Slashdot Mirror
Alternative Browsers Impede Investigations
rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher
You would think since Firefox is open-source, it would be a trivial matter to determine the format of the cache files by examining the source code.
http://www.theregister.co.uk/2004/01/28/a_visit_fr om_the_fbi/
A visit from the FBI
By Scott Granneman, SecurityFocus
Published Wednesday 28th January 2004 13:05 GMT
[snip]
I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.
Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.
I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.
It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
[snip]
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
[snip]
It's the silliest thing I've read about non-IE browsers, and how they're BAD since I read this one.
This is NOT a joke. I have dealt with some state police "computer forensics" people that were little more than a rookie cop with a "Computer Forensics for Dummies" book under their arm. It was THAT bad. They used undelete utilities and such to get a file off of a ZIP disk. Wowee. They are given virtually unlimited budgets and permission to buy practically any computer item, all in the name of security...but you can't change the fact that they are LEJA majors, not CS majors.
In some states, parole for sex offenders can require that they don't look at pornography.
Their parole office will drop by periodically and check their PC. They have some sort of forensic software that does this.
I've heard some jurisdictions require that you only run Windows on your computer as a condition of your parole. Logically this translates to going back to prison for owning a knoppix cd.
There simply aren't the resources to train all parole officers in computer forensics, expose them to various obscure operating systems, or to perform regular offline analysis of offenders hard drives.
The resources are (probably) there for big cases, but when there are probably close to half a million sex offenders on parole - it's just not practical.
I teach both networking and computer security. In my classes I have had personal experience with "Computer Crime Investigators". Most of them are officers who have gone to $20-50,000 (not exaggerating) worth of training in a few weeks that they don't understand, got a few "law enforcement only" utilities (Knoppix has better tools) that they can run. They are no better at understanding technology than your average office user. If they can't click a button in their tools and have all of the evidence discovered, analyzed and spit out in a non-technical report - they generally won't get much. Add a sprinkle of encryption and they are baffled. There are those who are quite skilled, but as with most things - they are few and far between.
For example: I have a friend who works in IT for a law enforcement agency. He constantly gets calls from their computer forensics specialist asking for help on why his station won't boot. Usually it's because he overwrote his boot sector while ananyzing a drive (I don't understand either).
Unfortunately the prevailing opinion is that teaching a street cop technology is easier than teaching a tech the intracate details of law enforcement. The higher ups don't realize that any IT persons job is basically an daily investigation. I think the answer is to pair up the two, but again, none of these agencies has asked me.
The problem is that Mozilla uses Mork to store the history, and Mork databases are more or less impossible to extract usable data from. So you don't really have much of a choice ;)
Please alter my pants as fashion dictates.
I spent 2 years doing electronic crime analysis, and as all law enforcement, the pay and conditions suck. Lack of resourses and lack of understanding the requirements to constantly update skills/knowledge adn training (from the non-technical bean counters ) make life difficult. Add this to report writing and presenting evidence in court to clueless laywers and all in all you have a shit-house job. But on the plus side, chicks dug it !!
If you are using windows (2000/XP Professional, 2003, Vista), and your a digital forensics professional, and you come accross 'encrypted' NTFS data that has been encrypted using the parents encryption method, do the followign.
... in a few minutes you should be done.
Right click the directory you want to un-encrypt, select properties, security, and press teh advanced button.
Select the 'Owner' tab, then add your user account and administrator as owners. Remove all other owners.
Check Replace owner on subcontainers and objects
Switch the the Permissions tab and select 'Replace permission entries on all child objects with entires shown here that apply to child objects'
Select 'OK' and go grab a doughnut...
I'm honestly not trying to aid would be 'hackers' or anything. I mostly just worry people use windows encryption thinking it's useful if their system has been compromised. It's not...
There is actualy a MS KB article out there that explains this process a little better then I did but I'm a bit lazy today.
Firefox is OPEN SOURCE! That means the file formats are OPEN. Microsoft IE is CLOSED SOURCE, meaning you need to reverse engineer everything to figure out where stuff lives.
That said, I wonder what would prevent someone from creating a wireless fileserver and embedding it behind their drywall. Using an NFSmount or Share, an evildoer's PC wouldn't hold anything evil when the FED's nabbed it.
Realistically I bet it would though - They can do some pretty amazing things with Forensics these days, and I wouldn't be surprised if they could take a ram chip and see previous states of 0's and 1's.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
I work in computer forensics and it isn't that goddamned hard to develop tools to process different kinds of databases, encrypted or otherwise. Besides, I'm certain that if it were in the interests of "National Security", Federal investigators could get ensure cooperation between developers of FireFox or Opera and the contractors who actually do the forensics work.
All you have to do is play "follow the money" and it quickly sounds like Micro$oft is using the God-and-Country argument to win by default the Second Browser War. Considering how invested Micro$oft has been in the US Justice Dep't. (one of former USAG John Ashcroft's biggest campaign contributors and still heavily involved to this date) it would be unsurprising if they were the ones pulling the strings on the issuance of a statement like this.
What ought to happen is for the Dep't. of Homeland Security to proclaim Internet Explorer as the single largest cause of "electronic terrorism" because of Micro$oft's half-assed security measures.
That'd shut them up real quick...
Even worse, those non-IE browsers make it really hard for police to install spyware and keylogging software on the user's computer. With IE, they just insert a little bit of code into any web page and they are done, but Opera and Firefox put up obstacles to that kind of legitimate law enforcement activity! Evil! Terrorism!