Monday, May 04, 2009

Security Slugfests: Curious Full Circle Version

Some interesting bits these past weeks on the Windows security front.

[Note: all product names are assumed owned by and trademarked by their representative corporations or organizations…we are all respectful adults here (I hope!).]

Going Gumshoe

Harlan’s Windows Incident Response blog post Windows Incident Response: Tools contained a nice shout-out (Cheers!) as well as introduction to a neat new tool (to me).

Internet Evidence Finder – JADSoftware – Free tool that “…searches for Facebook chat messages and page fragments, Yahoo chat, and MSN chat messages on drives and within memory dumps”.  Given the proliferation of these type of social networking sites as well as a workplace with many users dependent on them for socializing (or other things…) having a tool geared for searching a system for usage is quite handy.

I’ve “registered” and downloaded it but haven’t had a chance to toss it at a system where I know Facebook usage is present.  Harlan’s post has some great positive feedback on it so I’m looking forward to the report results.

Harlan then dropped this Windows Incident Response: e-Evidence updates post all full of goodies!

Links are a-plenty on forensics and incident response presentations and papers.

However, from the sysadmin perspective, I really found great value in Diane Barrett’s presentation on Virtual Traces,  Being interested in local-system usage of virtualization (Virtual PC, VirtualBox, VMWare, etc.) it had a lot of great material.  I’m also interested in how the new Windows 7 XPM mode virtualization will come into play both from a forensics perspective as well as incident response.

Read Harlan’s post, view the presentation, then check the comments section on his post for some additional thoughts I left and others have responded to.  It’s a fun discussion.

Windows 7 Soup: No AutoPlay for You!

Windows 7 will bring a new security “feature”.  Turns out that the latest version of Windows 7 RC will now no longer auto-play (most) removable media such as USB drives.  CD/DVD media will still be allowed. Somehow that is seen as less of a threat-vector.  Not quite sure that is the case.

For the technicals, please see the following posts.

Improvements to AutoPlay - Engineering Windows 7 blog

AutoRun changes in Windows 7 - Security Research & Defense blog

AutoRun To Be Disabled, But Not Completely - Sûnnet Beskerming blog

Anyway, while a nice move forward, it doesn’t currently have an XP/Vista patch counterpart.

There are still lots of other solutions for XP/Vista that you can try in the meantime:

My USB Security: AutoRunGuard, Encryption options, and Forensics post details Didier Stevens’ USBVirusScan which can be configured to launch an AV application when a USB stick gets inserted. Then there was AutoRunGuard – a freeware bat-file work combined with Didier’s USBVirusScan tool. It also mentions a few auto-run threats and related issues.

For some other USB defenses for XP/Vista consider Panda USB and AutoRun Vaccine - (freeware) - Panda Research Blog provides a two-stage tool.  Stage one locks down your entire system from auto-run exploit.  Stage two renders any USB drive that the tool is applied to “inoculated” against infection by an auto-play vectoring malware infection.  Read carefully before applying.  Some could be “permanent” (at least without reformatting the removable device). 

Hype-free security bloggist cdman83 has a good analysis on that tool: How does the Panda USB vaccination work?

For the “party-line” solution, see Microsoft Security Advisory (967940): Update for Windows Autorun (fixes the not-quite working completely patch).

And finally, don’t forget about the free utility AutoRun Eater - This neat security utility provides a different take.  It runs in the system tray full-time and monitors execution of autorun files when devices are inserted or executed.  Upon discovery it first performs an analysis. If a suspicious pattern is found, it blocks execution, tosses up a dialog window, and presents the suspicious code.  Then it allows the user to block or ignore execution.  Amazingly clever.  Certainly not a cure-all, but it might very well provide a first and easy to use line of defense for non-technical users as well as experienced system administrators who don’t want to use some of the tougher/lock-down methods against blocking all autorun executions.

Nice to see Windows 7 is covered (somewhat) but we need it extended to XP and Vista (natively) as well.

Going Hatfield/McCoy

Apparently, PGP® didn’t like ElcomSoft’s booth at a recent security conference. Things got all ugly and stuff.

PGP takes action against Elcomsoft - The H Security

ElcomSoft claimed (kinda) it’s product could break PGP® encrypted systems.

PGP® say “oh no you did’nt”

And ElcomSoft say “Oh yeah we did”

The conference organizer did a take-down of a ElcomSoft booth sign…

And the gloves came off in a coldly polite blog-war.

What does “The only way to break into PGP” mean? – ElcomSoft Blog

Lies, Damned Lies, and Marketing – PGP® Blog

You Might Need a Longer Passphrase – PGP® Blog

I’ve read the materials.  I’m no crypto expert or certified security guru.  That said as far as my unsophisticated brain works here’s how I see it.  ElcomSoft has a method to go at the passphrase used by PGP® whole-disk encryption solutions which (given enough time and computing resources) can either theroretically or realistically allow entry onto a PGP® WDE system.  It doesn’t break the crypto algorithms used by PGP®.   Nor do ElcomSoft claim to do so (to the best of my reading).  They just use their software and techniques to brute-force the user’s PGP® passphrase to gain entry to the disk.  PGP® called “shenanigans” due to some technical reading about ElcomSoft’s claim.

Reminded me embarrassingly of a former presidents public statements regarding a former intern and “technically” being correct in his wordage/point but in common application, it wasn’t much different.

Anyway….before someone on one of these sides pulls out a blue-dress stashed in the closet, my take as a silly end-user and lowly sysadmin is that it is interesting that ElcomSoft does offer a tool that given enough time and power, could possibly be used by an investigator to breach a PGP® WDE system.

Of course, if you are deploying PGP® WDE in an enterprise solution and using their Universal Server configuration, then you should have access to the system’s PGP® WDE recovery token that would be sufficient to gain access to the full drive contents with no fluff or fuss.

I’m not taking sides here.  We use PGP® WDE solutions and it is a very mature and rock-solid security solution.  Good stuff.

And I’ve used some of ElcomSoft’s tools for getting into passworded/secured Microsoft Office documents and files.  It too was a mature a rock-solid security solution.

Two good products with two company leaders who feel a need to support their products.

That’s all.

While we are speaking about encryption….

TrueCrypt Hunting

Before I go any further, I must say that while we use PGP® WDE solution at work, an excellent and highly regarded Open Source whole-disk encryption solution (as well as hidden encrypted volume solutions) is TrueCrypt.

I like it a lot.  Probably the majority of users of this product use it for legitimate reasons; to secure their personal and private data from loss in the event of theft or loss of their system hard-drive(s), or to keep data from unauthorized organizations, governments, or other agencies.

However, I would imagine that some folks (tin-foil hat wearing or nefarious) might find benefit in hiding and encrypting data from law-enforcement or employers.

In these specific cases, incident responders and law-enforcement officers might need a method to try to locate these hidden and encrypted volumes for their investigation.

(Additional homework reading: IANAL but you might find context benefit in this Cyb3rcrim3 blog post: Unlawful Use of Encryption as well as these other related posts on the encryption subject for fresh legal perspectives.)

It’s one thing to identify that a disk/image contains known/visible files for review and inspection.  It’s also pretty easy to see that whole-disk-encryption has been applied to a volume or physical drive. It’s a lot harder to try to find something that doesn’t normally exist or give away its presence by design such as a hidden volume or TrueCrypt file.  Kind of an anti-forensics technique of stealth. TrueCrypt refers to this as plausible deniability.

[TrueCrypt] provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography) and hidden operating system.
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

If the investigator doesn’t know it is present, and there isn’t any clues that the subject has been using TrueCrypt, it might go completely unnoticed by average system administrators or incident responders, although I am sure trained and skilled forensic examiners might have a bit easier time knowing what to look for.

So it was with interest I spotted this post:

Truecrypt now detectable – 8 bits blog

Turns out that Forensic Innovations, Inc. has updated their forensic investigation product File Investigator TOOLS version 2.23 with a method that identifies possible hidden TrueCrypt volumes.

It doesn’t guarantee that what it finds are actually hidden TrueCrypt volumes, but it does (as claimed) highlight these areas as worth of additional focus to the investigator.  Nor does it claim to be able to break into or decrypt said TrueCrypt volumes if found.

From their company blog post: TrueCrypt is now Detectable

What’s the value in finding encrypted data, that you can’t decrypt?  It’s up to you how you leverage the information that our tool provides.  Use it to entice the encryption key from a suspect, show the withholding of potential evidence in a case or catch your employees hiding data on company computers.

Forensic Innovations, Inc. is offering their latest tool for a free-trial. So check it out if you think this might be useful.

Both the 8-bits post as well as the Forensic Innovations, Inc. post have a number of comments worth reading from TrueCrypt defenders.  It’s worth reading the comments and hopping over to a few of the TrueCrypt forum threads offered for some more contextual reading on the subject of this tool and TrueCrypt fans on just how effective they perceive it to be under specific TrueCrypt container generating scenarios.

Another freeware tool that purports a good success-rate with finding certain crafted hidden TrueCrypt volumes on a disk is TCHunt

TCHunt Quickly Find TrueCrypt Volumes – 16 Systems

The tool is free and the page has some great and interesting background info on how they have analyzed TrueCrypt volumes/patters to possibly identify them.  It’s cool stuff.

Again, your mileage may vary depending on TrueCrypt specifics. And, like in the case of the forensic product, there is a TrueCrypt forum thread on this product as well: TrueCrypt Forums :: TCHunt?

Which is what leads me back, full-circle, to JADSoftware again first mentioned at the top of this post.

While downloading that tool I saw the following: JADsoftware - EDD home page

EDD stands for “Encrypted Disk Detector” which is a command-line tool wrapped in an executable launcher.

It was just released on May 2nd, this past Saturday.

What it does

Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for Bitlocker® volumes.

Why use it?

EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.


  • Currently only TrueCrypt, PGP®, and Bitlocker® encrypted volumes are detected by EDD. Detection of more encryption products will be added to later versions.

How cool is that release timing in light of these other posts?

Which then just reminded me of the free ZeroView tool over at Technology Pathways:

"Ever worry that the system you are seizing uses whole disk encryption? Use ZeroViewTM freeware to find out." Burn ZeroView to a CD then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0 allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, then you can take the appropriate steps to capture and preserve the data you need.

Download link is on the page just past half-way down.

I’m sure there are some additional freeware and $ tools for looking for and detecting hidden (or not) encrypted partitions, physical drives, and files.  If you know of other legitimate and good tools, please feel free to leave them in the comments.


Happy searching!

Claus V.

No comments: