Full Disclosure mailing list archives
Re: Break-in discovery and forensics tools
From: "Hotmail" <se_cur_ity () hotmail com>
Date: Thu, 24 Apr 2003 12:07:16 -0700
I want to thank you all for your input. This thread may die now in peace.

wood

----- Original Message -----
From: "batz" <batsy () vapour net>
To: "Brad Bemis" <Brad.Bemis () airborne com>
Cc: "Hotmail" <se_cur_ity () hotmail com>; "Shawn McMahon" <smcmahon () eiv com>; <full-disclosure () lists netsys com>
Sent: Thursday, April 24, 2003 10:32 AM
Subject: RE: [Full-disclosure] Break-in discovery and forensics tools
On Thu, 24 Apr 2003, Brad Bemis wrote:

:Once an investigation begins, the defendant computer(s) are more than
:likely going to be confiscated and analyzed. It is the digital forensic
:evidence that carries a greater weight than just the victim's log files. In
:some cases log files may be all that you have to go on, but it is going to
:be up to the judge and/or jury to make an appropriate determination.

Indeed, this is something I have been thinking about with IDS logs. Logs can only point you in the direction of where to find the physical evidence, which will ultimately be the attacker's computer. Replayed sessions from an IDS will illustrate what happened, but I would bet the attacker's disk is the only real evidence.

Because of this, I think there is limited value in throwing too many resources at maintaining the sanctity of IDS logs. They are crucial, and they should be md5'd etc., but I have found that most administrators and security consultants over-emphasize their value, especially relative to their primary purpose of showing the path to the real evidence.

--
batz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
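As an added example (not part of the thread or any poster's code), here is the kind of integrity record batz's "md5'd etc." refers to, carried one step further than a bare checksum. It hashes each log file into a manifest in the same layout as md5sum/sha256sum output, signs the manifest with an HMAC whose key is assumed to be held off the evidence host, and then shows both a tampered log and a regenerated manifest being caught at verification time. It uses SHA-256 rather than MD5 (MD5 collisions are practical today; pass algo="md5" to reproduce the 2003 practice). The alert lines, file name and key are constructed for illustration.

```python
"""Integrity manifest for seized IDS/log evidence: hash each file at collection
time, sign the manifest with a key kept off the box, and verify later."""
import hashlib
import hmac
import os
import tempfile

# Constructed sample alert lines in a Snort-like fast-alert layout (not real data).
SAMPLE_LOG = (
    b"04/24-10:31:02.113 [**] [1:1002:1] WEB-IIS cmd.exe access [**] 10.0.0.5:4412 -> 192.168.1.20:80\n"
    b"04/24-10:31:05.447 [**] [1:648:5] SHELLCODE x86 NOOP [**] 10.0.0.5:4413 -> 192.168.1.20:80\n"
    b"04/24-10:32:11.901 [**] [1:1324:1] MISC remote shell attempt [**] 10.0.0.5:4420 -> 192.168.1.20:4444\n"
)


def digest_bytes(data, algo="sha256"):
    """Hex digest of an in-memory buffer (algo is any hashlib name, e.g. 'md5')."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="sha256", chunk=65536):
    """Hex digest of a file, streamed so multi-GB captures do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, algo="sha256"):
    """One line per file, '<hexdigest>  <basename>', the layout md5sum/sha256sum use."""
    return "".join(f"{digest_file(p, algo)}  {os.path.basename(p)}\n" for p in sorted(paths))


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the manifest text. The key must not live on the evidence
    host: whoever can edit the logs there can also rewrite an unsigned manifest."""
    return hmac.new(key, manifest.encode(), "sha256").hexdigest()


def verify(paths, manifest, tag, key, algo="sha256"):
    """Return (manifest_authentic, [basenames whose digest no longer matches]).
    If the manifest itself fails authentication, no file comparison is attempted."""
    expected = hmac.new(key, manifest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False, []
    recorded = {}
    for line in manifest.splitlines():
        d, name = line.split("  ", 1)
        recorded[name] = d
    changed = [os.path.basename(p) for p in sorted(paths)
               if recorded.get(os.path.basename(p)) != digest_file(p, algo)]
    return True, changed


def demo():
    """Collect a log, record a signed manifest, then tamper with the log and
    with the manifest, and report what verification sees in each case."""
    key = b"offline-custody-key-example"  # hypothetical; generate and store off-box
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snort.alert")
        with open(path, "wb") as f:
            f.write(SAMPLE_LOG)
        manifest = build_manifest([path])
        tag = sign_manifest(manifest, key)
        clean = verify([path], manifest, tag, key)

        # Intruder deletes the one line that points back at their host.
        kept = [l for l in SAMPLE_LOG.splitlines(True) if b"remote shell" not in l]
        with open(path, "wb") as f:
            f.write(b"".join(kept))
        tampered = verify([path], manifest, tag, key)

        # Intruder also re-runs the hash tool, but cannot re-sign without the key.
        forged = build_manifest([path])
        forged_ok, _ = verify([path], forged, tag, key)

        return {"clean": clean, "tampered": tampered, "forged_manifest": forged_ok}


if __name__ == "__main__":
    print(demo())
```

Plain hashes only catch accidental change: an intruder with root on the sensor can drop the line that names their host and re-run md5sum. The HMAC on the manifest is what ties it to the moment of collection, so the key (or at least the manifest plus its tag) belongs in the custody record, not on the box being examined.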
Current thread:
- RE: Break-in discovery and forensics tools, (continued)
- RE: Break-in discovery and forensics tools Ron DuFresne (Apr 23)
- Re: Break-in discovery and forensics tools Valdis . Kletnieks (Apr 23)
- Re: Break-in discovery and forensics tools Tina Bird (Apr 23)
- RE: Break-in discovery and forensics tools Golomb, Gary (Apr 23)
- RE: Break-in discovery and forensics tools Rainer Gerhards (Apr 23)
- Re: Break-in discovery and forensics tools Hotmail (Apr 23)
- Re: Break-in discovery and forensics tools Steve Manzuik (Apr 23)
- Re: Break-in discovery and forensics tools Hotmail (Apr 23)
- RE: Break-in discovery and forensics tools Brad Bemis (Apr 24)
- RE: Break-in discovery and forensics tools batz (Apr 24)
- Re: Break-in discovery and forensics tools Hotmail (Apr 24)
- SPOOFED HOTMAIL ADDRESS --- http://www.security-hotmail.com/ morning_wood (Apr 26)
- RE: Break-in discovery and forensics tools batz (Apr 24)