Re: [sleuthkit-users] Interesting problem
From: Ty B. <teb...@gm...> - 2005-09-29 23:45:52
On 9/29/05, Slade E. Griffin <sl...@ss...> wrote:
>
> Brian et al.,
>
> I would be interested in hearing some comments on the writeup and
> presentation contained here. Any thoughts?
> http://www.metasploit.com/projects/antiforensics/
> Thanks in advance for those who participate.
>
> Slade E. Griffin, GCIH GCFA

Between the concepts presented at http://www.metasploit.com/projects/antiforensics/ and the always evolving "Art of Defiling" materials from the Grugq (latest? slides here: http://blackhat.com/presentations/bh-usa-05/bh-us-05-grugq.pdf) there could be some serious improvement done in the investigative process.

Both of these presentations feature points that exploit the forensics investigation process and/or the examiner. The specific holes in forensic software can be fixed, and hopefully they will be soon, but the "exploits" for the investigative process, etc. need more thought. Some of the mentioned exploits of the process aren't practical to fix. For example, both of the above presentations mention exhausting the typical resources (mostly time, which in turn equals money) available to the examiner. I'm not sure this has a practical fix; I mean, if more resources could be allocated to the process they would be, but we don't have time to chase down every bit on all the evidence because it is suspected that anti-forensics measures were taken in the attack/case.

I'd like to write up some ideas on possible solutions to "exploits" in this process and more ideas to improve robustness of the systems/network arch. (to give examiners more potential evidence via the network or host-based measures).

Thoughts anyone?

Thanks,
Ty E. Bodell, CCE