Slashdot Mirror
Alternative Browsers Impede Investigations
rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher
You would think since Firefox is open-source, it would be a trivial matter to determine the format of the cache files by examining the source code.
http://www.theregister.co.uk/2004/01/28/a_visit_fr om_the_fbi/
A visit from the FBI
By Scott Granneman, SecurityFocus
Published Wednesday 28th January 2004 13:05 GMT
[snip]
I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.
Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.
I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.
It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
[snip]
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
[snip]
It's the silliest thing I've read about non-IE browsers, and how they're BAD since I read this one.
This is NOT a joke. I have dealt with some state police "computer forensics" people that were little more than a rookie cop with a "Computer Forensics for Dummies" book under their arm. It was THAT bad. They used undelete utilities and such to get a file off of a ZIP disk. Wowee. They are given virtually unlimited budgets and permission to buy practically any computer item, all in the name of security...but you can't change the fact that they are LEJA majors, not CS majors.
In some states, parole for sex offenders can require that they don't look at pornography.
Their parole office will drop by periodically and check their PC. They have some sort of forensic software that does this.
I've heard some jurisdictions require that you only run Windows on your computer as a condition of your parole. Logically this translates to going back to prison for owning a knoppix cd.
There simply aren't the resources to train all parole officers in computer forensics, expose them to various obscure operating systems, or to perform regular offline analysis of offenders hard drives.
The resources are (probably) there for big cases, but when there are probably close to half a million sex offenders on parole - it's just not practical.
I teach both networking and computer security. In my classes I have had personal experience with "Computer Crime Investigators". Most of them are officers who have gone to $20-50,000 (not exaggerating) worth of training in a few weeks that they don't understand, got a few "law enforcement only" utilities (Knoppix has better tools) that they can run. They are no better at understanding technology than your average office user. If they can't click a button in their tools and have all of the evidence discovered, analyzed and spit out in a non-technical report - they generally won't get much. Add a sprinkle of encryption and they are baffled. There are those who are quite skilled, but as with most things - they are few and far between.
For example: I have a friend who works in IT for a law enforcement agency. He constantly gets calls from their computer forensics specialist asking for help on why his station won't boot. Usually it's because he overwrote his boot sector while ananyzing a drive (I don't understand either).
Unfortunately the prevailing opinion is that teaching a street cop technology is easier than teaching a tech the intracate details of law enforcement. The higher ups don't realize that any IT persons job is basically an daily investigation. I think the answer is to pair up the two, but again, none of these agencies has asked me.
The problem is that Mozilla uses Mork to store the history, and Mork databases are more or less impossible to extract usable data from. So you don't really have much of a choice ;)
Please alter my pants as fashion dictates.