Full Disclosure mailing list archives

Re: Re: Teenager cleared of hacking - Off Topic?


From: "David Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Tue, 21 Oct 2003 13:32:47 +0100

> The experts gave very clear evidence that the attack was initiated
> locally and log files cannot be planted remotely the way they were
> found on his computer.

I would be astonished if this were true - there is *no limit* on what a
trojan can do if it gains full control of your computer.
Admittedly most trojan operators aren't smart enough to cover their own
tracks sufficiently that a good forensic expert couldn't track them down;
that doesn't mean some aren't though.

> "If you edit a file after you finish writing it to disk, it results in
> block fractures."

Under certain circumstances, this is true - however, that requires that the
"defrag" tool is not run at any point after the write, and/or that the file
is not moved to another medium. It also requires that the additional write
overflow an allocated cluster - disk is allocated in "chunks" that are
rarely completely filled - provided the alterations result in a file little
if any larger than the original, it will "fit back" into the same storage.
It is also possible (but unlikely) that the file next in line in the block
was deleted and the file "grew" into the extra space.

> Barrett conceded that a hacker could, in theory, have planted a
> different log file on Caffrey's computer, but said it would be obvious
> that it was inserted later because of the physical position of the
> file's data blocks. "There is obviously a way of introducing (the file)
> on the computer, but not in the correct place," he said.

You can introduce a file anywhere you like; it is stretching credibility
that an attacker would take the trouble to do so though.

> Caffrey's counsel questioned the validity of Barrett's evidence because
> the witness had not physically examined the actual hard disk from
> Caffrey's computer, but an image of it that was sent to him on CD-ROM.
> Barrett argued that this did not make a difference because the image
> was "forensically sound".

That requires it to be a "true" (or "raw") image - not for example a "ghost"
image which extracts files without retaining the disk structure - but
assuming this is true the image is as good if not better than the original
for such tasks.
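The two forensic points argued in the message above (whether an edit "fits back" into a file's existing clusters or fractures it into a non-adjacent block, and why a raw image preserves evidence that a file-level copy discards) can be shown on a toy disk model. This is an added example, not code from the poster or from any forensic tool; it assumes a constructed 8-cluster disk with 16-byte clusters and a first-fit allocator, which is a simplification of how real file systems allocate space.

```python
import hashlib
from dataclasses import dataclass, field

CLUSTER = 16  # bytes per cluster; constructed toy value (real file systems use 4 KiB or more)


@dataclass
class ToyDisk:
    """A disk of fixed-size clusters with a first-fit allocator (assumed model)."""
    n_clusters: int
    data: bytearray = field(init=False)
    free: list = field(init=False)
    files: dict = field(default_factory=dict)  # name -> (cluster chain, byte size)

    def __post_init__(self):
        self.data = bytearray(self.n_clusters * CLUSTER)
        self.free = list(range(self.n_clusters))

    @staticmethod
    def clusters_for(size):
        return -(-size // CLUSTER)  # ceiling division

    def _alloc(self, n):
        if n > len(self.free):
            raise OSError("disk full")
        taken, self.free = self.free[:n], self.free[n:]
        return taken

    def _store(self, chain, payload):
        # Only the bytes actually written are touched; the unused tail of the
        # last cluster (slack) keeps whatever was there before.
        for i, c in enumerate(chain):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk

    def write(self, name, payload):
        chain = self._alloc(self.clusters_for(len(payload)))
        self._store(chain, payload)
        self.files[name] = (chain, len(payload))

    def read(self, name):
        chain, size = self.files[name]
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)[:size]

    def delete(self, name):
        # Only the allocation record goes away; the clusters' contents remain.
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def append(self, name, extra):
        """Extend a file; new clusters are taken only if the slack cannot hold `extra`."""
        old = self.read(name)
        chain, _ = self.files[name]
        need = self.clusters_for(len(old) + len(extra)) - len(chain)
        if need > 0:
            chain = chain + self._alloc(need)  # first free cluster, wherever it is
        self._store(chain, old + extra)
        self.files[name] = (chain, len(old) + len(extra))

    def is_contiguous(self, name):
        chain, _ = self.files[name]
        return all(b == a + 1 for a, b in zip(chain, chain[1:]))

    def raw_image(self):
        """dd-style image: every byte of every cluster, allocated or not."""
        return bytes(self.data)

    def file_copy(self):
        """File-level ("ghost"-style) copy: live file contents only, no slack or freed clusters."""
        return {n: self.read(n) for n in self.files}


def growth_cases():
    """Constructed scenario: a log edited after its neighbours were written."""
    d = ToyDisk(8)
    d.write("log", b"A" * 20)     # clusters 0,1 with 12 bytes of slack
    d.write("next", b"B" * 16)    # cluster 2, immediately after the log
    d.write("other", b"C" * 16)   # cluster 3
    d.append("log", b"a" * 10)    # 30 bytes: still fits in clusters 0,1
    fits_back = d.is_contiguous("log") and len(d.files["log"][0]) == 2
    d.append("log", b"b" * 10)    # 40 bytes: overflows into cluster 4 -> block fracture
    fractured = not d.is_contiguous("log")

    e = ToyDisk(8)
    e.write("log", b"A" * 20)
    e.write("next", b"B" * 16)
    e.write("other", b"C" * 16)
    e.delete("next")              # the neighbour is removed first...
    e.append("log", b"a" * 20)    # ...so the 40-byte log grows into cluster 2, contiguously
    return {"fits_back": fits_back, "fractured": fractured,
            "grew_into_gap": e.is_contiguous("log")}


def image_cases():
    """Constructed scenario: a deleted file survives in the raw image but not in a file copy."""
    d = ToyDisk(8)
    d.write("log", b"A" * 20)
    d.write("next", b"B" * 16)
    d.delete("next")
    raw, copy = d.raw_image(), d.file_copy()
    return {"raw_keeps_deleted": b"B" * 16 in raw,
            "copy_keeps_deleted": any(b"B" * 16 in v for v in copy.values()),
            "raw_sha256": hashlib.sha256(raw).hexdigest()}  # hash an examiner would record
```

`growth_cases()` reproduces the three outcomes the message distinguishes: an edit that stays within the already allocated clusters leaves the layout untouched, an edit that overflows them lands in the first free cluster and fractures the file, and growth into a freshly deleted neighbour stays contiguous. `image_cases()` shows why only a raw image is "forensically sound" for this kind of analysis: the freed cluster's bytes are present in the raw image and absent from a file-level copy, and the recorded SHA-256 is what lets a later examiner confirm the image was not altered in transit.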

Attachment: VirusWall_Message.txt
Description:
