Message-ID: <AE46D0386422BF4FA18E1A9FB67161A004D07DDA@GOAEVS01.abf.ad.airborne.com>
From: Brad.Bemis at airborne.com (Brad Bemis)
Subject: Break-in discovery and forensics tools

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you are missing the big picture.  

Logs are just one piece of evidence used in a court case.  Used
appropriately, they serve as an indicator.  Yes, you could fake the log
files, but in a court case you are generally going to have a defendant. 
The log files would be used to show a pattern of attack in relation to the
traffic normally seen and show how and why an organization would have been
alerted to the situation.  

Once an investigation begins, the defendant's computer(s) are more than
likely going to be confiscated and analyzed.  It is the digital forensic
evidence that carries a greater weight than just the victim's log files.  In
some cases log files may be all that you have to go on, but it is going to
be up to the judge and/or jury to make an appropriate determination.  

A lot of that weight depends on what steps you as a victim have or do take
to protect your log files and assure their reliability.  If you just show
up with a log file that was implemented without any other security
controls, it will mean a lot less to court experts and the court itself
than a log that has been retrieved from several different locations (like
two or more syslog servers set up to collect the same traffic for
redundancy), that has been timestamped, hashed, and certified through the
chain of custody process.  

Yes, technically it can still be falsified, but I don't think that your
argument holds up well in light of observed due diligence and due care as
interpreted by a court.  


- -----Original Message-----
From: Hotmail [mailto:se_cur_ity@...mail.com]
Sent: Wednesday, April 23, 2003 11:53 AM
To: Shawn McMahon; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Break-in discovery and forensics tools


Believe me, a printed log from a computer carries more weight as "firm
evidence" than does a verbal testimony. As well, any log, etc from any
electronic device is tamperable from its origin. Hell, I could make a proxy
server, spoof whatever damn originating IP and header etc, and frame anyone
in the world.. just cause I have a "log" of it...I DON'T THINK SO

comments appreciated on this thread..

morning_wood
http://exploit.wox.org

- ----- Original Message -----
From: "Shawn McMahon" <smcmahon@....com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, April 23, 2003 10:31 AM
Subject: Re: [Full-Disclosure] Break-in discovery and forensics tools

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-----BEGIN PGP SIGNATURE-----
Version: PGP Freeware, Ver 6.5.8CKT - Build 8
Comment: KeyID: 0xB8F26ADD
Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5  4C68 90E7 39F4 B8F2 6ADD

iQA/AwUBPqgNYJDnOfS48mrdEQIw6ACeKXXklRJ+g6eRjxXG9i9LraHsNAIAoMZw
qrUHoDQJoRkhb4oHNKCu4Om6
=BO1N
-----END PGP SIGNATURE-----
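Brad's reply above lists the controls that make a log more credible than a bare file: redundant collection on two or more syslog servers, timestamping, hashing, and chain of custody. The thread does not say how the hashing is done, so the following is an added illustration, not code from any poster: each log entry's digest is bound to the digest of the entry before it (a hash chain), the final "head" digest is what you would record out-of-band or timestamp, and two independently collected copies are compared line by line. The sample syslog lines, hostnames and addresses are constructed for the example.

```python
import hashlib
from typing import List, Optional

# Constructed sample syslog lines (placeholder host "gw", documentation-range IP).
SAMPLE_LOG = [
    "Apr 23 10:31:02 gw sshd[1022]: Failed password for root from 192.0.2.10 port 4122 ssh2",
    "Apr 23 10:31:05 gw sshd[1022]: Failed password for root from 192.0.2.10 port 4123 ssh2",
    "Apr 23 10:31:09 gw sshd[1022]: Accepted password for root from 192.0.2.10 port 4124 ssh2",
    "Apr 23 10:32:41 gw sudo: root : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]

# Fixed anchor for the first entry so the chain has a known starting point.
GENESIS = "0" * 64


def chain_digest(prev_digest: str, line: str) -> str:
    """Digest of one entry, bound to every entry before it via prev_digest."""
    h = hashlib.sha256()
    h.update(prev_digest.encode("ascii"))
    h.update(b"\n")
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def build_chain(lines: List[str]) -> List[str]:
    """Per-entry digests for a log; computed as entries are collected."""
    digests = []
    prev = GENESIS
    for line in lines:
        prev = chain_digest(prev, line)
        digests.append(prev)
    return digests


def head_digest(lines: List[str]) -> str:
    """The last digest: commits to the whole log, so it is what you record or timestamp externally."""
    return build_chain(lines)[-1] if lines else GENESIS


def verify_chain(lines: List[str], digests: List[str]) -> Optional[int]:
    """Return the index of the first entry that does not match its recorded digest,
    or None if every entry checks out. Edits, deletions and appends all surface as
    a mismatch at or before the point where the log was changed."""
    prev = GENESIS
    for i, (line, d) in enumerate(zip(lines, digests)):
        if chain_digest(prev, line) != d:
            return i
        prev = d
    if len(lines) != len(digests):
        # Entries were removed from or added to the end.
        return min(len(lines), len(digests))
    return None


def verify_head(lines: List[str], recorded_head: str) -> bool:
    """Check a log against a head digest that was recorded out-of-band."""
    return head_digest(lines) == recorded_head


def first_divergence(a_lines: List[str], b_lines: List[str]) -> Optional[int]:
    """Compare two independently collected copies (e.g. two syslog servers);
    return the index of the first line where they disagree, or None."""
    for i, (x, y) in enumerate(zip(a_lines, b_lines)):
        if x != y:
            return i
    if len(a_lines) != len(b_lines):
        return min(len(a_lines), len(b_lines))
    return None


if __name__ == "__main__":
    digests = build_chain(SAMPLE_LOG)
    head = head_digest(SAMPLE_LOG)
    tampered = list(SAMPLE_LOG)
    tampered[2] = tampered[2].replace("Accepted", "Failed")
    print("intact copy:", verify_chain(SAMPLE_LOG, digests))          # None
    print("edited copy:", verify_chain(tampered, digests))            # 2
    print("head still matches:", verify_head(tampered, head))         # False
    print("copies diverge at:", first_divergence(SAMPLE_LOG, tampered))  # 2
```

The chain only proves anything about entries whose digests (or the head) were committed somewhere the attacker could not reach before the tampering, which is exactly why the reply stresses a second collector and a timestamp: a digest stored beside the log on the compromised host can be recomputed along with it.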


