Full Disclosure mailing list archives
Re: Re: Reacting to a server compromise
From: northern snowfall <dbailey27 () ameritech net>
Date: Tue, 05 Aug 2003 00:47:30 -0500
> The FBI loaded some software (by booting off a floppy) prior to allowing him to copy data off of the machine. He was told by the agents that the software made the disk read-only. He was observed by the agents during the copy process. Is the FBI still operating like this?
Might be checksum monitoring software to determine whether given vectors of data representing security sensitive files are maintained. This way the FBI knows the person creating the image isn't also exploiting access to the raw disk. Yes, it is necessary, but it's usually implemented in a special imaging machine, IIRC. However, I don't know of any instance where the software is on a boot disk.

Besides, the software couldn't make the data on the disk read-only. That isn't how hard disks work. The only way image monitoring software can work is if the executive is loaded then the software is loaded. Then the image has to be created while the executive is loaded, which creates probability of the image changing during mirror. Any SCSI or ATA can be altered during raw data access. Unless you're working with an optical WORM (et al) there is no way to make it read-only.

Besides, executives can't see all the data on a disk. So, an imager cannot work in co-operation with the executive. Check the security facilities of the ATA (I'm not sure if the T10 has implemented this?), you can create segments of an ATA that are hidden from any executive.

The ATA Technical Committee: http://www.t13.org/
The SCSI Technical Committee: http://www.t10.org/

Most government agencies should be using their specialized hardware unit that creates a raw image vector of one disk mirrored onto another. Your friend might be pulling your leg. Or, the FBI agents really *don't* know what they're doing.

Don
http://www.7f.no-ip.com/~north_

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
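Don's point that a live executive can write to the disk while it is being mirrored is what integrity checks on an acquisition are meant to catch. As an added example, not from the post or the list, the Python below images a source block by block, hashing what it reads, then re-hashes both the image and the source so that a source that changed during or after the copy is reported. The device paths and the 4 MiB pseudo-device in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read the source in 1 MiB blocks

def hash_file(path):
    """SHA-256 of a whole file or block device, read block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_device(src_path, dst_path):
    """Copy src to dst block by block; return the hash of the bytes read."""
    seen = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            seen.update(block)
            dst.write(block)
    return seen.hexdigest()

def verify_acquisition(src_path, dst_path):
    """Image, then re-hash both sides. A source that no longer matches what was
    read means something wrote to it during or after the copy; an image that
    does not match means the write to the destination failed."""
    during = image_device(src_path, dst_path)
    return {"sha256": during,
            "image_matches_read": hash_file(dst_path) == during,
            "source_unchanged": hash_file(src_path) == during}

def demo():
    """Constructed scenario: a 4 MiB pseudo-device, imaged while stable, then
    one byte flipped (a write hitting the live disk) and re-checked."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "sda"), os.path.join(d, "sda.img")
        with open(src, "wb") as f:
            f.write(os.urandom(4 * CHUNK))
        clean = verify_acquisition(src, dst)
        with open(src, "r+b") as f:
            f.seek(3 * CHUNK + 17)
            b = f.read(1)[0]
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([b ^ 0xFF]))
        tampered = dict(clean, source_unchanged=hash_file(src) == clean["sha256"])
        return clean, tampered
```

On a real acquisition the source would be the block device (e.g. opened read-only through a hardware write blocker) and the recorded hash would be kept with the image as the chain-of-custody value.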