Slashdot Mirror
Forensic Discovery
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics.
An image of a pipe by artist René Magritte is on the cover with the caption Ceci nest pas une pipe. ("This is not a Pipe.") The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that often what initially seems obvious is neither real nor correct.
The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book.
The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in an digital investigation.
Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data; Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time.
Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in last 30 years in the way that file systems actually handle data.
Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them.
Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage.
Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier.
The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced, to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
You can purchase Forensic Discovery from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
So crimes arn't solved by old ladies finding a lipstick, some shoes and avoiding being shot!? Thats it! I'm never donating to "Help the aged" again!
I like muppets.
Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators. In the real world, (unlike television, where the crime must be solved by the end of the family hour), crimes are solved with slow, deliberate and methodical steps.
Great. Now the criminals know they probably won't be caught. Good job!
Quincy, M.E.? I was two years old* when that show went off the air. Raise yor hands, Slashdotters, how many of you think of Quincy when you think of forensics?
*http://us.imdb.com/title/tt0074042/
Give a man fire, and you warm him for the night. Set a man on fire, and you warm him for the rest of his life.
Forensic Files is another great show. I guess these types of shows, while still entertaining, cater to those who prefer their gore with a little more grey matter :)
:)
CSI isn't too bad, but compared to ogrish.com, "it ain't shit"
"You're getting brutal, Sark. Brutal and needlessly sadistic."
"Thank you, Master Control"
-Sark and the MCP
Unfair comparison. The whole time issue is all based on pacing. The big time-waster when it comes to forensics is DNA analysis, as that department is generally the department that gets it in the pants when it comes to the budget.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
please
I met a young, single woman who did computer forensics for the police. She told me over dinner that while she thought her work was important, it caused her a lot of stress in her life. She said there were many times where she recovered images from the computer of a sex criminal that were really indiscribable.
She was really good looking and had a body that you normally don't find on a girl geek. But, man, I wasn't about to start dating some chick who comes home from work sobbing from prowling through gigabyes to violent sexual jpegs and avis. I guess that's why someone so damn good looking and smart was still single...
It is based on a true story isn't it? Isn't it!
Not that I would ever have anything to hide, but how safe is data on an encrypted disk, in particular linux encrypted filesystems like this? It seems to me that with a little encryption you would pretty easily foil the efforts of any local forensics people.
I Am My Own Worst Enemy
I remember Quincy quite well, and I'm only 42 (and I like my red sports car very well, thank you).
You're thinking of "Ghandi II: No More Mr. Passive Resistance". I never saw that show but I saw a commercial for it once.
>Where such shows deviate from reality is the
>unrealistic speed at which the actors are able to
>identify, apprehend and prosecute the perpetrators.
What is also unrealistic is that the CSI guys ever see a suspect. The go to the crime and spend the rest of the time in a lab or sometimes in court.
They would never ever talk to a suspect.
My problem with the CSI-type shows is that forensics analysts are more like Quincy, who rarely, if ever, interviewed a suspect or a witness, and got in major trouble when he did.
The "examiners" on CSI do everything except commit the crimes, give parking tickets and prosecute the suspects. If I could do half of what one of them does, I'd be an unstoppable law enforcement agent!
Meow. Now!
In the days of yore the torture was used much leass than people imagine. Just the threat of torture was enough to make people confess. The same goes with forensic science. A cop says: "we have your DNA and we know it's you for sure" and that's enough to make someone confess. And as long as programs like CSI keep airing people will continue to fall for it.
In fact, the fact that forensic science is 90% bull is probably one of the best kept secrets left in the Western world.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Frankly, I don't care. I don't care that in reality it would take 3-4 months to get the DNA processed because of the massive queue of other cases that need DNA processed. I don't care that real-live CSIs would never, ever, ever see a suspect or a crime scene. You can't really do a series that way. I don't have cable or sattellite so I haven't seen the show, but I doubt that even New Detectives goes without showing the suspects.
I like have interesting characters, I like a good story. That's I still read Agatha Christie novels and watch the Poirot mysteries, even though Christie cheated on a regular basis.
Just my $.02
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Gandhi, not "Ghandi." G - A - N - D - H - I.
There are reruns, you know.
Forensics==quincy. CSI is for noobs.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
I especially hate it when (this seems to predominate on CSI, but I've seen it on other shows as well) they "digitally enhance" security camera video to identify an attacker, read a license plate, etc. Usually, I can overlook it for the sake of the plotline every now and again. But, the final straw came for me a few weeks ago on CSI when they had an ATM security cam and the pulled a reflection off of the pupil of the third person in line and enhanced it to ID the criminal (second in line) who was facing away from the camera. They literally took a single grey pixel from the video and "enhanced" it to a beautifully rendered, studio-lit 8"x10" black and white portrait of the criminal.
And, oh yea, if you put deer feces into an NMR, it's not going to spit out a graph with a bunch of peaks on it and print below the graph: "deer feces". On the other hand, I'm not sure which is worse...when they do that with the NMR, or when they NMR identifies 50 compounds in a sample, all with names like "n-methyl hydride deoxynitrate", and the CSI goes, "Oh, yea, those are the major components of plumber's grease that was used between 1970 and 1978 in the Western United States." They might as well have the NMR spit out a graph with a caption: "The bus driver did it! The motorcyclist was only his *accomplice*."
Then, of course, there's the small issue of unlimited budget. If real CSIs solved crimes like they do on TV, they'd be spending somewhere between $15M and $50M per case. :-)
but have you considered the following argument: shut up.
$39.99.
Though, in all honesty, CSI was not the first to do this. IIRC, "Blade Runner" did something like this with the photography enhancement scene.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
The thing I hate most about CSI is when they zoom in on digital photographs or video tapes from crappy security cameras. Sure getting DNA results in 6 minutes is a little bit of a stretch used to get the crime solved in less than 3 months, not presenting evidence that isn't there.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Yup, there's really nothing quite like stumbling upon a crime scene. Looks good, smells good, no nightmares or traumatic flashbacks. So get your Vapo-Rub and 35mm camera and come on down to "Forensic Discovery!"
Phhhht. Spelling Nazi...
Though, in all honesty, CSI was not the first to do this. IIRC, "Blade Runner" did something like this with the photography enhancement scene.
But in Blade Runner, it was cool as all hell, one of the coolest scenes in the movie.
For starting out. (Will they have Phishing For Dummies next?)
One line blog. I hear that they're called Twitters now.
Sounds like she needs some consoling.
Well, it was that "some" in "some consoling" that I wasn't sure about. How much? She's telling me on the first date that she's under tremendous stress. I appreciate her honesty and respect her for that but I suspect that if she feels the need to divulge that on a first date, the level of consoling is likely to be more than "some". That's what I was worried about. To be dating a girl with a face and a body like that who knows her way around computers like a pro and who is doing a job that is clearly a service to mankind sounds like a geek's wildest dreams come true. But therein lies the problem: this is the kind of girl who most of us would fall head-over-heels for. I was afraid of getting really wrapped up in her and then having to endure of heartache of having her crying in my arms once a week or more. Or having her push me away in bed because she had seen something at work that had turned her off of sex for the next two weeks. You can call me an ass or a dumbshit but seriously think about it for a moment. This was going to be a major emotional roller-coaster for me.
I'm reminded of some poor sap here on slashdot who was telling us what it's really like to have a nympho girlfriend. It sounds great until you are presented with the reality of the situation, namely, that she absolutely needed sex every time he put his arm around her. Look, I still think that woman I dated was very desirable on many, many levels but I also think I did the right thing by stopping that relationship before I got sucked into her work as well.
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server.
SATAN was also known as SANTA to those sensitive to sacrilegious references. Also, it's TCP Wrappers.
Hi all,
Noticed that this post was hovering around 30 posts, and so i thought i would toss in some relevent tidbits that are pretty interesting.
I graduated with a CS degree, and now i run a data warehouse, and architect an enterprise java application. Things are going well, but as many of us are aware, it may not be going so well for everyone that just graduated...
case in point - a buddy of mine got a good job out of school, but it isn't great, not like what we all pictured when we signed up in the midst of the boom 5 years ago! About a month ago, an old friend of ours called up and said he had positions available for Forsenic Scientists (paid bank). I kept asking what portion was related to CS or technology, and he kept replying - NONE! The only part is the ability to methodically research details and clues! Can anyone say.... debugging?!
Anyways... i started to think about it, and compared with some of the criminal justice majors i know, CS grads really are more capable to handle that kind of stuff. Just like abstract puzzles, RPGs, and even some of the "lock-picking" articles i have been seeing. Anyone have a simliar tale? Anyone know of a school that has a curriculum that tailors to that kind of profession?
Thanks! ~tim
This poster is totally incorrect. I have served as a computer forensic expert in both civil and criminal cases, and can tell you this poster does not understand the process. For example, the prosection and defense may find an impartial examiner or use two examiners and make two copies of the seized disk or disks. Forensic tools with copy capabilities such as EnCase will make a bit-for-bit copy (including non-allocated sectors, file slack space, etc) of the disks and perform an MD5 checksum over the contents.
I now perform my work on the copy. Any results I obtain can be demonstrated in court, as can the fact that the MD5 hash is the same and that my disk is still identical to the other party's copy.
If chain of evidence is maintained, I should get the disk as it was when it was seized. Once I have it and copy it, it is effectively tamperproof, because of two persons each having a copy, the MD5 hash, additional checksums built into EnCase copy structures AND the fact that we can always recompare our copy to the original to determine it is still bit for bit.
The scientific validity of computer forensic methods can be subjected to a Frye or Daubert hearing, where scientific experts can defend the method. EnCase has already been through these hearings and no credible argument has been advanced against its validity.
If you competent defense counsel or civil counsel, this should not be a concern.
References? Evidence? Even CSI is a better authority in my mind than someone who provides no information to back up his claims. At least I know CSI did some research into making the investigative process look realistic.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
unlike television, where the crime must be solved by the end of the family hour
Have you thought about what you're (implicitly by your implied criticism] asking for?
Which is it you want, an "episode" that lasts three months? A season that consists of the same 20-ish (or whatever number) episodes it does now, only randomly scattered across the episodes in the order in which they "really occurred"? On every scene change, white text on the bottom of the screen that says "[random time period] later"?
It's like asking for "total realism" in science fiction... you are aware that faster than light travel is, at best, totally unproven and most likely completely impossible? (Save the discussion on the possibility of FTL for sci.physics, please, this is just an example.)
So many fan-boy types ask for things that if they got them, they'd hate even more. I for one am glad the characters aren't making constant references to the amount of time something is taken, and I for one am glad that when they dig through an entire day of garbage in Los Vegas, they show about ten seconds of walking around, followed by the necessary discoveries. Are you seriously asking them to show the five or six hours it might have taken in real life? You feel free to watch it, I can guarantee I wouldn't.
You're telling me that it takes longer than an hour to solve a crime? I've been to football games -- I know that what's on the TV is what's actually happening in real time. If it's on the TV, it must be real.
Besides, who wants to watch a show where they uncover one clue a week, or get a subpoena, or nothing happens that week? Surprisingly, people don't want to watch real life when they turn on the TV (and don't even try to say that reality TV has anything to do with real life).
https://www.eff.org/https-everywhere
Robert Morris Sr. once told an audience that cryptanalysts in real life follow the rule "look for plaintext, it shows up in the darnedest places".
F'rinstance: suppose you're in the Middle East but you've carefully stored all your images of women without veils onto an encrypted volume. Suppose you looked at them one day. JPEG files typically open into a web browser. No matter how encrypted your stash was, the images are still sitting in the browser cache.
Today's crypto is as strong as your passphrase(*). Could that passphrase have somehow gotten swapped out? Then anyone who can open your swap file can get the contents of your encrypted volume.
(*) *IF* it's implemented correctly. You can take a perfectly good crypto algorithm and completely wreck its security by using a bad source of random numbers (Netscape), reusing keys (Venona), reusing initalization vectors (WEP), or any of many other errors.
I've got lovely news for you: Unless you are able to watch a computer from the time it is put on the network to the time that removed for evidence collection, you can say *VERY*LITTLE* about what someone may or may not have done with that computer.
Here's a little story from several years back. A friend of mine who was doing deployed support for one of the armed services used an account at a major American university, which he was authorized to used, to download/store updated cisco images due to limited bandwidth contraints at the tip of the spear where he was working. Well, as it turns out that particular university's computer systems was {c,h}acker infested (due to a certain VIP's daughter attending that institution at that particular point in time). His password was sniffed (this was in the days when ssh was not that wide spread) and his connections to that university's computers were hijacked on a fairly regular basis (he thought his lousy connections were due to all the sat. hops his packets were taking to get from ship to shore).
Well, about 6 months after this started, he got a little visit from a few "computer crime investigators". The experience was enlightenting, but not in a positive way. After he was presented with the "evidence", which consisted of bogified last log... I'm sorry, there is no host called swedish.chef.bork.bork.bork), he told the investigators that he felt that his telnet sessions might have been hijacked and he was told "that is only a theoretical attack and is not possible". The investigators then proceeded to tear his life apart (forced out of a job, seized all his work tools, searched two residences including one belonging to a foreign national for which they had neither permission or a warrant, froze his savings, initiated a tax audit, got him kicked him out of his house, interviewed family, friends, coworkers, boss/boss' boss telling them that he was a criminal about to be put away for a very long time, etc.) It took him almost 10 years to recover from the ignorance of some LE investigator turned "computer investiagor" who thought telnet session hijacking was "only theortical" because he didn't realize that hunt and jugernaut hand been in wide distribution among the cracker community 10 months prior to the investigation. The "forensics" that were used is this investigation were nothing short of fraud. I believe that computer forensics investigators should be bonded and licensed so that they can be sued into oblivion in the event of malpractice.
So, the next time your are forced to interface with *ANY* "computer investigator", remember, that nothing they say, do or "discover" has anything to do with reality/"The Truth"(tm), so much as it has *EVERYTHING* to do with what they think they can get away with in court with a jury of your "peers".
This is a tradition going back to "Columbo" - where there were at least five episodes whose outcome was determined by six-foot-tall blowups of low-quality photographs, and the amount of detail not only didn't get worse, it became MUCH better, in the blown up pictures.
Isn't that why we have those
"MONDAY 11:30AM"
captions on almost each scene? Doh? I remember reading one that said "TWO MONTHS LATER" on Law&Order. Again, i didn't RTFA, but I think the article submitter should be clearer on what he means by "fast".
DoctorMabuse,
:). One of my customers is large enough to have their own copy, and access to iLook if needed.
:)
I also use EnCase when I do forensics work, and prefer the SHA-1 hash features in it
However, the procedural work that has to be done before an evidence disk gets into my hands is just as, if not, more important than the actual evidence. Even when it comes to log files, I have to follow a very firm set of procedures, starting with the md5 checksum of the files, before I even start. I also have to only work on the copies.
However, I like EnCase for one other reason. They'll provide their own experts for you if required in your case. Even though the file system analysis is not as complete as iLook in some regards, it's still a really good product that provides the whole package.
And, EnCase Enterprise Edition can examine live systems now
I always roll my eyes when they find an unknown body and they say they'll "identify it through dental records." Sure, if you think you've found Joe Schmoe's body, you can get Joe Schmoe's dental records and see if they match the unknown body. But if all you have is an unknown body, it's not like you can enter its dental info into some giant dental database and come up with an ID.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
Yeah, but since Blade Runner is science fiction I think we can be a bit more forgiving. Who knows just how much resolution that little photo had anyway?
for the slashdot crowd (no offensive, please), people don't watch shows or movies like this for educational reasons. they are dumb, they like things dumbed down. christ, we work in an industry that equates technical knowledge with sorcery. trying to argue the validity of CSI or any other "forensic" show is pointless...people just don't know enough about IT to make informed decisions...nor do they care. so why not just pat yourself on the back and be happy that their ignorance equals your job security? trying to explain why something isn't feasible to non-IT people is like trying to break the news that Santa doesn't exist to a child. it just won't sink in for a long, long time.
people are dumb, television proves that.
It's called a series of copper wires coiled about all my harddrives connected to a power supply. When it hits the fan or my case is opened improperly then the circuit is completed and the giant electromagnet is made around every HD. Might not have the flash of burning platters, but I would love to see somebody try to recover a single disk inode pointer from that massive magnetic scrambling.
Finer details to ensure total cleansing left out, but it isn't hard to guess when you have the basic concept.
So you insert your planted evidence before making a copy or hash mark for comparison then send it out to be verified by another source that your planted evidence was there.
This vindicates you how exactly you crooked piece of filth?
You just don't like your line of work's dirty laundry being aired, you are all about making prosecution numbers and getting kickbacks. You are anti-justice...if you are even telling the truth about your alleged line of work history.
You do know that experts have been recommending against using MD5 for security for almost a decade now, right?
Is anyone else disturbed that santa is an anagram for satan?
The Economic Crime Institute was created to support Utica Colleges Economic Crime Investigation (ECI) bachelors degree. Utica College has been the North American leader in economic crime study since 1988, when the ECI major was first offered.
http://www.ecii.edu/education.html
The Dutch police has a huge database of all kinds of (child pornography) pictures. Of each picture they have a hash. When they confiscate the pc of somebody who is suspected of having child pornography, the first thing they do is run the hashes against the pictures on the system. This saves them from having to look at all those pictures, they can now focus on the unknown ones. Great thing is also that the hashes are admissable in Court as evidence.
Use Adsense for Charity
The focus of computer forensics is twofold: first is the attempt to determine whether a breach has occurred and to stop the perpetrator; second is prosecution of the offender, if the breach was a criminal activity.
Computer Forensics does not always involve "breaches". The field is far larger than looking into some hacked host. It often is used where there is no hacking or trespass involved. Typically in determining the use of IT with traditional crimes.
That would be from UHF, the comedy from Weird Al Yankovik. Funny stuff. Funny, funny stuff. I would whore and post an Amazon link or an IMDB link, but why? I have faith in your ability to find it. Alos look for the Conan send-up, the "Badges? We don't need no stinkin' badges!" spoof, and my favorite: Spatula City! Truly a cult classic. Do yourself a favor and buy/rent this puppy. I found it at Wal-Mart (*gasp*! The Horror!) for $10. Worth every penny.
is it that bad seein a hot chick again? if i see a hot chick walkin down the hall i dont say "repost"
god forbid you suspend belief for an hour
and pretend the earth is flat
just shut up and enjoy, plenty of cute guys/chicks
I used to work at a company where one of the products was the software that produced those hashes (and also scanned networks for the material). There was an isolated room full of people who had to sit all day preclassifying the stuff.
Someone, somewhere, has to look at it in order to judge it.
I wish people would talk about the work of The Grugq who got fired from @stake after publishing an article in Phrack Magazine. He will be talking in Jakarta, Indonesia at BCS2005 in March, Blackhat Singapore and Amsterdam in in April. (and he will probably never speak in USA because he embarasses and ridicules the profession and ... the FBI.
Depending on the hash method, can't different strings/files sometimes result in the same hash?
I'd assume that if you nailed somebody with 10+ hashes you've got them, but 1-2 matches might be false positives?
Also on the hash front, wouldn't any simple alterations to the file (format conversion, brightness/contrast adjust, resize, etc) break the hash? Perhaps even an "echo 1 >> somefile" would kill it?
Useful, certainly, but likely with some flaws/pitfalls.
Although your post was informative an insteresting, it doesn't really address the grandparent's issue. Although the procedure you describe will certainly gaurd against tampering by the examiner, what's to stop the police from tampering with the files on the disc before handing it over to you? Or, as he mentioned, why couldn't they just insert files using their keylogging software (as the grandparent suggests). By the time you, the forensics expert got the disc, it would already have the files on it. Although your analysis would be correct, and agree with the second expert, evidence tampering clearly took place, and false evidence could be admitted.
This is the same as if a police officer planted marijuana at a crime scene. Although a forensics expert could tesity that is was real marijuana, and the expert did not tamper with it, it is still a plant (no pun intended).
Stupid like a fox!
After reading the review of Dan Farmer and Wietse's Forensic Discovery, you should hear about The Grugq who got fired from @stake after writing a Phrack Article in which he exposed numerous flaws in The Coroner's Toolkit by Dan & Wietse. Before you read this book, check out the video (bittorrent) of The Grugq on The Art of Defiling and see how to defeat "industry grade" forensic tools and techniques . You can also meet him at a hacker convention near you (in March at BCS2005 in Jakarta, in April at Black Hat in S'pore and Amsterdam and at HITB2005 Bahrain.
I am in New York City. Does anyone know of any courses or programs where one can learn about computer forensics?
Thanks,
Adam