Firstly, IA(definitely)NAL, but I have had some data forensics training (to the standards required by UK courts, apparently). I personally haven't been involved in any real data recovery; I needed the full training in case I get involved further down the line (analysis of file-systems, data structures etc.).
As you pointed out, the key to the whole business is to try and prove that the data has not been tampered with in any way. Here's (roughly) our procedure for dealing with the data recovery task.
- Take a camera and photograph everything before you start.
- Have a good notepad for a journal and write down everything that you do and why, and sign each page.
- If the machines are running and the data is believed to exist on the HDD, not in RAM (if the data is in RAM, then you have a problem), then power the machines down. Do not shut them down cleanly, just hit the button - this is to prove that the shutdown procedure did not change anything on disk.
- Next, take a byte-for-byte image of the HDD(s). We do this onto an MO disk hanging off the parallel port, using software from a bootable DOS floppy. Also, use fresh disks - do not break the cellophane seal until you are about to insert them into the drive. OK, MO is expensive but it's not gonna get accidentally corrupted and cannot be modified/wiped without using a proper drive. I suppose now that DVD-RW is coming down in price, it might be more convenient to use that. Make sure that the system does not boot off the HDD (for the same reason you don't shut the machine down cleanly).
- The software we use generates a set of floppy disks containing digital signatures of the content of the MO disks. Two copies of these floppies are generated and placed in tamper-evident bags. One copy stays with the owner of the data, one copy goes with us. The bags are signed by both parties to prove acceptance that the image was generated fairly.
- The MO disks are properly labelled and treated as evidence (with all the signing in & signing out stuff).
- When we come to analyse the data, the MO disks are restored onto a blank HDD in a machine in a specially secured room on our site. All work is done on the copy on the HDD (which can be re-restored at any time). The signed diskettes can be used as proof that the copy of the data on the MO disks hasn't changed since the image was taken.
I think that's about it. The key technological bits are the digital signatures, the use of media that can't be externally modified and the use of an imaging system that is guaranteed not to modify the host drive. The other thing needed to make the evidence stand up is the journal - this is vital.
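An added example, not from the original post, modelling the integrity half of the signed-diskette step described above: a per-chunk SHA-256 manifest is built over the image at acquisition time, a single digest of that manifest is the value a PGP signature would cover, and a restored copy is later checked against the manifest so that any change is reported with the offset where it starts. The chunk size, function names and sample image are assumptions for the example; the signing itself is taken to happen out of band.

```python
import hashlib

CHUNK_SIZE = 4096  # assumed chunk size for this example; a real tool would likely use the media's sector size


def build_manifest(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Hash every fixed-size chunk of the image, plus the whole image.

    Per-chunk hashes let a later verification say *where* a copy diverged,
    not just that it did.
    """
    chunk_hashes = [
        hashlib.sha256(image[off:off + chunk_size]).hexdigest()
        for off in range(0, len(image), chunk_size)
    ]
    return {
        "size": len(image),
        "chunk_size": chunk_size,
        "chunks": chunk_hashes,
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


def manifest_digest(manifest: dict) -> str:
    """Digest over a canonical serialisation of the manifest.

    This single value is what would be signed (e.g. with PGP, as the post
    describes) and handed to both parties in the tamper-evident bags.
    """
    lines = [str(manifest["size"]), str(manifest["chunk_size"]), manifest["image_sha256"]]
    lines.extend(manifest["chunks"])
    return hashlib.sha256("\n".join(lines).encode("ascii")).hexdigest()


def verify_image(image: bytes, manifest: dict):
    """Check a (restored) copy against the manifest.

    Returns (True, None) if the copy matches, otherwise (False, offset) where
    offset is the byte position of the first chunk that does not match.
    """
    if len(image) != manifest["size"]:
        # Truncated or extended copy: divergence starts where the shorter one ends
        return False, min(len(image), manifest["size"])
    chunk_size = manifest["chunk_size"]
    for index, expected in enumerate(manifest["chunks"]):
        off = index * chunk_size
        actual = hashlib.sha256(image[off:off + chunk_size]).hexdigest()
        if actual != expected:
            return False, off
    if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
        return False, 0  # chunks match but the whole-image hash does not: manifest is inconsistent
    return True, None


# Constructed sample "image": 10240 bytes of a repeating pattern, standing in for a drive image
SAMPLE_IMAGE = bytes(range(256)) * 40


def demo() -> dict:
    """Acquire, then verify a clean copy, a tampered copy and a truncated copy."""
    manifest = build_manifest(SAMPLE_IMAGE)
    signed_value = manifest_digest(manifest)  # this is what the PGP signature would cover
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[5000] ^= 0xFF  # flip one byte inside the second 4096-byte chunk
    return {
        "manifest_digest": signed_value,
        "clean": verify_image(SAMPLE_IMAGE, manifest),
        "tampered": verify_image(bytes(tampered), manifest),
        "truncated": verify_image(SAMPLE_IMAGE[:10000], manifest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```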
Err... Correct me if I'm wrong but I found that 'firewire == better ethernet' statement to be a tad misleading. Ethernet is a system designed for sharing resources and information between a number of computers. Firewire is designed primarily for connecting peripherals to said computers. Also, Ethernet now goes up to a gigabit, so it isn't slower. I would bet that, if you tried to use Firewire instead of Ethernet, you would stumble across a lot more problems. If you wanna get shot of collisions, use token ring or FDDI.
Well, Nintendo, Atari and Sega sat still while Sony decimated their market.
Why? Because the PSX is far more open than any of the other consoles available. Sega haven't even learned their lesson with the gimmickcast. I currently count two decent games for it. I know, cos I have 'em here.
Atari is (just about) dead in the water and Sega are struggling. Maybe there's a moral here?
From what I remember, the problem stems from X's dealings with fonts. They are drawn as a special internal image type known as a glyph. Glyphs are only 1-bit bitmaps. The fix for this is at the X protocol level.
Maybe X11 6.6 will fix this. Maybe it's an even bigger prob and we have to wait for 7.
Note: I'm no expert on X but this is the gist of a conversation about this I heard a while ago.
When Nvidia announced its Linux support, I rushed out to buy myself a nice, new, shiny TNT2 Ultra thinking that, OK, it's a lot of money, but at least I'd have some proper support. By this time I'd already been bitten when I bought an SB Live.
I feel betrayed by Nvidia in this respect; I was tricked into buying their card if this is all the 'support' they were planning all along. It's quite ironic that the card I thought was gonna be unsupported (the SB Live) now has Creative throwing time, money and other resources at making open drivers (and a 3D sound API), whilst the card I bought because I thought I'd get decent drivers is as closed as Windows!
One thing you seem to be forgetting is that, once you have an account with them, you can use their email interface like NSI is trying to phase out. All I have to do is send a specially formatted and PGP-signed email to them (just like Nominet). Of course, I have this all script driven, so registering a domain is now only a five minute task :)
The company I work for is registered with Nominet. To register a domain, we fill in an e-mail form, PGP sign it and send it to their 'automaton'. Five minutes later, we get an automatic confirmation that the name is in their database and available to be replicated throughout their nameservers. The whole process usually takes 1-2 hours. Even better is the wrapper script I've written around the mail bit that means that I basically input what name we want, what it's for and then our PGP passphrase. You cannot get any easier or quicker. Needless to say, modifications and transfers are just as easy. NSI, register.com and just about every other registration service I have seen can learn a lot from Nominet!
I believe one of the major reasons behind Linus writing the first Linux kernel is the same motivation behind a lot of open/free development today... 'to see if I can'. In fact, he has stated that it started as a little project to learn i386 assembly code. This is the driving force behind all software development (the learning experience) and this is the reason why there are so many projects that seem to be aiming at similar goals. Unfortunately, many people see this as a bad thing because it presents the image of a fragmented community. However, I can only see it as a good thing. It builds confidence and a sense of achievement in the individual developer and, equally importantly, different developers have different ideas of how things should be done. These differences can make two 'similar' programs have radically different designs and features. These differences, in turn, can be analysed by another developer looking for inspiration to produce an even better program.
If Solaris had been free, then Linux would have still been written. It might not have snowballed as much as it did and we might all be using Solaris. OTOH, Linus might have used some of the design ideas from Solaris to produce a kernel that far outshines both today.
Surely, by this 'Virtual Fingerprinting System' I must be a secret (so secret even I didn't know) member of ULG. Based on the following facts:
- I have at some time or another created graphical images displayed on a web page. Obviously showing that I, like ULG & HFG, create images in a similar way.. with a graphics package..
- I have used both Unix and NT. Obviously showing similar patterns in OS usage.
- Most damning of all.. I frequently use 'freehand' HTML!
OK, none of my work has ever appeared on any of ULG's cracks, but it's damning evidence, I'm sure you must agree, so I'm off now to hand myself in to the authorities.
C'mon, If he's gonna make accusations that HFG==ULG, he should have better evidence than this!!
Yeah, OK, I was in a rush last night and Sun's server seemed to be going really slowly for me (prob. something to do with a large download I was attempting at the time). So I've got to apologise for jumping to the wrong definition of 'IP'. OTOH, most of my argument still holds true.. releasing a full system (Java, StarOffice) under SCSL has some benefits to developers as that whole system is useful and 'free' (I don't want to get into license wars). However, releasing only a component in this manner does not appear to help anyone other than Sun. I don't know that much about processor design but, it appears to me, that you would still need a lot of other information, bus interface technologies etc. to make much use of it as a discrete system. Like I said, I don't know too much about this field so I can't be sure whether all this type of information has been released.
I must question the whole point of releasing this code. Put simply, it is fairly useless to the bulk of developers. The Solaris IP stacks are (well, should be) better than the current Linux ones.. at the very least, they should be threaded. So the initial reaction is 'Yes! We have a stable threaded IP stack to put into the Linux kernel'. There's just one problem.. If I'm right in believing that the SCSL is incompatible with the GPL, only two things can be done with this code.... third-party developers can develop improvements to the code for Sun to roll back into Solaris (bet those developers would be happy).. or someone could make a start on a SCSL OS (highly unlikely). So what's the point? All we can seemingly do with this code is free QC work for Sun. It kinda reminds me of all the fuss MS made over the 'release' of its IPv6 stacks. Anyone remember that?
I may not have the most knowledge in this field but I always assumed that the majority of exploits were based on buffer overflows that allow the cracker to execute arbitrary code supplied whilst overflowing said buffer. The code that would then be executed would not necessarily depend on a CLI or plenty of ports open. Therefore, I can't understand how not having a CLI or plenty of TCP/IP applications makes a web server intrinsically more secure. Can anyone enlighten me?
I've just (last week) finished my CS degree at Teesside and I correctly guessed that the course was to take place there before I read the BBC article. The Uni has a very strong grounding in general computing but especially in software engineering and graphical applications. They ran one of the first 'visualisation' courses in the country and have their own VR labs - damn, those admins never did let me run Quake in there :(. As always, there will be teething trouble for the first group of students to go through but they will get things sorted. As for a Uni environment being too academic, all of Teesside's full-time computing degrees have a mandatory year's work placement as part of the course. They also have excellent links with the computing industry throughout the company - they have already had people working on major games (on placement from the visualisation courses). So give them a break and see what happens!
Oh Pleeeassee! I've gotta defend Teesside and M'bro; having lived here for most of my life I know a reasonable amount about it and I think it's great. *Everything* you need/want is here and the prices are reasonable as opposed to down South where you need a mortgage for a beer!
If it's a 'cleanroom' implementation (or even just from specs), surely a 'wrapper' is just an emulator??
Think about it....
In America at least (I'm not sure about over here in the UK, but what's that got to do with it?), there is precedent that emulators are legal. Nintendo and Sony can't both be wrong ;).
3D/FX are making a big mistake if they think that this will, in any way, help their market share. They have made all the wrong decisions since the Banshee.
They are not letting other manufacturers (such as Diamond) use their chips. Sure, 3DFX know their chips, but can they make/market a board???
Jumping on the open source 'bandwagon' with their half-hearted Banshee and GLIDE 'announcements' (i.e. when someone else has done all the work) was transparent to anyone with their eyes open.
GLIDE was in a damned good position to become the de facto standard for 3D on Linux. They control the GLIDE 'standard'. With their crackdown on the emulators, they are denying themselves that market.
The OpenSource community can come up with something equally as fast, more functional and better (X-platform) than GLIDE if need be. 3DFX have provided that need.
I was certain that I was gonna upgrade to a VooDoo3 but now I'm not at all certain.
Why do the games companies insist on putting in lame protection? The only thing protection now accomplishes is to annoy legitimate users and keep the pirates in business.
For instance, I have purchased the game 'Thief'. Unfortunately the protection takes advantage of undocumented features and incorrect data that they have planted in the file-system of the CD. Basically, what gets returned to the game is undefined in any specs. My CD-ROM drive does not return what their copy protection is expecting.
Eidos tech support have been zero help as they "are only aware of a few users with this problem" and "we have to have copy protection to protect us against pirates". How many users have to have a problem before it becomes 'worthwhile' to look at it? I know that Thief has been cracked and, from Eidos' attitude, my only option is to get a pirate version. That is what copy 'protection' does.
It has also had another effect. I can no longer be certain that their games will not use undocumented features that may not work on my machine, so I can't take the risk to buy them.
Are you testing the full CF package or just the Linux 'stub'?
... Sun could just compile and distribute their own distribution. The GPL guarrantees their right to do that.
BTW, I've a nasty suspicion that the UF and SegFault things are real - it's been building up to this for a month or so.
These actions can be performed on the horizontal or vertical axis or both!