Abr 27 2011

Cluster positioning as a code

Tag: Informática LegalJoaquim Anguas @ 6:04 pm

To provide an additional layer of evasion, two-fold plausible deniability can be used to provide the covertly communicating parties two chances to deny the presence of hidden information. In their first attempt, the parties simply deny the very existence of hidden data. If the first approach does not succeed, they still have the option to only reveal the less sensitive information and deny the presence of any other hidden data on the medium as
in Anderson et al. (1998); McDonald and Kuhn (1999); Pang et al. (2003).»

Paper: «Designing a cluster-based covert channel to evade disk investigation and forensics» Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza; Elsevier’s «Computers & Security» 30 (2011) p 35 -49

Via Schneier on Security

Via New Scientist

Mar 02 2011

Reliably Erasing Data from Flash-Based Solid State Drives

Tag: Informática Legal,SystemsJoaquim Anguas @ 9:53 am

Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs. This third conclusion leads us to develop flash translation layer extensions that exploit the details of flash memory’s behavior to efficiently support file sanitization. Overall, we find that reliable SSD sanitization requires built-in, verifiable sanitize operations.»

Full paper

From USENIX via The Register.

May 02 2010

lawful interception / lawful spying and FRE

Tag: Informática LegalJoaquim Anguas @ 9:14 pm

Recent news have taken lawful interception to (some) media exposure.

That LEA, NSA and other agencies may be using interception and/or spying to gather intelligence is no surprise to no one.

To do so, there has to be many actors intervening, including operating system vendors, network hardware manufacturers, network providers, TTP, etc, who may release proprietary secret knowledge about their systems in order to keep a competitive advantage with the considered «bad guys».

But reading FRE 702 and 703 (and the excellent notes here and here) one wonders in his infinite ignorance, if evidence collected using bleeding edge lawful interception techniques (those that use to be proprietary and secret) ever surfaces in trial, how is it going to stand?

Mar 29 2010

Certifying lies

Tag: (i)realidad,Informática LegalJoaquim Anguas @ 7:54 pm

Packet Forensics is a firm that provides products and services to enterprises, network operators, law enforcement and defense and intelligence agencies.

It was mostly unknown, but lately it is gaining some focus because of a product of them that may be circumventing SSL.

See Wired (or Gizmodo) and arstechnica for more information. This paper from Christopher Soghoian and Sid Stamm explains the techniques they may be using.

P.S: Do not waste your time searching for the product on their website, it is not listed there.

Mar 14 2010


Tag: (i)realidad,Informática LegalJoaquim Anguas @ 9:48 pm

Decafme, the guys behind DECAF, the anti-COFEE tool, have released a new version of it.

I must admit that I missed the importance of the initiative when I said it was «an exercise of posing» here, at least in the effects that this tool may have in shaping the way computer evidence is acquired.

Not that I use any tool to collect evidences while the target computer is on, but if I did I would be worried the next time I used one because the new version of DECAF can apply the same actions it did when detected COFEE to any tool it may have a signature for.

The guys at DragonJar make a brief summary here, and you may get some more information here.

Dic 15 2009


Tag: 01,Informática LegalJoaquim Anguas @ 7:48 am

COFEE is a set of tools packaged into an USB drive oriented to ease the task of first strike computer evidence collection distributed by Microsoft through INTERPOL to law enforcement agencies worldwide.

It slowly made its way to the public, getting widespread when last month showed up on the web through Cryptome.

In an exercise of posing, a group of «hackers» two average joes have released antiforensics software called DECAF dedicated to reduce or kill COFEE’s effectivity.

«We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding» they declared to theregister.

Not to offend, but I say it’s an exercise of posing because this action in no way «promotes healthy unrestricted free flow of internet traffic» and recognising they may have a point in the reliance in Microsoft of law enforcement in the automation of their evidence collection, the fact is that in most cases it’s in Microsoft realm where evidences live and early, easy evidence collection is better than no evidence at all.

In any case, if they have concerns relating this product, which they may perfectly have, they’d better raise them disclosing the implications so everybody can balance the convenience of using COFEE or not.

At this point, some of you may be thinking I forgot to link to DECAF.

No, I din’t forget and neither did the guys at theregister or Wired…

Via theregister.