[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3F2F44F2.5060202@ameritech.net>
From: dbailey27 at ameritech.net (northern snowfall)
Subject: Re: Reacting to a server compromise
>
>
>The FBI loaded some software (by booting off a floppy) prior
>to allowing him to copy data off of the machine. He was told by the agents
>that the software made the disk read-only. He was observed by the agents
>duing the copy process. Is the FBI still operating like this?
>
Might be checksum monitoring software to determine whether
given vectors of data representing security sensitive files
are maintained. This way the FBI knows the person creating
the image isn't also exploiting access to the raw disk. Yes,
it is necessary, but it's usually implemented in a special
imaging machine, IIRC.
However, I don't know of any instance where the software is
on a boot disk. Besides, the software couldn't make the data on
the disk read-only. That isn't how hard disks work. The only
way image monitoring software can work is if the executive is
loaded then the software is loaded. Then the image has to be
created while the executive is loaded, which creates probability
of the image changing during mirror.
Any SCSI or ATA can be altered during raw data access. Unless
you're working with an optical WORM (et al) there is no way to
make it read-only.
Besides, executives can't see all the data on a disk. So, an
imager cannot work in co-operation with the executive. Check the
security facilities of the ATA (I'm not sure if the T10 has
implemented this?), you can create segments of an ATA that are
hidden from any executive.
The ATA Technical Committee:
http://www.t13.org/
The SCSI Technical Committee:
http://www.t10.org/
Most government agencies should be using their specialized
hardware unit that creates a raw image vector of one disk
mirrored onto another. Your friend might be pulling your
leg. Or, the FBI agents really *don't* know what they're
doing.
Don
http://www.7f.no-ip.com/~north_
Powered by blists - more mailing lists