Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open sourced tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven”; the original article is here:

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have a MS based solution then you can also try FTK’s Imager lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or PERL to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS+, etc., as well as everything you need for MS documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.  You can also check out BackTrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with BackTrack.

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Kwame Kilpatrick Asks Skytel for $100M

March 10, 2009

It is being reported that Mayor Kwame Kilpatrick is going after Skytel for the release of the text messages that led to the settlement of the police whistleblower lawsuit against him.

(source: The Detroit News)

It appears that the grounds for this action are the Stored Communications Act.  As a non-attorney I am guessing that this will boil down to a few factors:

  1. Was the police department involved in the production of the text messages (4th Amendment)?
  2. Was the contract with Skytel to provide messaging services, or storage/retrieval and reporting?

The Stored Communications Act does differentiate between a provider of services and a provider of storage, so the Skytel contract wording will likely make a difference.

With all of the Kwame Drama aside, this could actually be interesting for providers, contract attorneys, e-discovery and forensics folks as well.

Here is a reference to another case with similar characteristics:

Quon v. Arch Wireless


Firewire Target Mode and Other Apple Goodness

March 5, 2009

When performing information forensics on Apple platforms we have a few options for acquisition:

  • Firewire Target mode
  • BackTrack or Helix 3 (tested on Intel platforms – works great, some caveats, though)
  • Pull the drive and do your thing!

Here is an article that describes yet another use for Firewire target mode.  It is good to be reminded of the flexibility available through some of these features:

Macworld: “Firewire target disk mode to the rescue”

While I am at it, here is some more wonderful Mac goodness:

TUAW: “Keyboard Shortcuts During Mac OSX Startup”

Somewhat related to the Firewire target mode discussion above.

Download YouTube (in HD as well) using Safari or Firefox

(Also useful for other streams).  Make sure to use the “HD” format so you can get .mp4 format in iTunes – otherwise you will need an FLV player.

Teleport: Control Multiple Macs With One Keyboard and Mouse (Mac-centric Synergy-like program)

I have long used Synergy, but if you watch your logs you quickly realize that Synergy on a Mac is very “chatty”.  This is a good stand in for Mac only control.  If you need multiple OS support, then Synergy is for you.  Here is a Synergy version that is friendlier to Macs.

Are there any “Can’t live without them” features I have left out?


YouTube Struggles With a Wretched Hive of Scum and Villainy

March 5, 2009

InformationWeek Article: “YouTube Wrestles With Scammer-Generated Content”

InformationWeek reports that YouTube is “struggling” with posted videos showing such things as stolen credit cards, PINs, etc.  They go on to talk about how difficult it is to screen video content.

A single line mentions that meta-content can be used for screening (searching for keywords that can identify the content), but a YouTube spokesman goes on to say that they rely “on our community to know our community guidelines and flag content that violates the guidelines.”

First of all, the type of community that will be looking for that niche content isn’t going to be all that quick to flag it.

Secondly, how hard would it be to build a signature base of meta-word and behavioral screening to remove the largest portion of objectionable (illegal) content?  Here are a few ideas to think about as you read the article – feel free to post your own:

  • Spam assassin for content anyone?  Use the meta data to help weight the red flag.
  • Watch topics that users post to/visit and use this to weight a flag.  For instance, a little old lady that is concerned about “poodles” and “identity theft” will not affect the weight as much as someone looking for “Free credit card numbers” and “MS Windows licenses”.
  • Use Natural Language Processing techniques to identify and weight actual posts (remember the “StupidFilter”?).

I realize full well that these techniques can be gamed just like anything else, but it seems to me that they are viable, not so hard to implement (I use components of them in my work – although the scale is different!), and a darn spot better than relying on the crooks to report themselves!
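As an added illustration of the weighting scheme sketched above (my example, not anything YouTube or the article describes), here is a SpamAssassin-style scorer: metadata rules each contribute a weight, and the user's recent topics act as a multiplier, so the “poodles and identity theft” poster stays below the flag threshold while co-occurring fraud topics push a post over it. Rules, weights, topics and sample posts are all constructed for the example.

```python
import re

# Constructed metadata rules (regex -> weight), in the spirit of SpamAssassin scoring.
# A hit on a rule adds its weight; legitimate topics get a small weight on purpose.
META_RULES = {
    r"\bfree\s+credit\s+card\s+numbers?\b": 3.0,
    r"\b(cc|cvv|cvv2)\s*(dump|list|pack)s?\b": 3.0,
    r"\bpins?\s+(included|inside)\b": 2.0,
    r"\b(windows|office)\s+(license|serial)\s+keys?\b": 2.0,
    r"\bidentity\s+theft\b": 0.5,  # also appears in consumer-protection content
}

# Constructed behavioural signal: topics the account recently posted to or visited.
# Fraud-adjacent topics reinforce each other; benign topics contribute nothing.
RISKY_TOPICS = {"carding": 1.0, "free credit card numbers": 1.0, "ms windows licenses": 0.5}

FLAG_THRESHOLD = 4.0  # constructed; tune against a labelled sample in practice


def metadata_score(title, description, tags):
    """Sum the weights of every metadata rule that matches the post's text."""
    text = " ".join([title, description, " ".join(tags)]).lower()
    hits = [pattern for pattern in META_RULES if re.search(pattern, text)]
    return sum(META_RULES[p] for p in hits), hits


def behaviour_multiplier(user_topics):
    """1.0 for a user with no risky history, rising to 2.0 as risky topics co-occur."""
    risk = sum(RISKY_TOPICS.get(t.lower(), 0.0) for t in user_topics)
    return 1.0 + min(risk, 1.0)


def score_post(title, description, tags, user_topics):
    """Combine metadata hits with the account's behaviour into one flag decision."""
    meta, hits = metadata_score(title, description, tags)
    total = round(meta * behaviour_multiplier(user_topics), 2)
    return {"score": total, "hits": hits, "flag": total >= FLAG_THRESHOLD}


# Constructed sample posts: one scam listing, one benign consumer-protection video.
SCAM = ("Free credit card numbers 2009 - PINs included", "cvv dump inside",
        ["carding"], ["carding", "free credit card numbers"])
BENIGN = ("My poodle and identity theft: how grandma got her name back",
          "tips to avoid identity theft", ["poodles"], ["poodles", "identity theft"])

if __name__ == "__main__":
    for post in (SCAM, BENIGN):
        print(score_post(*post))
```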


Government Denies FOIA Request For .gov Domain List

March 4, 2009

Information Week Article

I was sure that the concept of “security through obscurity” had been thoroughly debunked by now, evidently not.

A recent Freedom of Information Act request for a list of .gov domain names was denied by the GSA.  You should know this about me: I am all for state secrets – I think that, realistically, a government must have secrets.  This is perhaps an argument for another day.

Given the nature of DNS, cached DNS, etc. how long do you think before some of these “hidden” domains show up anyway?

Let’s be clear:  I really don’t think this is a huge deal, but it can be a source of mental fun for the rest of us.  So here is a “wake up it is hump day” mental exercise for you (This WILL be graded, you WILL need to know this for the test!):

What would be a more effective “security through obscurity model” for the government to use, while still listing the required domains?

I will start the ball on this (and therefore open myself up to immediate criticism!):

  • Register the domains as normal, but do not use obviously descriptive names: Instead of “trackingPrivateCitizens.gov” you might use “TPCProject.gov”, you may even consider using a completely sanitized CRC32 version: 13201934.gov  (Free Vidoc Razor T-shirt if you can figure that one out).
  • Keep an internal, classified document that maps out the “sanitized domains” with their true descriptions.

How would you set out to discover these “hidden” domains?

  • We will assume zone transfer is not available (Could be a big assumption).
  • Build a database of known domain names.
  • What next?

Feel free to post any ideas – or chide me for wasting your time and making you read this cruft!


The Top 5 Biggest Infosec Lies

March 2, 2009

I have compiled a list of what I believe are the biggest lies told by and about infosec.  Let me know if you have an addition to the list!

5. There is no evidence that the data has been misused….

This lie is typically told by a company that has just had their digital posteriors handed to them.  The first question that I want to ask upon hearing this one is:

“So… wait… you were completely unable to detect the intruders that were playing around in your own systems for 3 or 4 months, but now all of a sudden you can tell across the entire globe if the information is being misused?”

4. It was a sophisticated attack….

The biggest problem is deciding if this lie is being told by the party that was breached, or the media.  For some reason the media classifies everything as “hacked”, even when it isn’t.  You can add to this that the party that has been breached has two things working against it:

1. Who wants to admit they were breached by something stupid?  If you are going to be breached you want it to be the most sophisticated, complex attack known to man.

2. The “mouthpiece” for the organization that was breached likely doesn’t understand the technical issues themselves.

3. Of course it is secure – the (Military/Law Enforcement/Government) uses this, so it has to be….

I was asked by a client to sit in on a product demonstration not too long ago, and the vendor’s mouthpiece kept harping on the fact that “This is so secure, NASA uses it!”.  They were more than a little crestfallen when I demonstrated for them that they were sending their username/password in Base64-encoded format for the entire world to see – and only then was the page moving to SSL encryption (on an expired certificate).

The lesson here?  Just because no one has questioned it, doesn’t make it secure.
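The two findings from that demo make a good checklist item for anyone reviewing a “secure because NASA uses it” product. This added example (mine, not the vendor's product or anything from the original post) decodes a Basic authorization header to show that Base64 hides nothing, and audits a captured request for the two problems above: credentials over cleartext HTTP, and credentials over TLS to a host with an expired certificate. Hostnames, credentials and dates are constructed.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import urlsplit


def decode_basic(auth_header):
    """Return (user, password) from an HTTP Basic header, or None if absent/malformed.
    Base64 is an encoding, not encryption: anyone on the path can do this step."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        userpass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = userpass.partition(":")
    return user, password


def audit_request(url, headers, cert_not_after=None, now=None):
    """Findings for one captured request: Basic credentials over cleartext, or over
    TLS whose certificate had already expired at the time of the request."""
    findings = []
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return findings
    user = creds[0]
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append(("HIGH", f"Basic credentials for '{user}' sent over "
                                 f"{scheme or 'unknown scheme'}; readable by anyone on the path"))
    elif cert_not_after is not None and cert_not_after <= (now or datetime.now(timezone.utc)):
        findings.append(("HIGH", f"Basic credentials for '{user}' sent to a host whose "
                                 f"certificate expired {cert_not_after:%Y-%m-%d}"))
    return findings


# Constructed sample: the login as a proxy would log it, then a later TLS request to a
# host whose certificate had expired a month before the demo.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"demo_user:Summer2009!").decode()
CLEARTEXT_LOGIN = ("http://portal.example.invalid/login", {"Authorization": SAMPLE_AUTH})
TLS_EXPIRED = ("https://portal.example.invalid/app", {"Authorization": SAMPLE_AUTH},
               datetime(2009, 1, 31, tzinfo=timezone.utc), datetime(2009, 3, 2, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(decode_basic(SAMPLE_AUTH))
    for finding in audit_request(*CLEARTEXT_LOGIN) + audit_request(*TLS_EXPIRED):
        print(*finding)
```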

2. We have “Insert favorite technology here” so we know we are all set….

My first response to this usually is: “Tell me/Show me the specific policy/procedure that your favorite technology is in place to support.  What about the policy and procedure that governs support of the technology?”  The largest portion of the time an organization is completely unable to do this simple exercise.

Infosec technology that does not support policy and procedure is pretty much meaningless – at best you have wasted money, at worst you have created yet another attack vector through a mis-managed, poorly understood device.

1. We are compliant with (HIPAA, GLB, Sarbanes-Oxley, PCI, etc.) so we know we are secure….

Ummm… so was Heartland….  Do we really need to go down this road?