On Tuesday, January 27, 2004, at 01:58 PM, nighty wrote:
> today I found an interesting article titled "Defeating Forensic
> Analysis on Unix" in the Phrack magazine #59 dealing with several
> anti-forensic strategies, as well as with flaws of forensic tools,
> "The Coroner's Toolkit"
[...]
> It would be interesting to know, whether the technical insufficiencies
> presented in the article have also any validity for the Sleuth Kit's
> capabilities of forensic analysis.
I haven't read that in a while, but it dealt with not being able to
view inode #1. When The Sleuth Kit was developed, that limitation was
removed and it was able to view the contents of inode #1. TCT fixed
the bug at some point, but I'm not sure which version.
brian