First and foremost I am in no way affiliated with MacHeist, but there is a free software giveaway over at macheist.com and I encourage you to go get your fully licensed nano bundle.
I was talking with Burns today about his desktop configuration and my own and I’ll confess I’m not really ready to adopt the multi-display situation. I don’t have any issue with multiple machines, or using a machine with multiple desktops that I can tab between, but I think having several displays would be distracting. My desktop, although slightly cluttered right this minute, consists of a 16 inch CRT which is plugged into my Debian machine under the desk, my MSI Wind U100 netbook, and my Macbook Pro. The Debian machine has no desktop or window manager – console only, my netbook is running XP Pro, and my Macbook Pro has 4 desktops utilizing Spaces.
I typically use my Debian machine to connect to machines for long-term projects via SSH using Alt-F[1-9] to segregate connections or to validate script functionality. My netbook is the least frequently used machine – when I need IE, MVLS access, evaluating some particular Windows software, or to connect using the VMWare Console to those VMWare servers still running the older 1.x VMWare Server. My Mac is my workhorse, though.
Desktop 1 has MacMail, Adium, and PicoPlay, Desktop 2 is split by 2 browsers, Desktop 3 has RDP sessions and iTerm and Desktop 4 is where I do anything else that needs to be done. I suppose it could be argued that this is not that different from using multiple displays but I don’t have to look at them all at once. I’ve been playing around with infrastructure virtualization, a technology that would allow one physical machine to paravirtualize several distinctly non-physical machines, but I don’t think I’m ready to operate a half-dozen specialized workstations just yet. I believe the configuration and management would require more time and energy than it would be worth. The notable exception, I believe, would be if I sat in the driver’s seat of a NOC and had to monitor, manage, and protect divergent networks.
Outside concern: information overload
I’ve been puttering around with a bunch of machines running Xen, getting more familiar with the LiveMigration functionality which facilitates a copy of a running virtual machine from one node to another, and generally squirreling clutter around the apartment. There is a project stub for this that I’ve been working on for probably too long, but I wanted to try and find ways to make the system more secure without installing another machine. Trusted systems, true to their namesake, tend to be insecure. Well, let’s say they resist security measures.
My mentees are very interested in completing this project, too, and naturally moving on to the next one.
This article by Larry Daniel of Guardian outlines the difference between a Computer search and a Forensic examination as it pertains to the recent US Court of Appeals ruling mentioned before. This is a new way to address what many consider a major upset for law enforcement relative to digital forensics.
This is an application that allows you to forge malicious PDF documents, the purpose of which is to develop better analytical skills and determine how these malicious PDFs are being generated. This is an educational tool but also allows you to edit and modify PDFs.
A new physical-to-virtual machine converter was released over on the sysinternals site here. This type of program (the VMWare VMConverter is one example) allows you to virtualize a running machine. Disk2vhd differs from other kinds of converters because it clones live and uses Volume Snapshot to create the running-state VM.
If you’re looking for something like Tripwire without all the bells, whistles, and price you should check out AIDE. AIDE, or Advanced Intrusion Detection Environment, is a free and open source solution (FOSS) that you install to a machine. AIDE maintains a database of file conditions and alerts you when a change has been made. You can manually update this database when you install something or perform an update and this can function as one component of your overall system security monitor. Here is the page describing it and here is a brief installation guide over at howtoforge.com. I’ll probably put something up on the projects page shortly offering a practical application.
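As an added illustration (not part of the original post or of AIDE itself), here is the cycle the paragraph describes in Python: build a baseline database of file hashes and attributes, re-scan and report what changed, then re-baseline once an operator has reviewed the report. The sample file tree is constructed in a temporary directory; the `aide --init`, `--check` and `--update` names in the comments are AIDE's own, everything else is this example's.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Hash the file and capture the attributes a baseline should pin down."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root):
    """Like 'aide --init': one record per regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = file_record(full)
    return db

def compare(baseline, current):
    """Like 'aide --check': report files added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed sample tree: take a baseline, change things, check, then accept."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_baseline(root)
        # An unexpected edit to passwd and a new file appear after the baseline.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"\x00")
        report = compare(baseline, build_baseline(root))
        # After review, re-baselining is the manual database update the post describes ('aide --update').
        accepted = build_baseline(root)
        return report, compare(accepted, build_baseline(root))
```

The first report lists the edited `etc/passwd` and the new file; the second, taken against the accepted baseline, is empty.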
Today I’m installing the 32bit version of Windows 7 professional on a Sony VGN-N230E/B, an altogether unremarkable event for the most part, and I’m curious how it stacks up to the 64bit version I’m already familiar with. The most obvious difference is going to be hardware-dependent: the 32bit OS has a maximum memory threshold of 2GB and this is a negligible concern because the laptop in question has that same threshold and is only armed with a 32bit processor.
Installation: pop in the DVD and prepare for a lengthy siege. You will have to decide if you want to upgrade or not, etc, but there is relatively little to do besides watch the progress bar move. During the installation I did some rack maintenance, answered a dozen emails, and handled an errand. Approximate wait time: 24 minutes.
Post-reboot: the usual “getting to know you” begins – choosing a username, a PC name, setting the timezone settings. Windows 7 feels pretty snappy on a 1.7GHz T2250 with 2GB of RAM and detected all the hardware present with the exception of the memory card reader, something easily remedied. Software updates automatically begin downloading, too, which was familiar.
Post-update: I installed AVG Free and Office 2007 Standard – the former to get rid of a notification and the latter because it’ll be useful to have. While I ate lunch I ran the system rating application and received a 3.1 due to the weak GPU.
I made it back from Boston yesterday by train – I had the opportunity to visit some historical landmarks and I purchased several new bow-ties. I should also disclose that Sam Adams is no cheaper in Boston, where it is brewed, than in New York.
WinDD 1.3 has been released over here. WinDD, in either arch flavor, allows an examiner to dump the memory of a Windows PC and filter out useful information about network connections, crashes, Samba connections, etc.
GeoIP is a technology that maps an IP address to a geographic location, something I find useful if I’m dealing with a network issue and want to know where that issue originates. A particular implementation of this technology has resulted in an, albeit incomplete, database of Wireless Access Points (WAPs) that can be searched against to determine where someone was, physically, when they connected to the Internet. There’s a great article up over here that covers this in greater detail and, since I’ll be learning a little more about GPS forensics and geolocation, this is of particular interest to me.
I am curious if systems like OnStar maintain geolocation information – to the best of my knowledge there are no forensic examiners who currently specialize in automotive computer forensics.
The US 9th Circuit Court of Appeals recently submitted a ruling that has raised some eyebrows in the digital forensics community. To summarize this bench ruling: plain view should be abandoned when processing digital evidence.
The plain view doctrine allows an officer of the law to seize evidence not specified by a warrant while executing that same warrant – this would, for example, allow an officer searching your home for illegal weapons to also seize narcotics if they were, as the doctrine phrases it, “in plain view.”
If you live in the United States your 4th amendment rights protect you from unfair searches and seizures while guaranteeing you a reasonable assumption of privacy. An example of this would be if you were using a public telephone and had the door closed – the police would be prevented from snooping in on this conversation. This protection can also be applied to searches and seizures – if you have a wall safe in your home the police cannot search the wall safe unless specified in the warrant.
How does this apply to digital evidence? Well, if an officer of the law is searching your hard drive for something they have been granted a warrant to search for, such as evidence of the exploitation of a child, and they happen to stray into a folder containing confidential financial records in which it is obvious you have been evading your taxes, this new ruling would require that the officer ignore this evidence. This becomes an issue for law enforcement because they are duty-bound to report all evidence of a crime. So the court recommended throwing out the plain view doctrine, allowing officers to inspect these materials. Unfortunately this precludes that evidence from being used in a trial for, in this case, tax evasion. The court has recommended, as a consolation, that third party examiners be used to segregate these types of evidence and present the warranted evidence in lieu of an officer rendering something inadmissible. Law enforcement also takes exception to this because it puts civilians in direct contact with sensitive materials and most law enforcement agencies can’t afford to keep a third party firm under retainer.
So where does it go from here? Well, the legal community is debating whether the 9th Circuit court has exceeded its authority. There happens to be no precedent for this sort of thing. On the other hand if Congress fails to defeat this (Congress has to reject the ruling as opposed to approving it) then it goes into effect immediately. Time really will tell but, for the time being, this is news shaking the world of digital forensics.
A hash, whether MD5 or SHA1, is just a way of demonstrating how unique a given piece of data is. For example, if you were to write all zeroes out to a disk and then take the hash that hash would be a string of all zeroes. Conversely, if you had written all ones out to the same disk, the hash would be all ones. This is an expression of how unique the data is using a mathematical algorithm to distill the data into a string. There are rules about hash values, as well:
- 2 pieces of different data cannot have the same hash
- A hash cannot be predicted
- A hash must be unique
Although there have been some recent hash collision breakthroughs in the field of mathematics there is no reason to doubt the validity of an MD5 or, the superior, SHA1 hash. This is relevant to digital forensics because when you image a physical disk and compare that image’s hash to the original you are looking at the hash to serve as verification that the data is identical. Likewise if you create a second working copy from an original disk you should be able to compare the hash of the working copy to the image as a means of verification. This logical syllogism of data comparison is sufficient to demonstrate both repeatability and integrity.
You should include, as a component of your validation protocols, a means of demonstrating the validity of your working copy or image hash as compared to an original. If you duplicate an original to 2 destinations and both of those hashes match the original you can be confident that the hash derived is correct.
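As an added example (not from the original post), the two-destination verification protocol above in Python: the original and both working copies are hashed with MD5 and SHA1 in one pass, and a third copy with a single flipped bit fails the check, which is exactly what the hash comparison is there to catch. The disk contents are constructed bytes standing in for a physical image.

```python
import hashlib

BLOCK = 65536  # hash in chunks so a multi-GB image never has to fit in memory

def image_hashes(data):
    """MD5 and SHA1 of one image, computed in a single pass over the bytes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for i in range(0, len(data), BLOCK):
        md5.update(data[i:i + BLOCK])
        sha1.update(data[i:i + BLOCK])
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_copies(original, copies):
    """Dual-destination check: each copy must reproduce both hashes of the original.
    Returns the original's hashes and a per-copy pass/fail map."""
    expected = image_hashes(original)
    results = {name: image_hashes(img) == expected for name, img in copies.items()}
    return expected, results

def demo():
    # Constructed 'physical disk': 1 MiB of patterned bytes standing in for sectors.
    original = bytes(range(256)) * 4096
    # Two working copies written from the original, plus one with a single bit
    # flipped in one sector, the kind of damage a bad cable or write error produces.
    damaged = bytearray(original)
    damaged[12345] ^= 0x01
    copies = {"dest1": bytes(original), "dest2": bytes(original), "damaged": bytes(damaged)}
    return verify_copies(original, copies)
```

Both destinations report True and the damaged copy False; a one-bit difference changes every hash digit, so the comparison needs no tolerance.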
In the interest of making room for new toys I made a donation of some 2500 routers, a 2900 catalyst switch, and a 4000 router to a first year IT student with a desire to master networking. I also cleared out solo, the former postfix mail server. I have about a cubic meter I can now fill with…well…let’s call them “project materials.”
I could perhaps be chastised for failing to properly explain the OSI hierarchy or the foundations of routing and switching, the general subjects relative to networking, but if it helps to motivate and inspire so be it. I never took a great deal of pleasure in routing and switching, despite the years I devoted to it, though I do believe that if you intend to work within a datacenter a knowledge of those areas is critical. For me it was a means to an end – now that I have the understanding and experience I am prepared for the next leg of the race.
Discrete Math, by the way, is not as much fun as I was led to believe – truth tables, Venn diagrams, summation, proofs: these are not the areas of math that I enjoy.