Message-ID: <Pine.BSF.4.21.0304241246470.18144-100000@vapour.net>
From: batsy at vapour.net (batz)
Subject: Break-in discovery and forensics tools

On Thu, 24 Apr 2003, Brad Bemis wrote:

:Once an investigation begins, the defendant computer(s) are more than
:likely going to be confiscated and analyzed.  It is the digital forensic
:evidence that carries a greater weight than just the victim's log files.  In
:some cases log files may be all that you have to go on, but it is going to
:be up to the judge and/or jury to make an appropriate determination.

Indeed, this is something I have been thinking about with IDS logs.
Logs can only point you in the direction of where to find the
physical evidence, which will ultimately be the attacker's computer.

Replayed sessions from an IDS will illustrate what happened, but
I would bet the attacker's disk is the only real evidence.

Because of this, I think there is limited value in throwing too many 
resources at maintaining the sanctity of IDS logs. They are crucial, 
and they should be md5'd etc, but I have found that most administrators 
and security consultants over-emphasize their value, especially 
relative to their primary purpose of showing the path to the real 
evidence. 

-- 
batz

