Tuesday, February 26, 2008

Computer forensics podcasts

While computer forensics blogs are quite easy to find, podcasts are somewhat conspicuous by their absence - not altogether surprising, of course, given the effort required to produce something worth listening to. In fact, the only one I listen to anything like regularly is Bret and Ovie's CyberSpeak, and despite being very enjoyable, even that doesn't always concentrate on purely forensic issues.

Does anyone have any other recommendations for computer forensic podcasts? Please leave a comment and I'll add them to the relevant links page for others to see.

Friday, February 22, 2008

Cold Boot Attacks on Encryption Keys

Already generating some discussion in the forums and elsewhere on the web is the recently released paper "Lest We Remember: Cold Boot Attacks on Encryption Keys" from researchers at Princeton University. The researchers' main finding is that data remains in DRAM for longer than generally expected. Furthermore, this period can be extended significantly by cooling the memory chips in question (one somewhat unsophisticated but effective way of achieving this cooling effect being to spray the chips with an inverted "canned air" canister!)

In addition to the paper, there is also a YouTube video:

In terms of the underlying principles involved, there's nothing particularly new here. Data retention in memory has been known about and discussed for a number of years. The paper is interesting, perhaps even important, for a number of reasons though. Firstly, the extent to which data remains available and the ease with which the window of recovery can be extended will be surprising to many. Secondly, in addition to the main finding the paper also discusses techniques used to reconstruct data where some amount of decay has occurred - potentially crucial in the recovery of encryption keys. Thirdly, it addresses one of the key challenges facing forensic examiners as the use of BitLocker and products such as TrueCrypt continues to grow.

As many commentators have already mentioned on news sites or blogs (including the researchers' own blog), the threats to security or opportunities for forensic analysis are highly dependent on a variety of factors - the state of a machine, the particular implementation of BitLocker in use, the speed with which cooling can be applied, etc. In the real world, this would seem to represent a fairly limited threat to anyone who has had their laptop stolen by an opportunist thief, although situations where a device has been specifically targeted for the data it may contain are a different matter. I think it's much more interesting to consider the forensic possibilities and implications. How long will it be before this type of consideration becomes an integral part of our thought processes when preparing to seize a suspect device? What effect will existing legislation have on your actions? Why didn't I invent this technique when I cleaned my keyboard after having that sandwich for lunch?

Food for thought indeed...

Thursday, February 21, 2008

YouTube and the power of the dark side

Sharp-eyed visitors may have noticed the addition of a Videos link to the Resources menu on the left-hand side at Forensic Focus. The link is to a page of YouTube videos related to computer forensics - some instructional, some news reports and some...um...other (such as "Cat Fancy".) I hope they're somewhat educational or at least mildly diverting. Needless to say, please feel free to recommend further additions to the page.

You may notice that the top video is slightly larger than the rest. In theory this should be a sort of automated player which delivers a selection of computer forensics related videos by itself, without needing me to specify them individually (the basic idea being that it picks up on keywords supplied when I set it up.) Well, that's the theory. In practice it doesn't seem to work too well - either it displays no videos at all, or the ones it does show are unrelated to the subject area. Maybe the technology will improve, though, so I'll leave it in place for the time being.

An unexpected benefit of the poor targeting, though, is that it's introduced me to Chad Vader. I'm sure most of you cool cats have already seen this successful viral video series but for those who haven't, here's episode 1.

May the force be with you!

Friday, February 01, 2008

Lance Mueller's blog...and funny T-Shirt quotes!

Lance Mueller's blog - Computer Forensics, Malware Analysis & Digital Investigations - is definitely one of the better ones out there. Updated frequently, highly detailed, nicely illustrated (i.e. lots of pretty pictures) and with some newly posted forensic practicals it's a great resource to add to your blog tracker, especially if you're an EnCase user.

On a less serious note, don't miss this thread in the forums where we've been trying to come up with some suitably amusing quotes for a CF club fundraiser. I have to admit I like Harlan's suggestion, despite the somewhat disturbing imagery it conjures up ;-)