Jason said: < A well-designed stealth rootkit would be certain to interfere with hash verification -- returning the expected hashes of compromised files so as to further reduce the chance of detection. > This is certainly true when doing analysis on a live system where the rootkit is installed and running and can detect when you initiate a call to MD5 or SHA-1. But one of the 4 Cardinal Rules of Computer Forensics is to never trust the subject operating system. We never know how an OS may have been compromised and can not explicitly trust the results of any process run using the binaries and memory space on the platform under investigation without additional work to independently verify those results. However, if you have an image of the system and are analyzing the image on another system, of course the rootkit is not "up and running" and has no way to interfere with a call to MD5 or SHA-1. When I do a training class for entry level students, I show them how I have modified IO.SYS on a DOS machine to delete files when the student issues the "DIR" command on the compromised system. But "DIR" on our forensics machine behaves as it is supposed to. The demonstration is fairly simple and intended only to relay a concept - Never Trust the Subject OS. For the advanced class, we go over details of the startup scripts on our Linux box to show them how to configure a forensics platform and why certain things should be done and certain other things should not be done on boot up. You must control your forensic environment. Just as a reminder, the 4 Cardinal Rules are 1) Never mishandle evidence 2) Never trust the subject operating system 3) Never work on the original evidence 4) Document everything As long as you are not violating one of these rules, then the specific way you proceed to investigate something can be tailored to the circumstances and based on your own training and experience. But violating one of these can compromise your investigation or your evidence. James =============================== James O. Holley Ernst & Young Litigation Advisory Services & Computer Forensic Services http://litigation.ey.com Office: 703.747.1059 Fax: 703.747.0104 Lab: 703.747.0253 Pager: 888.620.5275 Pager email: 6205275 "AT" skytel.com =============================== ________________________________________________________________________ The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 07:35:41 PST