[TriLUG] Presentation & question follow-up

[Matt Frye]

My presentation from the March 10, 2005 meeting can be found here: 

http://www.mattfrye.net/march2005_tct.pdf

There was a question about using TCT on image based systems, on which
I had promised to provide more information.  Specifically, virtual
machines may be used to capture activity down to the actual machine
code instructions, but on a practical level, it is not possible on
general purpose computers given all their peripherals, etc.  However,
increased "trustworthiness" can be achieved with image based systems
because they are not subject (not directly, anyway) to the laws of
physics, e.g. bad disks, etc.

Special care should be taken however, after a malicious attack, to
keep malware confined to the vm "partition*."  If hostile software can
recognize it's virtual environment, it may be able to exploit bus in
the implementation of the virtual monitor and escape confinement.

Chapter 6 of Forensic Discovery (see recommended reading in the pdf)
addresses Malware Analysis Basics.

* Not a concise word in this case.

Please let me know if I owe you a follow-up.  Incidentally, the Red
Hat Magazine article to which I referred during my presentation, and
which provided the basis for much of my research, is now available
online.

http://www.redhat.com/magazine/005mar05/features/security/

Matt Frye