Full Disclosure mailing list archives
Re: Re: [ISN] Book Review: Forensic Discovery
From: Anthony Zboralski <bcs2005 () bellua com>
Date: Fri, 21 Jan 2005 11:20:42 +0700
> This article in Phrack is being cited as this guy's qualifications for conducting a security seminar? Getting fired for writing an article (an article so clueless --devoid of substance-- as this one) is cited as a good thing (just because it appeared in Phrack)? Phrack editors: please apply some standard in choosing articles, because people do think that having an article published in Phrack amounts to something, and mostly your articles are superb (except when you plug articles like this because your friend wrote it). Just because one tool does not check bad clusters doesn't mean that you can use this method of data hiding to defeat forensics as a whole.
It seems that Dan Farmer and Wietse Venema are less than forthcoming regarding the problems their forensic package, 'The Coroner's Toolkit' (TCT), has had in the past, and still has today.

The Phrack 59 article's old! Have you checked the latest slides and articles or watched the grugq's speech before posting your flame bait?
http://www.hert.org/z/grugq.torrent

A lot of incompetent people buy commercial products like EnCase or download TCT and improvise themselves "Forensic Experts". In the Art of Defiling, Grugq talks about:

* Trivial ways to defeat file system forensic tools, e.g. sanitizing deleted inodes and directory entries
* TCT specific issues (some of them have been fixed): incorrect ext2 implementation, bad bounds checking, lame pseudo code, and more
* Most forensic tools don't look for data in: journals (e.g. the ext3 journal), directory files, OLE2 files, bad blocks, inode reserved space, null directory entries, file system meta data structures (reserved space, padding)
* Simple ways to avoid using the file system, e.g. using gdb stubs (libgdbrpc) http://www.phrack.org/show.php?p=62&a=8 and ul_exec() http://www.hcunix.net/papers/grugq_ul_exec.txt
> Anthony Zboralski: We would expect you to plug some article with substance when you promote your speaker and conference in a lot of security mailing lists. Oh yeah, and you are going to jail if you talk about anti-forensics in the US, you stupid promoter.
If the PATRIOT ACT makes discussing these problems illegal!? Is the future of security research in jeopardy because only a one-sided view can legally be presented to us?

Anthony
--
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62213918330 HP: +628159102495