Re: Break-in discovery and forensics tools

["Hotmail" <se_cur_ity () hotmail com>]

 I want to thank you all for your input. This thread may die now in peace.

wood
----- Original Message -----
From: "batz" <batsy () vapour net>
To: "Brad Bemis" <Brad.Bemis () airborne com>
Cc: "Hotmail" <se_cur_ity () hotmail com>; "Shawn McMahon" <smcmahon () eiv com>;
<full-disclosure () lists netsys com>
Sent: Thursday, April 24, 2003 10:32 AM
Subject: RE: [Full-disclosure] Break-in discovery and forensics tools


> On Thu, 24 Apr 2003, Brad Bemis wrote:
>
> :Once an investigation begins, the defendant computer(s) are more than
> :likely going to be confiscated and analyzed.  It is the digital forensic
> :evidence that carries a greater weight than just the victims log files.
In
> :some cases log files may be all that you have to go on, but it is going
to
> :be up the judge and/or jury to make an appropriate determination.
>
> Indeed, this is something I have been thinking about with IDS logs.
> Logs can only point you in the direction of where to find the
> physical evidence, which will ultimately be the attackers computer.
>
> Replayed sessions from an IDS will illustrate what happened, but
> I would bet the attackers disk is the only real evidence.
>
> Because of this, I think there is limited value in throwing too many
> resources at maintaining the sanctity of IDS logs. They are crucial,
> and they should be md5'd etc, but I have found that most administrators
> and security consultants over-emphasize their value, especially
> relative to their primary purpose of showing the path to the real
> evidence.
>
> --
> batz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html