Comments feed for "Computer Forensics and Incident Response" (blog by Bill), last updated 2014-03-11 10:32 UTC. Entries are listed newest first.

----
Anonymous, 2012-10-25 06:24 UTC

Great website... and cool article, man... thanks for the great post... keep on posting such articles... Resources like the one you mentioned here will be very useful to me! I will post a link to this page on my blog. I am sure my visitors will find that very useful.

----
atie, 2009-11-23 14:12 UTC

Thank you very much.. the information is very helpful.

----
Bill, 2009-02-23 03:16 UTC

. . . "My impression was that files are decrypted and encrypted in ram, on an as used basis."

In my experience, this isn't the case, but I can't say that there isn't something out there that handles files this way.

I'm just guessing, but I'd say that it's probably really computationally expensive to do decryption this way.

----
Anonymous, 2009-02-22 19:51 UTC

Thank you very much for your response.
I had thought that only files which are open would be exposed (possibly) and unopened files would stay in a decrypted state.
My impression was that files are decrypted and encrypted in RAM, on an as-used basis.
Is this wrong?
Thank you.

----
Bill, 2009-02-22 12:38 UTC

"can one read the data if he can hack in...?"

Yes. Whole disk encryption only works to protect the drive when the drive is off. When the drive has been decrypted at boot, it's readable to whomever has access to the box. . .

----
Anonymous, 2009-02-22 10:09 UTC

I have a much simpler question; if someone is running WDE and they are using the computer online, can one read the data if he can hack in, or will it still simply appear to be random data?

----
Anonymous, 2009-01-15 07:12 UTC

The said file also appears to be in my D: drive...

----
Simfish InquilineKea, 2008-10-23 04:09 UTC

Hm, when I try it I get the error message "5: database is locked". Can anyone e-mail the solution to simfish@gmail.com?
Thanks!

----
Anonymous, 2008-10-14 19:17 UTC

Hi, which .db files must I open? When I try it, it doesn't work.

----
H. Carvey, 2008-09-07 11:18 UTC

For dd and dcfldd, it should be "bs=4096" for memory dumps.

Interesting finding, re: file sizes, noting that win32dump and mdd.img are the same size.

Now, this was XP SP2... what about Vista? ;-)

One item of note... when I asked Kevin and Kris about these issues w/ syntax in the article, Nick told me that MS had changed "something" in XP, but never did tell me what it was.

----
Anonymous, 2008-09-05 12:44 UTC

The program is now available from Machor Software (http://www.machor-software.com). Google Chrome Forensics is designed to extract the user history and much more.

----
jaymcjay, 2008-08-25 16:10 UTC

My first assumption is differences in default block size in dcfldd and plain ol' dd. Have you checked the bs=x flag?
How does it work with the same flags, like bs=1M?

----
Bill, 2008-02-16 04:19 UTC

> Do you know if this trick would work with TrueCrypt's WDE?

No idea really.

> Getting the last 16 bytes of the passphrase for PGP WDE is only helpful if (a) the passphrase is short enough to bruteforce,

No, it's valuable regardless. Assume that the passphrase is 30 characters long and you have no recognizable pattern (e.g. words) to base your guesses on; in that case, your work would require a bruteforce attack of ~128^14. I'd take that over ~128^30 any day of the week.

> Imagine that the password were not "I am a Computer Geek" but rather "g4m_V3:6#OL%~nazj^IUP a Computer Geek".. just to throw you off. I find this much more likely as someone using WDE is not going to use all dictionary words anyway.

Most of my experience is with people in an enterprise who are forced to use WDE; granted, that's a different animal than the user who opts to use WDE, but the principle is the same as noted above. I have at least a part of your password.

While there isn't much research on password length/complexity, you might look at http://world.std.com/~reinhold/passphrase.survey.asc for a reference.
My experience is that passwords/phrases, even among the security conscious, tend to lean toward the easy/short end of the spectrum.

B

----
Anonymous, 2008-02-13 15:13 UTC

Do you know if this trick would work with TrueCrypt's WDE?

Getting the last 16 bytes of the passphrase for PGP WDE is only helpful if (a) the passphrase is short enough to bruteforce, or (b) the last 16 bytes actually contain enough meaning to guess the rest. Imagine that the password were not "I am a Computer Geek" but rather "g4m_V3:6#OL%~nazj^IUP a Computer Geek".. just to throw you off. I find this much more likely as someone using WDE is not going to use all dictionary words anyway.

----
Bill, 2007-12-30 14:47 UTC

Thanks Rossetoecioccolato!

----
Anonymous, 2007-12-29 04:59 UTC

Seems like I posted to the wrong message.
This makes more sense here.

http://groups.yahoo.com/groups/forensicanalysis.

- Rossetoecioccolato

----
Anonymous, 2007-12-28 17:31 UTC

http://groups.yahoo.com/groups/forensicanalysis.

- Rossetoecioccolato

----
Ryan, 2007-10-11 13:28 UTC

Do you have the log reader available that you were coding which was able to read the internet.evt file?

----
Anonymous, 2007-09-19 18:19 UTC

Just wanted to say this is a great blog. I study security and came across this looking for ways to evaluate whole disk encryption implementations from the "other end" - that is, real world experiences in compromising the software (vs. marketing claims, reviews, white papers, and source code). I hope you keep writing.

----
rynhere, 2007-08-10 19:48 UTC

So, I read through section 1 and 3. I guess my first response is "why would anyone go through these elaborate mechanisms for the sake of getting a password from a running and logged in computer?" Remember that the whole premise here is that the machine has to be turned on and logged in with valid credentials to begin with, before any of these simple, 318 steps even apply.

Um, I'm sorry, but this product, as I understand it, was intended to ensure that lost laptops (which are presumably turned off) do not pose a threat as the data is encrypted. Is this "defeat" intended to describe how you would take a turned off laptop and defeat the password? I didn't see any mention of it beyond the obvious of brute force... good luck on that. However, if you have a running computer that has been logged in and is in the Windows interface, then let me give you the 1 step method of getting a copy of the data to run forensics against all day long. It's called hooking up a USB drive and downloading the meaningful contents of the native drive.

If you're trying to obtain forensic information from the box, however, as this article seems to illustrate, I'd like to understand how it is that you ask (in your kindest, big-brother-is-watching sort of way) for this person to log into WDE and the network for you so that you can take their computer for the next 30 minutes to reverse engineer this password. Riiiight. Tell you what, if you can get someone to give you a logged in and running computer, then one of two things is the case:

1. You're the CEO of fantasy land.
2. You're in the wrong profession because you can clearly sell water to a drowning man.

Go find your calling in life as a salesperson instead of geeking out on reverse engineering passwords to a running, unencrypted (once you've authenticated to WDE, the drive "appears" as unencrypted) box.

----
Unknown, 2007-07-26 09:42 UTC

Hi Eric,

Great thinking!!

Do you have the list of Event IDs and their messages for Windows Vista?
If so, let me know!

Thanks,
devi

----
Bill, 2007-07-25 19:25 UTC

> Agreed, but something needs to be done. Generally, in the initial moments of panic, destruction of crucial data ensues. Training in incident identification and containment procedures is paramount... even on-call services sometimes won't get there for 12 to 24 hours or more.

> My experience has been that such people aren't already on-site, even in large organizations that know that they handle PII data.

I think we are saying the same thing here, if in different ways.

My point is that the response should be guided by responders, not as an afterthought. If you have an intrusion, we can get started on step 2 on the phone, and then move to steps 3-5 while that is going on. . . but if you move steps 4/5 in most cases, the value of an incident response and investigation is muted because evidence is destroyed/overwritten.

I completely agree that training is important, but in my experience, the folks that aren't doing this work every day (regardless of training) just aren't qualified or equipped to do everything that's needed for a thorough investigation and/or prosecution.

I've spent a lot of time on the phone with administrators who are in panic mode, walking them through the steps that I need them to take early on b/c I can't respond, but in doing so, I've found that generally I'll get what I need. OTOH, I've never gotten a really successful response once the powers that be at an organization start working on their plan. Those plans rarely consider "forensic necessities."

----
H. Carvey, 2007-07-24 10:54 UTC

> ...most people aren't qualified to develop or implement a plan...

Agreed, but something needs to be done. Generally, in the initial moments of panic, destruction of crucial data ensues. Training in incident identification and containment procedures is paramount... even on-call services sometimes won't get there for 12 to 24 hours or more.

> ...it's much more likely that a person who does this type of stuff for a living...

My experience has been that such people aren't already on-site, even in large organizations that know that they handle PII data.

----
Bill, 2007-07-24 10:38 UTC

All valid points, but given the general inability of organizations to respond correctly or to even develop a plan before an incident, it's better to call for help before doing anything.
In my experience, most people aren't qualified to develop or implement a plan for such an event, and take hours/days to do so, and when they implement their plans, it usually results in the destruction of evidence.

If an organization is hemorrhaging PII data as they respond to an incident (i.e. the data are actively being downloaded), it's much more likely that a person who does this type of stuff for a living is going to recognize and treat the problem well before the people on-site have finished briefing their bosses and doing their communal hand wringing.

On the other hand, I was thinking that step 2 included more consultation and assistance - that's what I get for posting at an airport from my BlackBerry; it's hard to think when I'm typing with my thumbs.

----
Bill, 2007-07-24 10:34 UTC

This comment has been removed by the author.