lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
From: purdy at tecman.com (Curt Purdy) Subject: [inbox] Re: Reacting to a server compromise Negative. Ghost is as capapble of making a bitwise copy of a drive (one of two modes it has) as is dd in *NIX. It is perfectly admissable in all courts I know, as long as it is done quickly after compromise. Standard procedure (as little as there is standard in this young but quickly maturing field) dictates you make an immediate initial dd copy for the court. Then make as many working dd's as neccessary for forensics. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Senior Systems Engineer Information Security Engineer DP Solutions cpurdy@...ol.com 936.637.7977 ext. 121 ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of devnull@...imus.com.au Sent: Saturday, August 02, 2003 9:33 PM To: full-disclosure@...ts.netsys.com Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote: > If this happens again, I would probably make a copy of the hard drive, > or at the very least the log files since they can be entered as > evidence of a hacked box. Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc using standard hardware is completely inadmissible in court, as it is impossible to make one without possibly compromising the integrity of the evidence. The police etc use specialised hardware for making such copies, which ensures that the disk can't have been altered. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists