Forensics on PDAs, notes from the field

Thomas Shaddack shaddack at ns.arachne.cz
Fri Aug 13 10:44:09 PDT 2004


On Fri, 13 Aug 2004, Morlock Elloi wrote:

> > A cool thing for this purpose could be a patch for gcc to produce unique 
> > code every time, perhaps using some of the polymorphic methods used by 
> > viruses.
> 
> The purpose would be that they do not figure out that you are using some
> security program, so they don't suspect that noise in the file or look for
> stego, right?

In better case, this. In worse case, to force the adversary to face an 
unknown, unexpected situation they aren't trained to handle.

> The last time I checked the total number of PDA programs ever offered to public
> in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> trivially checked for. Any custom-compiled executable will stand out as a sore
> thumb.

Until a Gentoo-like Linux distro for PDAs appears. Then custom-compiled 
code becomes quite common in that segment of consumers.

Another possible way for wrecking the set of file signatures "in the wild" 
could be releasing a product (which then would have to become popular, so 
it has to be useful) to do a function modifying the executables - maybe a 
code packer (flash space is still at a premium in the PDAs), maybe a 
realtime patcher (for e.g. protecting against some generic code exploits), 
in extreme cases maybe an otherwise benign trojan or worm.

> You will suffer considerably less bodily damage inducing you to spit the
> passphrase than to produce the source and the compiler.

Yes, but the same applies to your colleague. Would you like it to be easy 
for your colleague to betray you?

> Just use the fucking PGP. It's good for your genitals.

Unless the adversary beats the passphrase from your colleague and then 
comes for you.

Don't be so selfish. :)