Archive - Forensics

Logs, security, corporate culture and Splunk

I have been fortunate to attend Blackhat USA 2008 this year. I don’t usually pay too much attention to the vendors present as I am much more interested in the training, the researchers and their presentations and papers, but I usually peruse the vendor booths at some point during the conference.

I stopped at Splunk’s booth for two reasons. The first was that Alex Bewley mentioned them on his blog. I used to work for Alex at a previous company. Alex is a smart guy (in my opinion anyway), so the fact that he took the time to mention them is worth noting. The second reason was I knew they had something to do with log management, analysis and forensics. Analysis and forensics are a big part of my job and a natural interest I have always had. It is why I like working in security.

One of the first things that caught me was that the staff were genuinely nice. You could tell they were enjoying themselves and for the most part enjoyed their jobs and liked working for Splunk. It wasn’t just one or two of them either, it was all of them. They were all open, honest people and this was readily apparent. It was like you were talking to real people, not a facade. Even the demo they gave didn’t feel like a sales presentation. It is really great when a company lets employees be themselves and trusts they will do the right thing. This is all part of a company’s corporate culture, which is very important. Lately in talking to others, especially at this conference, I get the sense that corporate culture is getting worse instead of better. One of the main reasons I enjoy working at Sandvine and have been at Sandvine as long as I have is their corporate culture. I have no doubt our culture is very similar to Splunk’s. Alex also wrote a blog entry on corporate culture recently. If you are interested it can be found here.

The Splunk staff gave me a detailed tour of their software. In simple terms, it can take anything ASCII and index it. But it does so much more. You can search, create events, correlate different events, produce graphs and alerts. It is extremely configurable and easy to use. Anyone who has logs or events from any system and needs to analyze them, forensically, proactively or for any other reason, should give Splunk a try.

Splunk has taken a problem (log management) which has been around for a very long time and made it easy. No need to write custom code and scripts, and no need for people to maintain them through changes and upgrades. My first job out of school was as a firewall administrator for a large financial institution. One of my tasks was to automate the processing of the firewall logs, create alerts, automated responses etc. I used perl and did a pretty good job I think. However, I wish back then I had something like Splunk. It is a really well thought out piece of software. I was impressed and I don’t impress easily.

“See what happens when you put a bunch of guys together that work hard and like what they do. Things get done.” — Mike Holmes

I honestly believe there is a direct correlation between Corporate Culture and good software.

Tracking people on the Internet

Ever wonder how you can track someone on the Internet or prove that someone did something? How do the bad guys do it? How do the good guys do it? This is an excellent example! Good investigative work and a little social engineering thrown in for good measure.

Deniable File Systems and Truecrypt

An interesting research paper on the vulnerabilities of using Deniable File Systems (DFS). The popular open-source package TrueCrypt is used as the primary example, although it would apply to other DFS applications.

The authors (A. Czeskis, D. J. St. Hilaire, K. Koscher, S. D. Gribble, T. Kohno, B. Schneier) note that given the current political environment in many countries today, users of DFS may think that utilizing a DFS application means the data stored in the DFS cannot be discovered. The authors highlight how this is a false belief.

Two of the key points I found interesting were:

  1. Most applications and operating systems are not designed to preserve plausible deniability and often ‘leak’ information that reveals the existence of a DFS.

  2. Many common applications such as Microsoft Word make a copy of a file that is located in a DFS, typically in a non-DFS and non-encrypted location, while the user is working on the file. If the application is properly closed, the copy is deleted, but not securely, allowing a recovery agent to extract the contents of the secret file without needing to access the hidden file system.
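To make the second point concrete, here is a small simulation of why an ordinary delete leaves the working copy recoverable. This is an added example written for this page, not code from the paper or from any real file system: the “disk” is a constructed block device with a toy directory, the ‘~WRL0001.tmp’ name and its contents are made up, and `carve()` stands in for what a recovery tool does when it scans the raw blocks and ignores the directory.

```python
"""Toy disk: an ordinary delete drops the directory entry but leaves the data blocks."""

BLOCK_SIZE = 64


class ToyDisk:
    """Flat block device with a trivial name -> block-list directory.

    Constructed for illustration only; it is not a model of any real file system.
    """

    def __init__(self, nblocks: int = 16):
        self.nblocks = nblocks
        self.blocks = bytearray(nblocks * BLOCK_SIZE)
        self.directory: dict[str, list[int]] = {}

    def _free_blocks(self) -> list[int]:
        used = {b for blist in self.directory.values() for b in blist}
        return [i for i in range(self.nblocks) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        """Store data in free blocks and record them in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        allocated = free[:len(chunks)]
        for blk, chunk in zip(allocated, chunks):
            start = blk * BLOCK_SIZE
            self.blocks[start:start + BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = allocated

    def delete_file(self, name: str) -> None:
        """Ordinary delete: remove the directory entry, leave the blocks untouched."""
        del self.directory[name]

    def secure_delete_file(self, name: str) -> None:
        """Overwrite the file's blocks before removing the directory entry."""
        for blk in self.directory[name]:
            start = blk * BLOCK_SIZE
            self.blocks[start:start + BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        del self.directory[name]

    def carve(self, marker: bytes) -> list[int]:
        """Raw scan of every block, ignoring the directory (what a recovery tool does)."""
        return [i for i in range(self.nblocks)
                if marker in bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])]


# Constructed stand-in for a word processor's temporary working copy of a hidden-volume file.
TEMP_NAME = "~WRL0001.tmp"
TEMP_CONTENT = b"SECRET: contents of a file that lives in the hidden volume"


def blocks_recoverable_after_ordinary_delete() -> list[int]:
    disk = ToyDisk()
    disk.write_file(TEMP_NAME, TEMP_CONTENT)
    disk.delete_file(TEMP_NAME)
    return disk.carve(b"SECRET")   # blocks still holding the text


def blocks_recoverable_after_overwrite() -> list[int]:
    disk = ToyDisk()
    disk.write_file(TEMP_NAME, TEMP_CONTENT)
    disk.secure_delete_file(TEMP_NAME)
    return disk.carve(b"SECRET")


if __name__ == "__main__":
    print("recoverable after ordinary delete:", blocks_recoverable_after_ordinary_delete())
    print("recoverable after overwrite:", blocks_recoverable_after_overwrite())
```

The directory-only delete is exactly the behaviour the paper describes for the application’s temporary copy: the name is gone, the bytes are not, and a raw scan finds them without ever touching the hidden volume.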

Wear Leveling with flash drives and USB sticks

A good two-page article that describes how “wear leveling” works on flash drives and USB sticks. It covers static and dynamic wear leveling concepts. The article is high-level enough to grasp the concept even if you are not a file system guru.

What I find most interesting is that with this implemented in most flash drives and USB sticks, even if you wipe the flash drive using recommended ‘wipe’ methods, all or parts of the data could still be present and recoverable.
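The reason a logical wipe can fail is easiest to see with a toy flash translation layer. This is an added example, not code from the article: it is a constructed, heavily simplified model of dynamic wear leveling in which a write never lands on the page it replaces but on a fresh erased page, and the old page is only erased later when the controller runs out of free pages. The file names are made up; `physical_dump()` stands in for a chip-off read of the NAND.

```python
"""Toy flash translation layer: a multi-pass logical wipe can leave old data in stale pages."""


class ToyFlash:
    """Simplified dynamic wear leveling (constructed for illustration, not a real FTL).

    Flash cannot overwrite a page in place, so each write goes to an erased page and the
    logical->physical map is updated. The retired page keeps its bytes until the
    controller reclaims it.
    """
    PAGE = 32
    ERASED = b"\xff" * PAGE

    def __init__(self, logical_pages: int, physical_pages: int):
        assert physical_pages >= logical_pages
        self.pages = [bytearray(self.ERASED) for _ in range(physical_pages)]
        self.l2p: dict[int, int] = {}               # logical page -> physical page
        self.free = list(range(physical_pages))     # erased pages, used round-robin
        self.stale: list[int] = []                  # retired pages not yet erased

    def _reclaim_stale(self) -> None:
        """Garbage collection: erase retired pages and return them to the free list."""
        for ppage in self.stale:
            self.pages[ppage][:] = self.ERASED
        self.free.extend(self.stale)
        self.stale = []

    def write(self, lpage: int, data: bytes) -> None:
        data = data.ljust(self.PAGE, b"\x00")[:self.PAGE]
        if not self.free:
            self._reclaim_stale()
        ppage = self.free.pop(0)
        self.pages[ppage][:] = data
        if lpage in self.l2p:
            self.stale.append(self.l2p[lpage])      # previous copy survives for now
        self.l2p[lpage] = ppage

    def read(self, lpage: int) -> bytes:
        """What the operating system sees through the controller."""
        return bytes(self.pages[self.l2p[lpage]])

    def logical_wipe(self, passes: int = 3) -> None:
        """A 'recommended' wipe as the OS performs it: overwrite every logical page."""
        for _ in range(passes):
            for lpage in list(self.l2p):
                self.write(lpage, b"\x00" * self.PAGE)

    def physical_dump(self) -> bytes:
        """Raw read of every physical page, stale ones included."""
        return b"".join(bytes(p) for p in self.pages)


def wipe_outcome(physical_pages: int = 16) -> tuple[bool, bool]:
    """Return (os_view_is_clean, remnants_in_physical_dump) after a three-pass wipe."""
    flash = ToyFlash(logical_pages=2, physical_pages=physical_pages)
    flash.write(0, b"customers.csv")          # constructed file contents
    flash.write(1, b"privkey.pem")
    flash.logical_wipe(passes=3)
    os_view_clean = all(flash.read(l) == b"\x00" * ToyFlash.PAGE for l in flash.l2p)
    dump = flash.physical_dump()
    remnants = b"customers.csv" in dump and b"privkey.pem" in dump
    return os_view_clean, remnants


if __name__ == "__main__":
    print("OS sees zeros, NAND still holds data:", wipe_outcome())
```

With 16 physical pages and only 8 writes (two files plus three passes over two logical pages), the controller never needs to reclaim anything, so the original pages are still intact in the dump while every logical read returns zeros. Shrinking the device so that reclamation kicks in (`wipe_outcome(physical_pages=4)`) is the case where the wipe does reach the old data, which is why the outcome depends on the controller, not on the number of passes.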

Framing someone by planting evidence

I hope there is more evidence than what is in this story and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip’ off the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use. Much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed to write malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that doesn’t ever write to storage, but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to do a detailed investigation of every system. Let’s also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives: the embarrassment of being suspected of a criminal act; the record of the arrest, which can make it difficult to travel in the future even if there is no conviction; and the looks and suspicions of others always wondering “Was he really innocent or did he just get lucky and is really guilty?”

Breaching Disk Encryption

Many of the latest operating systems including Windows Vista, Mac OS X, and Linux now offer disk encryption to protect data on laptops and devices that are stolen, or from ‘prying’ eyes. There is an excellent open source disk encryption tool I have used for years called Truecrypt which works on both Linux and Windows. Disk encryption often presents a problem for law enforcement during an investigation. With the proliferation of built-in disk encryption this problem is exacerbated.

Some really cool research done by Princeton University on defeating these forms of disk encryption was published. The paper gets quite technical about key reconstruction and other related math, but the blog entry has a video that shows a recovery procedure, including the use of off-the-shelf products to sufficiently cool memory to permit data extraction.

I am going to have to try this out on my laptop.

Mobile forensics

I attended a law enforcement presentation this evening on new forensics software for mobile phones. I’ve attended at least a dozen of these over the last 4 years and I’ve got to say I’m really disappointed. All mobile phone forensic software I have seen to date does not image the mobile or do an actual memory dump of the mobile independent of the mobile software. The software uses the API to extract a copy of the data. The data is then stored in a file or database, which then permits you to search and view the information.

When extracting data in this way you are trusting the API to properly transmit all the information you requested. Maybe the code doesn’t transmit certain fields or data. What if this data is important to the investigation? How will the investigator know? In all the presentations I’ve seen, when asked how the software handles records that are marked for deletion but not yet erased from memory, the answer is the API will ignore them, so they will not be transferred over for investigation.

Since the API on the target mobile is the actual interface used to extract the data from the mobile, it is not possible to ‘prove’ that what is on the phone is exactly what is on the copy. Suppose a judge asks an investigator “please prove to me that the extraction you used for analysis, exactly matches what you find on the mobile and show me that there is no way an error or bug in the software could have caused the data to be changed.” I wonder how many people would be comfortable swearing to that under oath? I would not be.

You would have to be sure the API doesn’t change, mis-interpret data, or have any bugs. Most mobiles and personal digital assistants (PDAs) require a password to access any of the data. By going through the API, you are required to know this password in order to gain access. This makes it much more difficult, especially if the target is not aware they are under investigation and their mobile data is being extracted without their knowledge. You can’t ask the person under investigation for the password. If the mobile is seized with a warrant, the owner may choose to not give up the password.

I’ve been waiting for mobile forensics companies to actually spend time and money to come up with ways to extract data from the different mobiles and PDAs directly and independently of the mobile API, and to work out how to analyze memory data and memory dumps from the mobiles. Instead, I keep seeing new GUI interfaces, new ways to connect to the mobile, new ways to store and transmit the data. No work seems to be done on the individual mobiles themselves and the problem of actual extraction with chain of custody preserved for evidence handling. Very disappointing.
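The gap between an API extraction and a raw image, described in the two posts above (records marked for deletion that the API skips, and the inability to prove the copy matches the device), can be shown with a constructed record store. This is an added example and not code from any forensic product or handset: the record format (one flag byte, a two-byte length, then the payload) is made up for illustration, the SMS-like entries are constructed, and `api_extract()` plays the role of a device API that only hands back records it considers live. The SHA-256 over the raw image is the kind of acquisition hash an examiner records for chain of custody.

```python
"""Constructed record store: what a device API returns vs. what the raw memory image holds."""
import hashlib
import struct

FLAG_ACTIVE = 0x01
FLAG_DELETED = 0x00   # marked deleted, but the bytes are still present in memory

HEADER = ">BH"        # [flag:1][payload length:2, big-endian] (constructed format)
HEADER_LEN = struct.calcsize(HEADER)


def build_image(records: list[tuple[int, bytes]]) -> bytes:
    """Serialize (flag, payload) records into a constructed raw image."""
    out = bytearray()
    for flag, payload in records:
        out += struct.pack(HEADER, flag, len(payload)) + payload
    return bytes(out)


def parse_raw(image: bytes) -> list[tuple[int, bytes]]:
    """Examiner's parser over the raw dump: every record, with its deletion flag.

    Raises ValueError on a truncated record instead of silently stopping, so a
    short or damaged acquisition is noticed rather than reported as complete.
    """
    records, off = [], 0
    while off + HEADER_LEN <= len(image):
        flag, length = struct.unpack_from(HEADER, image, off)
        off += HEADER_LEN
        if off + length > len(image):
            raise ValueError(f"truncated record at offset {off - HEADER_LEN}")
        records.append((flag, image[off:off + length]))
        off += length
    if off != len(image):
        raise ValueError(f"{len(image) - off} trailing bytes after last record")
    return records


def api_extract(image: bytes) -> list[bytes]:
    """Mimics the device API: returns only records the firmware considers live."""
    return [payload for flag, payload in parse_raw(image) if flag == FLAG_ACTIVE]


def sha256_hex(data: bytes) -> str:
    """Acquisition hash of the raw image, recorded for chain of custody."""
    return hashlib.sha256(data).hexdigest()


def compare_views(image: bytes) -> dict:
    """Side-by-side of the API view and the raw view of the same image."""
    raw = parse_raw(image)
    live = api_extract(image)
    missed = [payload for flag, payload in raw if flag == FLAG_DELETED]
    return {
        "api_records": len(live),
        "raw_records": len(raw),
        "missed_by_api": missed,
        "image_sha256": sha256_hex(image),
    }


# Constructed sample: three SMS-like entries, the middle one marked deleted on the device.
SAMPLE_IMAGE = build_image([
    (FLAG_ACTIVE, b"+15550100|meet at 9"),
    (FLAG_DELETED, b"+15550199|delete this after reading"),
    (FLAG_ACTIVE, b"+15550100|running late"),
])

if __name__ == "__main__":
    for key, value in compare_views(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

The API view reports two records and nothing about the third; only the raw parse shows the deleted entry, and only the hash of the raw image gives the examiner something to compare against the device later. The truncation check matters for the same reason: an extraction that stops early without complaint looks identical to a complete one.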
