[sleuthkit-users] Re: Interesting problem
From: Tom G. <tom...@gm...> - 2005-10-03 10:21:51
Hi Slade,

I actually saw this presentation when it was given at Blackhat USA, and although it brought some of the problems of forensic analysis to the attention of those not in the field (some of my colleagues found it interesting), I'd say that it didn't really bring anything new to the table. Most of the techniques that they mentioned have been used or understood for years (although they do mention this a few times), such as timestamp modification. The EnCase example, where the date was set sufficiently in the past, was fairly interesting but isn't exactly something someone who wanted to remain hidden would use! The logging exploitation techniques would have had more value if an example was given, and the tactic of not putting files in System32 isn't groundbreaking either. File signature modification and hash modification are also old tactics that are only really a problem if your investigations throw out huge sets of data without some form of secondary validation.

(Side note: avoiding signature matching is more interesting using the old technique of cat'ing a filesystem onto the end of a binary to make the tools think it is a standard ELF binary, which can then be mounted using mount's "offset" option.)

I don't mean to sound overly critical of this presentation, because as mentioned earlier it *did* bring these issues to the attention of non-forensic examiners. However, hearing the way the presentation was put over and the discussion afterwards, you'd be forgiven for thinking the sky was falling. Most of the issues are very old and can be fixed using minor tweaks in software and by using proper investigation methodologies. Personally, I'd be more interested in seeing more hidden data storage in filesystems and parsing bugs in common forensics tools which prevent data from even being displayed to the examiner.

Those are the kind of issues to be worried about, especially as the people in the know probably aren't too keen on revealing them to the world :-)

Regards,
Tom Goldsmith
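The "filesystem cat'ed onto the end of an ELF binary" trick in Tom's side note is exactly the kind of thing a signature-only triage misses, and the examiner's counter is the secondary validation he mentions: walk the ELF headers to find where the binary's own bytes actually end, then look at whatever trails them. The script below is an added example written for this thread, not code from the original post or from The Sleuth Kit. It uses the standard ELF header layouts and the well-known on-disk positions of a few filesystem magics (ext2/3/4 superblock, FAT boot sector signature, ISO9660 primary volume descriptor); the ELF stub and the appended image it scans are constructed in memory, so it runs offline. The offset it reports is the one an examiner would pass to `mount -o offset=` to look at the embedded image.

```python
"""Find data appended past the end of an ELF binary and check that trailing
region for filesystem superblock magics.  Added example for the thread above,
not from the original post; FS_MAGICS holds documented on-disk magic positions
and the sample file below is constructed, not captured."""
import struct

# (label, offset of the magic relative to the start of the filesystem image, magic bytes)
FS_MAGICS = [
    ("ext2/3/4", 0x438, b"\x53\xef"),         # s_magic 0xEF53 (LE), superblock at 1024 + 56
    ("FAT boot sector", 0x1fe, b"\x55\xaa"),  # boot signature at bytes 510-511
    ("ISO9660", 0x8001, b"CD001"),            # PVD standard identifier in sector 16
]
SHT_NOBITS = 8  # sections of this type occupy no file bytes


def elf_extent(data: bytes) -> int:
    """Return the offset one past the last byte the ELF headers account for: the
    furthest end of the ELF header, the program/section header tables, every
    segment's file-backed bytes and every non-NOBITS section."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    fmt = e + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (_, _, _, _, phoff, shoff, _, ehsize,
     phentsize, phnum, shentsize, shnum, _) = struct.unpack_from(fmt, data, 16)
    end = max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            _, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(e + "IIQQQQQQ", data, off)
        else:
            _, p_offset, _, _, p_filesz, _, _, _ = struct.unpack_from(e + "IIIIIIII", data, off)
        end = max(end, p_offset + p_filesz)
    for i in range(shnum):
        off = shoff + i * shentsize
        shfmt = e + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
        _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = struct.unpack_from(shfmt, data, off)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    return end


def trailing_bytes(data: bytes) -> int:
    """Number of bytes in the file that no ELF header claims."""
    return len(data) - elf_extent(data)


def find_appended_filesystems(data: bytes):
    """Scan the unclaimed tail for filesystem magics.  Returns a sorted list of
    (start_offset, label); start_offset is where the embedded image would begin,
    i.e. the value an examiner would hand to mount's offset option."""
    start_min = elf_extent(data)
    hits = []
    for label, magic_off, magic in FS_MAGICS:
        last_start = len(data) - magic_off - len(magic)
        for start in range(start_min, last_start + 1):
            if data[start + magic_off:start + magic_off + len(magic)] == magic:
                hits.append((start, label))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed input: an ELF64 stub (one PT_LOAD segment covering the first
    256 bytes, no section table) followed by a 2 KiB zero image that carries only
    an ext2-style superblock magic, mimicking `cat image >> binary`."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, 0x400000,  # ET_EXEC, x86-64, version, entry
                               64, 0, 0,              # phoff, shoff, flags
                               64, 56, 1, 64, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 256, 256, 0x1000)
    elf = (ehdr + phdr).ljust(256, b"\x00")
    fs = bytearray(2048)
    fs[0x438:0x43a] = b"\x53\xef"
    return elf + bytes(fs)


if __name__ == "__main__":
    sample = build_sample()
    print(f"ELF extent: {elf_extent(sample)} bytes, unclaimed tail: {trailing_bytes(sample)} bytes")
    for off, label in find_appended_filesystems(sample):
        print(f"possible {label} image starting at byte offset {off}")
```

Two caveats for real use: a non-zero unclaimed tail is a lead, not proof (packers and installers legitimately append payloads), and an adversary who also pads or encrypts the appended image will not trip the magic scan, so the size of the tail is the more robust signal to flag for manual review.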