Full Disclosure mailing list archives

RE: [inbox] Re: Reacting to a server compromise


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sun, 3 Aug 2003 23:07:09 +0200 (CEST)

On Sun, 3 Aug 2003, Curt Purdy wrote:

Jennifer, I made a reply to someone disagreeing with your statement on
copying the drive, supporting your contention.  However, most courts
will not accept log files on magnetic media as evidence due to the ease
of alteration.  This is why we collect all logs on a central syslog
server that writes directly to write-once media.  That is irrefutable
evidence.

Or that someone spoofed a log message to your central log server, or that
someone messed with the log server itself to log fake entries?

What is your write-once media? Does it ensure integrity of the data stored
(so that it is evident when a printout or a CD or whatnot is replaced)?
If not, it's hardly "irrefutable". If yes, what was the cost of this
device and how many businesses can afford one?

Besides, what do your logs prove? That someone sent packets with some poor
guy's IP address as a source?

Most courts - IANALBMSUTO - will accept electronic logs, although they
usually expect them to be confirmed by several sources (i.e.  the attacked
host, your ISP) and backed with an official expert opinion to be of any
value.

Still, hardly evidence that the owner of the box was in control of the
application that sent the offending traffic. The hard evidence comes from
a different source, usually.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-03 22:54 --


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
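As an added illustration of the integrity question raised above (this is not code from either poster), a small tamper-evident log: an HMAC hash chain over syslog-style entries, with the key and the latest chain head kept off the log host. The sample entries and the key are constructed; the hypothetical functions seal_log and verify_log show what becomes evident (edits, deletions, truncation) and what does not (a spoofed message the collector accepted as genuine).

```python
import hashlib
import hmac

# Constructed sample entries; not real syslog data.
SAMPLE_ENTRIES = [
    "Aug  3 22:40:01 host sshd[412]: Accepted publickey for ops from 192.0.2.10",
    "Aug  3 22:41:17 host sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls",
    "Aug  3 22:43:05 host kernel: eth0: link down",
]

GENESIS = ("\x00" * 32).encode().hex()  # fixed starting point of the chain


def _tag(key, prev, msg):
    # Each tag covers the previous tag, so it binds the entry to all earlier ones.
    return hmac.new(key, (prev + "\n" + msg).encode(), hashlib.sha256).hexdigest()


def seal_log(entries, key):
    """Return records [{'msg', 'prev', 'tag'}] forming an HMAC hash chain.

    The key must live somewhere the log host cannot read; otherwise whoever
    owns the host can recompute the chain. Note that the chain only proves
    what the collector received, not that the sender was genuine (a spoofed
    syslog message is sealed just like a real one)."""
    records, prev = [], GENESIS
    for msg in entries:
        tag = _tag(key, prev, msg)
        records.append({"msg": msg, "prev": prev, "tag": tag})
        prev = tag
    return records


def verify_log(records, key, head=None):
    """Return the index of the first bad record, or None if the chain holds.

    `head` is the last tag published out of band (e.g. written to separate
    media); without it, silently dropping the newest entries is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = _tag(key, prev, rec["msg"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
            return i  # modified, deleted, inserted or reordered entry here
        prev = rec["tag"]
    if head is not None and prev != head:
        return len(records)  # chain is internally consistent but truncated
    return None
```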
