Full Disclosure mailing list archives
Re: Re: Teenager cleared of hacking - Off Topic?
From: "David Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Tue, 21 Oct 2003 13:32:47 +0100
> The experts gave very clear evidence that the attack was initiated locally and log files cannot be planted remotely the way they were found on his computer.
I would be astonished if this were true - there is *no limit* on what a trojan can do if it gains full control of your computer. Admittedly most trojan operators aren't smart enough to cover their own tracks sufficiently that a good forensic expert couldn't track them down; that doesn't mean some aren't though.
> "If you edit a file after you finish writing it to disk, it results in block fractures.
Under certain circumstances, this is true - however, that requires that the "defrag" tool is not run at any point after the write, and/or that the file is not moved to another medium. It also requires that the additional write overflow an allocated cluster - disk is allocated in "chunks" that are rarely completely filled - provided the alterations result in a file little if any larger than the original, it will "fit back" into the same storage. It is also possible (but unlikely) that the file next in line in the block was deleted and the file "grew" into the extra space.
> Barrett conceded that a hacker could, in theory, have planted a different log file on Caffrey's computer, but said it would be obvious that it was inserted later because of the physical position of the file's data blocks. "There is obviously a way of introducing (the file) on the computer, but not in the correct place," he said.
You can introduce a file anywhere you like; it is stretching credibility that an attacker would take the trouble to do so though.
> Caffrey's counsel questioned the validity of Barrett's evidence because the witness had not physically examined the actual hard disk from Caffrey's computer, but an image of it that was sent to him on CD-ROM. Barrett argued that this did not make a difference because the image was "forensically sound".
That requires it to be a "true" (or "raw") image - not for example a "ghost" image which extracts files without retaining the disk structure - but assuming this is true the image is as good if not better than the original for such tasks.
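An added toy model (not part of the original post) of the cluster argument above: a file edited after it was written keeps its original clusters when the change fits in the slack of its last cluster or when the neighbouring cluster has since been freed, and only fragments when it has to overflow into a cluster someone else owns. The 4 KB cluster size and the first-free allocation policy are assumptions, not a description of any real filesystem.

```python
CLUSTER = 4096  # bytes per cluster; assumed, typical of FAT/NTFS defaults


class Disk:
    """Toy allocator: one entry per cluster holding the owning file name or None."""

    def __init__(self, n_clusters):
        self.owner = [None] * n_clusters

    def clusters_for(self, size):
        return -(-size // CLUSTER)  # ceiling division

    def extents(self, name):
        return [i for i, o in enumerate(self.owner) if o == name]

    def write_new(self, name, size):
        """Write a fresh file into the first contiguous run of free clusters."""
        need, run = self.clusters_for(size), 0
        for i, o in enumerate(self.owner):
            run = run + 1 if o is None else 0
            if run == need:
                for c in range(i - need + 1, i + 1):
                    self.owner[c] = name
                return self.extents(name)
        raise RuntimeError("no contiguous free run")

    def delete(self, name):
        self.owner = [None if o == name else o for o in self.owner]

    def append(self, name, new_size):
        """Grow a file: slack first, then the cluster right after it, else anywhere free."""
        have = self.extents(name)
        for _ in range(self.clusters_for(new_size) - len(have)):
            nxt = have[-1] + 1
            if nxt < len(self.owner) and self.owner[nxt] is None:
                self.owner[nxt] = name                     # contiguous growth
            else:
                self.owner[self.owner.index(None)] = name  # block fracture
            have = self.extents(name)
        return have


def is_fragmented(ext):
    return any(b != a + 1 for a, b in zip(ext, ext[1:]))


def scenarios():
    """Extents of 'log' after three kinds of edit (constructed sample sizes)."""
    d = Disk(16)
    d.write_new("log", 10000)       # clusters 0-2, ~2.3 KB of slack in cluster 2
    d.write_new("other", 8192)      # clusters 3-4, written right behind it
    fits = d.append("log", 12000)   # still 3 clusters: fits back into the slack
    frag = d.append("log", 13000)   # needs cluster 3, which is taken -> jumps to 5
    d2 = Disk(16)
    d2.write_new("log", 10000)
    d2.write_new("other", 8192)
    d2.delete("other")              # neighbour deleted before the edit
    grew = d2.append("log", 13000)  # grows into cluster 3, still contiguous
    return fits, frag, grew
```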