Malta Info Security - Forensics

Security LiveCD Distros

nospam@example.com (Donald Tabone) — Mon, 28 Jul 2008 15:41:33 -0700

With over a year of inactivity, the latest alpha of nUbuntu 8.04 Security LiveCD has finally surfaced.
All of the latest security and penetration tools are included to make this you’re primary pentesting livecd.

View Screenshots
Direct Download

More info on the 10 best security Live CD Distros (Pen-test, Forensics & Recover) here

Forensic memory dumpers for Windows

nospam@example.com (Donald Tabone) — Fri, 25 Jul 2008 09:33:14 -0700

Couple of interesting tools that seem to have been released recently:

ManTech Memory DD ManTech Memory DD captures a record of physical, or random access memory which is lost when the computer is shutdown. Released at no charge under the GPL license for government and private use, ManTech’s Memory DD (MDD) is capable of acquiring memory images from the following Microsoft® products: Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008.

ManTech’s Memory DD 1.0 acquires a forensic image of physical memory and stores it as a raw binary file. To help verify data integrity and aid in the preservation of the evidence, the information captured by ManTech Memory DD is checked by the Message-Digest algorithm 5 (MD5), the common Internet standard used in security applications. The binary file can then be analyzed using external tools to identify items of interest to the examiner... can be downloaded here

Suiche - of 'Sandman' fame released a memory dumping tool

The main difference between ManTech tool and win32dd, is that win32dd is mainly a kernel mode application — then it avoids to use user-land API to write to an output file, everything is done with native functions. Thus, it means a faster dumping… This point isn’t negligible when you have one million page to dump in one single.

Source1

Source2

Recovering passwords from RAM

nospam@example.com (Donald Tabone) — Wed, 27 Feb 2008 09:37:00 -0700

A joint group of people from Princeton have recently managed to prove the fact that RAM chips, when cooled to a very low temperature, can continue to retain the contents of RAM for up to several minutes after they have been physically removed from a computer.

The group, then built their own tools and programs to read off the contents of the memory after the computers were rebooted - proving that disk encryption technologies (such as Truecrypt for instance) can be defied. This is demonstrated in a video posted on youtube (see extended body of article)

The concept can also be also easily demonstrated following a simple experiment outlined on the groups page here.

Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)

Following up this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child) - the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encyption Attack" simply because the machines DDR2 RAM (2gb) is soldered on and cannot be physically removed. In addition, if Apple release an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook

"...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack."

(source)

Microsoft also reacts to this vis-a-vis their BitLocker technology in Vista. Ryan Naraine reports on this here.

Microsoft suggests that the most secure method to use BitLocker is in hibernate mode and with multi-factor authentication.
According to Robert Hensing, a software engineer in Microsoft's SWI (Secure Windows Initiative) team, this class of attack is not new and was actually raised at the 2006 Hack in the Box conference in Kuala Lumpur, Malaysia.

The Register also has their views on this...BitLocker, meet BitUnlocker.

A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it?

Update: More information on the discussion can be found here
Continue reading "Recovering passwords from RAM"

Windows Forensic Analysis - Harlan Carvey

nospam@example.com (Donald Tabone) — Sun, 15 Jul 2007 19:04:00 -0700

Here's a book I give my thumbs up for. Excellent content, well structured and rather easy to follow and understand. Personally I find particular chapters to be a great reference. The author Harlan Carvey has his own blog-spot and there is also a review of this book which can be found here.

A review...
Continue reading "Windows Forensic Analysis - Harlan Carvey"

Digital Forensic Resources

nospam@example.com (Donald Tabone) — Mon, 01 Jan 2007 12:00:00 -0700

Forensic URL's worth bookmarking:

F3 - The First Forensic Forum
Forensic memory dumping intricacies
This is a Forensics Wiki devoted to information about digital forensics
Forensic Acquisitions Utilities
A wealth of information on Steganography
Spyhunter home of StegSpy
Outguess home of Stegdetect
Live-Forensic-CD based on Knoppix
Darik's Boot and Nuke for wiping hard-disks
Computer Forensics - Prof. Dr. Daniel Hammer
The Open Source Digital Forensics site
WinHex is in its core a universal hexadecimal editor
Computer Forensics News and Information
Computer Forensic Store

Reverse Hash Lookups

http://md5.benramsey.com/
http://www.md5crack.com/
http://rainbowcrack.com
http://passcracking.com

last updated: 6-12-07