From: purdy at (Curt Purdy)
Subject: [inbox] Re: Reacting to a server compromise

Negative.  Ghost is as capable of making a bitwise copy of a drive (one of
two modes it has) as is dd in *NIX.  It is perfectly admissible in all
courts I know, as long as it is done quickly after compromise.  Standard
procedure (as little as there is standard in this young but quickly maturing
field) dictates you make an immediate initial dd copy for the court.  Then
make as many working dd's as necessary for forensics.

Senior Systems Engineer
Information Security Engineer
DP Solutions
936.637.7977 ext. 121


If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
[]On Behalf Of
Sent: Saturday, August 02, 2003 9:33 PM
Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

> If this happens again, I would probably make a copy of the hard drive,
> or at the very least the log files since they can be entered as
> evidence of a hacked box.

Under most jurisdictions, an ordinary disk image produced by Norton Ghost
using standard hardware is completely inadmissible in court, as it is
impossible to make one without possibly compromising the integrity of the
evidence. The police etc use specialised hardware for making such copies,
which ensures that the disk can't have been altered.
Full-Disclosure - We believe in it.
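
The imaging procedure from the reply above (one initial dd image, then working dd copies), sketched as an added example that is not part of the original messages. The SHA-256 manifest is an addition the thread does not mention, and the file names, the choice to derive working copies from the master, and the constructed stand-in "disk" are assumptions.

```shell
#!/usr/bin/env bash
# Added example; all names are hypothetical. SRC stands in for the source disk.

# sha256_of FILE -> prints the hex SHA-256 of FILE
sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# image_and_verify SRC OUTDIR COPIES
# Images SRC into OUTDIR/master.dd, derives COPIES working images from the
# master (assumption: the source is imaged only once), records every hash in
# OUTDIR/SHA256SUMS, and returns non-zero if any image differs from SRC.
image_and_verify() {
    local src=$1 out=$2 copies=$3 src_hash i img h
    mkdir -p "$out" || return 1
    src_hash=$(sha256_of "$src") || return 1

    # bs=512 matches the sector size; noerror,sync continues past read
    # errors and zero-pads the bad block so later offsets stay aligned.
    dd if="$src" of="$out/master.dd" bs=512 conv=noerror,sync 2>/dev/null || return 1
    chmod 0444 "$out/master.dd"   # the master image is not written again

    for i in $(seq 1 "$copies"); do
        dd if="$out/master.dd" of="$out/work$i.dd" bs=512 2>/dev/null || return 1
    done

    : > "$out/SHA256SUMS"
    for img in "$out"/*.dd; do
        h=$(sha256_of "$img")
        printf '%s  %s\n' "$h" "$(basename "$img")" >> "$out/SHA256SUMS"
        [ "$h" = "$src_hash" ] || { echo "MISMATCH: $img" >&2; return 1; }
    done
}

# recheck OUTDIR -> non-zero if any image changed since the manifest was written
recheck() { ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ); }

# Constructed stand-in for a disk: 64 sectors filled with the byte 'E'.
demo=$(mktemp -d)
dd if=/dev/zero bs=512 count=64 2>/dev/null | tr '\0' 'E' > "$demo/disk.raw"
image_and_verify "$demo/disk.raw" "$demo/case" 2 && echo "images match source"
```

Running `recheck` against the case directory later shows whether any image has changed since it was taken.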
