
Mar 21
I will be giving a presentation at an educational event organised by the ISACA Malta Chapter entitled The Realm of Digital Forensics, details of which are below:
Date: Thursday 26th March 2009
Venue: Malta Federation of Professional Associations (MFPA) Sliema Road, Gzira
Time: 16:30 to 18:30


More details can be obtained from here.

Download the event PDF from here.

The presentation will be available as a download after the event.

I look forward to seeing you.

-Donald

Posted by Donald Tabone

Jan 30

Sadly, the past few weeks have left me very little time to write about my rants. The first month has already passed by and I barely realised. In truth the next 5 months are a sort of marathon in that I have three exams coming up (one of them the CISM) and a thesis to finish off. On top of that, I have an ISACA presentation to give at the end of March (more details later on) and a full time job :-) I guess I shouldn't grumble -- and I won't. My replacement eTc-3850 thin client is still for sale, so if you're interested, drop me an email. It is still boxed and has never been used.

Ok, back to a good article I read on Securology; here's one that struck home on a number of points. It's a little lengthy so I won't be quoting a lot of it, however the core of it revolves around the idea that a job in computer security is not as rosy as it might seem. Varied ideas tend to exist about the glory of CSI-like investigations and huge pay packets, however the truth is much more down to earth. The reality, according to Securology, is as follows:

1. Perfect Security is not possible.
2. Most security work is really about making sure everyone else does their job "correctly".
3. Security Response jobs suck.
4. Security Operations jobs suck more.
5. Security Planning jobs are set up to fail.
6. Security vendors have to sell out.
7. Pen Testers and Consultants have Commitment Issues
8. Exploit writers perpetuate the problem.
9. Security Educators either are paranoid or should be.
10. Security Media don't really exist.
11. And Security Bloggers are the worst above all.


Each section is expanded on and talked about, and I encourage you to read the original article (see below for source). Being a security guy myself, I would say that they are somewhat true - and they kinda got me frowning - however somewhat over-stated too. It's not all bad, though ... really!

A good point comes out of point 3 - Security Response jobs suck...

... It may seem like CSI or something, but jobs that deal with responding to incidents suck. Except in high profile cases, computer forensics and true chain of custody techniques are not followed-- and if you want a computer forensics job, you'll probably have to work for a large government/public sector bureaucracy (and all the fun that goes with spending tax payers' dollars), which means you'll be primarily working on child pornography or drug trafficking cases and riding daily the fine line between public good and privacy infringements (warrantless wiretaps come to mind).


Others are aimed at putting you off... and encouraging you to head for a farming job!

If you're already in a security career and find yourself disheartened by the lacking options around you (because you've realized that it isn't the glamorous field you once thought), but find that you have an amazing affinity towards learning all that you can, this might be a saving grace that will prevent you from leaving everything you've learned behind and taking up a job as a dairy farmer (or some other similar job that will not require you to touch a computer)


I work in an environment where our department is central to several other security departments. We interact with all the other departments, the idea being that there is a defined separation of duties. In these cases, one of the several skills of a security analyst has got to be communication. That essentially means that you must both have a varied technical background and be a people person capable of assessing not only your needs but also those of others. The reason for this is obvious - you need to state your point from a security angle, balance your opinion vis-a-vis usability and be in a position to help implement/facilitate solutions that are security centric. Not an easy job -- but hey, then what are we paid for? ;-) ... and yes, it also means that to a certain point we have to be educators.

To close this article, here's Securology's ending... I sense that the writer must have been in one of his low moments - nevertheless - heads up... it's not all grim.


If you hope to change the world with your career, may I suggest a rewarding opportunity teaching high school math or science in a public school system? The pay is for shite, and there will be harder days than being a security professional, but your pupils will be grateful for your job well done later in life-- even if they don't manage to get around to tell you. Besides, everyone knows Americans spend what they make-- just learn to make ends meet on a teacher's salary.


Source

Posted by Donald Tabone

Jan 20
On to another interesting piece of news I stumbled upon earlier today - prick up your ears - a recent study by Craig Wright, a forensic expert, shows that...
...after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.


Wright and his co-authors presented the paper at ICISS 2008 and it has been published by Springer in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).

The original article correctly talks about the implications from a security point of view. It's important to bear in mind that remnants of an edited document are still present in several places, such as temporary files, swap files and who knows where else, so wiping the one file you can see is not enough.

Really, to ensure that nothing more can be recovered from a hard disk, it has to be overwritten completely, sector by sector. Bear in mind that an overwrite issued from the operating system only reaches the sectors the drive exposes: sectors the drive has already remapped as bad, and any host protected area (HPA) or device configuration overlay (DCO), are not touched by it.


Free software out there that employs all sorts of wiping techniques, from simple algorithms to military grade ones, like Darik's Boot and Nuke (DBAN), might no longer be necessary, as a simple tool like dd in Linux will do the job perfectly: one pass of zeros over the whole device, then read it back to check that nothing but zeros remains.
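The sector-by-sector overwrite and the read-back check, as an added example (not code from the original post or from any of the tools it names): it does in Python what `dd if=/dev/zero of=/dev/sdX bs=512` does, so that the verification pass can be shown alongside it. The target file, its name and the sample data are constructed for the demo; pointing `wipe_sectors` at a real block device requires root and destroys everything on it.

```python
import os
import tempfile

SECTOR = 512  # classic sector size, the same unit a dd bs=512 pass writes
SAMPLE = b"CONFIDENTIAL: draft merger memo, do not distribute\n"  # constructed data


def wipe_sectors(path, fill=b"\x00"):
    """Overwrite every byte of `path` once, one sector at a time, and force the
    writes to the medium. `path` may be an image file or, as root on Linux, a
    block device such as /dev/sdX (seeking to the end of a block device reports
    its size, so the loop below covers the whole device). Returns bytes written."""
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    block = fill * SECTOR
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        written = 0
        while written < size:
            chunk = block[: min(SECTOR, size - written)]
            f.write(chunk)
            written += len(chunk)
        f.flush()
        os.fsync(f.fileno())  # do not trust the page cache: push the zeros to the disk
    return written


def verify_wiped(path, fill=b"\x00"):
    """Re-read the whole target and return (clean, first_dirty_offset).
    The overwrite only counts as done once it has been read back."""
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                return True, None
            if chunk != fill * len(chunk):
                return False, offset
            offset += len(chunk)


def demo():
    """Run the wipe against a throw-away image file holding constructed data."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE * 25)  # about 1.3 KB: two full sectors plus a partial one
        path = tmp.name
    try:
        clean_before, _ = verify_wiped(path)
        written = wipe_sectors(path)
        clean_after, _ = verify_wiped(path)
        with open(path, "rb") as f:
            leftover = b"CONFIDENTIAL" in f.read()
    finally:
        os.unlink(path)
    return {"bytes_written": written, "clean_before": clean_before,
            "clean_after": clean_after, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

The partial last sector is handled deliberately: a device or image whose size is not a multiple of 512 still gets its tail overwritten, which a `count=` computed by integer division would miss.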

Echoing this post

Posted by Donald Tabone

Jan 6
It's been a while since I last posted something re. digital forensics, mostly due to the fact that I've been bogged down by studies and work. Nevertheless, I came across this document by Brett Shavers entitled Virtual Forensics - A Discussion of Virtual Machines Related to Forensics Analysis. A brief summary of the 35 page document is quoted below.

The time of virtual machines has come and will only become more commonplace. Although a virtual machine is nearly identical to an actual computer system, there are differences that examiners should be aware of. Given the capabilities that are inherent in booting forensic images into a virtual environment, this should be the first choice in the restoration of any forensic image as it not only saves time in the restoration process, but it can be repeated as many times as needed, quickly and easily.


Early in the PDF we get a primer on VMware files (such as .VMDK and .VMSD files), and the document continues with the pros and cons of using virtual machines as a forensic OS. Later, he discusses topics like using VMs for anti-forensics, i.e. using a good tool for bad things, followed by a number of how-tos.

I cannot help but say that this is a very good read, graphically supplemented and full of valuable information, whether you want to learn more about VMs or are analysing a VM for possible intrusion or compromise.

Download it here.

Posted by Donald Tabone

Jul 28


With over a year of inactivity, the latest alpha of the nUbuntu 8.04 Security LiveCD has finally surfaced.
All of the latest security and penetration testing tools are included to make this your primary pentesting LiveCD.

View Screenshots
Direct Download

More info on the 10 best security Live CD distros (pen-test, forensics and recovery) here



Posted by Donald Tabone

Jul 25

Couple of interesting tools that seem to have been released recently:

ManTech Memory DD
ManTech Memory DD captures a record of physical (random access) memory, which is lost when the computer is shut down. Released at no charge under the GPL license for government and private use, ManTech’s Memory DD (MDD) is capable of acquiring memory images from the following Microsoft® products: Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008.


ManTech’s Memory DD 1.0 acquires a forensic image of physical memory and stores it as a raw binary file. To help verify data integrity and aid in the preservation of the evidence, the information captured by ManTech Memory DD is checked by the Message-Digest algorithm 5 (MD5), the common Internet standard used in security applications. The binary file can then be analyzed using external tools to identify items of interest to the examiner... can be downloaded here
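Checking an acquired dump against the digest the tool recorded, as an added example that is not part of MDD or of the original post: it streams the image, records MD5 together with SHA-256 in a sidecar manifest, and re-verifies it, including the case where a byte has changed since acquisition. The image contents, file names and custody fields are constructed placeholders. SHA-256 is added because MD5 collisions are practical, so an MD5 alone cannot rule out a substituted image; the MD5 is kept because it is what the tool's own report will show.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash a megabyte at a time; real dumps are gigabytes, never read whole


def hash_image(path):
    """Stream the raw dump once and return its size plus MD5 and SHA-256 digests."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_manifest(image_path, manifest_path, **custody):
    """Record the digests next to the image, together with custody details
    (examiner, case id, acquisition time ...) as a JSON sidecar file."""
    record = {"image": os.path.basename(image_path), **hash_image(image_path), **custody}
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest.
    Returns (ok, list_of_fields_that_differ); size alone differing means
    truncation, digests alone differing means the content was altered."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = hash_image(image_path)
    differ = [k for k in ("size", "md5", "sha256") if expected.get(k) != actual[k]]
    return not differ, differ


def demo():
    """Build a stand-in dump (constructed bytes, not a real memory image),
    manifest it, verify it, then alter one byte and verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "host01.mem")          # assumed file name
    manifest = image + ".manifest.json"
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 4096)                   # 1 MiB of constructed filler
    write_manifest(image, manifest, examiner="analyst-01", case="demo-0001")
    ok_pristine, _ = verify_image(image, manifest)
    with open(image, "r+b") as f:                           # one byte damaged in transit
        f.seek(512 * 1024)
        f.write(b"\xff")
    ok_damaged, fields = verify_image(image, manifest)
    for p in (image, manifest):
        os.unlink(p)
    os.rmdir(workdir)
    return {"ok_pristine": ok_pristine, "ok_damaged": ok_damaged, "fields": fields}


if __name__ == "__main__":
    print(demo())
```

The manifest should travel with the image and be signed or stored separately from it; a digest that sits only inside the same evidence container can be rewritten along with the data it is meant to protect.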

Matthieu Suiche, of 'Sandman' fame, has released a memory dumping tool of his own, win32dd:

The main difference between the ManTech tool and win32dd is that win32dd is mainly a kernel mode application — so it avoids using the user-land API to write to an output file; everything is done with native functions. Thus, it means faster dumping… This point isn't negligible when you have one million pages to dump in one single.

Source1

Source2


Posted by Donald Tabone

Feb 27
A group of researchers at Princeton have recently shown that DRAM chips, when cooled to a very low temperature, continue to retain their contents for up to several minutes after they have been physically removed from a computer.

The group then built their own tools and programs to read off the contents of memory after the computers were rebooted, proving that disk encryption technologies (such as TrueCrypt, for instance) can be defeated by pulling the keys out of RAM. This is demonstrated in a video posted on YouTube (see extended body of article).

The concept can also easily be demonstrated by following a simple experiment outlined on the group's page here.

Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)
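What the recovery tools actually look for once they have a memory image is shown below as an added example, not the Princeton group's own code: an AES-128 key leaves its 176-byte expanded key schedule in RAM, and that schedule is so redundant that a candidate 16-byte block can be recognised as the key by expanding it and comparing the result with the bytes that follow, even after some bits have decayed. The memory image is constructed here (random filler, one planted schedule with three flipped bits, the FIPS-197 test key); the offset, the decay positions and the error budget are assumptions. This simple version assumes the 16 key bytes themselves survived and only tolerates decay in the derived rounds; the group's aeskeyfind tool also repairs errors inside the key bytes.

```python
import random

# ---- AES-128 key schedule (FIPS-197), used to recognise a key schedule in RAM ----


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _make_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse; only the affine constant remains
    return sbox


SBOX = _make_sbox()


def expand_key_128(key, rounds=10):
    """Expand a 16-byte key into the key schedule for `rounds` rounds:
    16 bytes per round key, 176 bytes in total for the full 10 rounds."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)  # next round constant
        w.append([t[j] ^ w[i - 4][j] for j in range(4)])
    return bytes(b for word in w for b in word)


# ---- the search itself ----


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=8):
    """Slide a 16-byte window over `image`; treat each window as a key candidate
    and test whether the 160 bytes after it look like that key's round keys,
    allowing up to `max_bit_errors` flipped bits to account for DRAM decay.
    Returns a list of (offset, key, bit_errors)."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # cheap pre-filter: round key 1 alone must already be a near match
        if hamming(expand_key_128(cand, rounds=1)[16:], image[off + 16:off + 32]) > max_bit_errors:
            continue
        errors = hamming(expand_key_128(cand)[16:], image[off + 16:off + 176])
        if errors <= max_bit_errors:
            hits.append((off, bytes(cand), errors))
    return hits


# ---- constructed memory image: random filler plus one partly decayed schedule ----
IMAGE_SIZE, PLANT_OFFSET = 8192, 3000                         # assumed, for the demo
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A key
_rng = random.Random(20080221)                                # seeded: reproducible filler
_img = bytearray(_rng.getrandbits(8) for _ in range(IMAGE_SIZE))
_img[PLANT_OFFSET:PLANT_OFFSET + 176] = expand_key_128(TEST_KEY)
for _rel, _mask in ((50, 0x01), (120, 0x80), (170, 0x10)):    # three bits lost to decay
    _img[PLANT_OFFSET + _rel] ^= _mask
MEMORY_IMAGE = bytes(_img)

if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(MEMORY_IMAGE):
        print(f"AES-128 key schedule at offset {off}: key={key.hex()} ({errs} bit errors)")
```

Run stand-alone it reports the single planted schedule at offset 3000 with 3 bit errors. The pre-filter is what makes a scan of a real multi-gigabyte image practical: a random 16-byte window disagrees with any expansion in roughly half of the 128 bits of the first round key, so almost every offset is rejected after one cheap expansion, and the full 10-round comparison only runs on the handful that survive.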


Following up on this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child), the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encryption Attack", at least the variant in which the memory modules are pulled out and read in another machine, simply because the machine's 2 GB of DDR2 RAM is soldered on and cannot be physically removed. Rebooting the same machine into a small memory-dumping tool still works, which is why the second half matters: if Apple release an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook
"...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack."


(source)

Microsoft also reacts to this vis-a-vis their BitLocker technology in Vista. Ryan Naraine reports on this here.

Microsoft suggests that the most secure way to use BitLocker is with hibernate mode (rather than sleep, which leaves the keys in RAM) and with multi-factor authentication, i.e. the TPM combined with a PIN or a USB startup key.
According to Robert Hensing, a software engineer in Microsoft's SWI (Secure Windows Initiative) team, this class of attack is not new and was actually raised at the 2006 Hack in the Box conference in Kuala Lumpur, Malaysia.


The Register also has its views on this... BitLocker, meet BitUnlocker.

A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it?

Update: More information on the discussion can be found here

Continue reading "Recovering passwords from RAM"

Posted by Donald Tabone

Jul 15

Here's a book I give my thumbs up for. Excellent content, well structured and rather easy to follow and understand. Personally I find particular chapters to be a great reference. The author Harlan Carvey has his own blog-spot and there is also a review of this book which can be found here.

A review...

Continue reading "Windows Forensic Analysis - Harlan Carvey"

Posted by Donald Tabone

Jan 1
Forensic URLs worth bookmarking:

F3 - The First Forensic Forum
Forensic memory dumping intricacies
This is a Forensics Wiki devoted to information about digital forensics
Forensic Acquisitions Utilities
A wealth of information on Steganography
Spyhunter home of StegSpy
Outguess home of Stegdetect
Live-Forensic-CD based on Knoppix
Darik's Boot and Nuke for wiping hard-disks
Computer Forensics - Prof. Dr. Daniel Hammer
The Open Source Digital Forensics site
WinHex is at its core a universal hexadecimal editor
Computer Forensics News and Information
Computer Forensic Store

Reverse Hash Lookups

http://md5.benramsey.com/
http://www.md5crack.com/
http://rainbowcrack.com
http://passcracking.com

YouTube Clips

FTK 3 Computer Forensics: Live, Remote Data Acquisition
Computer Forensics: Tracing an Email (Hotmail)


last updated: 1-11-09

Posted by Donald Tabone
