[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <42FA6B6D.3010104@science.org>
Date: Wed Aug 10 22:01:51 2005
From: jasonc at science.org (Jason Coombs)
Subject: Re: Help put a stop to incompetent computer
forensics
anonymous wrote:
> I know when running EnCase or some other software you can see the
> cookies of the machine. More importantly, you can see what "search
> items" the invidual was searching for.
No, you cannot. You can see what the Internet Explorer history files
contain. This does not prove that a person typed search terms into
Google. If you'd like me to prove this to you, ship your computer to me.
I will ship it back to you and it will contain proof that you are a
very, very bad person.
> So I can tell if the person had the intent or atleast give some ammo to
> the prosecution that the perp was searching for "zzzzz" and "yyyy" etc.
No you can't. You can tell that the Internet Explorer history files
contain data.
> So if their entire defense is that a trojan put the kiddie porn on their
> machine yet their search items were things related to that sort of thing
> then we can show the the perp was searching for related topics.
Come on, do you even understand what a Trojan is?
By definition, the Trojan gives a third-party the ability to control the
computer from a remote location. I'm not suggesting that the Trojan was
programmed to plant evidence. I'm saying that a third-party was in
control of the computer and any data that you see on the computer's hard
drive, including things that you seem to think "prove" that a person
typed on the attached keyboard, reflects, at best, the actions of many
people and a lot of software -- and at worst the data are meaningless
because the files have been tampered with on purpose by a third party.
> But I do believe that once an analysis of the perp's hard drive has been
> done said examiner should be able to determine if the information on the
> machine was from the surfing habits of the perp, or if they may have
> come from a trojan. Besides, if a trojan was present it should still be
> there when the examiner is looking at the system!
No. The analyst can only determine that the computer may have been
executing software in the past at various purported times (based on
date/time stamps) -- or, maybe what you can determine is that the
computer has been receiving files from elsewhere, and the date/time
stamps don't have any connection whatsoever to the local computer but
have some connection to another computer. Furthermore, Trojan infections
come and go, and you probably know that remote exploitable
vulnerabilities make it unnecessary to plant a Trojan -- if the
attacker/intruder is only interested in gaining control of the computer
one time, and a victim comes along with a vulnerable IE browser, then
arbitrary code can be executed and no Trojan infection will necessarily
result. That's up to the attacker. Nevertheless, the arbitrary code
execution resulted in the attacker being able to do anything they want
with the computer, including launch IE and visit Web sites and enter
search terms which IE will log.
> However, if the information came from an email, cd, diskette or other
> media then it's going to open a whole other can of worms.
It's not a can of worms for a CD or diskette to be found alongside a
computer, that's called reasonable circumstantial evidence. Computer
data stored on hard drives connected to the Internet is NOT reasonable
circumstantial evidence. It's just data.
The "circumstances" under which data come to be on a hard drive are
UNKNOWN unless law enforcement have established appropriate forensic
controls to monitor computer operation during an investigation.
When the circumstances of software execution on a computer and the data
communications to and from a computer are UNKNOWN, all data from that
computer should be excluded from use in court as "evidence" of anything.
Sincerely,
Jason Coombs
jasonc@...ence.org
Powered by blists - more mailing lists