RE: CRC32 vd MD5

From: James.Holleyat_private
Date: Thu Jan 23 2003 - 18:48:44 PST

  • Next message: Ray Strubinger: "Re: CRC32 vd MD5"

    Jason said:
    
    <
    A well-designed stealth rootkit would be certain to interfere with hash
    verification -- returning the expected hashes of compromised files so as to
    further reduce the chance of detection.
    >
    
    This is certainly true when doing analysis on a live system where the 
    rootkit is installed and running and can detect when you initiate a call 
    to MD5 or SHA-1. But one of the 4 Cardinal Rules of Computer Forensics is 
    to never trust the subject operating system. We never know how an OS may 
    have been compromised and cannot explicitly trust the results of any 
    process run using the binaries and memory space on the platform under 
    investigation without additional work to independently verify those 
    results.
    
    However, if you have an image of the system and are analyzing the image on 
    another system, of course the rootkit is not "up and running" and has no 
    way to interfere with a call to MD5 or SHA-1.
    
    When I do a training class for entry level students, I show them how I 
    have modified IO.SYS on a DOS machine to delete files when the student 
    issues the "DIR" command on the compromised system. But "DIR" on our 
    forensics machine behaves as it is supposed to. The demonstration is 
    fairly simple and intended only to relay a concept - Never Trust the 
    Subject OS. For the advanced class, we go over details of the startup 
    scripts on our Linux box to show them how to configure a forensics 
    platform and why certain things should be done and certain other things 
    should not be done on boot up. You must control your forensic environment.
    
    Just as a reminder, the 4 Cardinal Rules are
    
            1) Never mishandle evidence
            2) Never trust the subject operating system
            3) Never work on the original evidence
            4) Document everything
    
    As long as you are not violating one of these rules, then the specific way 
    you proceed to investigate something can be tailored to the circumstances 
    and based on your own training and experience. But violating one of these 
    can compromise your investigation or your evidence.
    
    James
    ===============================
    
    James O. Holley
    Ernst & Young
    Litigation Advisory Services &
    Computer Forensic Services
    http://litigation.ey.com
    
    Office:   703.747.1059
    Fax:       703.747.0104
    Lab:       703.747.0253
    Pager:    888.620.5275
    Pager email: 6205275 "AT" skytel.com
    
    ===============================
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
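The procedure James describes, hashing files from an image on a separate forensics workstation and comparing them with known-good values so the subject OS never gets a say in the result, as an added example that is not part of his post or of the list archive. It assumes the image is mounted read-only at some path on the analyst machine and that a baseline manifest was built earlier from trusted media; the file names and contents in `demo()` are constructed for illustration. It goes slightly beyond the post by hashing with MD5, SHA-1 and SHA-256 in one pass and flagging a file as modified if any of them disagree.

```python
"""Offline hash verification of a mounted disk image against a known-good manifest.

Run on the forensic workstation, never on the subject system: the only code that
executes here is the analyst's Python and hashlib, so a rootkit inside the image
has no running process with which to lie about file contents.
"""
import hashlib
import os
import tempfile

# Hashing with several algorithms at once: a swapped file would have to collide
# under all of them simultaneously to pass.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash one file with every algorithm in a single streamed pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(mount_root, algorithms=ALGORITHMS):
    """Walk the mounted image and return {relative_path: {algo: hexdigest}}.

    Symlinks are skipped rather than followed, so a link planted in the image
    cannot drag files from the analyst workstation into the manifest.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(mount_root):
        # Prune symlinked directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(
            d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))
        )
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, mount_root)] = hash_file(full, algorithms)
    return manifest


def compare_manifests(baseline, observed):
    """Classify every path as ok, modified, missing or added relative to the baseline."""
    report = {"ok": [], "modified": [], "missing": [], "added": []}
    for rel, expected in baseline.items():
        actual = observed.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif any(actual.get(algo) != digest for algo, digest in expected.items()):
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(observed) - set(baseline))
    return report


def _write(root, rel, data):
    """Helper for the constructed scenario: write data at root/rel, creating dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a fake image mount whose 'ps' was replaced by a rootkit."""
    with tempfile.TemporaryDirectory() as image:
        # Hypothetical contents of the trusted baseline (constructed sample data).
        _write(image, "bin/ls", b"ELF ls binary (constructed)")
        _write(image, "bin/ps", b"ELF ps binary (constructed)")
        _write(image, "etc/motd", b"Welcome\n")
        _write(image, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(image)

        # Simulated compromise: trojaned ps, a dropped library, and a deleted file.
        _write(image, "bin/ps", b"ELF ps binary with process hiding (constructed)")
        _write(image, "lib/.rk.so", b"hidden module (constructed)")
        os.remove(os.path.join(image, "etc", "motd"))

        return compare_manifests(baseline, build_manifest(image))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:9s} {paths}")
```

In practice the baseline manifest comes from known-good media (install ISO, package database, a hash set such as NSRL) rather than from the image itself, and the mount is read-only with `noexec` so nothing in the image can run during the check.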
    



    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 07:35:41 PST