
Jan 30

Sadly, the past few weeks have left me very little time to write about my rants. The first month has already passed by and I barely realised. In truth the next 5 months are a sort of marathon in that I have three exams coming up (one of them the CISM) and a thesis to finish off. On top of that, I have an ISACA presentation to give at the end of March (more details later on) and a full time job :-) I guess I shouldn't grumble -- and I won't. My replacement eTc-3850 thin client is still for sale, so if you're interested, drop me an email. It is still boxed and has never been used.

OK, back to a good article I read on Securology; here's one that struck home on a number of points. It's a little lengthy so I won't be quoting a lot of it; however, the core of it revolves around the idea that a job in computer security is not as rosy as it might seem. Varied ideas tend to exist about the glory of CSI-like investigations and huge pay packets; however, the truth is much more down to earth. The reality according to Securology is as follows:

1. Perfect security is not possible.
2. Most security work is really about making sure everyone else does their job "correctly".
3. Security Response jobs suck.
4. Security Operations jobs suck more.
5. Security Planning jobs are set up to fail.
6. Security vendors have to sell out.
7. Pen testers and consultants have commitment issues.
8. Exploit writers perpetuate the problem.
9. Security educators either are paranoid or should be.
10. Security media don't really exist.
11. And security bloggers are the worst of all.


Each section is expanded upon, and I encourage you to read the original article (see below for the source). Being a security guy myself, I would say that they are somewhat true - and they kinda got me frowning - but somewhat overstated too. It's not all bad, though ... really!

A good point comes out of point 3 - Security Response jobs suck...

... It may seem like CSI or something, but jobs that deal with responding to incidents suck. Except in high profile cases, computer forensics and true chain of custody techniques are not followed-- and if you want a computer forensics job, you'll probably have to work for a large government/public sector bureaucracy (and all the fun that goes with spending tax payers' dollars), which means you'll be primarily working on child pornography or drug trafficking cases and riding daily the fine line between public good and privacy infringements (warrantless wiretaps come to mind).


Others seem aimed at putting you off ... and encouraging you to head for a farming job!

If you're already in a security career and find yourself disheartened by the lacking options around you (because you've realized that it isn't the glamorous field you once thought), but find that you have an amazing affinity towards learning all that you can, this might be a saving grace that will prevent you from leaving everything you've learned behind and taking up a job as a dairy farmer (or some other similar job that will not require you to touch a computer)


I work in an environment where our department is central to several other security departments. We interact with all the other departments, the idea being that there is a defined separation of duties. In these cases, one of the key skills of a security analyst has got to be communication. That essentially means that you must both have a varied technical background and be a people person, capable of assessing not only your own needs but also those of others. The reason for this is obvious: you need to state your point from a security angle, balance your opinion against usability, and be in a position to help implement/facilitate solutions that are security-centric. Not an easy job -- but hey, then what are we paid for? ;-) ... and yes, it also means that to a certain extent we have to be educators.

To close this article, here's Securology's ending... I sense that the writer must have been in one of his low moments - nevertheless - heads up... it's not all grim.


If you hope to change the world with your career, may I suggest a rewarding opportunity teaching high school math or science in a public school system? The pay is for shite, and there will be harder days than being a security professional, but your pupils will be grateful for your job well done later in life-- even if they don't manage to get around to tell you. Besides, everyone knows Americans spend what they make-- just learn to make ends meet on a teacher's salary.


Source

Posted by Donald Tabone

Jan 20
On to another interesting piece of news I stumbled upon earlier today - prick up your ears - a recent study by Craig Wright, a forensic expert, shows that...
...after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.


They presented their paper at ICISS 2008 and it has been published by Springer in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).

The original article rightly discusses the implications from a security point of view. It's important to bear in mind that remnants of an edited document may still be present in several places, such as temporary files, swap files and who knows where else, so wiping the file you can see is not the same as wiping the data.

Really, to ensure that nothing more can be recovered from a hard disk, it has to be overwritten completely, sector by sector, and it is worth reading the disk back afterwards to confirm the pass actually reached every sector. Note that the study concerns magnetic disks; flash-based drives remap writes internally, so an overwrite issued from the host is not guaranteed to reach every cell.


Free software that employs all sorts of wiping techniques, from simple algorithms to "military grade" multi-pass schemes such as Darik's Boot and Nuke (DBAN), may no longer be necessary: a simple tool like dd on Linux will do the job perfectly with a single pass of zeros.
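As an added example (not from the original post, the heise article or the Wright/Kleiman paper), here is a single-pass zero wipe with dd followed by a read-back check. The target may be a block device (run as root) or a file; the scratch file at the bottom is constructed for the self-test, and the `blockdev --getsize64` call is only reached for a real device.

```shell
#!/bin/sh
# Added example; not from the original post or the Wright/Kleiman paper.
# One zero-fill pass over TARGET with dd, then a read-back check that no
# byte other than 0x00 remains. TARGET may be a block device (run as root)
# or a file; the self-test at the bottom uses a constructed scratch file.

# Size of TARGET in bytes: blockdev(8) for devices, wc for regular files.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite every 512-byte sector of TARGET with zeros in a single pass.
# notrunc keeps a file target at its current size; fsync makes dd wait
# until the data has actually reached the device before it returns.
# A disk is always a whole number of sectors; a test file must be too.
wipe_target() {
    size=$(target_size "$1")
    dd if=/dev/zero of="$1" bs=512 count=$((size / 512)) \
        conv=notrunc,fsync 2>/dev/null
}

# Bytes on TARGET that are not 0x00. Anything above 0 after the wipe
# means some sector was missed (bad block, wrong size, write caching).
count_nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Exit 0 only if the entire target compares equal to a stream of zeros.
verify_zeroed() {
    size=$(target_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Self-test on a scratch file filled with recognisable "old" data
# (4 KiB, i.e. 8 sectors). For a real disk use /dev/sdX as the target.
scratch=$(mktemp)
yes 'CONFIDENTIAL' | head -c 4096 > "$scratch"
echo "before wipe: $(count_nonzero_bytes "$scratch") non-zero bytes"
wipe_target "$scratch"
echo "after wipe:  $(count_nonzero_bytes "$scratch") non-zero bytes"
verify_zeroed "$scratch" && echo "verify: every sector reads as zero"
rm -f "$scratch"
```

The verification step is the part DBAN-style tools give you for free and a bare dd does not: if `count_nonzero_bytes` is not 0 afterwards, the drive (or a cache in front of it) did not take the whole pass, and that is worth knowing before the disk leaves your hands.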

Echoing this post

Posted by Donald Tabone

Jan 6
It's been a while since I last posted something regarding digital forensics, mostly due to the fact that I've been tied up with studies and work. Nevertheless, I came across this document by Brett Shavers entitled Virtual Forensics - A Discussion of Virtual Machines Related to Forensics Analysis. A brief summary of the 35 page document is quoted below.

The time of virtual machines has come and will only become more commonplace. Although a virtual machine is nearly identical to an actual computer system, there are differences that examiners should be aware of. Given the capabilities that are inherent in booting forensic images into a virtual environment, this should be the first choice in the restoration of any forensic image as it not only saves time in the restoration process, but it can be repeated as many times as needed, quickly and easily.


Early in the PDF we get a primer on VMware files (such as .VMDK and .VMSD files), and the document goes on to describe the pros and cons of using virtual machines as a forensic OS. Later, he discusses topics like using VMs for anti-forensics, i.e. using a good tool for bad things, followed by a number of how-tos.
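One practical consequence of that primer is that a VMDK is rarely one file: the descriptor names its extent files, and a snapshot delta points at its parent via `parentFileNameHint`, so the examiner has to collect the whole chain before the disk can be mounted or booted. As an added example (not from Shavers' paper and not the page's own code), the shell functions below walk that chain with plain grep/sed/awk. They assume the text-descriptor layout (extent lines of the form `RW <sectors> <type> "<file>"`); the two sample descriptors are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from Shavers' paper: walk a VMware VMDK descriptor and
# its snapshot chain so every file that must be acquired is listed.
# Assumes text descriptors with extent lines  RW <sectors> <type> "<file>"
# and, in snapshot deltas, a line  parentFileNameHint="<parent descriptor>".

# Extent lines of one descriptor: access, size in sectors, type, file name.
vmdk_extents() {
    grep -E '^(RW|RDONLY|NOACCESS)[[:space:]]' "$1"
}

# Logical disk size in 512-byte sectors (sum of the extent sizes).
vmdk_total_sectors() {
    vmdk_extents "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Parent descriptor named by a snapshot delta; empty for a base disk.
vmdk_parent() {
    sed -n 's/^parentFileNameHint="\([^"]*\)".*/\1/p' "$1"
}

# Chain from the given descriptor down to the base disk, one path per
# line. Parents are resolved relative to the child's directory.
vmdk_chain() {
    cur="$1"
    while [ -n "$cur" ]; do
        echo "$cur"
        p=$(vmdk_parent "$cur")
        if [ -z "$p" ]; then
            break
        fi
        cur="$(dirname "$cur")/$p"
    done
}

# Every file to acquire: each descriptor in the chain plus its extents.
vmdk_files() {
    vmdk_chain "$1" | while read -r d; do
        echo "$d"
        vmdk_extents "$d" | awk -F'"' -v dir="$(dirname "$d")" '{ print dir "/" $2 }'
    done
}

# Constructed sample: a split-sparse base disk and one snapshot delta.
make_sample_vm() {
    cat > "$1/vm.vmdk" <<'EOF'
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "vm-s001.vmdk"
RW 2048 SPARSE "vm-s002.vmdk"

# The Disk Data Base
ddb.adapterType = "lsilogic"
EOF
    cat > "$1/vm-000001.vmdk" <<'EOF'
# Disk DescriptorFile
version=1
CID=0a1b2c3d
parentCID=fffffffe
parentFileNameHint="vm.vmdk"
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "vm-000001-s001.vmdk"
RW 2048 SPARSE "vm-000001-s002.vmdk"
EOF
}

demo=$(mktemp -d)
make_sample_vm "$demo"
echo "chain:"; vmdk_chain "$demo/vm-000001.vmdk"
echo "sectors: $(vmdk_total_sectors "$demo/vm-000001.vmdk")"
echo "files to acquire:"; vmdk_files "$demo/vm-000001.vmdk"
rm -rf "$demo"
```

Run `vmdk_files` against the newest delta of the VM you are looking at and hash everything it lists before touching it; a missing parent or extent is exactly the kind of gap that makes a later boot in a VM fail or, worse, silently present the wrong state of the disk.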

I cannot help but say that this is a very good read, graphically supplemented and full of valuable information, whether you want to learn more about VMs or are analysing a VM for possible intrusion or compromise.

Download it here.

Posted by Donald Tabone
