It's worth noting that the metasploit antiforensics stuff is
different than the research discussed in the article.
The new stuff is actually exploiting the code in the forensics
software directly, not just mangling the data to make it hard to
analyze forensically. The best part of that is the chance for code
to jump out of a drive being imaged and onto the analysis workstation
itself. Fun stuff.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
On Jul 25, 2007, at 1:41 PM, Hubbard, Dan wrote:
www.metasploit.com/projects/antiforensics/BH2005-Catch_Me_If_You_Can.ppt
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Gadi Evron
Sent: Wednesday, July 25, 2007 10:20 AM
To: Paul Ferguson
Cc: [email protected]
Subject: Re: [funsec] Researchers: Forensics Software Can Be Hacked
Wow. No [EMAIL PROTECTED]
On Wed, 25 Jul 2007, Paul Ferguson wrote:
Via InfoWorld.
[snip]
The software that police and enterprise security teams use to
investigate wrongdoing on computers is not as secure as it should be,
according to researchers with iSEC Partners.
The San Francisco security company has spent the past six months
investigating two forensic investigation programs, Guidance Software's
EnCase, and an open-source product called The Sleuth Kit. They have
discovered about a dozen bugs that could be used to crash the programs
or possibly even install unauthorized software on an investigator's
machine, according to Alex Stamos, a researcher and founding partner
with iSEC Partners.
[snip]
More:
http://www.infoworld.com/article/07/07/25/Forensics-software-can-be-hacked_1.html
- - ferg
p.s. Interesting premise for a Hollywood movie: "...bugs that could be
used to crash the programs or possibly even install unauthorized
software on an investigator's machine..."
:-)
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.