Hi Slade,
I actually saw this presentation when it was given at Blackhat USA,
and although it brought some of the problems of forensic analysis to
the attention of those not in the field (some of my colleagues found it
interesting), I'd say that it didn't really bring anything new to the
table. Most of the techniques that they mentioned have been used or
understood for years (although they do mention this a few times) such
as timestamp modification. The EnCase example, where the date was set
sufficiently in the past, was fairly interesting but isn't exactly
something someone who wanted to remain hidden would use!
The logging exploitation techniques would have had more value if an
example was given, and the tactic of not putting files in System32
isn't groundbreaking either. File signature modification and hash
modification are also old tactics that are only really a problem if
your investigations throw out huge sets of data without some form of
secondary validation.
(Side note: avoiding signature matching is more interesting using the
old technique of cat'ing a filesystem onto the end of a binary to make
the tools think it is a standard ELF binary, which can then be mounted
using mount's "offset" option)
I don't mean to sound overly critical of this presentation, because as
mentioned earlier it *did* bring these issues to the attention of
non-forensic examiners. However, hearing the way the presentation was
put over and the discussion afterwards, you'd be forgiven for thinking
the sky was falling. Most of the issues are very old and can be fixed
using minor tweaks in software and by using proper investigation
methodologies.
Personally, I'd be more interested in seeing more hidden data storage
in filesystems and parsing bugs in common forensics tools which
prevent data from even being displayed to the examiner. Those are the
kind of issues to be worried about, especially as the people in the
know probably aren't too keen on revealing them to the world :-)
Regards,
Tom Goldsmith