lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: frank at chariot.net.au (Frank Bruzzaniti)
Subject: Re: Reacting to a server compromise

If you use ghost you must do a sector by sector copy, it takes a lot longer
but you will be able to undelete files.

Frank

----- Original Message -----
From: "Richard Stevens" <richard@...net.co.uk>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, August 04, 2003 5:17 PM
Subject: RE: [Full-Disclosure] Re: Reacting to a server compromise


> I'd be interested to know if a ghost image (or even hardware systems
> like image-master) carrys over deleted files to the new image?.. as
> these can usually be undeleted easily enough.
>
> anyone know?
>
> I'd guess the safest way is just to keep the orignal drive.. but if it's
> a nice big expensive scsi raid set I'd guess this probably isnt
> practical.
>
>
>
> -----Original Message-----
> From: Alexandre Dulaunoy [mailto:alexandre.dulaunoy@....be]
> Sent: 03 August 2003 20:01
> To: devnull@...imus.com.au
> Cc: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: Reacting to a server compromise
>
>
> On 03/Aug/03 12:33 +1000, devnull@...imus.com.au wrote:
> > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> >
> > > If this happens again, I would probably make a copy of the hard
> drive,
> > > or at the very least the log files since they can be entered as
> > > evidence of a hacked box.
> >
> > Under most jurisdictions, an ordinary disk image produced by Norton
> Ghost etc
> > using standard hardware is completely inadmissible in court, as it is
> > impossible to make one without possibly compromising the integrity of
> the
> > evidence. The police etc use specialised hardware for making such
> copies,
> > which ensures that the disk can't have been altered.
>
> Getting evidence  by reading (via  any software or  hardware solution)
> may compromise the integrity of the evidence. I would like to know the
> difference between  for example a  (s)dd and the  specialised hardware
> that you talk about ? Do you have any references ?
>
> Preserving  the  scene integrity  is  really  difficult.  You have  to
> minimize the  intrusion to the  scene. On computer hardware  is really
> difficult...  Using a hardware device that doesn't change too much the
> scene is difficult... (think of a compromised disk firmware).
>
> And  the worst,  sometimes  we  see something  that  doesn't exist  at
> all. Forensic analysis is the land of illusion...
>
> just my .02 EUR.
>
> adulau
>
> --
> --        Alexandre Dulaunoy (adulau) -- http://www.foo.be/
> --    http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
> --    "Knowledge can create problems, it is not through ignorance
> --   that we can solve them" Isaac Asimov
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>



Powered by blists - more mailing lists