Message-ID: <Law11-OE14zlYbvhBIS000027d7@hotmail.com>
From: se_cur_ity at hotmail.com (Hotmail)
Subject: Break-in discovery and forensics tools
I want to thank you all for your input. This thread may die now in peace.
wood
----- Original Message -----
From: "batz" <batsy@...our.net>
To: "Brad Bemis" <Brad.Bemis@...borne.com>
Cc: "Hotmail" <se_cur_ity@...mail.com>; "Shawn McMahon" <smcmahon@....com>;
<full-disclosure@...ts.netsys.com>
Sent: Thursday, April 24, 2003 10:32 AM
Subject: RE: [Full-Disclosure] Break-in discovery and forensics tools
> On Thu, 24 Apr 2003, Brad Bemis wrote:
>
> :Once an investigation begins, the defendant computer(s) are more than
> :likely going to be confiscated and analyzed. It is the digital forensic
> :evidence that carries a greater weight than just the victim's log files. In
> :some cases log files may be all that you have to go on, but it is going to
> :be up to the judge and/or jury to make an appropriate determination.
>
> Indeed, this is something I have been thinking about with IDS logs.
> Logs can only point you in the direction of where to find the
> physical evidence, which will ultimately be the attackers computer.
>
> Replayed sessions from an IDS will illustrate what happened, but
> I would bet the attackers disk is the only real evidence.
>
> Because of this, I think there is limited value in throwing too many
> resources at maintaining the sanctity of IDS logs. They are crucial,
> and they should be md5'd etc, but I have found that most administrators
> and security consultants over-emphasize their value, especially
> relative to their primary purpose of showing the path to the real
> evidence.
>
> --
> batz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
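The "md5'd etc" point above is the practical one for a defender: record digests of the IDS and firewall logs at collection time so that any later change is detectable. The following is an added example, not code from the thread or any of its participants; it builds a digest manifest, then re-verifies it after one constructed log file has been altered. It records SHA-256 alongside MD5, since MD5 alone is no longer collision resistant; the log contents are constructed samples.

```python
import hashlib
import os
import tempfile

def file_digests(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def write_manifest(log_paths, manifest_path):
    """Record digests for each log; keep the manifest off the evidence host."""
    with open(manifest_path, "w") as out:
        for p in log_paths:
            md5, sha = file_digests(p)
            out.write(f"{os.path.basename(p)}\t{md5}\t{sha}\n")

def verify_manifest(log_dir, manifest_path):
    """Return {name: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    results = {}
    with open(manifest_path) as fh:
        for line in fh:
            name, md5, sha = line.rstrip("\n").split("\t")
            p = os.path.join(log_dir, name)
            if not os.path.exists(p):
                results[name] = "missing"
            else:
                results[name] = "ok" if file_digests(p) == (md5, sha) else "modified"
    return results

def demo():
    """Constructed sample: two log files, one appended to after hashing."""
    d = tempfile.mkdtemp()
    logs = []
    for name, body in (("snort.alert", "04/24-10:32:01 [**] portscan [**]\n"),
                       ("fw.log", "Apr 24 10:33:07 deny tcp 10.0.0.5 -> 10.0.0.9:22\n")):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(body)
        logs.append(p)
    manifest = os.path.join(d, "MANIFEST")
    write_manifest(logs, manifest)
    before = verify_manifest(d, manifest)
    with open(logs[0], "a") as fh:  # simulate a post-collection edit
        fh.write("edited\n")
    after = verify_manifest(d, manifest)
    return before, after
```

The manifest only proves integrity relative to the moment it was written, so it should be created as soon as the logs are collected and stored (or signed) somewhere the logging host cannot alter.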