Full Disclosure mailing list archives

Re: Re: Reacting to a server compromise


From: "Frank Bruzzaniti" <frank () chariot net au>
Date: Mon, 4 Aug 2003 19:51:10 +0930

If you use Ghost you must do a sector-by-sector copy; it takes a lot longer,
but you will be able to undelete files.

Frank

----- Original Message -----
From: "Richard Stevens" <richard () tccnet co uk>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 04, 2003 5:17 PM
Subject: RE: [Full-disclosure] Re: Reacting to a server compromise


I'd be interested to know if a Ghost image (or even hardware systems
like Image-Master) carries over deleted files to the new image, as
these can usually be undeleted easily enough.

Anyone know?

I'd guess the safest way is just to keep the original drive, but if it's
a nice big expensive SCSI RAID set I'd guess this probably isn't
practical.



-----Original Message-----
From: Alexandre Dulaunoy [mailto:alexandre.dulaunoy () ael be]
Sent: 03 August 2003 20:01
To: devnull () iprimus com au
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Reacting to a server compromise


On 03/Aug/03 12:33 +1000, devnull () iprimus com au wrote:
On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

If this happens again, I would probably make a copy of the hard drive,
or at the very least the log files since they can be entered as
evidence of a hacked box.

Under most jurisdictions, an ordinary disk image produced by Norton
Ghost etc. using standard hardware is completely inadmissible in court,
as it is impossible to make one without possibly compromising the
integrity of the evidence. The police etc. use specialised hardware for
making such copies, which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between, for example, a (s)dd and the specialised hardware
that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to
minimize the intrusion to the scene. On computer hardware it is really
difficult... Using a hardware device that doesn't change the scene too
much is difficult... (think of a compromised disk firmware).

And worst of all, sometimes we see something that doesn't exist at
all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau

--
--        Alexandre Dulaunoy (adulau) -- http://www.foo.be/
--    http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
--    "Knowledge can create problems, it is not through ignorance
--   that we can solve them" Isaac Asimov
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



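The two questions running through this thread, whether an image carries deleted files (Frank's sector-by-sector point and Richard's question) and how you show the copy has not altered the evidence (Alexandre's dd versus special hardware question), can both be demonstrated on a toy block device. The following is an added example, not code from any poster on this list and not a real filesystem: it constructs a tiny disk in a byte array with a directory that is cleared on delete while the data sectors stay put, then compares a file-level copy (only what the directory still references) against a sector-level copy (every byte, what `dd if=/dev/sdX of=image` produces), and hashes the source before and after acquisition so the image can be checked against it. The sector size, directory layout, file names and the "ATTACKER_WAS_HERE" marker are all constructed for the demo.

```python
"""Constructed toy block device: why a sector-by-sector image keeps deleted
data while a file-level copy does not, and a hash check on the acquisition."""
import hashlib

SECTOR = 64        # bytes per sector; assumed small for the demo (real disks: 512 or 4096)
NSECTORS = 16      # assumed device size: 16 sectors = 1 KiB
DIR_SECTORS = 2    # sectors 0-1 hold the directory
ENTRY = 32         # directory entry: 16 bytes name, 2 start sector, 2 length, 12 padding


class ToyDisk:
    """Minimal 'filesystem' on a byte array (constructed for this example).
    Deleting a file only clears its directory entry; the data sectors are
    left untouched, which is exactly what makes undeletion from a raw image
    possible and why a file-level copy loses that evidence."""

    def __init__(self) -> None:
        self.data = bytearray(SECTOR * NSECTORS)
        self.next_free = DIR_SECTORS          # next unallocated data sector

    def _entries(self):
        for i in range(DIR_SECTORS * SECTOR // ENTRY):
            yield i * ENTRY, self.data[i * ENTRY:(i + 1) * ENTRY]

    def write_file(self, name: str, content: bytes) -> None:
        nsec = -(-len(content) // SECTOR)      # ceiling division
        if self.next_free + nsec > NSECTORS:
            raise OSError("toy disk full")
        for off, entry in self._entries():
            if entry[:16] == b"\0" * 16:       # free directory slot
                break
        else:
            raise OSError("directory full")
        start = self.next_free
        self.data[off:off + ENTRY] = (name.encode().ljust(16, b"\0")[:16]
                                      + start.to_bytes(2, "big")
                                      + len(content).to_bytes(2, "big")
                                      + b"\0" * 12)
        self.data[start * SECTOR:start * SECTOR + len(content)] = content
        self.next_free += nsec

    def delete_file(self, name: str) -> None:
        for off, entry in self._entries():
            if entry[:16].rstrip(b"\0") == name.encode():
                self.data[off:off + ENTRY] = b"\0" * ENTRY   # unlink only, data stays
                return
        raise FileNotFoundError(name)

    def live_files(self) -> dict:
        """What a file-by-file backup tool sees: only referenced entries."""
        files = {}
        for _, entry in self._entries():
            if entry[:16] != b"\0" * 16:
                start = int.from_bytes(entry[16:18], "big")
                length = int.from_bytes(entry[18:20], "big")
                files[entry[:16].rstrip(b"\0").decode()] = bytes(
                    self.data[start * SECTOR:start * SECTOR + length])
        return files


def file_level_copy(disk: ToyDisk) -> dict:
    """Copy only what the directory still references."""
    return disk.live_files()


def sector_copy(disk: ToyDisk) -> bytes:
    """Bit-for-bit copy of every sector, allocated or not (the dd equivalent)."""
    return bytes(disk.data)


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def carve(image: bytes, marker: bytes, width: int = 24):
    """Find a known string anywhere in the raw image; None if absent."""
    pos = image.find(marker)
    return None if pos < 0 else image[pos:pos + width]


def run_demo() -> dict:
    disk = ToyDisk()
    disk.write_file("motd.txt", b"welcome to the honeypot\n")
    disk.write_file("rootkit.log", b"ATTACKER_WAS_HERE: installed /tmp/.x\n")
    disk.delete_file("rootkit.log")            # the intruder cleans up after himself

    # Hash the device before acquisition, image it, then hash device and image:
    # all three must agree or the copy (or the device) was altered in between.
    before = sha256(bytes(disk.data))
    image = sector_copy(disk)
    after = sha256(bytes(disk.data))
    files = file_level_copy(disk)

    return {
        "live_files": sorted(files),
        "in_file_copy": any(b"ATTACKER_WAS_HERE" in c for c in files.values()),
        "carved": carve(image, b"ATTACKER_WAS_HERE"),
        "image_hash": sha256(image),
        "hashes_match": before == after == sha256(image),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The file-level copy comes back with only `motd.txt`, while the marker from the unlinked log is still carved straight out of the sector image. The hash check is the software-side answer to Alexandre's question: it proves the image matches the device at the moment of acquisition, but it cannot prove the device itself was not touched beforehand, which is the gap a hardware write blocker or a trusted acquisition procedure is meant to close.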