Security Basics mailing list archives

RE: tools used to examine a computer


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Wed, 19 Feb 2003 19:05:55 -0000

Yes, the MD5 signatures at both ends have to match before you could
proceed.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: David J. Bianco [mailto:bianco () jlab org] 
Sent: 19 February 2003 18:38
To: H C
Cc: Trevor Cushen; security-basics () securityfocus com
Subject: RE: tools used to examine a computer


On Tue, 2003-02-18 at 13:02, H C wrote:
> > Also on the point of copying files over the network
> > first, correct me if
> > I'm wrong but that damages the chain of evidence.
> 
> How so?  If one collects the necessary info (i.e., MAC
> times, NTFS ADSs, permissions, full path, etc), hashes
> the file (MD5 and/or SHA-1), and then copies the file
> over the network using something like 'dd' or type,
> and netcat/cryptcat, how is the chain of evidence
> broken?  Especially if it's documented?

Although Trevor has since posted a clarification to the effect that he was
referring to file copying as opposed to creating a bit image with dd, I
think it's worth noting that in order to guard against accidental or
malicious network data tampering, you'd have to guarantee that the data
traversed the network without being tampered with, probably by computing
an md5 sum on the data at both ends of the transfer.
Otherwise the chain of evidence would indeed be broken, since most
networks are not guaranteed to be reliable or secure from tampering.

        David


-- 
David J. Bianco <bianco () jlab org>
Thomas Jefferson National Accelerator Facility



**************************************************************************************

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

**************************************************************************************
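The procedure discussed in this thread, hash the file at the source, stream it over the network the way 'dd | nc' would, hash it again at the far end and only proceed when both digests match, as an added example that is not part of the original thread or of either poster's tooling. It stands in for dd and netcat with a plain TCP socket on 127.0.0.1 so it runs offline, records the metadata H C lists (full path, MAC times, permissions; NTFS alternate data streams are not reachable through os.stat and are left out), and includes a simulated one-byte change in transit to show that the end-to-end hash comparison catches it. The file contents, temp paths and the `tamper_at` option are constructed for the demonstration.

```python
import hashlib
import os
import socket
import stat
import tempfile
import threading
import time

CHUNK = 64 * 1024


def file_digests(path):
    """MD5 and SHA-1 of a file, read in chunks so a large image does not fill memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def collect_record(path):
    """Pre-transfer record: full path, MAC times, permissions, size and both hashes.
    Assumption: os.stat timestamps are what we document as MAC times on this host;
    NTFS alternate data streams are not visible here and are not covered."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "atime": st.st_atime,
        "ctime": st.st_ctime,
        "mode": stat.filemode(st.st_mode),
        "collected_at": time.time(),
        **file_digests(path),
    }


def send_file(path, host, port):
    """Stand-in for 'dd if=<file> | nc <host> <port>': stream the raw bytes over TCP."""
    with socket.create_connection((host, port)) as s, open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            s.sendall(block)


def receive_file(listener, dest, tamper_at=None):
    """Stand-in for 'nc -l -p <port> > <dest>': write everything received to dest.
    tamper_at (constructed option) flips one byte to simulate corruption in transit."""
    conn, _ = listener.accept()
    with conn, open(dest, "wb") as out:
        received = 0
        for block in iter(lambda: conn.recv(CHUNK), b""):
            if tamper_at is not None and received <= tamper_at < received + len(block):
                i = tamper_at - received
                block = block[:i] + bytes([block[i] ^ 0x01]) + block[i + 1:]
            out.write(block)
            received += len(block)


def transfer_and_verify(src, dest, tamper_at=None):
    """Hash at the source, transfer, hash at the destination, compare both digests.
    Returns (record, verified); the record is what gets written into the case notes."""
    record = collect_record(src)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    rx = threading.Thread(target=receive_file, args=(listener, dest, tamper_at))
    rx.start()
    send_file(src, "127.0.0.1", port)
    rx.join()
    listener.close()
    far = file_digests(dest)
    record["verified"] = far["md5"] == record["md5"] and far["sha1"] == record["sha1"]
    return record, record["verified"]


def demo():
    """Constructed sample input: a 256 KiB 'evidence' file in a temp directory.
    Returns (clean transfer verified, tampered transfer verified) -> (True, False)."""
    d = tempfile.mkdtemp()
    src, good, bad = (os.path.join(d, n) for n in ("evidence.bin", "copy_ok", "copy_bad"))
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 1024)
    _, ok = transfer_and_verify(src, good)
    _, bad_ok = transfer_and_verify(src, bad, tamper_at=100_000)
    return ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the first hash: compute it on the original before anything touches the network, keep that record with the case notes, and treat a mismatch at the far end as a failed acquisition to be redone rather than something to explain away later.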

