Wednesday, November 25, 2009

You just gotta think outside the box...the logical box that is!

I recently ran across an article published by well-knowned security researcher Joanna Rutkowska. She prepared a very detailed article on a new attacked she calls the "Evil Maid Attack" - named after a possible "vector of attack." An attack can be launched by an infected USB thumbdrive (full .img image available on the site), which is inserted into a powered-down laptop. The laptop is booted to the USB drive, and after 1-2 minutes, the hard drive is infected with the "Evil Maid Attack." The next time the owner boots his laptop and enters his encryption password, it is captured for retrieval. The attacker simply boots the laptop a second time, again with the infected USB thumbdrive, and the password is displayed.

A full explanation for how this attack works is on her website. (hint...first 63sectors of Physical drive, locates TrueCrypt loader, launches attack to hook the TrueCrypt function that asks for the password.....)

When the image is run against anti-malware programs, the following results were obtained:
VirusTotal 1/41 (Sophos)
Jotti's 1/21 (Sophos)

Like I said.....you have to think outside of the "logical box".

Friday, November 13, 2009

Internet Evidence Finder - new release and more

Jad from JadSoftware has released v3.0 of Internet Evidence Finder. While the program has now made the move to commercial, I doubt you'll find another tools that is as effective at parsing out artifacts as does this program. The pricing ranges from $29.99 for a single licence, to $129.99 for an unlimited site licence. In the field of forensics, we pay more for add-ons.


I'm not sure where Jad finds the time, but he has added several more features. Included in the 10 new features are Limewire® ver 5.3.6 Search History, Limewire.props files, IE8 InPrivate/Recovery URLs, Yahoo!® Messenger Group Chat, Yahoo!® Webmail email, Hotmail® Webmail email, AOL® Instant Messenger chat logs, Messenger Plus!® chat logs, MySpace® chat, Bebo® chat. He includes an index.htm page to index the some the searches and made several tweaks to the existing searches. The program is FREE for Law Enforcement use (thanks Jad!).

On top of that, he has created another program called Facebook JPG finder (v1.0.0). The program will search for images, and provide details about the date/times of the file, MD5, location, and possible ID/Profile name. He qualifies the program by indicating that the user must realize that the program locates the photo and cannot guarantee the photos are from Facebook.

Oh yeah...those in Law Enforcement and may be looking for an "Incident Response/Live Analysis" scripted tool, head on over to NRDFI.net . They have been kind enough to post the law enforcement version of DriveProphet for free use. I realize that those who consider themselves "masters" of all, this program (an in fact Cofee) can be defined as scripted tools that simply automate the use of other freely available tools. You know WHAT...we aren't all as gifted as others....we occasionally need formatted and trusted tools which we are confident will do the job, in a prompt and efficient time, and punch out a nicely formatted report for our investigations. Maybe it's just me, but I simply cannot recall the commands and switches for 20-50 commands, which I like to run during incident response. FWIW....

Wednesday, November 4, 2009

Raptor - another solid tool updated...


The folks over at Forward Discovery, Inc have updated their Intel-based Mac forensic boot-cd Raptor. You will find two versions of the product, one aimed at the Intel-based processor, and the other for the PPC (beta). I personally have used the Intel-based CD and found it to work flawlessly. Although Apple has been kind enough to make the hard drives in the recent MacBook Pro more accessible, the older versions are very difficult to disassemble; particularly if you may be required to image a device in a "time-sensitive" situation (and perhaps without others knowing ....).

Raptor can image in DD, EnCase .E01, DMG or even clone to a destination drive, which can be formatted FAT32, NTFS, EXT3 or HFS+. And for those who prefer to create a pristine, original image and a lab image to analyze, you can create two simultaneous images at the same time.

I haven't had an opportunity to use the PPC version, except for testing it on a few lab models. I recall having to play with the boot options to get the disk to boot properly.

That being said, I'm very anxious to get this image burn and "take 'er for a rip." This IS a tool you should have in your toolkit. From what I've seen in the forensic community, the staff at Forward Discovery are great to deal with as well.

I'll keep you updated.........