lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <D02FDCC1-6B63-11D9-97C7-000A95B1B62E@bellua.com>
From: bcs2005 at bellua.com (Anthony Zboralski)
Subject: Re: [ISN] Book Review: Forensic Discovery

> This article in Phrack is being cited as this guys
> qualifications for conducting a security seminar?
> Getting fired for writing an article (an article so
> clueless --devoid of substance-- as this one) is cited
> as a good thing (just because it appeared in phrack)?
> Phrack Editors: please apply some standard in choosing
> articles, because people do think that having an
> article published in phrack amounts to something, and
> mostly your articles are superb (except when you plug
> articles like this because your friend wrote it)
>
> Just because one tool does not check bad cluster,
> doesn't mean that you can use this method of data
> hiding to defeat forensics as a whole.

It seems that Dan Farmer and Wieste Venema are less than
forthcoming regarding the problems their forensic package,
'The Coronor's Toolkit' (TCT) has had in the past, and still
has today.

The Phrack 59 article's old! Have you checked the latest slides and
articles or watch the grugq's speech before posting your flame bait?

http://www.hert.org/z/grugq.torrent

A lot of incompetent people buy commercial products like encase
or download TCT and improvise themselves "Forensic Experts".

In the Art of Defiling, Grugq talks about:

* Trivial ways to defeat file system forensic tools,
e.g. sanitizing deleted inodes and directory entries

* TCT specific issues (some of them have been fixed):
   incorrect ext2 implementation
   bad bounds checking
   lame pseudo codes, and more

* Most forensic tools don't look for data in:
Journals (e.g. ext3 journal), directory files, OLE2 files, bad blocks,
inode reserved space, null directory entries,  file system meta
data structures (reserve space, padding)

* Simple ways to avoid using the file system, e.g. using gdb stubs
(libgdbrpc) http://www.phrack.org/show.php?p=62&a=8 and
ul_exec() http://www.hcunix.net/papers/grugq_ul_exec.txt

> Anthony Zboralski: We would expect yot to plug some
> article with substance when you promote your speaker
> and conference in a lot of security mailing lists. Oh
> yeah and you are going to jail if you talk about
> anti-forensics in US, you stupid promoter.

If the PATRIOT ACT makes discussing these problems
illegal!? Is the future of security research in jeopardy
because only a one sided view can legally be presented to us.

Anthony

-- 
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@...lua.com - Phone: +62213918330 HP:+628159102495


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ