Slashdot Mirror


Windows Forensics and Incident Recovery

dba599 (Mark McKinnon) submits this review of Harlan Carvey's Windows Forensics and Incident Recovery, writing "This book takes an unusual approach to computer forensics in that it deals only with live analysis of the system: the compromised computer is left powered on and everything is running. (Compare to a dead analysis, for which the computer is powered off and the hard drive's contents are then analyzed.)" Read on for the rest of McKinnon's review.

Title: Windows Forensics and Incident Recovery
Author: Harlan Carvey
Pages: 460
Publisher: Addison Wesley
Rating: 9
Reviewer: Mark McKinnon
ISBN: 0321200985
Summary: Forensic analysis and incident recovery on a live Microsoft Windows system is explained for the system administrator, security administrator and knowledgeable home user.

The intended audience, according to the author, is "anyone with an interest in Windows security, which includes Windows system and security administrators, consultants, incident response team members, students and even home users." The author assumes the reader is familiar with basic networking (including TCP/IP) and has some Windows administration skills. Some programming ability, though not actually required, will help out greatly with reading and understanding the many examples provided, and will let you make your own modifications (this is encouraged by the author throughout the book).

The chapter on data hiding was a real eye-opener -- it's amazing the things Microsoft has implemented as part of the operating system (and included applications) that can be used to hide things. The chapter covers both how information is hidden and how to discover it. Sample topics include file attributes, alternate data streams, OLE and stenography. This is an excellent chapter with many examples; I found myself stopping after each subject to try out each of the discussed techniques.

The next chapter delves into incident preparation. Carvey addresses some of the things that administrators can do to harden their systems. He goes over the application of security policies in general, as well as intelligent assignment of file permissions. He then covers Windows File Protection and how it is implemented, and includes a perl script to implement your own file watcher. He touches briefly on patch management and anti-virus programs, then moves into monitoring. He provides quite a few scripts, and discusses other means by which you can monitor your system.

The next chapter describes tools that can be used in incident response. This chapter has quite a lot of information and took me the longest to get through, because of all the tools mentioned that I had to download and check while I was reading the book. Carvey uses a mixture of his own perl scripts and programs that can be downloaded from places like Sysinternals, Foundstone, DiamondCS and others. All of the tools used are open source (or are at least freely available). That equips the reader with a low-cost toolkit, especially important to the home user or small business owner who cannot afford to buy the commercial equivalent. Carvey does acknowledge, though, that there are quite a few commercial tools with great functionality out there.

The first part of the incident-response tools chapter deals with the collection of volatile information (processes, services, etc.); this is a vital part of live analysis. The second part deals with the collection of non-volatile information (the content of the Windows registry, file MAC times and hashes, etc.) and tools for analyzing files. Carvey also shows how some of the tools complement each other, and that there is not one almighty tool that will find all the data you need. (This is also proven by example in a later chapter when he talks about rootkits.)

The next chapter deals with developing a security methodology, and it's handled differently than in most books: the author presents the material as a series of dreams that a Windows system administrator has, showing how an individual can come up with and fine-tune a methodology as incidents happen. Carvey has used this approach before in a series of articles entitled "No Stone Unturned" for SecurityFocus.com, and the creative approach appeals to me. As he moves from dream to dream, you can relate to the admin's circumstances (and mistakes), and see how he becomes better at responding to different incidents.

The next chapter talks about what to look for with the tools the book has introduced. It discusses infection vectors, types of malware and rootkits, and demonstrates tools and techniques for detecting them. This is where the author makes a clear point of why you would need to run several different tools, even if some overlap. His example uses an installed rootkit; running a particular program from a previous chapter, he shows that it fails to find that anything untoward is running -- it takes another program from the same chapter to actually reveal the rootkit's presence. By cross-referencing the output of both programs, you can see why you should run more than one type of analysis tool for certain areas to make sure you are not missing anything.

Finally, the author dedicates an entire chapter to his own Forensic Server Project, a two-pronged approach to live forensic analysis which uses two machines simultaneously. The first piece, the Forensic Server Module, is the listener software; this runs on a clean PC to which the data is sent from the compromised system. The other piece, called the First Responder Utility, runs several of the programs and scripts from the incident tools chapter on the compromised system. After installing everything needed for both parts of this system, I followed the author's instructions on how to run it. What a slick tool! I ran it from a couple of PCs on my home network and was able to get a lot of the information that was described in the book, as well as hash values for each log file that was produced and a general log of everything the First Responder Utility did. The whole principle of this is that when you have an incident there will be very little interaction with the compromised system, since everything is scripted to begin with.

The framework that this software constitutes is very flexible. I was able to add two new features to the Forensic Server Module and the First Responder Utility with very little code. The first addition I made was to mark all the logs as read-only on the file system after they were written by the Forensic Server Module. The next addition I made was to add a perl script to scan the c:\ drive of the PC that the First Responder Utility was running on. After I made both additions, I tested everything out, and it worked great. I had my extra log files and they were all read-only. My hat goes off to the author for coming up with this and including it in the book; it is a really nice piece of software.



  1. Your typical sharing violations by keryeski · · Score: 2, Interesting

    I can just see the "sharing violation" and "file in use" message boxes flying everywhere.

    1. Re:Your typical sharing violations by Anonymous Coward · · Score: 0

      It is a Microsoft plot to keep the 'uptime' stats higher.

      int27h

    2. Re:Your typical sharing violations by the_mad_poster · · Score: 2, Interesting

      Not only that, how do you mitigate the risk of losing deleted information to the creation of other files? I've analyzed HDD images up to 40GB and they're no party. It can take quite a bit of time to do a thorough analysis of the disk. It seems to me that you'd run the risk of losing important filesystem information or the contents of unlinked files. If some idiot runs defrag or something you could lose a good bit of critical fs data before it's stopped. Hell, every time you launch an Office document it seems like a temp file is created. What happens when one of those overwrites deleted log information on the disk?

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    3. Re:Your typical sharing violations by Anonymous Coward · · Score: 0

      Uh... like you said, just image the disk prior to doing the "live analysis". What's wrong with that?

    4. Re:Your typical sharing violations by Anonymous Coward · · Score: 3, Informative

      I can just see the "sharing violation" and "file in use" message boxes flying everywhere.

      The solution to this is to go beneath the file system. Read raw sectors from the disk and interpret FAT or NTFS yourself. You run the risk of corrupt data if a file changes while you're reading it, but it's about the only way to snag registry files and the like while the system is up and running.

      AccessData FTK Imager is capable of doing just that, and it was used for this purpose in Operation Firewall. It was also used to create disk images of mounted BestCrypt virtual drives (hint to baddies: dismount your BestCrypt virtual drives before leaving your desk).

      Disclaimer: I work for AccessData.

  2. what? by zmollusc · · Score: 3, Funny

    How do you keep a windoze box running long enough to do any forensic work on it?

    --
    They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    1. Re:what? by Anonymous Coward · · Score: 1, Funny


      The secret is leaving it at the BIOS screen for weeks on end. It's not very useful but the machine gets wicked uptime before running MS code.

    2. Re:what? by baadfood · · Score: 3, Informative

      While that is intended no doubt to be amusing, I use a Win2K pro system to develop.

      At times I have Diablo II running in a window, DevStudio debugging some app, a couple of multi-megabyte spreadsheets open in OpenOffice, and of course FireFox.

      To ensure that the hardware is as unstable as possible, this runs on a dual P4, with a Matrox and an nVidia card, both dual head for a total of 4 displays - all with a mere 512Mb of RAM.

      Ironically, FireFox is the real system resource hog.

      I have to close it down every two weeks to free up some system memory. It does get restarted about once a month when my domain passwords expire - it's the only damned way to ensure that some cached credentials don't lock me out of everything.

    3. Re:what? by sinan · · Score: 1

      Dual Pentium 4 ? Who makes such a mobo ???

    4. Re:what? by TykeClone · · Score: 1

      God. It's God's own motherboard.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    5. Re:what? by jacksonj04 · · Score: 0

      Agreed to this. Everyone says Windows is hopelessly unstable, but unless you actively try to break it then in newer versions it is difficult to reach a non-recoverable (in software) stage. Our server (W2K3) goes down monthly for patches and maintenance, with about 1% unscheduled downtime, and my desktop machine (XPSP2) will quite happily keep going for a month.

      --
      How many people can read hex if only you and dead people can read hex?
    6. Re:what? by Anonymous Coward · · Score: 0

      it's easy.

      1- install linux on another pc
      2- send user off to 3 months of school so they can learn how to open something in open office
      3- look at the windows box during that time
      4- ???
      5- profit

      how is this hard to understand?

    7. Re:what? by Loki_1929 · · Score: 2, Interesting

      Indeed. I use Win2k Pro at home, myself, and I must say that ECC memory has really completed the system in terms of stability. The last time it went down was about a month ago when my Antec TruePower 550 crapped out. (ugh, almost brand new!) The last time it had been rebooted prior to that was back in May when I took some hard drives out of it for use in another machine that I was putting together just for storage, and put in that damned Truepower PSU. Before that, I couldn't tell you the last time it went down for anything. I can say with confidence that it's been at least a year since I've brought it down for software issues (or from an OS crash). I couldn't put my finger on exactly when because it's been so long that I don't remember. I abuse the hell out of it and leave it running 24/7, but it never lets me down. Mozilla and Freenet are my two biggest resource hogs.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    8. Re:what? by ghjm · · Score: 1

      Then you aren't running current patches, and are vulnerable to various exploits. In order not to be vulnerable, you'll have to run Windows Update, which will require you to reboot for several of the current critical updates.

    9. Re:what? by Anonymous Coward · · Score: 0

      To ensure that the hardware is as unstable as possible, this runs on a dual P4, with a Matrox and an nVidia card, both dual head for a total of 4 displays - all with a mere 512Mb of RAM.


      at least one of these cards must be PCI? could you tell me (us?) which make/model they are? I'm a major multi-monitor fan and I've always dreamt of having 4 monitors up-and-running but I don't really want to gamble with lousy cards etc. ...

    10. Re:what? by Gentlewhisper · · Score: 2, Funny

      God. It's God's own motherboard.

      Not only does that asshat get 10% of our money, he saves on Xeon CPUs too!

      Grrr!

    11. Re:what? by Loki_1929 · · Score: 2, Insightful

      I run patches when I do hardware maintenance. If that means I run a few months behind the latest and 'greatest' Microsoft patches, so be it. I run a router with a stateful packet filter, an application-level software firewall, an IDS, and multiple anti-virus/anti-trojan scanners. If someone manages to get into my system and stay there, they deserve it.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    12. Re:what? by Anonymous Coward · · Score: 0

      On one hand you are telling us how stable and reliable your W2K system is and then finish your story with the other things you actually HAVE to do to keep it running without "problems" like a router with a stateful packet filter, an application-level software firewall, an IDS, and multiple anti-virus/anti-trojan scanners. Yeah, I can see how good W2K is now, thanks for clearing that up.

      On a side note, is there really any technical reason you purposely avoid applying the MS patches in a timely manner and just rebooting, other than to come to /. and brag about not having to shut the system down? My computer only takes about 2 minutes to shut down and reboot; seems logical to me it would not disrupt you very much. Let's be realistic, I assume you are not talking about a PDC in an enterprise environment here.

      I call bullshit on your entire claim as it just does not make sense.

    13. Re:what? by Anonymous Coward · · Score: 0

      Just tape its eyes open.

    14. Re:what? by Zemran · · Score: 1

      The serious side to this is that if the system is running, then is what you find a result of what you are doing, or of what the person being investigated did? In Britain we *HAVE* to analyse dead systems as this is the only way to say we are looking at what someone else did when the system was live. You have to image the system and work with the images as it is important not to taint the evidence in any way. Any mistake will result in a lost case. One of the stupidities of Windows is that even if you mount a drive as a slave, the first thing Windows does is write to it, making any work irrelevant. You have to use an OS that allows you to easily mount RO.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    15. Re:what? by baadfood · · Score: 1
      After a long search, during which I'd all but given up, this appeared on my local distributor's price lists:

      Gainward Geforce FX 5200 Pro/660 PCI

    16. Re:what? by baadfood · · Score: 1

      sorry. Dual XEON 1.7GHz

    17. Re:what? by Anonymous Coward · · Score: 0

      LOL, aren't you the pisser this morning?

      If you want to be "realistic" , provide an example of how you can keep ANY machine with a permanent net connection up, running, and stable...

      WITHOUT a firewall, withOUT security/AV, and etc. Keep in mind that LOTS of people don't apply the "latest greatest" MS patches immediately... Or are you just not aware that some patches have been recalled, changed, or otherwise after release?

      Go ahead and call bullshit, but really, you're just being a pissant. If you want to knock Windows, how about providing some FACT instead of your argumentative, empty rhetoric?

      Or is there a TECHNICAL reason? Like maybe you can't get Windows running without help?

    18. Re:what? by NanoGator · · Score: 1

      "Indeed. I use Win2k Pro at home, myself, and I must say that ECC memory has really completed the system in terms of stability."

      2K's pretty cool, iddn't it? I've been running Lightwave plus After Effects for several weeks straight now. Time == money is very much a fact in my line of business. I'd be the first to go running to Linux (Actually, OSX is a more likely candidate...) if Windows behaved like the anti-MS bunch imagines. Yet, rehashed BSOD jokes still get +5 funnys...

      --
      "Derp de derp."
    19. Re:what? by Loki_1929 · · Score: 1

      "then finish your story with the other things you actually HAVE to do to keep it running without "problems" like a router with a stateful packet filter, an application-level software firewall, an IDS, and multiple anti-virus/anti-trojan scanners. Yeah, I can see how good W2K is now, thanks for clearing that up."

      First of all, you pretentious and cowardly little anonymous prick, I don't have to do any of those things. I do those things because I'm paranoid about security (the smart thing to be, in my opinion), and because I don't want to deal with problems such as intrusions. Windows 2000 isn't bullet-proof 100% secure. No software ever before written is 100% secure. My current setup isn't 100% secure. By doing the things I do, I approach 100% security. Just what OS is it that you're using that doesn't require any additional security precautions? Can it do half of what mine does? I'm the first to blast M$ for the stupid/illegal/immoral things they do, but they did a pretty decent job with Win2k.

      "is there really any technical reason you purposely avoid applying the MS patches in a timely manner"

      Three reasons. First of all, most of the patches are unnecessary, as they're not remotely exploitable on my current setup with the additional precautions I've already taken. Secondly, some patches cause major problems, like Service Pack 2 for Windows XP. I'd rather wait to hear about problems other people have had, rather than dealing with the problems myself. Thirdly, it's inconvenient. I work with computers all day long solving problems. The last damn thing I want to do when I get home at the end of the day (or early the next day) is to troubleshoot the sudden bizarre behaviors exhibited by my computer because some 0day patch from Microsoft is buggy'd all to hell. I also don't want to sit there waiting for patches to download and install, and then have to restart, and then restart all the programs I run 24/7, and then make sure everything's working as it should. When I get home, everything's up and running and waiting for me. That's how I want it.

      "then to come to /. and brag about not having to shut the system down?"

      I see; so when a Linux user laughs at how Windows users supposedly have to reboot 73 times an hour, but his computer's been up 24/7 for the past 8 years, that's "cool". When a Win2k user talks about his personal experiences with Win2k being positive, that's just silly bragging.

      "My computer only takes about 2 minutes to shut down and reboot, seems logical to me it would not disrupt you very much."

      You pretentiously assume that the world for others is identical to your perspective. Sorry to deflate your little ego, but other people actually do have different setups. Personally, between downloading and installing patches, then restarting, I'm looking at probably 3 - 5 minutes. For starting up all the things I start up, getting them all set up the way that I need them set up, and then checking to make sure they're all running properly, I'm looking at upwards of 30 minutes or more.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  3. Re:FYI by Anonymous Coward · · Score: 1, Informative

    Fuck you, spammer.

  4. Hiding Data by darth_MALL · · Score: 4, Informative

    From article:
    " Sample topics include file attributes, alternate data streams, OLE and stenography"
    Should that be Steganography?

    1. Re:Hiding Data by micromoog · · Score: 3, Funny

      You know, stenography. As in, typing the files on paper instead of in the computer. Makes them really hard to find later.

    2. Re:Hiding Data by Anonymous Coward · · Score: 0

      Interestingly enough, the two pictures linked in that wikipedia article have the incorrect word stenography in their filenames as well.

    3. Re:Hiding Data by bloodstains · · Score: 1

      "Load the first image, apply the logical and operation with the number 3 to the image, and make the image 85 times brighter, and you get the second image."

      Has anyone tried the example in the link? I'm not sure what is meant by the bolded statement in the quote from the Wikipedia article.

    4. Re:Hiding Data by kilonad · · Score: 1

      I loaded it up into IDL, and sure enough, the damn thing works. Creepy. For those of you out there with a copy of IDL handy, try the following commands:

      ; read a PNG chosen from a file picker
      image = READ_PNG(Dialog_Pickfile(Filter="*.png"))
      ; keep the two low bits of each pixel and stretch 0..3 to 0..255
      TV, (image AND 3)*85
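The recipe quoted from Wikipedia, worked through as an added Python example that is not from the book, the thread or Wikipedia: a constructed 8-bit grayscale image, a message hidden in the two low bits of each pixel (the embed/decode helpers and their names are my own), and the `(image AND 3) * 85` stretch that makes the hidden plane visible while the cover image changes by at most 3 levels.

```python
"""Added example (not from the book or the thread): two-bit LSB steganography
behind the quoted recipe "(image AND 3) * 85", on a constructed 8-bit image."""

import random


def embed_lsb2(cover, payload):
    """Hide payload bytes in the two low-order bits of each pixel.

    Each byte needs four pixels (2 bits per pixel), most significant pair
    first. cover is a list of rows of ints in 0..255; a new image is returned."""
    pixels = [p for row in cover for p in row]
    if len(payload) * 4 > len(pixels):
        raise ValueError("payload too large for cover")
    stego = pixels[:]
    for i, byte in enumerate(payload):
        for k in range(4):
            two_bits = (byte >> (6 - 2 * k)) & 3
            idx = 4 * i + k
            stego[idx] = (stego[idx] & ~3) | two_bits   # clear low 2 bits, set ours
    width = len(cover[0])
    return [stego[r:r + width] for r in range(0, len(stego), width)]


def lsb_plane(image):
    """The analyst's view: keep only the two low bits and stretch 0..3 to 0..255.

    This is exactly (image AND 3) * 85 from the quoted recipe; on a clean photo
    the result looks like noise, on a stego image the payload's structure shows."""
    return [[(p & 3) * 85 for p in row] for row in image]


def decode_lsb2(stego, nbytes):
    """Recover nbytes of payload from the two low bits of the leading pixels."""
    pixels = [p for row in stego for p in row]
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for k in range(4):
            byte = (byte << 2) | (pixels[4 * i + k] & 3)
        out.append(byte)
    return bytes(out)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference the embedding introduced (at most 3)."""
    return max(abs(a - b) for ra, rb in zip(cover, stego) for a, b in zip(ra, rb))


def demo():
    """Constructed 16x8 cover image with a short hidden message."""
    rng = random.Random(7)
    cover = [[rng.randrange(256) for _ in range(16)] for _ in range(8)]
    secret = b"hello, /."
    stego = embed_lsb2(cover, secret)
    return cover, stego, decode_lsb2(stego, len(secret))


if __name__ == "__main__":
    cover, stego, recovered = demo()
    print("recovered:", recovered)
    print("max pixel change:", max_pixel_change(cover, stego))
    for row in lsb_plane(stego)[:2]:
        print(row)
```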

    5. Re:Hiding Data by Anonymous Coward · · Score: 0

      This refers to a logical process used in most graphics applications (PSP uses effects > math), I haven't tried this method but knowing how insecure Windoze is it might just work.

  5. Non-software solutions? by Limburgher · · Score: 4, Interesting

    Does the book offer any comprehensive ideas beyond tools you can download and how to use them? I'm really more interested in knowing where an attacker's footprints are likely to be evident, not in using some sort of footprint detector. Tools are nice, but one should have basics to fall back on when tools are unavailable or untrusted. That said, the best Windows security tool is Nero. It's great for burning Debian .isos. . .:)

    --

    You are not the customer.

    1. Re:Non-software solutions? by Anonymous Coward · · Score: 0

      That said, the best Windows security tool is Nero. It's great for burning Debian .isos. . .:)

      Haha!
      Woohoo, that was a good one.
      pop
      Virtual Highfive!

  6. Here's my method by BortQ · · Score: 3, Funny
    Granted I have been called crazy, but here's my computer forensics method:

    Bring the computer to my office.

    Administer a morphine injection.

    Ask the computer about his feelings (particularly towards his parenting fab)

    Administer another morphine injection (to myself this time).

    Play some Diablo 2 on the computer.

    Upgrade computer's video card.

    Play some more Diablo 2.

    Charge computer's owner some big money.

    One last morphine injection for the road.

    Lather, rinse, repeat and you've got one hell of a business!

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
    1. Re:Here's my method by APurplePolarBear · · Score: 2, Funny

      Ok, you had me nodding my head right up until you started injecting morphine in to the road.

      You are one sick puppy, BortQ. For shame.

  7. Good read? by Baron+von+Blapp · · Score: 5, Funny
    I love books that only dish out arcane knowledge that .02% of the windows sys admin or windows security [sic] community will use once in a lifetime.

    Cool, I love arcane knowledge *hugs his falconry for dummies book*

    --
    "It's too bad she won't live, but then again who does?" - Gaff
  8. Live analysis. by grub · · Score: 5, Interesting


    We had an SGI IRIX system rooted a while ago. One of those obscure machines that sat in a corner running for years, rarely updated or touched. When it was discovered that the machine was taken over the person that admin'd the machine left it exactly as is but firewalled and VLAN'd the machine from touching anything outside of a test VLAN he set up.

    In February he gave us (network guys visiting his branch) a look at the machine and what he found. The machine, the root kit and the IRC bot were all left intact and running. It was pretty neat, he wrote up a lengthy post-mortem of the event.

    --
    Trolling is a art,
  9. Re:A much better book! by Baron+von+Blapp · · Score: 1

    You got the security part right ;)

    --
    "It's too bad she won't live, but then again who does?" - Gaff
  10. Re:Who needs books!? by MeerCat · · Score: 1

    I'm willing to bet that he doesn't have a hardware drive copier that supports SATA

    Really ?? How much are you willing to bet on that ??

    Hmmm, I wonder if Google will predict roulette numbers for me too ;^)

    --
    I spent a lot of money on booze, birds and fast cars. The rest I just squandered. - George Best
  11. Re:Who needs books!? by datastalker · · Score: 1

    The tool that you're probably referring to is EnCase by Guidance Software.

  12. Re:Who needs books!? by FyRE666 · · Score: 1

    Good grief! Are you serious? I think a "police budget" can stretch to *zero* dollars to install Linux and mount your super 31337 ReiserFS drive.

    The only way you've any chance of hiding your Pr0n is by using an encrypted filesystem like CryptFS, an encrypted loopback or whatever...

  13. Re:Who needs books!? by SlamMan · · Score: 1

    Because you can't pick up a SATA drive dock?

    --
    Mod point free since 2001
  14. Re:Who needs books!? by stratjakt · · Score: 2, Informative

    I'm willing to bet that he doesn't have a hardware drive copier that supports SATA. And his software doesn't recognize reiser4 or xfs.

    I'm willing to bet you're wrong. A SATA-PATA converter is 20 bucks, if that's what it takes. And even if you don't recreate the files, you can still search bit for bit for tags like "JFIF" which denote the start of a jpeg file, and then just grab the data to see what the jpeg file is of.

    Believe me, linux is not beyond the long arm of the law. When the FBI raids the big warez sites, do you think those are all windows machines? They manage to get convictions.

    --
    I don't need no instructions to know how to rock!!!!
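The "search bit for bit for JFIF" idea from the post above, as an added Python example that is not from the thread or from any forensic product: it carves JFIF-tagged JPEGs out of a raw byte blob while ignoring the filesystem entirely, and hashes each carved file so it can be logged. The disk image, the marker handling and all function names are my own constructions.

```python
"""Added example (not from the book or the post): signature-based carving of
JFIF JPEGs from a raw blob, with SHA-256 of each carved file."""

import hashlib

SOI = b"\xff\xd8\xff"   # start of image, followed by the first marker byte
EOI = b"\xff\xd9"       # end of image


def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Return (offset, data, sha256hex) for every JFIF JPEG found by signature.

    Directory entries are never consulted, so deleted files whose clusters are
    still intact come out too. Caveats: a fragmented file comes out wrong, and
    an EXIF thumbnail has its own FF D9 that would cut the outer file short.
    The JFIF check stops every stray FF D8 FF from being treated as a file."""
    found = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        # layout: FF D8 | FF E0 | length (2 bytes) | "JFIF\0" ...
        is_jfif = (blob[start + 3:start + 4] == b"\xe0"
                   and blob[start + 6:start + 11] == b"JFIF\x00")
        if not is_jfif:
            pos = start + 1
            continue
        end = blob.find(EOI, start + 11)
        if end < 0 or (end + 2 - start) > max_size:
            pos = start + 1      # truncated or implausibly large: skip it
            continue
        data = blob[start:end + 2]
        found.append((start, data, hashlib.sha256(data).hexdigest()))
        pos = end + 2
    return found


def fake_jpeg(body):
    """Constructed minimal JFIF file: SOI, a 16-byte APP0 segment, body, EOI."""
    app0 = (b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00"
            + b"\x01\x01"            # JFIF version 1.1
            + b"\x00"                # density units: none
            + b"\x00\x01\x00\x01"    # x/y density
            + b"\x00\x00")           # no embedded thumbnail
    return b"\xff\xd8" + app0 + body + b"\xff\xd9"


def filler(n):
    """Constructed 'unallocated space' that never contains 0xFF, so no false markers."""
    return bytes(i % 251 for i in range(n))


def build_disk_image():
    """Constructed raw 'disk': two intact JPEGs, one stray SOI with no JFIF tag,
    and one truncated JPEG (its EOI overwritten) at the end of the blob."""
    a = fake_jpeg(b"\x10" * 40)
    b = fake_jpeg(b"\x20" * 64)
    stray = b"\xff\xd8\xff\xdb"                 # SOI then a DQT marker, no APP0
    truncated = fake_jpeg(b"\x30" * 32)[:-2]    # EOI gone: not recoverable by signature
    blob = filler(100) + a + filler(37) + stray + filler(50) + b + filler(20) + truncated
    return blob, a, b


if __name__ == "__main__":
    blob, _, _ = build_disk_image()
    for offset, data, digest in carve_jpegs(blob):
        print(f"offset {offset:6d}  size {len(data):5d}  sha256 {digest}")
```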
  15. Re:Who needs books!? by towaz · · Score: 2, Informative

    i'm sure most police forensics people have a copy of dd and netcat :)

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
  16. Re:Who needs books!? by Anonymous Coward · · Score: 5, Informative
    I thought this post looked familiar

    If you're going to repost other people's posts, at least preserve the formatting, you lazy turd.

  17. Also... by Anonymous Coward · · Score: 0

    "Yet I cannot help remember one enigma. A hybrid, elusive destroyer. This is the only mystery I have not solved. The only element unaccounted for."

  18. Re:Who needs books!? by Grond_the_Hammer · · Score: 5, Informative

    1) There is no "one" tool accepted in court; many tools are accepted, and it is almost always the competency of the examiner, and only rarely the tool, that is called into question. Companies like Guidance Software (makers of Encase) would like you to think that way...

    2) Most dedicated computer forensic tools, especially those for examining hard drive images, can work with any filesystem from FAT12 to xfs on a RAID 5 set. Again, the burden falls on the examiner to know the proper tools/methods for examining these file structures.

    3) SATA drives can be copied with any dedicated hardware copier (such as Logicube's MD5 or Solitaire), but dd combined with an SATA interface will work just fine. Any memory image (RAM, IDE, SCSI, SATA, etc.) can be imaged with just dd, even over a network.

    4) "Average nerds and hackers are so far ahead of the forensics guys"...what nonsense. Computer forensic analysts are without a doubt some of the most talented people in IT, period. Computer forensics is multi-discipline and analysts typically have backgrounds in engineering, programming, criminology, and languages. And why are you assuming that most computer forensics experts are in law enforcement? The best analysts are in the private sector, military, and government intelligence.

  19. It's Steganography by DaGoodBoy · · Score: 0

    not stenography... Stenography is 'short hand'.

    --
    My God! It's full of Voids!
  20. Re:Who needs books!? by Anonymous Coward · · Score: 0


    DAMN I wish I had modpoints for you.

    Good catch!

  21. Re:FYI by the_mad_poster · · Score: 3, Informative

    Or here if you'd rather not use an affiliate link and pay someone who didn't do anything more than type a few words into a search box.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  22. Live "Forensics" by stew1 · · Score: 5, Interesting

    "Forensics" on a live system is a misnomer. For incident response, collecting live data on open ports, running processes, logged on users, and mounted devices is useful and sometimes necessary. Investigators should be sure to check -- gingerly -- whether any encrypted volumes are mounted.

    Generally, however, if there's any chance that the investigation could wind up in court, it's best to pull the plug (literally) and conduct a static analysis of the hard drive. You lose access to running processes and some live registry keys, but otherwise just about everything exists on the hard drive and is accessible through standard forensic tools.

    As a forensic programmer/consultant, one of the biggest problems I run into is when J. Random Sysadmin is tasked with conducting an initial investigation and ends up rampaging through the hard drive like a bull in a china shop. If you ever find yourself in this situation, stop and get the facts. There's no better way for a sysadmin to wind up in the doghouse than to ruin a legal investigation.

    Jon

    (Disclaimer: I work at Guidance Software, makers of EnCase, which is the all-in-one tool that can do all of the things mentioned in the review. But not for free...)

    1. Re:Live "Forensics" by pbranes · · Score: 3, Insightful
      I see your point, but the extreme difficulty comes when a sysadmin should determine that something needs to be handled by the information security officer and not by himself. Here's an example:

      You have an older server that has a relatively small hard drive. You get a complaint from somebody saying they can't do so and so on the server. You look on it and find that the hard drive is full. You think, oh great, somebody printed a 200mb print job again and filled up the hard drive. Well, time to reboot the server. You have just lost an enormous amount of evidence and you may never know where the pirated games, movies, and music came from.

      I am a windows/linux sysadmin and when something isn't working right, my first thought is not *I'VE BEEN HACKED*, no, it's "stupid {some software}, {some company} can't program to save their life. time to restart the service or reboot". I will agree that discovering a problem at this point is too late - you're already 0wN3d. Instead of focusing on forensics, we need to focus on proactive measures - use group policies to enforce better security policies; use ntop, nmap, snort, gfi languard, and ms baseline security analyzer to check your systems; dump your linux and windows boxes to a syslog server that notifies on any irregularities; use SUS, SMS or something similar to patch all systems quickly and efficiently. If we are more proactive, then forensics will be less of an issue.

    2. Re:Live "Forensics" by stew1 · · Score: 3, Insightful

      And that kind of an IT response (problem? reboot!) is fine, because you've got work to do after all.

      However, at the point that you discover that there's been an incident, you should note what's running (ps), what's open (netstat), who's logged on, and what drives are mounted. Document everything that you do (date/time, action, reason for action), pull the plug, and call your lawyer.

      Incident response is difficult as the scale of the "response" can vary so widely. Sometimes it's enough to run a virus scanner and reboot. Other times you may find you've been 0wn3d by international hackers conducting IP theft (I've seen it) and you need to proceed very carefully. And then there are the HR investigations...

      My main point is simply that when geeks start to tread into the area of incident response/forensics, it's important for them to know what they're doing. When you're operating in the context of traditional IT, an IT response is okay. When you're operating in the context of an investigation, a traditional IT response is typically the worst thing you can do.

      You are also very correct, though, in noting that pro-active security is where the typical sysadmin should have his/her focus. You don't want to be the sysadmin who let in the international hackers stealing all your company's intellectual property.

      Jon

    3. Re:Live "Forensics" by JackAsh · · Score: 1

      Jon,

      I find that second paragraph interesting - doesn't that directly contradict the purpose of your Encase Enterprise Edition product? (of which my security team happens to be a happy customer, btw) Also, isn't there a new Live Analysis feature?

      For the uninitiated, Encase is quite possibly the industry standard tool for Forensic analysis. The latest iteration, Encase Enterprise Edition, allows for forensic acquisition over a live network with the installation of a 100k agent on the target machine. Ideally this agent has been predeployed to your enterprise clients which makes it so you don't corrupt data at the last moment.

      -Jack Ash

    4. Re:Live "Forensics" by stew1 · · Score: 1

      Hi Jack -

      The EEE "servlet" will not write anything to the filesystem directly. Acquisitions are made on a low-level sector-by-sector basis.

      However, running *any* program on a targeted system necessarily changes it. The operating system has to allocate memory and CPU time for the process, and on any modern system that can invoke a write to the pagefile/swap area. This is just the way life is, and for corporate investigations -- which almost never go criminal -- this is more than good enough.

      Whether an investigation is internal, civil, or criminal, it's important to know and follow forensic best practices. If you know an acquisition is going to be used in a criminal investigation, my understanding is that it is generally preferable to pull the plug and image the drive off-line. But that's only if you've got a trusted tech on-site to do the job at the time...

      Jon

    5. Re:Live "Forensics" by MoralHazard · · Score: 2, Insightful

      "Forensics" on a live system is a misnomer. For incident response, collecting live data on open ports, running processes, logged on users, and mounted devices is useful and sometimes necessary. Investigators should be sure to check -- gingerly -- whether any encrypted volumes are mounted.

      Why a "misnomer"? Forensics, in the usage of the phrase "computer forensics", is an extension of our usage of forensics to refer to the presentation of evidence in court. The word initially means "methods pertaining to proving a proposition by logical argument". It doesn't matter whether the collection of data is live or not, it's still "forensics".

      Your statements, despite your credentials, suffer from the failing of being Windows-centric (come on "registry keys"?), and (worse, still) EnCase-centric. And your advice about pulling the plug is horrifically oversimplified.

      What happens when someone's walked into your LAMPS servers through an unpatched OpenSSH vulnerability, but hasn't installed a rootkit? If you just "pull the plug", the real evidence of the intrusion goes bye-bye because none of it was written to the hard drive. You'll probably want to look at netstat, maybe take a core dump to a remote machine, and generally examine the state of the running machine. THEN, depending on the type of filesystem, you either A) pull the plug, B) issue a 'flush' and then pull the plug, or C) go through the machine's normal shutdown procedure.

      Think about it: If you just pull the plug without thinking the matter through, you stand a good chance of fucking things up. Yes, many sysadmins cause problems by trying to do too much work on their own, or taking steps that actually destroy existing evidence, but that's no reason to give blanket advice that can be as shitty as it is good!

      The correct solution: train the sysadmins to be first responders, or at least train them enough to be capable of keeping their hands off the systems until qualified help arrives. Whether you have in-house incident response people or you hire an outside firm, make sure that your admins consult with them before moving on anything that could lead to a legal issue.

      Your biases are reflective of desktop experience on Windows platforms, which is a large part of forensic work, I'll grant. But it's far from all of it, and it's actually counter-productive on many non-Windows machines. For instance: are you familiar with a thing called tmpfs? It's a RAM-based filesystem for the /tmp directory (or any other mount point, potentially) that allows seamless file-and-directory semantics but that never writes anything to disk.

      Guess what? JUST ABOUT EVERY LINUX DISTRO USES TMPFS, NOWADAYS! Can you imagine how badly you would screw up investigations if you went around pulling plugs on a bunch of Linux machines, and losing the entire contents of their /tmp directories in the process? That's liable to get you in the doghouse, that's for sure!

      There's no excuse for looking like an expert but giving poor advice, even if this IS Slashdot.

    6. Re:Live "Forensics" by Anonymous Coward · · Score: 0

      If you still believe disk-based analysis is real computer forensics, then you clearly are not up on current exploitation and rootkit techniques--nearly all of which leave *no* evidence on disk. The dogma of disk-based forensics needs to be cast aside--it is really only relevant for analysis of machines for child porn cases, white-collar crime, and/or legal discovery--it has little remaining use in responding to potentially compromised hosts.

      The problem is that in order to perform "Live Forensics" it must actually be automated and closely coupled with anomaly/intrusion detection for it to be effective in many cases. The companies that produce tools favored by law enforcement (remember what disk-based forensics is good for?) are in no position to build the products really needed by people and companies trying to protect their systems and cooperate with LE if there is a compromise or theft. They continue to promote disk-based forensics to commercial enterprises etc. simply because they do not have the expertise and knowledge to build the right forensic and evidence collection tools for a market beyond LE.

      For those that are still incredulous:

      -A process vulnerable to a buffer overflow is exploited, so the only modifications to the system at this point occur in the process memory. The inbound connection is re-used or a new connection is established outbound to retrieve additional object code that is dynamically linked into the exploited process, and still the modifications to system are in the exploited process memory and the kernel state tables. The new code linked into the process uses the administrative privileges of the exploited process to access the device interface to physical memory and dynamically patch the running kernel image to hide the exploited processes' children amongst other things--only changes are still in memory. The payload code forks and updates the kernel process tables to change the parent of the new process, so it can kill off the exploited process safely and continue to execute--still no disk evidence produced. The system now has a kernel rootkit and user process providing backdoor access to the system without generating any disk-based evidence, unless there was some swap activity. Even if the exploited process or its child was swapped out at some point, very few people have the skills to reverse-engineer the portions of a process that ends up in swap and realize it contains code that was not present in the original executable. EnCase and/or TCT will never find any info on this compromise.

      -There are people who are quite capable of just such an attack, and the process to do it is becoming ever more automated. Once the kernel is compromised, the kernel modifications can facilitate access to files on the system without changing any attributes of the file on disk.

      -Unless the attacker connects from/to a system that can lead back to them, does something really stupid like IRC from the compromised host, or uploads files that can be linked to them, the only forensic connection to them is the signature of the tools/code used to compromise and backdoor the system. If the exploit code can be captured from the exploited process, it is the equivalent of tool marks, and possibly could be linked to specific exploit code run from the attacking system.

      Currently there are no tools/products that implement the truly needed level of "live forensics". Anyway, who wants to slog through a TB of disk on the network file server or DB machine when it is compromised ;/

      Dominique Brezinski
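      The check a first responder can still make against the memory-only compromise described in the post above is to look at what is actually mapped executable in each live process, since injected code and an executable that unlinked itself after starting both leave traces in /proc/PID/maps even when nothing is on disk. The script below is an added example and is not code from the book, from EnCase, or from any poster; it assumes a Linux host with /proc mounted and awk available, reads /proc only and writes nothing to disk. Its limits are exactly the ones the post makes: a kernel already patched through the physical-memory device can lie in /proc, and JITs (Java, browsers) create anonymous executable regions legitimately, so every hit is a lead to dump and examine, not a verdict.

```shell
#!/bin/sh
# Added example (not from the book, EnCase or any poster): flag executable
# mappings in /proc/PID/maps that have no file behind them, whose file has
# been unlinked, or that are writable as well as executable. Reads /proc only.
# Assumes Linux with /proc mounted. A rootkit in the kernel can falsify /proc,
# and JITs create anonymous RWX regions legitimately: hits are leads, not proof.

# scan_maps MAPSFILE PID: print "PID<TAB>maps line" for each suspicious mapping.
# A maps line is: start-end perms offset dev inode [pathname] [(deleted)]
scan_maps() {
    awk -v pid="$2" '
        $2 !~ /x/ { next }                                   # not executable, ignore
        NF >= 6 && ($6 == "[vdso]" || $6 == "[vsyscall]" || $6 == "[vectors]") { next }
        NF == 5            { print pid "\t" $0; next }       # executable, no backing file
        $NF == "(deleted)" { print pid "\t" $0; next }       # backing file unlinked after start
        $2 ~ /^rwx/ || $6 ~ /^[[]/ { print pid "\t" $0 }     # writable text, or executable heap/stack
    ' "$1"
}

# scan_all: walk every live process; a process that exits mid-scan is skipped.
scan_all() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] && scan_maps "$maps" "$pid" 2>/dev/null
    done
}

# A hit is followed up by copying the region out of /proc/PID/mem (root) to
# removable media before anything else is touched: that is the "core dump to a
# remote machine" step mentioned elsewhere in this thread. Run with:
#   sh scan_maps.sh --run
if [ "${1:-}" = "--run" ]; then scan_all; fi
```

Run it as root so every process's maps file is readable; unprivileged, only your own processes are covered. The sample maps lines used to exercise `scan_maps` are constructed, not captured from a real compromise.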

    7. Re:Live "Forensics" by dexterpexter · · Score: 2, Insightful

      Commenting on the pulling the plug...

      this is generally suggested for law enforcement who respond to a crime scene for which there is a standalone running machine and a qualified computer forensic examiner is not readily available. In the "bag and tag" process, the responding cops are then told to pull the plug (literally...not from the wall, but from the machine itself) and then bag and tag the machine. This might seem odd at first, and yes things can be lost, but the key is obtaining "forensically sound" evidence which is admissible in court.

      Just as you wouldn't want the computer guy touching the dead body on the floor, you don't want the average police guy trying to do an analysis of the machine. Even if he does open a few folders and find undeniable evidence of the crime, a good cross-examiner would rip that up in court. The idea is that you allow the least amount of "tampering" as possible before the guy who knows what he is doing gets ahold of the machine.

      Now, that said, if you walk in and there is an unsaved but important-looking document sitting on the desktop, you're not going to want to pull the plug. At that point, you take pictures and then have several witnesses present to try to preserve the document by saving it to an external drive. In that case, you gotta do what you gotta do.

      However, the plug-pulling strategy, I can second, is a standard practice for first responders when a live, on-site replication of the machine is not possible. In that case, you really do have to pull the plug, bag, tag, and examine later.

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
    8. Re:Live "Forensics" by slash.dt · · Score: 1
      Can you imagine how badly you would screw up investigations if you went around pulling plugs on a bunch of Linux machines, and losing the entire contents of their /tmp directories in the process? That's liable to get you in the doghouse, that's for sure

      You know, all the time that I was reading the previous comments, when people talked about 'pulling the plug', I assumed that they meant the network connection, it didn't occur to me that they meant the power. Unless the process is stomping all over your fs, I would leave it running but incommunicado by preference. That would keep the evidence (unless the process was designed to delete itself if it lost network connectivity).

    9. Re:Live "Forensics" by JackAsh · · Score: 1

      Thanks for the response - I agree with you in that running a program does indeed change the system, but I guess the key question is whether it is better to guarantee no changes whatsoever or risk losing volatile data (which could also be very valuable in the case of an investigation into an ongoing matter, like a hack).

      We do have a forensic group on-site or near-site (quick response available). I seem to recall also that PriceWaterhouse is working with Guidance in piloting EEE as a "valid" tool for criminal investigations - I think the philosophy they are adopting is that in modern systems with 512MB and up changing 100KB of disk is preferable to losing those 512MB...

      In any event, thanks for the response, and good job. I can definitely say that every time we've needed to work with your company it's been an absolute pleasure.

      -Jack Ash

    10. Re:Live "Forensics" by stew1 · · Score: 2, Insightful

      Windows-centric? The title of the book is *Windows* Forensics and Incident Response. I guess this is Slashdot so I should expect to be flamed for being on-topic...

      My top post isn't about EnCase.

      As others note here, standard forensic practice -- especially when you don't know what you're doing -- is to pull the plug. That's what the DOJ says, at least.

      In the example that you give, of the OpenSSH vulnerability, it's very likely that the intruder will leave filesystem artifacts. sync() runs every few seconds. Syslog keeps track of all kinds of events (not to mention shell history files!). Sure, if someone's got root they can cover their tracks completely, but we're rarely dealing with Moriarty -- usually it's Moe and his friends, Larry and Curly.

      Additionally, the distinction needs to be made between forensics and incident response. That distinction is definitely murky, but it exists. When you suspect an "incident", which is usually a code word for "exploited vulnerability", yeah, gathering live data totally makes sense, and I'd do it. Once I'd gotten my data, I'd then pull the plug. For forensic software, mildly corrupt filesystems resulting from power loss is not a big deal. But if you think about the potential for losing artifacts that is entailed from performing a clean shutdown, you can see why abrupt power cut-off is the way to go.

      For example, tmpfs. Sure, tmpfs is a "RAM"-disk, but that memory is backed by swap. If I'm the kernel, I bet I'm going to see that a lot of the files in this 'tmpfs' are relatively unused -- swap them away! Now, consider what happens when you perform a shutdown. Processes are killed, users are logged out, daemons are signalled, runlevels are changed, etc., etc., etc. That sounds to me like a pretty invasive procedure, one that could very well involve lots of swapping. So then you lose tmpfs. As noted above, if I really cared about the live data, I'd capture it, as simply as possible, and then I'd pull the plug. So I'd run ps, netstat, maybe lsof, and ls -ls /tmpfs. And then the plug would be pulled.

      As far as getting in the doghouse, my experience has been that it's far better to be in everyone else's doghouse but have your General Counsel love you than to have everyone else love you and be in your General Counsel's doghouse. That's the key point, really: When legal gets involved, IT doesn't matter.

      cheers,

      Jon
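      The volatile-data pass that stew1 lays out in reply #2 (ps, netstat, who, mounts, then document everything and pull the plug), that MoralHazard's reply #5 adds the "check gingerly for mounted encrypted volumes" step to, and that reply #10 narrows to "ps, netstat, maybe lsof, and ls of /tmp, then the plug" is short enough to script, and scripting it is what makes "document everything you do (date/time, action, reason)" actually happen under pressure. The script below is an added example and is not code from the book or from any poster; it assumes a Unix host, that CASE_DIR points at removable media rather than the suspect disk, and that the command names are the ones the thread uses (ss is tried when netstat is absent). Every command run is appended to an action log with a UTC timestamp and its reason, and every output file is hashed, which is the record counsel will ask for later. The `mount` output is what answers the encrypted-volume question: device-mapper or loop entries backing a mount point are the sign, and the script deliberately goes no further than listing them.

```shell
#!/bin/sh
# Added example (not from the book or any poster): first-responder volatile data
# collection for a Unix host, in the order the thread gives, with an action log
# and output hashes. Assumes CASE_DIR is on removable media, not the suspect disk.
# Nothing here writes to the suspect filesystem beyond what the kernel does on
# its own (page cache, atimes); the big disturbance is the plug pull afterwards.

CASE_DIR=${CASE_DIR:-/mnt/usb/case-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}

hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# collect LABEL REASON CMD [ARGS...]: run CMD, save its output as LABEL.txt,
# append "timestamp label reason command exit-status" to actions.log and the
# output's SHA-256 to hashes.sha256. A missing tool is logged (exit 127), not fatal.
collect() {
    label=$1; reason=$2; shift 2
    mkdir -p "$CASE_DIR"
    out=$CASE_DIR/$label.txt
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 && status=0 || status=$?
    else
        echo "command not found: $1" >"$out"; status=127
    fi
    printf '%s\t%s\t%s\t%s\texit=%s\n' "$ts" "$label" "$reason" "$*" "$status" >>"$CASE_DIR/actions.log"
    printf '%s  %s\n' "$(hash_of "$out")" "$out" >>"$CASE_DIR/hashes.sha256"
    return "$status"
}

# Most volatile and least intrusive first; the reasons are what goes in the log.
main() {
    collect date    "clock reference for every later timestamp"                     date -u
    collect uptime  "last boot bounds the intrusion window"                           uptime
    collect ps      "running processes with full arguments"                           ps auxww
    if command -v netstat >/dev/null 2>&1; then
        collect netstat "open ports and peer addresses"                               netstat -anp
    else
        collect ss      "open ports and peer addresses (netstat absent)"              ss -anp
    fi
    collect lsof    "open files per process, shows deleted-but-running executables"  lsof -n
    collect who     "logged-on users and where they came from"                        who -a
    collect mounts  "mounted filesystems, incl. tmpfs and any dm/loop crypto volumes" mount
    collect tmp     "listing of tmpfs-backed /tmp, gone after power-off"              ls -la /tmp
    echo "collection done: now pull the power plug, not the network cable" >&2
}

# Run as: CASE_DIR=/mnt/usb/case42 sh collect.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from a known-good copy of the tools on the same removable media when a kernel rootkit is suspected, since the host's own ps and netstat are exactly what a rootkit replaces or filters; even then, as Brezinski's post notes, a patched kernel can lie to any userland tool. The test below runs `collect` against a harmless command and against a deliberately absent one.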

  23. Analogy by barcodez · · Score: 1, Funny

    Windows Forensics
    crack whore at the gynecologists

    --

    ----
  24. Re:Who needs books!? by stratjakt · · Score: 1

    Only until a judge orders you to decrypt it. And then you decide whether you want to face child porn charges, or somewhat weaker child porn charges + contempt of court charges.

    If you're at the point that your hardware was seized, you know they already have enough on you to get a warrant. The cops are just trying to make their case against you airtight, but that doesn't mean that it doesn't already float.

    --
    I don't need no instructions to know how to rock!!!!
  25. Re:Who needs books!? by Spoing · · Score: 1
    1. I'm willing to bet that he doesn't have a hardware drive copier that supports SATA.

    There are data recovery shops that probably do have the necessary equipment...though I don't see a problem with taking the drive, booting off of a CD and doing a bit copy to another drive using dd.

    In either case, I think your confidence level is a bit too high. The forensics software I've used has checksum ID strings for known files and uses that as the basis for finding the known parts. These checksum databases are available for Unix-like systems, not just Windows. Once accounted for, the remaining file space can be investigated for other data.

    1. The real problem is that the average nerds and the hackers are so far ahead of the forensics guys in terms of knowledge about modern technology and software that they can't keep up. Hackers will always have bleeding edge tools, and police budgets can't

    The average hacker vs. the average cop, no doubt you are correct. The average hacker vs. a professional data forensics expert...it all depends on how much time the forensics expert has to do the investigation.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  26. Windows security by rasz · · Score: 0, Flamebait

    It should go to the Science Fiction book review category.

  27. Re:Who needs books!? by Otter · · Score: 1
    And if the case is too small they wont bother.

    As is always the case, the degree of security you need depends on how much effort anyone is going to put into compromising it. If you're a low-level pot dealer, you're probably right that your obscurity provides adequate security. On the other hand, if you're Osama bin Laden, I'm thinking they'll get your drive to someone who can read reiser partitions.

  28. MOD PARENT DOWN by pbranes · · Score: 2, Informative

    He is just spamming with his amazon account.

  29. Re:News Flash!!! by satanicbyte · · Score: 0

    Well I might on the days that I wear my tinfoil hat (to keep out the mind control waves from Microsoft), but not the rest of the time, ok??

  30. Re:Who needs books!? by Anonymous Coward · · Score: 0

    Busted!

  31. Re:Who needs books!? by bani · · Score: 1

    "Then they use this software tool, which I forget the name of, which is the only tool that holds water in a court of law."

    No.

    It's the only tool they know how to use.

  32. Does Timothy proof his articles? by Anonymous Coward · · Score: 0

    Come on Timothy - let's start proofing those articles:

    The chapter on data hiding was a real eye-opener -- it's amazing the things Microsoft has implemented as part of the operating system (and included applications) that can be used to hide things. Discovering the hidden information is talked about, as well how it is hidden. Sample topics include file attributes, alternate data streams, OLE and stenography - (you mean STEGANOGRAPHY?). This is an excellent chapter with many examples; I found myself stopping after each subject to try out each of the discussed techniques.

    Oh wait, this is /. - we don't proof the articles. :-)

  33. Re:Who needs books!? by Anonymous Coward · · Score: 1, Informative

    EnCase (which by the way supports reiserfs), iLook and SMART are perhaps the three most common drive analysis tools. Don't discount forensics guys, perhaps your local PD might not have a lot of knowledge, but the FBI, Air Force and several other agencies all have labs developing and deploying technology to do digital forensics, and I doubt they're hiring idiots.

  34. Re:News Flash!!! by Anonymous Coward · · Score: 0


    I was going to chide you for whining but then I saw your user number of 828276. So "satanicbyte", sit here on my lap and I'll tell you about how the big boys at slashdot play.

    See, slashdot is a place for grownups. You're almost there, in fact you would have fooled many, but your whining about moderation gave you away.

    For your next attempt at posting remember that the world can be mean. People may not like what you have to say and will mod you accordingly. It happens, deal with it.

    OK? You want some milk and cookies before Uncle puts you down for your nap?

  35. Re:FYI by micromoog · · Score: 1

    Clicking that link or modding the parent post up = making spam profitable. Friends don't let friends support spam.

  36. Re:Who needs books!? by Anonymous Coward · · Score: 0

    Haha. Another elite linux user who thinks he's lightyears beyond the technology of mere mortals like the FBI.

    Whatever kid, good luck collecting all your childporn on that unbreakable paragon of security, Reiserfs. Because no one has even heard of such moon man technology!

    You dink. Chances are quite good that the backend servers in your local PD are running some flavor of unix with XFS. I know this for fact because I install them for a living.

  37. Re:Who needs books!? by thundergeek · · Score: 2, Informative

    That's not entirely true.

    The local Computer Investigation B. has some pretty sophisticated stuff, all their software is used much the same way you described in court.

    There was a case a few years back here where a guy had some files on his linux box that were incriminating. He set a script to do 10 DOD wipes. That's writing 1's and 0's 7 times over the HD, X 10.

    The lab was able to 1:1 the drive, then recreate every file that was saved to the HD since the purchase date.

    My friend runs this lab, he said his record is 15 reformats, and still recovered data. He recently had his first SATA case, he was able to dup the drive, and, since the guy had never reformatted, and was on his first linux install, he had no problems!

    Remember, the NSA can ALWAYS do it, most of the time before hackers can! They in turn hand down the info (as needed) to the FBI, CIB, and finally in the form of books, like this guy did.

    It wouldn't surprise me if SATA has been cracked from day 1 release to the public. And xfs, the same.

    My 2cents worth, take it for face value, it's all I got.

  38. Re:Who needs books!? by Anonymous Coward · · Score: 0

    Mods, look at this, the parent is right, and the grandparent is a karma whore, please shoot it down!

  39. Mod parent up -- top post is copied by Anonymous Coward · · Score: 0

    yeah, I wish I had mod points myself.

  40. Re:Who needs books!? by Anonymous Coward · · Score: 0

    I was going to blow mod points, but i'd rather rant... At my uni. we have a prof who does most of his work on networking and security. He's got a bunch of feelers into the local law enforcement bunch. One of them gets your box, and they give the prof a call. Then instead of being up against John Law and his flat feet you are up against a PHD who gets off on H4x0r!ng your box, and his students who are just itching for reason to play black hat. he'd have that SATA array singing like a canary.

  41. Re:FYI by Anonymous Coward · · Score: 2, Funny

    Fuck you and your harmless self-interest. How dare you try to benefit from others without actually harming them. You make me sick.

  42. Re:FYI by Anonymous Coward · · Score: 0

    How is this spam? He's just providing information and getting a little chunk of it. It's not like he's making numerous redundant posts.

  43. stenography by temojen · · Score: 0, Redundant

    Or maybe you need to type really fast to be able to analyse the system before the evidence is deleted.

  44. Re:Who needs books!? by stew1 · · Score: 2, Informative

    There are all kinds of ways to image a SATA drive. It's a non-issue. Worse comes to worst, we boot your system up in DOS and acquire it via crossover cable.

    EnCase supports Reiser3. I don't know whether Reiser4 is so radically different from Reiser3 that we can't decode the filesystem currently, but I'm sure we could roll it out the door quickly if there was a large need. We've done it for our customers before.

    We can't yet do XFS, but we could still recover quite a bit of data from unallocated. As others have noted, all you need to get an image is good old dd.

    In many respects, savvy forensics investigators are far ahead of most criminals. Police forces band together to create high tech task forces, and they tend to have plenty of budget (e.g. they have their own clean rooms for manufacturing damaged hard drive parts). With all the ways that Windows and most applications leak information, it requires an extreme amount of discipline to avoid littering your hard drive with evidentiary artifacts.

    It sounds like you do need a book.

    cheers,

    Jon

  45. Re:FYI by Anonymous Coward · · Score: 0

    Overstock.com gotcha beat.

  46. Re:Who needs books!? by DnemoniX · · Score: 2, Informative

    That is why any good investigator keeps more than one tool in his kit. Personally I have a bootable windows environment that I custom build for doing work with Windows. And for a system like yours I pop out my handy bootable Linux CD. It is based off of Gentoo and has more than enough bells and whistles to handle reiser or xfs and pretty much anything else you care. If I need something more I tweak the packages and kernel and recompile. Once you have that bit for bit copy you have all the time you need to work on it. And FYI there are many many packages that "hold water" in a court of law. I will also be giving a lecture in December at a nearby university on computer forensics. Funny how arrogant attitudes like that in most cases get you busted when you think you are smarter than those doing the looking.
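    The acquisition that Spoing (#25), stew1 (#44) and DnemoniX (#46) all come back to, "boot off a CD and do a bit copy with dd", is only forensically useful with two things the thread keeps alluding to but never shows: the source is never opened for writing, and the image is proven identical to the source by hash before anyone starts parsing filesystems. The script below is an added example, not code from the book, EnCase or any poster. It assumes the evidence disk is attached read-only (a hardware write blocker, or `blockdev --setro` on a Linux boot CD), that the destination is a separate and larger disk, and that sha256sum or shasum is on the CD. The filesystem type (reiser, xfs, NTFS) does not matter at this step; dd copies sectors, and the filesystem is parsed later, on the copy.

```shell
#!/bin/sh
# Added example (not from the book, EnCase or any poster): sector-level
# acquisition with dd plus hash verification and an acquisition log.
# Assumes: SRC attached read-only (write blocker or blockdev --setro),
# IMAGE on a separate larger disk, sha256sum or shasum available.

hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# acquire SRC IMAGE LOG: copy SRC to IMAGE sector by sector, hash both, and
# append a timestamped record (operator, paths, hashes, verdict) to LOG.
# bs=512 with conv=noerror,sync keeps every sector at its original offset when
# a bad sector is hit (it is zero-filled rather than dropped), at a speed cost;
# raise bs only on a disk known to read cleanly. conv=sync also pads a final
# partial block, which never happens on a whole disk but does on a plain file.
# Returns 0 when the hashes match, 1 when they do not.
acquire() {
    src=$1; img=$2; log=$3
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    src_hash=$(hash_of "$src")                      # read-only pass over the source
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    sync                                            # flush the image to the destination disk
    img_hash=$(hash_of "$img")
    if [ "$src_hash" = "$img_hash" ]; then verdict=MATCH; rc=0; else verdict=MISMATCH; rc=1; fi
    printf '%s operator=%s src=%s img=%s sha256_src=%s sha256_img=%s %s\n' \
        "$ts" "$(id -un)" "$src" "$img" "$src_hash" "$img_hash" "$verdict" >>"$log"
    return $rc
}

# Usage on the boot CD, after attaching the evidence disk read-only:
#   acquire /dev/sdb /mnt/evidence/case42-sdb.dd /mnt/evidence/case42.log
# A MISMATCH means a sector failed to read (dd's error lines are in the log)
# or the source changed between hashing and copying, i.e. it was not really
# read-only; either way the image is not yet evidence.
```

The test below images a constructed 4096-byte file (a whole number of sectors) and expects MATCH, then images a 4097-byte file, where the padding that conv=sync adds legitimately changes the image, and expects the function to report MISMATCH rather than pass it.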

  47. Windows Forensics? by fbonnet · · Score: 0, Flamebait

    Not surprising for a brain-dead OS

  48. Re:Who needs books!? by fubar1971 · · Score: 1

    but against someone using out of the ordinary stuff this guy is screwed. I've got serial ATA drives and reiser4 and xfs file systems. I'm willing to bet that he doesn't have a hardware drive copier that supports SATA. And his software doesn't recognize reiser4 or xfs. He would either need a different tool or he would have to send the drive someone higher up to be examined.

    Man, you just described the exact situation I had happen last year. My Linux email server was compromised due to a vulnerability in squirrelmail/UW Imap. They didn't do any damage that I could find, so I just took the email server off line, and built a brand new one and hardened it. Unfortunately, my boss had to find out, because email was down for 1 day. Since she found out, she wanted me to report it to the Feds. I reluctantly did so. 3 Feds showed up. I handed them the drive, and they made an image of it with the device that you have mentioned. They then tried to use their SW to examine it. Guess what, it only works on WINBLOWS FORMATTED DRIVES. They couldn't see any of the data. They have since stopped investigating the case.

  49. Re:FYI by Anonymous Coward · · Score: 0

    It's UNSOLICITED "information". That's spam.

  50. Re:Who needs books!? by Anonymous Coward · · Score: 0

    Plead the fifth

  51. OS integrated DRM and Stealth "hiding" technique by NZheretic · · Score: 4, Interesting
    Microsoft's planned Digital Rights Management systems are based on the principle of locking the owner of the computer out of the ability to access sections of memory and disk space used by the DRM mediaplayer systems.

    Crackers and hackers always find ways to exploit the code to access or share protected content. There is not a DRM system that has not been cracked within months of widespread release.

    A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus's modifications may go undetected by antivirus programs.

    OS based DRM systems can still successfully lock a user, and any program, even if it is running under localsystem/root privilege, out of areas of diskspace and memory. Microsoft's Media Player, Active-X (used with some DRM protection), Real's realplayer, and even Microsoft's and Sun's Java JVMs, have in the past had remotely exploitable vulnerabilities. Such vulnerabilities offer the malware creator the ability to hide the virus from any antivirus tool or live forensic analysis.

    The DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, it is hidden from any forensic analysis.

    1. Re:OS integrated DRM and Stealth "hiding" technique by Tim+C · · Score: 1

      Crackers and hackers always find ways to exploit the code to access or share protected content... The DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, it is hidden from any forensic analysis.

      Make up your mind. Which is it? Can the code *always* be exploited to "access or share protected content", or can malware hide itself "from any forensic analysis"?

    2. Re:OS integrated DRM and Stealth "hiding" technique by dmaxwell · · Score: 1

      I think what he is trying to say is that malware authors can use DRM "features" to make the investigator and sysadmin's job harder.

    3. Re:OS integrated DRM and Stealth "hiding" technique by Deagol · · Score: 1
      There is not a DRM system that has not been cracked within months of widespread release.

      Somebody cracked the DRM system for DVD-Audio? I'd love to know where that utility is.

      Or does DVD-Audio's encryption system not count as true DRM?

      Serious question. Last time I checked (and I search every couple of months), nobody had cracked it yet.

    4. Re:OS integrated DRM and Stealth "hiding" technique by norkakn · · Score: 1

      Any clue how I can unDRM wmv files so that I can play them on a mac? (The ones that need WMP10, but that anyone should be able to view)

  52. Re:FYI by Anonymous Coward · · Score: 0

    How is this spam? He's just providing information and getting a little chunk of it. It's not like he's making numerous redundant posts.

    Clearly you're new here, and don't remember the days when the first 10-20 posts in any book review were Amazon affiliate links.

    Modding the linker up only supports the idea that people should fill up the discussion forums with "buy the product through MEEEEEE!!!" messages.

  53. Re:Who needs books!? by isometrick · · Score: 3, Interesting

    I think you may be right about the private sector, but I went to a presentation by someone in the Dallas FBI "cyber crime" unit, and I wouldn't exactly call him the cream of the crop. (Not that it means all of them suck) The extent of his comments on analysis was the software they used. Encase was one he mentioned. The presentation included many deterrents to the technologically knowledgeable, with statements such as "Nimda infects web pages." peppering the fairly contentless background. He seemed fairly uninterested in the deep technical aspects of his job ... he snuffed the few technical questions in the Q&A session and indicated that his division didn't have time to delve into deep technical issues.

  54. Re:FYI by Anonymous Coward · · Score: 0

    Just out of curiosity, if the affiliate link doesn't increase the price at all, why doesn't somebody like the EFF set one up so that everyone can post affiliate links to their account? I mean, you'd have to pick an org that most of Slashdot agrees with, maybe Wikipedia or Spread Firefox, but couldn't SOMEONE benefit?

  55. ("Buffalo") Bill Gates replies: by Anonymous Coward · · Score: 0

    YOU DON'T KNOW WHAT PAIN IS!

  56. I have the book by jkitchel · · Score: 3, Informative

    ...and I'd have to say that the review was pretty thorough. I couldn't put the book down when I first got it (which would probably be true for any other self-described nerd on here). Here's the link to the book's web site if you want to read anything about it. There is a sample chapter there, as I'm sure there probably is on amazon or bn.com.

  57. Don't tease us by crisco · · Score: 1

    Is that postmortem available online?

    --

    Bleh!

    1. Re:Don't tease us by grub · · Score: 1

      I'm not sure. I have a spiral bound hard copy, I'll contact the author tomorrow and ask.

      --
      Trolling is a art,
    2. Re:Don't tease us by Johnny+Doughnuts · · Score: 1

      This is worth writing up a Slashdot story for, but don't do http for the file; please make torrents instead, and host it on something like a suprnova torrent tracker. That should take the load.

  58. Re:Who needs books!? by Anonymous Coward · · Score: 0

    bullshit

  59. Re:Who needs books!? by Anonymous Coward · · Score: 0

    The FBI, that organization running mainly on 486s, that FBI?

  60. Re:FYI by Anonymous Coward · · Score: 0

    Apparently the mere act of anyone profiting from something, regardless of whether or not it harms anyone, offends some principle of some slashdotters. This principle is alien to me as I see Amazon referrer linking as harmless and innocent.

  61. Re:Who needs books!? by iabervon · · Score: 1

    I've always wondered how people can claim they can 1:1 a drive that's been rewritten 70 times. I'd believe 1:71, but there's no way the tool could pick the only incriminating cycle out of 71 cycles without recovering all of them to examine. Alternatively, you could try overwriting your incriminating xfs disks with filesystems of non-incriminating images and text, and see if they quit when they find data.

  62. Re:Who needs books!? by stratjakt · · Score: 1

    you mean the FIF!

    --
    I don't need no instructions to know how to rock!!!!
  63. Re:FYI by the_mad_poster · · Score: 1

    That's because you're an idiot and you don't understand the concept behind referrer linking. Since the jackasses that post those links here are only looking to waste space so they can make money, it does not benefit anyone except them to encourage the behavior. If the link had been posted in the article where it was relevant, it would have been acceptable. However, it was posted in the body of messages only as board spam, which is not.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  64. Re:Who needs books!? by Anonymous Coward · · Score: 0

    "He set a script to do 10 DOD wipes. That's writing 1's and 0's 7 times over the HD, X 10.

    The lab was able to 1:1 the drive, then recreate every file that was saved to the HD since the purchase date."

    I don't believe this. Either he wiped the wrong area of the drive, or the story is a scare tactic.

  65. DMCA Vs legitimate security tools AND keys by NZheretic · · Score: 1
    1) The Digital Millennium Copyright Act of 1998 severely restricts the release of any tool which could be used to circumvent DRM technology.

    2) Cracking the DRM code is not the same as cracking the key used to encrypt each item of encrypted content. If the key is not accessible then the content cannot be decrypted without major difficulty. If the virus/malware retains the decrypt key only in DRM OS protected resident memory, then the key is not accessible to the user. Also it is possible to construct polymorphic virus code which encrypts the decode key in the virus startup code.

  66. Re:Who needs books!? by rcamans · · Score: 1

    you mean plead the filth!

    --
    wake up and hold your nose
  67. Re:Who needs books!? by winkydink · · Score: 1

    Serious analysis would take place in the lab in DC, not in the office of some schmuck in the field office cyber-crimes unit.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  68. False claims by Anonymous Coward · · Score: 0
    You're spouting nonsense. Otherwise, provide us with verifiable sources or URLs for your statements.

    Fact is, after a complete format everything is lost.

    Don't create urban myths.

    1. Re:False claims by Anonymous Coward · · Score: 0

      After a format? No, it's not lost.

      After a wipe, maybe. You won't be able to use dd to get the data, but someone with the right tools that tears apart the original hard drive can get the data. Why do you think drives are required to be physically destroyed by melting and/or grinding when used in heavily classified areas?

  69. Re:News Flash!!! by Anonymous Coward · · Score: 0

    Posts can

    have several sentences

    in each

    paragraph

    and still

    be readable. Cunt.

  70. Google DVD-Audio crack by NZheretic · · Score: 1
    You're not looking hard enough.

    The point is that you have a lot of very clever people trying to reverse engineer the code, which exposes code which has often undergone very little peer review. Most of the times this also exposes vulnerabilities in the decoding software, some of which are remotely or locally exploitable.

  71. Re:Who needs books!? by Anonymous Coward · · Score: 0

    Wow, I need to call your friend. If he can recreate every file that was saved to my 20GB HD since the purchase date, I could watch again all those hundreds of gigabytes of porn that I've been overwriting with more porn!

    This is bullshit.

  72. Fear stenography as data hiding method... by JoshMKiV · · Score: 1

    I know, I know, it was a typo... still funny.

  73. Windows Forensics and Incident Recovery forget it by Anonymous Coward · · Score: 0

    This book is dangerous. The first rule of a breach is to bring the system down and back up from an independent source, just in case the program or person who breached it has installed a delete-all program that could be working in the background; a nice way to clean your tracks is to embed a delete-all in Explorer. (Yes, there is at least one person out there who has done this.)

    Knoppix and other Linux disks are great for this.

    If you don't have a backup server, it is your own fault for building networks too cheaply; there is a minimum cost for a network built correctly.

    Also, the backup provides provable evidence if you go to court: this is what the machine looked like on day X. G4u is one of the best tools for this; even Norton's Ghost, if you can afford it, is great too. The required tools to do everything correctly are free. Note that a G4u backup will let someone else, who might have better skills, have a look at the drive after forensics. Note that bringing the system down, even if it is an in-memory thing, will stop the data leak now. Active firewall logging of connections in the Linux firewall box is a good move if you think that it is in memory, as it will provide the required tracking info.

  74. Of Course Misusing the Two Worst Programs by Anonymous Coward · · Score: 0

    I.e. Microsoft Office and Internet Explorer: stop using them and you will be surprised how stable the system becomes.

    I.e. Firefox pre-version 1 (have not tested version 1 yet) has memory leaks; it eats more resources over time, then kills itself, leaving the system intact. A beta program always has problems; Firefox is no different.

    Please note that stopping using Microsoft Office is a lot harder than it sounds; a lot of things load up at startup without you knowing.

    Unstable with this "To ensure that the hardware is as unstable as possible, this runs on a dual P4, with a Matrox and an nVidia card, both dual head for a total of 4 displays - all with a mere 512Mb of RAM."

    No way in hell. Try running a full install of Linux with only 128 megs of RAM on a Pentium 2-based motherboard with a Pentium 3 333 MHz Celeron on it, with 5 LTSP machines hanging off it and two 2 GB drives RAIDed together with software. This is lock-up central; it lives, and everyone has to take the lockups, sometimes 2 and 3 minutes at a time. 256 megs of RAM helped a little, but the processor is way too small, i.e. all programs from 6 users run on the same chip; it kinda hurts. Love to see someone do this with Windows.

  75. Re:Who needs books!? by dexterpexter · · Score: 1

    EnCase is not free to law enforcement, though, and can be quite expensive. As far as networked machines go, this requires the Enterprise edition, which has to be previously installed on the machine.

    iLook, however, is free to law enforcement and government agencies and generates rather nice forensics reports. It doesn't have the same bells-and-whistles feel as EnCase does, but it is free and thus provides a nice tool to budget-strapped law enforcement agencies.

    However, the grandparent post's attitude is one which computer forensics can rely on. As long as people believe they are invincible, then it makes the job easier. They don't realize that, essentially using free tools, you can recover deleted files from their machine and find just about anything, including stuff hidden in slack space.

    Foremost is another free tool which works in file recovery. Very, very nice tool. I would say that last time we used it, we got more information out of it than EnCase, although I am not putting EnCase down by any means.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  76. Re:Who needs books!? by dexterpexter · · Score: 2, Interesting

    Computer forensic analysts are without a doubt some of the most talented people in IT period. Computer forensics is multi-discipline and analysts typically have backgrounds in engineering, programming, criminology, and languages. And why are you assuming that most computer forensics experts are in law enforcement? The best analysts are in the private sector, military, and government intelligence.

    Exactly. From my experience, the forensic analysts I have experience with came from Computer Science and Electrical Engineering backgrounds, and are highly trained. The "average nerds and hackers" fail to realize, sometimes, that the best among them sometimes cross the road to become these top-notch forensics analysts. It is not uncommon to find an ex-blackhat pop up in the private sector years later as a computer forensics analyst. In training, they bring in the guys who were on the "other side" and teach you to think like those guys, so that you can catch them.

    And the tools (iLook--which is free to law enforcement, EnCase, Foremost, etc., etc.) are fairly effective against your average case. Some people do not realize that even NASA has a computer forensics division.

    It is, however, the attitude of being invincible that makes most guys all the more catchable.

    As far as #1 goes, anything that doesn't fit under the Daubert rules of evidence (at least, if there is a good DA involved) will be quickly made null, but programs like EnCase certainly qualify.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  77. Re:Who needs books!? by kelnos · · Score: 1

    Hmm... From the feature list:

    * Mirror Copy -- Simple sector-by-sector copying for all proprietary partition types (e.g. MAC, Linux, SUN, OS6).

    I wasn't aware that Linux file systems were "proprietary"...

    --
    Xfce: Lighter than some, heavier than others. Just right.
  78. Re:Who needs books!? by dexterpexter · · Score: 1

    And if the case is too small they won't bother.

    This is partially true in that most crimes are taken on a "Big fish versus Small fish" basis. This is no different from traditional crime. In the case that a hacker hit a small business with very little effect, it is generally more practical for an incident response team to find out what happened, restore from a trusted backup, and then go about fixing the problem so it doesn't happen again.

    However, if you're trading kiddie porn or decide to peruse your local financial institution or any other institution regulated and required by law to report hacking incidents, I will guarantee that you become a "Big Fish" fairly quickly.

    And the range of forensic tools available to a good forensics analyst is likely to cover most anything you throw at it. You are correct in that local PD cyber crime units are often started by guys who have very little computer expertise and do not initially know how to get forensically-sound evidence. However, free software like iLook and expanded forensics education programs are changing that. And, if you do become a "Big Fish," you can almost bet that the guy assigned to your case knows what he is doing.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  79. Still not true by Anonymous Coward · · Score: 0
    but someone with the right tools that tears apart the original hard drive can get the data. Why do you think drives are required to be physically destroyed by melting and/or grinding when used in heavily classified areas?

    This is just not true. Otherwise we would have infinite-storage drives.

    And the reason they destroy drives is because they don't trust people to reliably wipe them. People forget, use the wrong software, skip a step, etc. If you were 100% sure employees would wipe drives properly, then you could wipe them and allow reuse knowing that no one could recover any useful info from the drives. But people aren't reliable: they're lazy, forgetful and sometimes downright malicious. It's cheaper to destroy the drives.

  80. Caches? by phorm · · Score: 1

    Well, if you're viewing kiddy porn then I'm probably not feeling sorry for you if you're nailed anyhow - however there are other factors. I think the easiest place to get nailed is cache. Either your browser cache or whatever. Unless you're pointing *that* to an encrypted FS (or the whole thing is encrypted, which is super-high overhead) you'll probably have something in there.

    The big problem I see is that you can have such things in your cache without being a pedo. How many pr0n sites advertise lolita pics, and there are fuzzy banners etc. I've had a few times where my normal pr0n-browsing misadventures have ended up with all sorts of interesting popups (moz helps this, mind, but not always)... anything from animals to underage and other types of filth. Even if I haven't viewed it, the bazillion popups it spawns have probably nicely laced my browser cache with all sorts of incriminating crud.

    I've always wondered if those things would be used against you, but it probably depends on how bad they want to nail you or if they just don't like you. Hopefully I'll never have to find out, and lately moz has been doing a good job of blocking the popups.

  81. Re:Who needs books!? by Anonymous Coward · · Score: 0

    When the FBI raids the big warez sites, do you think those are all windows machines?

    You obviously have little to no experience in the underground scene. 99.99% of all computers used for the transfer of "warez" are running some form of Windows. The reason is simple. Hacking a *nix box takes a little bit of work. Hacking a win9X/win2k/winxp box requires little more than locating an IP address and double clicking the "phreak them" icon. Admittedly that Windows box must be unpatched and in a place with large amounts of bandwidth, but how many college students do you know who run Linux?? Or have even heard of windowsupdate, let alone actually run it. The sad fact of the matter is the only Linux boxes that are involved in warez are the boxes the hackers themselves use. Not that I have any idea or have been underground since BBSs ruled the scene.... /Razor 1911 for life

  82. Re:Who needs books!? by Anonymous Coward · · Score: 0

    I'm willing to bet that he doesn't have a hardware drive copier that supports SATA

    I'm curious why you think SATA is so special that the forensics guys wouldn't be able to handle them. SATA isn't some Sooper Sekrit hardware that only Slashdot posters know about.

  83. It's always the same by elh_inny · · Score: 1

    "[...]Sample topics include file attributes, alternate data streams, OLE and stenography.[...]"

    People always confuse these two words,
    stenography - typing fast on a weird machine,
    steganography - information hiding techniques.

  84. Dupe? by np_bernstein · · Score: 1

    Wasn't this posted on Tuesday?

    http://books.slashdot.org/article.pl?sid=04/11/09/202220&tid=192&tid=172&tid=6

    --
    RandomAndInteresting.com: defending the world from stupidity since 1979
  85. Re:FYI by Anonymous Coward · · Score: 0

    Did anybody solicit your post?