Open Source and information security mailing list archives
From: se_cur_ity at hotmail.com (Hotmail)
Subject: Break-in discovery and forensics tools

 I want to thank you all for your input. This thread may die now in peace.

wood
----- Original Message -----
From: "batz" <batsy@...our.net>
To: "Brad Bemis" <Brad.Bemis@...borne.com>
Cc: "Hotmail" <se_cur_ity@...mail.com>; "Shawn McMahon" <smcmahon@....com>;
<full-disclosure@...ts.netsys.com>
Sent: Thursday, April 24, 2003 10:32 AM
Subject: RE: [Full-Disclosure] Break-in discovery and forensics tools


> On Thu, 24 Apr 2003, Brad Bemis wrote:
>
> :Once an investigation begins, the defendant computer(s) are more than
> :likely going to be confiscated and analyzed.  It is the digital forensic
> :evidence that carries a greater weight than just the victim's log files. In
> :some cases log files may be all that you have to go on, but it is going to
> :be up to the judge and/or jury to make an appropriate determination.
>
> Indeed, this is something I have been thinking about with IDS logs.
> Logs can only point you in the direction of where to find the
> physical evidence, which will ultimately be the attacker's computer.
>
> Replayed sessions from an IDS will illustrate what happened, but
> I would bet the attacker's disk is the only real evidence.
>
> Because of this, I think there is limited value in throwing too many
> resources at maintaining the sanctity of IDS logs. They are crucial,
> and they should be md5'd etc, but I have found that most administrators
> and security consultants over-emphasize their value, especially
> relative to their primary purpose of showing the path to the real
> evidence.
>
> --
> batz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
