full-disclosure-uk January 2010 archive

Re: [Full-disclosure] Disk wiping -- An alternate approach?

From: Michael Holstein <michael.holstein_at_nospam>
Date: Mon Jan 25 2010 - 18:43:48 GMT
To: Bipin Gautam <bipin.gautam@gmail.com>

> You are telling me "Modern forensic" examiners DRAW CONCLUSIONS
> without looking at ALL possible evidence, and by sifting just a few bytes
> of possible "related keywords" draw insufficient conclusions?

No, they find the keyword in a file (or fragment thereof) and examine the resulting file or reconstruct the fragments to see if it's relevant to their investigation. Putting YOUR bomb plot amidst thousands of news articles about OTHER bomb plots won't fool them, and it'll make you look sufficiently guilty that you'll sit in jail while they waste their time.

> It's like, when a forensic incident happens you take fingerprints from
> the whole house, skipping a few rooms thinking there are sooooo many
> rooms to look for.....?

Depends on what they're trying to prove. In a burglary case, they might see prints on the stereo cabinet and lift those. No need to fingerprint the entire house when they've got a clear print, although they usually grab a few others just to be sure.

Apparently you've never sat through a trial. Find an interesting case and go attend; it's highly educational. Basically a jury is 12 people of the general population (in actuality, an in-depth knowledge of the subject matter at hand is likely to get you dismissed as a juror by one or both sides). The jury, having watched CSI and such, will listen with utter fascination as the State's expert in computer forensics talks about how he extracted the data, and it will paint a VERY convincing picture for 12 people that know nothing about computers.

> On top of that, the keywords they fish out that way are by no guarantee
> belonging to the OWNER OF THE COMPUTER, instead being leftover chunks from
> the internet written by someone else that land on your computer in
> disk fragments as free space when the browser cache is flushed?

Possession is 9/10ths of the law. You can try and float your "wikipedia did it" theory at trial, but ultimately it's a matter of which theory sounds more plausible to the jury:

  1. defendant had illegal stuff on his computer.
  2. defendant says illegal stuff on his computer was an effort to hide any potential illegal stuff by putting articles about related illegal stuff he didn't do on there.

Quit trying to re-invent the wheel and get your crypto on and lawyer up when asked about it.


Michael Holstein
Cleveland State University

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/