19 October 2006

Expert Advice for Computer Forensics

My MC works in Computer Forensics. In essence, he has a warrant to search a laptop computer. The laptop has been connected to a corporate system and the user had high-level administrative privileges on the network. He is in physical possession of the laptop and can start it, slave it, remove the HD and examine it remotely. The one thing I really don't want him to do is physically work on the laptop in any way other than his initial set-up, in other words, put it in an environment where he can get to it via a VPN from his own device and keep it firewalled from infecting his systems if it is contagious.

1. What kind of protection of files will my detective encounter when he cracks the laptop?
2. What tools would he typically use to gain access to passwords or other secure information?
3. How would he identify various security protocols (like encryption or file fuzzing) and how would he break through them?
4. How long would it take to gain access to the corporate network if he had the laptop in range to access the corporate wifi net?

The answers to these will undoubtedly bring up a number of others, but I've found your previous answers to questions to be most informative and enjoyable. Thank you for sharing your expertise!

If he's removing the hard drive, he has no reason to ever boot up the laptop. Use it as a secondary drive in another system, and everything is his, assuming it's your typical windows or mac box (and even most unix boxes). Only the rare system indeed has an actually encrypted hard drive.

What sort of passwords are we talking about here? Passwords to online sites? You could look through the browser cache or use the default methods (trojans, social engineering, dictionary attacks, etc). Passwords to encrypted files? The only good way to get those are the default methods. If you want to scan the entire hard drive for information that might be out there (deleted or not), I personally would use 'dd' and grep the output for a string that I expected to be near the given type of password that I'm looking for.

Note that with many things, a password is far from the only way to get into a system. Unexpired session information, for example, can do the trick.

Most encrypted files are quite obvious that they're encrypted. That's the difference between encryption and steganography -- encryption is out in the open but algorithmically scrambled. Steganography is covert encoding of information into data so that one doesn't know that the data is there. Cracking good, modern encryption (none of this 40 bit nonsense) is essentially impossible. However, there are always "tricks" for a given situation.

Example: During the early 1980s, American encryption was essentially impossible for the Soviets to crack. That didn't stop them. I had a friend who worked in SIGINT at the time, and they started realizing that the Soviets knew what was going on in US encrypted channels during American war games. How did they do it? They ignored what data they were seing. Instead, they payed attention to the patterns in transmissions -- when they started, how long they lasted for, what the back and forth was, etc. From that, they could deduce what was being sent. ;)

How long to gain access to a corporate network with a laptop that used to be on the network? Instantly, if they can log in. ;) Even easier, with WiFi, you often can just sniff passwords and/or spoof MAC addresses; it's often very poorly secured. Even if they use WEP, there's programs like AirSnort. You really need WPA or WPA-2 to have any sort of decent security. Security conferences have been known to post the passwords of people who connect to WiFi during them. ;)

Lets pretend that it's a secure wireless network. If the laptop is a "home edition", or isn't configured well, the administrator password (safe mode) will be blank by default, so they could easily use that to log in. Lets assume it's not. You can do things like replace logon.scr with cmd.exe or explorer.exe. Or you can use one of the half-million tools to get/change user account passwords .

Did I mention that Windows is really insecure? ;)

The only way to get an actually "secure" laptop out there is to use a Unix distro that has an honest-to-god encrypted hard disk. Most unix systems, by far, don't do this. Only the most paranoid actually have encrypted partitions. I once kept my mp3s and videos on an encrypted partition. It was a pain; I decided it wasn't worth it.

If the hard disk itself is encrypted, you're in trouble. You need to go back to the aforementioned possibilities -- trojans, social engineering, dictionary attacks, getting passwords from other sources and seing if they work on the hard drive, etc.

@Wayzgoose - This is not very different from a forensic project that I am working on right now. The main thing is that if any of his findings are to be used as evidence in court, then he will need to assure the courts that nothing he did has changed the content of that drive. So in all likelyhood, he would remove the drive and attach it to a write-block device - usually they act as IDE-to-Firewire devices but they proevent anything from writng to the laptop drive. He would make at least two copies of the drive, evidence bag the laptop drive and also one copy. Then he would make multiple copies of his second copy and use those for his analysis.

If he needed to run the executable code on the drive, he would probably do it from within a VM sandbox. Using a virtual machine that has limited connectivity it can't infect anything else. There are tools that would change the hardware drivers to allow the image to work well with the virtualized hardware.

This is if his data is going to court. Now this sort of analysis does not require a warrant - that is used to grab the system and bring it to him. The case i have now we are investigating an executive, but obtained the image of his drive without his knowledge. This did not require a warrant, but rather the permission of the owner of the laptop - the employing corporation.

For quick work like that, I like to use a bootable Live Linux CD based on Knoppix or Slax. Helix is an example of a forensic toolkit of open source tools that is free and very useful - I can attach a USB drive and copy the image to the USB drive wthout ever booting the laptop's os (it booted from CD). If he's a professional and/or law enforcement he is most likely to use EnCase or The Forensiscs Toolkit (TFK) as his primary analysis tool and Helix supports both their native formats. If not, Helix has a batch of tools itself.

Helix used to have a set of tools for lifting tha SAM and other password-realted files, but recent versions have removed those tools. I use another live CD called Backtrack to do that sort of work and copy them to the USB drive for later password analysis. I can crack the passwords with a dictionary attack in a short while (about 85% of the paswords) but more and more for really complex passwords, i can subscribe to a Rainbow cracking service or have the database locally - these are essentally databases of the hashed passwords to compare with what s on the disk so I just find the matching hash and I know the password. depending upon complexity, these databases can run up to a terabyte (1024 Gb) or more. These are widely available to download off the web or there are even web services that rent you the computer and database. My local law enforcement forensics lab just keeps a set on a system just for that purpose.

As to encryption, that is an interesting question. I had a chance to talk about a major FBI sting operation with some of their forensics specialists and i was curious as to how much encryption they were running into from the collected computers they were analyzing. Their answer shocked me - none at all. In this case, the criminals didn't want anything to get between them and their content. In a different case the man in Seattle accused of murdering the parents and raping and killing the brother of the girl that was rescued was a self-styled computer expert and the clipping I read had him boasting that they will need decades to decrypt the data for his possible involvement with other victims.

While not computer related, recently a mob boss was found to have used a "ceasar cypher" thousands of years old to encrypt his paper notes - not realizing how easily it could be ed today. Bruce Schneir wrote about it a while ago.

Just some extra data for you....

Interesting to know that people working in computer forensics use Knoppix! Quick question: if you're making a complete disk image, why do you need to have tools to lift the password with you? With an image, it seems you could do that back in your office when there aren't as strict time constraints.

Heh, I got a good kick out of the Bernardo Provenzano case when I first read about it, too. ;) That's what you get when you try to use a principle that you don't understand. Really, though, most people wouldn't know how to even encrypt a file if their life depended on it, let alone to use an encrypted loopback filesystem.


Phil said...

Thanks for this post. I'm studying to be a computer forensics expert and there's lots of a good information here!

Wayzgoose said...

Thanks Phil. If you are into fiction as well as the real thing, next Friday you'll be able to buy my novel "For Blood or Money" at http://www.longtalepress.com. Hope you enjoy!

Computer Forensics said...

Unluckily, after facing the RAID malfunction, several businesses give up the hope that the data is inaccessible and there is no chance of recovery. When the RAID failure occurs, most think that it is the end of line for the data- if RAID is broken then there is no method for data recovery. This is simply wrong and businesses need to understand that there are options to recover data. RAID Data Recoveryservice provider experts can fix this king of data loss problems.