There have been some very odd things going on in computer forensics over the last few weeks.
First, Microsoft’s COFEE incident response tool leaked onto the internet. COFEE had previously only been available to law enforcement organisations, so having it leak to the public kicked up a bit of a storm, with people trying to work out just exactly what it is capable of doing. The answer turned out to be “not very much”. Rather than being the ultimate secret backdoor that some early media reports made it out to be, COFEE is more like a glorified shell script that pulls down volatile memory to a USB stick.
Inevitably, someone released a tool aiming to disrupt COFEE’s execution. DECAF was released earlier this week, but a couple of things about it seemed a little strange. Its website offered the tool for download, but in a binary-only distribution. Perhaps it’s just me, but I find it quite hard to trust security tools that don’t release their source code. Another quirk was that the DECAF website contained an EULA for the software prohibiting reverse engineering or disassembly (which also contained references to Skype, of all things!). It all seemed to go against the ethos of full disclosure in computer security.
I downloaded a copy, and planned to play with it over this weekend (I’ve just handed in my final piece of MSc coursework for the semester today!), but there’s another twist:

The DECAF website has been updated to remove any links to the software and instead shows an odd message claiming that all copies of DECAF have been disabled, ending with a passage from the Bible!
As I’ve been writing this I’ve been listening to an interview with DECAF’s developer on the Cyberspeak podcast, which seems to have been recorded before the tool was taken down. It’s interesting, but it doesn’t really make things any clearer with regard to the developer’s motivations or the manner in which the tool was released.
Last week I started playing with Last.fm in an attempt to stave off the boredom associated with the statistics labs that were piling up on my desk.
If you have a strange desire to know what I’ve been listening to recently, here’s a link to my profile.
This is a pretty interesting read.
Back in August there was an article in Wired about people who decide to disappear without leaving any trace at all. As a sort of follow-up the writer decided to “disappear” himself and try to pick up a new identity for a month, with a bounty of $5000 for anyone who could track him down.
The premise is simple: I will try to vanish for a month and start over under a new identity. Wired readers, or whoever else happens upon the chase, will try to find me.
The idea for the contest started with a series of questions, foremost among them: How hard is it to vanish in the digital age? Long fascinated by stories of faked deaths, sudden disappearances, and cat-and-mouse games between investigators and fugitives, I signed on to write a story for Wired about people who’ve tried to end one life and start another. People fret about privacy, but what are the consequences of giving it all up, I wondered. What can investigators glean from all the digital fingerprints we leave behind? You can be anybody you want online, sure, but can you reinvent yourself in real life?
It’s one thing to report on the phenomenon of people disappearing. But to really understand it, I figured that I had to try it myself. So I decided to vanish. I would leave behind my loved ones, my home, and my name. I wasn’t going off the grid, dropping out to live in a cabin. Rather, I would actually try to drop my life and pick up another.
Writer Evan Ratliff Tried to Vanish: Here’s What Happened
Scotland’s Autumn Tests started this weekend against Fiji. Getting tickets was easy but I had to solve a little logic puzzle to actually get into Murrayfield.

Someone at the SRU hadn’t thought their cunning plan all the way through.
Pretty good game. I’m off to the Scotland / Australia game next week.
On the off chance that you want to read a genuinely interesting piece of science writing, here’s a New Scientist article about the Large Hadron Collider.
And for those who worry about the repercussions of digging a tunnel under the Franco-Swiss border and smashing some very small things into other very small things at very high speeds, here’s a handy RSS feed.
Throughout our forensic informatics lectures we have been somberly informed that a career in digital forensics and avoiding child pornography are, to all intents and purposes, mutually exclusive. It isn’t very nice but sooner or later anyone involved in digital investigations is going to have to deal with it at some level.
I recently had a conversation with some friends where we discussed various scenarios where “evidence” could be planted on a computer without the owner’s knowledge. We came up with a few hypothetical situations in which it would be trivial for a motivated party with a bit of technical knowledge to cause a lot of trouble for an unsuspecting victim. Especially as child pornography is nasty enough that possession alone is all that’s needed to cause some serious legal difficulties.
I was reminded of that conversation by a post on Slashdot over the weekend concerning malware which, for one reason or another, seems to do just that. One case referred to in the AP article mentions software that hit 40 sites per minute while the defendant was out of the house. That case was eventually dropped but it took 11 months and cost the defendant $250,000 in legal fees, not to mention the damage to his reputation.
I’d like to think that it would be pretty simple to determine if malware is responsible for the presence of an image or video, but that doesn’t always seem to be the case. Another thing is that these seem to be “random infections”. I find it a little depressing to think of the damage that could be done by a properly targeted attack.
Toward the end of the first year of my undergraduate degree I read a book by Neil Barrett called Traces of Guilt, which describes the author’s involvement in computer-related crime as a security consultant and expert witness. It is written as a series of case studies showing Barrett’s involvement in criminal cases ranging from paedophilia to murder, as well as private consultancy work such as dealing with a sociopathic systems administrator at a wealthy holding company.
Despite the subject matter, it is surprisingly accessible (after all, it was my mother who recommended it to me!), but it still contains enough technical information to keep a computer science student interested.
I read it again recently and even though five years have gone by since I first picked it up, very little of it seems dated. It’s definitely worth a read for anyone with an interest in computer crime.
Traces of Guilt got me thinking about computer security from the “other side”, and is probably part of the reason that I’m studying computer forensics today.
I think this is quite interesting.
From The Register:
An Australian man who set up an elaborate network of hidden cameras to spy on his flatmates has escaped jail time after police were unable to crack the encryption scheme protecting his computer.
…
But the files were encrypted, and the 39-year-old Wyllie refused to divulge the password. The inability of police to review the files – combined with the fact that a camera he used was unplugged when the raid was commenced – meant prosecutors lacked the hard evidence they needed to prove the man had secretly taped his flatmates.
I’m under the impression that RIPA could be used over here to compel a suspect to give up the password, but it’s quite hard to find information on when Part 3 of the Act has been used, so perhaps I’m mistaken.
One of the benefits of being back at university is that I can take advantage of the CIS department MSDNAA subscription. This means that those studying computer science or something similar can download licensed copies of Microsoft products like Windows XP Pro, Windows Server and Visual Studio (although not Office). Windows 7 Professional was on the list and I missed the public beta, so I thought I’d give it a go on my old laptop.
My laptop (1.73GHz Pentium M, 1 GB RAM) is just above the listed minimum system requirements so I was a little concerned about even running Windows 7, but after a week it seems to be holding up pretty well.
Installation went smoothly. The only crash I’ve had was after the first time I plugged in an ethernet cable, but after a restart Windows automatically downloaded the drivers for the rest of my hardware. A few friends of mine have had bad experiences with driver support so far, so my success may just be down to having older hardware without many flashy features, but when it works, the hardware detection is pretty slick. Startup is a little slower than XP, but after logging in the system is just as responsive, with no noticeable lag in the desktop. The networking features are still a bit of a mystery to me, but they detected the multitude of proxies that are needed to do anything useful on the campus network. Which is nice!
Overall I’m pretty impressed with it so far, especially running on such relatively low-spec hardware. I’d say it’s comparable to Windows XP, but I haven’t seen anything yet that makes me want to give up my Linux partition.
tl;dr – Windows 7, it’s not terrible.