Open Source and information security mailing list archives
 
From: DaveHowe at cmn.sharp-uk.co.uk (David Howe)
Subject: Re: Teenager cleared of hacking - Off Topic?

> The experts gave very clear evidence that the attack was initiated
> locally and log files cannot be planted remotely the way they were
> found on his computer.
I would be astonished if this were true - there is *no limit* on what a
trojan can do if it gains full control of your computer.
Admittedly most trojan operators aren't smart enough to cover their own
tracks sufficiently that a good forensic expert couldn't track them down; that
doesn't mean some aren't, though.

> "If you edit a file after you finish writing it to disk, it results in
> block fractures.
Under certain circumstances, this is true - however, that requires that the
"defrag" tool is not run at any point after the write, and/or that the file
is not moved to another medium. It also requires that the additional write
overflow an allocated cluster - disk is allocated in "chunks" that are
rarely completely filled - provided the alterations result in a file little
if any larger than the original, it will "fit back" into the same storage.
It is also possible (but unlikely) that the file next in line in the block
was deleted and the file "grew" into the extra space.

> Barrett conceded that a hacker could, in theory, have planted a
> different log file on Caffrey's computer, but said it would be obvious
> that it was inserted later because of the physical position of the
> file's data blocks. "There is obviously a way of introducing (the file)
> on the computer, but not in the correct place," he said.
You can introduce a file anywhere you like; it is stretching credibility
that an attacker would take the trouble to do so though.

> Caffrey's counsel questioned the validity of Barrett's evidence because
> the witness had not physically examined the actual hard disk from
> Caffrey's computer, but an image of it that was sent to him on CD-ROM.
> Barrett argued that this did not make a difference because the image
> was "forensically sound".
That requires it to be a "true" (or "raw") image - not for example a "ghost"
image which extracts files without retaining the disk structure - but
assuming this is true the image is as good if not better than the original
for such tasks.

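The cluster-allocation reasoning in the message above, as an added example that is not part of the original post: a toy allocator showing when an in-place edit leaves a fragmentation trace and when it does not. The 4096-byte cluster size, the "next cluster, else first free" policy and all names are assumptions of this model, not the behaviour of any particular filesystem.

```python
# Toy cluster allocator (constructed model, not a real filesystem driver).
CLUSTER = 4096  # assumed cluster size in bytes


class Disk:
    def __init__(self, n_clusters):
        self.owner = [None] * n_clusters  # cluster index -> owning file name
        self.files = {}                   # name -> [size_bytes, [cluster indices]]

    def _needed(self, size):
        return max(1, -(-size // CLUSTER))  # ceiling division, at least one cluster

    def _alloc(self, name, prev):
        """Take the cluster right after `prev` if free, else the first free one."""
        want = 0 if prev is None else prev + 1
        if want < len(self.owner) and self.owner[want] is None:
            idx = want
        else:
            idx = self.owner.index(None)  # raises ValueError when the disk is full
        self.owner[idx] = name
        return idx

    def create(self, name, size):
        clusters = []
        for _ in range(self._needed(size)):
            clusters.append(self._alloc(name, clusters[-1] if clusters else None))
        self.files[name] = [size, clusters]

    def delete(self, name):
        for idx in self.files.pop(name)[1]:
            self.owner[idx] = None

    def grow(self, name, extra):
        """Edit a file in place, adding `extra` bytes; return True if fragmented."""
        entry = self.files[name]
        entry[0] += extra
        while len(entry[1]) < self._needed(entry[0]):
            entry[1].append(self._alloc(name, entry[1][-1]))
        chain = entry[1]
        return any(b != a + 1 for a, b in zip(chain, chain[1:]))


def scenario(extra, delete_neighbour=False):
    """Constructed layout: 5000-byte 'log' in clusters 0-1, 'other' in cluster 2."""
    d = Disk(8)
    d.create("log", 5000)
    d.create("other", 4096)
    if delete_neighbour:
        d.delete("other")
    return d.grow("log", extra)
```

In this model `scenario(3000)` stays within the slack of the last cluster, `scenario(4000)` overflows into a non-adjacent cluster, and `scenario(4000, delete_neighbour=True)` overflows into the space freed by the deleted neighbour.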