RE: Break-in discovery and forensics tools

[batz <batsy () vapour net>]

On Thu, 24 Apr 2003, Brad Bemis wrote:

:Once an investigation begins, the defendant computer(s) are more than
:likely going to be confiscated and analyzed.  It is the digital forensic
:evidence that carries a greater weight than just the victims log files.  In
:some cases log files may be all that you have to go on, but it is going to
:be up the judge and/or jury to make an appropriate determination.  

Indeed, this is something I have been thinking about with IDS logs. 
Logs can only point you in the direction of where to find the 
physical evidence, which will ultimately be the attackers computer. 

Replayed sessions from an IDS will illustrate what happened, but 
I would bet the attackers disk is the only real evidence.  

Because of this, I think there is limited value in throwing too many 
resources at maintaining the sanctity of IDS logs. They are crucial, 
and they should be md5'd etc, but I have found that most administrators 
and security consultants over-emphasize their value, especially 
relative to their primary purpose of showing the path to the real 
evidence. 

-- 
batz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html