. It is the digital forensic evidence that carries a greater weight than just the victim's log files.

In some cases log files may be all that you have to go on, but it is going to be up to the judge and/or jury to make an appropriate determination. A lot of that weight depends on what steps you as a victim have taken or do take to protect your log files and assure their reliability. If you just show up with a log file that was implemented without any other security controls, it will mean a lot less to court experts and the court itself than a log that has been retrieved from several different locations (like two or more syslog servers set up to collect the same traffic for redundancy), that has been timestamped, hashed, and certified through the chain of custody process. Yes, technically it can still be falsified, but I don't think that your argument holds up well in light of observed due diligence and due care as interpreted by a court.

-----Original Message-----
From: Hotmail [mailto:se_cur_ity@...mail.com]
Sent: Wednesday, April 23, 2003 11:53 AM
To: Shawn McMahon; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Break-in discovery and forensics tools

Believe me, a printed log from a computer carries more weight as "firm evidence" than does a verbal testimony. As well, any log, etc. from any electronic device is tamperable from its origin. Hell, I could make a proxy server, spoof whatever damn originating IP and header etc., and frame anyone in the world... just 'cause I have a "log" of it... I DON'T THINK SO.

Comments appreciated on this thread..

morning_wood
http://exploit.wox.org

----- Original Message -----
From: "Shawn McMahon" <smcmahon@....com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, April 23, 2003 10:31 AM
Subject: Re: [Full-Disclosure] Break-in discovery and forensics tools

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
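An added example, not from anyone in the thread, of the practice Brad describes: the same log collected by two independent syslog servers, each copy hashed with a collection timestamp, the custody records chained so a later edit or reordering is detectable, and the two collectors cross-checked. The collector names and syslog lines are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the same syslog lines as received by two independent collectors.
LOG_COLLECTOR_A = (
    "Apr 23 10:31:02 gw sshd[811]: Failed password for root from 192.0.2.10 port 4120 ssh2\n"
    "Apr 23 10:31:03 gw sshd[811]: Failed password for root from 192.0.2.10 port 4121 ssh2\n"
    "Apr 23 10:31:05 gw sshd[812]: Accepted password for root from 192.0.2.10 port 4122 ssh2\n"
)
LOG_COLLECTOR_B = LOG_COLLECTOR_A  # redundant copy; identical unless one side was altered

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_custody(chain: list, collector: str, log_text: str, when: datetime) -> dict:
    """Append one custody entry: who collected, when, digest of the copy, and the previous entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    entry = {
        "collector": collector,
        "collected_at": when.isoformat(),
        "log_sha256": sha256_hex(log_text.encode()),
        "prev_entry_hash": prev,
    }
    # Hash the entry itself so any later edit to its fields breaks every following link.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited field or a reordered entry makes this fail."""
    prev = "0" * 64
    for e in chain:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def copies_agree(chain: list) -> bool:
    """The redundancy argument: every collector's copy of the log must hash the same."""
    return len({e["log_sha256"] for e in chain}) == 1

def build_chain(log_a: str, log_b: str) -> list:
    chain = []
    t = datetime(2003, 4, 23, 10, 31, 5, tzinfo=timezone.utc)  # constructed collection time
    record_custody(chain, "syslog-a.example", log_a, t)  # hypothetical collector names
    record_custody(chain, "syslog-b.example", log_b, t)
    return chain
```

A disagreement between the two copies does not say which one was altered; it says the evidence needs explaining before it is presented.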