Full Disclosure mailing list archives
Re: Re: Reacting to a server compromise
From: "Frank Bruzzaniti" <frank () chariot net au>
Date: Mon, 4 Aug 2003 19:51:10 +0930
If you use Ghost you must do a sector-by-sector copy; it takes a lot longer, but you will be able to undelete files.

Frank

----- Original Message -----
From: "Richard Stevens" <richard () tccnet co uk>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 04, 2003 5:17 PM
Subject: RE: [Full-disclosure] Re: Reacting to a server compromise

I'd be interested to know if a Ghost image (or even hardware systems like image-master) carries over deleted files to the new image, as these can usually be undeleted easily enough. Anyone know? I'd guess the safest way is just to keep the original drive, but if it's a nice big expensive SCSI RAID set I'd guess this probably isn't practical.

-----Original Message-----
From: Alexandre Dulaunoy [mailto:alexandre.dulaunoy () ael be]
Sent: 03 August 2003 20:01
To: devnull () iprimus com au
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Reacting to a server compromise

On 03/Aug/03 12:33 +1000, devnull () iprimus com au wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> > If this happens again, I would probably make a copy of the hard drive, or at the very least the log files since they can be entered as evidence of a hacked box.
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc. using standard hardware is completely inadmissible in court, as it is impossible to make one without possibly compromising the integrity of the evidence. The police etc. use specialised hardware for making such copies, which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution) may compromise the integrity of the evidence. I would like to know the difference between, for example, a (s)dd and the specialised hardware that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to minimize the intrusion to the scene. On computer hardware it is really difficult... Using a hardware device that doesn't change the scene too much is difficult... (think of a compromised disk firmware). And the worst: sometimes we see something that doesn't exist at all. Forensic analysis is the land of illusion... just my .02 EUR.

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
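As an added illustration of the sector-by-sector point made in this thread (my own example, not code from any of the posters): a Python simulation of imaging a constructed 8-sector device, showing that a raw image carries the data of a deleted file and zero-fills an unreadable sector (the way dd conv=noerror,sync does), that a file-level copy of allocated sectors does not carry that data, and that a hash taken during acquisition lets the stored image be verified later. The sector size, disk contents and allocation map are all constructed for the example.

```python
import hashlib

SECTOR = 512  # sector size assumed for the constructed device

def _sector(payload: bytes) -> bytes:
    return payload.ljust(SECTOR, b"\0")

# Constructed 8-sector "disk". ALLOCATED is what the filesystem reports in use,
# i.e. all that a file-level copy (Ghost's default mode, cp, backup tools) reads.
DISK = [
    _sector(b"BOOT"),               # 0 allocated
    _sector(b"live file, part 1"),  # 1 allocated
    _sector(b"live file, part 2"),  # 2 allocated
    _sector(b""),                   # 3 free, never written
    _sector(b"DELETED LOG ENTRY"),  # 4 free: file deleted, data left on disk
    _sector(b"stale junk"),         # 5 free
    None,                           # 6 unreadable (simulated media error)
    _sector(b"END"),                # 7 allocated
]
ALLOCATED = {0, 1, 2, 7}

def read_sector(n: int) -> bytes:
    """Read one sector from the constructed device; fail the way a bad drive does."""
    if DISK[n] is None:
        raise OSError(f"I/O error reading sector {n}")
    return DISK[n]

def image_sector_by_sector(nsectors: int):
    """Raw image of every sector: unreadable ones are zero-filled and logged
    (what dd conv=noerror,sync does); the hash is taken during acquisition."""
    out, bad, h = bytearray(), [], hashlib.sha256()
    for n in range(nsectors):
        try:
            chunk = read_sector(n)
        except OSError:
            bad.append(n)
            chunk = b"\0" * SECTOR
        out += chunk
        h.update(chunk)
    return bytes(out), h.hexdigest(), bad

def copy_file_level(allocated: set) -> bytes:
    """File-level copy: only the sectors the filesystem says are in use."""
    return b"".join(read_sector(n) for n in sorted(allocated))

def verify_image(image: bytes, expected_hex: str) -> bool:
    """Re-hash a stored image and compare with the acquisition-time hash."""
    return hashlib.sha256(image).hexdigest() == expected_hex
```

The bad-sector list and the acquisition hash are what you would record alongside the image; the hash lets a later reader detect any change to the stored copy, but says nothing about whether reading the original disturbed the source, which is the point Alexandre raises.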