marcyu wrote:
You're not reading properly - the live cd is read only (you can't write to it). The evidentiary disk is read only (you can't write to it) when using a hardware write blocker. You can't have a trojan program if the file system isn't even mounted, as it's not even on the same layer on the OSI model. And what would it execute? There is nothing to execute on, as the only writable medium is the collection disk, which is already wiped. This argument is invalid on its face value.
I understood your position. However, I have to disagree with you:
1. It is a common practice to keep several disk images on one target drive (for the purpose of adequate space utilization). What can a trojan program do with such data on a target drive? It can delete these disk images, alter them or even add some false evidence. But I don't think that such a possibility is more than a theory. Let's just skip ahead.
2. What else can a trojan program do? Perhaps it can alter the process of acquisition, thus affecting the results of a subsequent forensic examination. If an examiner trusts his tools, it's unlikely that he will examine the original evidence in order to find the differences in a verified copy (a verified forensic image) in each particular case, so alteration is very likely to remain unnoticed. Is there a technical possibility to do so in the case of Ubuntu-based forensic Live CDs? Yes. Such Live CDs, as I said before, are based on code that was not designed with computer forensics in mind. But is this another theoretical attack? Maybe.
3. Many computers don't have CD drives nowadays. So we should expand the judgements to Live USBs, which are, in general, writable.
4. Quite often Live CDs and Live USBs are used to preview a suspect computer or a drive on site (usually without a hardware write blocker). At this point, many conclusions from this paper come into play.
5. Finally, the most practical implication of arbitrary code execution in Live CDs and Live USBs is that a plaintiff/defendant can demonstrate (in practice, not in demagogy) that your method of creating a forensic image or your method of conducting the examination using <your tool here> is flawed (based on argument #2), and then convince the court that your results cannot be trusted. In some jurisdictions regulators state that forensic methods, not only the tools or particular results of their usage in a case, should be verified.
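A check a defender might run for the alteration risk raised in points 1 and 2, as an added example that is not part of this thread and not any poster's code: it records SHA-256 digests of the images kept on a collection drive in a manifest (assumed to be stored on separate read-only media, independent of the acquisition tool) and later reports which images were modified, deleted or added. The directory layout, file names and contents are constructed for the demo.

```python
"""Added example (not from the thread): detect alteration of forensic images
kept together on one collection drive, independent of the acquisition tool.

Assumptions (mine, not the poster's): images live in one directory, a
manifest of SHA-256 digests is written at acquisition time and kept on
separate read-only media, and verification is run later by a different
process. Sample "images" are constructed in a temp directory."""
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB images don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(image_dir):
    """Digest and size for every file in image_dir, keyed by file name."""
    return {name: {"sha256": sha256_file(os.path.join(image_dir, name)),
                   "size": os.path.getsize(os.path.join(image_dir, name))}
            for name in sorted(os.listdir(image_dir))}

def verify_manifest(image_dir, manifest):
    """Return sorted lists of modified / missing / unexpected image names."""
    present = set(os.listdir(image_dir))
    expected = set(manifest)
    modified = [n for n in sorted(expected & present)
                if os.path.getsize(os.path.join(image_dir, n)) != manifest[n]["size"]
                or sha256_file(os.path.join(image_dir, n)) != manifest[n]["sha256"]]
    return {"modified": modified,
            "missing": sorted(expected - present),
            "unexpected": sorted(present - expected)}

def demo():
    """Simulate the three tamper cases from point 1 and return the report."""
    d = tempfile.mkdtemp()
    for name, data in (("case1.E01", b"A" * 4096), ("case2.dd", b"B" * 8192)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)                      # constructed stand-in images
    manifest_json = json.dumps(build_manifest(d))  # would go to read-only media
    with open(os.path.join(d, "case1.E01"), "r+b") as f:
        f.seek(100); f.write(b"X")             # altered image (same size)
    os.remove(os.path.join(d, "case2.dd"))     # deleted image
    with open(os.path.join(d, "planted.dd"), "wb") as f:
        f.write(b"C" * 512)                    # added "false evidence"
    return verify_manifest(d, json.loads(manifest_json))
```

Run `demo()` to see all three cases flagged; in practice the manifest is produced right after acquisition and checked before every examination, with the digest tool chosen independently of the imaging software.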