Archive for the ‘Anti-Forensics’ Category

Tor and plausible deniability

February 18th, 2010, by Clear2Go

Once again I have been experimenting with the Tor network. In doing so I have set up some Tor nodes. I have received a few notifications that my computer ‘may be infected’, and for a brief period Google asked me to complete a CAPTCHA to confirm I am human. These are all expected minor nuisances when running a Tor exit node. My main reason for setting up Tor this time is to obtain a better understanding of what happens to behavioural and static detection when a Tor exit node is present.

If you want privacy or anonymity on the Internet, there are many things you can do. Proxies, Tor, encrypted tunnels, compromised systems, and many other techniques are available. None of these will guarantee you anonymity or privacy, but each helps, and the more of them you layer the better. There are caveats, of course: in several consulting engagements I have come across scenarios where a client thought they were anonymous but were in fact far less anonymous than they believed. When you are trying to be anonymous, monitoring techniques and regular system checks really help.

I’ve realized that running a Tor exit node but not using it yourself gives you anonymity. I’ve always known this inherently, but I’ve realized that it is even better than I thought. Say you are an evil person doing something evil on the Internet. If your activities were being tracked by your service provider, either because of a warrant from law enforcement or because laws required all service providers to track and retain Internet activity for a period of time, the provider would be recording the surfing habits of every connection that selected your Tor node as its exit node, not just yours.

If they accused you of illegal activity, you could easily say, “That was not me; it must have been someone using my Tor node.” While this is no guarantee that the criminal would not get caught, it would increase the cost of the investigation significantly: more investigation time, more forensics work to prove that the suspect is the criminal. Add anti-forensics on the terminals and systems used for the crime and the cost of the investigation rises again, forcing investigators to assess whether it is worth the time, money, and resources required.

If countries are going to deploy retention laws like those described above, it will only be a matter of time before they have to outlaw services such as Tor in order to make those laws effective at catching serious criminals. From the Tor network’s perspective, such laws might increase the number of nodes on the Tor network, which is a good thing for the project.

I wonder whether lawmakers consider these questions when proposing such laws.

Anti-Forensics – not as easy as once thought

April 4th, 2009, by Clear2Go
image by wchulseiee (http://www.flickr.com/photos/wchulseiee/2427418216/)

My laptop is pretty secure. I am not silly enough to think that it is 100% secure or that no one could get into it, but relative to most laptops out there it’s not too bad. There are weaknesses due to time or software requirements, but I think I am aware of most of them. I don’t encrypt the operating system (yet), but all data partitions are encrypted. It has been configured with the goal that all sensitive data and metadata (web browser, IM, video, audio, cache, bookmarks) is encrypted. Once data is no longer required, it is stored on the servers at the office and then wiped off the encrypted drives at regular intervals. All metadata is wiped from the encrypted drives each weekend, which leaves at most one week of metadata, assuming an attacker can get into the encrypted drives to view it. The main reason for all this is to protect customer data. I, like others in my industry, work with institutions and their data. In many cases that data can be politically, financially, or reputationally sensitive if it were to get into the wrong hands. Should my laptop ever be stolen, I want to at least make it difficult for an attacker to gain easy access to the data in a reasonable period of time.

Imagine my surprise when, while re-configuring my laptop, I discovered that my deleted-file metadata had somehow been redirected to a different location, in an unencrypted area of my drive. The following is a partial view of the files I discovered. The files went back as far as November 2008.

Trash Meta Directory on laptop

These are standard text files, one per deleted file, holding information about that file. The information includes the original file location as well as a timestamp indicating when the file was deleted.

Trash meta data file details

Even though the actual data files were not present, there is a lot of information here. Just from the data contained in the files above, one could easily determine the names of files worked on, their importance, the directory structure of the encrypted partitions, the date each file was deleted, and more. You could very easily put together a timeline of a customer relationship: the projects being worked on and the dates of project activity. That is useful information that could be sold, or used to a competing company’s or opposing party’s advantage in court, in a bid, or in a competing product or service.
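As an added example (not code from the original post), the script below shows how a handful of such metadata files yields a deletion timeline and the directory layout of the encrypted partitions, and includes the check a defender would script to confirm the trash metadata directory actually sits under an encrypted mount. It assumes the files follow the freedesktop.org Trash specification (`.trashinfo` files with `Path=` and `DeletionDate=` keys), which matches the description above; the paths, dates and mount points are constructed.

```python
# Added example, not from the original post: parse freedesktop.org-style
# .trashinfo files, reconstruct what their metadata reveals, and verify that
# the trash metadata directory lives on an encrypted mount.
from configparser import ConfigParser
from datetime import datetime
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed sample .trashinfo bodies (hypothetical client paths and dates).
SAMPLE_TRASHINFO = {
    "report.docx.trashinfo": "[Trash Info]\nPath=/media/crypt1/clients/acme/report%20v3.docx\nDeletionDate=2008-11-20T14:03:11\n",
    "bid.xls.trashinfo": "[Trash Info]\nPath=/media/crypt1/clients/acme/bid.xls\nDeletionDate=2009-01-15T09:12:00\n",
    "notes.txt.trashinfo": "[Trash Info]\nPath=/media/crypt2/projects/bank-audit/notes.txt\nDeletionDate=2009-03-02T18:45:30\n",
}

def parse_trashinfo(text):
    """Return (original_path, deletion_time) from one .trashinfo file body."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    path = unquote(cp["Trash Info"]["Path"])  # Path is percent-encoded per the spec
    when = datetime.fromisoformat(cp["Trash Info"]["DeletionDate"])
    return path, when

def build_timeline(files):
    """Chronological list of (deletion_time, original_path) from a dict of file bodies."""
    entries = [parse_trashinfo(body) for body in files.values()]
    return sorted((when, path) for path, when in entries)

def exposed_directories(files):
    """Directories of the encrypted partitions that the metadata alone reveals."""
    return sorted({str(PurePosixPath(parse_trashinfo(b)[0]).parent) for b in files.values()})

def trash_dir_is_protected(trash_dir, encrypted_mounts):
    """True only if the trash metadata directory is at or below an encrypted mount point."""
    t = PurePosixPath(trash_dir)
    return any(m == t or m in t.parents for m in map(PurePosixPath, encrypted_mounts))

if __name__ == "__main__":
    for when, path in build_timeline(SAMPLE_TRASHINFO):
        print(when.isoformat(), path)
    print("leaked directories:", exposed_directories(SAMPLE_TRASHINFO))
    # The failure mode from the post: trash metadata redirected onto the unencrypted root.
    mounts = ["/media/crypt1", "/media/crypt2"]
    print("protected:", trash_dir_is_protected("/home/user/.local/share/Trash/info", mounts))
```

Running the protection check from a periodic script alongside the wipe jobs would have flagged the redirected trash directory as soon as it happened, rather than months later during a reconfiguration.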

There is a lot of negativity around anti-forensics lately, especially in the forensics community. Although I understand and appreciate their problems and concerns, I believe anti-forensics is necessary and a good thing. It all depends on who is using it and why. Needless to say, I have fixed the problem with my laptop and double-checked my drive encryption and scripts to ensure they execute correctly.

Categories: Anti-Forensics, Encryption, Forensics