November 28th, 2003, 12:13 AM
Evidence collection from compromised hosts
I got into a debate with a professor of mine today and we can't seem to agree on a solution...
We were discussing the cataloging of evidence from compromised hosts, and we came to the subject of sending that data to a remote computer with netcat. I brought up the point that by sending the data across a network from an untrusted machine, you are employing a possibly compromised OSI stack, and therefore compromising the integrity of your evidence and its accountability in court as well.
His argument to this was that if the OSI stack had been compromised on a machine, it would not work at all. I do not agree. I would think that if a host was compromised, it would certainly be possible to modify the stack subtly enough to alter simple text data being sent across such as that acquired during an initial investigation.
Has there ever been a successful compromise, or even a proof of concept, proving that it would be possible to replace the OSI stack on a compromised host with one that could alter data being sent out?
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
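The question above, modelled as a small Python experiment. This is an added example, not code from the original post or anyone in the thread. It stands in for `cat evidence | nc analyst 9999` with a local socket pair, and models a modified send path on the suspect host as a function (`hostile_stack`, an assumed name) that rewrites bytes just before they go on the wire, while the connection itself keeps working. The sample process listing and the `--sha256--` trailer format are constructed for the example. It then compares two ways of checking what arrived: a hash carried in the same stream, and a hash recorded independently (for instance read off the console and written in the investigator's notes).

```python
import hashlib
import socket
import threading

# Constructed sample "evidence": a fragment of a process listing captured
# on the suspect host. Purely illustrative, not a real artefact.
EVIDENCE = (
    b"PID   USER     COMMAND\n"
    b"1     root     /sbin/init\n"
    b"4242  nobody   /tmp/.x/backdoor\n"
)
# Assumed trailer format for carrying a checksum in the same stream.
HASH_SEPARATOR = b"\n--sha256--\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer(payload: bytes, stack_filter=None) -> bytes:
    """Push payload through a local socket pair, standing in for piping
    evidence to netcat.  stack_filter models a modified network stack on
    the suspect host: when given, it rewrites the bytes just before they
    go on the wire.  Returns what the analyst side received."""
    sender, receiver = socket.socketpair()
    wire = stack_filter(payload) if stack_filter else payload

    def send():
        sender.sendall(wire)
        sender.close()

    t = threading.Thread(target=send)
    t.start()
    chunks = []
    while True:
        chunk = receiver.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    receiver.close()
    t.join()
    return b"".join(chunks)


def hostile_stack(payload: bytes) -> bytes:
    """Simulated subtle alteration (hypothetical): one line of the listing
    is rewritten.  Nothing about the connection breaks."""
    data, sep, trailer = payload.partition(HASH_SEPARATOR)
    data = data.replace(b"/tmp/.x/backdoor", b"/usr/sbin/sshd")
    if sep:
        # An in-band checksum is just more bytes on the same path, so the
        # simulated stack can replace it with one matching the altered data.
        trailer = sha256_hex(data).encode()
    return data + sep + trailer


def scenario_clean() -> bool:
    """Unmodified host: data and independently recorded hash agree."""
    notebook_hash = sha256_hex(EVIDENCE)
    received = transfer(EVIDENCE)
    return received == EVIDENCE and sha256_hex(received) == notebook_hash


def scenario_in_band_hash() -> bool:
    """Hash appended to the stream on the suspect host and checked on
    receipt.  Returns True if the receiver *believes* the data is intact."""
    payload = EVIDENCE + HASH_SEPARATOR + sha256_hex(EVIDENCE).encode()
    received = transfer(payload, hostile_stack)
    data, _, claimed = received.partition(HASH_SEPARATOR)
    return sha256_hex(data) == claimed.decode()


def scenario_out_of_band_hash() -> bool:
    """Hash recorded independently of the network (e.g. copied from the
    console into the case notes); the wire carries only the data."""
    notebook_hash = sha256_hex(EVIDENCE)
    received = transfer(EVIDENCE, hostile_stack)
    return sha256_hex(received) == notebook_hash


if __name__ == "__main__":
    print("clean transfer verified:", scenario_clean())
    print("hostile stack, in-band hash still passes:", scenario_in_band_hash())
    print("hostile stack, out-of-band hash passes:", scenario_out_of_band_hash())
```

Run as-is it prints `True`, `True`, `False`: the altered listing is only caught when the reference hash never travelled through the suspect path. The remaining caveat is the one the post itself raises: a hash computed with the suspect host's own tools is only as trustworthy as that host, so the reference value should come from a trusted binary (for example statically linked tools on read-only media) before it is written down.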