Tuesday, June 3, 2008

Techno Security Day 3

Today was an interesting day.

I started the day listening to Eric Thompson from AccessData do some damage control as a result of FTK 2's absolute failures. I found his talk to be as tasteless as the email that was sent out regarding FTK 2. It was telling that he received one question, which had nothing to do with his talk. More on AccessData later...

Up next after a caffeine fix was Dave Thomas from the FBI and Rohyt Belani's talk "Current and Emerging Cyber threats and the Internet".

I was a little disappointed that Rohyt reused some of the same compromise material from a 2006 Black Hat talk he gave. Dave's portion of the talk was very interesting. He had a fantastic visual analogy for systems administrators: if you've ever seen 'Ice Age', there's a scene where the squirrel is attempting to plug a number of holes with various body parts. Very accurate in my opinion. Dave focused on cyber crime from the FBI's perspective, that is, what happens when they get called in to a corporate incident. He discussed the difficulties they have with foreign countries and the differences in breaking encryption in the US vs. Italy. In the US it's a very technologically intensive process. In Italy, they apparently grab the suspect and beat them over the head to get the key out of them. Interesting talk, especially from the perspective of the FBI.

Next up was Amber Schroader from Paraben. Her talk was "Emerging threats in digital devices".

The talk was interesting from the perspective of someone who specializes in mobile device analysis, and she largely discussed how to deal with mobile devices in your own organization. A few good points:

Define what's required for the organization to function.
Determine how they are regulated in the organization, and how they should be.
Determine if you are auditing these portable devices.
The mobile field is changing daily. Update your requirements frequently.

Apparently Paraben takes the stance "if it gets plugged in to our machines, then we get to make a copy of the contents". They actively monitor their systems for mobile devices and refuse to allow iPhones.

These are just a few things to consider when you talk to clients, or when devising your own internal policies regarding mobile/portable devices.

She did point out the I-Fone, which I'd never seen or heard of. Interesting device: it takes two SIMs and a storage card, and it looks exactly like the iPhone.

The day ended with Marc Weber Tobias' talk on breaking Medeco locks. I'd seen parts of his talk before, including the discussion surrounding the M3 and biaxial locks, but it's always best to see his stuff in the flesh. Playing with the Tomahawks and Medeco locks is not a common occurrence.

Some takeaways from his talk:

Work the problem, consider all design parameters and explore all aspects.
Ignore the so called experts.
Always believe there is a vulnerability.
The key does not unlock the lock, the key actuates the mechanism which locks/unlocks the lock.
Time is on the attacker's side. It took 18 months to crack the Medeco locks. This reinforces the idea that, given enough time, all security can be compromised.

Ok, so on to AccessData. Pay attention to this one because it may have implications for you.

I approached the AccessData booth at least 4 times without being noticed by a single person manning the booth. There were no less than 7 people there at any time I stopped by. Finally I grabbed the attention of one of the folks at the booth and asked a simple question.

"With the web based case review/external viewing capability, what are the implications of an external case reviewer reviewing case contents from a remote location? Specifically, what are the implications of a reviewer using Internet Explorer - upon which the tool is based - caching the images of a CP case? Even with the 'don't store SSL pages in cache' option, IE still caches the pages and wipes them when done. The potential for CP images to be cached by the browser and cached in a thumbnail file exists."

There is currently no solution to this. It is now being discussed, and we talked about a few potential solutions - such as using a VMware browser appliance and secure wiping - so the case reviewer's machine does not become tainted by CP images.

In addition, they are now allowing EVIDENCE outside of the forensic lab. Not in the sense of copying data, but viewing the data, which due to caching is essentially the same as copying. This is not what I would consider acceptable in the physical world, and the digital world needs to be treated no differently. The traditional forensic lab model has been violated by AccessData with the creation of their web based tools. This is what I'm calling Evidence Sprawl or Evidence Leakage, and it needs to be treated very seriously. In addition, the images can be found outside of the database in the case temporary directory. This is serious not only because of the leakage potential, but also because of the case integrity implications. We know espionage exists. If I know who the forensic company is working with, I can target the potential case reviewers for compromise and jeopardize the integrity of the entire case. By extending the reach of the forensic lab, they are exposing the lab to more risk. The model of not having forensics machines connected to the internet disappears with this architecture. If you have the more advanced AccessData products, consider the implications and the network security architecture that must be implemented to adequately protect the case data.
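One defender-side check the paragraph above implies, added here as an example that is not part of the original post or of AccessData's tooling: hash every file under a reviewer's browser cache or temp directory and compare the digests against the known hashes of the case images, so leaked copies can be located (and wiped) before that machine leaves the lab's control. The cache layout and the "evidence" bytes below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_leaked_evidence(scan_root, case_hashes):
    """Walk scan_root (e.g. a reviewer's browser cache or temp directory) and
    return the paths of every file whose SHA-256 matches a known case-evidence hash."""
    wanted = set(case_hashes)
    hits = []
    for dirpath, _, filenames in os.walk(scan_root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it but keep scanning
            if digest in wanted:
                hits.append(str(p))
    return sorted(hits)


def build_demo_cache():
    """Constructed sample: fake evidence bytes dropped into a fake browser cache under a
    renamed file, next to unrelated files. Returns (cache root, set of case hashes)."""
    root = Path(tempfile.mkdtemp(prefix="review_cache_"))
    evidence = b"\x89PNG constructed-evidence-image-bytes"
    cache_dir = root / "Content.IE5" / "ABCD1234"  # hypothetical cache subfolder name
    cache_dir.mkdir(parents=True)
    (cache_dir / "img[1].png").write_bytes(evidence)
    (cache_dir / "logo[1].gif").write_bytes(b"GIF89a unrelated site graphic")
    (root / "notes.txt").write_text("not evidence")
    return root, {hashlib.sha256(evidence).hexdigest()}


if __name__ == "__main__":
    cache_root, case_hashes = build_demo_cache()
    for hit in find_leaked_evidence(cache_root, case_hashes):
        print("case evidence found outside the lab:", hit)
```

Hash matching only catches byte-identical copies; thumbnail caches re-encode images, so those need a separate check.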

I am not trashing AccessData here. I just want to make sure we all understand the implications of using their new breed of tools. When building the networks required to implement the new tools, you really need to consider the security of the 'system'. By system I mean any computer, network, or other asset that has access to or processes case data.

If you have thoughts on the FTK issues, please share them.


Anonymous said...

A couple of years ago, when I was working for a big risk consultancy firm, we considered the idea of having remote access to servers containing images and case files. It was taken for granted from day one that any machine having access to the data would have to have the same restrictions placed upon it as if it were in the original lab itself. Only dedicated machines could be used for viewing such data remotely and strict procedures would have to be in place to prevent evidence leakage. We also looked at dongle based security systems to prevent unauthorised access. Even then, I had doubts and the project did not proceed. I am pretty gobsmacked that, from the contents of this blog, AccessData do not seem to have given due consideration to these issues.

Anonymous said...

The comments you make are very valid, but I am surprised that you have singled out AccessData. Whilst not having seen AccessData's web based review solution, it sounds remarkably similar to Guidance Software's EnCase Lab Edition (actually too similar in my view; there appears to be a convergence in many of AccessData's and Guidance Software's solutions). Whilst this appears to be more than coincidental, I believe that this does offer many advantages within a LE environment. Implemented correctly (e.g.: on a standalone distinct network within a large LE agency) it enables significant time and cost savings by pushing some of the review and classification of material back onto Investigators, relieving computer forensic practitioners to concentrate on the technical examination. Where you have an agency spread geographically across a continent (or even across offices), there are further savings in relieving investigators of having to travel to preview material. I also believe that the best placed person to review and identify relevant material is the investigator that has an intimate knowledge of all aspects of the investigation. Whilst some argue that this may remove the impartiality of the computer forensic examination, I believe that an experienced computer forensic examiner can identify the relevance of what Investigators have identified and offer a balanced and even alternative view where technical considerations identify the contrary.

Unfortunately it is a climate where we can no longer rely on a single computer forensic examiner to do the entire investigation, and tools which facilitate rather than inhibit this need to be embraced (albeit in a controlled and correctly implemented model).

Anonymous said...

I appreciate the concerns about evidence spread but most of the work that I do is civil rather than criminal litigation. When the issue is eDiscovery and my client may be located a few thousand miles away, I find it much easier to allow them secure access to my site than to ship disks back and forth.

In fact, a number of law firms with which I have worked use EMC's Documentum document server to host e-rooms which contain expert reports, depositions, hearing transcripts and evidence, among other things. Disclosure is restricted by formal confidentiality agreements.

I understand that there are more strenuous requirements when dealing with criminal evidence, especially CP, but I also feel that there is a tendency in computer forensics toward law enforcement concerns and not enough attention to issues related to civil or internal corporate investigation. In these latter cases, the ability to share my work with clients at remote sites is essential to providing them with efficient and cost effective solutions.

hogfly said...

If it seems like I've singled out AccessData, that's because I use their products and was at a conference they co-sponsored. It's really a matter of relevance to me. Were I willing to shell out six figures for a Guidance solution, I'd be just as concerned. Given that many people left Guidance and joined AccessData, that their products are similar is not coincidental at all; I'll agree with you there. I agree that there are numerous benefits to the distributed model. The distributed processing is a great idea, as is case reviewing and other features, but not at the expense of the integrity of the case. Let's be honest, any network can be breached, including those owned and operated by Law Enforcement. The key to all of this is a "properly implemented" solution, as I have pointed out and you have agreed to. The instant officers, investigators or case reviewers operate from an untrusted network, the integrity of the case is at risk. If field laptops or other computers outside of the physical lab network are used to review cases, they should be held to the same standards as a lab computer. This makes me wonder what ASCLD would have to say about this model.

hogfly said...

Anonymous #3,
Fair enough. Are you willing to guarantee the security of your site? Are you willing to bet your case, client, and reputation on it? Civil litigation and ediscovery is certainly a different world, I'll grant you that. Do your confidentiality agreements cover inadvertent disclosure? Suppose the confidential documents your client is reviewing end up on a very public website, what then? The issue I bring up is not entirely one of external reviews, but the implications of external review, specifically as it pertains to criminal proceedings, and the implementation of the distributed forensics tools. When an HR investigation turns into a civil case, the issues are no different than I mentioned already. If the confidential documents are no longer confidential, the integrity of the entire case is at risk.

The reason I think there tends to be a greater focus on law enforcement is because the stakes are arguably higher (lives are at stake in some cases), which makes the stuff we deal with in the mickey mouse civil world seem small and insignificant. Granted the civil world can affect more individuals but that's never been portrayed as important to anyone but those affected.