IDS: RE: RE: RE: Honey pots / decoy servers
Dale.Drew@Level3.com
Thu, 26 Aug 1999 11:27:38 -0600
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
With regards to evidence admissibility, the court system gives a fairly significant amount of leeway on the types of information that can be considered directly related to the chain of evidence to substantiate the commission of a crime. It's not uncommon for Public Domain, Internally written and/or modified commercial utilities to be used in the commission of protecting systems - and as such, their output is used in court (both Civil and Criminal) and admitted as evidence to help prove the execution of a crime or civil misact (e.g., Corporate policy violation).
The difficult part isn't admission of these materials in court -- it's proving their reliability in reporting accurate, non-modified information, and validating the "chain of custody" that the data took. It's much easier to prove the reliability and accuracy of corporate "business records" (billing statements, etc.), since there is usually a solid business foundation around them that can be reviewed and proved. Non-business-record information (FW log data, sniffer data, etc.) requires a bit more work since there typically isn't as much documentation structure around it.
In addition, the analysis of the data you collect needs to be conservative, accurate and pertain directly and specifically to the deeds you can prove relating to the individual you take to court. The "other side" is going to analyze that data and challenge every data point - to try and prove the collection or analysis process was unreliable, and therefore inadmissible. A defense attorney is going to focus on your data storage policies and who had access to modify the data you've collected; how the application collects and saves data, and if you've made any modifications of the original since its collection time (courts are very interested in "source material" - objects that have not been tampered with or modified in any way).
They are also going to focus on the application itself, and any potential reporting or collection bugs that may result in misreported data.
You can also consider getting "court recognized" or "court approved" applications - applications that do a majority of the collection, storage, parsing and reporting on their own. These are applications that reduce as much potential "human error" or misreporting as possible, and whose application specifics have been reviewed and approved by the court, and don't need to be re-proved by another court. Forensic tools like "Expert Witness" are one example. DoD/DoE security tools like "NID" are another. I haven't seen a court register that indicates that NAI's network sniffer is court approved, but would love to see a case or docket number where it was used.
Dale
_________________________ "SUCCESS THROUGH TEAMWORK"
Dale Drew
Level 3
Director, Network Security Engineering
303-926-3295
dale.drew@level3.com
> -----Original Message-----
> From: Brotschi, Brian [mailto:Brian_Brotschi@nai.com]
> Sent: Wednesday, August 25, 1999 11:01 AM
> To: 'Blyth A J C (Comp)'; ids@uow.edu.au
> Subject: IDS: RE: RE: Honey pots / decoy servers
>
> When using the NAI CyberCop Sting to bait and capturing a trace file with a
> NAI Sniffer. The NAI Sniffer trace file has been considered as admissible
> evidence in a court of Federal law.
> Brian M Brotschi
> Sales Engineer Manager, Northwest
> Santa Clara, CA
> Ext. 5235
> PGP Fingerprint 97A4 B770 5689 725B 6FAD 4643 62FB 9AB9 8E7A 23A2
> While you are reading this message, who is watching your network ?
> http://www.nai.com
>
> -----Original Message-----
> From: Blyth A J C (Comp) [mailto:ajcblyth@glam.ac.uk]
> Sent: Wednesday, August 25, 1999 12:58 AM
> To: ids@uow.edu.au
> Subject: IDS: RE: Honey pots / decoy servers
>
> > Honeypots and decoy servers have been around for years, and at one time or
> > another many of us have experimented with the Deception ToolKit or similar
> > technologies. I am now seeing plenty of press coverage for products like
> > Recourse ManHunt and Network Associates Cybercop Sting, generally
> > associated with collecting forensics evidence.
> >
> [Blyth A J C (Comp)]
> Another question is: is the evidence admissible in a court of law?
> Many countries have different laws about how evidence is to be managed and analysed.
>
> Andrew.
This archive was generated by hypermail 2.0b3 on Fri Aug 27 1999 - 00:47:57 CDT