lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: gaurav at e2-labs.com (Gaurav Kumar)
Subject: [inbox] Re: Reacting to a server compromise

i guess one may use encase (http://www.guidancesoftware.com/products/software/encaseforensic/index.shtm)
as the url says that "Validated by trial and appellate court rulings"


----- Original Message ----- 
From: "Curt Purdy" <purdy@...man.com>
To: <devnull@...imus.com.au>; <full-disclosure@...ts.netsys.com>
Sent: Monday, August 04, 2003 12:11 AM
Subject: RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise


> Negative.  Ghost is as capapble of making a bitwise copy of a drive (one of
> two modes it has) as is dd in *NIX.  It is perfectly admissable in all
> courts I know, as long as it is done quickly after compromise.  Standard
> procedure (as little as there is standard in this young but quickly maturing
> field) dictates you make an immediate initial dd copy for the court.  Then
> make as many working dd's as neccessary for forensics.
> 
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Senior Systems Engineer
> Information Security Engineer
> DP Solutions
> cpurdy@...ol.com
> 936.637.7977 ext. 121
> 
> ----------------------------------------
> 
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
> devnull@...imus.com.au
> Sent: Saturday, August 02, 2003 9:33 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise
> 
> 
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> 
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
> 
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost
> etc
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/df3a77f0/attachment.html

Powered by blists - more mailing lists