From: Cy Schubert <Cy.Schubert@komquats.com>
To: les@safety.net
Cc: anchor, Cy Schubert, freebsd-hackers@freebsd.org
Date: Sat, 14 Jan 2006 09:23:08 -0800
Subject: Re: My machine been hacked, I need help
Message-Id: <200601141723.k0EHN874037714@cwsys.cwsent.com>
In-Reply-To: Message from les@safety.net of "Sat, 14 Jan 2006 09:52:28 MST." <200601141652.k0EGqStk006474@ns3.safety.net>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

In message <200601141652.k0EGqStk006474@ns3.safety.net>, les@safety.net writes:
> > In message <200601141632.29709.doconnor@gsoft.com.au>, "Daniel O'Connor"
> > writes
> > Only evidence collected by a forensic analysis tool
> > is admissible in court.
>
> Not necessarily true. Log data that is routinely collected can be
> admissible. Though, log data that you collected starting when you
> suspected there was something amiss will not be.

That is true for logfiles; however, Canadian law requires a filesystem
analysis tool. As little as five years ago taking a DD dump of a device
was admissible, but I've been told by the RCMP that a forensic analysis
tool is now required. I've been told that this is also true of US law.
I'm not sure about British or European law.

Unfortunately, taking people to court over hacking is difficult but not
impossible. Police forces are becoming more receptive to the idea, and
tools which have been admitted in court previously make the job of
preparing a successful case easier.

Cheers,
Cy Schubert
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: Web: http://www.FreeBSD.org
BC Government:

"Lift long enough and I believe arrogance is replaced by humility and fear
by courage and selfishness by generosity and rudeness by compassion and
caring."
-- Dave Draper