
I love stories like the one where a Mac user helped the cops apprehend her laptop thief. But, what if your laptop got pinched? Would you be prepared? Is the hard drive encrypted? Is the data backed up somewhere? Will your accumulated collection of feet pictures cause you some degree of embarrassment?
Well, the feet notwithstanding (ugh), the makers of the Lenovo Thinkpad have added an interesting feature. I thought I wrote about this at the time but, for the life of me, I couldn't find it. Ah well.
The feature (taking my methylphenidate) is a chance to brick your stolen laptop and completely piss off the jackass who purloined your loin cooker. Just send it an SMS message and bingo, she's locked up.
From Dark Reading:
“If a hard drive is turned on and the OS is loaded, the encryption technology makes all the data on the drive available in clear text to the operating system,” Cannady says. “If someone steals my PC off my desk or off the table in Starbucks and I’m logged on and the lid is down in ’suspend’ mode, there’s a chance [the thief] could get that data — even though I have military-grade encryption technology turned on.”
Cannady says the new Lenovo feature lets you send a kill command directly to the laptop, using a mobile phone. “When the kill command is received, the PC will shut down and refuse to turn on again,” he says.
Which would mean something if you knew your system was missing in the first place. If you were unaware, well, you'd be pretty much boned. Worse still if the thief happened to have a Faraday cage lying around.
Still, a neat feature.
UPDATE: Received this tweet from Amrit at BigFix.
“BigFix can do that, send a “fixlet” to snap a pic using the built-in iSight camera and then email it. One of our custs sent “fixlets” to 5 stolen laptops w/a pop-up that noted the IP & said they wouldn’t call cops if they were returned. The thief called the # in the pop-up and returned the laptops within the hour”
Ah, the fun it would be to get that call.

Well, inadvertently, it would seem. Data forensics wonk Jonathan Zdziarski indicated that when the iPhone does that cool fade-out as you switch applications, it takes a screenshot. No, there are no black helicopters here. This is apparently how the effect is achieved.
From Wired:
The phone presumably deletes the image after you close the application. But anyone who understands data is aware that in most cases, deletion does not permanently remove files from a storage device. Therefore, forensics experts have used this security flaw to successfully nab criminals who have been accused of rape, murder or drug deals, Zdziarski said.
“There’s no way to prevent it,” Zdziarski said during the webcast. “I’m kind of divided on it. I hope Apple fixes it because it’s a significant privacy leak, but at the same time it’s been useful for investigating criminals.”
I imagine it has the potential for being a privacy issue. In all fairness though, if someone already has access to your phone you’re pretty much fubar anyway.
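The screenshot Zdziarski describes survives because deleting a file only drops the filesystem's reference to it; the image bytes sit in unallocated space until something overwrites them. The following added example (mine, not from the Wired piece or from Zdziarski's tooling) shows the recovery side of that: it builds a constructed raw "disk image" holding two intact PNGs and one whose tail has been overwritten, then carves by walking the PNG chunk chain and checking every chunk CRC, so a truncated image is rejected instead of being glued to whatever follows it. The names make_png, carve_png and build_sample_image are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter type 0, then the pixels
    idat = zlib.compress(row * height)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def carve_png(image: bytes) -> list:
    """Recover every structurally intact PNG from a raw byte image.

    From each signature, walk the chunk chain and verify every CRC; accept the
    candidate only when a valid IEND is reached. A naive "search for IEND"
    carver would glue a truncated image to whatever happens to follow it.
    """
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        off = pos + len(PNG_SIG)
        complete = False
        while off + 8 <= len(image):
            length = struct.unpack(">I", image[off:off + 4])[0]
            ctype = image[off + 4:off + 8]
            end = off + 8 + length + 4
            if end > len(image):
                break                                   # chunk runs past the image
            data = image[off + 8:off + 8 + length]
            crc = struct.unpack(">I", image[end - 4:end])[0]
            if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
                break                                   # overwritten or corrupt chunk
            off = end
            if ctype == b"IEND":
                complete = True
                break
        if complete:
            found.append(image[pos:off])
            pos = image.find(PNG_SIG, off)
        else:
            pos = image.find(PNG_SIG, pos + 1)          # discard this candidate, keep scanning
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: filler bytes around one intact
    PNG, one PNG whose last 20 bytes were overwritten, and another intact PNG."""
    filler = bytes((i * 37) % 251 for i in range(300))  # deterministic; never contains PNG_SIG
    intact_a = make_png(2, 2, (255, 0, 0))
    clobbered = make_png(4, 4, (0, 0, 255))[:-20]
    intact_b = make_png(3, 1, (0, 255, 0))
    return filler + intact_a + filler + clobbered + filler + intact_b + filler


if __name__ == "__main__":
    for n, png in enumerate(carve_png(build_sample_image())):
        print(f"carved #{n}: {len(png)} bytes")
```

The CRC walk is what makes the carver usable on real media: partially overwritten images are common in slack space, and a carver that trusts the first IEND it sees would report corrupt files and miss the good one sitting right behind them.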
Tags: Forensics, Data Forensics, iPhone
Didier Stevens has a quick post up about embedding eicar in PDF files.
From his site:
I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I'm publishing a PDF document with an embedded EICAR test file (eicar.txt). This PDF document also has an annotation with a JavaScript action linked to it. Clicking the annotation will export the embedded eicar.txt file to a temporary folder and launch the default editor for .txt files.
Read on.
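Stevens' sample exercises two things an inbound-mail or gateway scanner has to notice: a PDF can carry an arbitrary attached file, and it can carry a script that acts on it. The added example below (mine, not Stevens' PDF or his tools) builds a minimal, well-formed PDF with an embedded file and a FileAttachment annotation, then runs a pdfid-style name-token count over it to flag the indicators that should route a document to a sandbox. The attachment body is a labelled placeholder; substitute the 68-byte EICAR string from eicar.org to turn the output into an actual anti-virus test. The function names build_attachment_pdf, scan_pdf and is_suspicious are my own.

```python
import re


def _pdf_string(s: str) -> bytes:
    """Encode a Python string as a PDF literal string, escaping the delimiters."""
    body = s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    return b"(" + body + b")"


def build_attachment_pdf(payload: bytes, filename: str) -> bytes:
    """Build the smallest PDF that carries `payload` as an embedded file and shows
    it as a FileAttachment annotation. No JavaScript action is attached here."""
    name = _pdf_string(filename)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [ " + name + b" 5 0 R ] >> >> >>",
        b"<< /Type /Pages /Kids [ 3 0 R ] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [ 0 0 200 100 ] /Annots [ 6 0 R ] >>",
        b"<< /Type /EmbeddedFile /Length " + str(len(payload)).encode() + b" >>\nstream\n" + payload + b"\nendstream",
        b"<< /Type /Filespec /F " + name + b" /EF << /F 4 0 R >> >>",
        b"<< /Type /Annot /Subtype /FileAttachment /Rect [ 10 10 30 30 ] /FS 5 0 R /Contents (attached file) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))                      # byte offset recorded for the xref table
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_at}\n%%EOF\n").encode()
    return bytes(out)


# Name tokens that warrant a closer look in an inbound PDF (the pdfid idea).
INDICATORS = (b"/EmbeddedFile", b"/FileAttachment", b"/JavaScript", b"/JS",
              b"/Launch", b"/OpenAction", b"/AA")


def scan_pdf(data: bytes) -> dict:
    """Count each indicator token. The negative lookahead keeps /EmbeddedFile from
    also matching the /EmbeddedFiles name-tree key. Caveat: names written with
    #xx hex escapes (e.g. /J#53) are not matched; normalise those first in a
    production scanner, or the check is trivially bypassed."""
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
            for kw in INDICATORS}


def is_suspicious(counts: dict) -> bool:
    """Anything that can carry a payload or run code on open gets flagged."""
    return any(counts[k] for k in ("/EmbeddedFile", "/JavaScript", "/JS", "/Launch", "/OpenAction"))


if __name__ == "__main__":
    # Placeholder body (constructed); replace with the real EICAR string from eicar.org.
    pdf = build_attachment_pdf(b"EICAR-TEST-STRING-GOES-HERE", "eicar.txt")
    counts = scan_pdf(pdf)
    print(counts, "suspicious" if is_suspicious(counts) else "clean")
```

Note that the sample trips the scanner on /EmbeddedFile alone; Stevens' real document would additionally light up /JavaScript or /JS, and the launch behaviour he describes is exactly why those tokens belong on the list.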

I noticed this article written by Kyle Rankin over on Linux Journal. It provides an intro to computer forensics.
From Linux Journal:
A break-in can happen to any system administrator. Find out how to use Autopsy and Sleuthkit to hit the ground running on your first forensics project.
There are certain aspects to system administration that you can learn only from experience. Computer forensics (among other things the ability to piece together clues from a system to determine how an intruder broke in) can take years or even decades to master. If you have never conducted a forensics analysis on a computer, you might not even know exactly where to start. In this guide, I cover how to use the set of forensics tools in Sleuthkit with its Web front end, Autopsy, to organize your first forensics case.
An extensive read.

Here is a topic that seems to be heating up in the press lately. E-discovery is fast becoming an attention grabbing headline.
From GCN:
New rules for electronic data discovery during litigation, combined with the massive amount of electronic data now available in federal databases, will require closer communication between the legal and information technology departments at federal agencies and standardized processes across business units, according to panelists discussing enterprise search and e-discovery at the FOSE Conference and Exposition in Washington.
The civil rules of procedure, which went into effect Dec. 1, 2006, have “really changed the environment for the IT folks” in the last year, said Edward Meagher, deputy chief information officer at the Interior Department. “We need to start saving documents that we previously didn’t save and ensure documents are searchable and retrievable and do it very rapidly. E-mail, voice mail, instant messages, text messages — all are now in discovery [in a legal case] and so they need to be searchable,” he said. “It’s one of those issues that’s really crept up on us.”
With millions—and perhaps billions—of e-mails alone in even a single part of the federal government, searching electronic data is no small task, and the technology to do so is still a work in progress. Add to that legacy data that is no longer accessible and the relative difficulty today in searching electronic documents, combined with expectations that enterprise searches should be as easy as a Google Internet search, and compliance with e-discovery rules becomes all the more challenging.
Read on.
ed. On a completely unrelated note…it has been a lonnnng day.
Tags: E-Discovery, Computer Forensics

Um, wow. While I can fully understand and appreciate their frustration, I see this as a legal minefield. They may want this power, but I cannot fathom how they would intend to examine systems that reside in another country unless there was a reciprocal agreement in place.
From ABC (AU):
The New South Wales Cabinet has approved new powers for police designed to help them track terrorist threats, fraudsters and paedophiles through computer networks.
The proposed laws would allow police to search computers networked to those listed on a search warrant.
Police could also seize computer hard drives and memory sticks for up to seven days.
Police Minister David Campbell says police are currently only able to search computer hardware found on a premises named in a search warrant.
He says with the changes, they will be able to go a step further and search other networked computers, regardless of where they are located.
“What we know is that there are organised crime gangs who use the internet and other forms of technology to hide their crimes,” he said.
I can see their pain point. But, I think this will open a can o’ worms.
Having dealt with NATO folks in the past I can safely say that they’re a hard working and dedicated bunch. I’m pleased to see that they are rolling out Guidance Software’s EnCase product across their enterprise.
From Silicon dot com:
The system provides an immediate snapshot of any intrusions and will provide forensic-level analysis across its network, which spans thousands of miles.
Nato’s Computer Incident Response Capability (NCIRC) unit has deployed a large scale cyber defence project combining intrusion detection and prevention systems, security information and event management and automated incident response.
Ian West, director of NCIRC technical centre, said this will significantly enhance Nato’s ability to counter today’s online threats and attacks.
It’s very good software and extremely powerful. EnCase does manage to take a lot of the hand cranking out of the mix when conducting an investigation.
Hell, if they’re hiring… HA!
Tags: NATO Computer Security, EnCase, Guidance Software
From the press release:
Backbone Security, the market leader in advanced digital steganalysis tools, proudly announced their industry leading steganography application detection tool, Steganography Analyzer Artifact Scanner, passed rigorous testing by the Defense Cyber Crime Institute (DCCI) at the opening of The Computer Forensics Show today.
Developed in Backbone’s Steganography Analysis and Research Center (SARC), StegAlyzerAS is the most comprehensive and accurate steganography application detection tool available on the commercial market. Capable of detecting file and Windows registry artifacts associated with 650 steganography applications, StegAlyzerAS V3.0 is the digital forensic examiner’s tool of choice for detecting use of steganography to conceal evidence of criminal activity.
The DCCI test report states that StegAlyzerAS was able to: 1) identify the hash values of a significant number of files in the distribution libraries of a considerable number of steganography programs, 2) minimize the number of false positives by ignoring files typically associated with steganography applications but are also used in versions of the Windows operating system and popular software applications not associated with steganography, and 3) identify, with a high degree of accuracy, steganography programs that have been installed on suspect media even though only a small number of files associated with the programs currently reside on the media.
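The three points in the DCCI report describe a hash-set workflow: catalogue the files each application ships, subtract anything that also ships with Windows or popular software, and report an application when any remaining file turns up on the media, even under a different name. The added example below (mine, not Backbone's StegAlyzerAS or its data) implements that workflow over a constructed catalogue of two invented applications, a constructed known-good set, and a temporary directory standing in for suspect media; it also matches registry key fragments in a constructed .reg export. Every application name, file content and key path here is invented.

```python
import hashlib
import os
import tempfile

# Constructed catalogue: application -> {filename: contents}. A real deployment
# hashes each application's distribution library, as the DCCI test describes.
STEGO_APPS = {
    "HypoStego 1.0": {
        "hypostego.exe":  b"MZ\x90\x00 constructed HypoStego main binary",
        "hslib.dll":      b"MZ\x90\x00 constructed HypoStego helper library",
        "msvcrt-ish.dll": b"MZ\x90\x00 constructed common runtime shipped by many apps",
    },
    "PixelVault 2": {
        "pixelvault.exe": b"MZ\x90\x00 constructed PixelVault binary",
        "msvcrt-ish.dll": b"MZ\x90\x00 constructed common runtime shipped by many apps",
    },
}
# Constructed known-good set: files that also ship with Windows or popular software.
# Hits on these are ignored, which is point 2 of the report (false-positive control).
KNOWN_GOOD = {b"MZ\x90\x00 constructed common runtime shipped by many apps"}
# Constructed registry key fragments each application leaves behind.
STEGO_REG_KEYS = {"HypoStego 1.0": r"\Software\HypoStego",
                  "PixelVault 2":  r"\Software\PixelVault"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_sets():
    """Index catalogued files and the known-good set by hash; the scanner then
    never needs the original contents, only the hash of each file it meets."""
    stego = {}
    for app, files in STEGO_APPS.items():
        for fname, content in files.items():
            stego.setdefault(sha256(content), []).append((app, fname))
    return stego, {sha256(c) for c in KNOWN_GOOD}


def scan_tree(root: str, stego: dict, benign: set) -> dict:
    """Hash every file under root; return app -> [(path, catalogued name)].
    Matching by hash means a renamed file is still attributed (point 3)."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                h = sha256(fh.read())
            if h in benign or h not in stego:
                continue
            for app, cat_name in stego[h]:
                hits.setdefault(app, []).append((path, cat_name))
    return hits


def scan_registry_export(reg_text: str) -> dict:
    """Match known key fragments against the key lines of a .reg export."""
    found = {}
    for app, fragment in STEGO_REG_KEYS.items():
        keys = [line.strip("[]") for line in reg_text.splitlines()
                if line.startswith("[") and fragment.lower() in line.lower()]
        if keys:
            found[app] = keys
    return found


def assess(file_hits: dict, reg_hits: dict) -> dict:
    """Per application: distinctive files found versus known, plus registry evidence.
    One distinctive file or key is enough to report, the 'few files remain' case."""
    report = {}
    for app in set(file_hits) | set(reg_hits):
        distinctive = [f for f, c in STEGO_APPS.get(app, {}).items() if c not in KNOWN_GOOD]
        report[app] = {"files_found": len(file_hits.get(app, [])),
                       "files_known": len(distinctive),
                       "registry_keys": reg_hits.get(app, [])}
    return report


def demo() -> dict:
    """Constructed suspect media: HypoStego mostly uninstalled (one library left,
    renamed), the shared runtime present (must not count), an unrelated document."""
    stego, benign = build_hash_sets()
    with tempfile.TemporaryDirectory() as root:
        leftovers = os.path.join(root, "Program Files", "leftovers")
        os.makedirs(leftovers)
        with open(os.path.join(leftovers, "renamed.bin"), "wb") as fh:
            fh.write(STEGO_APPS["HypoStego 1.0"]["hslib.dll"])
        with open(os.path.join(leftovers, "msvcrt-ish.dll"), "wb") as fh:
            fh.write(STEGO_APPS["HypoStego 1.0"]["msvcrt-ish.dll"])
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"unrelated user document")
        file_hits = scan_tree(root, stego, benign)
    reg_export = ("Windows Registry Editor Version 5.00\n\n"
                  "[HKEY_CURRENT_USER\\Software\\HypoStego]\n\"LastFile\"=\"cover.png\"\n")
    return assess(file_hits, scan_registry_export(reg_export))


if __name__ == "__main__":
    print(demo())
```

The shared runtime library is the interesting case: it is genuinely part of the HypoStego distribution, but because it is also in the known-good set it contributes nothing, so an examiner is not handed a stego "hit" for every machine that happens to have that DLL installed.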
Tags: Forensics, Computer Forensics, Stego, StegAlyzerAS

If you ask, they will build it. A little different than the quote I had in mind from Field of Dreams. Still, interesting article.
From Computer World:
Start-up Packet Analytics Corp. on Monday announced a tool for searching aggregated log data to analyze traffic activity between IP-based host computers.
Net/FSE, which stands for Network Forensic Search Engine, is Linux-based server software that provides a Web interface for network managers to easily see an analytical profile of host-to-host activity based on NetFlow router data as well as log information related to the organization’s firewall, intrusion-detection systems and security information management.
The Net/FSE tool was developed at Los Alamos National Laboratory by Packet Analysis co-founders Ben Uphoff and Paul Criscuolo, both former technical staff members at the lab.
“If an enterprise already has centralized logging, we can start directly searching that, and we can also act as the data-aggregation point,” said Uphoff, vice president of research, about Net/FSE.
Read on.
Tags: FBI, Network Forensics
One of the pain-in-the-butt aspects of conducting computer forensic investigations is running into the one-offs and stranger OS platforms. One of the new kids to hit the scene, the iPhone, presents an interesting wrinkle. What to do if there is a need to conduct a forensic investigation on one of these iconic devices? The operating system for the iPhone is a closed version of Mac OS X. So, what are folks in the business saying?
From Wired:
But not every forensics expert is convinced. “The iPhone is evil,” says Amber Schroader, CEO of Utah-based Paraben, a leader in digital-forensics software development. “It’s Mac OS X, and it’s a completely closed system.”
In other words, it’s not easy for a forensics team to guarantee that the data extracted from an iPhone has not been tampered with. The result is that juries may find reasonable doubt in how that data was extracted.
Hmm, so how does one retrieve the data without altering it in the process? A quick search of the portal at Guidance Software, the makers of forensic software EnCase, revealed no hits.
Today at Macworld Expo, data recovery firm DriveSavers will reveal their service offering for recovering data from iPhones. According to their press release, they have managed to accomplish this, but there is no word yet on exactly how. “Will it stand up in court?” is the real test. I guess we have to stay tuned.
Tags: EnCase, Computer Forensics, iPhone Forensics, iPhone Recovery, DriveSavers




