Friday, November 11, 2011

Beware the LaCie iamakey!

A customer called regarding his USB device that was no longer working properly. The device is a LaCie iamakey USB drive that has the form factor of a large house key:


The LaCie iamakey USB device



The customer stated that his girlfriend kept the device on her keychain and allowed it to dangle from the front of the computer when she used it. When the device began having problems, she wrapped it in tape and continued. Eventually the drive was no longer functioning and, according to the customer, it would get very hot when plugged in.


Our company doesn't care much for the pretty packaging your drive comes in. External drive enclosures can be replaced - your precious data can't. We operate under the K.I.S.S. principle, so we work directly with the drives themselves. Plus we like taking stuff apart.

Here is the device disassembled:

The unit disassembled into its component parts.


As you can see, most of the weight or "strength" of the device is in the large square portion of the key. The portion containing the flash memory is not reinforced.

Also, when inserted into a USB port and left hanging with a weight attached, the weak point - the fulcrum of the lever, if you will - is just above the 4 contacts.


In the next photograph, we can see a hairline crack that runs diagonally through the medium:


One side of card - notice the cracked casing.



Here is the reverse side of the card. The bend in the card causes it to reflect the camera's flash unevenly:


Opposite side of card with bend highlighted.


Further examination of this card indicates that the crack runs all the way through the circuit board, severing multiple connections that were improperly mated when the card was "fixed," causing a short-circuit and overheating.

Lesson learned: When purchasing a USB device, consider all the consequences of its form factor. Sure, a USB device that fits onto your key ring may seem practical. However, if we know anything about human nature, we can formulate a number of great ways to finish this sentence:

"I would normally remove it from the keychain to plug it in, but...."

Saturday, September 3, 2011

Child Safety on the Internet

I’m often asked about the best methods for keeping one’s children safe on the Internet. I generally advise, “Keep your system updated and your anti-virus running.” Those are great guidelines to follow, but they’re honestly just the tip of the proverbial iceberg. I’m going to offer some simple advice here that will likely cause the reader’s mind to instantly fill with a slew of excuses about why it can’t be followed. Nevertheless, here it is: “The best way to protect your kids on the Internet is to watch them. There is no substitute for a pair of eyes.”

No parent would dream of allowing a pedophile, criminal, or any random person to spend extended periods of unsupervised time with their children. However, many parents do that very thing by allowing their children unrestricted and unsupervised access to the Internet. And those who believe their children are safe because they’ve updated their anti-virus and patched their computers are perhaps hurting more than they are helping. People with patched computers are still vulnerable because the weakest link in the security chain (the person at the keyboard) is still there. And their false sense of security often leads them to take more risks, such as letting their children use the Internet alone.

Your children see and do much more on the Internet than you know. Think back to your own youth – the things you got away with. Now throw in instant and uncensored access to any type of information, the ability to act out any fantasies with strangers, and an anonymous line of communication with literally millions of people. Imagine the trouble even good kids can get into with the environment I just described.

And externally there are continuous, unrelenting efforts to break through your system’s security and “pwn” your computer. Much is done by using weaknesses in the computer, but most is aided (usually unwittingly) by the user. Many of the hackers infecting our systems are the same “good kids” who, 20 years ago, would go out at night armed with toilet paper. These days, instead of trespassing and “harmlessly defacing” someone’s tree, they’re hacking into computers and stealing information. And they don’t have to sneak out of the house to do it – their parents grant them access to a powerful weapon to be used in the privacy of their own bedrooms.

Every case I have ever investigated involving a computer used by a teenager has contained pornography and / or sexually-explicit messages between the teen and his / her friends. And, if you follow the current Operation Antisec (the malicious hackers behind attacks on major corporations and government agencies) on Twitter (#antisec), you will find that many of their supporters, peers, and agents are teens.

I’ve been sitting behind a keyboard for two decades now, and I’ve used a computer to talk to strangers long before the World Wide Web existed. I am aware that some will dismiss my descriptions and advice as shrill hyperbole. However, the truth is that most adults understand the “Internet Threat” the same way their young children conceptualize the word “stranger.” It is a vague, faceless construct that poses some general threat in some unknown way. Indeed, when tempted with the right candy, the average adult is more than happy to jump into the proverbial van.

(More information about how adults are duped in another article)

Friday, July 22, 2011

Shopping Around DOESN'T Pay!

Price versus Value

Next time you are at Wal-Mart or any place that processes photographs, read their money-back guarantee. I assume you'll be infuriated to read that should they fail to develop your photos correctly and thereby ruin your pictures forever, they will only be liable up to the cost of a replacement roll of film. Imagine standing at the counter listening to someone coldly explain to you that, although your memories may be worth something to you, the plain fact is that the film itself is only worth a few dollars. They're absolutely right, and it's a perfectly logical argument. How would it make you feel?

As a man, I have to admit that we are especially guilty of being more like the person behind the counter than the customer with the lost pictures. When a hard drive fails, we look directly past the years of memories. Instead, we focus on the price of a new drive. In doing so, we are focused more on price than we are on value. Currently, as I write this blog post, a 500 gigabyte hard drive costs around $65 and can hold over 100,000 full-size digital photos. I am a father of two. I couldn't look my wife straight in the eye and tell her that those priceless pictures aren't worth more than $65!

Shopping for a "Good" Deal? Please Don't.

Picture this: You have just been in a serious car accident. You lie there, injured and bleeding, waiting for the paramedics to arrive and pull you from your car. As you're being placed in the ambulance, you gather all of your strength to utter three simple words, "Please Shop Around." Right?

No reasonable person would respond this way, but what would happen if you did? Let's imagine that you instruct the ambulance driver to whisk you around:

  1. ... to your house so you can look up do-it-yourself cures on the Internet
  2. ... then to your friend, who uses herbal remedies, incense, and other "amateur" medicines
  3. ... then to a Dentist, who is a Doctor, but in a different field (a Doctor is a Doctor, right?)
  4. ... then to your Family Practitioner, who is great, but isn't trained to handle trauma cases
  5. ... then finally to a Hospital with trained Emergency Room Technicians

What are your chances of survival? You'd either be dead or irreparably damaged before making it to step 5. In each step, you've not only let too much time pass, but you've allowed yourself to be mishandled by well-meaning, yet incompetent individuals.

The list above is completely ridiculous. However, when it comes to their lost data - which equates to lost time, memories, or profits - people do this on a regular basis. Let's look through it step by step:

  1. Do it yourself - Search YouTube and Google for DIY methods from complete strangers. Start downloading various software and choosing options you don't understand. Type weird commands into the computer when you have no idea what they do. Erase some data. Stick the hard drive in the freezer or bang on it (real suggestions!). Possibly damage it completely.

  2. Take it to your friend, the computer geek. He hooks it up to his computer, which, not being forensically sound, (over)writes data on the disk. Spin the drive up again, possibly causing physical damage. (No offense to geeks - we're computer geeks, too! See #5.)

  3. Bring it in to work and have your IT Department look at it. Your IT Department techs are trained to handle software problems, manage the mail system, and keep hackers out of your network - not repair hard drives. More overwrites, more spin-ups, more damage.

  4. Walk in to the Big Box store and give your drive to the Nerd Platoon. They will charge you over $150 for an evaluation fee. They may be "A+" certified, but that certification is for Computer Repair, not Data Recovery. They simply don't have the training or equipment to do anything more than basic file undeleting. (Technicians who have that kind of knowledge don't work for the low wages paid by the big box stores.) When they can't recover your data, they might format (erase) it. Then they will be glad to help you purchase a new hard drive.

  5. Bring your drive to Austin Data Rescue. Our techs are specifically trained to recover data. We do Computer Forensics - which is the art of finding data that isn't supposed to be there anymore, or that untrained users don't realize is there. We are specifically trained and certified for this work, and because it's all we do, we're very good at it. But there's a catch.

    We're the best in the industry, but even we can't fix something if it's been irreparably damaged. Hard drives are extremely fragile once damaged. The tiniest scratch in the wrong (right?) place can render the entire drive unrecoverable. Shopping your drive around, allowing others to (mis)handle it, dramatically increases the likelihood that more damage will occur. This virtually guarantees that your precious work, pictures or documents will be lost forever.

When you've experienced a data loss, go to an expert. Skip directly to step number 5. We'll get your data back!


Joshua Harper GCFE GCFA
Lead Technician
Austin Data Rescue
9600 Great Hills Trail Suite 150W
(512) 693-7668
josh@AustinDataRescue.com

Visit http://www.AustinDataRescue.com for service.

Thursday, July 21, 2011

OMG - The House is ON FIRE!

WAKE UP!

It's 3 o'clock in the morning, and you are awakened by the high pitched shrieks of the fire alarm. The house is filling with smoke. This is the real thing - the house is on fire.

Once you ascertain that every living creature has made it to safety, you realize that you have one chance to grab something and bring it with you. The question is, "What would you grab?" For most people, the answer is something related to a box of keepsakes or family pictures.

A logical followup question is, "Why?" to which most people answer "Because everything else in the house can be replaced."

The scenario above isn't some stretched allegory to make a point. Most of us have asked ourselves those two questions at some point. My next question builds upon the principle of everything else being replaceable: "How much is your data worth?"

I'm afraid many of us fail to fully appreciate the value of those little 1's and 0's. My business clients generally understand this better - data lost = money lost. But for the personal clients I'm blessed to have the opportunity to help, it can take a little work reminding them of their data's value.


Personal Data Represents Time...
...and time cannot be replaced.


When a client has lost their personal data, there is generally a temporal element to the lost information. Either the data represents years of time spent on work or on a project, or it represents years of memories. Neither one is replaceable. The time spent to create the data will never be re-invested, and the events, situations, and people will never be the same as they were when captured in a photograph. The value of the information is so high that it cannot be quantified - that's why we call it "invaluable."

Digital Pictures are Cheap...
...so they're actually worth more!

With the proliferation of digital media has come an explosion of digital content. The fact that we don't have to run down to the developer every 24 or 36 shots means we take a lot more pictures. Even if we don't own a camera, most phones have that functionality built in. In many ways, the ease of taking the pictures, and the sheer quantity of pictures taken, has lessened their value to us. However, I'd like to point you in a different direction.

Digging through your box of old photographs is a great way to look into the past. But what are you really seeing? If you're looking at photographs taken a few generations ago, you are likely seeing a posed, staged picture. I have a picture of my grandmother as a young girl. It's a black-and-white photo of her standing next to a fence. She is stiff-looking and composed, like many posed pictures. And it's the only one I've ever seen. For ordinary folks, photography was expensive and rare, so that is likely the only picture taken at that time.

Compare that image with the pictures we take these days where photography is cheap. I bet the pictures of your family and kids show them in action. There is a dynamic, active life to the photos. They show people not as they posed, but as they really lived! To me, this makes the pictures even more valuable.


More Information in One Place = More Memories to be Lost


Imagine someone having thousands of those dynamic, full-of-life pictures from your family's past, all contained in a magic box the size of a deck of cards. Now imagine that person throwing that box in the garbage. Sad, isn't it? Yet when people fear their data is lost, they simply toss it away, or refuse to pay someone to recover it.

Unlike your computer geek buddy, or the neighborhood computer shop, Austin Data Rescue is in the business of getting people's data back. We say this all the time: "That's what we do - that's all we do." For me personally, when someone brings their failing drives or devices into our shop, I have a vested interest in recovering the data. I consider it a privilege to be able to serve others in this way. That's why, for our Standard service, if we cannot recover your data, you will not be charged.


Friday, June 17, 2011

Forensicating with Interconnected VMs Part 3 - Directing Traffic

Directing Traffic

I was BSing with Mr. Rosen over some pizza a couple months back.  I described the scheme I'm about to lay out and how it was borne from my (ir)rational paranoia about The Cloud.  I told him that I had set up my system this way "because I'm paranoid that someone's going to hack in and mess up my shit." to which he replied something like, "I'd be less afraid of that, and more afraid that I'm going to do something stupid."  Touché.  Perhaps the biggest threat to our data isn't the anonymous blob outside our network.  Maybe our data is more likely to be corrupted by the ijit sitting at the keyboard.

Whatever the motivation, I believe it's good practice to limit my evidence's exposure to the outside world.  However, to make our lives easy, some data flow is required.  In true blogger fashion, let me confuse you with a diagram before properly explaining it:

Network Traffic Flow

In this diagram, you see that the Acquisition & RAID computer has two shared folders.

The Evidence (RW) folder is a read-write share used for dumping case data, extracted files, logs, and other data created on the Analysis machine.  It is a temporary directory - more on that later.

The Disc Images (RO) folder is a read-only share.  It contains the disc images created during acquisition that are stored on the RAID.

Over on the Analysis machine, I named two hard drives RW and RO, to follow the nomenclature used on the Acquisition computer.  Remember how I said that the Analysis computer itself doesn't do any actual analysis?  Here's why.  Each drive is fully-available to the Host OS; however, each drive is shared with the VM Clients as either read-only or read-write.  Hopefully you're seeing a pattern here.

The LAPTOP-looking icons are Virtual Machines hosted on the Analysis PC


The pattern is that each Virtual Machine has the exact same setup as the Analysis machine.  They all believe they are connecting to a Server with read-only or read-write shares.  Of course, in the case of the Virtual Machines, the network is pretend, meaning the usual bottlenecks of LAN traffic don't exist.
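The RO/RW share layout above, as an added check that is not the author's code: it assumes the shares are exported by Samba (the post only says "shared folders") and that they carry the diagram's names "Disc Images" and "Evidence". It parses an smb.conf, resolves Samba's read only / writable synonyms the way Samba does, and flags an image share that would accept writes; probe_write makes the "try to write a file to the RO directory" test repeatable on any mounted path.

```python
"""Check that a Samba config exposes evidence shares as intended:
disc-image shares read-only, the output share read-write.
Added example; Samba/CIFS and the share names are assumptions."""
import configparser
import os
import tempfile

# Assumed share names, modelled on the diagram's "Disc Images (RO)"
# and "Evidence (RW)" folders.
IMAGE_SHARES = {"disc images"}
SCRATCH_SHARES = {"evidence"}

# Samba synonyms: "writable", "writeable" and "write ok" are the
# inverse of "read only". True means the key reads as "read only".
_RO_KEYS = {"read only": True, "writable": False,
            "writeable": False, "write ok": False}


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {share_name: {param: value}} with names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = lambda k: k.strip().lower()
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def effective_read_only(params, global_params):
    """Resolve 'read only' like Samba: default is read-only, [global]
    applies first, synonyms are inverted, the last setting wins."""
    ro = True
    for scope in (global_params, params):
        for key, value in scope.items():
            if key in _RO_KEYS:
                flag = _truthy(value)
                ro = flag if _RO_KEYS[key] else not flag
    return ro


def check_share_policy(text):
    """Return a list of policy violations (empty list means OK)."""
    shares = parse_smb_conf(text)
    global_params = shares.pop("global", {})
    violations = [f"[{n}] missing" for n in IMAGE_SHARES if n not in shares]
    for name, params in shares.items():
        ro = effective_read_only(params, global_params)
        if name in IMAGE_SHARES:
            if not ro:
                violations.append(f"[{name}] is writable; disc images must be read only")
            if params.get("write list", "").strip():
                violations.append(f"[{name}] has a write list, which overrides read only")
        elif name in SCRATCH_SHARES and ro:
            violations.append(f"[{name}] is read only; output share must be writable")
    return violations


def probe_write(mount_point):
    """Try to create and delete a file under a mounted share. True if the
    write went through; an RO share must yield False even when the client
    believes it has write permission."""
    try:
        fd, path = tempfile.mkstemp(prefix=".write-probe-", dir=mount_point)
    except OSError:
        return False
    os.close(fd)
    os.unlink(path)
    return True


# Constructed sample config with one deliberate mistake: the image share
# is made writable, which would let an analysis VM alter the evidence.
SAMPLE_SMB_CONF = """
[global]
   workgroup = FORENSICS
   read only = yes

[Disc Images]
   path = /mnt/raid/images
   writable = yes

[Evidence]
   path = /mnt/raid/evidence
   read only = no
"""

if __name__ == "__main__":
    for v in check_share_policy(SAMPLE_SMB_CONF):
        print("VIOLATION:", v)
```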

Simplified Workflow

This may seem overly complicated, but it's mind-numbingly simple to put together.  For me, it makes my casework organization easy.  Once it's all set up, you'll have the equivalent of multiple copies of evidence on multiple machines.  Of course, it's all imaginary - only one working copy actually exists - but I don't think these Atreyus are going to look into any magic mirrors any time soon, so our secret is probably safe.

Here's what it looks like from SIFT (Linux).  Notice that Linux thinks I have write privileges, but when I tried to write a file to the RO directory, the request was denied:

SIFT Workstation

This is how it looks to the Windows Virtual Machines:

The view from XP

With this all in place, my usual workflow is as follows:

  1. Acquire the disc images with the acquisition machine, saving them to the RO directory on the RAID.

  2. Access the disc image directly over the network from a VM, or copy it to the analysis machine's RO directory if I'm going to do a bunch of work with the image (keyword searches, IEF, etc.).

  3. Scan, search, attack images from multiple VMs at the same time, directing all output to the RW drive.

  4. Scan, search, attack output on RW drive from multiple VMs.

  5. When I'm ready to archive the case, I move everything to the RW drive on the Acquisition machine.  Then it's Sneakernet time.  I access the Acquisition machine directly, and move the files either to the RO folder, or to another location inaccessible by the network.  Because, in reality, I'm just moving files from one directory to another on the same drive, this takes very little time.

Thursday, June 16, 2011

Forensicating with Interconnected VMs Part 2 - Division of Labor

Unlike most forensicators, my professional background is in neither Law Enforcement nor Information Technology.  My adult life has been spent working in the Railroad industry.  I'll write more on that some other time, but it suffices to say that my background causes me to approach problems differently than most.

One concept that is common on the railroad is Division of Labor.  Certain people are assigned a specific job.  That's what they do.  That's all they do.

On freight trains, the Engineer operates and is responsible for the engines, and the Conductor is responsible for the body of the train.  If you're in the rail yard and have a problem with your train, a Carman helps with car problems and an Electrician diagnoses the locomotive, a Clerk brings you your paperwork, and a Switchman or Utility Man generally lines those pesky switches for you.

Up in the control tower, the Yardmaster plans and directs the various aspects of the operation, but only a Control Operator is allowed to request signals and provide on-track protection.  Once your train leaves the yard, the Train Dispatcher (who is also a Control Operator and a Clerk) is charged with safely and efficiently moving you to your destination.

This division of labor may seem antiquated to many, but the railroad is an old industry with old habits.  "We've done it this way for 150 years," an old bastard of a manager once told a certain idealistic young Train Dispatcher who was trying to computerize a process, "...and we're not going to change it now."  Although seemingly outdated, there is some beauty in the division of responsibilities.  One person simply cannot do everything, and a person with too many tasks can never master them all.  It is this concept that I've carried into my forensics work - at least into the design of my system.


Computer 1 - The Evidence Machine

I don't trust that Windows will keep its hands off my media.  None of us do.  But thanks to great marketing by the "big boy" software vendors, most of us operate with a blind devotion to using only Windows-based tools, miring ourselves in the consequential (and reasonable) FUD that Windows is going to reach out and touch our discs every time we plug them in.  Hardware write-blockers, like lubricating cream specifically developed to keep our big fat legs from chafing each other while we walk, represent a gazillion-dollar industry that sprang up to solve a problem that shouldn't have existed in the first place.

Because I don't trust Windows, I don't let it anywhere near my evidence media.  I have a computer that, for forensic work flow purposes, only does acquisition. Like the railroad workers described above, that's what it does.  That's all it does.  This workstation runs a forensically-sound OS (Andy Rosen's SMART Linux, which is built atop a stripped down Ubuntu).  This workstation can't play videos.  It doesn't analyze data.  It can't even access the Internet.  All it does is run SMART and save the disc images to a RAID which is directly attached via eSATA.

As far as specifications are concerned, there's nothing fancy here.  This is actually a slightly outdated computer workstation that I picked up for $140 at my local used computer shop.  (Here in Austin, we have plenty of used Dell computers previously donated to schools by the Dell Corporation available in shops.)  I added an eSATA card and was good to go.  I have found that the acquisition computer doesn't need to be speedy.  Also, SMART being a slick, scaled-down distro, not much memory is required.

Computer 2(a)(b)(c)(d) - The Analysis Machine

For analysis, I use VMware Workstation on a Windows 7 Host.  This computer is fancier - it boasts a hex-core processor and 16 GB of RAM - but I didn't take out a second mortgage to get it.  With the monitor and a few 2TB hard drives I picked up on Black Friday, this workstation cost me about $1200 to build.

It's important to note that the host system itself does no forensic analysis.  All work is performed via VMs.  This helps keep my host system uncluttered and free to do important things - like making invoices.  :-)

At any one time, I have the following VMware workstations running or paused:

  • SMART by ASR Data
  • BackTrack
  • Windows XP Professional (for surfing the Internet - more on that in Part 3)
  • SANS SIFT Workstation (Linux)
  • SANS FOR-408 Workstation (Windows XP)
  • SANS FOR-408 Workstation (Windows 7)
Each operating system has distinct strengths and weaknesses.  For example, one method I use for extracting binary data from pcap files only works in Windows XP.  Also, tools like NetworkMiner work best in XP, while fls, mmls, and others are Linux-based.

Each of these workstations is networked together in such a way that they can all attack the evidence together.  That's for Part 3.  Stay tuned!

Forensicating with Interconnected VMs Part 1

I don't believe that this series of posts will be particularly novel or ground-breaking.  I'm also not purporting that this is how everyone should do things.  There may be better ways to skin this proverbial cat, and I'd love to hear them!

The idea of using VMs that communicate with each other was introduced to me in FOR-508 by the fine folks at the SANS Institute.  I tip my hat to Rob Lee and Company for all of their hard work in developing tools and techniques for the entire DFIR community.

Stove Pipe Philosophy

I'm super-paranoid about the client data stored on my PC, and I have this nagging suspicion that The Cloud is out to get me.  Perhaps it won't kill me in my sleep as I imagine.  Most likely it will creep silently into my humble abode, traveling through the mysterious ether in my net, and enter through the back of my forensicator machine.  From there, it will corrupt my data, kick my dog, erase my pr0n or generally make me have a really bad day.

With that in mind, sometimes my forensicating requires that I tap into The Cloud's vast knowledge.  And although it'd be hip and "old school" to have a stove-piped Sneakernet, it's just not practical to keep all my workstations segregated from each other.

Connected, but not connected.  What to do?  See part Two!

Wednesday, June 15, 2011

Welcome - The Obligatory First Post

Welcome to my humble home on the Internet. With this blog, I will do my best to amuse you, inspire you, and occasionally pass along a useful nugget lucky enough to form in the weird, wild universe between my ears.

I don't claim to be an expert, or particularly interesting. However, I've been known to come up with a good idea now and then. All offers subject to credit approval. Your mileage may vary. Not available in all states.