Sunday, July 11, 2010

What's next in Volume Shadow Copies...?

Having just attended a presentation by Mark McKinnon (RedWolf Computer Forensics) and Lee Whitfield (Disklabs and Forensic4cast) at the SANS What Works in Forensics and Incident Response Summit 2010, I'd like to make a few comments on the excellent presentation by Mark and Lee. 


The presentation was on Volume Shadow Copies and started with a detailed description of what is currently known about this relatively new avenue in digital forensics.  From the information presented in this 1 hr presentation, if you have not started to think about Volume Shadow Copies, you had better start paying attention in the months to come.  While the process of getting information is moderately complex, the amount of information produced by the Volume Shadow Service will eventually be one of those tasks we must not ignore.  The presentation did a live demo of the product, and gave us an idea of just what we're missing.  While the state of the file may be dependent on the quality/existence of the previous snapshots in place, Mark and Lee have developed a tools which intends to automate the Volume Shadow Copy recovery process.  Timeline to release you ask....?  The authors indicated a few months.  They appear very committed to releasing a stable and tested product.


From their new site for Shadow Analyzer, here's a small idea of what the product can recover:
Shadow Analyser eliminates the hassle of analysing Microsoft volume shadow files. It allows a digital forensic investigators to take a disk image and, using that image:
■view the contents of the hard disk drive at a point in time
■recover deleted and erased files
■extract older versions of current files
■view historic date and time information for all files, both live and deleted
■view changes to files across days, weeks, or even months
■extract complete files from volume shadow files
The authors are putting a lot of time into the development of this tool; the shear volume of information that they are finding within the Volume Shadow Copies seems to be a driving force and motivation behind getting this tool to the end-stages of development.  You can follow their development on Twitter as well at @ShadowAnalyzer  .

Keep up the progress guys.....great presentation and even greater tool !!  Oh yeah....forgot to mention, the tool will be "tri-platform" - Win, Linux and Mac.

For more information on Volume Shadow Copies, take a look here:
Into the Shadows
Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7 (pdf)
Volume Shadow Copy Forensics - the Robocopy method Part 1
Volume Shadow Copy Forensics - the Robocopy method Part 2

More to come on the Summit...it's take days to digest!

Sunday, July 4, 2010

The iPhone and Corporate Security

I have done my fair share of mobile analyses over the last 4-5 years including logical extractions of Blackberry's and both logical and physical extractions of iPhones.  With a larger number of cellular providers carrying iPhones, I am often asked to compare the Blackberry to the iPhone within a corporate domain.

While I understand that the iPhone is constantly increasing the number of "apps" that they carry, I simply cannot find a logical reason why a corporation (who presumably does not want company information/secrets shared with the world) would opt to incorporate the iPhone into it's corporate enterprise.

As recent as last week, I was reminded that many corporations will almost always opt for "availability" over "confidentiality".  While I believe that both are important, I simply do not see why a company would so severely sacrifice data integrity as to choose the iPhone over the Blackberry. 

Let's look at a few ideas with which to draw a comparison:
- the iPhone allows both a logical and full physical extraction of it's user partition.
- the iPhone password can be bypassed with a known commercial technique.
- Insofar as data, the iPhone retains vasts amount of data in relatively easy to extract/read format.  The use of EnCase and FTK to analyze a physical iPhone partition exposes just how robust the information is.

- there are no commercial techniques to bypass the Blackberry password (yes, I know about BES pwd resets, looking for IPD backups, etc).
- Blackberry does not seem to have jumped on the "app train", pushing out new apps each day. (this is good, no?)

So I ask....beyond being the "new kid with a new toy", why are companies asking about iPhones and security?

Last time I did an iPhone analysis, I mentioned to my colleagues that we ought to be classifying the iPhone analysis the SAME as a full Mac analysis.  File structure, artifacts, geo information, Internet History, Email, ....  it may just be my .02 cents, but any company with any sense of security ought to give this a very long, hard look before seriously considering an iPhone within their corporate domain.

ps...note to Apple....why has it taken you so long to realize this.  (or have you already realized it and simply believe that pushing out "apps" for the home market would be more lucrative?  (huh?))