I'd argue that the most sensible approach is to encrypt your hard drive at low level (a number of packages exist, some free) to implement a booby trap. All that has to happen then is power down and the trap springs, data being encrypted already. Then the most a booby trap would need would be to power off, possibly after wiping the cipher key in memory a few times. I have not however seen any code to implement such a trap. Obviously you'd want it to trigger time-based every few minutes and require perhaps some mystery key sequence to keep going. If I am right that these things really aren't out there much (apart from the cryptodisk) it implies that the often-recommended approach of pulling the plug on the disk is exactly the wrong thing to do. I would be most interested to see if anybody in the real world actually has a data destroying daemon ready to run at a keystroke. Seems hard to imagine trusting records on such a box. If then you figure to encrypt rather than destroy data, isn't it simpler to have it encrypted all the time on disk in the first place? By now surely criminals informed enough to think about booby traps can figure the foregoing out.

Glenn Everhart

-----Original Message-----
From: H Carvey [mailto:keydet89at_private]
Sent: Thursday, November 29, 2001 5:17 AM
To: forensicsat_private
Subject: Re: boobytraps
In-Reply-To: <sc061540.013at_private>

>I want to set up a pc in my lab that has boobytraps and/
> or logic bombs set (for boot or shut down).

Very interesting. Can you specify a platform (ie, Linux, NT/2K, etc)?

I'd explore options used on Win32 systems by trojans and worms to remain persistent...

Win9x/ME
- Entries in the autoexec.bat, such as "rmdir /s /q c:\*"
- Entries in the system.ini and win.ini files

NT/2K
- Trojaning the GINA DLL

Both
- The classic "Run" key and its variants
- Entries in user startup directories

You might also consider some physical boobytraps...
- Rewire the power switch to initiate something other than power to the box
- Place an empty shot glass on top of the hard drive inside the case, and close the case. If the investigator picks the box up and moves it without checking inside the box, inform him of a case (I was told about this one during some forensics training I attended) in which a shot glass was filled w/ extremely powerful acid and 'hidden' in such a manner.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
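The dead-man's-switch daemon Everhart describes above (demand a secret key sequence every few minutes; if it does not arrive, overwrite the disk cipher key in RAM a few times and power off) sketched out as an added example. This is not code from either poster in the thread. The key sequence, the 300-second window, the 32-byte in-memory key, the poweroff hook and the fake clock are all assumptions chosen so the run is deterministic and can execute offline.

```python
"""Dead-man's switch for a full-disk-encrypted box (added example, not from the thread).

The disk key is held only in RAM. An operator must present the secret key
sequence within `interval` seconds of the last check-in; otherwise the daemon
scrubs the key buffer and calls the poweroff hook. With the disk already
encrypted, powering off is the whole trap: nothing has to be destroyed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, List


def wipe_key(key: bytearray, passes: int = 3) -> None:
    """Overwrite the key buffer in place, random bytes then zeros, `passes` times.

    Caveat: this scrubs only this one buffer. The OS crypto layer that actually
    holds the disk key (a dm-crypt keyslot, for instance) has to be torn down
    separately, and an interpreter may have made copies this cannot reach.
    """
    n = len(key)
    for _ in range(passes):
        key[:] = secrets.token_bytes(n)
        key[:] = bytes(n)


class DeadMansSwitch:
    """Demands the key sequence every `interval` seconds, else wipes and powers off."""

    def __init__(self, key: bytearray, sequence: bytes, interval: float,
                 poweroff: Callable[[], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.key = key
        # Store only a digest of the sequence so its plaintext is not in RAM.
        self._seq_digest = hashlib.sha256(sequence).digest()
        self.interval = interval
        self.poweroff = poweroff          # assumed hook; real one would run the OS poweroff
        self.clock = clock
        self.last_checkin = clock()
        self.sprung = False

    def check_in(self, candidate: bytes) -> bool:
        """Operator types the sequence; a correct one resets the timer."""
        ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), self._seq_digest)
        if ok and not self.sprung:
            self.last_checkin = self.clock()
        return ok

    def tick(self) -> bool:
        """Call from a periodic timer; True only on the tick that springs the trap."""
        if self.sprung:
            return False
        if self.clock() - self.last_checkin > self.interval:
            wipe_key(self.key)
            self.sprung = True
            self.poweroff()
            return True
        return False


class FakeClock:
    """Constructed clock so the simulation below is deterministic and offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> dict:
    """Worked run: one good check-in, one wrong one, then a missed window."""
    clock = FakeClock()
    events: List[str] = []
    key = bytearray(secrets.token_bytes(32))      # constructed stand-in for the disk key
    trap = DeadMansSwitch(key, b"xyzzy-plugh", interval=300.0,
                          poweroff=lambda: events.append("poweroff"), clock=clock)

    clock.advance(200)
    trap.check_in(b"wrong sequence")   # rejected, timer untouched
    trap.check_in(b"xyzzy-plugh")      # accepted at t=200
    clock.advance(250)                 # t=450: 250 s since check-in, inside the window
    sprang_early = trap.tick()
    clock.advance(100)                 # t=550: 350 s, window missed
    sprang = trap.tick()
    return {
        "sprang_early": sprang_early,
        "sprang": sprang,
        "key_zeroed": key == bytearray(32),
        "events": events,
        "tick_after": trap.tick(),     # already sprung, nothing more happens
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the sketch is the control logic, which is the part Everhart says he has never seen written down. A real deployment would replace the `poweroff` lambda with the OS shutdown command and would also have to close the encrypted mapping so the kernel drops its own copy of the key; scrubbing a userland buffer alone does not clear the key from memory.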
This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 15:31:26 PST