> It would be quite simple for an attacker to modify or delete the logs on
> most operating systems. That being said, some organizations take steps
> to protect the integrity of their logs. A central syslog server is
> typically used and in some cases I have even seen logfiles on that
> central server digitally signed, encrypted and stored on some sort of
> write once/read only (ie: CDR) media. I have even seen some go as far
> as tunneling this traffic over SSH.
>
You can alter logs as simply as using a proxy to cache and inserting an IP
before it gets logged, even on a syslog server. What I am saying is no
electronic data capture evidence can be used... period. It's not even "real"
facts. That's the issue here.
wood
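The quoted message mentions digitally signed log files on a central server, and the reply points out that a record can be altered before the collector ever sees it. The following is an added example, not code from either poster: a small Python implementation of keyed hash-chained log records, in which each record carries an HMAC over its own content and the previous record's tag. The verifier detects modification, deletion and reordering of anything the collector sealed, and, when the chain's last tag is also published somewhere the attacker cannot reach (the write-once media the quoted poster mentions), truncation as well. It does not and cannot vouch for what happened before ingestion. The key value and the log lines are constructed for the demo; in practice the key lives only on the collector.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample lines, as a central syslog collector might receive them.
SAMPLE_LINES = [
    "Jan 10 10:00:01 host1 sshd[123]: Accepted password for alice from 10.0.0.5",
    "Jan 10 10:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 10:01:15 host1 sshd[123]: session closed for user alice",
    "Jan 10 10:02:00 host2 kernel: eth0: link up",
]

# Constructed demo key. The collector holds it; the hosts sending logs never see it.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Tag used as the "previous tag" of the very first record.
GENESIS = "0" * 64


def _tag(key, seq, prev, msg):
    """HMAC-SHA256 over a canonical JSON encoding of one record's content."""
    body = json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True)
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def seal_records(lines, key):
    """Turn raw lines into chained records; each tag covers the prior tag."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = _tag(key, seq, prev, line)
        records.append({"seq": seq, "prev": prev, "msg": line, "tag": tag})
        prev = tag
    return records


def verify_chain(records, key, expected_tail=None):
    """Return (ok, index): ok is True if the chain is intact, else index of the
    first record that fails. expected_tail is the last tag as published
    out-of-band; without it, silently dropping the newest records is invisible."""
    prev = GENESIS
    for i, rec in enumerate(records):
        # Sequence and back-link must match; this catches deletion and reordering.
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        # Content tag must match; this catches edits to the message itself.
        if not hmac.compare_digest(_tag(key, rec["seq"], rec["prev"], rec["msg"]), rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return False, len(records)
    return True, None


def demo():
    """Seal the sample lines, then check what each kind of tampering looks like."""
    sealed = seal_records(SAMPLE_LINES, DEMO_KEY)
    tail = sealed[-1]["tag"]  # what would be written to write-once media

    edited = copy.deepcopy(sealed)
    edited[1]["msg"] = edited[1]["msg"].replace("/etc/shadow", "/etc/motd")

    deleted = copy.deepcopy(sealed)
    del deleted[1]

    truncated = copy.deepcopy(sealed)[:-1]

    return {
        "intact": verify_chain(sealed, DEMO_KEY, tail),
        "edited": verify_chain(edited, DEMO_KEY),
        "deleted": verify_chain(deleted, DEMO_KEY),
        "truncated_no_tail": verify_chain(truncated, DEMO_KEY),
        "truncated_with_tail": verify_chain(truncated, DEMO_KEY, tail),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The "truncated_no_tail" case is the one to notice: a chain alone proves nothing about records that were cut off the end, which is why the last tag (or a periodic checkpoint of it) needs to land on media the attacker cannot rewrite. And as the reply above says, a line that was already wrong when the collector received it gets sealed as-is; the chain fixes the record in place, it does not make it true.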
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html