The Broader Implications of Heartbleed

Dan Kaminsky:

It always seems like a good idea in security to emphasize prudence over accuracy, possible risk over evidence of actual attack.  And frankly this policy has been run by the privacy community for some time now.  Is this a positive shift?  It certainly allows an answer to the question for your average consumer, “What am I supposed to do in response to this Internet ending bug?”  “Well, presume all your passwords leaked and change them!”

I worry, and not merely because “You can’t be too careful” has not at all been an entirely pleasant policy in the real world.  We have lots of bugs in software.  Shall we presume every browser flaw not only needs to be patched, but has already been exploited globally worldwide, and you should wipe your machine any time one is discovered?  This OpenSSL flaw is pernicious, sure.  We’ve had big flaws before, ones that didn’t just provide read access to remote memory either.  Why the freak out here?

Because we expected better, here, of all places.

I recall the days of hearing from people that open source software was dangerous because anyone could add any code. The usual counter was that because it was open, someone would see something that was inserted that was malicious. While it doesn't look like the Heartbleed bug was introduced purposefully, the problem code wasn't found soon enough. 

The Origami Workstation

Shawn Blanc covers the Origami Workstation on his site, The Sweet Setup:

...the iPad keyboard I prefer most is the Origami Workstation. There are a few reasons:

  • It’s separate from the iPad, thus not in the way when I’m not using the iPad with a keyboard (which is most of the time for me).
  • It holds the iPad similar to how a folio or keyboard case would.
  • It works with Apple’s own bluetooth keyboard, which is an excellent keyboard.

I have always kept the Apple wireless keyboard in the Origami in my backpack since I got it a few years ago. It's great to be able to use the same keyboard at home, on my desk at the office or anywhere I travel.

Making sure the keyboard stays powered off in my bag is harder than you'd think and the velcro is pretty worn out, but when it goes I'll replace it with another one just like it. 

Well I Stand Corrected - SCOTUS to Rule on WarDriving

So I can't be sure, but I'm sure that there is a video or audio recording of me giving a talk where I flippantly remark that there really would be little reason to believe that a security issue like the legality of wardriving would ever reach the Supreme Court. 

Well what do you know? 

The biggest U.S. internet wiretapping program outside the NSA may be headed to the Supreme Court.

Google is asking the high court to rule on the legality of the company’s past sniffing of unencrypted Wi-Fi traffic in neighborhoods around the country as part of its Street View program. An appeals court last September found that the sniffing may have violated the Wiretap Act.

In a world where one man's networking tool (nmap, Wireshark, Driftnet) is classified as a weapon in some countries, getting clarity on these issues through our common law system is a good thing.

See guys? I told you that if you were patient things would work out. Now we just have to see what those ever so savvy Supreme Court justices think of all this. 

(Coverage via Wired)

Relevant to my interests...

This makes Usenet very useful for sharing information about recent happenings, for social discussions, and especially for receiving assistance about problems, such as resolving technical glitches or getting help with a diet program.

I Stand Corrected... Producing In Paper Can Be A Good Idea

If there's a hero in the Edward Snowden story, it's Ladar Levison.

In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.

More over at Wired.

Consider Using GPG

It had been a long time since I'd used GPG on the Mac. At some point I updated the OS before the mail add-ons were compatible and getting everything set up was kind of a pain in the ass.

It's come a long way, as you can see from their short screencast. It really is as simple as it looks.

In a few minutes you can be up and running, even if you don't know much about how public key encryption works. If you're interested in controlling your own privacy in the content of your communications? Use GPG.

Here's my public key for jurist {at} bitninja {dot} org. You can use this to verify the authenticity of things that I publish and sign as well as sending me encrypted communications.

Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPG


iOS 7

It sure sounds like there's a lot to come in the new version of iOS. The visual design is as polarizing as was rumored and I certainly have some mixed feelings about it, but there's one app that really stands out as being incredible: the compass. There may be some rough edges in some other apps, but I'm pretty sure this one has achieved perfection.

Screenshot via iLounge

Forensic Fundamentals - Disc Images

What is a Forensic Image?

A forensic image is a bit-for-bit copy of a digital storage container. This copy includes both data that is accessible to the user (allocated space) and data that may have been "deleted" by the user but not yet overwritten (unallocated space). Forensic images offer the investigator a stability and flexibility that consumer-style copies can't provide. A forensic image can be mounted so that an examiner can browse the contents of a hard drive as if they were the original user, without changing volatile metadata. Many pieces of evidence can be recovered from an image using specialized tools in conjunction with commercial or open source forensic utilities.

File Formats

There are a few different file formats that one can use when acquiring a forensic image. Some formats have more features than others, but may not be as flexible for certain tasks, like recovering data from Volume Shadow Copies.

The DD or RAW format

While it may be more precise to refer to these images as RAW images, it's very common to hear them referred to as DD images. Why DD? DD is the tried and true Unix utility which has been used to make bit for bit copies of discs or volumes since the mid 1980s.

Generally, the file format is not compressed and contains no metadata about the image itself, but it can be split into multi-part files. Personally, I have preferred the more modern formats because they offer compression, but recent experience with some Volume Shadow Copy utilities that work only with DD is making me question that preference.

DD images can have a number of extensions including .dd, .raw, .00 or .IMG.

The Encase or Expert Witness Format

Generally, if you're not getting a DD image from a forensic analyst, they'll likely give you an EnCase image. I think it's important to understand that while this format's common name implies the requirement of a specific piece of software, the EnCase format is supported by many different pieces of software.

Encase images can be compressed, which is a big advantage if you've got a case involving multiple computers and large quantities of data. With the price of 2TB drives coming way down, you can carry an entire office's worth of compressed disc images on something that would fit into your pocket.

Encase images can also carry user-defined metadata about the image, such as the name of the examiner who took the image, the date of acquisition, the client-matter (or case) number and some acquisition notes. Encase images usually carry an extension of .E01.

If you initially acquire a disc in Encase format but need a DD image for analysis with a specific tool, you can export a DD image from the Encase image using FTK Imager.

Image Acquisition

Forensic images can be acquired using a number of hardware and software tools and a wide range of techniques. Depending on the requirements of a case, one or more techniques may be employed. The end result is the same, though: you'll get a mathematically verifiable bit-for-bit copy of a particular storage container.

Hardware Based Acquisition

Perhaps the easiest acquisition method for a lay person to conceptualize is acquisition with a hardware device. This disc cloner will have plugs for drives on both sides of a box, one for the original and one for the copy. Once everything is plugged in, the analyst will choose from some basic menu options and start the copy. The hardware device will only write in one direction, which protects the original evidence. When the copy is complete, the hardware verifies mathematically that the contents of the copy match the contents of the original.

Hardware imagers can either just mirror a hard drive or output to common formats like Encase or RAW.

These hardware imagers are great because they are fast and easy to use. The imager that I use will output to two drives simultaneously, which is a big time saver.

Software Based Acquisition

A similar process is acquisition using a tool like FTK Imager (FTKi). In this scenario, an examiner attaches the original drive to his computer through a write blocker of some kind. Software on his computer will then create the image on the local drive or on another external that's not write-blocked.

Software based acquisition is also used when a machine is being acquired while still turned on. This is common when there are storage arrays attached to the computer or in situations where it's important to preserve all data that resides in RAM or the investigator needs to document open network connections.

Once again, the software makes the copy and then mathematically verifies that the copy is an exact match to the original.
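To make the software-acquisition steps above concrete (a read-only source, a raw copy written in parts, and a mathematical check that the copy matches the original), here is an added example in Python. It is not code from the post or from FTK Imager; the "evidence drive" is a constructed byte buffer standing in for a device opened behind a write blocker, the part size and file names are assumptions, and SHA-256 is used for the verification hash. It also shows the detail a mounting tool handles for you: reading at a logical offset that spans two parts of a split raw image, and detecting a part that was modified after acquisition.

```python
"""Added example (not from the original post): raw (dd-style) acquisition into
split parts with hash verification, standard library only."""
import hashlib
import io
import os
import tempfile

CHUNK = 4096  # read size; real imagers use much larger, sector-aligned blocks


def acquire_raw(source, out_dir, base_name, part_size):
    """Copy `source` (a binary file-like object, opened read-only) bit-for-bit
    into numbered parts base_name.001, .002, ... of at most part_size bytes,
    hashing every byte as it is read. Returns (part paths, source sha256)."""
    digest = hashlib.sha256()
    parts, part_no, written, out = [], 0, 0, None
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        digest.update(block)
        while block:  # a block may straddle a part boundary
            if out is None or written == part_size:
                if out is not None:
                    out.close()
                part_no += 1
                path = os.path.join(out_dir, f"{base_name}.{part_no:03d}")
                parts.append(path)
                out = open(path, "wb")
                written = 0
            take = block[:part_size - written]
            out.write(take)
            written += len(take)
            block = block[len(take):]
    if out is not None:
        out.close()
    return parts, digest.hexdigest()


def hash_parts(parts):
    """Hash the concatenation of the parts, exactly as the source was hashed,
    so the two digests are directly comparable."""
    digest = hashlib.sha256()
    for path in parts:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()


def verify_image(source_hash, parts):
    """True only if every bit of the image matches what was read from the source."""
    return source_hash == hash_parts(parts)


def read_at(parts, offset, length):
    """Read `length` bytes at logical `offset`, spanning part boundaries; this is
    what a mounting tool does underneath when it presents a split image as one
    volume."""
    out, pos = bytearray(), 0
    for path in parts:
        size = os.path.getsize(path)
        if offset < pos + size and len(out) < length:
            start = max(offset - pos, 0)
            with open(path, "rb") as f:
                f.seek(start)
                out += f.read(min(length - len(out), size - start))
        pos += size
        if len(out) >= length:
            break
    return bytes(out)


def demo():
    """Image a constructed 10,400-byte 'drive' into 4,000-byte parts, verify it,
    read across a part boundary, then show that a post-acquisition change to one
    part is caught by re-verification."""
    evidence = (b"MBR-" + bytes(range(256))) * 40  # constructed stand-in for /dev/sdX
    work = tempfile.mkdtemp()
    parts, source_hash = acquire_raw(io.BytesIO(evidence), work, "evidence.dd", 4000)
    verified = verify_image(source_hash, parts)
    sample = read_at(parts, 3998, 8)  # last 2 bytes of part 1 + first 6 of part 2
    with open(parts[1], "r+b") as f:  # simulate a single flipped byte in part 2
        f.seek(10)
        f.write(b"\xff")
    return {"parts": len(parts), "verified": verified, "sample": sample,
            "evidence": evidence, "tamper_detected": not verify_image(source_hash, parts)}


if __name__ == "__main__":
    r = demo()
    print(r["parts"], "parts, verified:", r["verified"], "tamper detected:", r["tamper_detected"])
```

The point of hashing the source while it is being read, rather than hashing the finished copy twice, is that the source digest is computed from the bytes the tool actually saw; a mismatch against the parts then points at the copy, not at the drive.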

Network Based Acquisition

Images can also be acquired over the network using either commercial tools, or some elementary Unix commands like netcat and DD. Network based acquisition is experiencing some growing demand, although to be efficient some serious bandwidth is required. Think about how long it would take you to copy 250GB of data over the internet or across your corporate network.
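The netcat-and-DD pattern mentioned above (one side listening and writing everything it receives to a file, the other side streaming the drive into the connection) can be shown end to end with a small added example, in Python rather than the shell tools themselves. This is not code from the post; it uses a loopback socket and a constructed byte buffer as the drive, chooses SHA-256 as the verification hash, and runs the receiving side in a thread so both halves fit in one script. The security-relevant point it makes is that the hash must be computed independently on each side and compared, since neither dd nor netcat will tell you that a byte was lost in transit.

```python
"""Added example (not from the original post): network acquisition in the
'dd | nc' style over loopback, with independent hashes on both ends."""
import hashlib
import io
import os
import socket
import tempfile
import threading

CHUNK = 4096


def receive_image(listener, out_path):
    """Collector side, the 'nc -l > image.dd' role: accept one connection, write
    every byte to out_path and return the sha256 of what actually arrived."""
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as out:
        while True:
            block = conn.recv(CHUNK)
            if not block:  # peer shut down its write side: stream complete
                break
            out.write(block)
            digest.update(block)
    return digest.hexdigest()


def send_image(source, host, port):
    """Evidence side, the 'dd if=/dev/sdX | nc host port' role: stream the source
    read-only and return the sha256 of what was read from it."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as sock:
        while True:
            block = source.read(CHUNK)
            if not block:
                break
            digest.update(block)
            sock.sendall(block)
        sock.shutdown(socket.SHUT_WR)  # signals end of image to the collector
    return digest.hexdigest()


def network_acquire(source, out_path):
    """Run both roles over loopback; returns (sender hash, receiver hash)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    collector = threading.Thread(
        target=lambda: result.update(received=receive_image(listener, out_path)))
    collector.start()
    sent = send_image(source, "127.0.0.1", port)
    collector.join()
    listener.close()
    return sent, result["received"]


def demo():
    """Stream a constructed 1 MiB 'drive' and verify it arrived intact."""
    evidence = bytes(range(256)) * 4096  # constructed stand-in, 1,048,576 bytes
    out_path = os.path.join(tempfile.mkdtemp(), "remote.dd")
    sent, received = network_acquire(io.BytesIO(evidence), out_path)
    on_disk = hashlib.sha256(open(out_path, "rb").read()).hexdigest()
    return {"match": sent == received == on_disk,
            "bytes": os.path.getsize(out_path), "expected": len(evidence)}


if __name__ == "__main__":
    r = demo()
    print("verified:", r["match"], r["bytes"], "bytes")
```

The bandwidth caveat in the text applies unchanged: the loop here moves 1 MiB in a blink, but the same code pushing 250GB across a corporate link is bounded by the slowest hop, and the collector cannot verify anything until the last byte has landed.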

Practical Use

The easiest way to work with a forensic image is to grab a copy of FTK Imager from Access Data. It's free, and incredibly powerful. If you're an attorney who merely wants to get into the data to look at some of your client's documents, or mount a PST for some cursory review, its image mounting feature is top notch.

Of course, an analyst will use many other tools such as Encase, FTK Lab or Internet Evidence Finder, but for some quick and dirty analysis FTKi can't be beat.

Introducing the Forensics Fundamentals Series

I'm happy to announce a new series of posts which will cover some of the fundamentals of digital forensics. The audience for these posts won't necessarily be my peers in the digital forensics community, but my peers within the legal profession. Hopefully it will be a good resource for attorneys who want to use digital forensics more in their practice, or for forensic investigators who want to bring their clients up to speed with some of the basic vocabulary of the field.

The seasoned forensic investigators will likely notice that I may gloss over some of the more nuanced points, but keep in mind when reviewing these that the articles are tailored to those who want to get a grasp of the fundamentals first without getting lost in a dizzying discussion of technical details.

If there are any topics that you'd like me to cover, feel free to drop me a line.

The 2013 KCMBA Bench Bar Conference

I'd like to thank everyone that came to my presentation last Friday at the 2013 KCMBA Bench Bar and Boardroom conference. This is always one of my favorite events of the year and it was great to see some familiar faces in the audience as well as some newcomers who were looking to get a high level understanding of the role that digital forensics can play in civil litigation.

The KCMBA staff deserves a great deal of credit for pulling off a fantastic conference at a new location. The facility was great, and as a presenter and attendee I felt that things went off without a hitch.

If you couldn't make it and are still interested in catching my presentation on Practical Digital Forensics, I'll be giving it at a few of the CLE events sponsored by the KCMBA and UMKC and later in the summer at SecKC. I'll post more details as the dates and times get solidified.

Friday afternoon at Bench Bar 2013