Full Disclosure mailing list archives

Re: Re: Reacting to a server compromise


From: northern snowfall <dbailey27 () ameritech net>
Date: Tue, 05 Aug 2003 00:47:30 -0500



> The FBI loaded some software (by booting off a floppy) prior
> to allowing him to copy data off of the machine. He was told by the agents
> that the software made the disk read-only. He was observed by the agents
> during the copy process. Is the FBI still operating like this?

Might be checksum monitoring software to determine whether
given vectors of data representing security sensitive files
are maintained. This way the FBI knows the person creating
the image isn't also exploiting access to the raw disk. Yes,
it is necessary, but it's usually implemented in a special
imaging machine, IIRC.

However, I don't know of any instance where the software is
on a boot disk. Besides, the software couldn't make the data on
the disk read-only. That isn't how hard disks work. The only
way image monitoring software can work is if the executive is
loaded and then the software is loaded. Then the image has to be
created while the executive is loaded, which creates the probability
of the image changing during the mirror.

Any SCSI or ATA can be altered during raw data access. Unless
you're working with an optical WORM (et al) there is no way to
make it read-only.

Besides, executives can't see all the data on a disk. So, an
imager cannot work in co-operation with the executive. Check the
security facilities of the ATA (I'm not sure if the T10 has
implemented this?); you can create segments of an ATA that are
hidden from any executive.

The ATA Technical Committee:
   http://www.t13.org/

The SCSI Technical Committee:
   http://www.t10.org/

Most government agencies should be using their specialized
hardware unit that creates a raw image vector of one disk
mirrored onto another. Your friend might be pulling your
leg. Or, the FBI agents really *don't* know what they're
doing.

Don

http://www.7f.no-ip.com/~north_
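Don's point that an image taken while the executive (the running OS) is loaded can change mid-copy is something an examiner would check for by hashing the source before and after the mirror and comparing both with the hash of the bytes actually copied. The following is an added example, not code from this post or from any forensic tool; `LiveDisk` is a constructed in-memory stand-in for a disk that is still being written to, and the sample data and "LOG" write are made up. It generalizes to both cases: a write landing ahead of the copy cursor (the image silently captures the new state) and one landing behind it (the image keeps the old state while the source moves on).

```python
import hashlib
import io

SECTOR = 512  # hash and copy in sector-sized reads, as a raw disk mirror would

def sha256_of(stream):  # hash a stream from its start, sector by sector
    stream.seek(0)
    digest = hashlib.sha256()
    for sector in iter(lambda: stream.read(SECTOR), b""):
        digest.update(sector)
    return digest.hexdigest()

def mirror(source, target):  # raw copy onto an empty target; returns hash of bytes read
    source.seek(0)
    digest = hashlib.sha256()
    for sector in iter(lambda: source.read(SECTOR), b""):
        digest.update(sector)
        target.write(sector)
    return digest.hexdigest()

def acquire(source, target=None):
    """Bracket the copy with source hashes to expose writes that land mid-acquisition."""
    target = io.BytesIO() if target is None else target
    before = sha256_of(source)
    read_hash = mirror(source, target)
    after = sha256_of(source)
    image = sha256_of(target)
    return {
        "copy_verified": read_hash == image,   # target holds exactly what was read
        "source_unchanged": before == after,   # no write hit the source meanwhile
        "image_is_original": image == before,  # image equals the pre-acquisition state
    }

class LiveDisk(io.BytesIO):
    """Constructed stand-in for a disk the running OS writes to: `patch` lands at `offset`
    just before read `on_read` of pass `on_pass` (1 = pre-hash, 2 = mirror, 3 = post-hash)."""
    def __init__(self, data, on_pass, on_read, offset, patch):
        super().__init__(data)
        self._pass = self._reads = 0
        self._when, self._offset, self._patch = (on_pass, on_read), offset, patch
    def seek(self, pos, whence=0):
        if (pos, whence) == (0, 0):  # every rewind starts a new pass
            self._pass, self._reads = self._pass + 1, 0
        return super().seek(pos, whence)
    def read(self, size=-1):
        self._reads += 1
        if (self._pass, self._reads) == self._when:
            with self.getbuffer() as buf:  # in-place write, like a background log flush
                buf[self._offset:self._offset + len(self._patch)] = self._patch
        return super().read(size)
```

With a hardware write blocker in front of the source all three flags are trivially true; without one, only the before/after bracket catches a write that lands ahead of the copy cursor.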



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

