It has been a "gray" area in forensic acquisitions if we should turn a system off or not. If we look at certification exam requirements, we have to pull the plug on client OS and turn the system off with OS commands if it is a server.
In today's computers, we have 4GB or more memory that was the size of a hard drive not too long ago. In a few years back, if someone said, "I've thrown an 8GB hard drive into the trash since I thought it was not important" would have landed investigators in jail. We can not make those kind of decisions anymore just because we did it in the past.
The memory is a wealth of information in malware investigations and dealing with encryption. This also shown in the new tool "Elcomsoft Forensic Disk Decryptor". http://www.elcomsoft.com/efdd.htm
The documentation mentions how it recovers the master key from live memory or from the hibernation file.
"By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump fie
By performing a FireWire attack (PC being analyzed must be running with encrypted volumes mounted)."
Now, if that is the case, then turning the system off will lose this information and you can wait for weeks, if you're lucky, to crack the password for BitLocker, PGP or TrueCrypt.
Why not just include into the methodology and certification exam requirements to at least consider the option of capturing the memory before turning the system off. I like the option of forcing the hibernation file to update and then pull the plug if necessary.
powercfg.exe -h off
powercfg.exe -h on
This way, you can turn your system off and still have the memory to analyze.
"Drawbacks?" You might ask.
I believe digital forensics is just like any other science discipline is based on pattern recognition, risk management, and process control. Therefore, we have to look at any drawbacks in this method. Since the Hiberfil.sys file will be as large as the physical memory in the system, you will overwrite, 8GB in this case, unallocated space. Thus, if you plan to data carve for previously deleted files, this might destroy evidence that can be just as much devastating to your case. So, a light weight memory dump utility ( fau's dd, mdd, or winen ) might be the answer to this dilemma. The main idea is to consider this option when encryption is suspected or as a standard collection methodology.
Thursday, December 20, 2012
Sunday, December 2, 2012
Cell Phone in Faraday Bag! Why?
As we test tools and technology in our ITDF 2320 course, we never know what information we can discover. This week, we've tested the cell phone protection by placing them in Faraday bag and multilayer of antistatic bags.
To our surprise, even though the Faraday bag work fairly well in some cases and not at all in others, in all cases the mesh on the Faraday bag interacted with the smart phone screen. In one case, the movement of the bag over the screen caused the email client to open and to check one of the emails to be checked. In most cases, just random movement was noticeable as the phone moved around in the bag.
It might be strange to call a Faraday bag a protection mechanism when it causes more changes than just placing the phone in airplane mode and carrying it in a paper bag.
To our surprise, even though the Faraday bag work fairly well in some cases and not at all in others, in all cases the mesh on the Faraday bag interacted with the smart phone screen. In one case, the movement of the bag over the screen caused the email client to open and to check one of the emails to be checked. In most cases, just random movement was noticeable as the phone moved around in the bag.
It might be strange to call a Faraday bag a protection mechanism when it causes more changes than just placing the phone in airplane mode and carrying it in a paper bag.
Subscribe to:
Posts (Atom)