Dec 31 2009

image, mount, calculate hashes: examples

Tag: 01 | Joaquim Anguas @ 5:46 pm

I wish you all the best for 2010!

I’ve been working on an article related to serving search warrants and I thought the following examples may be useful. They cover imaging, mounting imaged drives and calculating hashes for every file on a drive.

CASE_ID identifies the case, LOCATION_ID identifies the location where the media was seized, MEDIA_ID identifies the media device and PARTITION_ID identifies each partition on the media.

Image

This is an example of imaging with dcfldd. conv=noerror keeps reading after a read error and conv=sync pads every short input block with zeros, so a bad sector yields a zero-filled block instead of an aborted image; hashwindow=0 computes a single MD5 over the whole stream instead of one per window, and hashlog writes it to a file. Note that hashlog is given a relative path here, so the hash log lands in the current directory (the home directory) rather than next to the image; use an absolute path under the case directory so the two are kept together. In the output below, the “+1” in the records-in count means the last read returned a partial block, which conv=sync zero-padded before writing, so the image can be slightly larger than the device and a hash taken directly over /dev/sdc will not necessarily match the hash of the .dd file; record which one the log holds.
See the dcfldd documentation for the options’ reference.

ubuntu@ubuntu:~$ date; sudo dcfldd if=/dev/sdc of=/media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd conv=sync,noerror hashwindow=0 hashlog=MEDIA_ID_md5.txt; date

Thu Nov 16 13:18:22 UTC 2009

4883968 blocks (152624Mb) written.
4884090+1 records in
4884091+0 records out

Thu Nov 16 15:26:34 UTC 2009
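The full post is behind the cut, but the three steps it covers (image, mount, hash every file) fit in one script. The following is an added example, not the author’s own commands: it uses plain dd instead of dcfldd so it runs unprivileged on a constructed sample file standing in for /dev/sdc, and the directory tree it hashes is constructed in place of a mounted partition. The CASE_ID/LOCATION_ID/MEDIA_ID naming follows the post; the function names, the 4096-byte block size, the sample data and the mount helper’s option list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): image a "device" file,
# log its MD5, verify the image, then hash every file in a directory tree.
# Runs as a regular user. Names, block size and sample data are assumptions.

WORK=$(mktemp -d)
CASE_DIR="$WORK/CASE_ID/LOCATION_ID"
mkdir -p "$CASE_DIR"

# Constructed sample media: 10000 bytes, deliberately NOT a multiple of the
# 4096-byte block size, so the last read is a partial record (the "+1" in
# "records in") and conv=sync pads it with zeros.
SRC="$WORK/sdc"
yes A | head -c 10000 > "$SRC"

# image_media SRC DEST LOG: image with conv=sync,noerror (dd, because dcfldd
# may not be installed) and log the MD5 of the written image, which is what
# dcfldd's hashwindow=0 hashlog=... records for the whole stream.
image_media() {
    dd if="$1" of="$2" bs=4096 conv=sync,noerror 2>/dev/null
    md5sum "$2" | cut -d' ' -f1 > "$3"
}

# verify_image SRC IMAGE LOG: prints "match" when the logged hash equals the
# hash of the image AND of the source; "padded" when the image matches its log
# but differs from the source because the last block was zero-padded.
verify_image() {
    img_hash=$(md5sum "$2" | cut -d' ' -f1)
    src_hash=$(md5sum "$1" | cut -d' ' -f1)
    logged=$(cat "$3")
    [ "$img_hash" = "$logged" ] || { echo "LOG MISMATCH"; return 1; }
    if [ "$img_hash" = "$src_hash" ]; then echo match; else echo padded; fi
}

# image_size FILE: size in bytes.
image_size() { wc -c < "$1" | tr -d ' '; }

# mount_partition_ro IMAGE OFFSET_BYTES MOUNTPOINT: mount one partition of a
# whole-disk image read-only via a loop device. Needs root, so the demo below
# does not call it. OFFSET is the partition's start sector * sector size.
mount_partition_ro() {
    mount -o ro,noexec,noatime,loop,offset="$2" "$1" "$3"
}

# hash_tree DIR LOG: MD5 of every regular file under DIR, one line per file,
# NUL-separated and sorted by path so two runs over the same tree give
# identical logs. Prints the number of files hashed.
hash_tree() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r md5sum > "$2"
    wc -l < "$2" | tr -d ' '
}

# --- demo run -------------------------------------------------------------
IMG="$CASE_DIR/MEDIA_ID.dd"
LOG="$CASE_DIR/MEDIA_ID_md5.txt"      # hash log kept next to the image
image_media "$SRC" "$IMG" "$LOG"
RESULT=$(verify_image "$SRC" "$IMG" "$LOG")

# Constructed file tree standing in for a mounted partition (spaces in names
# on purpose, to exercise the NUL-separated pipeline).
TREE="$WORK/mnt/MEDIA_ID_PARTITION_ID"
mkdir -p "$TREE/Documents" "$TREE/empty dir"
printf 'hello\n' > "$TREE/Documents/a.txt"
printf 'world\n' > "$TREE/b b.txt"
COUNT=$(hash_tree "$TREE" "$CASE_DIR/MEDIA_ID_PARTITION_ID_files_md5.txt")

echo "image: $RESULT, $(image_size "$IMG") bytes, $COUNT files hashed"
# Remove "$WORK" when done.
```

The sample is sized so the last read is a partial block: the image comes out at 12288 bytes for a 10000-byte source and verify_image reports “padded”, which is the same situation as the “+1” in the records-in count above. mount_partition_ro covers the mount step but is not executed, since loop mounts need root; for a whole-disk image the offset is the partition’s starting sector times the sector size, which fdisk -l or mmls run against the image file will show.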

Continue reading “image, mount, calculate hashes: examples”


Dec 17 2009

Predator drone video transmission hacked

Tag: (i)realidad | Joaquim Anguas @ 5:46 pm

I like how guys at boingboing put this:

“1 Predator drone: $4.5 million

Intercepting video from the Predator drone’s unprotected communications link: $25.95”

Subverting technology is always way cheaper than creating it.

We can expect more (and bigger) things to happen following this trend.

WSJ via boingboing.

Update: Looks like not only Predator UAVs are vulnerable. Most US warplanes are.

Update 2: And ground robots.


Dec 15 2009

COFEE vs. DECAF

Tag: 01, Informática Legal | Joaquim Anguas @ 7:48 am

COFEE is a set of tools packaged on a USB drive, meant to ease first-response computer evidence collection, that Microsoft distributes through INTERPOL to law enforcement agencies worldwide.

It slowly made its way to the public, spreading widely after it showed up on the web through Cryptome last month.

In an exercise of posing, a group of “hackers” (or rather, two average joes) have released antiforensics software called DECAF, dedicated to reducing or killing COFEE’s effectiveness.

“We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding” they declared to theregister.

Not to offend, but I say it’s an exercise of posing because this action in no way “promotes healthy unrestricted free flow of internet traffic”. They may have a point about law enforcement relying on Microsoft to automate its evidence collection, but the fact is that in most cases it’s in Microsoft’s realm where the evidence lives, and early, easy evidence collection is better than no evidence at all.

In any case, if they have concerns about this product, which they may perfectly well have, they’d do better to raise them by disclosing the implications, so everybody can weigh whether using COFEE is convenient or not.

At this point, some of you may be thinking I forgot to link to DECAF.

No, I didn’t forget, and neither did the guys at theregister or Wired…

Via theregister.


Dec 10 2009

Solaris vs. Solaris

Tag: Systems | Joaquim Anguas @ 8:18 pm

Most free tools used for computer forensics run on UN*X and most forensics distributions are based on Linux. At first they were based on Knoppix and later they started to use Ubuntu as a base. In the change we lost the ability to load the OS into RAM. Now you need to hack it a bit to boot to RAM, but I’ll talk about this some other day…

The fact is that sometimes I miss having a persistent UN*X installation.

I’ve always loved the BSD flavor, partly because I’ve had good experiences with it. In 2004 we had to do video and multichannel audio transmission Montreal – Barcelona in the context of Artfutura 2004. Need a firewall and traffic prioritization that minimizes lag without wasting the precious 100 Mbps connection we got? OpenBSD + PF did the trick.

And I’ve had a long relationship with Sun operating systems since my college years, first with SunOS and later with Solaris (you may not believe me, but once I was shutting down a SunOS 4.1.x SPARCstation with “shutdown -g 0” and I got a message like “does it have to be now?” before the screen went black. It was an Easter egg, I guess…)

Continue reading “Solaris vs. Solaris”


Dec 05 2009

The “Evil Maid” attack

Tag: (i)realidad, Systems | Joaquim Anguas @ 9:48 pm

German researchers from the Fraunhofer Institute for Secure Information Technology describe a method to attack Microsoft’s BitLocker disk encryption.

They present their results in a video and a paper (pdf).

Via theregister.