Computer Forensics | Cell Phone Forensics

A brief overview of current topics in digital forensics and related subjects

Data Security Software

Posted on | August 18, 2010 | No Comments

There are many software packages out there that claim to keep your data secure.  But if you’re not a data security expert, how can you know which claims to trust?  It’s not easy, but we have a few tips on keeping your data private and secure, and the most effective solutions are not always software based.

The first thing to do is assess what data you’re trying to protect, where that data lives, and how it travels from one place to another.  Let’s say you’re worried about identity theft and so you want to make sure your passwords cannot be intercepted.  The best way to keep your passwords secure is to make sure that any time you log in to a website, you are sending traffic over SSL using a signed certificate.

If you look in your web browser, and to the left of the address bar, you should see either a padlock icon or a small bar with the domain name of your website in it.  After this you should see an “https” followed by the full address.  If you see this, traffic between your computer and this website is encrypted.  Of course, not all websites use SSL for logging into their site.  Facebook and Twitter in particular do not.  To force these websites to use SSL, simply add the “s” after “http” and it should force the website to use their certificate.  Most banks and webmail providers should automatically force you to use SSL, which is a good thing.

Now, after you’ve entered your password, is your browser offering to save it for you?  If you click yes, your password now also resides somewhere on your hard drive, most likely in plain text.  Any attacker who has access to your computer for a minute can easily locate and pull down all the passwords that you’ve allowed your browser to save.

In terms of data security software out there for your hard drive, I still recommend TrueCrypt for protecting your data-at-rest.  You can create full-disk encryption, which prevents access to your hard drive without the correct password.  Many other software packages claim to offer the same level of quality as TrueCrypt, but because TrueCrypt has been around so long and has consistently raised the bar for security, it gets my seal of approval.

Overall, any security company claiming that they can keep your data secure with one easy download is selling snake oil.  It takes a comprehensive approach to make sure your data is protected from prying eyes.  Remember to consider all the ways that you use your data, and the multiple locations that your information can be stored.  While some data security software can help you meet most of your needs, don’t overlook the obvious and do some research before buying.

Free Computer Forensics Tools

Posted on | July 13, 2010 | No Comments

I recently came across a post that offers links to a few free computer forensics tools.  I’m familiar with most of them, but there are always new tools to try.  I’m interested in the Ubuntu guide on using a live CD, as I’ve been stubbornly sticking with the last free version of Helix and it’s starting to get a little long in the tooth.

If you think these little utilities are handy, be sure to check out Nirsoft – they make a ton of nifty little Windows utilities that are nice to have in your toolbelt.

One other thing I’m going to check out soon is Windows Forensic Environment, which is simply a few scripts designed to allow you to create your own Windows ISO image.  I haven’t played with this one much yet, but I expect to when I get some free time next week and I hope to have a more in-depth review then.  Maybe I’ll even cover some of the other ISOs that I’ve been inspecting to replace Helix as my favorite forensic linux distro!

iPad Security Breach

Posted on | June 15, 2010 | No Comments

AT&T has confirmed that a security breach related to Apple’s iPad device has compromised names and email addresses of over 100,000 early adopters and beta testers of the new device.  It appears that the iPad security breach is limited to users who signed up and received the optional 3G coverage from AT&T.  iPad users who have the “wifi only” model are not affected.

The “hackers” (and I use that term loosely) in this case essentially found that AT&T’s website would automatically populate an email address if a serial number from a SIM card (called the ICC-ID if you want to be technical) was used in the URL.  By quickly generating “fake” SIM card numbers, the hackers were eventually able to get the email addresses associated with the devices that were sent out.

Based on the email addresses obtained, it’s safe to say that a large number of iPad 3G early adopters are big movers and shakers in their respective industries.  Email addresses from .gov and .mil domains were widespread, as well as numerous CEOs and board members of Fortune 500 companies.

The hackers behind the exposure of this security breach claim that if they had not used this exploit and then alerted the media about it, other hacker groups could have exploited this security hole with much more far-reaching effects.  I applaud their responsible efforts to notify the companies responsible for the security hole – the data obtained or the means by which it was obtained could fetch a pretty penny on the black market, and AT&T is certainly not going to pay them for this bad press.

While email addresses were the only thing exposed here, that information can be combined with other personally identifiable information (PII) to create targeted attacks on users.  As privacy concerns grow each time a company surrenders private data, the question should not be, “how do we keep this data safe?” but rather, “how do we make this data less valuable?”

Remote Data Acquisitions

Posted on | May 12, 2010 | No Comments

Remote forensics is a growing area of specialty within the overall realm of digital forensics.  There are a few things that you should know about how remote forensics differs from normal hard drive forensics.  For purposes of this post, we will treat the terms “network forensics” and “remote forensics” as the same.  Depending on the context, remote forensic acquisition can also be a catch-all term describing the creation of a hard drive image over the network, but we will discuss that possibility in another post.

Network forensics does not rely upon the actual physical content of the hard drive, but instead upon analysis of network traffic that is being sent to other machines.  Tools for network packet acquisition can range from the simple and open-source (such as the swiss-army knife netcat) to complex, enterprise-level tools that can conduct both data acquisition and analysis.  For a forensic examiner, I recommend basic familiarity with not only netcat, but also Wireshark, nmap, and optionally Nessus (for vulnerability checks) and kismet (for wireless networks).

The above tools will help capture and analyze packets efficiently, allowing the forensic examiner to determine what packets are being sent to which computers.  Obviously if a company suspects someone of visiting nefarious websites or sending confidential data over the internet, they can’t simply ask the employee to capture their own packets!  You will want to install a network tap between the suspect and their path to the internet, so all the traffic can be monitored.  You can configure a network tap to either collect all data that passes through it, or filter it to only include certain types of traffic (such as HTTP requests) or ports (ports 25 and 80, for example).

Wireshark is one of my favorite tools for analyzing captured packets (also known as a pcap).  There are quite a few Wireshark tutorials online, and I’d recommend watching a few of them to get a feel for how best to use Wireshark, especially the powerful filtering and expressions options.  One of my favorite views is to click a packet that you wish to examine, and under the Analyze menu, click “Follow TCP Stream” – this will display the back-and-forth communication between the host and client.
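As an added example (not code from the original post), the following script applies the kind of port filter described above for a network tap (ports 25 and 80) to a pcap file and then groups the surviving packets into client/server conversations, which is what “Follow TCP Stream” shows in Wireshark.  The capture it parses is constructed inline with RFC 5737 test addresses, so it runs offline; everything else (function names, the sample payloads) is illustrative.

```python
# Added example, not from the original post: a minimal pcap reader applying the network-tap
# port filter the post describes (ports 25 and 80) and grouping survivors into conversations,
# as Wireshark's "Follow TCP Stream" does. Capture constructed inline (RFC 5737 addresses).
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap with microsecond timestamps
ETH_IPV4 = 0x0800
PROTO_TCP = 6
TAP_PORTS = {25, 80}          # SMTP and HTTP, the ports named in the post

def tcp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame (constructed data; checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a pcap file: 24-byte global header, 16-byte records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tap_filter(pcap, ports=TAP_PORTS):
    """Yield (src, dst, sport, dport, payload) for TCP packets with either end on `ports`."""
    if struct.unpack_from("<I", pcap)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap variant")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                       # not IPv4 over Ethernet
        if frame[23] != PROTO_TCP:
            continue                       # UDP, ICMP, ... fall outside the filter
        ihl = (frame[14] & 0x0F) * 4       # IPv4 header length, options included
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        if sport in ports or dport in ports:
            yield src, dst, sport, dport, frame[tcp_off + data_off:]

def follow_streams(pcap, ports=TAP_PORTS):
    """Group filtered packets by (client, server, server_port), tagging direction."""
    flows = defaultdict(list)
    for src, dst, sport, dport, payload in tap_filter(pcap, ports):
        if dport in ports:
            flows[(src, dst, dport)].append(("->", payload))
        else:
            flows[(dst, src, sport)].append(("<-", payload))
    return dict(flows)

# Constructed capture: HTTP request/reply, one SMTP command, and a TLS packet on 443.
SAMPLE_PCAP = build_pcap([
    (1, tcp_frame("10.0.0.5", "192.0.2.10", 51000, 80, b"GET /login HTTP/1.1\r\n\r\n")),
    (2, tcp_frame("192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n")),
    (3, tcp_frame("10.0.0.5", "198.51.100.25", 51001, 25, b"MAIL FROM:<a@example.org>\r\n")),
    (4, tcp_frame("10.0.0.5", "198.51.100.25", 51002, 443, b"\x16\x03\x01")),
])
```

Matching on either the source or the destination port is what keeps both halves of a conversation; a filter on destination port alone would silently drop every server reply.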

I’m skimping on the details for now, but I’ll be reviewing some of my favorite tools and techniques that I discussed in some upcoming posts – I’m also working on a few tutorial-style videos to accompany them, so have patience and thanks for reading!

Cell Phone Forensics – The Basics

Posted on | May 4, 2010 | No Comments

There are so many new types of devices out there, from Droid phones to the iPhone, and from netbooks to the iPad.  The question is: how do we retrieve and analyze this data in a forensically sound manner?

Each device is different, but there are a few rules of thumb, all of which may change from the time I finish typing to the time I click the “submit” button!

For cell phone forensics, the first thing we need to figure out is what type of cell phone it is.  Sometimes the brand and model will be listed on the outside of the phone, and sometimes manufacturer data can be found underneath the battery.  This information will be helpful with the next stage, which is determining where data is kept on your phone.

On older cell phones, user data is often stored in internal memory inside the device itself.  In this case, you may need a special tool available from the manufacturer to access this data.  They can also supply you with a special cable to connect the phone to your computer’s USB port if they use a proprietary cell-phone plug.

If the data is not stored in the internal memory of the phone, it can also be stored on the SIM card.  The SIM card is increasingly used by carriers to authenticate to the cell phone network.  Data such as your phone number, contacts, and a small amount of logs and perhaps text messages are stored on the SIM card.  In order to access this data, you will need to buy an inexpensive SIM card reader.  To keep the acquisition forensically sound, purchase a read-only reader rather than a device that can both read and write – this way you are assured that you do not edit or damage the data in any way.  These are available online for a pittance (less than $5), so I’d order a couple of them – they’re so tiny they are easy to lose!

Of course, not all data is stored on SIM cards – if you need call logs or text message logs going back several months, you will need to contact the cell phone carrier.

For iPhone forensics (and Blackberry forensics), I’d recommend checking out one of the numerous books on the subject.  They go into much more detail than I could possibly type here, and will give you a good overall idea of how the iPhone stores data, and what can be recovered from them.  Remember that other handheld devices like the iPod Touch can also carry valuable data (but without a SIM card), so be sure not to overlook these devices when performing a forensic collection.

I have yet to see an iPad in the wild, and I’ll admit to not having studied the specs or forensic tools available for them yet.  iPad forensics will probably be similar to iPhone forensics, but will also depend on the version of the iPad in question (wifi version vs. 3G version).

Facebook and Internet Privacy

Posted on | April 26, 2010 | 1 Comment

Facebook recently announced several partnerships with some important online and digital media companies. Facebook is trying to figure out a way to leverage all the data they’ve collected about you and the relationships you have with others. They’re calling it “Instant Personalization” and not “Selling Your Information” because one sounds better than the other. “Instant Personalization” is turned on by default, so if you do not want your personal information to be sold to other online companies, you will need to change your privacy settings.

To change your settings, click on Account, then Privacy Settings, then Instant Personalization. Uncheck the checkbox, and all is back to normal! Wait, no. It’s not really back to normal – remember, Facebook has a LOT of data about you – do you think they’re going to let you off the hook this easily? Do you think you can control every piece of data about you all by yourself? You can’t, and this is true in real life as well – your friends also know quite a bit about you, and Facebook unfortunately compels them (through an opt-in policy which most users will never look at unless you stumble across this blog) to share this information.

Apparently you can’t control all of what your friends share, so Facebook made the decision that you will have to block each application individually. And every time Facebook adds a partner that they share data with, you will have to go back to your settings and block these new companies. So far, Pandora, Yelp!, and Microsoft’s Docs.com are the three applications that you will need to block, and you can only do this on the actual application’s facebook page. For your convenience, I’ll list those here: Pandora, Yelp, Docs.com – just visit each of them while you’re logged into your Facebook account, and click “Block Application.”

There are other account settings that you should take a look at as long as you’re protecting your privacy online. Take a look at what data is publicly available about you, and what your friends can share about you (click Privacy Settings, then Applications and Websites, and Edit Settings next to “What Your Friends Can Share About You” – you might be amazed), and how to keep yourself out of search results if you don’t want to be found (click Privacy Settings, then Search).

McAfee Update causes problems with Windows XP SP3

Posted on | April 21, 2010 | No Comments

Earlier today, McAfee released an update for their antivirus software.  If you were using their antivirus product and updated using this update, I’m so sorry.

Basically, this update (called DAT 5958) marked svchost.exe, an executable file used by Windows XP, as a threat.  When a good file is labeled as a virus or some kind of threat, this is known as a false positive.  When this file is placed into the antivirus quarantine, Windows is unable to call on this program to perform essential functions, such as networking.

Fortunately, McAfee quickly disabled this update and announced a way to keep that file from being quarantined.  If you follow the instructions in the link above, you will be able to restore your system to a working state.

This incident emphasizes several important aspects of computer security.  The first is not to rely upon any single point of failure.  While McAfee is a reputable antivirus vendor (even if their software is a bit bloated – it hogs plenty of system resources), it’s still capable of failure.  If you’re running McAfee, you’ve probably paid for it (as opposed to perfectly capable free antivirus solutions like Avast!, Antivir, or FreeAVG).

Of course, those solutions are prone to failure as well.  Even with advanced heuristics (study of behavior), antivirus software needs updates every day, and any update could have these sorts of problems.

Stories like this do show how responsive antivirus vendors can be once a problem starts – this had potential to affect millions of users (and did affect many thousands), yet a fix was rolled out within hours.

This is why many system administrators wait before they roll out an important update – why not wait for some other users to beta test the update before applying the patch to mission-critical systems?

Computer Forensics and Social Networking Sites

Posted on | April 20, 2010 | No Comments

SANS Computer Forensics Blog has a post about some interesting data that can be gleaned from social networking sites like Facebook, Twitter, etc.  This data will be more and more frequently targeted by law enforcement due to users’ lack of awareness regarding the privacy of their own data.  One public Facebook page, for example, can show plenty of information regarding a suspect (known associates, contacts, family, etc.), but once you layer information from multiple Facebook pages, you can create a much more detailed web of information regarding what could be an entire crime ring.  No warrants are needed, and scraping data from Facebook pages is unlikely to draw any attention to an investigation – that data is already out in the open!

Most modern sites that allow you to associate with other users (whom you probably know in real life) are ripe for plucking data from.  Often enough, this data is freely accessible and no type of warrant is needed – unless you’ve taken steps to actively restrict your Twitter account, for example, anyone with enough curiosity can find every Tweet you’ve sent, and every Tweet that has been directed at you.

When using social media for anything, treat everything as if everyone is watching.  Better yet, imagine your own grandmother reading back some of your forum posts to you…that’ll at least help you mind your manners on anonymous internet message boards!

Of course, email is slightly more secure, though there are procedures that law enforcement officials can take to get records of your email accounts as well, but those often require a warrant and are more time-consuming.  And of course, your own physical machine will be examined by a computer forensics expert in the event of a seizure, but you already know how to defend against that, right?

The point of this meandering post is to remind you that digital forensics is about more than just reading the bits off of a drive.  It’s about conducting an investigation, and often good information can be obtained much more easily than through traditional methods such as hard drive imaging.

Data Recovery Services

Posted on | April 6, 2010 | No Comments

If you’re having problems with a hard drive and are unable to access your data, you might consider a data recovery service to help you track down those important pictures or documents.  Hard drive failure is not a fun problem to have, take it from me.

You might wonder about what exactly goes on at those data recovery shops.  Do those computer experts put leeches over the USB ports and suck the data out?  Well, perhaps in the olden days, but thanks to modern technology the process is much quicker.

The first thing the forensics expert is going to do is take an image of your hard drive.  They will connect a write-blocker to the drive to ensure no data is written to it during the process of accessing your data.  Special imaging software is required to create a forensically sound image.

They will then look at this image, along with any error reports generated by the software that captured the forensic image.  The computer forensics expert can then analyze the data to determine what the problem is.
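As an added example (not code from the original post or from any particular imaging product), here is a minimal imaging routine in the spirit of the two steps above: it reads the source sector by sector, zero-fills any sector that returns a read error so offsets stay aligned, records each failure in an error report, and hashes the image so the copy can be verified afterwards.  The failing drive is a constructed in-memory stand-in (`FlakyDrive` is hypothetical); write blocking happens in hardware or at the operating-system level and is not simulated here.

```python
# Added example, not from the original post: sector-by-sector imaging with an error
# report and a verification hash. FlakyDrive is a constructed test double for a drive
# with unreadable sectors; a real acquisition would read from a write-blocked device.
import hashlib
import io

SECTOR = 512

class FlakyDrive:
    """Hypothetical drive with unreadable sectors (constructed test double)."""
    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self.total_sectors = len(data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"sector {n}: uncorrectable read error")
        return self._data[n * SECTOR:(n + 1) * SECTOR]

def image_drive(read_sector, total_sectors, out):
    """Copy every sector into `out`; unreadable sectors are zero-filled so offsets stay
    aligned, and each failure is recorded. Returns the acquisition report."""
    digest = hashlib.sha256()
    bad = []
    for n in range(total_sectors):
        try:
            chunk = read_sector(n)
        except OSError as exc:
            bad.append({"sector": n, "error": str(exc)})
            chunk = b"\x00" * SECTOR
        digest.update(chunk)          # hash of the image as written, bad sectors included
        out.write(chunk)
    return {"sectors": total_sectors, "bad_sectors": bad, "sha256": digest.hexdigest()}

def verify_image(image_bytes, report):
    """Re-hash the stored image and compare with the hash taken during acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == report["sha256"]

def acquire(drive):
    """Image a drive into memory and return (image_bytes, report)."""
    out = io.BytesIO()
    report = image_drive(drive.read_sector, drive.total_sectors, out)
    return out.getvalue(), report

SAMPLE_DATA = bytes(range(256)) * 16       # 8 sectors of constructed content

if __name__ == "__main__":
    image, report = acquire(FlakyDrive(SAMPLE_DATA, bad_sectors={3}))
    print(report["sha256"], "verified" if verify_image(image, report) else "MISMATCH")
    for entry in report["bad_sectors"]:
        print("unreadable:", entry)
```

The error report matters as much as the hash: the hash proves the image was copied faithfully, while the list of zero-filled sectors tells the analyst which parts of the image never held real data.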

One common problem is when the master file table (MFT) becomes corrupt.  The MFT is basically a directory of where your files are located.  If your computer is unable to read this information from your hard drive, it won’t know where to look for your files!  These file tables can sometimes be recovered, in which case you’re in luck.

If the hard drive is physically damaged, the data may be very expensive to recover.  Hopefully you’re making backups on a regular basis!  Depending on the extent of the damage, your data may not be recoverable at all.

When you get your hard drive back from the shop, be sure to make a backup immediately!  Hopefully you were making backups already, but this brush with disaster should reiterate the importance of your data.

Email communication with lawyer via company-owned computer protected by attorney-client privilege

Posted on | April 5, 2010 | No Comments

A court in New Jersey recently ruled that certain communications from a personal email account accessed through a work-issued computer are protected by attorney-client privilege.  Computer forensics professionals searched the hard drive and were able to recover some of the emails from the plaintiff’s Yahoo! account.

While the company in question (the defendant) had a policy giving them the right to review all data on their computers at any time, the computer-use policy was not specific enough regarding password-protected email accounts.  In addition, the fact that the emails were sent to the plaintiff’s lawyer introduced a question of attorney-client privilege into this dispute.  The New Jersey court upheld the sanctity of attorney-client privilege in this case.

The court also ruled that the plaintiff had a reasonable expectation of privacy due to a couple of things.  First, her emails to her attorney were sent from a password-protected account that her employer could not reasonably access.  If these emails had been sent from a work-related email account, she might not have had the same expectation of privacy.

However, this expectation of privacy hinged on the fact that personal email accounts were not covered in any company-wide acceptable use policy.  In the future, expect employers to be more explicit when defining acceptable computer-use policies in corporate environments.
