Mark, I'd suggest picking up a book on computer forensics and data collection to prepare for the future.
And in regards to the debate on logs, I'm copying this from a book called "Computer Forensics: Computer Crime Scene Investigation."

"To collect evidence, certain legal requirements must be met. These legal requirements are vast, complex, and vary from country to country. However, there are certain requirements that are generally agreed on within the United States. US Code Title 28, Section 1732 provides that log files are admissible as evidence if they are collected *in the course of regularly conducted business activity*. This means you'd be much safer to log everything all the time and deal with the storage issues, than to turn on logging only after an incident is suspected. Not only is this a bit like closing the barn door after the horse has fled, it may also render your logs inadmissible in court."

"Another factor in admissibility of log files is the ability to prove that they have not been subject to tampering. Whenever possible, digital signatures should be used to verify log authenticity. Other protective measures include, but are not limited to, storing logs in a dedicated logging server and/or encrypting log files. Log files are often one of the best, if not only, sources of evidence available. Therefore, due diligence should be applied in protecting them."

"One other generally accepted requirement of evidence collection is a user's expectation of privacy. A key to establishing that a user has no right to privacy when using corporate networks and/or computer systems is the implementation of a log-on banner. CERT Advisory CA-1992-19 suggests the following text be tailored to a corporation's specific needs under the guidance of legal counsel:"

(several versions of log-on banners)

Anyway, as you can see, under the right circumstances, log files *can* be admissible in court. I'd really suggest one or more of these types of books. There's a lot of information about tools to use, collection procedures, what to do, what not to do, etc.
Cheers,
David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Reacting to a server compromise

Hello list,

In light of the current state of the internet with the DCOM vuln, I would like to ask for some advice on a situation I had at work. A little while ago (but before the DCOM vuln was released) I had a Win2k box hacked. The box was outside our firewall, running minimal services (ftp/www/smtp - gateway only) and was set to download/install everything it could via Auto-updates. Apparently I didn't reboot it often enough for all of the updates to take effect.

<snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
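Editor's note (added example, not part of the thread or of the book David quotes): the quoted passage says logs should carry digital signatures so tampering can be proven, and should be kept on a dedicated logging server. The block below shows the mechanics of the tamper-evidence half of that advice as a hash chain: each line is sealed with an HMAC over the previous digest plus the line, so editing, inserting, deleting or reordering any entry breaks every digest after it. HMAC-SHA256 is used here as a keyed-MAC stand-in for a real digital signature (it needs only the standard library); with a true signature the private key would sign and a public key would verify. The log lines, `DEMO_KEY` and all function names are constructed for this example. The key must live on the logging server, not on the host being logged: a host that holds the key can re-seal a rewritten log, which is exactly why the book pairs signatures with a separate log server.

```python
import hashlib
import hmac

# Constructed sample log lines for this example (not taken from the thread).
SAMPLE_LINES = [
    "2003-08-01 22:39:10 sshd[412]: Accepted password for admin from 10.0.0.5 port 51022",
    "2003-08-01 22:41:02 ftpd[517]: FTP LOGIN FROM 192.0.2.77 as anonymous",
    "2003-08-01 22:41:30 ftpd[517]: STOR /incoming/patch.exe",
    "2003-08-01 22:45:55 sshd[412]: session closed for user admin",
]

# Hypothetical key. In a real deployment it is held by the dedicated log server,
# never by the host whose logs are being sealed.
DEMO_KEY = b"demo-log-key-do-not-reuse"

GENESIS = b"\x00" * 32  # fixed starting digest for an empty chain


def seal_line(key: bytes, prev: bytes, line: str) -> bytes:
    """HMAC-SHA256 over (previous digest || line): binds a line to everything before it."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_log(lines, key=DEMO_KEY, prev=GENESIS):
    """Return a list of (line, hex_digest) entries, each digest chained to the previous one."""
    entries = []
    for line in lines:
        prev = seal_line(key, prev, line)
        entries.append((line, prev.hex()))
    return entries


def verify_chain(entries, key=DEMO_KEY, prev=GENESIS):
    """Recompute the chain. Returns (ok, index): index is the first bad entry, or None.

    Detects modification, insertion, deletion and reordering of any entry that still
    has entries after it. It cannot detect removal of trailing entries on its own;
    verify_anchored() covers that case.
    """
    for i, (line, digest_hex) in enumerate(entries):
        expected = seal_line(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(digest_hex)):
            return False, i
        prev = expected
    return True, None


def verify_anchored(entries, anchor_hex, key=DEMO_KEY, prev=GENESIS):
    """verify_chain() plus a check that the final digest equals an anchor stored off-host
    (e.g. the last digest forwarded to the logging server at rotation time).
    Truncating the tail changes the final digest, so the anchor exposes it."""
    ok, idx = verify_chain(entries, key, prev)
    if not ok:
        return False, idx
    last_hex = entries[-1][1] if entries else prev.hex()
    if not hmac.compare_digest(bytes.fromhex(last_hex), bytes.fromhex(anchor_hex)):
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LINES)
    anchor = entries[-1][1]  # what the log server would keep
    print("intact:", verify_anchored(entries, anchor))

    # Attacker rewrites the upload line to hide the dropped file.
    tampered = list(entries)
    line, digest = tampered[2]
    tampered[2] = (line.replace("patch.exe", "readme.txt"), digest)
    print("edited entry 2:", verify_chain(tampered))

    # Attacker deletes the anonymous FTP login line.
    print("deleted entry 1:", verify_chain(entries[:1] + entries[2:]))

    # Attacker truncates the tail: chain alone passes, anchor check fails.
    print("truncated, chain only:", verify_chain(entries[:-1]))
    print("truncated, anchored:", verify_anchored(entries[:-1], anchor))
```

The anchor is the part that usually gets forgotten: a chain proves internal consistency, not completeness, so the last digest (or a signature over it) has to leave the host, which is the concrete reason behind the "dedicated logging server" advice in the quoted passage.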
