Full Disclosure mailing list archives

RE: Break-in discovery and forensics tools


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 23 Apr 2003 14:23:36 -0400

Log files are used fairly often nowadays in both criminal investigations
and trials.  Here are some examples from the past few years:

E-Mail Trail To Pearl Suspects
http://www.cbsnews.com/stories/2002/05/08/world/main508294.shtml

Philippine ISP cooperating with FBI in virus probe 
http://news.com.com/2100-1001-240089.html

Tracking Melissa's alter egos
http://zdnet.com.com/2100-11-514231.html

Arrest made in Bloomberg story hoax 
http://news.com.com/2100-1023-224500.html?legacy=cnet&tag=st.ne.1002.srchres.ni

Emulex hoax suspect bond set at $100,000 
http://news.com.com/2100-1033-245239.html

A person can't be convicted of a crime just because of log files, but
they certainly can be used in a trial to tell part of the story of a
crime.

Richard
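One way to make the after-the-fact editing wood describes detectable, as an added example that is not part of this thread: a forward-secure HMAC chain over log records, in Python. The sample log lines and `key0` are constructed; the scheme lets a verifier who holds `key0` off the logging host spot any later edit, insertion or deletion, but it cannot by itself prove who produced a record in the first place.

```python
import hashlib
import hmac

# Constructed sample log (not from the thread): three auth/http records.
SAMPLE_LOG = [
    "2003-04-23T12:19:00 sshd accept 203.0.113.7",
    "2003-04-23T12:19:05 sshd fail 203.0.113.7",
    "2003-04-23T12:20:11 httpd GET /index.html 198.51.100.4",
]
GENESIS = b"\x00" * 32  # tag "before" the first record


def _evolve(key):
    # Forward-secure key update: the next key is a one-way function of the
    # current one and the old key is discarded, so someone who reads the host
    # later cannot recover earlier keys and re-tag earlier records.
    return hashlib.sha256(key).digest()


def chain_log(lines, key0):
    """Return [(line, tag_hex)] with tag_i = HMAC(key_i, tag_{i-1} || line_i)."""
    key, prev, records = key0, GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev, key = tag, _evolve(key)
    return records


def verify_chain(records, key0):
    """Index of the first record that fails to verify, or -1 if the chain is intact.
    key0 (or at least the final tag) must be kept somewhere the log owner cannot edit."""
    key, prev = key0, GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev, key = expected, _evolve(key)
    return -1


def tamper_demo(key0=b"constructed-demo-key"):
    """Rewrite the originating IP in record 1 (the edit wood describes) and
    report the index at which verification fails."""
    records = chain_log(SAMPLE_LOG, key0)
    line, tag = records[1]
    records[1] = (line.replace("203.0.113.7", "192.0.2.99"), tag)
    return verify_chain(records, key0)
```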


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Hotmail
Sent: Wednesday, April 23, 2003 12:19 PM
To: roman.kunz () juliusbaer com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Break-in discovery and forensics tools


I realize the importance of after-incident forensics... What I don't
understand is logs used in a court for prosecution. Logs are inherently
not preservable or physical evidence; it is tamperable from the time the
external data hits a MAC. If that were the case, basically I could take my
logs and edit any damn originating IP I choose, send those logs to law
enforcement, and have an innocent person convicted. Logs are nice... but
IMHO defeatable in court.

wood

----- Original Message -----
From: <roman.kunz () juliusbaer com>
To: <steve.wray () paradise net nz>; <full-disclosure () lists netsys com>
Sent: Wednesday, April 23, 2003 2:47 AM
Subject: RE: [Full-disclosure] Break-in discovery and forensics tools



Hi Steve,

steve wrote:
You mean for every OS that runs on a PC, right? Like BeOS for
example?
How about OpenBSD? SCO Unixware? Solaris (PC version)?

BeOS I dunno. But the unixes shouldn't be that hard. Simply replacing the
encrypted pass in the /etc/shadow file is enough.
You can create your own encrypted passwds with:
perl -e 'print substr(crypt("<your pass>", "<salt>"), 0) . "\n"'
Just replace it in the shadow file and you can login with <your pass>.


cheers
--r





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
