> Funny you should mention OpenBSD and FreeBSD. Don't they (and Solaris, and
> NetBSD) have disklabels? Which the OS will auto-generate for you if missing?
> Which are different from, and don't have to agree with, the partition table
> most i386 Windows people are familiar with? For which large sections of the
> install FAQs are devoted because so many people get them wrong?

Disklabels are normally placed on the first sector of the drive right by the bootstrap area, in which case labels will be embedded within. Disklabels contain information about drive geometry AND partition layout addresses, etc. At initial installation time a disklabel usually won't exist on the target drive, in which case disklabel will query the drive itself for geometry, then update the on-disk AND in-core label with the correct information. When adding a new drive to a system that does not have a known entry in /etc/disktab, the disklabel -r option will query the disk itself.

When the system boots up, a kernel disk driver will be loaded ('wdc' for instance); the geometry information the driver relays to the user is the disk's 'real geometry', not the BIOS-translated geometry. However, if an older disk is encountered on boot, sometimes the wd_get_params() function will return CMD_ERR, in which case the driver will fake drive geometry information in order to read the MBR. Regardless, if you don't feel comfortable about the geometry information that is being detected, supplement through proper procedure and define the correct drive geometry in BIOS.

> The reality is many of us will not be ending up in court, or anywhere
> else as strict. We have (and accept) lesser goals, different requirements, and
> limited resources. We're interested in finding out what happened so that we
> can stop it _now_ and then make sure it doesn't happen again, or at least
> mitigate the risks.
Granted, lesser goals, different requirements; however, you cannot honestly state with 100% certainty that you will never end up in court. You don't know. What if a significant dollar amount is connected to the investigation of a break-in, and your boss wants to recoup some of that cost in civil court? Or what if that break-in was a part of a much larger, more serious attack in which criminal charges are pending? You should do your best to maintain the integrity of any evidence collected, regardless of its intended purpose. Following proper procedure has nothing to do with having limited resources at your disposal.

- phzy

--
Sent with Antiplur webmail: http://www.antiplur.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
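The post describes the on-disk disklabel carrying both geometry and partition layout, and separately argues for checking evidence integrity. The following is an added example, not code from the original post or from any BSD project: it parses a classic i386 `struct disklabel` layout, verifies both magics and the XOR checksum before trusting anything, and flags geometry/partition inconsistencies an investigator would want to know about. The sample label is constructed in the script (no real disk image), and the field offsets are assumed to follow the traditional BSD `disklabel.h` layout.

```python
import struct
# Classic i386 struct disklabel: 148-byte header through d_sbsize, then 16-byte partitions
DISKMAGIC = 0x82564557
HDR_FMT = "<IHH16s16s" "IIIIII" "HH" "I" "HHHH" "II" "I" "IIIII" "IIIII" "I" "HH" "II"
PART_FMT = "<IIIBBH"          # p_size, p_offset, p_fsize, p_fstype, p_frag, p_cpg
PART_OFF, CKSUM_OFF = 148, 136

def label_checksum(buf, npartitions):
    # XOR of every 16-bit word up to the end of the partition table, d_checksum as 0
    csum = 0
    for i in range(0, PART_OFF + 16 * npartitions, 2):
        if i != CKSUM_OFF:
            csum ^= struct.unpack_from("<H", buf, i)[0]
    return csum

def build_label(nsectors, ntracks, ncylinders, parts):
    # Constructed sample label (not from a real disk); parts = [(size, offset, fstype)]
    secpercyl, buf = nsectors * ntracks, bytearray(512)
    struct.pack_into(HDR_FMT, buf, 0, DISKMAGIC, 4, 0, b"ESDI/IDE", b"constructed",
                     512, nsectors, ntracks, ncylinders, secpercyl, secpercyl * ncylinders,
                     0, 0, 0, 3600, 1, 0, 0, 0, 0, 0, *([0] * 10),
                     DISKMAGIC, 0, len(parts), 8192, 8192)
    for i, (size, offset, fstype) in enumerate(parts):
        struct.pack_into(PART_FMT, buf, PART_OFF + 16 * i, size, offset, 1024, fstype, 8, 16)
    struct.pack_into("<H", buf, CKSUM_OFF, label_checksum(buf, len(parts)))
    return bytes(buf)

def parse_label(buf):
    # Reject anything without both magics or with a bad checksum before trusting it
    hdr = struct.unpack_from(HDR_FMT, buf, 0)
    if hdr[0] != DISKMAGIC or hdr[31] != DISKMAGIC:
        raise ValueError("no disklabel magic")
    npart = hdr[33]
    if label_checksum(buf, npart) != hdr[32]:
        raise ValueError("disklabel checksum mismatch")
    parts = [struct.unpack_from(PART_FMT, buf, PART_OFF + 16 * i) for i in range(npart)]
    return {"nsectors": hdr[6], "ntracks": hdr[7], "ncylinders": hdr[8], "secpercyl": hdr[9],
            "secperunit": hdr[10], "partitions": [(p[0], p[1], p[3]) for p in parts]}

def check_label(label):
    # Geometry/partition consistency findings worth flagging during an investigation
    findings = []
    if label["secpercyl"] != label["nsectors"] * label["ntracks"]:
        findings.append("d_secpercyl disagrees with nsectors*ntracks")
    for i, (size, offset, _) in enumerate(label["partitions"]):
        if size and offset + size > label["secperunit"]:
            findings.append("partition %c extends past d_secperunit" % (ord("a") + i))
    return findings

# 63 sectors/track, 16 heads, 1024 cylinders; partition d deliberately runs off the end
SAMPLE = build_label(63, 16, 1024, [(204800, 63, 7), (131072, 204863, 1),
                                    (1032192, 0, 0), (100000, 1000000, 7)])
```

Flipping any byte of the sample (geometry or partition entry) makes `parse_label` reject it on checksum, which is the property an investigator relies on before comparing the on-disk label against the in-core one.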
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 06:59:49 PDT