The Effect of CSRF on a Forensic Investigation
Whilst I mostly agree with the issues raised in this article over at Dark Reading [Exploit Could Taint Forensics], there is one comment that really ground my gears, and I would recommend that the author/editor get their technical facts straight before publishing.
> These investigations often rely on a user’s Web browser cache and history to reconstruct a user’s suspicious activity, so if the user’s machine is infected with CSRF, that data isn’t reliable and an innocent user could be mistakenly accused of wrongdoing when it was actually an attacker behind it.
My concern is with the idea that a user’s machine can get “infected with CSRF”, as if CSRF were a form of malicious software, when CSRF is not an “infectious” type of software.
I’m not going to go into what CSRF is, as a quick check of Wiki is sufficient.
Regardless of this slip-up, the point that these sorts of exploits can taint a forensic investigation is a valid one. Of course, a thorough review of a user’s web history could potentially unveil the site which initiated the CSRF attack, and highlight that the user’s web history may not be a good source of evidence in a case. This does not mean that the evidence is not good evidence; it just has to be reviewed appropriately.
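An added example, not part of the original post: a sketch of the history review described above, flagging visits to a sensitive site that were reached from a page on a different host. The record layout, field names and hosts are constructed assumptions, and only requests that left a history entry can be examined this way.

```python
from urllib.parse import urlsplit

# Constructed history records (not from a real case). The field names are
# assumptions: id, time, url, from_id (the visit that led here, or None
# when the browser recorded no referring visit) and transition type.
HISTORY = [
    {"id": 1, "time": "2008-01-10T10:00:02", "url": "https://bank.example/login",
     "from_id": None, "transition": "typed"},
    {"id": 2, "time": "2008-01-10T10:00:40", "url": "https://bank.example/account",
     "from_id": 1, "transition": "link"},
    {"id": 3, "time": "2008-01-10T10:05:11", "url": "http://forum.example/thread?id=77",
     "from_id": None, "transition": "typed"},
    {"id": 4, "time": "2008-01-10T10:05:12", "url": "https://bank.example/transfer?to=9981&amount=500",
     "from_id": 3, "transition": "redirect"},
    {"id": 5, "time": "2008-01-10T10:09:30", "url": "https://bank.example/transfer?to=1234&amount=20",
     "from_id": 2, "transition": "link"},
]


def host(url):
    """Lower-cased host of a URL (empty string if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def cross_site_visits(history, target_host):
    """Return visits to target_host whose referring visit was on another host.

    Such entries are candidates for requests the user did not initiate on the
    target site itself; the 'origin' URL is where the examiner should look next.
    Host comparison is a simplification of a full same-site check.
    """
    by_id = {v["id"]: v for v in history}
    findings = []
    for v in history:
        if host(v["url"]) != target_host:
            continue
        parent = by_id.get(v["from_id"])
        if parent is None:
            continue  # no recorded referrer: cannot be attributed either way
        if host(parent["url"]) != target_host:
            findings.append({"time": v["time"], "visit": v["url"],
                             "origin": parent["url"], "transition": v["transition"]})
    return findings


if __name__ == "__main__":
    for f in cross_site_visits(HISTORY, "bank.example"):
        print(f["time"], f["visit"], "<- reached from", f["origin"])
```

A flagged entry is a lead for review rather than proof, since legitimate cross-site links produce the same pattern.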
Posted by Christian
29 January 2008