Full Disclosure mailing list archives

Re: Re: [ISN] Book Review: Forensic Discovery

From: Anthony Zboralski <bcs2005 () bellua com>
Date: Fri, 21 Jan 2005 11:20:42 +0700

This article in Phrack is being cited as this guys
qualifications for conducting a security seminar?
Getting fired for writing an article (an article so
clueless --devoid of substance-- as this one) is cited
as a good thing (just because it appeared in phrack)?
Phrack Editors: please apply some standard in choosing
articles, because people do think that having an
article published in phrack amounts to something, and
mostly your articles are superb (except when you plug
articles like this because your friend wrote it)

Just because one tool does not check bad clusters,
doesn't mean that you can use this method of data
hiding to defeat forensics as a whole.

It seems that Dan Farmer and Wietse Venema are less than
forthcoming regarding the problems their forensic package,
'The Coroner's Toolkit' (TCT) has had in the past, and still
has today.

The Phrack 59 article's old! Have you checked the latest slides and
articles or watched the grugq's speech before posting your flame bait?

http://www.hert.org/z/grugq.torrent

A lot of incompetent people buy commercial products like encase
or download TCT and improvise themselves "Forensic Experts".

In the Art of Defiling, Grugq talks about:

* Trivial ways to defeat file system forensic tools,
e.g. sanitizing deleted inodes and directory entries

* TCT specific issues (some of them have been fixed):
  incorrect ext2 implementation
  bad bounds checking
  lame pseudocode, and more

* Most forensic tools don't look for data in:
Journals (e.g. ext3 journal), directory files, OLE2 files, bad blocks,
inode reserved space, null directory entries, file system meta
data structures (reserve space, padding)

* Simple ways to avoid using the file system, e.g. using gdb stubs
(libgdbrpc) http://www.phrack.org/show.php?p=62&a=8 and
ul_exec() http://www.hcunix.net/papers/grugq_ul_exec.txt

Anthony Zboralski: We would expect you to plug some
article with substance when you promote your speaker
and conference in a lot of security mailing lists. Oh
yeah and you are going to jail if you talk about
anti-forensics in US, you stupid promoter.

What if the PATRIOT ACT makes discussing these problems
illegal!? Is the future of security research in jeopardy
because only a one-sided view can legally be presented to us?

Anthony

--
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62213918330 HP:+628159102495

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html