| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <006701c35a5e$4f57ddd0$5a2799ca@screwdriver> From: gaurav at e2-labs.com (Gaurav Kumar) Subject: [inbox] Re: Reacting to a server compromise i guess one may use encase (http://www.guidancesoftware.com/products/software/encaseforensic/index.shtm) as the url says that "Validated by trial and appellate court rulings" ----- Original Message ----- From: "Curt Purdy" <purdy@...man.com> To: <devnull@...imus.com.au>; <full-disclosure@...ts.netsys.com> Sent: Monday, August 04, 2003 12:11 AM Subject: RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise > Negative. Ghost is as capapble of making a bitwise copy of a drive (one of > two modes it has) as is dd in *NIX. It is perfectly admissable in all > courts I know, as long as it is done quickly after compromise. Standard > procedure (as little as there is standard in this young but quickly maturing > field) dictates you make an immediate initial dd copy for the court. Then > make as many working dd's as neccessary for forensics. > > Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA > Senior Systems Engineer > Information Security Engineer > DP Solutions > cpurdy@...ol.com > 936.637.7977 ext. 121 > > ---------------------------------------- > > If you spend more on coffee than on IT security, you will be hacked. > What's more, you deserve to be hacked. > -- White House cybersecurity adviser Richard Clarke > > > > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of > devnull@...imus.com.au > Sent: Saturday, August 02, 2003 9:33 PM > To: full-disclosure@...ts.netsys.com > Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise > > > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote: > > > If this happens again, I would probably make a copy of the hard drive, > > or at the very least the log files since they can be entered as > > evidence of a hacked box. > > Under most jurisdictions, an ordinary disk image produced by Norton Ghost > etc > using standard hardware is completely inadmissible in court, as it is > impossible to make one without possibly compromising the integrity of the > evidence. The police etc use specialised hardware for making such copies, > which ensures that the disk can't have been altered. > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/df3a77f0/attachment.html
Powered by blists - more mailing lists