Showing posts with label forensics. Show all posts

ADD - Memory anti-forensics

Came across this interesting article today about a new anti-forensics tool that can plant arbitrary artefacts in memory to obscure what an attacker has really been up to, or even plant evidence implicating someone else! Interesting stuff, I'm looking forward to hearing more about it.

Megaupload recap

I've been quiet on the blog since relocating to Japan, and had started a number of posts that I never finished. Rather than finish them all, I'm going to recap the things I found interesting over the last few months, and then move on to (hopefully) a more regular schedule.


The Megaupload fiasco, where the site was shut down for illegal file sharing and its owners arrested under US law, even though the site was based in Hong Kong and the owners were non-US nationals living in other countries. All this despite NZ's extradition agreement with the US requiring the crime to have been committed in US territory. There is an interesting article here on the legality of it all and what it may mean in the future.
No one seems to have covered themselves in glory here: the FBI FedEx-ed cloned data out of NZ (possibly illegally) and has now been ordered to return it, and the search warrant used to search Kim Dotcom's home and clone his hard drives has since been ruled illegal.

And of course there was an 'Anonymous' response to the whole thing, and the question of whether the high-profile bust and take-down accomplished anything anyway.

It raises all the old questions in regards to 'cyberspace' - who 'owns' the internet? Is it a transmission medium or a place? This case will be one to watch...

Flash Forensics part II - the empire wipes back

Following up my previous Flash Forensics post, there is another paper [pdf] from some local researchers over in Perth that describes how the 'garbage collection' routines that purge data from SSDs can wipe valuable forensic information, even when the drive is attached to a PC through a write-blocker. The reason is that garbage collection runs inside the drive's own firmware once it has power; a write-blocker only stops the host from issuing writes, it does nothing to stop the drive rewriting itself.

It seems that the increasingly common use of flash/SSD drives is going to cause headaches for investigators and end users alike: not always deleting data when you want it gone, and sometimes removing data you may want kept (bearing in mind that forensically recovered data may be used to show innocence as well as guilt)!

This is an area of research worth keeping an eye on...

Flash Forensics

I recently came across a couple of interesting articles on the difficulty of securely wiping data from solid state disks.
Both articles are based on a paper [pdf] from a University of California team that tested sanitizing both an entire disk and individual files on SSDs using standard ATA commands.
The outcome? Full disk sanitization was usually (but not always!) effective, while single file sanitization "consistently fail(ed) to remove data from the SSD".

Interesting stuff!

With SSDs rapidly dropping in price, and becoming more and more common in a wide variety of devices (especially portable devices), the paper is well worth a read for those tasked with protecting sensitive data from loss.

BYO Forensic Lab

After recently reading and learning about the requirements for setting up a forensic laboratory, I did a little more research into the subject and came across a fairly recent article on csoonline.com entitled "How to Build Your Own Digital Forensics Lab - for Cheap". While the article is fairly brief and doesn't go into issues such as chain of custody or the capture of volatile data, the author does provide some useful tips on making a USB device read-only and points to some free tools for imaging a suspect's disk.

The article also has a link to the handy little "Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders" [pdf] which has tips such as photographing the screen before powering off a suspect machine and performing the power-down by yanking the power cord (and where appropriate removing the battery). For servers in a business it recommends not yanking out the power cord, but calling a pro and restricting access to avoid damaging the system, disrupting legitimate business and (of course!) reducing the potential for officer and department liability.

It's a handy little guide and an interesting insight into law enforcement procedures.

Wii Forensics

A recent article on Networkworld.com mentions how difficult it can be to recover information from smartphones and game consoles.

I can imagine smartphones are particularly difficult, given the constantly changing nature of the hardware in use and the proliferation of mobile operating systems such as Windows Phone 7, Android, iPhone OS, WebOS and BlackBerry OS. The modified or custom file systems can also be challenging: I've read that the Xbox 360 uses FATX and that the PS3 uses a proprietary version of ext2.

However, a particular quote from the article caught my eye: "You can take a Wii onto the Internet and it doesn't save sites or browser history....If you type in a Web address and surf, 10 minutes later there's no record of it." Intrigued by this comment, a bit more digging came up with this paper [pdf] on Wii Forensics.

Dr Turnbull highlights the lack of internal storage (other than the 256MB flash memory) and the proprietary file system as some of the difficulties in Wii forensic analysis. The paper makes for interesting reading.

Forensics & Virtual Machines

I'm a big fan of virtualization, and have seen first-hand how much of a 'game changer' it has been for infrastructure. With my recent studies in Digital Forensics I wondered: how does virtualization 'change the game' when it comes to forensics?

In my so-far brief research, there seems to have been a fair bit written about the use of virtualization in forensic analysis. The paper entitled 'Virtual Forensics' [pdf] from ForensicsFocus.com is an interesting start, discussing VMs as a target and the use of VMs to make analysis easier. This presentation from 2005 is boldly titled "Virtual Machines: The Ultimate Tool for Computer Forensics", while this paper [pdf] claimed that "the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence" and suggests that a hybrid approach, a standard forensic image plus a VM built from it for analysis, is best.

There also seem to be plenty of ready to run virtual machine images or appliances to assist the forensics practitioner, but what happens when the target machine is a VM?

This article from cio.com mentions that one of the potential problems is that VMFS (VMware's file system used to store the 'guest' virtual machine images) is not well understood. A virtual machine is simply files on a disk, but when you want to capture a forensic image of a VM, do you simply capture the 'disk files' (e.g. the vmdk files, NVRAM file, etc.) or do you need the underlying host storage volume (the VMFS partition) to capture metadata such as last-accessed times? Bear in mind that a VM's 'disk' is often several files (a small descriptor plus one or more extent files, and a chain of snapshot delta disks), and that a suspended or snapshotted VM also leaves .vmem/.vmss files behind, which are effectively a memory image of the guest and worth collecting for the same reasons you would capture RAM on a physical box.

The sheer size of the VMFS partition may also cause problems (think multi-terabyte LUNs), along with the fact that a VMFS datastore is usually shared among many guest VMs, which is awkward if a forensic investigator is only authorized to investigate a single machine.

With continuing explosive growth of server virtualization and now the increase in interest in desktop virtualization it will be interesting to see what changes (if any) will be required for digital forensic investigators in the near future.

HDD decryption

Forensics Focus had an article about some software that "Decrypts TrueCrypt Hard Disks in Minutes". A pretty impressive and scary claim! Wondering how it works? I was too, so a quick visit to the manufacturer's website gives some details on how the software works for HDD decryption:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

Overall Steps

* Acquire a memory image of the seized computer
* Create an encrypted disk image (required for BitLocker only)
* Run Passware Kit to recover the encryption keys and decrypt the hard disk

So there is no gaping hole in the full disk encryption of BitLocker or TrueCrypt: the software extracts the keys from a forensically captured physical memory image taken while the encrypted volume was mounted. Any mounted volume has its keys in RAM, and anything that can read RAM (a DMA-capable FireWire port, a memory dump of a locked but running machine, or a hibernation file) can get at them. The technique is the one published with the 2008 cold-boot attack research: a key is located by finding its expanded round-key schedule sitting next to it in memory. This just further highlights the importance of being able to perform a live acquisition of physical memory when the use of encryption is suspected, and, on the defensive side, of dismounting volumes or powering off rather than locking a machine that holds sensitive data.
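To make the key-extraction step concrete, here is an added example (my own code, not Passware's, and not from the Forensics Focus article) that implements the key-schedule search from the cold-boot research: every AES key in RAM is normally followed by its expanded round keys, and that expansion is a deterministic function of the key, so a window of bytes is a real key exactly when the bytes after it are its schedule. The "memory image" is constructed inline with two planted schedules; the scan itself is general and handles AES-128 and AES-256 (the TrueCrypt default).

```python
"""Added example: find AES keys in a memory image by their expanded key schedule.
Not Passware's code; the memory image below is constructed, not a real capture."""
import hashlib


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse (x^254) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):
                inv = _gf_mul(inv, x)
        s = inv
        for k in range(1, 5):                       # s ^= rotl8(inv, k), k = 1..4
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for a 16/24/32-byte key; returns 176/208/240 bytes."""
    nk = len(key) // 4
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):              # (nk + 6) rounds, plus one
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                # extra SubWord for AES-256
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(sum(w, []))


def find_aes_keys(image, key_sizes=(16, 32)):
    """Return [(offset, key_bits, key_hex)] for every AES key schedule in image.

    Cheap filter first: only the first expanded word of the candidate key is
    derived and compared with the next four bytes of memory; the full expansion
    runs only for windows that pass, which is what makes scanning a multi-GB
    dump practical. Exact match only: real tools also tolerate a few bit flips
    from decayed RAM, this one does not."""
    hits = []
    for klen in key_sizes:
        nk = klen // 4
        sched_len = 16 * (nk + 7)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + klen]
            last = list(cand[-4:])
            t = [SBOX[b] for b in last[1:] + last[:1]]
            t[0] ^= 1                               # rcon for the first expansion step
            first_word = bytes(a ^ b for a, b in zip(cand[:4], t))
            if image[off + klen:off + klen + 4] != first_word:
                continue
            if expand_key(cand) == image[off:off + sched_len]:
                hits.append((off, klen * 8, cand.hex()))
    return hits


def build_sample_image():
    """Constructed 16 KiB 'memory image' (not a real capture): SHA-256 chain as
    filler, with an AES-128 and an AES-256 schedule planted at known offsets,
    the way a mounted encrypted volume leaves its keys in RAM."""
    filler = bytearray()
    block = b"constructed memory image"
    while len(filler) < 16384:
        block = hashlib.sha256(block).digest()
        filler += block
    k128 = bytes(range(16))                         # 000102...0f, the FIPS-197 test key
    k256 = hashlib.sha256(b"demo AES-256 key").digest()   # arbitrary 32-byte key
    filler[1000:1000 + 176] = expand_key(k128)
    filler[9000:9000 + 240] = expand_key(k256)
    return bytes(filler), k128, k256


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for off, bits, key in find_aes_keys(image):
        print(f"AES-{bits} key schedule at offset {off:#x}: key {key}")
```

Against a real dump you would read the file in chunks and call find_aes_keys on each (overlapping by 240 bytes), then hand the recovered keys to the volume format's own decryption routine; for XTS-mode volumes such as TrueCrypt's, expect two keys per volume (the data key and the tweak key) to turn up adjacent to each other.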

Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, performance under the Enhanced Write Filter can be improved by making a registry change that disables last-access timestamp updates. With updates enabled, every read of a file causes a metadata write to record the new last-access time; turning them off removes that write from every read:

In the registry, under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, create the DWORD value NtfsDisableLastAccessUpdate and set it to 1.

(you can also run fsutil behavior set disablelastaccess 1 on Windows 7/2008, and fsutil behavior query disablelastaccess shows the current setting)

Microsoft liked this idea so much that last-access updates have been disabled by default since Windows Vista and Windows Server 2008 (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM). Later Windows 10 releases changed the default again to a 'system managed' mode, so check the value on the box in front of you rather than assuming.

This has interesting repercussions for security and computer forensics personnel. If nothing else, a system left at the default removes a tool from the investigator's arsenal: the last-access time on a file says nothing about when it was last read, it will usually just match the creation or last-modified time, and an investigator who doesn't check the setting first risks drawing the wrong conclusion from a stale value. Even with updates enabled, NTFS only persists a new last-access time when it is more than an hour newer than the stored one, so the timestamp is coarse at best.

Windows Computer Investigation Guide

During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the “Fundamental Computer Investigation Guide for Windows" which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.

Although at 55 pages the guide isn't going to make you a forensics guru, as a free starter guide it hits all the main points we've learned so far: initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, being thorough and methodical in the assessment, acquisition of data, analysis of the data and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at the Woodgrove Bank, an organization that, along with Tailspin Toys and Contoso, will be all too familiar to those who've done a few Microsoft exams).

The tools referenced in the guide are generally included in the OS or are free Sysinternals tools such as Filemon, Portmon and Process Explorer, although EnCase and FTK are mentioned for performing a bit-for-bit acquisition.

While Microsoft do get bashed about a lot of things (and security in particular), I am always surprised by the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the Sysinternals tools, I recommend checking them out.

COFEE vs DECAF

I'm currently studying Digital Forensics and a recent bit of Google-inspired research led me to one of the big stories of late last year (which I vaguely remembered), where a Microsoft forensic tool designed for use by law enforcement called COFEE (Computer Online Forensic Evidence Extractor) was leaked on the internet.

Given the prevalence of computer-based crime and the level of skill required to perform proper forensic analysis, it makes sense for Microsoft (or someone else) to develop a simple-to-use wrapper around what was apparently a number of common forensic tools already available elsewhere on the internet.

The reaction to the leak seems to have been mixed, ranging from Microsoft claiming they weren't bothered by the release of the software (while noting it is licensed for use by law enforcement only) to someone developing a counter-forensic tool called (of course) DECAF. What was the thinking behind creating a counter to COFEE? One of the developers said:

"We saw Microsoft released COFEE and that it got leaked, and we checked it out," the man said. "And just like any kid's first day at the fair, when you walk up to that cotton-candy machine and it smells so good and you see it, it's all fluffy – just so good. You get up there and you grab it and you bite into it, it's nothing in your mouth.

"That's the same thing we did with COFEE. So, knowing that and knowing that forensics is a pretty important factor, and that a lot of other pretty good forensic tools are getting overlooked, we decided to put a stop to COFEE."

This argument seems fairly disingenuous, as COFEE was hardly aimed at replacing existing tools, but at making them easier for a less well-trained law enforcement operator to use in order to gather crucial forensic evidence. The fact that the tool was released by Microsoft probably had more to do with the creation of a counter-tool than noble thoughts of 'better tools being overlooked'.

No matter what the task, there is almost always a 'better tool' whose use might not be desirable because of cost, complexity or the expert knowledge required to operate it. Much of the history of software innovation has been about making complex tasks easier so more people can perform them, Windows being the prime example as it took desktop computers from the realm of geeky hobbyists to mainstream use in businesses and homes. While simplifying (or as some may call it, 'dumbing down') tasks may grate on the nerves of some, it is an inevitable and, in many ways, desirable end goal.

Photocopier peril

Affinity Health in the US has had to notify about 400,000 customers and staff of a potential data breach. A firm suffering a data breach? "Nothing new there!" you say.

In this case though, the way the data was lost is a little more unusual (as was the method of discovery). You see, CBS was investigating the ticking "digital time bomb" of office photocopiers and purchased four used copiers. Upon removing the hard drives and running a forensic tool over them they found confidential police data on two machines, construction plans and payroll data on a third and, on the fourth, patient information from Affinity Health.

A quick search on datalossdb shows a few entries for fax machine breaches (mostly by sending a fax to the wrong number), but only one entry for copiers - the Affinity Health breach.

The CBS article asks, "Has the industry failed..to inform the general public of the potential risks involved with a copier?" to which the President of Sharp Imaging says "yes".

They do point out that all the major manufacturers offer 'encryption options' or security packages, but give no information on what percentage of buyers are willing to pay the extra dollars.

Here's a thought - include it by default! Make it impossible to buy a digital photocopier without encryption or secure deletion!

I think it was in the Mitnick book "Stealing the Network" (or perhaps it was in "The Art of Intrusion") that a hacker stealthily entered a network and took control of a digital copier.

In the meantime, what does your organization do with its old copiers when the lease ends or they reach end-of-life?
