RE: Re: Reacting to a server compromise

[Ron DuFresne <dufresne () winternet com>]

I believe the way to go to store a drive from a system is to make a dd
copy to a new drive, remove the drive itself, and stoore it following
proper chain of evidence proceedures, and do any forensics on the new
drive.  Now, if that's enough, perhaps not, in some instances the machine
itself might need to be tored in a full chain of evidence process also.

Tina Bird's sight might offer some infoo on this, she has popped up in
many of these threads to clarify issues of such on the various lists as
some of us have pondered without knowledge.  Tina, you have any words on
this to offer up?

Thanks,

Ron DuFresne

On Mon, 4 Aug 2003, Richard Stevens wrote:

> I'd be interested to know if a ghost image (or even hardware systems
> like image-master) carrys over deleted files to the new image?.. as
> these can usually be undeleted easily enough.
>
> anyone know?
>
> I'd guess the safest way is just to keep the orignal drive.. but if it's
> a nice big expensive scsi raid set I'd guess this probably isnt
> practical.
>
>
>
> -----Original Message-----
> From: Alexandre Dulaunoy [mailto:alexandre.dulaunoy () ael be]
> Sent: 03 August 2003 20:01
> To: devnull () iprimus com au
> Cc: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Re: Reacting to a server compromise
>
>
> On 03/Aug/03 12:33 +1000, devnull () iprimus com au wrote:
> > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> >
> > > If this happens again, I would probably make a copy of the hard
> drive,
> > > or at the very least the log files since they can be entered as
> > > evidence of a hacked box.
> >
> > Under most jurisdictions, an ordinary disk image produced by Norton
> Ghost etc
> > using standard hardware is completely inadmissible in court, as it is
> > impossible to make one without possibly compromising the integrity of
> the
> > evidence. The police etc use specialised hardware for making such
> copies,
> > which ensures that the disk can't have been altered.
>
> Getting evidence  by reading (via  any software or  hardware solution)
> may compromise the integrity of the evidence. I would like to know the
> difference between  for example a  (s)dd and the  specialised hardware
> that you talk about ? Do you have any references ?
>
> Preserving  the  scene integrity  is  really  difficult.  You have  to
> minimize the  intrusion to the  scene. On computer hardware  is really
> difficult...  Using a hardware device that doesn't change too much the
> scene is difficult... (think of a compromised disk firmware).
>
> And  the worst,  sometimes  we  see something  that  doesn't exist  at
> all. Forensic analysis is the land of illusion...
>
> just my .02 EUR.
>
> adulau
>
> --
> --                 Alexandre Dulaunoy (adulau) -- http://www.foo.be/
> --       http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
> --       "Knowledge can create problems, it is not through ignorance
> --                              that we can solve them" Isaac Asimov
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html