Quoting Mike Lewinski <mikeat_private>: > "Hugo van der Kooij" wrote Sunday, June 23, 2002 3:07 AM > > > However leaving a compromised system online makes you guilty of criminal > > neglect. (Aiding and embedding criminals and all that sort of thing.) > > IANAL, but my understanding is that if you want to prosecute the offender, > you shouldn't touch the box again after discovering the compromise (i.e. > could be construed as tampering w/ evidence). > > Just one of many legal catch-22's I've run into on the job. You can touch, as long as you document appropriately what you touch and have a valid chain/record of custody for everything including your notes. There are many sites on the web which try to teach how to do this (document, date/sign everything, chain of custody, how to work on copies rather than the original, etc). The problem of course is how exactly to do these things changes from area to area, so you should always check with local legal folks if possible before, during, and after you touch anything ;) -- Eric Rostetter The Department of Physics The University of Texas at Austin "TAD (Technology Attachment Disorder) is an unshakable, impractical devotion to a brand, platform, product line, or programming language. It's relatively harmless among the rank and file, but when management is afflicted the damage can be measured in dollars. It's also contagious -- someone with sufficient political clout can infect an entire organization." --"Enterprise Strategies" columnist Tom Yager. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 03:34:33 PDT