The Hitchhiker's World Issue 4: Reviewing buffer overflow issues/concepts covered in Aleph One's seminal paper, Conclusion of "Advanced Meal - A keylogger in an API", Report on the forensics experiment.
394cc60c5406a5c4298bef738a6be77237f8f0304d005f15e31e248a1a992ee9
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="keywords" content="hitchhiker, security magazine, security holes, exploit, buffer overflow, vulnerability, security writers, malware, virus, trojan, security writers">
<meta name="description" content="The HH's World features mostly network-security articles/programs along with a touch of personal expression. Entries & comments are welcomed.">
<META NAME="AUTHOR" CONTENT="Arun Koshy">
<title>HH World 4</title>
<link rel="stylesheet" type="text/css" href="libstyle.css">
</head>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="120">
<tr>
<td width="100%" height="43" align="center" class="bluelink">
<p class="title">The Hitchhiker's World <br>
Issue #4 </p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<div align="center">
<p><b>Soli Deo gloria - To God alone be glory</b></p>
</div>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Updated : September' 2002</p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Editor : <a href="mailto:hwcol@arunkoshy.cjb.net">Arun Koshy</a></p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Contributors : <a href="mailto:root@ayanthegreat.cjb.net">Ayan Chakrabarti</a>,
<a href="mailto:mrcorp@yahoo.com">Charles Hornat</a></p>
</td>
</tr>
</table>
<p><B>DISCLAIMER :</B> [Insert the biggest, most comprehensive lawyerspeak here].
<B>Securitywriters.org (SWG) or the author(s) are NOT RESPONSIBLE for anything</B>
that happens to you, ur cat, dog, sexlife or wife after you go through the information
presented below. Enjoy.</P>
<p><br>
Contents<BR>
</P>
<UL>
<LI><A
href="#PREV">Editorial</A><BR>
{ News, Views etc }<BR>
</LI>
</UL>
<UL>
<LI><A
href="#BOF">Buffer Overflows : My notes</A><BR>
(..while reading Aleph One's classic paper..)<BR>
<BR>
{ Contrib : Hitchhiker } <BR>
</LI>
</UL>
<UL>
<LI>
<P ><A
href="#KEYS">Advanced Meal (Continued from #3)</A><BR>
(Case Study - A keylogger in an API, Concluding part)<BR>
<BR>
{ Contrib : Ayan Chakrabarti }<BR>
{ Note : Be sure to read the previous parts }</P>
</LI>
<LI><font face="Arial, Helvetica, sans-serif" size="2"><a href="#FOREN">Forensics
: The SWG experiment</a><br>
{ Contrib : Charles Hornat }</font></LI>
</UL>
<P ></P>
<P >Suggested Links :<a href="hh3.php" target="_blank">HW issue #3</a></P>
<P ><FONT face="Arial, Helvetica, sans-serif" color=#000000
size=2>Movies : <BR>
<BR>
<I>Beautiful Mind, Spiderman , Mask (1985 - *ing Cher, Eric Sholtz)</I></FONT>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2" color="#000000">Music
: <br>
<br>
<i>Toploader (Achilles Heel), Barenaked Ladies (Pinch Me), Dave Mathews Band
(Where are you going ?), <a href="http://www.arunkoshy.cjb.net" target="_blank">Arun
Koshy (Rhythm)</a></i></font></p>
<P>
<hr>
<P > <A name=PREV></A><span class="text_head1">Editorial</span> </P>
<P ><font face="Arial, Helvetica, sans-serif" size="2"><b>[September]</b></font><br>
</P>
<ul>
<li>Seeing the whole world debate on the WAT (war against terror), the essay
entitled <a href="http://www.time.com/time/archive/preview/0,10987,1101020902-344059,00.html">"The
Terrible Logic of Nukes"</a> in the by Charles Krauthammer captures the
essence. We've come to a point where we can eloquently justify weapons of
mass destruction, hate on the basis of religion (which is man's way of dividing
god) .. </li>
</ul>
<ul>
<li>A very interesting vulnerability is discovered in Outlook Express, another
way to evade anti-virus scanners (JUST for the time being of course.. AV guys
will patch this pretty easy, just have to put another handler for split mails)
<a href="http://www.theregister.co.uk/content/55/27095.html">here</a>. </li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">The crew comes up with
a new design for the site. Its astouding, now im feeling alive. Let's get
to work! Cheers to Reso , Stat,MrC,Monk!</font><font face="Arial, Helvetica, sans-serif" size="2"><br>
</font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">This issue seems to be
tougher and tougher to write .. things are slowing down at one end and on
the other, its getting too fast. A decision was made to make an update on
HW #4 as #5 is getting delayed due to people needing more time with contribs.</font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">Guns N Roses kicks off
their "Chinese Democracy" tour ! Its good to see Axl raise hell
once again. More at <a href="http://www.gnronline.com">http://www.gnronline.com</a>
and <a href="http://www.lostrose.com">http://www.lostrose.com</a>.. rockin
as usual .. Its about time.. infact last year, Rock In Rio (RIR) was the return
for the king of the jungle. </font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">Decided to work on Crowds
and also get back to kernel design. Another amazing thing .. I recorded my
first guitar solo (about 5 mins of mindless acoustic strummin) .. thinkin
of putting it for public ridicule :). It remains special to me atleast cause
it's done for Rachiel -). Tentatively titled "High on Chords Seven"
.. a line taken from one of my poems.</font></li>
</ul>
<ul>
<li>The strummin evolved into a song. I think its pretty cool :).<font face="Arial, Helvetica, sans-serif" size="2">
Read more about it <a href="http://www.humancapitall.com/arunkoshy/song.htm" target="_blank">here</a>.
Incase you were wondering what I was doing all this time ;-).</font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">Saw Minority Report ..
another film which could be very realistic (similar to the Matrix and A.I
.. artificial, scary future).</font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">Brought D. Knuth's Vol
1... seems fascinating, also brought RH 7.3 (needed the next version, so had
to buy the book). The phone line remains faulty as usual.</font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"> </font><font face="Arial, Helvetica, sans-serif" size="2">Found
a classic book "The Design of the Unix Operating System" by Bach..
and also got my hands on "A new kind of Science" by Stephen Wolfram
(madman or in the league of Newton ?).. okay, I admit it .. an unsatiable
appetite for collecting the <i>classics</i> be it from the present or the
past :).</font></li>
</ul>
<p><span class="text_head2">[June] </span><br>
<br>
Ayan launched a new project about which he writes...<br>
<br>
<i>AI-Bots is an event that we plan to have at the IIT Madras techfest - Shaastra.
AI-Bots is generally a programmer's game. Instead of sitting and playing a game,
you're expected to write programs to do the same thing.</i></p>
<p><i>A combat server runs which simulates a world with walls, flags, etc and
two or more robots. For each robot, there's a corresponding controlling process.
Each process can query the server for various things (player's position, game
time, status of flags, etc.) as well<br>
as issue commands to its robot (move, stop, scan, shoot bombs) through libraries
that are provided. You can write the controlling process in C or C++.</i></p>
<p><i>A beta version of the simulator is up with sample maps and robots. Check
it out at<br>
<a
href="http://aibots.sourceforge.net/"
target=_blank>http://aibots.sourceforge.net/<br>
<br>
</a></i>Also, check his <font color=#0000ff><a href="http://ayanthegreat.cjb.net/"
target=_blank>personal website</a></font> for earlier masterpieces like Keysave,
Meghdoot, Wonko, Guptachar etc. This month has been better (thank god!). Expect
a lot of updates in this issue soon!</p>
<p>PS : <br>
<br>
Looking at the mail HW received during the month, We now have a special e-mail
addy. Send all your hacking requests to <a
href="mailto:hackthis@127.52.43.7">hackthis@127.52.43.7</a> . Some of the world's
best hackers are at your service 24-7, Mail now!
<p>
<p><span class="text_head2">[May]</span><br>
"It's been a weird month of May".. these were my first words when I started
writing this time around.. then the power blew out, I went downstairs. The summer
is at its worst here and you literally feel the heat coming in from all the
directions. Couple that with my weird life peppered with exams and totally out
of control sitiuations.. its simply great :-).
<P >With nothing better to do , I started reading a small little book.. <I>Words
of Hope</I>.. here's a quote I found in it :</P>
<P ><I>The unedurable is the beginning of the curve of joy <BR>
.. Djuna Barnes <BR>
<BR>
</I>Let's test this. Atleast I want to. The moment for me is now. </P>
<P > </P>
<P ><span class="text_head1">Contribute! Learn! Discuss!</span><BR>
<BR>
<span class="text_head2">Contact:</span><BR>
You're invited to send in your entries, comments et.al for publication to <A
href="mailto:hwcol@arunkoshy.cjb.net">hwcol@arunkoshy.cjb.net</A> </P>
<P><span class="text_head2">Hot Topics (but definitely not restricted to):</span><BR>
algorithms, stuff related to systems programming and applied network security.</P>
<P><span class="text_head2">Style:</span><BR>
SWG advocates a "hands-on" approach .. Get to the code or point. Provide references
and links if necessary (especially if you're presenting a fresh perspective
on something already known).
<P>
<hr>
<p> <A name=BOF></A><span class="text_head1">Buffer Overflows: My notes<br>
</span><a href="www.arunkoshy.cjb.net" target="_blank">By Arun Darlie Koshy</a>
<P >The concept of buffer overflows should be known by everyone who wishes to
follow principles of secure programming. Many automated attacks (or say the
propagation of a wormnet) could use this technique. I have no ambitions of writing
a how-to or an authoratitive article on the subject as its already been done
by many wiser and more experienced people.</P>
<P >This article is nothing but a bunch of notes on Aleph One's seminal paper
on the subject <A
href="http://www.phrack.com/show.php?p=49&a=14" target=_blank>(Phrack #49,
Smashing The Stack For Fun And Profit)</A>. A simple attempt to lay out things
clearly for myself and I hope it helps someone who is trying to grasp the same
things.</P>
<P >Our overall aim is to be able to run code with the privileges of the current
executing process. Before we get into any of this :</P>
<UL>
<LI>remember like everything I think it will be some time (incase you or i don't
get bored with it) till we master the whole process to achieve real world
success (i.e a shout in Bugtraq :)).</LI>
</UL>
<UL>
<LI>I assume you've already tried reading up some of the classic literature
especially Aleph's paper, and are comfortable with C , Assembly<B> </B>(Even
if u've had the experience in DOS/Win32). An ideal setting would be to have
the Phrack paper alongside as I am not writing all the concepts which are
beautifullly explained in it.</LI>
</UL>
<UL>
<LI>We should have an IRC discussion on this issue in which interested members
from the SWG community get together and talk about their own experiences.</LI>
</UL>
<P><span class="text_head2">Issues, Code and Fandango on core</span><BR>
1) The first thing which needs to be understood clearly are the two pointers
to the stack (SP and BP).</P>
<P><I>" the stack pointer (SP) points to the top of the stack. The bottom of the
stack is at a fixed address. Its size is dynamically adjusted by the kernel
at run time. The CPU implements instructions to PUSH onto and POP off of the
stack "<BR>
</I></P>
<P>First thing which I've found useful in reading about a subject is to get to
the zen, avoid the details which can be intuitively applied ... all you need
to remember is that the SP is one for the whole program .. it is being constantly
used.</P>
<P>We now understand why the BP (Base Pointer, Frame Pointer etc) is used .. local
variables can be found out or "referenced" by giving their offsets from the
SP .. but as the SP itself is being constantly changed due to PUSH/POP, this
is tough for the computer to keep track off... there for we make a fixed reference
point (kind of like what happens in mechanics) by copying the value of SP into
BP before the function proceeds.</P>
<P>So every function (including main) would start with :</P>
<P class="code">push %ebp<BR>
mov %esp,%ebp</P>
<P>Here the previous BP register is saved by pushing it into the stack. Next the
value of SP is copied into BP to provide the current one for the function. This
also gives a weird difference between *nix asm format and DOS/Win32.. the left
hand side (LHS) is copied into the right hand side (RHS) (i.e move %esp, %ebp
-> esp goes into ebp).</P>
<P><BR>
2) Arguments are always handled in the calling function (i.e suppose main()
calls security() with some arguments, the arguments are stored onto the stack
before the control is passed). An example :</P>
<P class="code">void main() <BR>
{<BR>
if(security(1,2))<BR>
printf("Secure!\n");<BR>
else<BR>
printf("Cracked!\n");<BR>
}</P>
<P class="code">gdb output w.r.t to the function call</P>
<P class="code">0x8048480 <main>: push %ebp<BR>
0x8048481 <main+1>: mov %esp,%ebp<BR>
0x8048483 <main+3>: sub $0x8,%esp<BR>
0x8048486 <main+6>: sub $0x8,%esp<BR>
<B>0x8048489 <main+9>: push $0x2<BR>
0x804848b <main+11>: push $0x1<BR>
0x804848d <main+13>: call 0x8048460 <security></B></P>
<P><BR>
3) The most important thing to be kept in mind is this <B>map</B> keeping the
order in mind :</P>
<P><B>[exploitable buffer] [sfp] [return address]</B></P>
<UL>
<LI>SFP (saved frame pointer) is nothing but the BP and the return address is
what we want to change
<LI>The exploitable buffer's address is used for referencing/calculating and
the size of SFP is added to arrive at the return adress (4 bytes in 32 bit
environments like Linux,Win32).</LI>
</UL>
<P>4) Lets now do an example to make things clearer :</P>
<P class="code">#define TRUE 1<BR>
</P>
<P class="code">int security()<BR>
{<BR>
char buf[4];<BR>
<BR>
/* possible buffer overflows <BR>
strcpy(buf,string); -> and string is > 4<BR>
gets(string); -> user enters crap >
4 <BR>
*/<BR>
<BR>
return TRUE;<BR>
}</P>
<P class="code">void main() <BR>
{<BR>
if(security())<BR>
printf("Secure..\n");<BR>
else<BR>
printf("Insecure!\n");<BR>
}</P>
<P class="code">[work@swg work]$ gcc -o bufe -g tmp.c<BR>
tmp.c: In function `main':<BR>
tmp.c:14: warning: return type of `main' is not `int'<BR>
[work@swg work]$ ./bufe<BR>
Secure..<BR>
[work@swg work]$</P>
<P>Normal execution of the code results in the message "Secure.." being printed.
The map in this case is :</P>
<P>[buf] [sfp] [return address]</P>
<P>We can now visualize how a buffer overflow can happen .. buf is n bytes, incase
anything writes more than n bytes .. it will get to the regions outside and
can overwrite sfp, the return address et.al .. we're interested in achieving
a controlled overwrite on the return address. This will enable us to jump to
a particular location in memory (a part in the code itself, or the start to
some other code which we wish to execute). For this example, lets set the target
that <B>printf("Insecure!\n")</B> should be always executed.</P>
<P>Let's now power up gdb and study the executable :</P>
<P class="code">This GDB was configured as "i386-redhat-linux"...<BR>
(gdb) disas main<BR>
Dump of assembler code for function main:<BR>
0x8048470 <main>: push %ebp<BR>
0x8048471 <main+1>: mov %esp,%ebp<BR>
0x8048473 <main+3>: sub $0x8,%esp<BR>
<B>0x8048476 <main+6>: call 0x8048460 <security><BR>
0x804847b <main+11>: mov %eax,%eax
//</B>function security returns
at this address<B><BR>
</B>0x804847d <main+13>: test %eax,%eax<BR>
<B>0x804847f <main+15>: je 0x8048494 <main+36></B> //the
jump incase the function returned FALSE (0) <BR>
0x8048481 <main+17>: sub $0xc,%esp<BR>
0x8048484 <main+20>: push $0x8048518<BR>
0x8048489 <main+25>: call 0x804833c <printf><BR>
0x804848e <main+30>: add $0x10,%esp<BR>
0x8048491 <main+33>: jmp 0x80484a4 <main+52><BR>
0x8048493 <main+35>: nop <BR>
<B>0x8048494 <main+36>: sub $0xc,%esp</B> //this
is where we want to jump<BR>
0x8048497 <main+39>: push $0x8048522<BR>
0x804849c <main+44>: call 0x804833c <printf><BR>
0x80484a1 <main+49>: add $0x10,%esp<BR>
0x80484a4 <main+52>: leave <BR>
0x80484a5 <main+53>: ret <BR>
End of assembler dump.</P>
<P>First, do not get dazed by the lump of machine code .. we're looking for a
few things which we want .. just train your eyes to see that, life is really
cool if u learn to focus. </P>
<P>We see that :</P>
<UL>
<LI>the call to security() happens 6 bytes past the program entry point (i.e
main+6)<BR>
<BR>
<LI>after the function executes, we return to main+11 (i.e 0x804847b)<BR>
<BR>
<LI>we see that printf("Insecure!\n") is setup at main+36 with the following
lines :<BR>
<span class="code">0x8048494 <main+36>: sub $0xc,%esp<BR>
0x8048497 <main+39>: push $0x8048522<BR>
0x804849c <main+44>: call 0x804833c <printf></span><BR>
<BR>
<LI>But,<I> je main+36</I> is never executed as the function returns TRUE<BR>
<BR>
<LI>So our target is to change the return address from main+11 to main+36 bypassing
the normal operation, we aim to do this by changing the return address using
the overflow (actually in this example, we would just declare our own rogue
pointer). To calculate this easily, just power up ur calculator program in
hex mode and do 94 - 7b (i.e 0x8048494 - 0x804847b) which gives us 0x19 (or
25 in decimal).</LI>
</UL>
<P>Now we take a look at the function security()</P>
<P>(gdb) disas security<BR>
<span class="code">Dump of assembler code for function security:<BR>
0x8048460 <security>: push %ebp<BR>
0x8048461 <security+1>: mov %esp,%ebp<BR>
0x8048463 <security+3>: sub $0x4,%esp<BR>
0x8048466 <security+6>: mov $0x1,%eax<BR>
0x804846b <security+11>: leave <BR>
0x804846c <security+12>: ret <BR>
End of assembler dump.<BR>
(gdb) quit</span><BR>
</P>
<UL>
<LI>We see that buf[4] measures 4 bytes in length, so to reach the return address
we should get to 4+4 (buf+sfp).<BR>
<BR>
<LI>The length is actually weird to figure out due to gcc optimizations , eg.
suppose if the function was <BR>
<BR>
<span class="code">int security()<BR>
{<BR>
char buf[5]; //instead of 4<BR>
return TRUE;<BR>
} </span><BR>
<BR>
the resulting machine code (as on my system) is :<BR>
<BR>
<span class="code">(gdb) disas security<BR>
Dump of assembler code for function security:<BR>
0x8048460 <security>: push %ebp<BR>
0x8048461 <security+1>: mov %esp,%ebp<BR>
<BR>
//strange considering that even by applying the logic that it wants to be
mod 4, it should have been 8, instead 24 is set out.<BR>
<B>0x8048463 <security+3>: sub $0x18,%esp </B><BR>
<BR>
0x8048466 <security+6>: mov $0x1,%eax<BR>
0x804846b <security+11>: leave <BR>
0x804846c <security+12>: ret <BR>
End of assembler dump.<BR>
(gdb) quit </span><BR>
<BR>
Even the example given in Aleph's paper disassembles with different values.
Neways may the explanation be found later <BR>
;-).</LI>
</UL>
<P>Now we simulate a buffer overrun, having all the data which we have, we modify
the example so that we adjust the return address according to our aim :</P>
<P class="code">int security()<BR>
{<BR>
char buf[4],*poison; <BR>
poison=buf+8; //
the rogue pointer is set to 4+4 past the start of buf<BR>
(*poison)+=25; // the return
address is incremented by 25 which is the computed difference to reach printf("\nInsecure!);<BR>
printf("Im the weak link!\n");<BR>
return TRUE;<BR>
}</P>
<P class="code">void main() <BR>
{<BR>
if(security())<BR>
printf("Secure..\n");<BR>
else<BR>
printf("Insecure!\n");<BR>
}</P>
<P class="code">[work@swg work]$ gcc -o bufe -g tmp.c<BR>
tmp.c: In function `main':<BR>
tmp.c:14: warning: return type of `main' is not `int'<BR>
[work@swg work]$ ./bufe<BR>
Im the weak link!<BR>
Insecure!<BR>
[work@swg work]$</P>
<P>We see that we are successful in our attempt. A buffer overflow has been "simulated"
.. During the next few weeks, We are going to learn a lot more including actual
exploit coding, disassembling etc. Time for you to brush up on your Unix n Win32
assembler skills. SoftICE would be used in place of gdb once we go for Win32.</P>
<P>Thanks to Nipon for being a guide, constant friend and patient listener in
the most weird of times. Hang in there bro!
<P><br>
<span class="text_head1">References</span></P>
<UL>
<LI><A
href="http://www.phrack.com/show.php?p=49&a=14" target=_blank>Smashing the
Stack for Fun n Profit by Aleph One</A><BR>
<BR>
<LI><A
href="http://community.core-sdi.com/~juliano/" target=_blank>badc0ded - A repository
of links, papers on the subject</A></LI>
</UL>
<P >
<hr>
<P ><A
name=KEYS></A><span class="text_head1">Advanced Meal - A keylogger in an API<br>
</span><a
href="http://ayanthegreat.cjb.net/" target=_blank>by Ayan Chakrabarti</a></P>
<P >Its time to wrap up the keylogger. Only a couple of functions need to be explained.
These functions have nothing to do directly with keylogging but play a crucial
part in the maintenance of log files. If you have coded them yourself or atleast
tried after reading the last two parts of this article, you deserve a pat on
the back </P>
<P>Let's look at the first function, istime().<BR>
<BR>
<span class="code">int istime()<BR>
{<BR>
struct dosdate_t dt;<BR>
int dayweek;<BR>
char sdt[2];</span></P>
<P class="code"> _dos_getdate(&dt);<BR>
sdt[0] = '0' + dt.dayofweek;<BR>
sdt[1] = '\0';</P>
<P class="code"> dayweek = GetProfileInt("KBDLOG","WDY",7);<BR>
WriteProfileString("KBDLOG","WDY",sdt);</P>
<P class="code"> if(dayweek == 7 || dayweek == dt.dayofweek)<BR>
return 0;<BR>
else<BR>
return 1;<BR>
}</P>
<P>This is a simple function. It returns whether time has come to change the log
file and start logging into a new file. The criteria is that a new log file
is created every day. We check the last stored weekday and compare it with the
current week day. If they're different, then its time to change.</P>
<P>Ok, next function is getfname(). This gets the name of a new filename to which
to the active logfile is rename. Lets take a look at the code.</P>
<P class="code">void getfname(char * fname)<BR>
{<BR>
int seq,i;<BR>
char numb[10];</P>
<P class="code"> seq = GetProfileInt("KBDLOG","SEQ",0);<BR>
seq = (seq+1) % 10000;</P>
<P class="code"> strcpy(numb,"0000");<BR>
i = 0;<BR>
while(seq > 0)<BR>
{<BR>
numb[3 - i] = (seq%10) + '0';<BR>
seq/=10;<BR>
i++;<BR>
}<BR>
GetWindowsDirectory(fname,990);<BR>
strcat(fname,"\\KBDLOG\\MLQ");<BR>
strcat(fname,numb);<BR>
strcat(fname,".MQU");<BR>
WriteProfileString("KBDLOG","SEQ",numb);<BR>
}</P>
<P>This one's pretty simple as well. We maintain a value called SEQ which we keep
incrementing. And we create a file called WINDIR\KBDLOG\MLQ###.MQU where ###
represents SEQ.</P>
<P>So, that concludes our discussion. Things would get really interesting if our
keylogger could email these log files to a desired address. Well, that's next
time :-).</P>
<UL>
<LI>Read up on network programming (Pick up your Richard Stevens!)<BR>
<BR>
<LI>Check Keysave at my <FONT
color=#0000ff><A href="http://ayanthegreat.cjb.net/"
target=_blank>site</A></FONT> incase you've not done so already. </LI>
</UL>
<hr>
<P><font face="Arial, Helvetica, sans-serif" size="2"><a
name=FOREN></a><span class="text_head1">Forensics : The SWG Experiment</span><br>
</font><font face="Arial, Helvetica, sans-serif" size="2" color="#0000FF"><a href="http://www.mrcorp.net" target=_blank>By
Charles Hornat</a></font><font face="Arial, Helvetica, sans-serif" size="2">
<br>
<br>
Digital forensics is a topic that is often mis-interpreted. It is often referred
to as: "How to recover deleted files"</font></P>
<p><font face="Arial, Helvetica, sans-serif" size="2">Recovering deleted information
is simply a part of the science of forensics. It can be better defined
as finding truth with technology. An electronic forensic investigation can be
as simple as opening up the file browser and searching for a file, or complex
like recovering deleted information from a disk, or mundane like reviewing access
logs to your building. </font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">The project at SWG is a
living project, meaning it will continue to grow as new ideas, new techniques,
and new methods of <br>
hiding data are discovered. We will investigate key settings in various operating
systems, specific filesytems, tools such as "Coroners Toolkit" and
"Forensic Browser" etc.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">The section will have tutorials
based on real life experiences. By sharing experiences, one will be able to
relate better.In addition, some of the topics presented here will coincide with
the <a href="http://www.swg.uklinux.net/cgi-bin/ultimatebb.cgi?ubb=forum&f=21">Honeynet@home
project</a>.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Coming soon @ Securitywriters.org!!!
Also check <a href="http://www.securitywriters.org/texts.php?op=list&id=14">the
SWG library's Forensic section</a></font></p>
<p>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="unnamed1"><span class="footer"><a href="http://www.Infosecwriters.com"><font size="1" face="Arial, Helvetica, sans-serif">Home</font></a><font size="1" face="Arial, Helvetica, sans-serif">
|<a href="http://www.Infosecwriters.com/about.php"> About Us</a> |<a href="http://www.Infosecwriters.com/contact.php">
Contact Us</a> |<a href="http://www.Infosecwriters.com/privacy.php"> Privacy
Policy</a> | <a href="http://www.Infosecwriters.com/map.php">Site Map</a>
</font></span></div>
<p align="center"><font size="1" face="Arial, Helvetica, sans-serif"><span class="footer">All
images, content & text (unless other ownership applies) are © copyrighted
2003, Infosecwriters.com. All rights reserved. Comments are property of
the respective posters.</span></font></p>
</td>
</tr>
</table>
</body>
</html>
</body>
</html>