Presented at THOTCON 0x1 (2010)
April 23, 2010, 2:20 p.m.
Forensic analysis is one of the least developed areas of computer security. Investigations are often handled by individuals with little more than a software certification, and very few investigators have detailed knowledge of the inner workings of the software and systems they analyze. A checklist of search terms and a copy of EnCase is often sufficient for cases involving less knowledgeable defendants, but what happens when a skilled attacker plans for the eventuality of forensic analysis? This talk will discuss the process and failings of forensic analysis as it is commonly performed today. We will present the details of techniques which can be used to undermine modern forensic analysis. These techniques will be outlined through detailed samples implemented in a Linux rootkit, along with improvements that could be made to the forensic process.
As an Application Security Consultant at Neohapsis Inc., Greg specializes in application security assessment, internal and external penetration testing, as well as performing research on topics ranging from kernel-level exploitation to web application vulnerabilities. Prior to joining Neohapsis, Greg developed a lightweight security framework for mobile devices and implemented a secure boot and re-imaging infrastructure to enforce data integrity.
Cris Neckar is currently a jobless bum but will be starting on Google's security team in May. Until recently he was a Senior Application Security Consultant at Neohapsis Inc. where he specialized in application assessment, vulnerability research, and exploit development. In this capacity Cris led penetration tests and whitebox assessments on high profile software, web applications and embedded devices as well as forensic malware analysis. Cris also spends his time performing and publishing research into new attack techniques. As an adjunct professor for DePaul University's College of Digital Media in Chicago, Cris developed and teaches one of the first graduate level courses on the technical details of application assessment and exploit development.