Where are the greater risks?

From: phzyat_private
Date: Mon Jul 02 2001 - 10:27:03 PDT


    > Funny you should mention OpenBSD and FreeBSD. Don't they (and Solaris, and
    > NetBSD) have disklabels?  Which the OS will auto-generate for you if missing?
    > Which are different from, and don't have to agree with, the partition table
    > most i386 Windows people are familiar with? For which large sections of the
    > install FAQ's are devoted because so many people get them wrong?
    
    Disklabels are normally placed on the first sector of the drive right by the
    bootstrap area, in which case labels will be embedded within.
    Disklabels contain information about drive geometry AND partition layout
    addresses, etc. At initial installation time a disklabel usually won't exist
    on the target drive in which case, disklabel will query the drive itself
    for geometry, then update the on-disk AND in-core label
    with the correct information. When adding a new drive to a system
    that does not have a known entry in /etc/disktab, the disklabel -r
    option will query the disk itself. 
    
    When the system boots up, a kernel disk driver will be loaded ('wdc' for
    instance); the geometry information the driver relays to the user is the disk's
    'real geometry', not the BIOS-translated geometry. However, if an older disk is
    encountered on boot, sometimes the wd_get_params() function will return CMD_ERR,
    in which case the driver will fake drive geometry information in order to read
    the MBR.
    
    Irregardless, if you don't feel comfortable about the geometry information that
    is being detected, supplement through proper procedure and define the correct
    drive geometry in BIOS.
    
    > The reality is many of us will not be ending up in court, or anywhere
    > else as strict. We have (and accept) lesser goals, different requirements, and
    > limited resources.  We're interested in finding out what happened so that we
    > can stop it _now_ and then make sure it doesn't happen again, or at least
    > mitigate the risks.
    
    Granted, lesser goals, different requirements; however, you cannot honestly
    state with 100% certainty that you will never end up in court. You don't know.
    What if a significant dollar amount is connected to the investigation of a
    break-in, and your boss wants to recoup some of that cost in civil court? Or
    what if that break-in was a part of a much larger, more serious attack in which
    criminal charges are pending? You should do your best to maintain the integrity
    of any evidence collected, irregardless of its intended purpose. Following
    proper procedure has nothing to do with having limited resources at your
    disposal.
    
    - phzy
    
    --
    Sent with Antiplur webmail: http://www.antiplur.com
    
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
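The post above argues that a disklabel carries both drive geometry and partition layout, and that an examiner who does not trust the detected geometry should check it before relying on it. As an added example (not part of the original message, and not code from any BSD project), the Python below decodes the classic 4.4BSD / FreeBSD 4.x `struct disklabel` as stored little-endian on an i386 disk with eight partition slots, verifies the two magic numbers and the XOR checksum the kernel's `dkcksum()` applies, and then cross-checks that the CHS figures multiply out and that every partition fits on the unit. The field offsets follow that classic layout; later OpenBSD labels use a different, wider structure, and the sample label and its geometry are constructed for this example rather than read from a real drive.

```python
import struct

DISKMAGIC = 0x82564557   # BSD disklabel magic ("WEV\x82" read little-endian on i386)
LABEL_SIZE = 276         # sizeof(struct disklabel) with MAXPARTITIONS == 8
PART_OFFSET = 148        # byte offset of d_partitions[]
PART_SIZE = 16           # sizeof(struct partition): p_size, p_offset, p_fsize, p_fstype, p_frag, p_cpg

# Byte offsets of the fields used here in the classic 4.4BSD / FreeBSD 4.x struct disklabel.
OFF = {
    "d_magic": 0, "d_typename": 8, "d_secsize": 40, "d_nsectors": 44, "d_ntracks": 48,
    "d_ncylinders": 52, "d_secpercyl": 56, "d_secperunit": 60, "d_magic2": 132,
    "d_checksum": 136, "d_npartitions": 138,
}
FSTYPES = {0: "unused", 1: "swap", 7: "4.2BSD"}   # subset of the FS_* codes
GEOM_FIELDS = ("d_secsize", "d_nsectors", "d_ntracks", "d_ncylinders", "d_secpercyl", "d_secperunit")


def dkcksum(raw, npartitions):
    """XOR of the 16-bit words from d_magic through d_partitions[npartitions-1], like the
    kernel's dkcksum(). d_checksum itself is part of the sum, so a good label XORs to 0."""
    total = 0
    for (word,) in struct.iter_unpack("<H", raw[:PART_OFFSET + PART_SIZE * npartitions]):
        total ^= word
    return total


def parse_disklabel(raw):
    """Decode geometry and partition layout; raise ValueError on the same sanity
    failures the kernel rejects a label for (bad magic, bad checksum, too many slots)."""
    if len(raw) < LABEL_SIZE:
        raise ValueError("buffer shorter than a disklabel")
    magic = struct.unpack_from("<I", raw, OFF["d_magic"])[0]
    magic2 = struct.unpack_from("<I", raw, OFF["d_magic2"])[0]
    if magic != DISKMAGIC or magic2 != DISKMAGIC:
        raise ValueError("bad disklabel magic: no label at this offset")
    npart = struct.unpack_from("<H", raw, OFF["d_npartitions"])[0]
    if npart > 8:
        raise ValueError("d_npartitions exceeds MAXPARTITIONS")
    if dkcksum(raw, npart) != 0:
        raise ValueError("disklabel checksum mismatch: label altered or corrupt")
    geom = {name: struct.unpack_from("<I", raw, OFF[name])[0] for name in GEOM_FIELDS}
    typename = raw[OFF["d_typename"]:OFF["d_typename"] + 16].split(b"\0", 1)[0].decode("ascii", "replace")
    parts = []
    for i in range(npart):
        size, offset, _fsize, fstype, _frag, _cpg = struct.unpack_from("<IIIBBH", raw, PART_OFFSET + i * PART_SIZE)
        parts.append({"name": chr(ord("a") + i), "offset": offset, "size": size,
                      "fstype": FSTYPES.get(fstype, str(fstype))})
    return {"typename": typename, "geometry": geom, "partitions": parts}


def is_valid_label(raw):
    """True if the buffer passes every structural check in parse_disklabel()."""
    try:
        parse_disklabel(raw)
        return True
    except ValueError:
        return False


def geometry_warnings(label):
    """Cross-checks to run before trusting a label: CHS figures must multiply out,
    and every in-use partition must lie within the unit's sector count."""
    g, warn = label["geometry"], []
    if g["d_secpercyl"] != g["d_nsectors"] * g["d_ntracks"]:
        warn.append("d_secpercyl != d_nsectors * d_ntracks")
    if g["d_secperunit"] != g["d_secpercyl"] * g["d_ncylinders"]:
        warn.append("d_secperunit != d_secpercyl * d_ncylinders")
    for p in label["partitions"]:
        if p["fstype"] != "unused" and p["offset"] + p["size"] > g["d_secperunit"]:
            warn.append("partition %s extends past end of unit" % p["name"])
    return warn


def build_label(nsectors, ntracks, ncylinders, partitions, typename=b"ESDI", secsize=512):
    """Construct a label the way disklabel(8) writes one (constructed sample data for
    this example, not copied from a real disk). partitions = [(offset, size, fstype), ...]."""
    raw = bytearray(LABEL_SIZE)
    struct.pack_into("<I", raw, OFF["d_magic"], DISKMAGIC)
    struct.pack_into("<I", raw, OFF["d_magic2"], DISKMAGIC)
    struct.pack_into("<16s", raw, OFF["d_typename"], typename)
    secpercyl = nsectors * ntracks
    values = (secsize, nsectors, ntracks, ncylinders, secpercyl, secpercyl * ncylinders)
    for name, val in zip(GEOM_FIELDS, values):
        struct.pack_into("<I", raw, OFF[name], val)
    struct.pack_into("<H", raw, OFF["d_npartitions"], len(partitions))
    for i, (offset, size, fstype) in enumerate(partitions):
        struct.pack_into("<IIIBBH", raw, PART_OFFSET + i * PART_SIZE, size, offset, 0, fstype, 0, 0)
    # d_checksum is zero at this point; storing dkcksum() makes the whole label XOR to 0.
    struct.pack_into("<H", raw, OFF["d_checksum"], dkcksum(raw, len(partitions)))
    return bytes(raw)


def tamper(raw, field, value):
    """Copy of the label with one geometry field overwritten and the checksum left stale,
    which is what a careless edit of the on-disk label (or bit rot) looks like."""
    out = bytearray(raw)
    struct.pack_into("<I", out, OFF[field], value)
    return bytes(out)


# Constructed sample: 63 sectors x 16 heads x 1024 cylinders, with a 4.2BSD root ('a'),
# swap ('b') and the traditional whole-disk 'c' slot.
SAMPLE_LABEL = build_label(63, 16, 1024, [(0, 409600, 7), (409600, 262144, 1), (0, 1032192, 0)])

if __name__ == "__main__":
    label = parse_disklabel(SAMPLE_LABEL)
    print(label["typename"], label["geometry"], geometry_warnings(label))
    print("tampered label accepted:", is_valid_label(tamper(SAMPLE_LABEL, "d_ncylinders", 2048)))
```

On a real image the 276 bytes would be read from the label sector the platform uses (sector 1 on i386 BSDs), and a checksum failure there is exactly the kind of finding worth recording in the examiner's notes before anything else is done to the disk.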
    