Post on 07-Apr-2018
transcript
8/6/2019 Computer_Counter-Forensics Darren Chaker
1/12
Computer Counter-Forensics
By Rodrigo Farnham & Chris Miceli
Concerns on Data
Computer seizure concerns:
  Image hard drive
  Recover deleted files
  Bypass OS file security mechanisms
  Swap file, hibernation, filesystem metadata
  Cookies, Cache, Local Shared Objects (Flash Cookies)
  Wear leveling on solid state drives
Flash cookies after clearing privacy
Non-holistic solutions
There is software available that scrubs sensitive data from the system.
Less than ideal because data can remain in unexpected areas:
  Registry
  Swap
  Spotlight database
Concerns on Data
Live acquisition concerns:
  Image RAM
    Cold boot attack
    Firewire: complete memory access
  Keylogger
  Van Eck phreaking
  Tamper with system
  Screen unlock
    Beryl, Starcraft
Preventative Measures
To Protect Data
  Wipe disks before usage
    Random fill
  Shred files
  Encrypt
    Wear leveling: encrypt prior to use
    Make password harder to crack than key
    English sentences have surprisingly little entropy, employ caution
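The "make the password harder to crack than the key" point above, as an added worked example that is not part of the slides: it estimates how much entropy an English-sentence passphrase really carries and compares it with the key it unlocks. Assumed constants (not from the deck): Shannon's rough figure of about 1.3 bits per letter of English prose, and the 7776-word Diceware list as the contrasting random-word scheme.

```python
import math

# Assumed constants (not from the slides): Shannon's estimate for printed
# English is roughly 1.0-1.5 bits per letter; 7776 is the Diceware list size.
ENGLISH_BITS_PER_LETTER = 1.3
DICEWARE_LIST_SIZE = 7776


def english_sentence_bits(sentence: str) -> float:
    """Rough entropy of a natural-language passphrase: only letters carry
    information (~1.3 bits each); spaces and punctuation are predictable."""
    letters = sum(1 for c in sentence if c.isalpha())
    return letters * ENGLISH_BITS_PER_LETTER


def diceware_bits(n_words: int) -> float:
    """Entropy of n words chosen uniformly at random from the Diceware list."""
    return n_words * math.log2(DICEWARE_LIST_SIZE)


def effective_bits(key_bits: float, passphrase_bits: float) -> float:
    """An attacker guesses whichever is cheaper, the raw key or the passphrase
    that unlocks it, so the weaker of the two is the real security level."""
    return min(key_bits, passphrase_bits)


def diceware_words_to_match(key_bits: int) -> int:
    """Fewest Diceware words whose entropy is at least that of the key."""
    return math.ceil(key_bits / math.log2(DICEWARE_LIST_SIZE))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a secret of the given entropy: on average
    half the space must be searched at the given guessing rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    key = 256  # e.g. an AES-256 volume key
    sentence = "the quick brown fox jumps over the lazy dog"  # constructed sample
    s_bits = english_sentence_bits(sentence)
    print(f"English sentence ({len(sentence)} chars): ~{s_bits:.0f} bits")
    print(f"Effective security with a {key}-bit key: "
          f"{effective_bits(key, s_bits):.0f} bits")
    print(f"Diceware words needed to match {key} bits: "
          f"{diceware_words_to_match(key)}")
    hours = expected_guess_seconds(s_bits, 1e9) / 3600
    print(f"At 1e9 guesses/s the sentence falls in ~{hours:.1f} hours")
```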
Data Encryption
Per-File Encryption
  Each file encrypted separately
  Does not guarantee sensitive material secure
Filesystem Encryption
  Filesystem encrypts each file
  Metadata unencrypted
Full Disk Encryption
  Every block written to disk fully encrypted
  Not a panacea
Concerns on Networking
Network traffic snooping
  ISP asked for logs
  Content providers asked for logs
  Honey pots
  Man in the middle attacks
Preventative Measures
To Protect Network
  Use wireless security
    WEP vulnerable to attack
    WPA vulnerable with TKIP
  End-to-end encryption
  Freenet
    Darknet support
    Can only access Freenet content
    Plausible deniability
    Encrypted data store
  Gnunet
Preventative Measures
Tor
  Onion Routing
  Access regular internet anonymously
  Hidden services
  Possible leak of identity
    Flash
    HTTP Referrer
    Timing attack
    Malicious nodes
  Low latency network vulnerable to timing attacks
Physical Security
Always prevent physical access to resources
  Some cryptosystems leave instrumental pieces of code vulnerable to adulteration.
  Disable FireWire DMA
  Don't leave unattended encrypted volumes mounted
  Best to have several rings of protection, so that compromises aren't all encompassing
Questions?
Resources
http://www.youtube.com/watch?v=JDaicPIgn9U
http://www.torproject.org/
http://freenetproject.org/
http://www.truecrypt.org/
  Cross platform volume encryption software. Supports full disk encryption on Windows with hidden OS capability
http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
  More information on FireWire exploits