Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: pnp worm unknown variant - post infectionactions

From: Jason Coombs <jasonc () science org>
Date: Tue, 16 Aug 2005 21:56:11 -1000
Aditya Deshmukh wrote:

suppose we have VNC installed and that is used to take control of the
computer and the actions show up as done by the user - would it not be
caught by law enforcement ?
What, you expect them to take an inventory of all of your installed software? You think there are "scientific standards" for "computer forensic" examinations? Are you expecting law enforcement to also be expert infosec gurus and do exhaustive searches through hundreds of gigabytes of data looking for the needle in the haystack?
What about Metasploit, which will gladly inject a RAM-only WinVNC server and give complete remote control without "installing" WinVNC anywhere on the hard drive?
If your Windows box gets owned by such a thing, and you end up accused of the crimes that the attacker committed while they were in control of your box, you can kiss your ass goodbye.
This is what I'm trying to correct. And I'm not alone, but I am in the minority. Your help would be most welcome, but I honestly don't know what you can do...
Just be aware, gather proof that "computer forensics" as it is practiced today has very serious flaws, and tell others.
I predict that we will see a wave of convictions overturned, and prisoners released, based on faulty computer forensic evidence, that will make wrongful convictions based on faulty DNA evidence seem insignificant by comparison. 

Regards,

Jason Coombs
jasonc () science org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: