Ethical Hacker Community Forums
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Working for the dark side on: November 20, 2008, 06:40:40 PM
There are always going to be cases where one side or the other missed something, but more often than not the defense is going to push for any shred of reasonable doubt based on concepts rather than facts.  It's become very common for the defense to latch onto any shred of malware as possible "proof" that their client did not download that 4GB of child pr0n.  I don't care how security conscious you are, you are almost guaranteed to have some artifact of malware on your system.  There were a couple of high profile cases where the defense argument was based around files that were left behind when the system anti-virus identified a malware and disabled/removed most of the affected files.  Of course it missed some which were left behind but not functional.  The defense argued that it proved the system had been compromised at some time in the past, and it created reasonable doubt because a "hacker" could have used the machine to download the pics.  None of the timestamps lined up, but of course that's because the "hacker" changed them all.  He also arranged all of the pictures into a nice, organized set of folders.  Anyway, in this case the forensics analysts produced the same data (what was on the system) but the defense was based on their version of what that data was saying.
2  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Working for the dark side on: November 18, 2008, 12:43:45 PM
Actually, I have seen this.  There are at least two very well known groups (that I will refrain from naming) that will not accept you into the group, or remove you from the group, if they find out you worked as an expert witness for the defense in a criminal matter.  If you talk to the group members the prevailing opinion is that when you work for the defense, almost 100% of the time you are helping them make their case by challenging the methods or ability of another forensics analyst.  If you are attacking their methods (tools, the science behind data forensics, standard approaches, etc), then you are actually attacking the entire practice of forensics which is bad for the community.  If you attack the ability of the other analyst, then this is often viewed as a personal attack against someone that was trying to catch a crook.  I don't necessarily agree with these arguments, but I hear them a lot.  With that being said, if someone screwed up the case, then they screwed up the case.  Period.  Also, if you do your own analysis and can present evidence that is valid and relevant to the case (ex. you find out that someone's system was actually hacked into and the illegal activities might not have been performed by the system owner but by the intruder) then that should absolutely be presented in court.  However, whatever your motivation might be, as soon as you sit on the other side of the aisle there are just going to be repercussions.
3  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Looking for advice on pursuing forensics.. on: November 16, 2008, 01:32:07 PM
Just my two cents, but really make a point to pick up the education and certs.  The main reason is that if you do manage to move into forensics there is a high probability that you'll end up having to testify.  The very first hurdle you have to get through is the validation of your background.  Having the degrees/certs helps that process quite a bit.  If you don't have those on your resume then you'll probably get challenged by the other legal team, and at that point they'll cook up all sorts of questions to try and show gaps in your knowledge or understanding of the tools and methods.  (So Mr. Coolforensicsguy, please tell me every difference between the ntfs and ext3 file systems, explain the md5 checksum algorithm in detail, and inform the court why your evidence should be permissible since you used Encase but are not certified)  The caveat to all of this is if you end up in a field where you do forensics for malware.  In that role you usually are more of an incident responder rather than investigations.
4  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit Question on: November 14, 2008, 04:16:03 PM
You're referring to privilege escalation on a machine that you already have some level of access to?  There are a lot of tools you can use for that, but metasploit sure wouldn't be my first choice.  They plan to build it out in the future to do this via the meterpreter tool, but it still doesn't seem to be the best option.  Hell, you could just pick the relevant exploit out of:

http://www.milw0rm.com/local.php
5  Resources / News from the Outside World / Re: Woman sends $400K to Nigerian Scammer on: November 14, 2008, 10:10:41 AM
The part that really confuses me is that someone would get an email from George Bush and it would INCREASE their level of trust...
6  Ethical Hacking Discussions and Related Certifications / Certification / Re: What's Next After Linux + on: November 12, 2008, 11:31:25 AM
Just my observation from various clients:

-A lot of them know what the CEH is, most consider it a good cert, but a smaller group of the more technical clients view it as a paper cert that almost anyone can study for and take without having a lot of hands on knowledge

-There haven't been many clients that know what the OSCP is, but those who do have knowledge of it hold it in fairly high regard since it is more of a hands on testing process

I am not stating my opinion for either mind-set, this just seems to be what I'm seeing at the moment.  It'd be a trade off.  Take the more well known but less techy cert, or take the less well known but more techy cert.
7  Ethical Hacking Discussions and Related Certifications / Other / Re: Career in Cyber Security on: November 11, 2008, 08:42:52 AM
When you say you are working as an analyst, what exactly do you mean?  That title carries a lot of different meanings depending on your organization.  The reason I'm asking is you should first do some research to figure out what area of security you'd like to move into.  For starters, do you want to be on the keyboard or do you want to be on the business side?  The guys on the keyboard have the sexier job (Ima 'l33t haxor!), but the guys on the business side might have been career options in the long run.  (CIO, CISO, CTO, IT Audit/Risk manager, etc)  It's all dependent on where you'd like to end up.
8  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Soon to be release a tool to crack WPA !!! on: November 09, 2008, 01:31:41 PM
I know this finding has caused a lot of concern or excitement depending on your job description, but be aware that there is a bit of hype around what it actually does.  Some of the analysis that's starting to come out seems to show that the use for the exploit will be somewhat situational.  Example:
http://it.slashdot.org/article.pl?sid=08/11/07/1312246
9  Resources / Links to cool sites. / Re: hacker social networking on: May 07, 2008, 08:23:53 AM
my bad. 
10  Resources / Links to cool sites. / hacker social networking on: May 07, 2008, 07:50:14 AM
sign of the apocalypse?

http://houseofhackers.ning.com/
11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Ubuntu 8.04 distro problem trying to install tools (kismet, wireshark etc.) on: April 25, 2008, 07:06:42 AM
When you are trying to install these, are you going to the site that is hosting the software or installing it through the package manager?  (in other words, downloading a .tgz from a site or doing an apt-get?)  Before you get too far along, go into the menu bar, get to the system administration menu, and look for the synaptic package manager.  This is a GUI front end that will help you find stuff to install.  Do searches for the software you are looking for.  About 50% of it will already be supported in there.  For a pampered Windows type this is as close as you'll get to point and click.  For everything else, do a google search on "Ubuntu install [software x]".  The community is really good about posting guides for most things.
12  Resources / Tutorials / Re: hiding a programme__help on: April 25, 2008, 07:02:26 AM
Well there's your problem... it looks like your blinker fluid is low and you need to rotate your muffler bearings.  If you have a VAX system sitting around you could put together a banyan bomb and push it through the intergoogletubes to your target.
13  Resources / Tutorials / Re: hiding a programme__help on: April 24, 2008, 02:06:39 PM
I think the purpose of his question was to find a way to hide a program so that it was not directly observable to the user.  To do that the program would have to be hidden in the data and file structure of the trojaned data (or an alternate data stream), and the resources necessary to run the program would have to be shared in such a way that they are not directly attributable to the hidden executable.  (or hidden with a rootkit?)
14  Resources / Tutorials / Re: hiding a programme__help on: April 24, 2008, 11:36:07 AM
dean,
    Agree with your post, I just noticed that he seemed to be stressing the "image,video" issue.  As you mentioned, it can be straightforward to hide a file in an image, but getting it to execute and run when viewed isn't trivial.
15  Resources / Tutorials / Re: hiding a programme__help on: April 24, 2008, 10:11:39 AM
Reading back to the original post, he wanted to hide it within a picture or video.  That changes the deal a little bit.  It is easier to hide an executable within another executable than it is to hide an executable in a picture or video.  The idea is that the .exe is already making system calls and such that you can abuse, while a video or picture is generally read from and interpreted by some other application.  There are ways to include nasty code into a video or picture so that the application reading the file gets "hacked", but this isn't the same as having a hidden program kick off in the background.  There are some ways to do this, but they are not as clean or consistent as you'd probably like.
© 2008 The Ethical Hacker Network