Actually, I think an easier (and better) way to do this would be either:

a) save the logs off at regular intervals to a read-only medium (i.e. CD-ROM)

b) take an md5 hash of the file each time you archive it and send it to lp (the printer) so you have something physically that directly correlates to something digitally -- the similarity of the md5sums shows that it hasn't been tampered with since you took the hash, but what about files that are tampered with before they're archived?

c) the best way to see if something has been tampered with is to have two copies and compare them. I've seen this implemented in the following manner:

- logs are sent to a syslog server unencrypted
- IDS or other passive network recorder reads packets off the wire destined for the syslog server and saves them to disk
- if logs are disputed, they can be dumped out from the passive sniffer

Keep in mind, though, that the nature of the digital data beast is that it is easily copied and changed.

// Chris tobkinat_private

-----Original Message-----
From: David Douthitt [mailto:ssratat_private]
Sent: Thursday, July 19, 2001 1:57 PM
To: Forensics List
Subject: Putting a signature on logs

I've gone to using syslog-ng to keep logs separated out, and to preserve logs for a long time for record purposes. Now it occurs to me that someone could say, "Gee, how do we know that these logs haven't been altered?"

What about a digital signature for each log? How would you go about this? I was thinking of using gpg (GNU Privacy Guard) but haven't gotten far enough to know how - and my reference book is the PGP book from O'Reilly and Associates.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 11:56:24 PDT
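Chris's hash-at-archive-time idea combined with David's gpg signature, as an added shell example that is not from the thread: each archived log's md5 goes into a manifest, the manifest gets a detached GnuPG signature, and a later check verifies both. It assumes GNU coreutils (md5sum) and a gpg installation with a usable signing key for sign_manifest; directory names, the key id and the log lines are placeholders or constructed.

```shell
# Added example (not from the thread): hash logs at archive time, sign the
# manifest with GnuPG, verify both later. Assumes GNU coreutils (md5sum) and
# gpg with a usable signing key; directories and key ids are placeholders.
set -u

# archive_logs ARCHIVE_DIR LOGFILE...: copy each log into ARCHIVE_DIR and
# append its md5 to ARCHIVE_DIR/MANIFEST. The hash only attests that the
# file is unchanged from this moment on (Chris's caveat about earlier edits).
archive_logs() {
    archive_dir=$1; shift
    mkdir -p "$archive_dir"
    for f in "$@"; do
        cp "$f" "$archive_dir/"
        ( cd "$archive_dir" && md5sum "$(basename "$f")" >> MANIFEST )
    done
}

# sign_manifest ARCHIVE_DIR [KEYID]: detached, ASCII-armoured signature
# (MANIFEST.asc) so the manifest itself cannot be quietly rewritten.
sign_manifest() {
    archive_dir=$1; keyid=${2:-}
    if [ -n "$keyid" ]; then
        gpg --batch --yes --armor --local-user "$keyid" --detach-sign "$archive_dir/MANIFEST"
    else
        gpg --batch --yes --armor --detach-sign "$archive_dir/MANIFEST"
    fi
}

# verify_archive ARCHIVE_DIR: exit 0 if every hash still matches, 1 otherwise.
# If MANIFEST.asc exists, the signature is checked first.
verify_archive() {
    archive_dir=$1
    if [ -f "$archive_dir/MANIFEST.asc" ]; then
        gpg --batch --verify "$archive_dir/MANIFEST.asc" "$archive_dir/MANIFEST" >/dev/null 2>&1 || return 1
    fi
    ( cd "$archive_dir" && md5sum -c MANIFEST ) >/dev/null 2>&1
}

# Demo with a constructed log line (not real syslog output).
demo() {
    tmp=$(mktemp -d)
    printf 'Jul 19 13:57:01 host sshd[42]: Accepted publickey for alice\n' > "$tmp/auth.log"
    archive_logs "$tmp/archive" "$tmp/auth.log"
    verify_archive "$tmp/archive" && echo "archive intact"
    echo 'Jul 19 13:58:00 host sshd[43]: Failed password for root' >> "$tmp/archive/auth.log"
    verify_archive "$tmp/archive" || echo "tampering detected"
    rm -rf "$tmp"
}
demo
```

sha256sum is a drop-in replacement for md5sum in both functions; the printed-copy step from the thread is just `lp MANIFEST` after signing.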