Alternative Browsers Impede Investigations
rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
As a criminal defense attorney specializing in computer crimes, I can say authoritatively that the investigators are typically poorly trained. Most that I have dealt with are not IT or CS degree holders. In fact, the norm is for it to be a police officer who has taken a 2-week course in EnCase, nothing more. Their knowledge of operating systems is lacking, to say the least. Of course, this can result in some poor schmuck being convicted for something he didn't do, both because the cops don't know any better, and the juries (who typically take the word of the police as gospel down here in Arizona) know even less and rely on the uninformed testimony of law enforcement.
If you're using Windows (2000/XP Professional), right-click on the directory you want to encrypt. Then select Properties; on the General tab click Advanced and tick "Encrypt contents to secure data".
There you go, transparent encrypted directory.
Also, Truecrypt is capable of encrypting stuff too.
Here's the best part - "One specific challenge with Firefox and Opera is identifying which Web addresses have been entered manually as opposed to having been clicked on in a hyperlink"..
C'mon.. any advanced porn^H^H^H^H surfer knows to go to Google, enter the URL and click through Google's URL. That way you don't have a suspicious empty dropdown bar, and you can simply delete the URL (and Google's search URL) from the history and, for all intents and purposes, you never went there (just dump the cache).
I guess these guys were never married. Simply having an attentive wife teaches you that Fed-defeating trick. The location dropdown bar and autocomplete can be a lot of trouble.
Heh
Oh come on, it's nearly impossible to find the URL history! Ctrl-H is a very, very complex cracking method.
Digital forensics is performed offline. You don't run the browser software to read its history.
However, I fail to see how this would create problems for law enforcement. Most of the interesting data is readily available. And the data formats haven't changed that much since the days when Netscape was the dominant browser.
From Apple's website:
"Using Safari's new Private Browsing feature, no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It's as if you were never there."
Or in Mac OS X, go to System Preferences, click on the Security button that looks like a house with a padlock dial on it, then click the button that says Turn on FileVault. It'll take probably an hour to encrypt your hard drive with 128-bit encryption, depending on computer speed and hard drive size, leaving you with a transparent encrypted directory.
moox. for a new generation.
site /.-ed.
google cache: http://66.102.9.104/search?q=cache:JMB0PlWzQEUJ:www.danaquarium.com/article.php%3Fstory%3D2005020905 570523+
I find it hard to place much credence in that article.
One of my students is an Indiana State Trooper undergoing computer forensics training. Since he's enthusiastic about his classes, I get to hear about what he's being taught at all his Homeland Security-sponsored courses.
And it turns out that he's learning some pretty complex things, at least as far as examining the contents of hard drives. He has programs that can analyze Windows or *nix systems with a good level of accuracy. He talks about looking at partition tables to ensure that the drive geometry matches the size of formatted space on a hard disk, and how to poke around in unpartitioned space or oddball filesystems or file types with a hex editor. He can dissect the contents of Linux or Windows swap space, and he's fairly unperturbed about sitting in front of unfamiliar operating systems on PC or Apple hardware.
Granted, that's one guy, but he's not really a computer nerd, just someone who has been taught to do computer forensics work. And given that he seems fairly competent, I don't think something like a Firefox History would hinder him much at all.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
(this is satire. don't believe anything you read on the internet)
I was conned by an old man in a cloak. It turns out those *were* the droids I was looking for.
killing mice, performing experiments on them, western blots and such, in other words hard core terrorist activity...
IE stores multiple copies of a history. Some get removed when you clear your cache. Some do not.
This little program is freeware and makes it extremely easy to see exactly where someone has been on IE, even after they have clicked the buttons to clean everything out.
http://www.talkaboutshareware.com/group/alt.comp.freeware/messages/316790.html
To see where someone has been in Firefox or Opera, there is no cool little freeware app that I know of. If you open Firefox's cache folder, you'll see at the top of the list some files named _cache_001_, _cache_002_, etc. That is where the history is. Just open it in notepad and get your "page down" finger ready. There's no need to create some nifty little program if you can easily read it in notepad.
Clearing the cache in other browsers actually clears the cache. Clearing the cache in IE does not clear all histories. Hence the reason why programs like WindowsWasher exist.
The problem law enforcement actually runs into is that they can't find the secret hidden history in Opera and Firefox like they can with IE because it doesn't exist.
Want to step up your privacy another notch? Install a freeware ramdisk and put your cache in it. If the computer loses power, POOF all the cache is gone. It speeds up browsing as well since it's faster to delete files during a normal cache cleanup from ram than from the drive. The only downside is that you're limited to 32 or 64 meg in windows. Don't know how big it can be in *nix.
Actually it does suck, and I say this as an OS X fan. I don't want my home directory encrypted. Why should I encrypt my mp3s and photo collection? But I do want the option of encrypting a folder. The amount of data that really needs encryption is tiny compared to the amount of stuff on my hard drive.
Hide a Linux laptop with wireless in a closet somewhere and use VNC to access it. Hell, just use a disk on your neighbour's WLAN.
You can find clues of these things though. Look at the vnc history, try pinging the broadcast address on the subnet, look in the arp cache, see if there are clues in the registry that another drive was mounted.
I suspect it would be very hard to thwart a computer forensics expert, but I'm sure the VAST majority of petty criminals can be caught by someone with a week's worth of training.
Yeah, it happened at work, and it was not pretty.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Yes, but if you really don't know how to access the data, you can:
Repeat until you have the information you need.
It's not guaranteed, but you should be able to retrieve most if not all the data using this means.
And it's not like they need to have hundreds of programs. How many browsers out there? 10?
How many countries in the world? How many law enforcement officers?
Come on. Talk about a problem.
Yep, you're right zerblat. I went to search.cpan.org and did a search for Mork. And I have to agree law enforcement couldn't possibly come up with a Perl prog like this one:
------------
#!/usr/bin/perl -w
use strict;
use File::Mork;   # CPAN module that parses Mozilla's Mork format (history.dat)

# Open the history file from the current directory;
# on failure File::Mork leaves the reason in $File::Mork::ERROR.
my $mork = File::Mork->new('history.dat', verbose => 1)
    || die $File::Mork::ERROR . "\n";

# Each entry is a hash of column name => value (URL, Hostname, LastVisitDate, ...)
foreach my $entry ($mork->entries) {
    while (my ($key, $val) = each %$entry) {
        print "$key = $val\n";
    }
    print "\n";
}
------------
BTW, I do realize that your post was sarcastic... as is this one.
Works perfectly if run in the same directory as history.dat and produces output like:
ID = 388D
URL = http://www.google.com/
Hostname = google.com
LastVisitDate = 1125064549
FirstVisitDate = 1125064549
Name = Google
It should be left to guru perl coders making $500,000/yr or more to do fancy things like convert timestamps to dates.
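For readers who would rather not install a CPAN module, here is an added example (not part of the thread, not File::Mork, and not Mozilla's own parser) that reads the same history.dat layout directly in Python and does the "fancy" timestamp conversion too. It handles the Mork subset that history.dat actually uses: the column dictionary, value dictionaries, rows whose cells either point at dictionary entries or carry literals, `$xx` and backslash escapes, and the UTF-16LE page titles. It ignores Mork transaction groups and row removals, so treat it as a triage tool. The SAMPLE text is constructed to match the format, not a captured file, and the assumption that values above 10^11 are PRTime microseconds (while File::Mork's output above shows seconds) is a heuristic.

```python
"""Minimal reader for Mozilla "Mork" history.dat (Mozilla Suite / Firefox 1.x).

Added example for this thread; not File::Mork and not Mozilla's own code.
Subset handled: column dictionary, value dictionaries, table rows with
referenced or literal cells, $xx / backslash escapes, UTF-16LE titles.
Not handled: transaction groups (@$${...}) and row removals.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the layout Firefox 1.x wrote (not a captured file).
SAMPLE = r"""// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
  (80=ns:history:db:row:scope:history:all)
  (81=ns:history:db:table:kind:history)(82=URL)(83=Name)(84=Hostname)
  (85=FirstVisitDate)(86=LastVisitDate)(87=Hidden)(88=VisitCount)(8A=ByteOrder)>

<(80=LE)(81=http://www.google.com/)(82=G$00o$00o$00g$00l$00e$00)(83=google.com)
  (84=1125064549000000)(85=http://www.example.org/login?u=bob)
  (86=e$00x$00a$00m$00p$00l$00e$00)(87=example.org)(88=1125070000000000)(89=3)>

{1:^80 {(k^81:c)(s=9)}
  [1:^82(^8A^80)]
  [2(^82^81)(^83^82)(^84^83)(^85^84)(^86^84)(^88=1)]
  [3(^82^85)(^83^86)(^84^87)(^85^88)(^86^88)(^88^89)(^87=1)]}
"""

# "//" starts a comment only at line start or after whitespace, so "http://" survives.
COMMENT = re.compile(r'(?m)(?:^|(?<=\s))//.*$')
COLDICT = re.compile(r'<\s*<\(a=c\)>(.*?)>', re.S)          # column-name dictionary
VALDICT = re.compile(r'<((?:\\.|[^\\>])*)>', re.S)          # value dictionary
CELL = re.compile(r'\(([0-9A-Fa-f]+)=((?:\\.|[^\\)])*)\)', re.S)
ROW = re.compile(r'\[(-?)([0-9A-Fa-f]+)(?::\^[0-9A-Fa-f]+)?(.*?)\]', re.S)
# (^col^valueid) references a dictionary value, (^col=literal) carries one inline.
ROWCELL = re.compile(r'\(\^([0-9A-Fa-f]+)(?:\^([0-9A-Fa-f]+)|=((?:\\.|[^\\)])*))\)', re.S)
HEX = set('0123456789abcdefABCDEF')


def unescape(raw):
    """Decode Mork's $xx hex escapes and backslash escapes into text.
    Titles are stored as UTF-16LE (every other byte $00); detect that via NULs."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == '\\' and i + 1 < len(raw):
            if raw[i + 1] != '\n':            # "\<newline>" is a line continuation
                out += raw[i + 1].encode('latin-1', 'replace')
            i += 2
        elif c == '$' and i + 2 < len(raw) and set(raw[i + 1:i + 3]) <= HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out += c.encode('latin-1', 'replace')
            i += 1
    data = bytes(out)
    if b'\x00' in data:
        return data.decode('utf-16-le', 'replace')
    return data.decode('utf-8', 'replace')


def parse_history(text):
    """Return one dict per table row, keyed by column name (URL, Name, ...)."""
    columns, values = {}, {}
    text = COMMENT.sub('', text)

    def collector(store):
        def grab(m):
            for cid, raw in CELL.findall(m.group(1)):
                store[cid.upper()] = unescape(raw)
            return ''                         # drop the dictionary from the text
        return grab

    text = COLDICT.sub(collector(columns), text)
    text = VALDICT.sub(collector(values), text)
    rows = []
    for sign, rid, body in ROW.findall(text):
        if sign:                              # "-" removes the row from its table
            continue
        rec = {'_id': rid.upper()}
        for col, ref, lit in ROWCELL.findall(body):
            name = columns.get(col.upper(), col)
            rec[name] = values.get(ref.upper(), '') if ref else unescape(lit)
        rows.append(rec)
    return rows


def to_utc(stamp):
    """history.dat stores PRTime microseconds; accept seconds too.
    Assumption: anything above 10**11 is microseconds."""
    n = int(stamp)
    if n > 10 ** 11:
        n //= 10 ** 6
    return datetime.fromtimestamp(n, timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')


def timeline(rows):
    """(last_visit_utc, url, title, visit_count) per row with a URL, oldest first."""
    out = []
    for r in rows:
        if 'URL' not in r:                    # e.g. the ByteOrder meta row
            continue
        out.append((to_utc(r.get('LastVisitDate', '0')), r['URL'],
                    r.get('Name', ''), int(r.get('VisitCount', '0') or 0)))
    return sorted(out)


if __name__ == '__main__':
    for when, url, title, count in timeline(parse_history(SAMPLE)):
        print(when, url, repr(title), count)
```

Run it against a real history.dat by replacing SAMPLE with the file's contents read as latin-1; the output is the same URL/Name/Hostname/LastVisitDate set the Perl script prints, just with dates and sorted into a visit timeline.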
I guess it's a good thing that there are no tools available for Windows that auto-clear IE history, cookies or cache files! What would law enforcement do??
You do realize that the 'cat' in this case is redundant, right? Grep will open files you specify, as follows:
grep '=http://' history.dat
No cat necessary.
/. zen: Imagine a Beowulf cluster of Beowulf clusters...
The article doesn't say that.
There are professionals at the police that don't know a bit from a byte and thus don't ever research those things. They're paid for reading through the outcome of automated searches, to solve many cases. They pay money to others to make the searchability happen.
The others realise that adding firefox to the list would double the complexity (possibly slightly more) and add a 4% increase in computers they can research. Offset by the fact that most criminals don't know that there is a thing as firefox, why would they care?
Hence this "article" which doesn't tell you anything but the bleeding obvious.
Signed, somebody who had his last day at the digital police education center (dunno the English name) last Monday.