For Most People Disability Isn’t Something That Happens All At Once

If you would like to interact with me regarding a post, please leave a comment with your thoughts, or a comment with a link to your own post on the subject. Please note that I hardly ever engage in back-channel discussions regarding anything I post here. However, to address the post I will note I was addressing the validity of having a network-level forensic solution in terms of “system-level” anti-forensics. If there are any questions or issues with my clarified beliefs, feel free to post them here and I will happily address them. If you’re relying on a host to reliably report its security posture, you are bound to be disappointed. That means any host in this subnet can contact any host on the Internet and vice versa. It allows hackers to access data, continuing the user’s sessions on their e-mails or internet tracking history. In this case, an HVM hypervisor is able to intercept and control access to the physical memory by way of its exception conditions.

As a result, anyone can access the network if it is not actually enabled. The new class is Network Security Monitoring 101. From the overview: Is your network safe from intruders? You may also want to consider employing a remote network monitoring service to ensure that you have the required experts who can respond, at any time, to a network security issue. The only blog-related issue you may notice in the coming months involves a review of old blog posts. If detection of an HVM rootkit is difficult and impractical, actually procuring a forensic copy of an active HVM rootkit may very well be impossible. C. It uses FIN messages that can pass through firewalls and avoid detection. They come in different sizes and shapes for both commercial and personal uses. I can assure you that I can ask Richard and some other experts and come up with radically different inputs.

Yes, Richard might have an experience worth more than my grannie or someone who knows little about information security, but Richard and some other security expert? Furthermore, I am happy to report that Dark Reading, being ever concerned with the accuracy of their article, has changed the quote to more accurately reflect EMA and my beliefs. Several years ago we passed the point where suspected compromised hosts could be trusted to accurately report their own integrity to tools running on the victim. The only other forum in which I might engage in a running discussion is a mailing list. One might point to the fact that there are no known HVM rootkits in the wild. I am considering revisiting all of my old posts for several reasons, so those of you who subscribe via RSS might see old posts republished. Since opening the blog to comments several years ago I’ve enjoyed hearing from blog regulars and plan to continue reading your replies to my posts.

For roughly five years I’ve used this blog as a personal yet technical forum, but intentionally did not write about my workplace. Two years ago during the rise of the public Windows kernel-mode rootkit, I wrote Rootkits Make NSM More Relevant Than Ever. I started the blog on 8 January 2003, so in four months it will be five years old. Third, I’d like to add proper titles to old blog entries that lack that feature. I detest bookmarks since they quickly become unmanageable, lack context, and do not include my reaction or synthesis of the subject at hand. I’ve blogged while working as an incident response consultant for Foundstone, a technical director for ManTech’s Computer Forensics and Intrusion Analysis division, an independent consultant with TaoSecurity, and now director of incident response for General Electric. I certainly agree that network forensics can be attacked and/or circumvented. Obviously a look at network traffic will not be 100% conclusive, but it will give you a trustworthy vantage point for very little investment of resources. From a network perspective the traffic could be associated with the wrong system.