Ask the computer forensics (and general computer security) guy

I’m not entirely sure what to make of the TrueCrypt situation. I think probably the developers got tired of the project and just wanted to stop updating it. They saw that BitLocker and other tools were viable alternatives and said, “You know what, we’re doing this for free. Fuck it.” And then decided to announce that in the most ham-handed way possible. I think they could (should) have said something along the lines of “We are ending support for this project and will not be providing any more updates. Because we will not be providing security patches in the future, you are strongly encouraged to migrate to other products, such as…”

An independent audit of TrueCrypt code found some poor coding practices leading to possible exploitable vulnerabilities, but to my knowledge no one has found any evidence of weakness in the encryption nor any evidence of “back doors” that would allow easy decryption by the government.

As with any unsupported software, you should probably migrate away from it, but I don’t think there is any immediate danger of your TrueCrypt volumes being easily cracked.

I really wish the developers had put a little more thought into their announcement. Dropping a vaguely threatening warning on users with no notice is kind of a dick move.

Yeah, those are tough situations. Luckily the VP over our department is a great advocate. We’re quick to have machines wiped if they get infected, and our VP backs us up. Our VP has done a good job of establishing a security culture. It’s quite a luxury compared to other places I’ve worked.

We have to work off hours sometimes, but it’s really not bad. It’s pretty rare that I work more than about 40 or 45 hours a week. If there is a big, Brown Trousers incident, then we’ll work off hours, but those are thankfully rare for us. And, earlier in the year I had to do a bunch of prep work for the Legal team for a big lawsuit, so I had to scramble to get my findings to them before the court date. But, for the most part, I’m really an 8-to-5 guy. I know it’s worse in other companies, especially in the defense or energy industries, or companies with a highly negative public image. But I really can’t complain. I think I worked longer hours when I was a DBA.

What’s your procedure if you were to discover material that is itself illegal to possess? E.g. child porn, government classified documents outside of a secured system, etc.? Do you notify police immediately? Do you delete it and write up your findings? I know you can get decades in prison and a lifetime on the sex offender registry just for knowingly possessing CP without intent to do anything specific with it but possess it - how would you handle finding it? Do techs who find it commonly end up traumatized?

We have a policy outlining what to do if someone finds illegal material in the course of an investigation. I consulted with an FBI guy who’s locally prominent in the security community in my town and wrote the policy based on his input. If I encounter something like child porn, I immediately stop the investigation. I definitely do not delete the material or make copies. There are some people at my company who are authorized to contact the local authorities on behalf of the company. I get hold of one of them, explain the situation, and await instructions. If they say, “Hey, send me a copy of what you see,” I respond, “Nope! But you can come to my desk or I can share my screen with you.” Any media I copy the material to could be seized, so I want to limit the exposure. Of course I would make a copy if a LEO asked me to, but I just don’t want to start passing out copies around the office. I let my boss know that I’ve informed the right folks who will be contacting the authorities, but I don’t share the content with my boss or anybody else in my department.

At least, that’s what the policy is. Thankfully I’ve never had to test it. I don’t think I personally know anyone who found child porn unexpectedly during a corporate investigation. I know people who’ve worked those kinds of cases as private consultants, but I’ve never really talked to them about how they reacted to it.

Would you hire yourself if you did not have the expensive wallpaper? I mean industry certifications?

I’m not sure. If I were hiring someone for my position, I’d probably want to see either a decent forensics certification or a reference from someone who could vouch for the candidate’s experience. Forensics is partly technical work, partly procedural consistency, and partly writing. I’d want to be comfortable that the candidate understood evidence control, knew how to present evidence effectively, etc., and didn’t just know how to use the tools. To get the CCE, you have to pass three practical exams, where you’re given forensic images and you have to present your findings to an experienced examiner. So, it demonstrates a basic level of competence with the technology, processes, and reporting. I guess if I could be comfortable that someone had those skills without the certification, I’d probably hire them.

How are you, or computer forensics investigators in general, evaluated as to performance? Have you ever felt that you had to meet a “quota” and that if you didn’t nail at least X offenders (hackers, porn downloaders, insider traders, double agents, people who watch cat videos all day instead of working, whatever) per month you’d be fired?

Can employers see the contents of emails that I send out under my personal email address (not my business one)?

How far back can one’s browsing history be searched? Let’s say I was curious as to how strychnine is made and read some articles online about it 10 years ago, then tomorrow someone in my office drops dead of it (not by my doing). Will the cops be pounding on my door?

We don’t have a quota for the number of people we find doing bad stuff. I think that would lead to some perverse incentives. We’re evaluated on things like the elapsed time from the point that the incident happened until we discovered it; the elapsed time from the occurrence to the time we contain it (e.g., resolve the malware, kick out the intruder, recover the data, etc); and the time it takes to close an incident (produce final reports, etc.) We’re also evaluated on how much “coverage” we have – how many systems do we monitor and how many logs are being collected in our central log analysis tool. Our biggest push is to drive down our time-to-identify. The most awkward conversations are when my VP comes to me and says something like, “We just heard from a customer that our data is [someplace it doesn’t belong]. Why didn’t we know about this?” Too many of those conversations and I probably would get fired.

And, this being a corporate environment, we’re evaluated on the same things everyone else is – teamwork, how well we follow the rules, whether we show up on time, whatever.

Do managers ever seed evidence into systems in order to test if you can find it? E.g. you find evidence that Sally in R&D sent some confidential diagrams to cooldood1@aol.site, you report this, and a manager pats you on the back and says that he had that set up intentionally to test you, cooldood1@aol.site is my address, good work! In other words, some kind of reverse sting operation.

If you access your personal email from your work PC (like you fire up your browser and go to mail.yahoo.com and start emailing away), then it is technically possible for your employer to see the contents if they have the right tools in place to do so. At my employer, we could monitor employees when they go to their personal webmail services, but we don’t. We just block those services.

It depends on lots of things. When you did the search, were you at home, at your employer, at the library? Were you logged in to your Google account while you did the search? The search provider and ISP(s) that carry the traffic will retain logs for some period of time. Depending on where you were connected at the time, the providers’ logs might point to an IP address that might be hard to link to you, or relatively easy to link to you. I don’t mean to be evasive. There are just a lot of variables, so it’s hard to give a short answer.

Then there’s the question of the browser history on your PC. How far back does your local history go, did you clear it, if so can any remnants be recovered?

Say you’re sitting at home, on a PC you own personally, getting internet service from your ISP. You Google “how to make strychnine”. Traces of the search will wind up in your browser history and cache. Google uses encryption now, so your ISP can’t see your search terms, but of course Google can. So Google sends you a bunch of results, including www . HowToKillWithStrychnine . com. You click that link. Your PC sends a request to a DNS server, which is probably run by your ISP. Your PC gets the DNS result and you get to the webpage. The webpage drops temporary files into your browser cache.

So, potential sources of evidence are your PC, Google’s logs, the logs on the DNS server, and the server logs at www . HowToKillWithStrychnine . com. It’s anyone’s guess how long those logs are retained. Google might hold on to logs for 10 years (I really have no idea), but the other entities probably don’t. Logs take up a lot of space, and if they’re not relevant to your business you don’t keep them around.

Anyway, when your coworker keels over, the cops aren’t going to have easy access to any of this information. They’d have to go to multiple private companies and request logs in the hopes of finding something relevant. Or they’d have to get authorization to seize your PC and examine it. I’m not a cop, but I would think they’d need other reasons to suspect you before going to the trouble and expense of trying to resurrect your searching history from years prior. When your coworker dies, I don’t think the cops are going to immediately think, “Let’s get the search history of everyone the victim knew, going back 10 years.” It’s just really impractical, since you’d have to request information from lots of different service providers. It would also be a shitload of data that some poor bastard would have to sift through. And, I imagine the court might balk at a request like that. More likely, they’d have some other reason to suspect you, and as they were digging into your activity, they’d eventually seize your PC and go from there.

We do something like this. We have internal testers who break into systems to see if the systems are vulnerable and to test our response. Our testers don’t impersonate users and send emails from their accounts (for various reasons). But they might exploit a vulnerability in a server, grab data, and send it to my boss saying “Neener neener neener!” or something like that. Then we have to respond as though it was a real breach.

What are the best ways to enter the field? If you already have IT experience, is getting a cert in IT security or forensics a good path? What would you recommend for someone who isn’t already in IT who wanted to become a computer forensics expert? Become a cop first, then go back to school for IT? Become a help desk tech, developer, QA, whatever first and then go back to school for forensics?

Do you do work with private investigators? How well integrated are computer forensics experts and PI’s, generally? I know that in a lot of cases, PI’s are going to be greatly restricted in terms of what they can do with respect to computers - it’s not like a PI can just up and drop malware on a target’s computer. At least not legally.

Actually, I suspect that they did put some thought into their announcement, and it had the desired result of getting attention and increasing the likelihood that somebody would create something similar on a firmer foundation (the last being why they didn’t just release the project for somebody to fork).

Getting back to the thread topic: How much of your work involves cleaning up after somebody did something big-red-capital-Superman-“S” stupid?

I’m not sure how the law enforcement path works. Some folks I know were cops for a while then moved into private industry and got some IT training, and ultimately forensics training. But if you want to do forensics **for** the cops, I’m not sure how they get people. I don’t know if they’re more likely to train their cops to do forensics or go out and get forensics people who don’t have a LE background.

Anyway, if you wanted my job, you’d probably want to first spend some time in a system admin or network admin type of role, getting a good foundation of IT infrastructure knowledge. Then spend some time in a security role (security analyst, firewall administrator, etc., but not an audit or compliance role, which are usually not technical enough). While you’re doing that, get some training in forensics. You might be able to get your employer to pay for it (I did!).

In the corporate world, we don’t deal with PIs too much. I have dealt with them a little when I did some private consulting. Most of the PIs I met were former LE or insurance types who were not trained in computer forensics. So, they contract that work out to dedicated forensics firms.

Interestingly, many states require computer forensic examiners to be licensed Private Investigators. This applies if you are a firm selling forensic services to clients. To my knowledge, no state requires that in-house corporate investigators like me have a PI license. But when I was doing some moonlighting for a small forensics firm, I had a PI license. Sadly, the license did not come with a house trailer and a gold Firebird. Anyway, the PI license requirement is the subject of a lot of controversy within the forensics community. On the one hand, computer forensics folks don’t really share much in common with traditional PIs. On the other hand, we’re providing evidence for legal proceedings and the state has an interest in regulating us.

I still want my gold Firebird.

A lot of it. Like we had one guy who wanted to back up his work (read: source code he developed while working for us), so he uploaded it to Google Code (Dumb Thing #1) and accidentally made it public (Dumb Thing #2). Whoops! Or the people who install cool utilities they find online and we see them banging against the firewall when the adware tries to talk to the control server. For a while we were catching a lot of people posting photos of their workspace to Pinterest or Facebook (“Here’s me bored at work!”) where the photos also showed sensitive data on paper or on the monitor. So, yeah, a big part of my job is traced back to someone not thinking.

What about using the flush command?
`ipconfig /flushdns`

If I wanted to be private about sites I went to on a PC at work.
Given I have admin rights on the client PC.

Your local DNS cache stores the names and IP addresses of hosts you’ve recently connected to. Typically the DNS cache stores this information for a few minutes before it expires. While the name-IP pair is in the cache, you get the DNS information from the cache instead of from the DNS server. Once you clear the cache, you have to make DNS requests to the server (because the cache is now empty).

So… The DNS cache doesn’t really provide privacy; it’s just a shortcut for the machine making a DNS query. DNS caches only live for a short time. If you clear the cache, if anything you’re creating slightly **more** traces because you’re forcing your PC to send DNS requests to the server more often than it would otherwise.

Also, if you’re at work, you’re probably going through a proxy or other logging mechanism, so DNS is not your main worry.

Bottom line: if you want privacy, do it at home, not from your work PC.
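As an added illustration of the point above (not code from the original thread): a simulated stub resolver with a TTL cache, showing that flushing the local cache between visits to the same site produces more queries at the DNS server, where they can be logged. The names, TTLs and timings are constructed.

```python
"""Simulated stub resolver with a TTL cache.

Demonstrates why `ipconfig /flushdns` does not reduce the traces a PC
leaves: every cache miss is a query the DNS server can log.
Constructed example: names, TTLs and timestamps are made up.
"""
from dataclasses import dataclass, field

# Constructed zone data: name -> (ip, ttl_seconds)
UPSTREAM_RECORDS = {
    "intranet.example": ("10.0.0.5", 300),
    "news.example": ("203.0.113.7", 60),
}


@dataclass
class StubResolver:
    now: float = 0.0
    cache: dict = field(default_factory=dict)
    # Every query that leaves the host, as the DNS server would log it
    upstream_log: list = field(default_factory=list)

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.now:  # still within TTL: served locally
            return entry[0]
        ip, ttl = UPSTREAM_RECORDS[name]
        self.upstream_log.append((self.now, name))  # visible to the server
        self.cache[name] = (ip, self.now + ttl)
        return ip

    def flush(self):
        """Equivalent of `ipconfig /flushdns`: empties the local cache only."""
        self.cache.clear()

    def tick(self, seconds):
        self.now += seconds


def run_session(flush_between_visits, visits=4, gap_seconds=10):
    """Visit news.example several times, a few seconds apart, optionally
    flushing the cache after each visit. Returns the count of queries
    that reached the DNS server (the server-side trace)."""
    r = StubResolver()
    for _ in range(visits):
        r.resolve("news.example")
        if flush_between_visits:
            r.flush()
        r.tick(gap_seconds)
    return len(r.upstream_log)
```

With the 60-second TTL, four visits ten seconds apart leave one server-side query without flushing and four with it; spacing the visits beyond the TTL makes the cache expire on its own, with the same result as flushing.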

Zombie spam reported.