PaulDotCom mailing list archives

Live forensics tools and Cygwin


From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Tue, 6 Oct 2009 13:35:04 +0100

Hi,
I noticed some interesting behaviour when playing with Helix recently. It
ships with a number of cygwin tools including netcat for gathering evidence
and sending it to remote systems. I started a netcat listener on my local PC
and tried using Helix to capture evidence from the same PC using IRCR.
Status: FAIL. Cause: the cygwin DLL loaded into memory by my bash shell and
netcat listener clashed with the one on Helix so the script would not run
successfully.

It strikes me that loading a copy of the cygwin DLL into memory can
effectively break some forensics tools and could even subvert them to alter
the results. Loading a poisoned cygwin DLL could be an effective
anti-forensic technique if cygwin tools are used. This is also worth knowing
if you plan to use Helix or similar tools to do live examination on Windows.

This is kind of an edge case for live forensics I know but even the bad guys
can practice defence in depth. If Bob was going to build a nasty cygwin1.dll
what should he include? Corruption of data from read() would play merry hell
with acquisition tools using cygwin and if this corruption were predictable
then checksums from cygwin versions of md5sum, sha1sum, dfcldd etc. could
fool an examiner into thinking a collection was sound when it was in fact
corrupt.

Jim
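The check an examiner would want against the scenario Jim describes is to verify the acquisition hash with a tool that does not share the suspect dependency. The following is an added example, not code from the post or from Helix: it models the read layer as a plain Python function (a constructed stand-in for cygwin1.dll's read(), flipping one bit in every 64th byte), hashes sample evidence bytes the way an inline-hashing dd tool and a same-toolchain checksum tool would, then compares against an independent hash. The sample evidence, the corruption pattern and the function names are all constructed for illustration.

```python
import hashlib
from typing import Callable

ReadFn = Callable[[bytes], bytes]

# Constructed stand-in for evidence bytes (a disk image or memory dump).
SAMPLE_EVIDENCE = bytes(range(256)) * 16  # 4 KiB of known content


def faithful_read(data: bytes) -> bytes:
    """A read layer that returns the bytes actually on disk."""
    return data


def predictably_corrupting_read(data: bytes) -> bytes:
    """Models the shared-dependency failure mode: every tool that goes
    through this layer sees the same deterministic alteration.
    Constructed illustration only: flips the low bit of every 64th byte."""
    out = bytearray(data)
    for i in range(0, len(out), 64):
        out[i] ^= 0x01
    return bytes(out)


def acquire(source: bytes, read: ReadFn) -> tuple[bytes, str]:
    """Acquisition as a dd-style tool with inline hashing does it: copy the
    source through the read layer and hash the stream it saw."""
    image = read(source)
    return image, hashlib.sha256(image).hexdigest()


def hash_via_toolchain(source: bytes, read: ReadFn) -> str:
    """Hash the source with a checksum tool that shares the read layer
    (the cygwin md5sum / sha1sum case from the post)."""
    return hashlib.sha256(read(source)).hexdigest()


def hash_independent(source: bytes) -> str:
    """Hash the source with a tool that does not share the suspect dependency
    (a statically linked binary or the OS's native hashing utility)."""
    return hashlib.sha256(source).hexdigest()


def cross_check(source: bytes, read: ReadFn) -> dict:
    """Compare the acquisition hash against both verification routes.
    A same-toolchain match that the independent hash contradicts is the
    signature of a shared, tampered read layer."""
    image, acquisition_hash = acquire(source, read)
    same_chain = hash_via_toolchain(source, read)
    independent = hash_independent(source)
    return {
        "acquisition_hash": acquisition_hash,
        "same_toolchain_matches": same_chain == acquisition_hash,
        "independent_matches": independent == acquisition_hash,
        "image_bytes_altered": image != source,
    }


if __name__ == "__main__":
    for name, read in (("faithful", faithful_read),
                       ("corrupting", predictably_corrupting_read)):
        print(name, cross_check(SAMPLE_EVIDENCE, read))
```

With the faithful read layer both verification routes agree with the acquisition hash; with the corrupting one, the same-toolchain checksum still matches (which is exactly what would mislead an examiner) while the independent hash does not. The practical rule this encodes: hash the original with a binary that carries its own dependencies, and treat a disagreement between toolchains as evidence to investigate rather than noise.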