Honeypots mailing list archives
Re: Free/Open Source Disk Imaging Tools
From: "Bernie, CTA" <cta () hcsin net>
Date: Fri, 7 Feb 2003 14:12:04 -0500
In regards to forensic disk imaging and storage of data in general, I would like to point out that disk imaging won't capture all possible data that could be stored on a hard drive due to a vulnerability of the drive's controller, which enables an attacker to hide data with detection. The threat is that shellcode could be written to directly control the drive's SCSI or IDE controller and specifically position the read/write heads to inject bits of data into the out-of-band areas of the drive's magnetic media, which could be undiscoverable through disk imaging. Once access to the out-of-band areas is obtained, attacks upon the system's / data integrity, security and availability could be potentially launched without detection.

Furthermore, I believe that given enough positional entropy and the fact that there could exist a significant quantity of out-of-band space, it would be easy for one to conceal data and shellcode that would not be captured by most if not all of the disk imaging tools currently available. Thus a strong legal argument could be made as to the completeness and therefore the accuracy and admissibility of information forensically obtained by such imaging methods.

Those in computer forensics must understand that current disk imaging methods are flawed and will be challenged in court as more focus is put on integrity and completeness of evidence collected from the scene of the crime. More thought must be put into the identification and prioritization of ALL Practical vulnerabilities, threats and forms of attacks, assessment of the Risks, identification and implementation of the safeguards, and continuous auditing of all Actions outside and inside the box.

Bottom line is that those who are responsible for developing and implementing system security topologies must employ well thought out system security engineering processes which are dynamically balanced to achieve a goodness-of-fit.
--
Bernie
cta () hcsin net
Euclidean Systems

"There is no expedient to which a man will not go
to avoid the pure labor of honest thinking."
Honest thought, the real business capital.
Observe> Think> Plan> Think> Do> Think>