On 9/29/05, Slade E. Griffin <sl...@ss...> wrote:
>
> Brian et-al,
>
> I would be interested in hearing some comments on the writeup and
> presentation contained here. Any thoughts?
> http://www.metasploit.com/projects/antiforensics/
>
> Thanks in advance for those who participate.
>
> Slade E. Griffin, GCIH GCFA
Between the concepts presented at
http://www.metasploit.com/projects/antiforensics/ and the always evolving
"Art of Defiling" materials from the Grugq ( latest? slides here:
http://blackhat.com/presentations/bh-usa-05/bh-us-05-grugq.pdf ) there could
be some serious improvement done in the investigative process.
Both of these presentations feature points that exploit the forensics
investigation process and/or the examiner. The specific holes in forensic
software can be fixed, and hopefully they will be soon, but the "exploits" for
the investigative process, etc. need more thought. Some of the mentioned
exploits of the process aren't practical to fix. For example, both of the
above presentations mention exhausting the typical resources (mostly time,
which in turn equals money) available to the examiner. I'm not sure this has a
practical fix, I mean if more resources could be allocated to the process
they would be but we don't have time to chase down every bit on all the
evidence because it is suspected that anti-forensics measures were taken in
the attack/case.
I'd like to write up some ideas on possible solutions to "exploits" in this
process and more ideas to improve the robustness of the systems/network arch.
(to give examiners more potential evidence via the network or host-based
measures). Thoughts anyone?
Thanks,
Ty E. Bodell, CCE