lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed Aug 10 22:01:51 2005
From: jasonc at science.org (Jason Coombs)
Subject: Re: Help put a stop to incompetent computer
	forensics

anonymous wrote:
> I know when running EnCase or some other software you can see the 
> cookies of the machine. More importantly, you can see what "search 
> items" the invidual was searching for.


No, you cannot. You can see what the Internet Explorer history files 
contain. This does not prove that a person typed search terms into 
Google. If you'd like me to prove this to you, ship your computer to me. 
I will ship it back to you and it will contain proof that you are a 
very, very bad person.


> So I can tell if the person had the intent or atleast give some ammo to 
> the prosecution that the perp was searching for "zzzzz" and "yyyy" etc.

No you can't. You can tell that the Internet Explorer history files 
contain data.


> So if their entire defense is that a trojan put the kiddie porn on their 
> machine yet their search items were things related to that sort of thing 
> then we can show the the perp was searching for related topics.

Come on, do you even understand what a Trojan is?

By definition, the Trojan gives a third-party the ability to control the 
computer from a remote location. I'm not suggesting that the Trojan was 
programmed to plant evidence. I'm saying that a third-party was in 
control of the computer and any data that you see on the computer's hard 
drive, including things that you seem to think "prove" that a person 
typed on the attached keyboard, reflects, at best, the actions of many 
people and a lot of software -- and at worst the data are meaningless 
because the files have been tampered with on purpose by a third party.

> But I do believe that once an analysis of the perp's hard drive has been 
> done said examiner should be able to determine if the information on the 
> machine was from the surfing habits of the perp, or if they may have 
> come from a trojan. Besides, if a trojan was present it should still be 
> there when the examiner is looking at the system!

No. The analyst can only determine that the computer may have been 
executing software in the past at various purported times (based on 
date/time stamps) -- or, maybe what you can determine is that the 
computer has been receiving files from elsewhere, and the date/time 
stamps don't have any connection whatsoever to the local computer but 
have some connection to another computer. Furthermore, Trojan infections 
come and go, and you probably know that remote exploitable 
vulnerabilities make it unnecessary to plant a Trojan -- if the 
attacker/intruder is only interested in gaining control of the computer 
one time, and a victim comes along with a vulnerable IE browser, then 
arbitrary code can be executed and no Trojan infection will necessarily 
result. That's up to the attacker. Nevertheless, the arbitrary code 
execution resulted in the attacker being able to do anything they want 
with the computer, including launch IE and visit Web sites and enter 
search terms which IE will log.

> However, if the information came from an email, cd, diskette or other 
> media then it's going to open a whole other can of worms.

It's not a can of worms for a CD or diskette to be found alongside a 
computer, that's called reasonable circumstantial evidence. Computer 
data stored on hard drives connected to the Internet is NOT reasonable 
circumstantial evidence. It's just data.

The "circumstances" under which data come to be on a hard drive are 
UNKNOWN unless law enforcement have established appropriate forensic 
controls to monitor computer operation during an investigation.

When the circumstances of software execution on a computer and the data 
communications to and from a computer are UNKNOWN, all data from that 
computer should be excluded from use in court as "evidence" of anything.

Sincerely,

Jason Coombs
jasonc@...ence.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ