The Defiler's Toolkit is a set of programs designed to prevent
forensics investigators from identifying a hacker's activities by
limiting the quality and quantity of forensic evidence left behind.
The current Toolkit targets the Linux Ext2fs
filesystem. The Toolkit allows hackers to hide data and/or destroy
data while making it difficult to determine that these actions have
taken place.
Data hiding works by marking a section of good blocks on the host's
hard drive as bad, i.e., associating them with the bad blocks inode,
and then storing data in those blocks. Normally, the bad blocks inode
identifies blocks that do not function properly, so The Coroner's
Toolkit (a forensics tool used to recover deleted files and examine
deleted directory entries) will not look in the bad blocks. The only
clue to the forensic investigator that something has happened is that
the drive appears smaller than before, but it is difficult to
determine what has been stored on the hard drive. Data can also be
stored in the ext3 journal file and in directory files. Such
techniques can be used to store virtually any kind of data a hacker
desires.
Two programs are included in the toolkit to facilitate data
destruction. Normally when a file is deleted, only the data is
removed, leaving the metadata (inodes and directory entries) intact.
Directory entries normally make it possible for a forensics
investigator to identify deleted filenames and their sizes. Necrofile
uses deletion time criteria to remove the metadata from the inodes,
making it more difficult for a forensic investigator to determine that
a file has been deleted. Klismafile identifies directory entries for
deleted filenames and eliminates them. Through combined use of these
two programs, the hacker removes the obvious evidence that data has
been deleted, making the forensic investigator's job much more
difficult.
To overcome these difficulties, experts advise using TASK, a more
recent descendant of The Coroner's Toolkit, when conducting a
forensics investigation. Examining blocks of hard drives that are
marked bad is also an important step when trying to identify hacker
activities. Hidden data can provide leads regarding the hacker's
identity and objectives.
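As an added example (not from the original post or from the Defiler's Toolkit itself), the following Python reads the superblock of a raw ext2 image and reports which blocks inode 1, the bad blocks inode, currently claims; on a drive with no known bad sectors, any block listed there is worth examining. The image it is tested against is constructed in-code, and only direct block pointers are listed (indirect pointers are flagged).

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53
BAD_INO = 1  # ext2 reserves inode 1 as the bad blocks inode

def bad_blocks_inode(image: bytes) -> dict:
    """Return the blocks claimed by inode 1 of a raw ext2 image."""
    sb = image[1024:2048]                          # superblock lives at byte 1024
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2 superblock")
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    inode_size, = struct.unpack_from("<H", sb, 88)
    inode_size = inode_size or 128                 # revision 0 filesystems use 128
    block_size = 1024 << log_block_size
    # group descriptor table is the block after the superblock; inode 1 is in group 0
    gdt = (first_data_block + 1) * block_size
    inode_table_block, = struct.unpack_from("<I", image, gdt + 8)
    ino = inode_table_block * block_size + (BAD_INO - 1) * inode_size
    i_blocks, = struct.unpack_from("<I", image, ino + 28)   # count in 512-byte sectors
    i_block = struct.unpack_from("<15I", image, ino + 40)   # 12 direct + 3 indirect
    direct = [b for b in i_block[:12] if b]
    has_indirect = any(i_block[12:])
    return {"sectors": i_blocks, "direct_blocks": direct,
            "has_indirect": has_indirect, "block_size": block_size,
            "suspicious": bool(direct) or has_indirect}

def read_blocks(image: bytes, blocks, block_size: int) -> list:
    """Return the raw contents of the listed blocks for manual inspection."""
    return [image[b * block_size:(b + 1) * block_size] for b in blocks]

def make_test_image(bad_blocks=(50, 51)) -> bytes:
    """Constructed 64-block, 1 KiB-block ext2 image (not a real dd capture):
    inode 1 points at the given blocks, which hold sample 'hidden' data."""
    img = bytearray(64 * 1024)
    struct.pack_into("<H", img, 1024 + 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<II", img, 1024 + 20, 1, 0)  # first data block 1, 1 KiB blocks
    struct.pack_into("<H", img, 1024 + 88, 128)    # inode size
    struct.pack_into("<I", img, 2 * 1024 + 8, 5)   # group 0 inode table at block 5
    ino = 5 * 1024                                 # inode 1 is first in the table
    struct.pack_into("<I", img, ino + 28, 2 * len(bad_blocks))
    for i, b in enumerate(bad_blocks):
        struct.pack_into("<I", img, ino + 40 + 4 * i, b)
        img[b * 1024:b * 1024 + 6] = b"hidden"
    return bytes(img)
```

Run bad_blocks_inode on a dd image of the suspect partition and pass the returned direct_blocks to read_blocks to see what was stored there.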
For more details regarding inodes, directory entries, and other
aspects of UNIX file systems, see "To the Art of Defiling" by the
grugq: http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-asia-03/bh-asia-03-grugq/bh-asia-03-grugq.pdf
Additional Reference: "Breaking News: The Latest Computer Attacks and
Defenses" by Ed Skoudis, Predictive Systems, June 6, 2003,
http://www.counterhack.net/UFL.ppt
Search Terms: "The Defiler's Toolkit"
Sincerely,
Wonko