Re: Are computer forensics people as stupid as they seem?
- From: Anonymous via Panta Rhei <anonymous@xxxxxxxxxxxxxxxxx>
- Date: 5 Jun 2007 18:59:55 -0000
From the description on the link you gave, it looks like DCPP 3.9
would be unsuitable because it seems to write unencrypted data to
somewhere other than the first 63 sectors. That bothers me a little. I
Well, by default this is the case due to the "bootauth.sys" files.
However, out of the box DCPP isn't really intended to be stealthy
in the first place. My only thought is that it might be easier
to modify the bootauth.sys files to be trojans than when DCPP was
just using the boot sector code only. The extra bootauth files are
supposed to add some redundancy which is probably a good idea for
But the bootauth.sys files are only in the outer OS. When you make the
hidden OS in DCPP you will notice that those files aren't included. So
when you write your clean OS back to disk you overwrite the boot sector
"stub" and also the bootauth.sys files. But you could always use DCPP
version 3.0, since it was still using only the boot sector "stub".
That should be the case but feel free to double check me if you have
One obvious drawback of the description on the link is that you have
to have a boot disk. My guess would be you would have to carry this
with you at all times, since I would presume it would be unwise to
leave it lying next to your system. It's still workable, but a bit of
The DCPP boot disk should just function like the boot sector does: you
have to enter your password the same as before. So the bootdisk
wouldn't be any more of a liability than the boot sectors/bootauth
files on disk. I don't believe that the DCPP boot media has anything
that identifies that it boots a hidden OS in addition to a normal
one. Possibly, you could make a dd copy of the encrypted outer OS
and write it to a smaller, throw-away, drive. Then your boot disk
would actually be able to get into something other than your real
system: "Why yes, officer, the boot disk in the box with the drive over
there is something I was testing. You can start it up if you like,
the password is password." >:->
Incidentally, you always have to have *something* that runs the
decryption. Even if it is something you download when you need it.
You have to have some sort of boot disk if you don't use on-disk
decryption code....unless you have some sort of magical decryption
Reading that site is a little eerie because just over the last week,
I've discussed USB security while a computer is running and locked.
I've discussed hidden operating systems and forensic software. And I
almost never see anyone else talking about that stuff.
<Cue Twilight Zone music>. Actually, I am surprised that more people
aren't discussing the same things. Well, I'm sure the FEDS are
talking about it, but that hardly counts.
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.eu.org
for abuse and hashcash info.
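The question behind the exchange above is whether a "full disk" encryption product leaves readable data anywhere other than the first 63 sectors (the legacy boot track). That is something you can check yourself on a dd image of the drive rather than trust the vendor description. The following is an added example written for this thread, not code from DCPP or from either poster: it scores every 512-byte sector by Shannon entropy and reports sectors beyond the boot track that look like plaintext or zero fill instead of ciphertext. The sample image it builds (fake boot stub, pseudo-random "ciphertext", a planted readable driver-like file, two zeroed sectors) is constructed for the demonstration; the 63-sector boundary and the 6.0 bits/byte threshold are assumptions you can tune.

```python
"""Entropy scan of a raw disk image: does anything readable live beyond the
boot track?  Added example for this thread; not DCPP's or any vendor's code."""
import math
import random
import sys
from collections import Counter

SECTOR = 512
BOOT_TRACK_SECTORS = 63   # assumption: the "first 63 sectors" discussed in the thread


def sector_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, threshold: float = 6.0, skip: int = BOOT_TRACK_SECTORS):
    """Return {sector_index: (entropy, label)} for every sector at or beyond
    `skip` whose entropy is below `threshold`.

    Ciphertext (and compressed data) measures close to 8 bits/byte; a 512-byte
    sample of uniform random bytes lands around 7.6.  Code and text sit well
    below 6, and zero fill is exactly 0, so it is labelled separately rather
    than mistaken for leaked plaintext."""
    hits = {}
    for i in range(skip, len(image) // SECTOR):
        chunk = image[i * SECTOR:(i + 1) * SECTOR]
        h = sector_entropy(chunk)
        if h < threshold:
            hits[i] = (h, "zero-fill" if h == 0.0 else "plaintext?")
    return hits


def build_sample_image(total_sectors: int = 512, plant_at: int = 300, seed: int = 7) -> bytes:
    """Constructed test image (not a real DCPP disk): a fake boot stub in the
    boot track, seeded pseudo-random 'ciphertext' elsewhere, three sectors of a
    readable driver-like file planted at `plant_at`, then two zeroed sectors."""
    rng = random.Random(seed)
    stub = (b"BOOT STUB: enter password> " * 20)[:SECTOR]
    leak = (b"bootauth.sys  This program cannot be run in DOS mode.\r\n" * 12)[:SECTOR]
    sectors = []
    for i in range(total_sectors):
        if i < BOOT_TRACK_SECTORS:
            sectors.append(stub)
        elif plant_at <= i < plant_at + 3:
            sectors.append(leak)
        elif plant_at + 3 <= i < plant_at + 5:
            sectors.append(bytes(SECTOR))
        else:
            sectors.append(bytes(rng.getrandbits(8) for _ in range(SECTOR)))
    return b"".join(sectors)


def report(hits) -> str:
    """Human-readable summary of scan_image() output."""
    if not hits:
        return "no low-entropy sectors beyond the boot track"
    lines = [f"sector {i:>8}  entropy {h:4.2f}  {label}" for i, (h, label) in sorted(hits.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 scan.py /path/to/dd-image (or a raw device you can read)
    # With no argument the constructed sample image is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_image()
    print(report(scan_image(image)))
```

Expect false positives from zero-filled slack and from structures that are legitimately unencrypted (partition tables, a vendor's own boot loader), and false negatives wherever plaintext happens to be compressed, so treat a hit as something to open in a hex viewer, not as proof by itself. Reading a whole drive into memory is fine for the example; for a real disk, read it in chunks.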