Re: Reacting to a server compromise

[devnull () iprimus com au]

On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

> If this happens again, I would probably make a copy of the hard drive,
> or at the very least the log files since they can be entered as
> evidence of a hacked box.

Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc 
using standard hardware is completely inadmissible in court, as it is 
impossible to make one without possibly compromising the integrity of the 
evidence. The police etc use specialised hardware for making such copies, 
which ensures that the disk can't have been altered.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html