Re: Re: [Full-Disclosure] Reacting to a server compromise
- To: full-disclosure@lists.netsys.com
- Subject: Re: Re: [Full-Disclosure] Reacting to a server compromise
- From: "Jennifer Bradley" <jenbradley@webmail.co.za>
- Date: Sun, 3 Aug 2003 02:06:56 -0700
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6336.0">
<TITLE>Re: Re: [Full-Disclosure] Reacting to a server compromise</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>On Sun, 3 Aug 2003 12:31:39 +1000 (devnull@iprimus.com.au) wrote:<BR>
<BR>
>On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:<BR>
><BR>
>> If this happens again, I would probably make a copy of the hard drive,<BR>
>> or at the very least the log files since they can be entered as<BR>
>> evidence of a hacked box.<BR>
><BR>
>Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc<BR>
>using standard hardware is completely inadmissible in court, as it is<BR>
>impossible to make one without possibly compromising the integrity of the<BR>
>evidence. The police etc use specialised hardware for making such copies,<BR>
>which ensures that the disk can't have been altered.<BR>
<BR>
This is not true, at least in the US. Log files can be entered into<BR>
evidence unless you can prove that the log files have been tampered<BR>
with. The "possibility" of changing data does not make evidence<BR>
inadmissible, only proof that data has been changed.<BR>
<BR>
I don't see why a Norton Ghost image is any different than a tape<BR>
backup, and backups have been regularly entered in as evidence in many<BR>
famous cases, such as the Microsoft anti-trust case.<BR>
<BR>
jb<BR>
</FONT>
</P>
</BODY>
</HTML>