Full Disclosure mailing list archives

Re: Disk wiping -- An alternate approach?
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Mon, 25 Jan 2010 13:43:48 -0500

> You are telling me "Modern forensic" examiners DRAW CONCLUSIONS
> without looking at ALL possible evidence, and by sifting just a few bytes
> of possible "related keywords" draw insufficient conclusions?

No, they find the keyword in a file (or fragment thereof) and examine
the resulting file or reconstruct the fragments to see if it's relevant
to their investigation. Putting YOUR bomb plot amidst thousands of news
articles about OTHER bomb plots won't fool them, and it'll make you look
sufficiently guilty that you'll sit in jail while they waste their time.

> It's like, when a forensic incident happens, you take fingerprints from
> the whole house, skipping a few rooms, thinking there are sooooo many
> rooms to look through...?


Depends on what they're trying to prove. In a burglary case, they might
see prints on the stereo cabinet and lift those. No need to fingerprint
the entire house when they've got a clear print, although they usually
grab a few others just to be sure.

Apparently you've never sat through a trial. Find an interesting case
and go attend; it's highly educational. Basically a jury is 12 people of
the general population (in actuality, an in-depth knowledge of the
subject matter at hand is likely to get you dismissed as a juror by one
or both sides). The jury, having watched CSI and such, will listen with
utter fascination as the State's expert in computer forensics talks about
how he extracted the data, and it will paint a VERY convincing picture
for 12 people who know nothing about computers.

> On top of that, the keywords they fish out that way are by no means
> guaranteed to belong to the OWNER OF THE COMPUTER, instead of being leftover
> chunks from the internet written by someone else that land in your computer's
> disk fragments as free space when the browser cache is flushed?

Possession is 9/10ths of the law. You can try and float your "wikipedia
did it" theory at trial, but ultimately it's a matter of which theory
sounds more plausible to the jury:

1. defendant had illegal stuff on his computer.
2. defendant says illegal stuff on his computer was an effort to hide
any potential illegal stuff by putting articles about related illegal
stuff he didn't do on there.

Quit trying to re-invent the wheel and get your crypto on and lawyer up
when asked about it.


Michael Holstein
Cleveland State University

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
