PaulDotCom mailing list archives
Live forensics tools and Cygwin
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Tue, 6 Oct 2009 13:35:04 +0100
Hi,

I noticed some interesting behaviour when playing with Helix recently. It ships with a number of cygwin tools including netcat for gathering evidence and sending it to remote systems. I started a netcat listener on my local PC and tried using Helix to capture evidence from the same PC using IRCR. Status: FAIL. Cause: the cygwin DLL loaded into memory by my bash shell and netcat listener clashed with the one on Helix so the script would not run successfully.

It strikes me that loading a copy of the cygwin DLL into memory can effectively break some forensics tools and could even subvert them to alter the results. Loading a poisoned cygwin DLL could be an effective anti-forensic technique if cygwin tools are used. This is also worth knowing if you plan to use Helix or similar tools to do live examination on Windows. This is kind of an edge case for live forensics I know, but even the bad guys can practice defence in depth.

If Bob was going to build a nasty cygwin1.dll what should he include? Corruption of data from read() would play merry hell with acquisition tools using cygwin, and if this corruption were predictable then checksums from cygwin versions of md5sum, sha1sum, dcfldd etc. could fool an examiner into thinking a collection was sound when it was in fact corrupt.

Jim
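The failure mode Jim describes, a poisoned read() that corrupts data predictably so that a checksum computed in the same runtime still "verifies" the corrupted image, is easy to see in a simulation. The block below is an added example written for this archive page; it is not code from Jim's post, from Helix, or from Cygwin. The PoisonedFile class, the 4 KiB corruption stride and the sample byte string are all assumptions chosen for illustration; the point it demonstrates is general: a hash computed through the same I/O layer as the acquisition cannot catch corruption that layer introduces, and only an out-of-band hash (computed on the original data by a tool that does not share the suspect DLL, or on a known-good reference copy) exposes it.

```python
"""Simulation of a poisoned read() layer and what it does to checksum verification.

Added example for the thread above, not the original author's code. The
corruption rule, the PoisonedFile wrapper and the sample data are hypothetical.
"""
import hashlib
import io

CORRUPT_STRIDE = 4096  # hypothetical rule: damage the byte at every 4 KiB boundary


def corrupt(chunk: bytes, offset: int) -> bytes:
    """Flip bit 0 of every byte whose absolute file offset is a multiple of
    CORRUPT_STRIDE. The damage depends only on the offset, never on how the
    reader chunks its reads, so every tool sees the same wrong bytes."""
    out = bytearray(chunk)
    first = (-offset) % CORRUPT_STRIDE  # distance from offset to the next boundary
    for i in range(first, len(out), CORRUPT_STRIDE):
        out[i] ^= 0x01
    return bytes(out)


class PoisonedFile:
    """Stand-in for a file handle whose read() is routed through a poisoned
    cygwin1.dll: every read returns consistently corrupted data."""

    def __init__(self, data: bytes):
        self._f = io.BytesIO(data)

    def read(self, size: int = -1) -> bytes:
        offset = self._f.tell()
        return corrupt(self._f.read(size), offset)


def sha256_of(stream, chunk: int = 1024) -> str:
    """Streaming SHA-256 over any object with a read() method."""
    h = hashlib.sha256()
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        h.update(buf)
    return h.hexdigest()


def acquire_through_layer(data: bytes) -> bytes:
    """dd/dcfldd-style acquisition running on top of the poisoned read()."""
    src = PoisonedFile(data)
    out = bytearray()
    while True:
        buf = src.read(1024)
        if not buf:
            break
        out += buf
    return bytes(out)


def hash_through_layer(data: bytes) -> str:
    """sha256sum-style tool run in the same poisoned runtime as the acquisition."""
    return sha256_of(PoisonedFile(data))


def hash_clean(data: bytes) -> str:
    """Hash computed outside the poisoned runtime (e.g. on the collection host
    over the bytes it received, or by a tool that does not share the DLL)."""
    return sha256_of(io.BytesIO(data))


def examiner_checks(data: bytes) -> dict:
    """Run the three comparisons an examiner might make and report the outcome."""
    image = acquire_through_layer(data)          # what reached the netcat listener
    source_hash_same_runtime = hash_through_layer(data)
    image_hash = hash_clean(image)               # receiver hashes what it got
    return {
        "image_differs_from_original": image != data,
        # Source hash and image hash agree, so the examiner is fooled:
        "same_runtime_check_passes": source_hash_same_runtime == image_hash,
        # Hash of the real data, taken outside the poisoned layer, disagrees:
        "out_of_band_check_passes": hash_clean(data) == image_hash,
    }


# Constructed sample evidence: 10240 bytes, so offsets 0, 4096 and 8192 get damaged.
SAMPLE = bytes(range(256)) * 40

if __name__ == "__main__":
    for name, ok in examiner_checks(SAMPLE).items():
        print(f"{name}: {ok}")
```

The practical takeaway is the one Jim's scenario implies: hash the evidence on the receiving side with tooling that does not share the suspect runtime, and compare against a value computed by a statically linked or otherwise independent tool on the source, rather than trusting a checksum produced by the same Cygwin DLL that did the reading.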
Current thread:
- Live forensics tools and Cygwin Jim Halfpenny (Oct 06)
- Live forensics tools and Cygwin bhoff at itworldclass.com (Oct 06)
- Live forensics tools and Cygwin Jim Halfpenny (Oct 06)
- Live forensics tools and Cygwin bhoff at itworldclass.com (Oct 06)