[Full-Disclosure] Re: [ISN] Book Review: Forensic Discovery
bcs2005 at bellua.com
Fri Jan 21 04:20:42 GMT 2005
> This article in Phrack is being cited as this guys
> qualifications for conducting a security seminar?
> Getting fired for writing an article (an article so
> clueless --devoid of substance-- as this one) is cited
> as a good thing (just because it appeared in phrack)?
> Phrack Editors: please apply some standard in choosing
> articles, because people do think that having an
> article published in phrack amounts to something, and
> mostly your articles are superb (except when you plug
> articles like this because your friend wrote it)
> Just because one tool does not check bad cluster,
> doesn't mean that you can use this method of data
> hiding to defeat forensics as a whole.
It seems that Dan Farmer and Wietse Venema are less than
forthcoming regarding the problems their forensic package,
'The Coroner's Toolkit' (TCT) has had in the past, and still
The Phrack 59 article's old! Have you checked the latest slides and
articles or watched the grugq's speech before posting your flame bait?
A lot of incompetent people buy commercial products like encase
or download TCT and improvise themselves "Forensic Experts".
In the Art of Defiling, Grugq talks about:
* Trivial ways to defeat file system forensic tools,
  e.g. sanitizing deleted inodes and directory entries
* TCT specific issues (some of them have been fixed):
  - incorrect ext2 implementation
  - bad bounds checking
  - lame pseudo codes, and more
* Most forensic tools don't look for data in:
  journals (e.g. ext3 journal), directory files, OLE2 files, bad blocks,
  inode reserved space, null directory entries, file system meta
  data structures (reserve space, padding)
* Simple ways to avoid using the file system, e.g. using gdb stubs
  (libgdbrpc) http://www.phrack.org/show.php?p=62&a=8 and
> Anthony Zboralski: We would expect you to plug some
> article with substance when you promote your speaker
> and conference in a lot of security mailing lists. Oh
> yeah and you are going to jail if you talk about
> anti-forensics in US, you stupid promoter.
What if the PATRIOT ACT makes discussing these problems
illegal?! Is the future of security research in jeopardy
because only a one-sided view can legally be presented to us?
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 at bellua.com - Phone: +62213918330 HP:+628159102495
Full-Disclosure is hosted and sponsored by Secunia.