
Helix and Cygwin


jimbob

Post Tue Sep 22, 2009 4:29 am

Helix and Cygwin

Hi all,
I noticed some interesting behaviour when playing with Helix recently. It ships with a number of cygwin tools including netcat for gathering evidence and sending it to remote systems. I started a netcat listener on my local PC and tried using Helix to capture evidence from the same PC using IRCR. Status: FAIL. Cause: the cygwin DLL loaded into memory by my bash shell and netcat listener clashed with the one on Helix so the script would not run successfully.

It strikes me that loading a copy of the cygwin DLL into memory can effectively break some forensics tools and could even subvert them to alter the results. Loading a poisoned cygwin DLL could be an effective anti-forensic technique if cygwin tools are used. This is also worth knowing if you plan to use Helix or similar tools to do live examination on Windows.

Jimbob

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Sep 22, 2009 7:22 am

Re: Helix and Cygwin

Thanks jimbob. I hadn't seen that behavior before. I have had issues with RAM acquisition and just general compatibility issues with certain machines. Which version of Helix did you run your test on?
~~~~~~~~~~~~~~
Ketchup

jimbob

Post Tue Sep 22, 2009 8:06 am

Re: Helix and Cygwin

I first noticed this running a locally-installed cygwin netcat listener (latest and greatest) on my laptop and then running IR\IRCR-NC.bat script on Helix. A simple way to reproduce this is to start a cygwin bash shell and then run one of the tools from IR\Cygwin on the Helix CD. You should see errors like this:

      9 [main] ? (6104) e:\IR\Cygwin\nc.exe: *** fatal error - system shared memory version mismatch detected - 0x8A88009C/0x2D1E009C.
This problem is probably due to using incompatible versions of the cygwin DLL.
Search for cygwin1.dll using the Windows Start->Find/Search facility
and delete all but the most recent version.  The most recent version *should*
reside in x:\cygwin\bin, where 'x' is the drive on which you have
installed the cygwin distribution.  Rebooting is also suggested if you
are unable to find another cygwin DLL.
Pretty self explanatory.

Jimbob
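The mismatch above comes from two different cygwin1.dll builds sharing the same cygwin shared-memory area, and the same mechanism is what makes a substituted DLL a worry for live response. A defensive pre-flight check before running the Helix cygwin tools is to inventory every cygwin1.dll on the box, hash each copy, and confirm that the copy next to the tools matches a known-good digest while no other build is present. The script below is an added example written for this thread; it is not part of Helix, IRCR or anything jimbob posted. The paths, the trusted digest and the SAMPLE_INVENTORY entries are constructed placeholders, and the `E:\IR\Cygwin` tool directory is assumed from the error message.

```python
import hashlib
import ntpath
import os
import subprocess

# Constructed sample inventory standing in for what find_cygwin_dlls() returns
# on a real system: (path, sha256) pairs. The digests are placeholders, not
# real cygwin1.dll hashes.
SAMPLE_INVENTORY = [
    (r"E:\IR\Cygwin\cygwin1.dll", "aaaa" * 16),            # copy shipped with the tools
    (r"C:\cygwin\bin\cygwin1.dll", "bbbb" * 16),           # locally installed cygwin
    (r"C:\Users\x\Downloads\cygwin1.dll", "cccc" * 16),    # stray copy of unknown origin
]
TRUSTED_HASH = "aaaa" * 16          # placeholder: record this from your own master CD
TOOL_DIR = r"E:\IR\Cygwin"          # assumed from the error message in the thread


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_cygwin_dlls(roots, name="cygwin1.dll"):
    """Walk the given roots and return (path, sha256) for every cygwin1.dll found."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() == name:
                    p = os.path.join(dirpath, fn)
                    try:
                        found.append((p, sha256_of(p)))
                    except OSError:
                        continue   # unreadable copy: still worth noting, but skip hashing
    return found


def preflight(inventory, trusted_hash, tool_dir):
    """Classify each cygwin1.dll copy relative to the tool directory and trusted hash.

    Returns a report dict; safe_to_run is True only when the tool directory's
    copy hashes to the trusted value and no differently-built copy exists
    elsewhere (a second copy with the same hash cannot cause the shared-memory
    version mismatch, so it is listed but not treated as a blocker).
    """
    tool_dir_n = ntpath.normcase(tool_dir)   # ntpath so Windows paths parse anywhere
    report = {"tool_copy": None, "tool_copy_trusted": False,
              "other_copies": [], "foreign_copies": []}
    for path, digest in inventory:
        if ntpath.normcase(ntpath.dirname(path)) == tool_dir_n:
            report["tool_copy"] = path
            report["tool_copy_trusted"] = (digest == trusted_hash)
        else:
            report["other_copies"].append(path)
            if digest != trusted_hash:
                report["foreign_copies"].append(path)
    report["safe_to_run"] = report["tool_copy_trusted"] and not report["foreign_copies"]
    return report


def processes_with_cygwin_loaded():
    """On Windows, list processes that currently have cygwin1.dll mapped (tasklist /m)."""
    if os.name != "nt":
        return None
    out = subprocess.run(["tasklist", "/m", "cygwin1.dll"], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed inventory.
    rep = preflight(SAMPLE_INVENTORY, TRUSTED_HASH, TOOL_DIR)
    for key, val in rep.items():
        print(f"{key}: {val}")
    loaded = processes_with_cygwin_loaded()
    if loaded:
        print(loaded)
```

On a real examination box you would replace the constructed inventory with `find_cygwin_dlls(["C:\\", "E:\\"])` and the placeholder digest with one recorded from your own verified Helix media; a report with `tool_copy_trusted` false is the "poisoned DLL" case from the first post, while a non-empty `foreign_copies` list is the version-mismatch case reproduced above.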

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Sep 22, 2009 10:50 am

Re: Helix and Cygwin

Jimbob, that looks interesting. I will have to try this out. I am reading the error message as an issue with the version of the cygwin1.dll as well as its location. I am guessing that if the versions on the Helix disc and your laptop match, it will take care of the error, but it's only a guess.
~~~~~~~~~~~~~~
Ketchup
