Marcus Carey of SunTzu security firm & founder of DoJoSec
The March 5th DoJoSec was the second of their monthly briefings I have attended. Although it is almost a three-hour drive from New Jersey, these evening sessions have been worth attending. I had to miss April's session because of schedule conflicts, but I plan to attend the upcoming sessions of what has been called "dinner theatre for security geeks."

Since the videos of the presentations are available (embedded & linked on this page), I won't bother summarising them in detail. Just watch the videos. Rather, I'll highlight some of the things I found especially interesting in the presentations.

iPhone Forensics - Walter Barr and Sean Morrissey

I had heard much about iPhone forensics from Jonathan Zdziarski, so I was interested in hearing what these fellows had to say on the subject.

One of the interesting aspects of the presentation was the influence of the speakers' different professional backgrounds when it came to the issue of "jailbreaking" iPhones in the course of forensic examination. Morrissey came out of a law enforcement background while Barr did not.

This difference was most evident when they covered "jailbreaking" iPhones to extract evidence data. Barr saw jailbreaking as an option. Morrissey strongly insisted that jailbreaking should not be used. Besides Apple's claim that jailbreaking iPhones is illegal, the use of "hacker tools" might open up challenges in court where opposing attorneys imply one is using "criminal" or somehow suspect tools. He exhorted the audience to do forensics right so we don't have bad cases, and alluded to the forensic problems in the O.J. murder case.

The "hacker tool" issue & the potential for court challenges stirred up quite a lively discussion during the Q&A. Some people pointed out that valuable security/forensics tools such as Wireshark could be maligned as "[criminal] hacker tools" and yet we use them, so why avoid jailbreaking tools?

The problem appears to be that jailbreaking tools don't have as strongly established a reputation for constructive uses as do Wireshark, nmap, Nessus, and many other dual-/multi-purpose tools.

Snort - The Forensics Tool? - David Warren

Because I have been dealing with malware and network analyses recently, I was particularly interested in seeing what Warren had to say. The main thing I got was that Snort's rule features and its support for extensive text and hex pattern searches make it handy for going through packet capture data.
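To make the point about text and hex pattern searching concrete, here is an added example (my own illustration, not code from the talk or from the Snort project) that implements the part of Snort's content syntax the post is referring to: plain text, hex bytes between pipe characters (|0d 0a|), and the nocase modifier. It then runs a few such patterns over packet payloads. The payloads and rule names are constructed samples; a real run would feed payloads in from a pcap reader, and the parser deliberately leaves out Snort's backslash escapes and the other content modifiers.

```python
"""Snort-style content matching over captured packet payloads (added example)."""
import re
from typing import List, Tuple


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string to raw bytes.

    'GET|20|/' -> b'GET /'. Text outside pipes is taken literally; inside
    pipes, whitespace-separated two-digit hex values become single bytes.
    Backslash escapes are not handled (simplification, see lead-in).
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced pipes in {pattern!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:  # literal text segment
            out += part.encode("latin-1")
        else:           # hex segment between pipes
            for tok in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    raise ValueError(f"bad hex byte {tok!r} in {pattern!r}")
                out.append(int(tok, 16))
    return bytes(out)


def match_content(payload: bytes, pattern: str, nocase: bool = False) -> int:
    """Return the offset of the first match of `pattern` in `payload`, or -1.
    nocase=True folds ASCII case on both sides, like Snort's nocase modifier."""
    needle = parse_content(pattern)
    hay = payload
    if nocase:
        needle, hay = needle.lower(), payload.lower()
    return hay.find(needle)


Rule = Tuple[str, str, bool]  # (rule name, content pattern, nocase)


def scan_capture(packets: List[Tuple[int, bytes]],
                 rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Apply every rule to every packet; report (packet number, rule, offset)."""
    hits = []
    for pkt_no, payload in packets:
        for name, pattern, nocase in rules:
            off = match_content(payload, pattern, nocase)
            if off >= 0:
                hits.append((pkt_no, name, off))
    return hits


# Constructed sample payloads standing in for packets pulled from a pcap.
SAMPLE_PACKETS = [
    (1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (2, b"\x4d\x5a\x90\x00\x03\x00\x00\x00PE\x00\x00"),   # MZ/PE header bytes
    (3, b"user anonymous\r\npass guest@\r\n"),
    (4, b"plain text with no interesting bytes at all"),
]

# Constructed rules: a text pattern with one hex byte, a pure hex pattern,
# and a case-insensitive text pattern.
SAMPLE_RULES = [
    ("http-get", "GET|20|/", False),
    ("pe-header", "|4d 5a 90 00|", False),
    ("ftp-anon", "USER ANONYMOUS", True),
]

if __name__ == "__main__":
    for pkt_no, name, off in scan_capture(SAMPLE_PACKETS, SAMPLE_RULES):
        print(f"packet {pkt_no}: rule {name} matched at offset {off}")
```

Running the script reports a hit for the HTTP request, the executable header and the anonymous FTP login, and nothing for the fourth packet. The same parse-then-find structure is what makes the hex form handy for carving protocol and file signatures out of a capture when the bytes of interest are not printable text.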

Cyberwar is BS - Marcus J. Ranum

I looked forward to hearing Marcus Ranum's take on popular cyberwar concepts. I had read his thought-provoking "Six Dumbest Ideas in Computer Security" and saw that even if I didn't agree with everything he said, his ability to make us think more deeply about security was a valuable talent.

Ranum's presentation was even better than I had expected. I am not even going to bother summarising anything else from it. Just view the video, enjoy, and think!

Cheers.
Jonathan "J.D." Abolins


P.S. Dustin L. Fritz has more photos from the March DoJoSec Monthly Briefing on his blog.
Barr & Morrissey at DoJoSec, March 2009
Barr & Morrissey speaking on iPhone forensics


DojoSec Monthly Briefings - March 2009 - Wally Barr & Sean Morrissey from Marcus Carey on Vimeo.

David Warren reminding us of computing in the early 1980s.
Remember the TI-99/4A home computer?

DojoSec Monthly Briefings - March 2009 - Dave Warren from Marcus Carey on Vimeo.

Marcus Ranum speaking on cyberwar

DojoSec Monthly Briefings - March 2009 - Marcus J. Ranum from Marcus Carey on Vimeo.
 
The posting's title sounds like a joke involving changing lightbulbs. Something like, "How many techies does it take to wipe a disk clean?...."

But, seriously, disk wiping is a valuable procedure for security, privacy, and confidentiality. A common answer to the number of writes question has been the US Department of Defense's standard seven passes. But is this really necessary for most purposes?

Heise Security reports that one pass will suffice. This is based upon the study Overwriting Hard Drive Data: The Great Wiping Controversy by Craig Wright, Dave Kleiman, and Shyaam Sundhar R. S. Heise Security summarised:
They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.
Seven passes will, of course, achieve the disk wipe after the first pass, but the additional passes waste time.

Some people and organisations may have to do more than one pass because of legal and/or policy requirements until the laws and policies are adjusted to reflect the new study.
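As an added illustration of what a single overwrite pass actually involves (my own example, not code from the post, from Heise, or from the Wright/Kleiman/Sundhar study), the script below overwrites a file in place in one pass, flushes it to disk, and then reads it back to confirm that no run of the original content remains on the logical device. It also carries through the probability arithmetic behind the figures quoted above: a 0.56 chance per bit gives 0.56 raised to the eighth power per byte, which is the 0.97 per cent Heise cites. The file is a constructed stand-in for a block device; pointing the same function at a device node is how one would wipe a whole drive.

```python
"""Single-pass overwrite with read-back verification (added example)."""
import os
import secrets
import tempfile
from typing import Optional

CHUNK = 1 << 20  # 1 MiB write buffer


def recovery_probability(bit_probability: float, n_bits: int) -> float:
    """Chance of recovering n_bits consecutive bits when each bit is
    independently recovered with bit_probability (the study's best case)."""
    return bit_probability ** n_bits


def wipe_file_single_pass(path: str, pattern: Optional[bytes] = None) -> int:
    """Overwrite every byte of `path` once, in place, and fsync.

    pattern=None writes cryptographically random bytes; otherwise the given
    pattern is repeated. Returns the number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        while written < size:
            n = min(CHUNK, size - written)
            if pattern is None:
                buf = secrets.token_bytes(n)
            else:
                buf = (pattern * (n // len(pattern) + 1))[:n]
            fh.write(buf)
            written += n
        fh.flush()
        os.fsync(fh.fileno())
    return written


def verify_wiped(path: str, original: bytes, window: int = 16) -> bool:
    """Return True if no `window`-byte run of the original content can be
    read back through the file system. This confirms the overwrite was
    applied to the logical device; it says nothing about analogue remanence
    on the platter, which is what the study measured."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != len(original):
        return False
    for i in range(0, len(original) - window + 1, window):
        if original[i:i + window] in data:
            return False
    return True


def demo() -> bool:
    """Create a constructed 'confidential' file, wipe it once, verify."""
    original = b"CONFIDENTIAL-RECORD-" * 4096  # constructed sample content
    fd, path = tempfile.mkstemp(suffix=".bin")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(original)
        assert verify_wiped(path, original) is False  # content is there before the wipe
        wipe_file_single_pass(path)
        return verify_wiped(path, original)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("wiped and verified:", demo())
    print("per-byte recovery chance: %.4f" % recovery_probability(0.56, 8))
```

Two caveats a practitioner would want alongside this: overwriting a file through the file system only reaches the blocks currently mapped to that file, not earlier copies, journal entries or sectors the drive has remapped, so whole-drive sanitisation is done against the device rather than individual files; and read-back verification only proves that the logical data changed, not that a laboratory could not recover analogue traces, which is the question the study addressed.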

Elsewhere on the Web:
  • Craig Ball of the EDD Update blog comments upon the research, saying "Told Ya So!"
  • Craig Wright, one of the researchers, has posted some technical background about the research.

J.D. Abolins



As police agencies have often pushed for wider collection and cataloguing of DNA as an investigatory aid, some police officers are now finding themselves at the other end of the DNA collection swab.

The New York Police Department (NYPD) is starting what some call a "DNA roundup" of its crime scene investigation detectives. The DNA cataloguing is meant to quickly spot DNA that may have been accidentally left by CSI people at a crime scene, so the police aren't looking for that person based on DNA found at the crime scene. This is similar to the collection of elimination fingerprints from some crime scenes. (For example, the members of a household that was burglarised might be fingerprinted to help the police eliminate their prints from the prints of suspects. Law enforcement officers' prints are also on file and, thus, any prints they accidentally left at the crime scene can be eliminated. [Note 1])

This DNA cataloguing was prompted by the complications in a recent murder investigation in which police were seeking a male suspect whose DNA was found at the crime scene. It turned out to belong to a CSI detective who had washed his hands in a sink and left a small drop of his blood.

Despite the practical investigatory reasons for the DNA cataloguing, some police officers are objecting, citing privacy concerns. Rather ironic. But there are some legitimate concerns about the use of DNA for elimination purposes.
  • DNA can tell things that fingerprints cannot. Fingerprints can tie evidence to an individual but do not tell much about the individual himself. DNA can tell much about the person's physical traits, medical conditions, and such. One concern for CSI people could be the adverse impact of some of that information on job promotions or insurance. [Note 2]
  • A significant difference between fingerprints and DNA is the prospect of near-match familial DNA searches. If one is fingerprinted, that record applies only to oneself. With DNA, that record can place one's blood relatives in a genetic lineup. This difference can be unsettling to many people.
  • Will the original agreement for the collection & cataloguing of the DNA change without notice & consent? Could the genetic information be "repurposed"?
The collection of the CSI people's DNA is still a good idea, but issues such as the ones I mentioned above do need to be addressed.

J.D. Abolins

UPDATED 12 Nov 2008 to add more information and notes.

Notes:
  1. Elimination prints and DNA do not mean that the person may never be considered a suspect. They eliminate people known to have legitimately been connected with the crime scene from initial searches for suspects based upon the fingerprints and DNA themselves. Should other clues appear indicating that the "eliminated" person may have committed the crime, the person will become a suspect. This could happen, say, in a burglary case where other evidence is found that a household member may have taken the items reported as stolen and committed insurance fraud.
  2. The use of genetic information for employment and insurance purposes is addressed by some genetic privacy laws, such as the US federal Genetic Information Nondiscrimination Act (GINA) and various state laws. How well the employment & insurance issues are addressed is a matter I cannot cover in this post.
  3. Slightly off-topic: As I was searching for more information about this DNA testing, I ran into a strange, novel approach to DNA testing: "DNA spit parties". Think of it as nucleic acids meet social networking.
Harlan Carvey is a very knowledgeable fellow about computer forensics, especially Windows forensics. I've seen several of his presentations at the RCFG GMU conferences. His books -- Windows Forensic Analysis and Perl Scripting for IT Security Professionals -- are worth checking out if you are interested in computer forensics.

Also worth checking out is his Windows Incident Response blog. Even if you don't work with Windows, this blog has many good postings with insights applicable beyond Windows alone. Here are a couple of particularly useful ones for people seeking to get into computer forensics:

1. Getting started, or forensic analysis on the cheap gives an excellent list of free (cost-free) tools. At the end, Carvey adds this important point about computer forensics: "Also, all of the technical tools and techniques are for naught if you (a) cannot follow a process, and (b) cannot document what you do." I am by no means a computer/network forensics expert but I have seen enough things to say he is quite correct.

2. Getting started, pt II suggests using the free/cheap tools as a resource for the interview process when hiring people for computer forensics work. I particularly like this:
The whole point of the use of these tools and techniques as training and evaluation resources would be to get analysts thinking and processing information beyond the point of "Nintendo forensics", going beyond pushing a button to get information...because how do you know if the information you receive is valid or not? Does it make sense? Is there a way to dig deeper or perhaps validate that information, or is there a technique that will provide validation of your data?
Amen!

Jonathan "J.D." Abolins

Much has been reported about the Princeton University research paper Lest We Remember: Cold Boot Attacks on Encryption Keys [pdf] and related matters. For now, I don't see much that I can add to the discussions. I hope to try some experiments with RAM data recovery as part of my ongoing education.

Meanwhile I came across the McGrew Security site and the msramdmp RAM imaging tool that looks useful for some RAM and cold boot experiments. There are some other interesting items on the site, including U3 thumbdrive hacking info and the GooSweep Python code for using Google for vulnerability security checks.

Do RAM chips dream of electric sheep while the PC hibernates?
J.D. Abolins

CSI Effect on Christmas

  • Dec. 25th, 2007 at 1:50 PM
Bound to happen sooner or later....

Panel 1, Christmas Eve:
Child leaves a clean glass of milk for Santa.
Panel 2, Day after Christmas:
Child sends the glass to a laboratory service.
Panel 3, A few weeks later:
Child says to the parents, "The DNA lab says that I'm genetically related to Santa! Who is he? Can we go visit him? If he's related to me, why don't I get better gifts?"

Happy & Joyous Holidays,
J.D. Abolins
