Sunday, February 24, 2008

Miscellaneous Computer Forensic Topics

Case Study # 1

This week there was a little bitty paper released by Princeton researchers:

Lest We Remember: Cold Boot Attacks on Encryption Keys

Turns out it caused quite a buzz.

The researchers successfully defeated four popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux and even the Open Source program TrueCrypt versions 4.3a and 5.0a running on a Linux system.

At the heart of their attack success is the fact that DRAM chips still tend to retain data when a system is shut down for a brief window of time. If the chips are cooled and/or forensically inspected within the window, methods for recovery of the encryption keys may be applied and the drive unencrypted with the information.

(Literally) cool stuff.

Yes, it is does require a focused attack method as the system must already be up and running (say in a locked "hibernation/sleep" mode or grabbed and immediately applied right after a full system shutdown.

I do find it interesting in light of corporations (and some private users) turning to drive-encryption solutions to deal with data-loss from laptops and other storage devices.

Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.

Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents.

SANS-ISC Handler's Diary picks up with the dramatic-sounding post: In memory of hard disk encryption?

As they point out, disk encryption is but one (though important) layer in the process of securing data on a portable (or non-portable) device.

Now incident responders need to add a few more questions during their pre/post loss assessment. Modifying slightly the list that ISC Handler Swa Frantzen provided:

  1. Was the sensitive data on the laptop/device encrypted?  If no, why not?
  2. Why was that data sensitive?
  3. Are there no better ways to do what that data does?
  4. Why was sensitive data stored on a portable device?
  5. Where was the absolute need to have the sensitive data?
  6. Why was the sensitive data mixed in with less sensitive data?
  7. Why was sensitive data allowed out of the organization that collected it?
  8. Why was a laptop containing sensitive data left unattended?
  9. How long ago was the laptop turned off ?
  10. Was the laptop turned off, or just asleep?
  11. What encryption product was used and does it wipe its keys from RAM upon shutdown or sleep actions?

While it gives the "bad-guys" some new techniques, it also gives forensics investigators the same techniques to consider and use during a seizure event if the target system is suspected to be using drive-encryption and acquisition of the password is suspect or impossible.

Computer forensics author Harlan Carvey mentioned in his post on this study that "...TechPathways provides a tool called ZeroView, which can reportedly be used to detect [whole disk encryption]."

There is also a PDF file from Technology Pathways that address some of the issues related to whole disk encryption detection and capture.

While most will see this as mostly an "academic/forensics" issue, I think it bodes a warning against complacency by corporate and government end-users who might have encrypted devices and let their guard down a few notches.

If an end user say, places their encrypted laptop in a "sleep/hibernation" state (say hanging out at the airport getting ready to go through screening or in a conference setting during a break) and let their guard down thinking "it's encrypted, what's the worry?" the attacker could seize the laptop while still "hot" (although locked) and use these methods to latter attack it at their convenience.

See also these related Princeton project items

Case Study #2

Harlan also posted a great introductory list of freeware forensic software/resource links this week.

Getting started, or forensic analysis on the cheap - The Windows Incident Response Blog

Provided is a nice list of links to Imaging tools, Image/File Integrity Verification, Images/Analysis Challenges, Analysis Applications, Mounting/Booting Images, Analysis Tools, File Analysis, File Carving, Browser History, Archive Utilities, AV and Related Tools, and Packet Capture and Analysis.

As I mentioned in the post comments there, I'm not a forensics guy but I do find as a sysadmin that many of the principles and methods are useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. It also provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division so I don't accidentally compromise something in my initial response and assessment.  Always good skills for anyone who deals with desktop support to have and be on the lookout for.

Case Study #3

I knew the LiveCD list has a number of Linux distributions that focus on workstation forensics.

These are disks that can "live boot" a target system and perform data inspection, case documentation, and other activities without touching the target system.

They should provide a wealth of good tools and activities for budding and experienced forensics experts alike to become familiar with.

Here are the project items that seem to still be (somewhat) actively maintained:

Plan-B- quoting from the developer - "Plan-B is a bootable Linux environment without the need for a hard drive, it runs entirely in ram or from the cd, based on a basic, stripped installation of Red Hat Linux and the fundamental workings of the SuperRescue CD. A list of tools and utilities are also included for projects such as: Forensics/Data Recovery, System/Network Analysis and Security Scanning, Temporary Network Device/Server, IDS / NIDS System, and Network Status Report Creation." - Security Tools, Forensics Tools, and Audit Tools.

Helix- quoting from the developer - "Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.  Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix wil not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Helix focuses on Incident Response & Forensics tools." - CD Contents

FIRE - Forensic and Incident Response Environment - quoting from the developer - "FIRE is a portable bootable cdrom based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. Also provides necessary tools for live forensics/analysis on win32, sparc solaris and x86 linux hosts just by mounting the cdrom and using trusted static binaries available in /statbins." - FIRE FAQ

FCCU GNU/Linux Forensic Boot CD - quoting from the developer - "This CD is based on  KNOPPIX by Klauss Knopper. It is a remaster that I made to use at my work as a computer forensic investigator. Its main purpose is to create images copies of devices before analyse. It does not use a lot of cpu cycles for unnecessary programs, that is why it drops you to a shell right after the boot. It recognizes lots of hardware (Thanks to Klauss Knopper). It leaves the target devices unaltered (It does not use the swap partitions found on the devices). It contains a lot of tools with forensic purpose."

Penguin Sleuth Bootable CD - The boot CD is still available, however the developer is also now working on a new project, a virtualized version of the package that can also master new bootable CD versions of itself. Sounds cool! Stay tuned for more details as they develop. Penguin Sleuth Kit Details and New Penguin Sleuth Kit Statement.

PLAC - Portable Linux Auditing CD - quoting from the developer - "PLAC is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools. ISO will be available and scripts to roll you own cd."

Case Study #4

It's important to be able to clearly and accurately document your case notes during your investigations.  There are many commercial solutions on the market, and these may be intimidating for someone to consider using, both from a cost and complexity standpoint. Some of the LiveCD tools above do contain audit and documentation tools that can be used.

Just this week I became aware of two such case-note applications that can run on Windows:

Technology Pathways ProDiscover Basic Edition - (freeware) - "...a complete GUI based computer forensic software package. It includes the ability to image, preserve, analyze and report on evidence found on a computer disk drive. It is freeware and may be used and shared without charge."  It comes in both a regular system install version as well as a portable USB U3 format installer .

QCC Information Security UK - Casenotes - (freeware) - "The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically." For more information download the PDF Quick Start Guide.  The Program does require the Microsoft .NET framework to run.  Note, you might get a registration page to complete before you reach the actual download page.  If this happens, I found that you can just leave all the fields blank and enter the captcha code only, and it will let you pass to the download page.

--QCC Casenotes spotted via the interesting Mobile Telephone Evidence blog.

Case Study #5

Tiny Apps points out that there is now a great tool that can be used to mount VMWare virtual disks and dd images under Windows.

Pretty clever stuff.

And, just by coincidence, the SANS-ISC Handler's Diary reported that VMWare has a flaw that could lead to malware on a virtual system leaking out onto the host system via shared folders. (Never a good idea have enabled in my humble opinion).

Critical VMware security alert for Windows-hosted VMware client versions - SANS-ISC Handler's Diary:

Workaround (from the VMware advisory)

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.
To disable shared folders in the Global settings:

  1. From the VMware product's menu, choose Edit > Preferences.

  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.

To disable shared folders for the individual virtual machine settings:

  1. From the VMware product's menu, choose VM > Settings.

  2. In the Options tab, select Shared Folders and Disable.

Happy hunting and gathering!

--Claus

1 comment:

Unknown said...

This is a great post! i'm studying to become a computer forensics expert and this post has been very helpful to me!