ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

Expert undermines hacking suspect's defence

Munir Kotadia ZDNet.co.uk

Published: 09 Oct 2003 15:10 BST

An expert witness in the case of a teenager accused of accidentally launching a distributed denial of service (DDoS) attack on a major US port said on Thursday there was no indication that evidence had been planted on the suspect's hard drive.

The defence counsel for Aaron Caffrey, who is on trial at Southwark Crown Court, had said that his client's computer could have been compromised by a hacker who had altered the system's log files -- which record how the machine is being used -- and staged an attack from the teenager's computer.

But Professor Neil Barrett, technical director at Information Risk Management and an expert witness at the trial, told the court that after examining the physical location of data blocks on Caffrey's computer, there was no evidence that the log files had been altered at a later date.

"If you edit a file after you finish writing it to disk, it results in block fractures. The block that corresponds to the edited text would be written elsewhere. The disk blocks that correspond to this file show no evidence of fracturing and were sandwiched between files that were created before and after it," Barrett told the court.

Barrett conceded that a hacker could, in theory, have planted a different log file on Caffrey's computer, but said it would be obvious that it was inserted later because of the physical position of the file's data blocks. "There is obviously a way of introducing (the file) on the computer, but not in the correct place," he said.

Caffrey's counsel questioned the validity of Barrett's evidence because the witness had not physically examined the actual hard disk from Caffrey's computer, but an image of it that was sent to him on CD-ROM. Barrett argued that this did not make a difference because the image was "forensically sound".

The case continues.