Guidelines for Evidence Collection and Archiving A "security incident" as defined in the "Internet Security Glossary", RFC 2828, is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident.
If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.
Wednesday, February 13, 2002
ZGram
The ZGram is an electronic newsletter containing news, resources, products, symposia, employment, and business opportunities regarding the United States Defense and Law Enforcement Communities.
The ZGram is an electronic newsletter containing news, resources, products, symposia, employment, and business opportunities regarding the United States Defense and Law Enforcement Communities.
Tuesday, February 12, 2002
Night Vision Equipment Company
Night Vision Equipment Company (NVEC),
a privately held company, has been a leader in the development of specialized night vision devices for over two decades. Our specialty products enjoy wide acceptance in numerous special operations organizations in the United States and abroad
Night Vision Equipment Company (NVEC),
a privately held company, has been a leader in the development of specialized night vision devices for over two decades. Our specialty products enjoy wide acceptance in numerous special operations organizations in the United States and abroad
BXDR
A DOS based application that simply lists the Geometry of any attached hard disk drives using standard BIOS calls, Extended BIOS calls and Direct Disk access (ATA) calls.
One of the more interesting features of BXDR and Direct Access calls is that it is possible to set the maximum addressable sector to an arbitary value. Future reads of the disk will then report the maximum sector to be the new value. This command can be (and via BXDR is) non-volatile - i.e. the limit will remain until reset with a subsequent command.
From a forensic viewpoint this command can defeat most modern imaging systems. To test it I performed the following test.
I took an 80GB hard disk drive and using BXDR set the max addressable sector to 999999 (1,000,000 sectors) approx 5GB. (BXDR 128 /s999999)
Removed the hard disk drive and placed it into a second machine
Attempted to image with SafeBack (using BIOS, XBIOS and Direct Access) and with Encase (DOS and FastBloc).
Both SafeBack and Encase reported the drive as a 5GB device.
I then ran BXDR to reset the max addressible sector to the maximum native addressable sector (BXDR 128 /r)
SafeBack and Encase could subsequently see the full drive.
A DOS based application that simply lists the Geometry of any attached hard disk drives using standard BIOS calls, Extended BIOS calls and Direct Disk access (ATA) calls.
One of the more interesting features of BXDR and Direct Access calls is that it is possible to set the maximum addressable sector to an arbitary value. Future reads of the disk will then report the maximum sector to be the new value. This command can be (and via BXDR is) non-volatile - i.e. the limit will remain until reset with a subsequent command.
From a forensic viewpoint this command can defeat most modern imaging systems. To test it I performed the following test.
I took an 80GB hard disk drive and using BXDR set the max addressable sector to 999999 (1,000,000 sectors) approx 5GB. (BXDR 128 /s999999)
Removed the hard disk drive and placed it into a second machine
Attempted to image with SafeBack (using BIOS, XBIOS and Direct Access) and with Encase (DOS and FastBloc).
Both SafeBack and Encase reported the drive as a 5GB device.
I then ran BXDR to reset the max addressible sector to the maximum native addressable sector (BXDR 128 /r)
SafeBack and Encase could subsequently see the full drive.
Monday, February 11, 2002
Introduction to Computer and Network Security
This page contains the table of contents for a book I'm working on, to be published by Prentice Hall. It also contains links to draft versions of several chapters and to lectures (foils) from courses I gave based on the draft book in Tel Aviv University and in the Interdisciplinary Center. The material is copyrighted, but you are encouraged to use it for personal or educational purposes (if you plan to give a course using this material, please let me know). My goal is to create a textbook which can be used for introductory courses in cryptography, secure communication and secure commerce.
This page contains the table of contents for a book I'm working on, to be published by Prentice Hall. It also contains links to draft versions of several chapters and to lectures (foils) from courses I gave based on the draft book in Tel Aviv University and in the Interdisciplinary Center. The material is copyrighted, but you are encouraged to use it for personal or educational purposes (if you plan to give a course using this material, please let me know). My goal is to create a textbook which can be used for introductory courses in cryptography, secure communication and secure commerce.
Networks and Netwars: The Future of Terror, Crime, and Militancy
The fight for the future is not between the armies of leading states, nor are its weapons those of traditional armed forces. Rather, the combatants come from bomb-making terrorist groups like Osama bin Laden's al-Qaeda, or drug smuggling cartels like those in Colombia and Mexico. On the positive side are civil-society activists fighting for the environment, democracy and human rights. What all have in common is that they operate in small, dispersed units that can deploy anywhere, anytime to penetrate and disrupt. They all feature network forms of organization, doctrine, strategy, and technology attuned to the information age. And, from the Intifadah to the drug war, they are proving very hard to beat.
Subscribe to:
Posts (Atom)
