This is somewhat of a follow-on from BG’s last post, that came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.


The rantings of Craig Chapman, Computer Forensics Geek.

Lest Big Galoot be accused of sounding too flippant about the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.

Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their own and other people’s lives by standardising the way in which everyone does things.

For those mother hens of the world who seem to take pleasure in writing procedures & processes for everything we do – from walking our dog off its leash in the park, to spitting on a footpath, is it more a case of process – at the expense of performance?

A recent article at CIO mag proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”

What a complete load of puffed-up, breast-beating, piffle! (more…)

It gets exciting in the security community when the challenges are thrown out. I know... I can barely get to sleep at night from the anticipation. And so it is at the moment with the “Bet we can detect Blue Pill” vs. “Bet you can’t!” challenge.

In the red corner, the Bully Boy Team. (And no, that’s Peter Ferrie – not the famous Peter Fernie of and Securus Solutions fame). In the Blue corner (gees, the jokes are lame), of Blue Pill fame, the lovely Joanna Rutkowska.

Even if Joanna loses, there’s enough excuses already to see a rematch in the future. Either way, hits on both websites should shoot through the roof.

Let the best woman win!

Posted in: Forensics, Research, news

The rantings of Craig Chapman, Computer Forensics Geek.

The other day I met a couple of guys at a security conference who introduced themselves and announced proudly that they did “Computer Forensics”.  I had no reason at that stage to disbelieve them, since they were wearing some rather impressive-looking nametags, bearing the logo of a very well known global company.

After a bit of big-noting themselves, it was what they said next in relation to investigation techniques that sent my alarm bells ringing;

“We’ve just done a course on interviewing suspects.  We can tell you when someone is lying.”

“Really?” I said, rather disbelievingly. (Gees, these guys have it 100% – something that takes good police detectives years to develop).

“Aside from your lie detector skills, how do you keep an arm’s length between your forensics role and being the interviewer of a suspect?” I asked, very curious to hear their response.

“Bah! No need to worry about that!” they replied rather boldly, as if that were a mere technicality not worth worrying about.

Unfortunately, as they might discover, the courts don’t exactly share their view on wearing the hat of the interrogating Investigator and that of the Computer Forensics Expert simultaneously. See fellas, there’s this thing that courts are big on; it’s something known as ‘Independence’.

Nor is computer forensics simply a fancy term for checking audit logs, as they would later, rather incredibly, try to argue. Make no mistake, these guys were not computer forensics people in any form. They were, at best, a pair of audit-log-checking boofheads calling themselves “computer forensics” people. As the term “forensics” suggests, it also involves the gathering of evidence in a manner that is lawfully admissible to a court. Judging by their manner, and their high degree of BS, I’d have to conclude that these gentlemen have spent far too much time watching CSI or NCIS, and very little time, if any, in an actual court or in a witness box.

Fellas, if by chance you recognise yourselves & happen to be reading this blog, here’s a really good definition of computer forensics as described at,,sid14_gci1007675,00.html

Computer Forensics:
“The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”

And by the way, if you’re still reading, perhaps you should remove the “Computer Forensics” label from your nametags and replace it with “Audit Log File Checkers”. OK, it doesn’t sound as impressive, but it’s perhaps a lot closer to the truth, and it avoids more potential embarrassment for you.


The FBI’s Operation Bot Roast claims to have now identified “about 1 million” botnet-infected systems in the US. See also:

The announcements say all the right things, but how much substance is behind them is questionable in my opinion. The intentions may be there, so let’s see what impact on botnet activity this program has. It would be interesting to know how the 1 million systems were identified. Have I missed something in my readings?

Other than that, there is some good introductory information in here for individuals and businesses alike.

Related Links:

The rantings of Craig Chapman, Computer Forensics Geek.

A couple of recent cases, including one in the US, have highlighted malware and trojans as an emerging problem for the computer forensics community – testing the validity of the expert evidence and calling into question the practice as a whole.

In this most recent case, problems emerged after a teacher was wrongly convicted following an incident where her classroom PCs became infected with pop-up ads displaying pornographic images. The prosecution alleged that the pop-ups were caused by the teacher’s activity on her PC, following expert testimony from a computer forensics detective.

Problems in the case emerged after the defence’s computer forensics expert successfully argued that a harmless hairstyling web site had actually redirected the PC’s browser to pornographic sites, setting off a chain of offensive pop-up ads (a sub-argument was also presented about access control).

With the benefit of hindsight, this case was perhaps more about poor forensics practices – the investigating detective was apparently not thorough enough.

But it raised a bigger issue: what about really hard-core trojans and malware? How do we prove that malware didn’t exist on a suspect’s system? Recent studies into the potential problems that malware, trojans and viruses pose for the computer forensics community suggest this problem is not going to go away any time soon.

Highlighting this problem, some conceptual tools developed by and Joanna Rutkowska from have shown that the ability already exists for malware to defeat ‘volatile’ memory forensics. Make no mistake, this is a big threat facing computer forensics practice and its ability to withstand rigorous cross-examination in the witness box.

The really big questions facing the computer forensics community right now must be:

- How can the trojan defence be negated? and
- What practices can be put into place by the corporate world to assist computer forensics?

The nitty-gritty of ‘The Trojan Defence’ is that we don’t know what we don’t know. In other words, how do we prove that something (a trojan) didn’t exist? The mere possibility of the existence of a trojan may itself be enough for a case to be thrown out, in the absence of any corroborating evidence.

The solution? (Is there any?)

In terms of hard-drive forensics (and even perhaps volatile memory?), the ability exists to make a ‘known good’ copy of a system prior to its deployment and have it locked away in a safe. In an attempt to negate the trojan or malware defence argument, the ‘known good’ copy could be dragged out of the safe, compared to the original, and forensically examined for changes to that system. Operating system active processes, DLLs etc. could all be mapped and compared against those of the ‘known good’ system. This practice could also be a really good tool for very quickly detecting what is going wrong with a particular system when the IT Security guys are called in following an ‘incident’, say, an intrusion where their system became owned or whatever.
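The ‘known good’ comparison described above, as an added example that is not code from the original post: a baseline manifest (SHA-256 digest per file) is built from a trusted image, stored alongside it, and later diffed against the live system to list files that were added, removed or modified. The directory layout, file contents and the `demo()` scenario are constructed for the example; nothing here is tied to a real system.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest.

    Run this once on the trusted image: the resulting manifest is the 'known good'
    record that goes in the safe together with the image itself.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff a later manifest against the known-good one.

    Returns sorted lists of paths that were added, removed, or whose digest changed.
    Anything listed here is a candidate for closer forensic examination.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny 'system image', then a simulated compromise."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")       # constructed
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")  # constructed
        (root / "lib" / "libc.so").write_bytes(b"libc")                 # constructed

        # 1. Known-good manifest taken before deployment; serialised as JSON so it
        #    can be stored (and itself hashed/signed) next to the locked-away image.
        known_good_json = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # 2. Simulated post-incident state: one binary replaced, one file dropped,
        #    one config file deleted. (Constructed changes, not a real sample.)
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "lib" / "dropped.so").write_bytes(b"unexpected library")
        (root / "etc" / "hosts").unlink()

        # 3. Re-manifest the live system and diff against the safe copy.
        current = build_baseline(root)
        return compare(json.loads(known_good_json), current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The comparison only has evidential weight if the manifest itself cannot have been altered after the fact, so in practice the JSON would be hashed or signed and kept with the offline image, and the live manifest should be taken from a disk image acquired outside the running OS rather than through it, since the post notes that malware can already lie to live-memory forensics.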

In reality though, this practice is unlikely to be adopted in the short term. But I’d be very interested to learn if some companies out there are already adopting the practice of having a secured, ‘known good’ copy for forensics or IT Security purposes. Has anyone heard of this being done?

Or, perhaps someone has some other ideas about how ‘The Trojan Defence’ argument can be (relatively expeditiously) negated in a forensic manner?

Some good points raised in this

There are few good companies out there that do penetration testing well, and they’re generally the smaller specialist organisations (yeah, I have to mention

We still see and hear about mobs doing this work for clients and shake our heads at the results. There are still guys out there running basic VA and port scans, delivering stock-standard reports out of the likes of Nessus to clients and calling it a penetration test.

It’s hard for organisations to know what questions to ask and how to compare offerings because it is such a specialised field. This article goes some way to helping.
