My presentation from the March 10, 2005 meeting can be found here: http://www.mattfrye.net/march2005_tct.pdf
There was a question about using TCT on image based systems, on which I had promised to provide more information. Specifically, virtual machines may be used to capture activity down to the actual machine code instructions, but on a practical level, it is not possible on general purpose computers given all their peripherals, etc. However, increased "trustworthiness" can be achieved with image based systems because they are not subject (not directly, anyway) to the laws of physics, e.g. bad disks, etc. Special care should be taken, however, after a malicious attack, to keep malware confined to the VM "partition*." If hostile software can recognize its virtual environment, it may be able to exploit bugs in the implementation of the virtual monitor and escape confinement. Chapter 6 of Forensic Discovery (see recommended reading in the PDF) addresses Malware Analysis Basics.

* Not a concise word in this case.

Please let me know if I owe you a follow-up.

Incidentally, the Red Hat Magazine article to which I referred during my presentation, and which provided the basis for much of my research, is now available online: http://www.redhat.com/magazine/005mar05/features/security/

Matt Frye

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
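The post above notes that hostile software which recognizes its virtual environment may try to exploit the virtual monitor and escape. The following is an added example, not code from Matt Frye's post, the presentation or Forensic Discovery, showing the simplest such recognition check on x86: the "hypervisor present" bit (bit 31 of ECX from CPUID leaf 1) and the vendor string that leaf 0x40000000 returns in EBX, ECX, EDX. The function names, the sample register values (KVM and Hyper-V vendor strings) and the non-x86 fallback are assumptions made for this example; it uses only the GCC/Clang `<cpuid.h>` helpers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31: reserved (0) on bare metal, set by hypervisors
 * that follow the de facto convention (KVM, Xen, VMware, Hyper-V, VirtualBox).
 * A hypervisor that wants to stay hidden can simply not set it. */
#define HYPERVISOR_BIT (1u << 31)

/* Pure decoding helper (assumed name): does this leaf-1 ECX value report a
 * hypervisor? Kept separate from the live query so it can be tested with
 * constructed register values on any machine. */
int hypervisor_bit_set(uint32_t ecx) {
    return (ecx & HYPERVISOR_BIT) != 0;
}

/* Pure decoding helper (assumed name): rebuild the 12-byte vendor string that
 * leaf 0x40000000 returns in EBX, ECX, EDX. Each register holds four ASCII
 * bytes, lowest byte first, so decode by shifting rather than memcpy to stay
 * independent of host endianness. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    out[12] = '\0';
}

/* Live query of the running CPU (assumed name).
 * Returns 1 and fills vendor if the hypervisor bit is set,
 *         0 (empty vendor) if the bit is clear,
 *        -1 when built for a non-x86 target, where CPUID does not exist. */
int detect_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* __get_cpuid checks that leaf 1 is supported before issuing it. */
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* Leaf 0x40000000 is only meaningful once the bit says a hypervisor is
     * there; __get_cpuid would reject it as above the basic-leaf maximum,
     * so issue it directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_hv_vendor(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = detect_hypervisor(vendor);
    if (r < 0)
        puts("not an x86 build; CPUID unavailable");
    else if (r == 0)
        puts("hypervisor bit clear (bare metal, or a hypervisor hiding itself)");
    else
        printf("hypervisor bit set, vendor signature: \"%s\"\n", vendor);
    return 0;
}
```

Two caveats for the forensic use the post describes: a clear bit proves nothing, because the monitor controls what CPUID returns to the guest and can hide itself, and a set bit only tells malware that it is being watched; the escape itself still needs a bug in the monitor, which is why the post's advice about keeping the VM confined after an attack matters even when the guest looks unaware of the virtualization.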
