Binary Intelligence

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

1/27/2009
Posted by Matt C

Encrypted Drive Standard

Although I applaud the effort and think it's a good thing, this article makes me wonder if our job is going to get a lot harder in the next few years.

The world's six largest computer drive makers today published the final specifications (download PDF) for a single, full-disk encryption standard that can be used across all hard disk drives, solid state drives (SSD) and encryption key management applications. Once enabled, any disk that uses the specification will be locked without a password -- and the password will be needed even before a computer boots.

The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks.
WashingtonPost.com

This story leaves a lot of questions unanswered. I am certainly curious how all of these terms are going to be defined. If a male employee gets fired and harasses his male ex-boss online, does the employee have to register as a sex offender when sex was never a motivating factor?

New Mexico is taking another look at cyberstalking with legislation that could mean serious prison time for those who use the Internet to harass someone.

Albuquerque Mayor Martin Chavez and two state lawmakers are proposing a new state law that would bump up cyberstalking to a felony and would force cyberstalkers to register as sex offenders.

1/21/2009
Posted by Jim

Inauguration Security

Great post up at Digital Bond about the inauguration security measures and how lessons learned can be applied to IT:


From the above you can see there are many trade-offs being made between security and convenience/cost. For example, Obama's limousine doesn't get great gas mileage, no one was servicing the manholes until they could be cut open, flights took longer and were delayed, businesses potentially lost money from being closed, people got wet if it rained. These are often the decisions that go in the other direction in our organizations. We let users trade attachments, browse the Internet, and use USB keys. Maybe it's time to start welding some of those manhole covers shut.

Just saw this story. Kudos to the guys at Forward Discovery for assisting LE. They also have an excellent Mac Forensics class if anyone's interested.

"We found a tremendous amount of Craigslist ads that were placed using that computer," said Ryan Johnson, a consultant with Forward Discovery, which was contracted to track down the electronic paper trail which wrapped up the case.

"And we also found e-mail to and from potential victims, as well as the victims who were robbed in this situation," Johnson said. "The computer evidence has shown to be very damning."

Diggs pleaded guilty in October and received an active sentence of 38 to 55 months in prison. Byrd pleaded guilty in November and received 20 to 33 months of probation.

1/13/2009
Posted by Jim

NSA Approved Smartphones

Next week's US presidential inauguration of Barack Obama will have one sour note for the Illinois senator. Sure, he's gonna be the leader of the free world, but the notorious BlackBerry addict will have to give up his smartphone -- and frankly, if given the choice, we'd probably choose cellphone over country. There is hope, however, as CNET outlines two Windows Mobile devices that met the NSA's seal of approval for governmental use back in 2007.
NSA-approved smartphones leaves Obama with some ugly choices

1/13/2009
Posted by Jim

Want to go to ShmooCon?

Want to go to ShmooCon but don't have a ticket? I have an extra I am looking to sell off. E-mail me if you are interested, jameso@elwood.net.

1/12/2009
Posted by Jim

The Text Generation

The question of what mobile computing is, and how mobile computing will be used in the future, keeps coming up. It was in 2000 when I went to just using laptops for all personal computing. Now, almost 10 years later, I am looking to mobile devices and how they might be able to replace my laptop.

So now, as we start 2009 and see that Nokia was the #1 computer maker in 2008, that Palm is back with a new mobile device, and that Sony is selling a computer to fit in your pocket, I think it is prudent to think about how this is going to affect the devices we look at for forensics in the future.

I find that I can type almost as fast with one thumb on my N95 as I do on a full keyboard, so what does that say about what devices I use? A 13 year old girl sends 14,528 text messages in one month; how fast does she type on the phone? My sister went a while with just using her iPhone as her only computing device, and did not miss her "computer" much. When I was at DefCon this year, my N95 became my primary computing device for the time, and got me by just fine.

So when working with these devices, where are the standards? We are stuck with a multitude of different devices and no clear winner on software that is best suited for investigations on these portable computers. And the issue is just going to get bigger.

The drivers are all in place for a snowball effect to start up, and if we are not ready for it there is a good chance we will just get plowed over.

1/12/2009
Posted by Matt C

State of Mac data forensics

Three issues surround the use of Macs in forensics. One is getting law enforcement and forensics experts familiar with Mac OS X and its file system. Apple's computers are as popular as they've ever been, selling in record numbers. Both Blackbag and SubRosaSoft offer training and consulting on Mac-based forensics. Since many OS X apps store data in standardized and well-documented ways built into the system, this actually helps law enforcement separate the wheat from the chaff; in other words, separating important evidence from the billions of bits filling up the average hard drive.

Read More from ars technica.

1/12/2009
Posted by Matt C

Federal auditors launch forensics teams

Forensic auditing combines advanced computer investigative work — such as data mining and analysis, combing the content of computer hard drives, and conducting in-depth Web searches — with traditional auditing and accounting techniques to investigate fraud.

The General Services Administration inspector general's office last summer rolled out a five-person team devoted to using forensic auditing techniques to dig up evidence of fraud. Other agencies, such as Defense Department agencies, NASA and the Environmental Protection Agency, are doing the same. And still other agencies are considering starting new forensics auditing teams at the urging of the National Procurement Fraud Task Force, an interagency group that promotes the prevention, early detection and prosecution of fraud.

1/11/2009
Posted by Matt C

Alternate Sources of Evidence

A while back I did a presentation on why digital forensics will always win. It seems there has been so much emphasis as of late on anti-forensic tools. I had seen someone else give a presentation encouraging others to write anti-forensics software, because he was too lazy to do it. That really summed a lot of things up for me.

I won't rehash my presentation here, but I saw this article and really found it interesting. Digital images can be used to track back to their model of camera in about 90% of cases, without the use of metadata.

What else can we do that with? Would we be able to record a cell phone conversation, have special software listen to the static, popping, and hissing that we normally don't hear, and determine what kind of phone the person was using? Can we look at the computer chip and logs in a vehicle and determine their last speeds, gear shifting, braking, and similar items that might help prove what route they took at a certain time? Can we look at digital thermostats or new air conditioning systems to see how often they cycled to prove if someone (or more than one person) was home at the time, using the oven, or otherwise heating up the place?

I don't know all these answers, but the point is that there are a lot of potential pieces of evidence that exist far beyond just a computer system. I'd like to expand on this post soon and make a nice list of useful "non-traditional" evidence items. Anyone have any they'd like to share?

NYPD Wants to Jam Cell Phones During Terror Attack

In testimony today before the Senate Committee on Homeland Security and Governmental Affairs, New York Police Commissioner Ray Kelly (pictured) said he wanted to take out that "formidable capacity to adjust tactics while attacks are underway."

1/11/2009
Posted by Jim

Cost of a Breach

Good post up about the cost of a data security breach to Maine banks:

So let's see... 71 of 75 institutions in Maine were affected, although 53 of those were the Hannaford incident. One in three breaches resulted in fraudulent transfers.

1/08/2009
Posted by Matt C

Cell Phone SIM Challenge

Greg Smith at TrewMTE has posted an interesting challenge. If you've ever done in-depth work on a SIM card, this may be right up your alley.

So does that mean a particular EF under the MF in SIM with a logical address 3F00 0000 is always going to be the CHV1 file and would the raw data from that EF reveal a user's PIN number?

Below are raw data extracts from three phases of SIM cards - Phase 1, Phase 2 and Phase 3 (2+) and harvested from the Master File (MF) 3F00 and an unnamed EF immediately under the MF with an address 3F00 0000.

Your challenge, if you are interested, is to examine the raw data and corroborate whether the data reveals a user's CHV1 (PIN number) or not.
Read More

1/06/2009
Posted by Jim

Reversing

It is not uncommon in the course of a forensic investigation for us to have to load up some software we find on a piece of evidence and start to reverse it. That process has been very helpful to us in the past.

It does not always bear fruit. I can think of one instance a few months ago where I spent a fair amount of time reversing out an "odd" executable that Matt discovered on a system that we thought might be malware. It had all the common signs: it was packed, ran on start up, installed in an odd location, modified networking information on boot, would auto shut down if there was no network present, etc. After spending a couple of hours on it, it turned out it was simply a sysadmin's way of enforcing that users made use of the VPN correctly, had proper route tables, and had the Windows firewall policy set correctly. (They just went about it in a very odd way!)

But on the other hand, at times you can get a real gem.

I have read some reports stating that "suspect malware was discovered which likely altered the ..." etc. etc. From my point of view, that is bull. There should be no such thing as "suspect" malware. It is, or it is not. And it is your job to find out which it is.

Reverse the application, determine what it is doing, and document it.

Not always that easy to do, however, especially when you have not done it before. On that note, I came across a blog post tonight which I thought would make a great starting point for you if this is something that interests you:

Back in September a friend had pointed me to a little contest being held online called 'The 2008 Malware Challenge'. The Malware Challenge was created to establish a fun way for folks to get their hands dirty with reverse engineering by analyzing real world malware. The organizers of the contest realize the need for these skills in this day and age, especially for IT administrators and such to be able to keep networks safe.
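As an added illustration of the first static triage step behind the post above (this is example code written for this page, not the authors' tooling and not anything from the Malware Challenge), the script below walks the section table of a PE file and flags two of the "common signs" mentioned: a well-known packer section name and high byte entropy, which is what "it was packed" usually looks like before you load the file into a debugger. The sample it runs on is a constructed minimal PE layout built in memory, not a real executable, and the packer-name set is a short assumed subset. As the post itself shows, a flag only means the file deserves a closer look; the verdict still comes from reversing it and documenting what it does.

```python
import math
import struct
from collections import Counter

# Small, assumed subset of section names that common packers leave behind.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for a constant run, 8.0 for uniform bytes.
    Packed or encrypted sections typically sit above ~7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(blob: bytes):
    """Walk the PE headers and return [(section_name, raw_bytes), ...].
    Only the fields needed to locate each section's raw data are read."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_opt_hdr                     # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, table + 40 * i)
        clean = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((clean, blob[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Static triage: per-section entropy plus the two indicators above.
    A flag means 'worth reversing', not 'malicious'."""
    report = {}
    for name, data in parse_sections(blob):
        ent = shannon_entropy(data)
        flags = []
        if name in KNOWN_PACKER_SECTIONS:
            flags.append("known-packer-name")
        if ent >= entropy_threshold:
            flags.append("high-entropy")
        report[name] = {"entropy": round(ent, 2), "flags": flags}
    return report


def build_fake_pe(sections) -> bytes:
    """Constructed test fixture: DOS stub pointer, COFF header and a real
    section-table layout, but no optional header and no code. Not runnable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt_hdr = 0
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              size_opt_hdr, 0x0102)
    table_off = e_lfanew + 4 + 20 + size_opt_hdr
    raw_off = table_off + 40 * len(sections)
    table, payload = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(data), 0x1000, len(data), raw_off + len(payload),
                             0, 0, 0, 0, 0x60000020)
        payload += data
    return dos_header + b"PE\0\0" + coff_header + table + payload


def sample_blob() -> bytes:
    """Constructed sample: a low-entropy .text and a UPX-style section whose
    bytes are perfectly uniform (entropy exactly 8.0)."""
    return build_fake_pe([
        (".text", b"hello world\n" * 300),
        ("UPX1", bytes(range(256)) * 16),
    ])


if __name__ == "__main__":
    for name, info in triage(sample_blob()).items():
        print(f"{name:8s} entropy={info['entropy']:.2f} flags={info['flags']}")
```

Run it on a real file with `triage(open(path, "rb").read())`. Entropy alone misclassifies legitimately compressed resources and signed installers, which is exactly why the post's "odd" VPN-enforcement binary looked like malware at this stage and only reversing settled it.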
