Full Disclosure mailing list archives

RE: Break-in discovery and forensics tools


From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 23 Apr 2003 16:12:39 -0500 (CDT)


This thread occurred on another list not long ago, and if I recall, Tina
Bird had some solid information concerning the admissibility of system logs
in courts.  Hopefully, if she monitors this list, she will share her
knowledge again and lay this thread to rest.

Thanks,

Ron DuFresne


On Wed, 23 Apr 2003, Richard M. Smith wrote:

Log files are used fairly often nowadays in both criminal investigations
and trials.  Here are some examples from the past few years:

E-Mail Trail To Pearl Suspects
http://www.cbsnews.com/stories/2002/05/08/world/main508294.shtml

Philippine ISP cooperating with FBI in virus probe
http://news.com.com/2100-1001-240089.html

Tracking Melissa's alter egos
http://zdnet.com.com/2100-11-514231.html

Arrest made in Bloomberg story hoax
http://news.com.com/2100-1023-224500.html?legacy=cnet&tag=st.ne.1002.srchres.ni

Emulex hoax suspect bond set at $100,000
http://news.com.com/2100-1033-245239.html

A person can't be convicted of a crime just because of log files, but
they certainly can be used in a trial to tell part of the story of a
crime.

Richard


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Hotmail
Sent: Wednesday, April 23, 2003 12:19 PM
To: roman.kunz () juliusbaer com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Break-in discovery and forensics tools


 I realize the importance of after-incident forensics... What I don't
understand is logs used in a court for prosecution. Logs are inherently
not preservable or physical evidence; they are tamperable from the time the
external data hits a MAC. If that were the case, basically I could take my
logs and edit any damn originating IP I choose, send those logs to law
enforcement, and have an innocent person convicted. Logs are nice.. but
IMHO defeatable in court.

wood
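The objection above is that a plain log file can be edited after the fact with no trace. The usual defensive answer is to seal each record as it is written so that an edit, deletion or reordering is detectable, with the key and the latest seal held by a separate collector rather than the host that produced the log. The following is an added example, not code from any post in this thread: a small hash-chained log in Python using an HMAC over the previous record's tag plus the current line. The key, the log lines and the `edited_source_ip` helper are all constructed for the demo; the addresses are RFC 5737 documentation ranges.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key lives only on the
# log collector, so an administrator of the logging host cannot re-seal
# records after editing them.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # tag that precedes the first record

# Constructed sample firewall lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = [
    "2003-04-23T12:01:07Z DENY TCP 198.51.100.7:4431 -> 192.0.2.10:22",
    "2003-04-23T12:01:09Z DENY TCP 198.51.100.7:4432 -> 192.0.2.10:22",
    "2003-04-23T12:01:15Z ACCEPT TCP 203.0.113.5:51002 -> 192.0.2.10:22",
]


def record_tag(prev_tag, line, key=COLLECTOR_KEY):
    """HMAC over the previous tag and this line: links each record to its predecessor."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\n")
    mac.update(line.encode())
    return mac.hexdigest()


def seal_log(lines, key=COLLECTOR_KEY):
    """Return [(line, tag), ...] with the chain started from GENESIS."""
    sealed, prev = [], GENESIS
    for line in lines:
        tag = record_tag(prev, line, key)
        sealed.append((line, tag))
        prev = tag
    return sealed


def verify_log(sealed, key=COLLECTOR_KEY, anchor=None):
    """Recompute the chain. Returns (ok, first_bad_index_or_None).

    Editing, reordering or deleting a record breaks every tag from that
    point on. Truncating the tail does not, so the collector also records
    the final tag out of band; pass it as `anchor` to detect truncation.
    """
    prev = GENESIS
    for i, (line, tag) in enumerate(sealed):
        if not hmac.compare_digest(record_tag(prev, line, key), tag):
            return False, i
        prev = tag
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(sealed)
    return True, None


def edited_source_ip(sealed, index, new_ip):
    """Simulate the edit described in the thread: swap the source IP of one record."""
    line, tag = sealed[index]
    old_ip = line.split()[3].split(":")[0]
    return sealed[:index] + [(line.replace(old_ip, new_ip), tag)] + sealed[index + 1:]


if __name__ == "__main__":
    sealed = seal_log(SAMPLE_LINES)
    final_tag = sealed[-1][1]  # what the collector would store separately
    print("intact:", verify_log(sealed, anchor=final_tag))
    print("edited IP:", verify_log(edited_source_ip(sealed, 1, "192.0.2.99")))
    print("record deleted:", verify_log(sealed[:1] + sealed[2:]))
    print("tail truncated, no anchor:", verify_log(sealed[:2]))
    print("tail truncated, with anchor:", verify_log(sealed[:2], anchor=final_tag))
```

The chain alone does not stop someone who holds the key from rewriting everything, which is why the key and the periodic anchor tag have to sit on a system the logging host's administrator does not control; the point is that the host's own copy then cannot be altered silently.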

----- Original Message -----
From: <roman.kunz () juliusbaer com>
To: <steve.wray () paradise net nz>; <full-disclosure () lists netsys com>
Sent: Wednesday, April 23, 2003 2:47 AM
Subject: RE: [Full-disclosure] Break-in discovery and forensics tools



Hi Steve,

steve wrote:
You mean for every OS that runs on a PC, right? Like BeOS for
example?
How about OpenBSD? SCO Unixware? Solaris (PC version)?

BeOS I dunno. But the Unixes shouldn't be that hard. Simply replacing
the encrypted pass in the /etc/shadow file is enough.
You can create your own encrypted passwd's with:
perl -e 'print substr(crypt("<your pass>", "<salt>"), 0) . "\n"'
Just replace it in the shadow file and you can log in with <your pass>.


cheers
--r


*****Disclaimer*****
This message is for the addressee only and may contain confidential or
privileged information. You must delete and not use it if you are not the
intended recipient. It may not be secure or error-free. All e-mail
communications to and from the Julius Baer Group may be monitored.
Processing of incoming e-mails cannot be guaranteed. Any views expressed in
this message are those of the individual sender. This message is for
information purposes only. All liability of the Julius Baer Group and its
entities for any damages resulting from e-mail use is excluded. US persons
are kindly requested to read the important legal information presented
after clicking here: http://www.juliusbaer.com/maildisclaimer



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


