Home page logo
/

basics logo Security Basics mailing list archives

RE: tools used to examine a computer
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 20 Feb 2003 09:14:38 -0000

My final word on this is that I was talking about cloning the disk or
partition and not using dd for single files if that helps clear any
confusion about what I was saying.  At the end of the day if it was a
serious issue that might go to full legal investigation I would call in
professional law enforcement agencies who have the write tools and
software for the job.

So when running an Incident Handling operation the main thing to know is
when to touch the machine at all to do anything and when to declare it
serious enough for legal action to be taken.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: 19 February 2003 19:15
To: David J. Bianco
Cc: Trevor Cushen; security-basics () securityfocus com
Subject: RE: tools used to examine a computer


David,

I did say "hashes the file (MD5 and/or SHA-1)"...so do
it both before and after you copy it over the network.
 Just be sure to collect the MAC times *before* you
hash it, as hashing causes the file to be accessed,
and the last access time changes.

--- "David J. Bianco" <bianco () jlab org> wrote:
On Tue, 2003-02-18 at 13:02, H C wrote:
Also on the point of copying files over the
network
first, correct me if
I'm wrong but that damages the chain of
evidence.

Now so?  If one collects the necessary info (ie,
MAC
times, NTFS ADSs, permissions, full path, etc),
hashes
the file (MD5 and/or SHA-1), and then copies the
file
over the network using something like 'dd' or
type,
and netcat/cryptcat, how is the chain of evidence
broken?  Especially if it's documented?

Although Trevor has since posted a clarification to
the effect that
was referring to file copying as opposed to creating
a bit image with
dd, I think it's worth noting that in order to guard
against accidental
or malicious network data tampering, you'd have to
guarantee that the
data traversed the network without being tampered
with, probably by
computing an md5 sum on the data at both ends of the transfer.
Otherwise the chain of evidence would indeed be
broken, since most 
networks are not guaranteed to be reliable or secure
from tampering.

      David


--
David J. Bianco <bianco () jlab org>
Thomas Jefferson National Accelerator Facility



__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com


**************************************************************************************

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

**************************************************************************************


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault