-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There have been a lot of posts about imaging compromised systems and using that as forensic evidence, but it seems to me that this approach gives a lot of clues about the what, but not the who. Most of the clues that you would need to find the what, when, who and how are in the audit logs (assuming the administrator turns logging on). If the audit logs could be handled in such a way that it could be proved that they are telling the truth, then it seems to me that they would yield enough evidence for legal action.

Has anyone had any experience with using audit logs as forensic evidence? What should an administrator do to ensure the logs he keeps can be used in case legal action is required? Obviously you cannot trust logs residing on the compromised system, but what can you trust? A separate log server using MD5 checksums?

What about the things an administrator may do to better handle the sheer mass of audit logs? If he parses raw logs and imports them into a database for better analysis, does that taint the evidence to where it couldn't be used? What about syslog? Does syslog "taint" the evidence of raw audit logs? If raw kernel-generated audit logs are the only things submissible as forensic evidence, how do you obtain them and keep them "clean"?

- -Miles

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQ9Ob4mSCsFQKGr9EQKX4ACg08E6eS4ZGeCsS6Dg2qxRiR+yqUUAoO2h
E+j5qbFzu4gIQ4KAMkebMfGf
=6Cx6
-----END PGP SIGNATURE-----

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
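Added example (not part of Miles's post or the list archive) illustrating the "separate log server using checksums" idea raised above. Rather than a single checksum per file, it builds a hash chain over the received lines: every record's digest covers the previous digest plus the raw line, so an edit, deletion or reordering anywhere changes every digest that follows. It also shows how a parsed copy for database analysis can carry the raw line and digest with it, so the parsed view can always be tied back to the original evidence. SHA-256 is used here instead of the MD5 mentioned in the post; the sample syslog lines, host name and addresses are constructed for the example and are not real log data.

```python
import hashlib
from typing import List, Optional

GENESIS = "0" * 64  # digest used as the "previous" value for the first record

# Constructed sample syslog lines, standing in for what a dedicated log
# server would receive from a monitored host. Not real log data.
SAMPLE_LOG = [
    "Jun 18 17:20:01 host1 sshd[2201]: Accepted password for alice from 192.0.2.10 port 40112 ssh2",
    "Jun 18 17:20:09 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Jun 18 17:21:44 host1 sshd[2201]: pam_unix(sshd:session): session closed for user alice",
]


def sha256_hex(data: str) -> str:
    """SHA-256 of a UTF-8 string as lowercase hex."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def chain_records(lines: List[str], prev_digest: str = GENESIS) -> List[dict]:
    """Build a hash chain over log lines.

    Each record's digest covers the previous record's digest plus the raw
    line, so editing, deleting, inserting or reordering any earlier record
    changes every digest after it. The raw line is kept verbatim so the
    records can be loaded into a database for analysis without losing the
    evidence they were derived from.
    """
    records = []
    for seq, line in enumerate(lines):
        digest = sha256_hex(prev_digest + "\n" + line)
        records.append({"seq": seq, "raw": line, "prev": prev_digest, "digest": digest})
        prev_digest = digest
    return records


def verify_chain(records: List[dict], genesis: str = GENESIS) -> Optional[int]:
    """Re-derive the chain from the raw lines.

    Returns the seq of the first record that does not verify, or None when
    the whole chain is intact.
    """
    prev = genesis
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return expected_seq
        if sha256_hex(prev + "\n" + rec["raw"]) != rec["digest"]:
            return expected_seq
        prev = rec["digest"]
    return None


def head_digest(records: List[dict]) -> str:
    """The last digest in the chain. Record this value somewhere the log
    server itself cannot alter (printed, mailed, written to WORM media);
    matching it later shows the chain has not been rewritten wholesale."""
    return records[-1]["digest"] if records else GENESIS


def parsed_view(records: List[dict]) -> List[dict]:
    """A parsed copy for querying (host and program split out). The raw
    line and digest travel with each row, so any row can be checked
    against the chain instead of being trusted on its own."""
    view = []
    for rec in records:
        parts = rec["raw"].split(" ", 5)  # month day time host program: message
        view.append({"seq": rec["seq"], "host": parts[3], "program": parts[4].rstrip(":"),
                     "message": parts[5], "raw": rec["raw"], "digest": rec["digest"]})
    return view


def detect_edit() -> Optional[int]:
    """Scenario: one field of a stored record is changed after the fact."""
    records = chain_records(SAMPLE_LOG)
    records[1]["raw"] = records[1]["raw"].replace("USER=root", "USER=alice")
    return verify_chain(records)


def detect_deletion() -> Optional[int]:
    """Scenario: a record is removed and the sequence renumbered to hide the gap."""
    records = chain_records(SAMPLE_LOG)
    del records[1]
    for i, rec in enumerate(records):
        rec["seq"] = i
    return verify_chain(records)


if __name__ == "__main__":
    recs = chain_records(SAMPLE_LOG)
    print("intact chain verifies:", verify_chain(recs) is None)
    print("head digest to store off-box:", head_digest(recs))
    print("edit detected at seq:", detect_edit())
    print("deletion detected at seq:", detect_deletion())
```

Two limits worth keeping in mind. The chain only vouches for records after they reached the log server; anything a compromised host never sent, or altered before sending, is outside its reach, which is why the log server should be a separate, minimally exposed machine. And the chain head must be stored where the log server cannot change it, otherwise whoever controls that server can simply rebuild the whole chain.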
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 17:51:45 PDT