lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: alexandre.dulaunoy at (Alexandre Dulaunoy)
Subject: Re: Reacting to a server compromise

On 03/Aug/03 12:33 +1000, wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc 
> using standard hardware is completely inadmissible in court, as it is 
> impossible to make one without possibly compromising the integrity of the 
> evidence. The police etc use specialised hardware for making such copies, 
> which ensures that the disk can't have been altered.

Getting evidence  by reading (via  any software or  hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between  for example a  (s)dd and the  specialised hardware
that you talk about ? Do you have any references ? 

Preserving  the  scene integrity  is  really  difficult.  You have  to
minimize the  intrusion to the  scene. On computer hardware  is really
difficult...  Using a hardware device that doesn't change too much the
scene is difficult... (think of a compromised disk firmware). 

And  the worst,  sometimes  we  see something  that  doesn't exist  at
all. Forensic analysis is the land of illusion... 

just my .02 EUR. 


-- 	  	     Alexandre Dulaunoy (adulau) --
-- 	   "Knowledge can create problems, it is not through ignorance
-- 				  that we can solve them" Isaac Asimov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

Powered by blists - more mailing lists