Hi all,
I noticed some interesting behaviour when playing with Helix recently. It ships with a number of cygwin tools including netcat for gathering evidence and sending it to remote systems. I started a netcat listener on my local PC and tried using Helix to capture evidence from the same PC using IRCR. Status: FAIL. Cause: the cygwin DLL loaded into memory by my bash shell and netcat listener clashed with the one on Helix so the script would not run sucessfully.

It strikes me that loading a copy of the cygwin DLL into memory can effectively break some forensics tools and could even subvert them to alter the results. Loading a poisoned cygwin DLL could  be an effective anti-forensic technique if cygwin tools are used. This is also worth knowing if you plan to use Helix or similar tools to do live examination on Windows.

Jimbob

I first noticed this running a locally-installed cygwin netcat listener (latest and greatest) on my laptop and then running IR\IRCR-NC.bat script on Helix. A simple way to reproduce this is to start a cygwin bash shell and then run one of the tools from IR\Cygwin on the Helix CD. You should see errors like this:


Pretty self explanatory.

Jimbob