Disproving the Trojan Defense


keydet89
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 23, 05 00:46

Hogfly,

In many cases, I find analysis reports by A/V vendors to be lacking in necessary detail...largely because they are not analyzing the malware from the perspective of a forensic analyst attempting to prove or disprove something.

Regarding clout...a file recovered from an image will be the same regardless of who views it; ie, the prosecution or the defense. Analysis techniques can and should be documented, and those techniques are not available at any A/V site that I'm aware of. I'm not an expert witness, but I know for a fact that I would not go to court based on the "analysis" available from Symantec or any other site...if for no other reason than because the first question from the defense will be with regards to the analysis process. "I searched on Google" or "I read the Symantec web site" as an answer will destroy a professional reputation.

> Could you share some of the methods used for determining the validity
> of the defenses in CP cases?

Well, certain Registry files maintain information specific to user activity. Not all activity is recorded, but some is, along with timestamps, ie, LastWrite times. If the user interacted with the files that he claims were left there by a Trojan, then that interaction may be recorded in the Registry.

Some applications maintain lists of recently accessed files. For example, when you open Word and click on File, the bottom of the drop-down menu has a list of files. This information is maintained in the Registry.

The Registry also maintains a list of recently accessed files, by type (ie, extension). When a user double-clicks a file, the Registry is examined for the application to use to open it...but the interaction of double-clicking places a reference to the file (by type) in the Registry, along with an MRU list.

Information about USB devices connected to the system is maintained in the Registry. While EXIF data maintained within JPEG images taken with a digital camera do not contain unique identifying information (with regards to the camera), the Registry does (in some cases). Examining the Registry and the device descriptor of the camera may show that the camera used to create certain digital images had been connected to the system.

The data about USB storage devices may also be used in correlation with the contents of LNK files in the "My Recent Documents" folder.

As you can see, there are a variety of areas that can be examined. Limited testing of my own has shown that accessing image files remotely via a network share or a backdoor (ie, netcat) does not place the entries in the Registry, while accessing them locally will...which would obviate a "Trojan Defense".

> I haven't seen the registry mentioned or used in any of the affadavits
> or testimonies I've read yet either.

I would suspect, based on my conversations with LEOs, that this is because Registry analysis is not something that's being done. My impression is that this is the case, due to lack of knowledge and understanding.
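The per-extension "recently accessed files" lists keydet89 describes are stored as numbered or lettered values whose order is kept in an MRUListEx (DWORD indices) or older MRUList (letter string) value. The following is an added example, not code from this thread or from any tool mentioned in it: it decodes both ordering forms, pulls the file names out of RecentDocs-style entries, and converts a key LastWrite FILETIME to UTC. The value layouts are assumed to follow the XP-era RecentDocs and OpenSaveMRU formats, and all sample data is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian DWORD value indices, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def decode_recentdoc_entry(data: bytes) -> str:
    """A RecentDocs entry starts with the file name as null-terminated UTF-16LE;
    the shell-item bytes that follow the name are ignored here."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")

def ordered_recent_files(values: dict) -> list:
    """File names of one per-extension MRU subkey, most recent first. Handles the
    MRUListEx (DWORD) form and the older MRUList (letter-string) form."""
    if "MRUListEx" in values:
        names = [str(i) for i in parse_mrulistex(values["MRUListEx"])]
    elif "MRUList" in values:
        names = list(values["MRUList"])
    else:
        return []
    out = []
    for name in names:
        entry = values.get(name)
        if entry is None:
            continue  # the list points at a value that no longer exists
        out.append(decode_recentdoc_entry(entry) if isinstance(entry, bytes) else entry)
    return out

def filetime_to_utc(filetime: int) -> datetime:
    """Key LastWrite time: FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
# Constructed sample data, not taken from any real system.
def _entry(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18
SAMPLE_RECENTDOCS_JPG = {  # RecentDocs\.jpg style, MRUListEx order: 2, 0, 1
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("holiday.jpg"), "1": _entry("IMG_0042.jpg"), "2": _entry("scan001.jpg"),
}
SAMPLE_OPENSAVE_JPG = {"MRUList": "cab", "a": "C:\\pics\\a.jpg", "b": "C:\\pics\\b.jpg", "c": "C:\\pics\\c.jpg"}
SAMPLE_LASTWRITE = 127771776000000000  # FILETIME for 2005-11-23 00:00:00 UTC
```

The most-recent-first order is what lets an MRU entry be compared against the LastWrite time of its subkey and against LNK files in the user's recent-documents folder.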

hogfly
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 23, 05 03:16

- keydet89
> Hogfly,
>
> Regarding clout...a file recovered from an image will be the same regardless of who views it; ie, the prosecution or the defense. Analysis techniques can and should be documented, and those techniques are not available at any A/V site that I'm aware of. I'm not an expert witness, but I know for a fact that I would not go to court based on the "analysis" available from Symantec or any other site...if for no other reason than because the first question from the defense will be with regards to the analysis process. "I searched on Google" or "I read the Symantec web site" as an answer will destroy a professional reputation.

Absolutely, but note I said an experienced malware analyst at Symantec, not Symantec as a whole or its crappy analysis site where they post what equates to the executive analysis.

If the AV vendors provided a service whereby one of their analysts appeared in court after analyzing a submitted piece of malware that's being used in a 'trojan defense' case, I would think it would hold more weight than a forensic analyst that dabbles in malware analysis providing 'expert' testimony.
 
  

keydet89
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 23, 05 05:17

> note I said a experienced malware analyst at symantec

Sure, but what's the likelihood that Symantec is going to expose themselves to that kind of liability?

> If the AV vendors provided a service whereby one of their analysts
> appeared in court after analyzing a submitted piece of malware that's being
> used in a 'trojan defense' case, I would think it hold more weight than a
> forensic analyst that dabbles in malware analysis providing 'expert'
> testimony.

Well, like I said, I doubt that Symantec is going to expose themselves to that kind of liability. The analyst could serve as an expert witness without appearing as a Symantec employee...but A/V analysts don't necessarily look for the same kinds of things as a forensic analyst or expert witness. Finally, I really doubt that anyone who "dabbles" in anything is ever called to the stand as an expert witness.

So much for the original subject line, I guess...