I attended a SANS conference in D.C. last week, and there were two reps from the FBI running one of the classes. They said they do not confiscate the "victim" machine; they ask for copies of the drives so they can run their tests. The FBI reps and the other instructors from SANS suggested calling the authorities after you conduct your own investigation. That is because once you call the authorities, such as the FBI, you become an extension, of sorts, of that agency, and then you are limited in what you can do from there. They control things from that point.

Derek sween <sweenat_private>
08/09/2001 09:17 PM
To: loganalysisat_private
cc:
Subject: fact, fiction, nonetheless...

Is it true that, in the event of an intrusion, the authorities will confiscate the machines to apply forensics to the logs, etc.? Meaning: if I do not have a logging server available across nodes, and I report an intrusion that causes considerable damage, the authorities will toss my mission-critical machines into a trunk and withhold them as evidence.

So: if I had a logging server that centralized the logs, in the event of an intrusion, the authorities would just confiscate IT... right?

How accurate is this?

--
---
-sween | M | http://www.modelm.org
---
"force feedback computing since 1984."
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:17:17 PDT