Full Disclosure mailing list archives

Re: [inbox] Re: Reacting to a server compromise

From: "Gaurav Kumar" <gaurav () e2-labs com>
Date: Mon, 4 Aug 2003 13:29:17 +0530

i guess one may use encase (http://www.guidancesoftware.com/products/software/encaseforensic/index.shtm)
as the url says that "Validated by trial and appellate court rulings"


----- Original Message ----- 
From: "Curt Purdy" <purdy () tecman com>
To: <devnull () iprimus com au>; <full-disclosure () lists netsys com>
Sent: Monday, August 04, 2003 12:11 AM
Subject: RE: [inbox] Re: [Full-disclosure] Reacting to a server compromise

Negative.  Ghost is as capapble of making a bitwise copy of a drive (one of
two modes it has) as is dd in *NIX.  It is perfectly admissable in all
courts I know, as long as it is done quickly after compromise.  Standard
procedure (as little as there is standard in this young but quickly maturing
field) dictates you make an immediate initial dd copy for the court.  Then
make as many working dd's as neccessary for forensics.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions
cpurdy () dpsol com
936.637.7977 ext. 121

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of
devnull () iprimus com au
Sent: Saturday, August 02, 2003 9:33 PM
To: full-disclosure () lists netsys com
Subject: [inbox] Re: [Full-disclosure] Reacting to a server compromise


On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

If this happens again, I would probably make a copy of the hard drive,
or at the very least the log files since they can be entered as
evidence of a hacked box.


Under most jurisdictions, an ordinary disk image produced by Norton Ghost
etc
using standard hardware is completely inadmissible in court, as it is
impossible to make one without possibly compromising the integrity of the
evidence. The police etc use specialised hardware for making such copies,
which ensures that the disk can't have been altered.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: [inbox] Re: Reacting to a server compromise, (continued)
- - - RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 05)
    - RE: [inbox] Re: Reacting to a server compromise Bojan Zdrnja (Aug 06)
    - RE: [inbox] Re: Reacting to a server compromise Michal Zalewski (Aug 06)
    - Re: [inbox] Re: Reacting to a server compromise Valdis . Kletnieks (Aug 05)
    - Re: [inbox] Re: Reacting to a server compromise morning_wood (Aug 03)
    - Re: [inbox] Re: Reacting to a server compromise Peter Busser (Aug 04)
- Re: Reacting to a server compromise devnull (Aug 02)
  - Re: Reacting to a server compromise SecuresDotComs (Aug 02)
    - Re: Reacting to a server compromise madsaxon (Aug 02)
  - RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 03)
    - Re: [inbox] Re: Reacting to a server compromise Gaurav Kumar (Aug 03)
  - Re: Reacting to a server compromise Alexandre Dulaunoy (Aug 03)
    - RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 04)
  - Re: Reacting to a server compromise David Hayes (Aug 05)
    - Re: Reacting to a server compromise Ron DuFresne (Aug 05)
    - Re: Hard drive images Craig Pratt (Aug 05)
    - RE: [inbox] Re: Hard drive images Curt Purdy (Aug 05)
    - Re: Hard drive images ldreamer (Aug 05)
    - Re: Hard drive images madsaxon (Aug 05)
- Re: Reacting to a server compromise Mark (Aug 02)
- Re: Re: Reacting to a server compromise Jennifer Bradley (Aug 03)

(Thread continues...)