A Geek Raised by Wolves
jessekornblum

ssdeep 2.8 Released [May. 25th, 2012|08:31 am]

I have published version 2.8 of the ssdeep tool for fuzzy hashing. This is a bug-fix release, most notably quashing an issue on Win32 regarding spurious spaces in filenames. You can download the Windows binary or the *nix source code.

Links from Storytelling Talk [May. 25th, 2012|08:29 am]

Here are all of the links I referenced in my talk on storytelling in computer forensics. The video should be posted soon. These are all great examples of storytelling!

Congressional Medal of Honor - Formal stories

"Fenimore Cooper's Literary Offenses" - Mark Twain's rules for Storytelling

Lamps as characters:
Pixar Jr.
IKEA Lamp

The 500 Mile Email - An excellent technical story

Clean All The Things

Cindy Murphy's case study, http://bit.ly/IkLZku

The Happy Secret to Better Work TED Talk

Receiving Mode-S Beacons with the Universal Software Radio Peripheral - Why screen captures are hard

http://www.storytellinginstitute.org/

DFIROnline, Bitlocker library, and SysInternals Updates [May. 15th, 2012|09:06 am]

I will be giving a talk at 8pm EDT this Thursday on storytelling in computer forensics as part of the DFIROnline series, http://www.writeblocked.org/dfironline.html. The results of your work are useless unless you can convey them to somebody else. Along with formal reports and testimony, storytelling can be a great way to communicate. This talk will explore some of the aspects of storytelling and how they can be applied to our field.

Continuing with the links on Bitlocker Disk Encryption, there's now an open source library for handling such volumes. I haven't tried it out yet, http://code.google.com/p/libbde/

Finally, Mark Russinovich has updated some of the popular SysInternals tools, including AutoRuns, Strings, and LiveKD, http://blogs.technet.com/b/sysinternals/archive/2012/05/14/updates-autoruns-v-11-3-livekd-v-5-2-strings-v-2-5-and-trojan-horse-mark-s-sequel-to-zero-day-available-for-pre-order.aspx.

Free program for decrypting Bitlocker protected volumes [May. 3rd, 2012|06:27 am]

Romain Coltel has published a tool called Dislocker for decrypting and mounting Bitlocker protected drives on OS X and Linux, http://www.hsc.fr/ressources/outils/dislocker/. The program can use FUSE to mount the drives on the system, or optionally decrypt the drive wholesale. It can use a recovery password (i.e. the string of digits), an external key file (BEK), or a clear key. I haven't had a chance to test it yet, but it's great to see a Free solution! Thanks Romain!

Decrypting Damaged BitLocker Protected Volumes [May. 1st, 2012|10:55 am]

Recently I had the chance to examine a Windows 7 system protected by Bitlocker Drive Encryption (BDE). While I was ultimately successful in recovering the encrypted drive, the case showed me that parts of my 2009 paper on BDE [1] were inaccurate or omitted pertinent information. The remainder of this post corrects and fills in the gaps of that paper and provides some details about the changes Microsoft has made to Bitlocker since it was published.

Before getting started with those details, I have to credit Nitin and Vipin Kumar for posting details and source code for reading Bitlocker protected volumes [2]. Their work was invaluable when writing the original paper, and proved so again in this case.

First, in my paper I was incorrect when I stated that the size of the Full Volume Encryption Key (FVEK) was always 512 bits. As Kumar and Kumar note, the size of the key varies with the algorithm being used. The FVEK is 512 bits if either of the Elephant diffuser modes is used. But if the diffuser is not in use, the key is the same size as the encryption strength. That is, when working in AES128 mode the FVEK is 128 bits, and when in AES256 mode, the FVEK is 256 bits.

Second, when the Elephant diffuser is not in use, each sector is encrypted and decrypted using AES in CBC mode with the initialization vector set to all zeros. The sector number has no impact on the encryption process. As a side note, the practical effect of this decision is that any two sectors with identical plaintext will have identical ciphertext, wherever they sit on the volume. Whether or not that's a practical advantage for an attacker is debatable, but my personal recommendation is to use one of the Elephant diffuser modes.
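As an added example (not code from the original post or from any BitLocker implementation), the two non-diffuser properties above, a 128- or 256-bit FVEK and AES-CBC with an all-zero IV that ignores the sector number, demonstrated in Go with a constructed key and an all-zero sector. The encryptSectorTweakedIV function is a hypothetical contrast of my own and is not BitLocker's Elephant diffuser.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func mustCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes (AES128/192/256)
	}
	return block
}

// encryptSectorZeroIV: the non-diffuser behaviour the post describes, AES-CBC with
// an all-zero IV and no use of the sector number (a sector is whole AES blocks, no padding).
func encryptSectorZeroIV(key, sector []byte) []byte {
	out := make([]byte, len(sector))
	iv := make([]byte, aes.BlockSize) // all zeros
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(out, sector)
	return out
}

// decryptSectorZeroIV is the inverse of encryptSectorZeroIV.
func decryptSectorZeroIV(key, ct []byte) []byte {
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustCipher(key), make([]byte, aes.BlockSize)).CryptBlocks(out, ct)
	return out
}

// encryptSectorTweakedIV is a hypothetical contrast, not BitLocker's diffuser: the IV is
// AES_key(sector number), so equal plaintext in two different sectors encrypts differently.
func encryptSectorTweakedIV(key []byte, sectorNum uint64, sector []byte) []byte {
	block := mustCipher(key)
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sectorNum)
	block.Encrypt(iv, iv)
	out := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, sector)
	return out
}

func main() {
	key, sector := bytes.Repeat([]byte{0x11}, 16), make([]byte, 512) // constructed 128-bit FVEK, all-zero sector
	fmt.Println("zero IV: identical sectors give identical ciphertext:", bytes.Equal(encryptSectorZeroIV(key, sector), encryptSectorZeroIV(key, sector)))
	fmt.Println("sector-tweaked IV: identical sectors differ:", !bytes.Equal(encryptSectorTweakedIV(key, 7, sector), encryptSectorTweakedIV(key, 8, sector)))
}
```

Comparing ciphertext sectors for equality is therefore a quick check for repeated plaintext on a volume encrypted in a non-diffuser mode, which is why the diffuser modes are preferable.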

Third, my paper did not specify how Windows would deal with a BDE protected volume if the volume header becomes damaged. My current case involved such a damaged drive and I now have an idea of how Windows handles this situation: it doesn't. Neither BDE nor the repair-bde [3] program were able to make heads or tails of the volume. I had to write a custom program, "Scarlet", which could decrypt the volume [4].

Finally, the changes in Bitlocker version two are documented in my presentation on BitLocker to go [5]. These include things like the new metadata format and passwords as volume protectors.


[1] Jesse Kornblum, Implementing BitLocker Drive Encryption for Forensic Analysis, Journal of Digital Investigation, 2009, 5(3), pp. 75-84. http://jessekornblum.com/publications/di09.html.
[2] Nitin and Vipin Kumar, Analysis of Windows Vista Bitlocker Drive Encryption, http://nvlabs.in/.
[3] Microsoft Corporation, How to use the BitLocker Repair Tool to help recover data from an encrypted volume in Windows Vista or in Windows Server 2008, 2010, http://support.microsoft.com/kb/928201.
[4] Why Scarlet? Because frankly, I don't give a damn how you get the keys, but you have to have the keys to decrypt the drive. Margaret Mitchell (novel) and Sidney Howard (screenplay), Gone with the Wind, Warner Brothers pictures, 1939.
[5] Jesse Kornblum, BitLocker to Go, DoD Cyber Crime Conference, 2010, http://jessekornblum.com/presentations/dodcc10-1.pdf.

Ask the Guru, Computer Forensics Storytelling [Apr. 23rd, 2012|02:42 pm]

I have joined the Twitterverse! Look for me at https://twitter.com/jessekornblum and please be kind to the new guy.

My company, Kyrus, is hosting an "Ask the Guru" forum. If you have a question about anything in computer forensics or computer security, please drop us a line! We will answer your questions as they come in.

It seems my post calling for storytelling in computer forensics has earned me a spot on DFIROnline. I'll be on the show on May 17th, talking about the different kinds of stories, how they can be told, and how you can learn to tell better ones. See you then!

Windows Internals 6 [Apr. 9th, 2012|12:15 pm]

According to the email, my copy of Windows Internals sixth edition has shipped!

sdhash version 1.8 released, compiling on OS X [Apr. 6th, 2012|07:29 am]

The latest version of sdhash, Vassil Roussev's similarity program, has been released. The new code is version 1.8 and has been ported to C++. I haven't had a chance to test it out yet, but this version adds a flag to generate hashes from a specified list, adds an API, and fixes a minor bug.

The new code doesn't compile out of the box on OS X, but here's how to do it. Version 1.8 relies on the c++0x standard, which means you may need to update your C++ compiler. On my system, for example, I had to use a C++ compiler installed via MacPorts' gcc44 package. You'll also need to make a change to the Makefile. The lines
CC = g++
LD = g++
should be changed to:
CC = g++
LD = $(CC)
After that, the commands I used were:

$ sudo port install gcc44
$ wget http://roussev.net/sdhash/sdhash-1.8.zip
$ unzip sdhash-1.8.zip
$ cd sdhash-1.8
$ make CC=/opt/local/bin/g++-mp-4.4
$ ./sdhash 
sdhash-1.8 by Vassil Roussev, Candice Quates, Mar 2012
[...]


Tell a Story [Apr. 5th, 2012|07:49 am]
I would like to put a slightly different spin on the recent calls for case studies. Yes, please share what you've been working on. But don't think of it as a "case study". Case studies are dry and dull. I did this, then this happened, and after examining nine thousand registry keys there was data under HKCU/Software/Microsoft/Windows/CurrentVersion/NobodyReads/ThisFar/Without/FallingAsleep.

Instead, tell us a story.

Humans are storytellers. From the beginning of our history we have told stories and eagerly listened to them. We have recognizable archetypes present in our tales: the hero, the wise old man, the trickster, and the warrior. You can see them in Odysseus. You can see them in Star Wars.

A technical description of an exciting subject, such as tracking airplanes in real time using a software radio and Google Earth [1], can be made as dry as dust.

The best stories both entertain and educate. They may be followed by an appendix of technical details, but they have a story, with characters. You are the star of your investigations. What did you do? What did you see? What were you thinking and feeling? Tell us!

Do you want to change minds? Tell a tale. All of the scholarly articles in the world didn't have the same impact as The Jungle [2]. Use the power of words. Nobody objected to lean finely-textured beef. But within a month pink slime was off the market.

Do you enjoy the TED talks? They convey fantastic scientific information in story form. The science of happiness is based on statistics and studies, psychology and pharmacology. But when told as a story, it begins with a happy baby unicorn [3].

Protect your clients, hide their details. Change the names to protect the innocent. But when you do change those names, remember Dragnet. The show famous for giving you "just the facts" is, in fact, a marvelous example of stories told well.

References:
  1. Receiving Mode-S Beacons with the Universal Software Radio Peripheral
  2. Upton Sinclair, The Jungle
  3. Shawn Achor, The Happy Secret to Better Work

Friday Links [Mar. 30th, 2012|11:14 am]

Three links for your Friday:
  1. There's a great post on the Carbon Black blog about the efficacy of anti-virus products over time. They've explored how long it takes for A/V software to detect malicious software, if ever.

  2. There have been some exciting developments regarding parsing Windows SuperFetch files. SuperFetch was introduced in Windows Vista. The system "learns" when you typically run certain programs and loads the resources necessary to run them into memory just before they are needed.

    Last October ReWolf published some details about the SuperFetch files, including how they're compressed and the structures they contain. We still don't know how to interpret these data for forensics, but it's a step closer to meaningful analysis!

  3. Nick Stone has published a new tool, DeepDigest, a Qt-based GUI program based on the md5deep suite for recursive hashing. I haven't had a chance to test it out, but Nick has said it's only supported on Linux for now. (Seriously, test before you run. It could work flawlessly. It could erase your hard drive and play Bee Gees songs.) I'm really glad the code in md5deep is being used in other projects. Hooray for open source!
