EH-Net
16  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Primary and Secondary DNS on: September 05, 2006, 02:13:09 AM
You are right. The authors of that book obviously don't have much clue about how DNS works.
17  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What is hacking? on: August 19, 2006, 08:28:22 AM
In my understanding a hacker is someone who modifies something already existing (a software, hardware or whatever) to achieve a certain goal that could not be achieved without that modification.

Related to software such a modification can consist of just adding or changing a few lines of code to change the intended behavior or correct an obvious error of a software but also let's say replacing the operating system of a device (for instance I would call replacing the OS of a Linksys WRT-54 by OpenWRT a hack).

On the other hand I would not call it a hack to write some code to exploit a vulnerability, that's just coding.

Most of the time if somebody mentions "Hacking" that equals "doing something related to security" (if done by a BlackHat it's breaking in, if done by a WhiteHat it's pentesting) for a lot of people.

In my opinion doing a hack can be related to security but not everything one can do in relation to security is hacking.
18  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 17, 2006, 01:18:20 PM
Just to prevent another misunderstanding: when I say "copy of the original image" I really mean a copy of the acquired image.

original device -> acquire an image from it -> duplicate the acquired image to get a copy to work with and store the original device and the initial image (it may seem a bit redundant, but at least you really risk nothing)
19  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 17, 2006, 11:22:00 AM
It applies only to the handling of the original device.

Sure it could happen to the image too, but to prevent that, in addition to loopback-mounting the image read-only, set the image file read-only (r--r--r--) before mounting it so you can be sure that nothing will be altered.

Furthermore the best you can do is to never do any analysis on the original image, use a copy of it and you're safe anyway...
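
The chain described in the two posts above (original device -> acquired image -> working copy, with the image file set to r--r--r--), as an added example that is not part of the original posts. A constructed file stands in for the unmounted source device, and the function names `acquire` and `verify` and the file names are assumptions.

```shell
# Added example: acquire -> hash -> write-protect -> working copy -> re-verify.
# The "source" is a constructed file standing in for an unmounted block device.

# sha FILE: print only the SHA-256 hex digest of FILE.
sha() { sha256sum "$1" | cut -d' ' -f1; }

# acquire SRC DIR: read SRC directly (no mount), write DIR/master.img,
# record its hash, set it read-only, then make DIR/work.img for analysis.
# Prints the source hash; returns 1 if any hash does not match.
acquire() {
    local src="$1" dir="$2" h_src h_img
    h_src=$(sha "$src")
    [ -n "$h_src" ] || return 1
    # No conv=sync: padding a short final block would change the image hash.
    dd if="$src" of="$dir/master.img" bs=64k 2>/dev/null || return 1
    h_img=$(sha "$dir/master.img")
    [ "$h_src" = "$h_img" ] || return 1
    printf '%s  master.img\n' "$h_img" > "$dir/master.img.sha256"
    chmod 0444 "$dir/master.img" "$dir/master.img.sha256"   # r--r--r--
    # All analysis happens on the copy; the master is only ever re-hashed.
    cp "$dir/master.img" "$dir/work.img" || return 1
    chmod 0444 "$dir/work.img"
    [ "$(sha "$dir/work.img")" = "$h_img" ] || return 1
    printf '%s\n' "$h_img"
}

# verify DIR: re-hash master and working copy against the recorded value.
# Run it after analysis to show that neither file was altered.
verify() {
    local dir="$1" want
    want=$(cut -d' ' -f1 "$dir/master.img.sha256")
    [ -n "$want" ] || return 1
    [ "$(sha "$dir/master.img")" = "$want" ] && [ "$(sha "$dir/work.img")" = "$want" ]
}

# Demo on constructed data (random bytes, size not a multiple of the block size).
demo_dir=$(mktemp -d)
head -c 100000 /dev/urandom > "$demo_dir/source.bin"
acquire "$demo_dir/source.bin" "$demo_dir" >/dev/null && verify "$demo_dir" \
    && echo "master and working copy match the source hash"
rm -rf "$demo_dir"
```
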
20  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 17, 2006, 01:13:10 AM
You are right, it's the journal that can change the hash. Read this

But I wouldn't call that a bug, it's intended behaviour. If it wouldn't be implemented like that the journal could not guarantee the integrity of the filesystem after a crash.

21  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 16, 2006, 11:20:27 AM
Quote
To do anything with an image in Encase and Autopsy/Sleuthkit it has to be mounted. There's more to it obviously than just taking an image.

I think there is a misunderstanding. To work with an already taken image in Autopsy/Sleuthkit you have to mount the image, that's right. But in that case there is no problem, it's sufficient to set the image file read only to prevent any change.

But to get the image - and that's what I was talking about - there is no need to mount the original drive (the source) so the source is under no circumstances altered by the process of taking the image.

Those are two completely different things: preventing the source from being altered by the imaging process and, on the other hand, taking care that the image which has already been taken will not be altered by the analysis.

And in Encase you do not mount the image, you just add it to a case. Encase takes care that the image is not altered by the analysis, so that way it is not even necessary to set the image file read only (though it does not hurt).
22  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 16, 2006, 12:23:38 AM
I mean exactly what I said.

To image a drive you don't have to mount it. Neither with Encase nor with any other tool like dd or others do you need to mount a drive to get an image from it, so no write blocker is needed.

Yes, I saw that. After having read somewhere that it could happen I tried it with a USB pendrive with an ext3 filesystem on it. The content of the filesystem as such is not altered, but obviously some changes in the journal (don't exactly know what, perhaps some update of timestamps in the journal) happen so that the hash does not match any more. It's not a problem for the data but you would have to explain what has happened in case you have to present it in court.
23  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 15, 2006, 12:37:33 PM
If you want to image a drive you don't have to mount it anyway, so I think that shouldn't be a problem even for not so skilled people (or those that are possibly too lazy to take care of what they are doing).

BTW, even when you mount a drive read-only sometimes that may change the content in such a way that a hash before and after mounting will not match any more. It depends on what filesystem is on the drive, if it's some kind of journaling file system parts of the journal can change without writing to the drive.
24  Ethical Hacking Discussions and Related Certifications / EnCE - EnCase® Certified Examiner / Re: Preparation for EnCE on: August 15, 2006, 11:38:00 AM
I think I'll go for the exam by the end of the year, I'll tell you afterwards if it could be possible to solve the practical without any experience.

Nevertheless I think having to complete a practical is always better than getting a cert by just completing a multiple choice test - it's far easier to learn answering some questions only.
25  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix - Live Linux Distro for Forensics on: August 15, 2006, 11:32:23 AM
Quote from: oleDB
The only complaint I would have is that it will not automount usb sticks
I wouldn't consider using a distro for forensic purposes if it would automount anything. A system has no way to differentiate between a USB stick that I want to image and another one that I'd like to use as a storage medium, so I think it's the right way to do that by hand.

I think it is a strong pro for that distro that automount is disabled in Helix.
26  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Carving tools on: August 14, 2006, 09:58:49 AM
Foremost is an OpenSource Solution.
27  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Postgree SQL Injection help... on: August 07, 2006, 01:06:19 PM
SQL injection means that you "inject" something into a sql query.

The function in question doesn't do any sql query, so you can't inject anything.

The only possible approach - if any - would be to test that function if there could be a possible buffer overflow. For that you need to go through the source code of tsearch2 and possibly postgres - but I don't think that this is promising...
28  Features / Opinions / Re: Linux vs Windows on: August 07, 2006, 12:44:37 PM
I think there is an important point you missed when talking about the pros and cons.

I definitely agree that there is no "best operating system", each of them has strong and weak parts (personally I'm using XPpro and ubuntu on my laptop, Debian and Win2003 on the server side depending what I want to achieve).

But why use "windows ports"? Why not the original version? If there is a unique tool that only runs on windows I would use it without any hesitation (actually there are very few of them), but I wouldn't look for a port when I can get the tool in its native operating system.

What's the biggest point (at least for me) to use linux for pentesting? The answer is that you get the sources for each and every tool, you can tweak and modify them as you need (and often it is necessary to do some changes, be it as simple as for instance recompiling a virus to try avoiding detection by a virus scanner - yes I know that's a windows example but I think it shows the idea ...) and it's far easier to fully control the behaviour of your own system, to access system resources etc (just think about the problem that nmapwin had when XPSP2 came out, a lot of options suddenly didn't work any more).

If running available tools is all you need (and often it can be sufficient to do that) your choice can be windows or linux, just the availability of a tool will limit your choice.

But (once again at least in my opinion) the goal of a pentest is to determine as closely as possible if the system tested is vulnerable - not only if the system resists attacks using tools actually available on the net, and that is a goal you clearly cannot achieve using only windows tools.

I think that a skilled pen-tester absolutely needs to know more than one operating system, and as of now I also think that a serious pentest without having linux skills is not feasible.

29  Ethical Hacking Discussions and Related Certifications / EnCE - EnCase® Certified Examiner / Re: Preparation for EnCE on: August 07, 2006, 12:12:19 PM
They just ask you if you have some experience but there is no need for any special evidence for that.

The certification consists of two parts, a theoretical (multiple choice) test and a practical.

I think that possibly you can pass the theoretical part by just studying the official study guide, but for the practical you need to know what you are doing (or at least know somebody who does!). You'll get a case-file on CD and have to answer questions about that case within 60 days. Sure you can try to answer every question by looking up the manuals (a bit tedious)...

And what do you get that way? First time you'll have to do a real case you'll be caught.
30  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Postgree SQL Injection help... on: August 07, 2006, 11:25:22 AM
to_tsquery is a function provided by tsearch2 which is a module for postgres.

Quote
The tsearch2 module provides a to_tsquery() function for creating queries that uses the same process as to_tsvector() uses to reduce words to lexemes. For instance, it will remove the -s from the plurals:

=# SELECT to_tsquery('(leads|forks) & !crawl')
           to_tsquery           
--------------------------------
 ( 'lead' | 'fork' ) & !'crawl'
(1 row)

So what you are doing is basically that you provide an expression ('--) to a lexical function. Even if they are not filtering the simple quote (which would be a good idea) I don't see a way to use that for sql injection because that function doesn't do any sql, as you can see in the quote above it's just intended to transform (in that case remove a letter) your input.

BTW the query in question just counts some occurrences of the text you input without taking into account if it's singular or plural...
© 2013 The Ethical Hacker Network