March Information Systems developed a great product for "forensically sound" log collection (don't know if it has been used in court) called Secure Log Manager. The product collected logs from UNIX and NT (with NT objects for review), encrypted and digitally signed them so that they could not be altered, and automated their writing to cdrom. When it was owned by March it was also extremely cheap to cover a whole enterprise. MIS was bought by ISS, so I am not sure if SLM is still cheap. See here for more details:

http://www.iss.net/customer_care/resource_center/product_lit/security_assessment/slm_faq.php

chris

-----Original Message-----
From: Chris Tobkin [mailto:tobkinat_private]
Sent: Thursday, July 19, 2001 5:01 PM
To: n9ubhat_private; Forensics List
Subject: RE: Putting a signature on logs

Actually, I think an easier (and better) way to do this would be either:

a) save the logs off at regular intervals to a read-only medium (i.e. cdrom)

b) take an md5 hash of the file each time you archive it and send it to lp (the printer) so you have something physically that directly correlates to something digitally -- the similarity of the md5sums shows that it hasn't been tampered with since you took the hash, but what about files that are tampered with before they're archived?

c) the best way to see if something has been tampered with is to have two copies and compare them. I've seen this implemented in the following manner:

- logs are sent to a syslog server unencrypted
- IDS or other passive network recorder reads packets off the wire destined for the syslog server and saves them to disk
- if logs are disputed, they can be dumped out from the passive sniffer

Keep in mind, though, that the nature of the digital data beast is that it is easily copied and changed.
// Chris
tobkinat_private

-----Original Message-----
From: David Douthitt [mailto:ssratat_private]
Sent: Thursday, July 19, 2001 1:57 PM
To: Forensics List
Subject: Putting a signature on logs

I've gone to using syslog-ng to keep logs separated out, and to preserve logs for a long time for record purposes. Now it occurs to me that someone could say, "Gee, how do we know that these logs haven't been altered?"

What about a digital signature for each log? How would you go about this? I was thinking of using gpg (GNU Privacy Guard) but haven't gotten far enough to know how - and my reference book is the PGP book from O'Reilly and Associates.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
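The two checks discussed in this thread, a hash of each archived log that is kept out of band (Chris Tobkin's option b) and a line-by-line comparison of the syslog server's copy against the passive sniffer's copy (option c), as an added example that is not part of any of the posts. It uses SHA-256 rather than MD5, since MD5 collisions are practical today, and the log lines and the tampered copy are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample: the log as written by the syslog server (PRIMARY) and the
# same log after someone edited line 2 on the server (TAMPERED). The passive
# sniffer's copy is assumed to be identical to PRIMARY.
PRIMARY = [
    "Jul 19 16:58:01 host sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Jul 19 16:59:30 host sudo: ops : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Jul 19 17:01:12 host sshd[412]: session closed for user ops",
]
TAMPERED = [
    PRIMARY[0],
    "Jul 19 16:59:30 host sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls",
    PRIMARY[2],
]


def digest(lines):
    """Hash of the archived file as it would be printed or burned to cdrom."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def verify(lines, recorded_digest):
    """True if the file still matches the digest taken at archive time."""
    return hmac.compare_digest(digest(lines), recorded_digest)


def diff_copies(primary, sniffer):
    """Return (line_no, primary_line, sniffer_line) for every disagreement.

    Lines missing from one copy are reported with None on that side, so
    deletions and truncation show up as well as edits.
    """
    out = []
    for i in range(max(len(primary), len(sniffer))):
        a = primary[i] if i < len(primary) else None
        b = sniffer[i] if i < len(sniffer) else None
        if a != b:
            out.append((i + 1, a, b))
    return out


if __name__ == "__main__":
    recorded = digest(PRIMARY)          # value sent to the printer at archive time
    print("untouched verifies:", verify(PRIMARY, recorded))
    print("edited verifies:", verify(TAMPERED, recorded))
    for n, a, b in diff_copies(TAMPERED, PRIMARY):
        print(f"line {n} differs:\n  server : {a}\n  sniffer: {b}")
```

The digest only proves anything if it is stored where the server's administrator cannot rewrite it (the printout or cdrom in the thread); a detached gpg signature over the same file, which is what David asks about, removes the need to keep the value physically separate because a forger would need the signing key.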
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 11:55:56 PDT