An Interesting Challenge.
- Thread starter Overwriter
- Start date
It's never going to be taken up. The cost far outweighs the reward to even attempt let alone potentially succeed (MFM)
further reading: http://sansforensics.wordpress.com/2009 ... rive-data/
further reading: http://sansforensics.wordpress.com/2009 ... rive-data/
Overwriter
Active Member
From a site you mentioned on another thread.
http://www.forensicfocus.com/index.php? ... pic&t=3387
http://www.securityfocus.com/brief/888?ref=rss
Craig Wright seems to know what he is doing and I don’t think I need to disagree with him.
Overwriter said:
I also mentioned the work in this thread
Overwriter said:Craig Wright seems to know what he is doing and I don’t think I need to disagree with him.
His findings makes one big assumption, the program doing the wiping works as advertised. There will be bugs, in some cases bugs big enough to cause data to remain. I'll give you an example:
- Eraser (along with many others) back in 2002 did not properly NTFS alternate data streams resulting in pwnage (see KSSA-003)
Have we learned from it, yes but there is always the possibility for bugs to be (re)introduced, especially when doing something major like rewriting a program from scratch... Which brings us back to the other thread calling for eyes
Joel
Active Member
Correct - can't remember who said it, I think it was Schneier, but the quote goes something like this: security-related software should almost always be public in order for code reviews so as to ensure that the security of the application is not compromised. Perhaps I even mis-quoted him or anyone else (sorry), but I still believe it holds.
Joel
Joel
Modifying MS Word Metadata and MACE values
Perhaps a less difficult challenge - I am running an anti-forensics test - In a nutshell, I have a MS WORD document on an NTFS/XP/Windows Small Business Server. As part of the test, I want to modify the timestamp meta-data on the document - both the MACE values and the actual WORD metadata. Perhaps using timestomp and http://ms-word-document-file-properties ... nshot.html or whatever tools would be best. The goal of the test is to modify the MS WORD document's timestamp meta data - both in the document and on the server system/MACE - so that the effort to make the modifications are not detectable via any computer forensics tools that could be used on the server, including analysis of the MFT. As part of this test, I have full access to the server via my laptop and no forensic testing will be performed on the laptop - only the server.
Responses are welcome via email as well - juan.ziman@gmx.com
Furthermore, if someone is available for consulting work to assist in conducting this test, please contact me.
Perhaps a less difficult challenge - I am running an anti-forensics test - In a nutshell, I have a MS WORD document on an NTFS/XP/Windows Small Business Server. As part of the test, I want to modify the timestamp meta-data on the document - both the MACE values and the actual WORD metadata. Perhaps using timestomp and http://ms-word-document-file-properties ... nshot.html or whatever tools would be best. The goal of the test is to modify the MS WORD document's timestamp meta data - both in the document and on the server system/MACE - so that the effort to make the modifications are not detectable via any computer forensics tools that could be used on the server, including analysis of the MFT. As part of this test, I have full access to the server via my laptop and no forensic testing will be performed on the laptop - only the server.
Responses are welcome via email as well - juan.ziman@gmx.com
Furthermore, if someone is available for consulting work to assist in conducting this test, please contact me.
Christian Stewart
New Member
hahaha, it looks like that all the world's top technical experts are gathered at a single placeFrom a site you mentioned on another thread.
http://www.forensicfocus.com/index.php? ... pic&t=3387
http://www.securityfocus.com/brief/888?ref=rss
Craig Wright seems to know what he is doing and I don’t think I need to disagree with him.