lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: purdy at (Curt Purdy)
Subject: [inbox] Re: Reacting to a server compromise

Doing a disk dd with *NIX or a bitwise ghost does not compromise the data
(other than in the quantum sense of not being able to observe an electron
without changing it's orbit). If this is the rigor you would impose then any
copying including your "specialized police hardware", would fall under the
same restriction.  Although I am not familiar with this hardware, most law
inforcement I know use Encase, a $30K dd with a few analysis tools thrown

Information Security Engineer
DP Solutions


If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
[]On Behalf Of Alexandre
Sent: Sunday, August 03, 2003 2:01 PM
Subject: [inbox] [Full-Disclosure] Re: Reacting to a server compromise

On 03/Aug/03 12:33 +1000, wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.

Getting evidence  by reading (via  any software or  hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between  for example a  (s)dd and the  specialised hardware
that you talk about ? Do you have any references ?

Preserving  the  scene integrity  is  really  difficult.  You have  to
minimize the  intrusion to the  scene. On computer hardware  is really
difficult...  Using a hardware device that doesn't change too much the
scene is difficult... (think of a compromised disk firmware).

And  the worst,  sometimes  we  see something  that  doesn't exist  at
all. Forensic analysis is the land of illusion...

just my .02 EUR.


-- 	  	     Alexandre Dulaunoy (adulau) --
-- 	   "Knowledge can create problems, it is not through ignorance
-- 				  that we can solve them" Isaac Asimov

Powered by blists - more mailing lists