Full Disclosure mailing list archives
RE: Re: pnp worm unknown variant - post infectionactions
From: "Madison, Marc" <mmadison () fnni com>
Date: Wed, 17 Aug 2005 08:16:04 -0500
Jason Coombs wrote: "What, you expect them to take an inventory of all of your installed software? You think there are "scientific standards" for "computer forensic" examinations? Are you expecting law enforcement to also be expert infosec gurus and do exhaustive searches through hundreds of gigabytes of data looking for the needle in the haystack? What about Metasploit, which will gladly inject a RAM-only WinVNC server and give complete remote control without "installing" WinVNC anywhere on the hard drive? If your Windows box gets owned by such a thing, and you end up accused of the crimes that the attacker committed while they were in control of your box, you can kiss your ass goodbye."

Just heard a keynote speech from Jim Christy of the Defense Cyber Crime Institute, Defense Cyber Crime Center, in which he states over eighty percent of the lab's cases are related to child porn, not Al Qaeda or terrorism but these allegedly sick individuals. Mr. Christy said the lab has compiled hashes of known child porn; they use the hashes to perform quick scans of suspected criminals' computers in order to facilitate a quicker response to the investigating agency in the case.

Now, I agree that computer forensic work is currently unregulated and misrepresented, but according to Mr. Christy, in the near future U.S. Federal courts will not accept forensic work unless it was done in a federally certified lab. I see this as a move in the right direction for the forensics industry, though I'm sure many so-called experts will not. And if I'm not mistaken, Metasploit without any changes is extremely noisy, which makes it easy to identify as Metasploit.
Marc Madison

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jason Coombs
Sent: Wednesday, August 17, 2005 2:56 AM
To: adityad2005 () users sourceforge net
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: pnp worm unknown variant - post infectionactions

Aditya Deshmukh wrote:
Suppose we have VNC installed and that is used to take control of the computer and the actions show up as done by the user - would it not be caught by law enforcement?
What, you expect them to take an inventory of all of your installed software? You think there are "scientific standards" for "computer forensic" examinations? Are you expecting law enforcement to also be expert infosec gurus and do exhaustive searches through hundreds of gigabytes of data looking for the needle in the haystack? What about Metasploit, which will gladly inject a RAM-only WinVNC server and give complete remote control without "installing" WinVNC anywhere on the hard drive? If your Windows box gets owned by such a thing, and you end up accused of the crimes that the attacker committed while they were in control of your box, you can kiss your ass goodbye.

This is what I'm trying to correct. And I'm not alone, but I am in the minority. Your help would be most welcome, but I honestly don't know what you can do... Just be aware, gather proof that "computer forensics" as it is practiced today has very serious flaws, and tell others.

I predict that we will see a wave of convictions overturned, and prisoners released, based on faulty computer forensic evidence, that will make wrongful convictions based on faulty DNA evidence seem insignificant by comparison.

Regards,

Jason Coombs
jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
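The "quick scan against a hash set of known files" that Marc relays from Jim Christy's talk is a standard triage step, and it is also exactly the kind of on-disk check that Jason's RAM-only WinVNC scenario slips past. The script below is an added illustration of that technique; it is not code from either poster or from the DC3 lab, and it knows nothing about their actual hash lists. The known set, the file names and the evidence tree are all constructed inline so it runs offline, and it uses SHA-256 rather than the MD5 that many historical hash sets carried, since a collision-resistant digest is what makes "same hash, same file" a defensible claim.

```python
"""Known-file hash-set scan over an evidence tree (added example).

Everything here is constructed for the demo: the 'known bad' hash set is
derived from placeholder byte strings, and the scanned directory is a
temporary tree created by demo(). Real hash sets are distributed as
digests only, never as content.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for files whose digests are already in a known set.
KNOWN_BAD_CONTENT = [b"sample-known-file-1", b"sample-known-file-2"]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large media files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_set(contents):
    """A hash set as it would be shipped: a set of hex digests, no content."""
    return {hashlib.sha256(c).hexdigest() for c in contents}


def scan_tree(root, known):
    """Hash every regular file under root and report those in the known set.

    Returns (hits, errors): hits is a sorted list of (relative_path, digest);
    errors records files that could not be read, so a permissions problem is
    never silently reported as 'no matches'. Symlinks are skipped so the scan
    cannot be steered outside the evidence tree.
    """
    hits, errors = [], []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            try:
                digest = sha256_file(p)
            except OSError as exc:
                errors.append((str(p.relative_to(root)), str(exc)))
                continue
            if digest in known:
                hits.append((str(p.relative_to(root)), digest))
    return sorted(hits), errors


def demo():
    """Build a constructed evidence tree, scan it, and return (hits, errors)."""
    known = build_known_set(KNOWN_BAD_CONTENT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pics").mkdir()
        (root / "pics" / "a.jpg").write_bytes(KNOWN_BAD_CONTENT[0])
        (root / "pics" / "b.jpg").write_bytes(b"unrelated holiday photo")
        (root / "docs").mkdir()
        (root / "docs" / "c.bin").write_bytes(KNOWN_BAD_CONTENT[1])
        # A byte-for-byte copy matches; a file altered by even one byte does not,
        # which is why hash sets only ever find files already in the set.
        (root / "docs" / "c_edited.bin").write_bytes(KNOWN_BAD_CONTENT[1] + b"\x00")
        return scan_tree(root, known)


if __name__ == "__main__":
    hits, errors = demo()
    for rel, digest in hits:
        print(f"HIT {rel} {digest}")
    for rel, err in errors:
        print(f"ERR {rel} {err}")
```

Two caveats a practitioner would attach to a report built on this: a hash match says only that an identical file was present, not who put it there or who viewed it; and a scan of the file system says nothing about what ran from memory, so an attacker-controlled session of the kind Jason describes leaves no hit here at all.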
Current thread:
- RE: Re: pnp worm unknown variant - post infectionactions Madison, Marc (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions Valdis . Kletnieks (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions foofus (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions Jason Coombs (Aug 17)