Re: Where are greater risks?

From: Michael H. Warfield (mhwat_private)
Date: Thu Jun 28 2001 - 06:29:50 PDT


    On Wed, Jun 27, 2001 at 06:50:42PM +0100, Michael D. Barwise, BSc, IEng, MIIE wrote:
    > Thanks Neil, but the purpose is to make use of a tool which does only one 
    > job and is so transparently simple that it can be accepted by non-technical 
    > people in court as valid for legal purposes. After all this *is* forensics! No 
    > way could you defend a complex system like Linux on this basis, 
    > particularly taking into account the way it has been developed.
    
    	Huh?
    
    	There is definitely a major screw loose here somewhere.  From
    what I've seen, the OS is largely irrelevant and md5sum and dd are
    paramountly defensible BECAUSE of their simplicity.  In fact, in
    discussions at the quarterly FBI Infragard meeting here in Atlanta,
    it's been discussed and generally accepted by the experts that dd is
    one of the most popular of the forensic snapshot tools.
    
    	I just got back from the FIRST (Forum of Incident Response Security
    Teams <www.first.org>) annual general meeting.  There were two forensic
    related tutorials at that week long conference and both presented it as
    generally accepted that dd was one of the BETTER and more popular tools
    for doing exactly this and far superior to things like Ghost and a few
    other specific proprietary tools targeted at forensics because, unlike
    those others, it was simple and made clean independently verifiable
    (md5sum, sum, crc - your choice) images of drives from device to device
    or over a network.
    
    	If you can't defend and support something as bone head simple as
    that, how are you going to even begin to explain log traces or IDS results?
    How would you defend the results from analysis such as done by The
    Coroner's Toolkit?  Simple fact is that if you can't support and defend
    dd as independently verified by other utilities, then you probably have
    no business in court in any case (pun intended).
    
    	If you depend on ONE proprietary tool which can not be externally
    verified or confirmed, THEN you set yourself up to be challenged.  "Well,
    how do you KNOW that was an exact copy?  Because the vendor told you so?"
    That's like a Microsoft salesman telling you that Windows is "secure".
    Right.
    
    	With dd (or cp or other tools) you can take an exact image snapshot
    and then use your cryptography tools of choice (like md5sum or a sha1sum
    or [yuk] sum or any combination of all of them) to perform independent
    verification.  Those cryptographic hashes become part of your chain of
    evidence for end-to-end verifiability.  Now, if you are challenged, you
    are not dependent on ONE utility but all of them would have to be corrupt
    in the same way.  Want to eliminate the OS, do it from Linux, FreeBSD
    and OpenBSD independently.  Chances of them ALL lying in the same way
    are pretty remote.  MD5 hashes or SHA1 hashes are pretty tough to beat.
    They rank right up there with genetic evidence in terms of probabilities
    of collisions and false matches.
    
    	With the md5sum of the original drive in hand, you can go into
    court and easily argue that the image of that drive with the exact same
    md5sum is identical to the drive itself with a chance of 1 in 2**128
    of it being wrong.  That's independent verification of the validity
    of your images and validation of your methodology.
    
    	You don't convince a jury by being stupid.  You convince a jury
    by being convincing.  I've been on both sides of that fence and been a
    jury foreman at the Federal level.  Worst thing you can do is treat the
    jury like they are stupid (even if some are).  In the case I was foreman
    on, both parties had their own attorneys as their own worst enemy.  If
    the plaintiff had even had a shadow of a case, we would have ripped the
    defendant a new one just based on the lame exhibits and evidence their
    lawyer came up with.  It was a case of "he who was the least STUPID won".
    
    	One of the challenges we face in high tech forensics is being
    able to present evidence to a non-technical jury in a convincing manner.
    There is no doubt about that.  You don't accomplish that by going in
    there and trying to tell them "well, I don't know how this works, but
    I ran this and the black magic in this little box popped out with this".
    Juries are also not biologists or geneticists, but they are still
    convinced by genetic information.  They don't have to be high tech
    uber geeks to be convinced by well prepared high tech cyber forensic
    evidence.  But you have to be skilled and convincing.  A corollary
    to that is that you have to understand your tools.  If you don't, the
    time to learn is NOW, not when you are facing a jury with nothing more
    than a salesman's glossy about his new fangled forensic hingis that
    lets secretaries solve all crime and no need for any of that other
    complicated stuff.
    
    > Mike Barwise
    > Computer Security Awareness
    
    > "Addressing the Human Equation in Information Security"
    
    > > Mike,
    > > 
    > > this may be real redundant information, but that standard unix utility dd
    > > will do exactly what you're talking about, and if you're using something
    > > linux or freeBSD, the source code is completely available.
    > > 
    > > just something to ponder.
    > > 
    > > Neil
    > > 
    > > Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as mike,
    > > said...
    > > > My ideal disk copier would be a very basic PC, probably one of those
    > > > compact industrial single-board ones, with a truly blank target disk and a
    > > > spare port, running nothing except a custom-written native application
    > > > which does nothing except read literal sectors from one hard disk to
    > > > another (no OS). This application would be booted from floppy disk to start
    > > > the copy process. The required code, if written in assembler, would be so
    > > > small that it *could* be verified and certified by anyone competent to read
    > > > the source code.
    > > >
    > > > The reason we don't use disk imaging software is probably that we don't
    > > > know and can't find out what it is doing in detail (that's proprietary
    > > > information). Many disk imagers compress their archives in an unspecified
    > > > manner, and many use file-level copying, which both alters the layout of the
    > > > copy and omits free and deleted space, losing a useful source of evidence.
    > > >
    > > > Mike Barwise
    > > > Computer Security Awareness
    > > >
    > > > "Addressing the Human Equation in Information Security"
    > > >
    > > >
    > > > > >Thanks Marian
    > > > > >
    > > > > >At last someone is asking the right questions.
    > > > > >
    > > > > >My view is that one should ideally *never* try to carry out a disk
    > > > > >imaging
    > > > > in
    > > > > >place on a suspect computer.
    > > > >
    > > > > Yes, you are right, but you know it is not possible in many cases.
    > > > >
    > > > > >I would go equipped with a dedicated clean
    > > > > >"imager" PC onto which the suspect drive can be connected. This need be
    > > > > >no more than a simple PC with a spare IDE (and possibly a spare SCSI)
    > > > > >port and a power cable splitter. As it would never be used for anything
    > > > > other
    > > > > >than imaging, it could be kept clean and certified.
    > > > >
    > > > > This is the right place for the next "right" question:
    > > > >
    > > > > What is the "clean and certified" computer?
    > > > >
    > > > > Computer is always "sophistical" machine and each program, driver,
    > > > > system,...
    > > > > must be certified to clearly state that all computer is certified.
    > > > > Certification in forensic science is not only technical,
    > > > > but the juridical process. I have some (not pleasant) experience with
    > > > > certification ;-(
    > > > > The best way for success certification (no matter what certification
    > > > > criteria you have)
    > > > > is to certificate as simple device as possible. For this reason I have
    > > > > next (may be) "right" question:
    > > > >
    > > > > Why a HW disk imaging tools (HW disk duplicators) are not used?
    > > > >
    > > > > They have all advantages (except price ;-).
    > > > > Simplicity, speed, safety, electronic signature, they need not so high
    > > > > qualify operation and handling...
    > > > >
    > > > > >
    > > > > >Michael D. Barwise, BSc, IEng, MIIE
    > > > > >Computer Security Awareness
    > > > > >tel +44 (0)1442 266534
    > > > > >http://www.ComputerSecurityAwareness.com
    > > > > >
    > > > > >Addressing the Human Equation in Information Security
    > > > >
    > > > > ____________________________________
    > > > > Marian Svetlik
    > > > > Principal Consultant
    > > > >
    > > > > Risk Analysis Consultants
    > > > > Narodni 9,      110 00 Praha 1
    > > > > Czech Republic
    > > > >
    > > > > Tel.:   +420 2 220 75 352    Fax:   +420 2 242 28 273
    > > > > mail:   svetlikat_private           http://www.rac.cz
    > > > >
    > 
    > 
    > Michael D. Barwise, BSc, IEng, MIIE
    > Computer Security Awareness
    > tel +44 (0)1442 266534
    > http://www.ComputerSecurityAwareness.com
    > 
    > Addressing the Human Equation in Information Security
    > 
    > -----------------------------------------------------------------
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    > 
    
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
    
    
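The imaging-and-verification procedure the post argues for (a raw dd copy, then the source and the image hashed by several independent utilities so that no single tool has to be trusted), written out as an added shell example. This is not code from the post or from any tool it names; the function names, the log format and the tool list are assumptions.

```sh
#!/bin/sh
# Added example: dd image plus independent cross-checks, as the post describes.
# Assumed names: verify_copy, image_and_verify, and a plain-text LOG file that
# becomes part of the chain-of-custody record.

# verify_copy SRC IMG LOG
# Hash SRC and IMG with each of md5sum, sha1sum and cksum (three unrelated
# implementations), append one timestamped line per tool to LOG, and return
# 0 only if every pair agrees.  A tampered or short image fails every tool.
verify_copy() {
    src=$1; img=$2; log=$3
    status=0
    for tool in md5sum sha1sum cksum; do
        # Read via stdin so the output carries no file name, only the digest;
        # field 1 is the hex digest (md5sum/sha1sum) or the CRC (cksum).
        h_src=$("$tool" < "$src" | awk '{print $1}')
        h_img=$("$tool" < "$img" | awk '{print $1}')
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        if [ "$h_src" = "$h_img" ]; then
            printf '%s %s MATCH %s\n' "$stamp" "$tool" "$h_src" >> "$log"
        else
            printf '%s %s MISMATCH src=%s img=%s\n' \
                "$stamp" "$tool" "$h_src" "$h_img" >> "$log"
            status=1
        fi
    done
    return $status
}

# image_and_verify SRC IMG LOG
# Sector-level copy of SRC to IMG with dd, then verify_copy.  conv=noerror
# keeps reading past unreadable blocks and sync pads them, so offsets in the
# image still line up with the device (a whole device is a multiple of the
# block size, so padding never changes its length).  dd's record counts go
# into LOG as well, so the copy itself is documented.
image_and_verify() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log" || return 2
    verify_copy "$src" "$img" "$log"
}
```

Keep the three MATCH lines with the image; anyone can later rerun any of the three tools on the image alone and compare against the recorded digests.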
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 16:38:20 PDT