2009/10/6 <[email protected]>
> Well Jim, this is why you should always run your tools from a known good
> source such as a CD or USB key and not depend on the DLLs on the machines.
> It is easy enough to do this and was well documented in the SANS 608 class.
> Brett Hoff
> Senior IT Security Engineer, Antler, Inc.
> Sec+, Linux+, RHCT, GCFA
>

I totally agree. The problem with the Helix tools is that it cannot load cygwin1.dll from the removable media if another copy has already been loaded into memory. What can happen here is the examiner runs the tools believing a known good copy of the DLL is being used because it's on the Helix CD.

What can you do to get around this when doing live acquisitions? You need to trust some of the OS to run live tools, but it is clear that anti-forensic techniques can be used to subvert this type of information gathering.

Jim
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
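One defender-side check for the situation Jim describes, written as an added example for this thread and not code from Helix or from anyone on the list: hash the cygwin1.dll on the CD before the job, then confirm that the copy actually mapped into the running tool's process is that one rather than a copy already resident on the box. MEDIA_ROOT, TRUSTED_SHA256 and the psutil-based gatherer are assumptions for illustration.

```python
import hashlib
import ntpath

# Constructed sample values for illustration (not from the original thread).
MEDIA_ROOT = r"E:\IR"          # drive letter the Helix CD showed up as
TRUSTED_SHA256 = "a" * 64      # stands in for the recorded hash of the CD's cygwin1.dll


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in chunks; run this against the CD copy before the acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _under(path, root):
    """True if a Windows path lies below root (case-insensitive, as Windows lookup is)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)


def audit_module(loaded_path, loaded_sha256, media_root=MEDIA_ROOT,
                 trusted_sha256=TRUSTED_SHA256):
    """Classify the cygwin1.dll that is actually mapped into the tool's process.

    loaded_path / loaded_sha256 describe the module the live process is using;
    the verdict tells the examiner whether the CD copy or a resident copy ran.
    """
    if not _under(loaded_path, media_root):
        return "foreign-copy", f"mapped from {loaded_path}, not from {media_root}"
    if loaded_sha256.lower() != trusted_sha256.lower():
        return "hash-mismatch", "on the media path but content differs from the CD copy"
    return "trusted", "CD copy of cygwin1.dll is the one in use"


def loaded_dll_paths(pid, name="cygwin1.dll"):
    """Windows-only gatherer using psutil (third-party; an assumption, not something
    the thread mentions). Returns every mapped module path whose file name is `name`."""
    import psutil
    return [m.path for m in psutil.Process(pid).memory_maps()
            if ntpath.basename(m.path).lower() == name]


if __name__ == "__main__":
    # Simulated finding: the DLL the process mapped lives under C:\, not on the CD.
    print(audit_module(r"C:\cygwin\bin\cygwin1.dll", "b" * 64))
```

A "foreign-copy" verdict is exactly the case the thread worries about: the tool started, but it is running on whatever cygwin1.dll was already in memory on the suspect host.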
