[Dshield] Interesting Zombie Data Graphs

Chris Brenton cbrenton at chrisbrenton.org
Fri Nov 11 21:21:54 GMT 2005


On Fri, 2005-11-11 at 18:49 +0100, MaXX wrote:
>
> You mean "destruction of evidence"? As English is not my native tongue I may 
> have missed something. Being completely naive is also an option...

Or accessory after the fact or even conspiracy. Obviously each situation
is different. Depends on how helpful the system admin is perceived as
being, the logistics of the situation, etc.

> Let's say: reading my morning logs, I notice that my system has been 
> compromised; I take the machine offline, find the vector and jump on my 
> backups. Then I restore the machine to the last good state, patch the 
> system and disable the component involved in the intrusion. Could I get in 
> trouble for that, whether or not I've checked what the actual content 
> dropped/hidden on the machine was?

I do not represent law enforcement. With that said, I doubt you would
get in trouble for _unknowingly_ destroying potential evidence. In the
situation you describe above, there is no knowledge of what was done to
the system or the existing content. You are simply following standard op
procedure for restoring after a compromise.

HTH,
Chris
