Slashdot Mirror


Windows Forensic Analysis

Don Wolf writes "Computer forensics is a rapidly growing discipline and an even faster growing business. Whether it's the natural progression of technological science pertaining to crime or perhaps the digression of a few elite information security professionals, computer forensics is ever so slowly gaining credibility in the otherwise PhD dominated field of criminal science. Computer evidence continues to be showcased in some of the most high-profile and controversial court cases in history, from the murder case of Laci Peterson to the multi-billion dollar Enron scandal. Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice." Keep reading for the rest of Don's review.

Windows Forensic Analysis DVD Toolkit
author: Harlan Carvey
pages: 416
publisher: Syngress
rating: 9
reviewer: Don Wolf
ISBN: 9781597491563
summary: Incident Response and Cybercrime Investigation Secrets

While on the road to computer forensic enlightenment I realized early on that many parallels existed between computer forensics and incident response. A number of great authors have published books on incident response, one of which is a gentleman by the name of Harlan Carvey. So when a friendly but cleverly personalized bookstore email rolled in with Harlan's newest book showcased, I thought it might be worthwhile to see what he's been up to.

The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.

Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated to FAQs, as well as "tools and traps".

Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.

I've heard a lot of praise regarding this book's chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be misled into believing that it is the crux or single focus of the book; it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight; however, I found the book to be almost equally weighted chapter by chapter.

I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence; however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to being purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.

Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as described, a rarity given the many possible computer configurations; just the same, the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.

If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principles and ethics of computer forensics, I highly suggest starting with this book.

You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com.


  1. Lots of online stuff too by BadAnalogyGuy · · Score: 2, Interesting

    I stumbled across this guide to deconstructing a C++ exception.

    http://blogs.msdn.com/slavao/archive/2005/01/30/363428.aspx

    Lots of this is applicable to any platform, not just Windows.

    1. Re:Lots of online stuff too by Jansingal · · Score: 1

      there is soooo much available FREE online.... why buy books?

  2. Oh... by heteromonomer · · Score: 1, Funny

    Looking at the title I thought it's about forensic analysis of why my windows died.

    1. Re:Oh... by Afrosheen · · Score: 3, Funny

      That baseball might be a good clue, let's investigate that first.

  3. I don't have any experience in this myself. by Paranatural · · Score: 5, Funny

    However I did have a friend who ended up working for the feds 'Internet Crimes Division'. I.E. Child Porn. There are a lot of neat tools out this, write blockers and whatnot.

    However, what I am really writing to say is that people used to ask him what he did for a living, and he'd respond:

    "Oh, I'm in the child porn business."

    Guys who are in that line of work tend to have rather dark senses of humor :)

    1. Re:I don't have any experience in this myself. by s_p_oneil · · Score: 1

      Given how agents occasionally get into the business they're investigating (i.e. CIA agents running drugs and that sort of thing), he may not have been joking.

    2. Re:I don't have any experience in this myself. by gardyloo · · Score: 4, Funny

      That's a rather touching story.

            Oh. Waaaaiiiiitttt.....

    3. Re:I don't have any experience in this myself. by antdude · · Score: 1

      Why don't you have a seat over there? [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re:I don't have any experience in this myself. by gardyloo · · Score: 1

      Why don't you have a seat over there? [grin] I do, and one over there, and over there, and . . .. Hey, Billy. Do you like gladiator movies?
  4. The problem is the WHO that is doing the analysis by Anonymous Coward · · Score: 1, Informative

    Most of the time, the person doing the analysis is the crooked cop who placed the bogus "evidence" on the computer in the first place, or the same person who is then going to try to "find" that "evidence" in a laboratory situation.

    Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

    --Signed... an unfortunate victim of a crooked cop who planted bogus evidence on my computer systems after perjuring himself on affidavits to get search warrants for them... who was never held accountable for that perjury even though it was blatant, and would have been obvious to anyone who had bothered to read it... showing clearly that the judge did not bother reading all 27 pages... again.. the fact that it was 27 pages was so that the judge WOULDN'T bother to read the whole thing.

    Exactly that type of nonsense can be found in nearly every piece of paperwork filed by any prosecutor or police officer.

  5. Where's the chapter on... by UncleTogie · · Score: 2, Interesting

    ..getting certified in your local area? Texas, for example, requires you have a P.I. license for computer forensic work, but online resources on how to actually GET one are mighty scarce...

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    1. Re:Where's the chapter on... by querist · · Score: 3, Insightful

      South Carolina is considering such a law, and there are several states that already have one.

      Also, there are several good certifications out there, such as CCE and GCFA (SANS/GIAC). I know there are others that are only available to law enforcement (which I am not).

      I find two things troubling about this trend:

      1. It seems to be an effort for PIs to grab a new market and ensure their exclusive access to a market. (I know - police can do this, but I'm talking about making a profit doing it.)

      2. Whenever governments start to regulate qualifications for a profession, qualified people are going to be left out or unqualified people will be let in. Either they insist on one specific certification or accreditation, and excellent people without the cert suffer, or they "grandfather" current practitioners and we obtain people who are not qualified. An alternative to the traditional "grandfather" clause could be to "grandfather" current practitioners and give them a license cycle (or some other reasonable period) to meet the requirements. E.g., if the license lasts for two years, you have two years to meet the official requirements or your license will lapse.

      I would strongly recommend continuing ed (which the good certs require) as well, just like doctors, nurses, and engineers (as well as others).

    2. Re:Where's the chapter on... by jusDfaqs · · Score: 1

      The chapter on ethics! Seems that this is more in the realm of Tech Law to me. What most people are terming "Forensics" (which a quick g00g13 lists almost 2 million hits for) are actually firms or individuals that reverse engineer application code for the proving of intellectual property violations, provide "expert technical" testimony in court or, in some other way, use their grasp of technology to the detriment of any soul that has the unfortunate turn of events that leads you to cross in front of them.

      Hell, given a few minutes with your laptop and my trusty U3 drive you could become one of the biggest child pron (misspelled I know) distributors on the web, at least that is what the evidence would say!

      Just my baby diaper on the subject.

      --
      There are only two steps in the gathering of ultimate knowledge. Open your eyes and, RTFM!
    3. Re:Where's the chapter on... by Profane+MuthaFucka · · Score: 5, Funny

      If you can't dig up the instructions on how to become a PI, then perhaps that line of work is not for you!

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    4. Re:Where's the chapter on... by 0racle · · Score: 1

      Technically, you only need a PI license if you're going to be testifying in a court room.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:Where's the chapter on... by UncleTogie · · Score: 1

      Technically, you only need a PI license if you're going to be testifying in a court room.

      Technically, no. Check the bolded text here:

      "The Private Security Act construes an investigator as one who obtains information related to the "identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court."

      It also covers insurance claims, t'would appear...

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  6. Getting a P.I. in Texas is very difficult. by Anonymous Coward · · Score: 2, Insightful

    If you look at all the requirements to getting a P.I. license in Texas, you can't help but come to the conclusion that a very powerful law enforcement political lobby has over the years carefully and craftily influenced and "engineered" the legislation in such a way that there seems to be overt intent that the whole P.I. industry be owned, operated, and staffed by former or retired cops, to the exclusion of everyone else. The laws don't explicitly prohibit someone coming from a non-former-law-enforcement career from getting their P.I. license, but the barriers to entry in the field are structured such that it is almost totally impractical for someone who's not an ex-cop to actually achieve getting their license.

    In other words, the whole P.I. industry has been hijacked in order to make it become a protected, lucrative, cushy-job, 2nd-career market for retired cops to get rich, and the "good ol' boy" network now keeps it that way.

    1. Re:Getting a P.I. in Texas is very difficult. by TXISDude · · Score: 1

      This is one where bureaucracy has gone awry. . .

      I understand the desire by the State of Texas to regulate a marketplace that has significant opportunities for abuse/legal ramifications. Hence, getting a Private Investigator's license makes sense, as does a variety of security consultants. These people can carry guns, can directly interface with the populace and if the wrong characters were introduced to the field, well, a lot of bad things could happen to people directly. So, I understand and agree with this form of regulation.

      But then, it gets expanded in scope, without expanding the nature of the licenses . . .

      Quoting from the Texas Private Security Bureau's point paper (http://www.txdps.state.tx.us/psb/docs/psb_opin_sum.pdf) shows that computer forensics investigators - those that

      "For example, when the service provider is charged with reviewing the client's computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided."

      clear, huh . . .

      and then

      "The Private Security Act construes an investigator as one who obtains information related to the "identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court. Tex. Occ. Code 1702.104. Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above."

      but in a cave to e-discovery (maybe they realized that this would open a big hornet's nest)

      "With respect to the statutory reference to "securing evidence for use in court," we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service."

      but, it gets better, later in the same document

      "Thus, the industries that are directly regulated are the same industries about which one cannot consult without a license. Because the Private Security Bureau does not regulate software designers, installers, or suppliers, it also does not regulate those who provide consulting services related to computer network security."

      This means that a true computer forensic analyst - sitting in a cube, analyzing digital evidence - must be licensed, probably as a Class A PI, and work for a firm that is also licensed. But if you or your firm does network security work (risk assessments, pen testing, etc.) then you don't need a license.

      As a computer security professional, with a PhD in the subject, and years of experience, I can easily remember numerous risk assessments that also uncovered forensic evidence of separate unauthorized activity - so at what point do I stop and put on my PI hat and uniform?

      Texas has made it simple for me - I will continue to consult in Texas, but only to Federal clients, where the state rules do not apply. Until the bureaucrats figure out how to do it right . . . erm, well don't hold your breath, this debate has been cooking for years.

      --
      Hope is the worst of evils, for it prolongs the torment of man. -- Friedrich Nietzsche
  7. And the moral is... by Pig+Hogger · · Score: 1

    Encrypt early, encrypt often (and do it properly).

    1. Re:And the moral is... by gallwapa · · Score: 1

      Properly?

      Like what, encrypting your disk? Or encrypting your memory? Or realizing that both memory encryption and full disk encryption can both be defeated with physical access?

    2. Re:And the moral is... by DMUTPeregrine · · Score: 1

      Don't leave your passphrase on a post-it. Don't use a short passphrase. Don't use known-weak algorithms (MD5, SHA1 for hashing, DES for encryption, etc.) Don't leave your pagefile unencrypted, etc, etc. Install a case-open detector that will pull the power.

      --
      Not a sentence!
    3. Re:And the moral is... by gallwapa · · Score: 1

      Don't install firewire cards?

      Firewire is a security risk.

  8. If society doesn't allow it? by cbreaker · · Score: 1

    "Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice."

    If society won't allow something, it wouldn't play a pivotal role.

    --
    - It's not the Macs I hate. It's Digg users. -
    1. Re:If society doesn't allow it? by Jansingal · · Score: 1

      who said that?

  9. I took a class on Forensics last bi-term. by Zombie+Ryushu · · Score: 1

    And I can say without a doubt that Windows is a huge boon for anyone wanting to dig up dirt on anything anyone else does. That class, which was a 400 level State University class, taught me every registry key and every hiding place Windows uses to record everything the user does. It's scary.

    1. Re:I took a class on Forensics last bi-term. by Anonymous Coward · · Score: 0

      Linux can be just as bad if you know what you're looking for. Yes, Microsoft keeps a lot of cruft around, but so does Linux. Firefox stores browsing histories and these can be recovered through forensic analysis. Files can be recovered from slack space. The applications attempt to be more hygienic in their use of disk space and their cleanup procedures, but if I suddenly cut the power to your machine and these cleanup procedures don't run, I can find a lot on your Linux system.

      Bonus: captcha as "decipher"

    2. Re:I took a class on Forensics last bi-term. by value_added · · Score: 2, Insightful

      That class, which was a 400 level State University class, taught me every registry key and every hiding place Windows uses to record everything the user does. It's scary.

      Hiding place?

      Windows has to store the result of all your pointing and clicking and radio button selection somewhere. How do you expect the back button in Windows Explorer to work, for example, if your last visited directory wasn't recorded somewhere?

      The only scary part in all this is the registry itself. Almost as bad is that if you don't have an intimate understanding of the registry, you most certainly don't understand Windows, both from an architectural perspective, and from a day to day operational one as well. And, unsurprisingly, most (sysadmins included) don't understand the registry.

    3. Re:I took a class on Forensics last bi-term. by Zero__Kelvin · · Score: 0

      "Linux can be just as bad if you know what you're looking for. Yes, Microsoft keeps a lot of cruft around, but so does Linux. Firefox stores browsing histories and these can be recovered through forensic analysis."
      Windows and Linux are Operating Systems. Firefox is an application which happens to run on both platforms. Keep searching for the Linux registry, and let us know when you find it ...
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:I took a class on Forensics last bi-term. by mgblst · · Score: 1

      Well, windows explorer could record it in memory. It is not like you can close down explorer, run it again and use the back button, so why does it need to store it anywhere other than in its own memory.

    5. Re:I took a class on Forensics last bi-term. by value_added · · Score: 1

      Well, windows explorer could record it in memory. It is not like you can close down explorer, run it again and use the back button, so why does it need to store it anywhere other than in its own memory.

      I cited a trivial example, but that said, there's numerous (countless, perhaps) places where history of all sorts is typically recorded, by Windows Explorer, by the Run or Open With dialog boxes, by different parts of Windows, by installed applications, and so on. Most people rely on such things as their Start Menu and drop-down lists being populated with information, their file open dialog boxes being rooted in a certain directory, their Explorer windows maintaining per-directory customisations, and so on.

      The real answer to your question is "It doesn't" (at least with respect to what's exposed), but people seem to want Windows to anticipate their next move, and Windows tries its best to accommodate that desire by dutifully tracking anything and everything where possible in an effort to "optimise" things for the user.

      Is it an invasion of privacy, simply annoying, or is all this interconnectedness a prerequisite for any desktop environment? Judge for yourself, but this is how Windows works. Personally, I find it absurd and useless.

    6. Re:I took a class on Forensics last bi-term. by Anonymous Coward · · Score: 0

      Thank you for missing my point. The vast majority of forensics done is on what applications leave behind, not the operating system they run on. The base operating system is more concerned with making I/O work and storing files on disk. The forensic investigator is more interested in the results of what you do with those applications. Looking for pages in swap for images of running programs paged out, deleted files in slack space, browsing history, and so forth. They could be stored in a registry or in dot-files in the user's home directory. It doesn't matter - it has to be stored somewhere.

      Both Windows and Linux have this issue, and to pretend that it doesn't exist in Linux is to show what a rabid, ranting fanboy you are.

    7. Re:I took a class on Forensics last bi-term. by Jansingal · · Score: 1

      boon means good, right :)

    8. Re:I took a class on Forensics last bi-term. by Zero__Kelvin · · Score: 1

      "Thank you for missing my point. The vast majority of forensics done is on what applications leave behind, not the operating system they run on."
      Well, again, that is certainly true if you leave Windows out of the equation, but is complete Bullshit in a Windows scenario. From your first post:

      "Yes, Microsoft keeps a lot of cruft around, but so does Linux."
      So how did I miss your point again? You don't say Firefox keeps a lot of cruft around, you say both Operating Systems do, which, again, is complete bullshit.

      "The base operating system is more concerned with making I/O work and storing files on disk. "
      Microsoft Windows has a registry, and can almost be defined as an OS designed with keeping "cruft" around as the core of its philosophy. You should have said: "an OS should be more concerned with making I/O work and storing files on disk, but Windows diverges widely from this wise OS theory." Linux, which is an OS, does not keep cruft; Windows, also an OS, does.

      As you rightly point out in your second post, in an Orwellian "I am saying, and I have always said, regardless of what I wrote" kind of way, various applications that run on both platforms do keep "cruft."

      One person in this thread is missing the point, and it is not me (OK, two if you count the under-educated soul who modded my post "Overrated" when it hadn't received any bump points.)

      Essentially your complaint here is that I missed the point you wanted to make when I accurately interpreted the erroneous one you mistakenly made in its place.
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. Careers in computer forensics by AgentPhunk · · Score: 1

    How much of a demand is out there for people with strong computer forensic skills? Are most of the jobs 'outsourced' through Service Providers and security vendors, or is there an internal need inside medium-to-large Enterprises?

    I have a strong background in security, networking, PCs/desktop (going all the way back to WFW 3.11), servers, databases, firewalls, IPS, etc, and was looking at adding Forensics to my skillset. I'm genuinely interested in the topic and think I'd be good at it if I put my mind to it, but I get the impression that it is its own microcosm of specialties that excludes being involved in other activities. (In other words, to be really good (and employable) at Forensics, I'd need to be -just- a systems forensics guy that also keeps up-to-date on almost EVERY new exploit as they're released and how they impact the end-system.)

    So what I suppose I'm asking is: could some currently-employed Forensic guys/gals (or the people that are looking to hire them) please talk about what they think makes a good Forensic Engineer and who should/should not get into the field.

    1. Re:Careers in computer forensics by Anonymous Coward · · Score: 1, Informative

      I actually have a degree in Computer Forensics, and the only place looking to hire me were police departments, and all of them wanted me to become a police officer for several years before I could even think about doing forensics work.

    2. Re:Careers in computer forensics by Don+Wolf · · Score: 1

      Sounds like you have the best possible background for computer forensic work. Go do a bio on Harlan, you'll see he has had similar experience. You've also caught on that it is its own microcosm of specialties. Like any job, you get better with the more time and effort you put into it.

    3. Re:Careers in computer forensics by cdrguru · · Score: 1

      Corporate security jobs, which you seem to be alluding to, are few and far between in requiring any real "forensic" background or knowledge.

      Most of the people I know and work with that are in computer forensics are either in law enforcement or consulting work. Some very large corporations have the need of a forensic analyst or two but not many. The general preference is to hire an outsider to do the work, someone that is not part of the corporate political scene.

      The one other place that hires forensic analysts is government agencies and other places where they have extreme auditing requirements. The Inspector Generals office for EPA, for example. I would expect to find a couple of people working at the Red Cross as well.

      Law enforcement computer forensics is almost totally dedicated to child porn and criminal copyright prosecution. If looking at thumbnails of adults doing stuff with 3-year-olds isn't your bag, you might want to skip the law enforcement side. It is true that in some places they want to hire-from-within (i.e., promoting sworn officers) but in other departments the forensic analysts are civilians - they don't get to wear guns.

    4. Re:Careers in computer forensics by billcopc · · Score: 1

      That's probably why there isn't a good cop to be found anywhere.

      Recipe for a bad cop:

      * 1 brilliant young adult with good intentions
      * 1 hopelessly corrupt legal system
      * 1 underfunded municipal system (i.e. all of them!)
      * 4 years

      Yields 1 serving of careless police agent, every time. Serve cold.

      --
      -Billco, Fnarg.com
  11. Re:Can they find out who attacked epileptics? by Gm4n · · Score: 1

    Forensics is for finding out/proving what a given person did or didn't do, it's not for tracing a crime to a person. To trace down such an event, you'd have to look through server logs, subpoena ISPs for who had which IP when, get a warrant to search their computer, then you'd use forensics to see if they really did it.

    --
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
  12. See the sibling post about Texas... by Anonymous Coward · · Score: 0

    It seems to be an effort for PIs to grab a new market and ensure their exclusive access to a market. (I know - police can do this, but I'm talking about making a profit doing it.)

    It could also lead to a market grab for ex-police to take over the whole P.I. market itself, for themselves, as SC is no doubt looking at what had happened in TX and other states that have gone down that road.

    Nothing like serving as a city cop for 20 years, retiring with that pension, then going into your next career in an artificially protected P.I. market and making an easy six figures or more a year without having to deal with hepatitis infected scumbags on the street shooting at you.

  13. massive growth market by ohzero · · Score: 1

    As the reviewer mentions, forensics and IR work is a quickly growing field. The company I work for does quite a bit of this sort of thing, and even in cases where you would expect not to find much on a disk image, you almost always do. Out of 4 recent clients that we've performed this sort of work for, 3 of them had either prefab or custom malware floating around in their environments - real nasty stuff. The fourth had big fat rootkits installed all over the place. Kind of speaks volumes about the differences between where companies think they are, and what's really going on.

    --
    -- http://www.criticalassets.com
  14. RTFA? by Anonymous Coward · · Score: 0

    I'm not even going to RTFS...

    1. Re:RTFA? by Jansingal · · Score: 1

      what???

      what are those acronyms?

    2. Re:RTFA? by I)_MaLaClYpSe_(I · · Score: 1

      Read the File System? (Perhaps a mixture from NTFS and RTFA)

      Just a guess.

    3. Re:RTFA? by Jansingal · · Score: 1

      TYVM (thank you very much) no guess :)

  15. My juror experience in a computer forensics trial by Scorpinox · · Score: 4, Interesting

    Just a couple weeks ago I was a juror in a child pornography case, I was in the unique position of being the only geek on the jury in this case that was all about computer evidence.

    The case was simple, the defendant had been caught by his wife viewing the explicit material, the wife took the computer tower to the police along with several floppy disks (this was 6 years ago). The defendant had deleted all the materials, but the forensics expert found the recently viewed material still on the hard drive.

    The computer forensics expert detailed how he recovered the material, by imaging the hard drive and recovering the access dates. The floppies also contained some explicit materials, again which were deleted but then recovered, apparently it was impossible to recover the access dates on the floppy files, the forensic expert testified that some of the dates were in fact accurate, and some not, when from my brief overview, it was obvious that most of the dates were inaccurate, so basically the forensics expert screwed up and didn't know what he was talking about in regards to the dates recovered from the floppy.

    The interesting part of the case was that the defendant was charged with 53 counts of "sexual exploitation of children, possession" (having child porn) and 2 counts of "sexual exploitation of children, creating, making, or preparing". Those last 2 counts were charged because the defendant copied the pictures onto a floppy disk, not because he filmed it or put it on a website, he was making a backup of the files. I'm relieved to say that the jury agreed that making a backup of the files is not the same as "creating, making, or preparing", but we did find the guy guilty for possession.

    For anyone thinking about getting into this field, you're likely to have to view a lot of really f*ing disgusting photos, then look at them closely and document everything about those photos. You really are going to need a good stomach for viewing that stuff, I know I probably couldn't do it because just seeing the photos submitted as evidence was enough to almost make me sick, I couldn't imagine having that guy's job and having to be exposed to those things all the time.

  16. Physical Memory Analysis by SignalFreq · · Score: 2, Informative

    Physical memory analysis is an up and coming challenge for many law enforcement agencies. How can you guarantee that a suspect's computer was not infected by some bad memory-only malware? Current tools only address the hard drive and what it contains. There has been a lot of research into physical memory analysis over the past few years:

    Rootkit.com: has been researching physical memory for years http://www.rootkit.com/newsread.php?newsid=130, but in a slightly different context (hiding vs finding).

    BlackHat Talks:
    http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf
    http://www.blackhat.com/presentations/bh-usa-07/Butler_and_Kendall/Presentation/bh-usa-07-butler_and_kendall.pdf

    Papers: http://www.stormingmedia.us/50/5037/A503754.html
    FatKit: http://www.4tphi.net/fatkit/
    Contests: The Digital Forensics Research Workshop is running a Challenge to see who can create the best linux physical memory analysis tool: http://dfrws.org/2008/challenge/index.shtml

    Now the commercial world is entering the fray: http://www.hbgary.com/hbgary_responder_datasheet.pdf

    I'm looking forward to using some tools that don't require me to keep a notebook of esoteric command lines and a usb key full of dependencies. Not to mention some report friendly output. Should be a good year!

  17. The past tense of "mislead" by doggod · · Score: 1

    When a writer doesn't appear to know that the past tense of "mislead" is "misled", I tend to take a jaundiced view of the rest of what is said. It may all be terribly astute, but I'll take my chances on ignoring it and waiting to see the opinions echoed by someone I can respect.

  18. Lassie Peterson? by QRDeNameland · · Score: 1

    Lassie Peterson? What, Scott killed the dog, too?

    --
    Momentarily, the need for the construction of new light will no longer exist.
  19. Re:The problem is the WHO that is doing the analys by mav[LAG] · · Score: 1

    Ouch dude, sorry to hear that - I've done more than my fair share of computer evidence seizures and the procedure in my country leaves no room for planting evidence anywhere.

    1. md5sum the suspect drive image
    2. dd it to an acquisition drive
    3. md5 the acquired image and the checksums must match
    4. All of this with you and your lawyer and the plaintiff's lawyer (if applicable) present so that you can make notes of the md5sum, the size of the image, the drive serial number and so on.

    The acquired image is left with the police and any analysis must be done on an exact copy. Any planting of evidence by any party would show up in court.

    --
    --- Hot Shot City is particularly good.
  20. Re:The problem is the WHO that is doing the analys by robo_mojo · · Score: 1

    Or suppose that the evidence is planted before or during seizure, before any lawyers get involved. When only one or two cops are coming to pick up someone's equipment, it is highly likely that evidence can be planted without getting noticed.

    md5summing or not, all the trust is placed in the prosecutor's lab. There are too many opportunities for wrongdoing.

  21. Re:The problem is the WHO that is doing the analys by Sancho · · Score: 1

    Encrypt your drive. When they demand the keys, get your lawyer to demand that a defense expert be involved in the extraction portion of the evidence gathering.

  22. Re:The problem is the WHO that is doing the analys by asuffield · · Score: 1

    Not specific to computer evidence, government mooks have been planting drugs this way for decades. This is why you should know how to handle a search/seize warrant. The cops who show up are going to try to shove you out and leave them to do whatever they want on their own, largely by claiming that they can and getting in your face. They're lying. You're entitled to make them stand on the doorstep while you wait for a witness to arrive and observe them, and if they don't, or do anything out of sight of the witness, it's an illegal search and the whole lot is inadmissible in court (probably; some local laws are flawed, check yours).

    Usual "reasonable" limits apply: you can call over your neighbour, you can't wait an hour for somebody to drive over from the next city.

  23. Re:The problem is the WHO that is doing the analys by asuffield · · Score: 1

    Exactly that type of nonsense can be found in nearly every piece of paperwork filed by any prosecutor or police officer.

    To be fair, half of that is regular old stupidity and incompetence, rather than actual corruption. Lawyers and police are much the same as everybody else: most of them are idiots who are not capable of doing their job correctly.
  24. Re:The problem is the WHO that is doing the analys by Anonymous Coward · · Score: 0

    This is EXACTLY what happened.
    They showed up to execute the warrant, the officer in question was inside alone "securing the premises" for 15-20 minutes, then once the premises was "safe" a SANS computer expert working for the local university (read: DUPE used to lend the whole charade a shred of credibility.) was brought in to "safely shut down the equipment."

    This respondent is absolutely right.. trust is given the police and the prosecutor's office (not to mention the courts) and is, in most cases, grossly misplaced!

    For those who would call me a coward for not putting my name to this: I guarantee they'd come after me AGAIN with some bogus nonsense if I went waggling my name about.

    He is a sick bastard, an addict; For him, obliterating people's lives & families is every bit as addictive as any drug. He isn't fighting his addiction either.. he revels in it.

  25. Re:The problem is the WHO that is doing the analys by westlake · · Score: 1

    Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

    and the word of the anonymous coward is to be taken as gospel truth.

    at least on Slashdot.

    the geek who brings this attitude into court has two strikes against him even if he can make the argument plausible in his own case.

  26. Re:The problem is the WHO that is doing the analys by robo_mojo · · Score: 1

    How exactly does encrypting your drive protect you from evidence-planting? You forget about external drives and CDRs that may be found lying around...

  27. Any other books on computer forensics? by analog_line · · Score: 1

    The review author mentioned that he'd read other good books on computer forensics, could anyone offer a small list of titles for starting a small but good library in this field? I'm not likely or especially interested to get into the forensics field, but there have been more than a few occasions where some applied knowledge about computer forensics would've been helpful. I'm gonna take a look at this book, but a pointer to something related to Linux, MacOS, or anything else that'd be useful would be appreciated as well.

    1. Re:Any other books on computer forensics? by Rurik · · Score: 1

      Brian Carrier's File System Forensics is a staple book for anyone in forensics.

      I think that the majority of others are specialty training guides provided to those in the field, or just basic knowledge gained from experience.

      If you really want to learn more, download Sleuthkit/Autopsy (Sleuthkit is cmd line forensics tools, Autopsy is a web-based frontend to them) and just play. They're FOSS, and you'll learn more this way than any other. The tools were also written by Brian Carrier, author of the book above.

  28. Windows Machine Forensic Analysis..... by IHC+Navistar · · Score: 3, Funny

    Patient Info:

    CPU: Dual AMD dual core Opteron 276 processors.
    Sound Card: SoundBlaster Audigy II
    Video Card: ATI Radeon 8800 GT
    Memory: 4 GB PC 2700 ECC-Registered.
    Hard Disk: 2x 500GB, 1x 200GB
    Power Supply: 550W

    Notes: Prior to death, subject complained of memory loss, cognitive difficulty after recovering from sleep mode, frequent lock-ups, severe lethargy after sleeping, confusion and sluggishness when completing complex tasks. Previous medical history notes several near-fatal seizures, necessitating the "re-learning" of basic functions on several different occasions. Cause of seizures is as yet still unknown, as episodes appeared to happen seemingly at random, usually during inopportune moments. Previous physician notes that resuscitation of the patient was long and time consuming. Resuscitation was further complicated by the fact that the patient was revived in a "hypnotized" state, refusing to cooperate with medical staff unless the correct 16-digit alphanumeric "key" was spoken to them, with the key changing after each resuscitation.

    Previous Treatments Administered By Last Attending Physician:

    Prescribed one (1) copy of Linux, but patient refused.

    Time Of Death: 0832, 0901, 1055, 1129, 1344, 1508
    Method Of Death: Fatal Error
    Cause Of Death: Windows

    Procedures performed in determining occurrence of death:
    Subject was BSOD on arrival
    Unresponsive to verbal stimuli: (shouting, cursing)
    Unresponsive to Sensory stimuli: (hitting, smacking with keyboard)

    Additional Notes / Instructions:

    As Coroner, it is recommended that the law enforcement agencies involved with the death of the subject investigate Mr. William Henry Gates III, and Steven Anthony Ballmer. Both subjects have known employment at Microsoft Corp. It has been determined by the Office Of The Coroner that a product known colloquially as "Windows", which was/is compiled, manufactured, and sold by Microsoft, while under the direct supervision and control of Mr. Gates and Mr. Ballmer, despite widespread reports of patients expiring from complications and/or adverse reactions after ingesting "Windows".

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
  29. Re:The problem is the WHO that is doing the analys by glitch23 · · Score: 1

    Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

    --Signed... an unfortunate victim of a crooked cop who planted bogus evidence on my computer systems after perjuring himself on affidavits to get search warrants for them

    Ahh yes, another overgeneralization brought to us by a fellow Slashdot user. I think you are the naive one if you believe 1 crooked cop is representative of the whole.

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  30. Re:My juror experience in a computer forensics tri by oakgrove · · Score: 2, Funny

    Now see, this is the kind of stuff I just don't understand. If you are going to look at child porn or whatever, why not take the simple steps to protect yourself.

    How hard is it to slipstream a Knoppix CD with truecrypt and all of your codecs, open the case of your laptop and disconnect the hard drive (just in case), pull the battery out of your laptop so you can just pull the plug and have instant off, find a hotspot to download your porn at, boot up on the Knoppix CD, create an encrypted truecrypt volume in RAM to download your child porn directly into, download the porn, dismount the truecrypt volume, insert a USB flash drive to copy the truecrypt volume to, then just hit the power button?

    Now you have covered your bases and have no record of the password anywhere, not even mistakenly written to a swap file, and if you want to view your porn, you just boot up on the live CD again and copy the truecrypt volume from the flash drive into RAM, disconnect the flash drive (again, just in case), view your porn all completely in RAM and when you're done, just pull the plug and poof, all evidence gone.

    I don't understand why people can't just take simple precautions.

    --
    The soylentnews experiment has been a dismal failure.
  31. Re:The problem is the WHO that is doing the analys by witherstaff · · Score: 1

    A business client of mine had every computer in his home taken (I believe 5) on charges of child porn being downloaded from his cable IP address. Then the police said they found 4 videos on a PC and kept pressing for him to admit his wrongdoing. Luckily he was past law enforcement, and had a lawyer, so he didn't lie. Long story short - 3 months of hassle and all charges were dropped, all equipment returned, and police admitting there were no files found.

    Open wifi along a busy road was most likely to blame.

    It's good they didn't plant evidence while trying to get a confession.

    He's decided to not pursue anything against the authorities involved, just the public knowledge of the allegation alone would destroy his business and livelihood.

  32. Beware the MD5 defense by jnv11 · · Score: 2, Interesting

    There are cases where the use of MD5, which is considered broken quite thoroughly, will get the case thrown out of court. See Bruce Schneier's blog entry about the MD5 defense. Time to upgrade your hash algorithm. Some smart lawyers are able to use the fact that MD5 is broken to make a judge believe that the evidence could have been doctored to produce an MD5 collision with planted evidence.

    1. Re:Beware the MD5 defense by mav[LAG] · · Score: 1

      Thanks for the heads up - looks like sha256 for me from here on in just to be safe. That having been said, in our courts someone would have to demonstrate how to perform such a plant with successful collision to be taken seriously. Hand-waving in the face of odds to the order of one in a few quintillion doesn't cut it.

      --
      --- Hot Shot City is particularly good.
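
The four-step acquisition mav[LAG] lists above (hash the source, dd it, hash the copy, record everything in front of witnesses) and the hash-algorithm point raised in jnv11's "MD5 defense" post can be shown together in one script. What follows is an added example written for this page, not code from either poster or from the book under review. It assumes SOURCE is a readable block device or file standing in for the suspect drive (a constructed random file is used so it runs offline), that dd and either GNU coreutils (md5sum, sha256sum) or the BSD/macOS equivalents (md5, shasum) are available, and it records both MD5 and SHA-256 so the image still matches any older MD5 paperwork while the SHA-256 digest is the one to rely on when a collision argument is raised.

```shell
#!/bin/sh
# Added example: hash-verified disk image acquisition with a custody record.
# Not the thread's or the book's code; names (acquire_image, verify_image,
# demo_acquisition) are this example's own.
set -u

# hash_file ALGO FILE : print the hex digest of FILE using md5 or sha256,
# falling back to the BSD/macOS tool names when coreutils is absent.
hash_file() {
    case "$1" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | awk '{print $1}'
            else md5 -q "$2"; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2" | awk '{print $1}'
            else shasum -a 256 "$2" | awk '{print $1}'; fi ;;
        *)  echo "hash_file: unknown algorithm '$1'" >&2; return 2 ;;
    esac
}

# file_size FILE : byte count, portable across GNU and BSD (avoids stat flags).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# acquire_image SOURCE DEST LOG : hash the source, copy it bit-for-bit to DEST,
# hash the copy, append both sets of figures to LOG, and return 0 only if size,
# MD5 and SHA-256 all agree. Any non-zero return means the copy is not trusted.
acquire_image() {
    src="$1"; dst="$2"; log="$3"

    # Step 1: hash the source before anything is copied.
    src_md5=$(hash_file md5 "$src") || return 1
    src_sha=$(hash_file sha256 "$src") || return 1
    src_size=$(file_size "$src")

    # Step 2: the copy. On failing media one would add conv=noerror,sync, but
    # zero-padding of unreadable blocks then changes the image hash, so that
    # mismatch has to be written down, not silently accepted.
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1

    # Step 3: hash the acquired image.
    dst_md5=$(hash_file md5 "$dst") || return 1
    dst_sha=$(hash_file sha256 "$dst") || return 1
    dst_size=$(file_size "$dst")

    # Step 4: the record the parties present initial; drive serial numbers and
    # names of those present would be appended here from the scene notes.
    {
        echo "acquired_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src size=$src_size md5=$src_md5 sha256=$src_sha"
        echo "image=$dst size=$dst_size md5=$dst_md5 sha256=$dst_sha"
    } >> "$log"

    [ "$src_size" = "$dst_size" ] && [ "$src_md5" = "$dst_md5" ] \
        && [ "$src_sha" = "$dst_sha" ]
}

# verify_image IMAGE EXPECTED_SHA256 : re-check an image against the recorded
# digest, e.g. before making a working copy for analysis. 0 if unchanged.
verify_image() {
    [ "$(hash_file sha256 "$1")" = "$2" ]
}

# demo_acquisition : run the procedure on a constructed "drive" (37 KiB of
# random bytes, not a real device) and print the custody record.
demo_acquisition() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/suspect.raw" bs=1024 count=37 2>/dev/null
    if acquire_image "$work/suspect.raw" "$work/acquired.dd" "$work/custody.log"; then
        cat "$work/custody.log"
        rc=0
    else
        echo "acquisition FAILED: sizes or hashes differ" >&2
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

case "${1:-}" in --demo) demo_acquisition ;; esac
```

Run it as `sh acquire.sh --demo` to see the record; in use, point acquire_image at the real source and keep LOG on separate media. The ordering matters: the source digest is taken before dd runs, so a later dispute compares the analysis copy against a value fixed at the scene, and a single altered byte (appended, overwritten, or "planted") fails verify_image.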
  33. Re:My juror experience in a computer forensics tri by Scorpinox · · Score: 1

    Actually, the defendant did have some software to completely erase data hidden on a hard drive, but because his wife took the tower halfway through him viewing the stuff, he got caught with it. Plus this was 6 years ago when the guy was running Windows 95 on his HP, I don't think he really knew much about this stuff.

  34. Re:My juror experience in a computer forensics tri by RUDigital · · Score: 1

    Well... I have much to say....

    First of all, I think it is unfair to say that all Police officers plant evidence. There are some really decent and intelligent LEOs out there. And.. There are some really indecent and dumb LEOs out there too..

    In my field (and Digital Forensics is my field), there is too much room for error to automatically assume that because someone has CP on their machine, they must be guilty of the criminal act of possessing it, or because they may have had it in a shared folder they must be guilty of promoting it with criminal intent. I think the really "computer literate" people here know what the possibilities are. Between the ignorance of the "dumb cops", and the ignorance of the average computer user that just uses his or her computer for checking email and browsing the Internet, there is MUCH room for an innocent person to get caught up in a scenario where they are facing jail time for something which they are not criminally culpable of. And this is why we need GOOD Forensic Examiners on both sides of this issue. Now before you belabor this paragraph with arguments, learn what "criminal intent" means, "mens rea" means, and understand that "ignorance" is not a negative word and nor does it equate to guilt; as a matter of fact, oftentimes it proves just the opposite.

    Now I am not sure that requiring a Forensic Examiner to have a P.I. License is the right way to go. The average P.I. that has managed to get into the Computer Forensics field is going to have less than 10 years of experience, and in most cases with this becoming a booming industry, less than 5 years now. How can these guys expect to hold a candle to people like Brian Carrier, Dan Farmer, and Andrew Rosen, who would have a hard time getting the required hours that most states expect to grant a P.I. License? So, in requiring that P.I. License for Forensic Examiners, we have eliminated the most skillful examiners from working very critical cases that can have life altering effects on people. By requiring Computer Forensic Examiners to have a P.I. License we are forsaking TRUE skill for control of the digital forensics industry. This is not very comforting to me.

    The scariest thing about a criminal prosecution for CP related charges, is to have a "computer illiterate Jury" that can be swayed by a load of crap for a Prosecutor and/or the ignorance of a Detective. This is why a GOOD Forensic Examiner will not only know how to properly conduct a Computer Forensic Examination, but also how to explain what he or she has done in layman's terms, where a Jury can understand it. It should not be taken so lightly that the allegations that a Law Enforcement Officer might make could take 20 years of a person's life away from them.

    R U Digital?

  35. Book Reviews for Profit by bhiestand · · Score: 1

    1. Publish glowing book review on site read by millions of nerds/geeks
    2. Include link to Amazon with a referrer tag
    3. Profit!

    Thanks for helping me figure out step 2! Is this Slashdot's doing or the submitters?

    --
    SWM seeks new sig for a brief fling
  36. How to get into computer forensics field? by true_majik · · Score: 1

    I've always had an interest in getting into computer forensics field but do not wish to become a police officer. Is that the only way? What would be a basic roadmap toward a career in this field (for somebody that already has a CS degree)?

  37. the hard part is decrypting the BSODs by swschrad · · Score: 1

    every BSOD tells a story. this is because Windows is connected to the Underworld. the diabolic and maddening part is a BSOD on Manson's computer, for instance, may reveal the details of one of Henry VIII's death orders, or one of Saddam's.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  38. Re:The problem is the WHO that is doing the analys by Jansingal · · Score: 1

    good comment.
    i have seen way toooo many clueless people run forensics tools expecting to find the smoking gun.

    the tools are like 15% of the job.
    it is smartness and more to really make it work.

    sorry scriptkiddies!

  39. Re:The problem is the WHO that is doing the analys by Jansingal · · Score: 1

    yeah, but when quantum crypto starts shipping, crypto as we know it will be worthless.

  40. Re:The problem is the WHO that is doing the analys by Sancho · · Score: 1

    Strictly speaking, quantum cryptography really has nothing to do with it. Quantum cryptography has more to do with detecting when a conversation has been overheard. It's useful for transmitting session keys--if the session key conversation was overheard, just don't use those keys. If it wasn't overheard, it's fairly safe to proceed. Quantum cryptography, thus, aids in symmetric key exchange (key exchange, in general, being the hardest part of cryptography between two people--a problem solved by asymmetric keys in classical computing.)

    The advent of quantum computing has ramifications on breaking cryptographic keys, however most people don't really understand what this means.

    Symmetric key attacks can be made faster with quantum computing, but it's not a significant enough increase to make symmetric key encryption worthless. It's not nearly the same beast as using Shor's Algorithm to factor the products of primes (rendering asymmetric key algorithms close to useless). As such, increasing the length of your symmetric key is useful against quantum computing attacks, whereas increasing your asymmetric key length doesn't help much*.

    Of course, we're talking about planting evidence here. There aren't quantum computers in existence (that we know of) that can run Shor's Algorithm to factor commonly used asymmetric key sizes. It will be a long time (if ever**) before quantum computers are ubiquitous enough that local police departments have access to them. When a resource like quantum computing is scarce enough, it's fairly hard to abuse without someone noticing.

    * It can help if they don't have a quantum computer large enough to factor the primes you used.

    ** The known applications of quantum computing are extraordinarily small in number, and unless they increase substantially, it's unlikely that there will be a consumer market for them. That's not to say that a consumer application will never be found, of course.

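The contrast Sancho draws above between symmetric and asymmetric keys can be put in numbers. This is an added editorial note, not part of the thread; it names Grover's algorithm, which the comment does not, as the standard result behind the symmetric-key claim, and uses $n$ for the symmetric key length in bits and $N$ for an RSA modulus.

Brute-forcing an $n$-bit symmetric key classically costs on the order of $2^{n}$ trials; Grover's search reduces this only to the square root:

$$
T_{\text{classical}}(n) = O\!\left(2^{n}\right), \qquad
T_{\text{Grover}}(n) = O\!\left(2^{n/2}\right)
$$

so an $n$-bit key keeps roughly $n/2$ bits of security against a quantum attacker (a 128-bit key behaves like a 64-bit one, a 256-bit key like a 128-bit one), and doubling the key length restores the original margin. Shor's algorithm, by contrast, factors $N$ in time polynomial in its bit length $\log N$:

$$
T_{\text{Shor}}(N) = O\!\left((\log N)^{3}\right) \quad \text{(up to lower-order factors)}
$$

so doubling the modulus size multiplies the attacker's work by about $2^{3} = 8$ rather than squaring it, which is why longer asymmetric keys do not buy much once a sufficiently large quantum computer exists, exactly the footnoted caveat in the comment above.
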
  41. Re:The problem is the WHO that is doing the analys by Jansingal · · Score: 1

    true.

    but who would use 50,000 megabit keys to deal with the quantum threat?

  42. Thank you for the kind review by davekleiman · · Score: 1

    Don, We really appreciate your kind review, and I believe the publisher of this book and Harlan's new book, Perl Scripting for IT Security Professionals will appreciate it as well.

  43. Haha... by Anonymous Coward · · Score: 0

    I actually worked with Harlan in which we were supposed to be doing actual forensics...which is why I think that the fact that he keeps on writing books about it is hilarious. Ask him how much experience doing forensics he actually has.

  44. Re:My juror experience in a computer forensics tri by Scorpinox · · Score: 1

    >>The scariest thing about a criminal prosecution for CP related charges, is to have a "computer illiterate Jury" that can be swayed by a load of crap for a Prosecutor and/or the ignorance of a Detective

    ^ I completely agree with that, I was worried throughout the trial that I would have to educate the jury on simple terms they used in the trial and how the defendant was found with the CP on his computer. Luckily though, it was pretty much moot, since it was obvious that he intentionally was viewing the material, and even admitted as much to his wife. I believe the only reason they pleaded not guilty was because of the 2 "creating, producing, making" charges (you can't plead guilty to some and not to other charges in this state). So, it never came to discussing technical details in the end. What annoyed me was that the defending lawyer admitted to not knowing anything about computers, and if he had known even a little, he could've tried to create more reasonable doubt in his closing arguments, his defense in the end was pretty weak.