lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Aug 2005 10:55:23 +0100
From: James Tucker <jftucker@...il.com>
To: jasonc@...ence.org
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: Help put a stop to incompetent computer
	forensics


On 8/10/05, Jason Coombs <jasonc@...ence.org> wrote:
> "An experienced computer forensics person could tell you whether it was
> because of [a Trojan virus] or not." -- Marcus Lawson.

As you know, typical.
 
> This quote and article citation below concerning "computer forensics" is
> typical of the opinion of "computer forensics" professionals. We know
> it's a big fat lie told by self-important people who don't know anything
> about information security 

I understand your upset with regard to this sort of stupid comment,
but I think you'd find you get a much more serious response if you
simply dump sentences like that. Insults aren't necessary - people
that know will already be sufficiently aware of it.

> and have never written software in their
> lives, but I'm asking anyone who reads this, who has ideas about how to
> put a stop to this "computer forensics" absurdity where people who don't
> know how software is written and don't understand infosec are allowed to
> be the voice of "computer forensics" expertise in court, to please
> contact me.

Simple - create a program which distributes random programs and data
accross the internet and picks data/applications to execute at random.
>From then on, one can make absolutely no solid judgement about ANY
information found on the machine, except by physcial inspection of
that data and it's paths, which is predictive and circumstantial
anyway due to a lack of support under law in most countries.
 
> In addition, anyone who has any information about computer forensics
> professional Marcus Lawson please contact me immediately.

Why dig up dirt, just explain professionally why his actions are
incorrect. If you wanted you may be able to approach him under a
lawful banner with regard to submitting false testement or evidence.
 
> The fact that malware authors aren't cooperating with the computer
> forensics industry by making sure that it's easy to distinguish between
> the actions of malware and the actions of a human computer user,
> combined with uninformed expert opinions like those shown below, is
> resulting in innocent people being put behind bars, and people like
> Marcus Lawson who think they know what they're doing but clearly do not
> are helping to get innocent people convicted by spewing nonsense.

Innocence is always subject to bias, as is everything else. Whilst
Lawsons statement above, in the general sense is very much incorrect,
the specific circumstances may allow for such a statement to be made.
There are many malware which simply do not perform complex or
confusing operations and can therefore be very easily analysed to be
(mostly) sure that the malware was not responsible for the data in
question. Logs may indicate a users physical presence which will
increase again the circumstantial evidence. It is and always will be
hard to make an accurate judgement for a court in such a scenario. As
an industry we should be providing statistical figures to back up any
claims which need to be made. If a user has booted a machine and
started printing fake bank notes out of the printer five minutes
later, having edited the images with some large image manipulation
program, it's really unlikely that the multitude of malware on the
machine could have contributed to his crime. Nevertheless if the
malware has touched any of the files on the local system, a computer
scientist may claim that we have no way of proving the user was
responsible - that is until the CCTV camera footage is presented. In
this field more than others, one must take circumstance with a pinch
of salt, and be very clear about what you DONT know.
 
> This undermines the ability of the criminal court system to convict
> those who are truly guilty, and keep them convicted on appeal.

Bring on physical data analysis, thats all I have to say about that.

> Somehow we need to fix this broken system and insist that all computer
> forensics be performed with the help of a competent information security
> professional, at the very least.

Infosec is now such a large industry that as with most of the rest of
the computer industry, no one man can cover even a few percentiles of
the total spread of technologies. This makes qualification very
difficult. The best solution (and one which is becoming more common
worldwide) is to use highly practiced and well trained police officers
as forensics staff.
 
> Any other suggestions?

Yeah, next time lets claim it was the FBI's trojan, and they're
starting a big conspiracy trying to frame us all.
 
> Sincerely,
> 
> Jason Coombs
> jasonc@...ence.org
> 
> 
> http://edition.cnn.com/2003/LAW/08/12/ctv.trojan/
> 
> Though it raises new and important issues, say industry sources, the
> Trojan Horse problem won't likely mint a new defense strategy: It's just
> a riff on the standard "not me" defense.
> 
> "There are a lot of child porn defendants who say, well, somebody else
> might have done it," said the EFF's Tien.  "But it doesn't fare very
> well, for obvious reasons."
> 
> In the end, experienced computer forensics investigators should be able
> to tell whether the computer's owner, or a Trojan Horse, spawned the
> material in question.
> 
> "You wouldn't want to just throw that out there as your defense," said
> Marcus Lawson, a computer forensic analyst who testified in the trial of
> convicted child rapist and murderer David Westerfield. "An experienced
> computer forensics person could tell you whether it was because of [a
> Trojan virus] or not."
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ