Friday, August 20, 2010

'Web 2.0' as evidence

by Sean McLinden

In a recent intellectual property case for which we were retained, among the electronically stored information (ESI) that the plaintiff sought for production were internal company blogs and wikis used by the defendant’s developers to discuss new product ideas, as well as the design and coding of the alleged offending application. Included in the discovery were sites created using Microsoft® SharePoint® and MediaWiki software (and others). The discovery order was crafted with the typical “readily accessible” and “native format” language that seems totally irrelevant to sites which maintain dynamic content.

Due to the nature of the business, none of the sites for which production was requested was required to be managed in accordance with standards for business compliance such as Sarbanes-Oxley or the European Union Data Protection Directive. All were informal sites created by the development team to support collaboration with other team members. It is arguable whether there was any affirmative “duty to preserve” since it appeared that the developers were totally unaware of any intellectual property concerns related to their work.

Thus, the issues that arose during production were two-fold: What constituted “readily accessible” in sites in which the content is frequently changing and for which point-in-time recovery (PiTR) solutions do not exist? The producing party’s view was that snapshots of the current site with resolution and recursion on internal links to one level of depth was sufficient, but how to produce those snapshots in a form which was reasonably complete but did not constitute a hardship for the producing party? Initial attempts using various web crawlers were abandoned after the output far exceeded the volume of space actually occupied by the site itself! And given that the site content is, at least in part, database driven, what is the impact of continued site use, after the alleged point of infringement, on the database contents?

As for “native format”, how does one handle those sites which convert uploaded content from one form to another using processes which are undocumented and proprietary? Even if the conversion process is well documented, what assurances exist that metadata will be preserved? Many Content Management Systems support import/export programs which convert documents from their native format to a format more easily viewed from the Web (e.g. PDF or HTML). In many cases, valuable metadata is removed by the conversion process...


Wednesday, August 18, 2010

Scalability: A Big Headache

by Dominik Weber

About the author: Dominik Weber is a Senior Software Architect for Guidance Software, Inc.

In this month's installment, I will take a break from a specific problem and talk about a fundamental issue with deep forensics: Scalability.

Scalability is simply the ability of our forensic tools and processes to perform on larger data sets. We have all witnessed the power of Moore's law, and storage capacity has grown at a comparable pace: hard drives are getting bigger and bigger, and a 2 TB SATA hard drive can be had for well under $100. With massive storage space the norm, operating systems and software leverage it more and more. For instance, my installation of Windows 7 with Office is ~50 GB. Browsers cache more data and many temporary files are created. Since Windows Vista introduced the TxF layer for NTFS, transactional file systems are the norm, and the operating system keeps restore points, Volume Shadow Copies and previous versions. Furthermore, a lot of old, deleted file data is no longer overwritten.

This "wastefulness" is a boon to forensic investigators: many more operating system and file system artifacts are being created, and data is spread out across L1, L2 and L3 caches, RAM, flash storage, SSDs and hard drive caches. For instance, the thumbnail cache now stores data from many volumes, and Windows Search happily indexes a lot of user data, creating artifacts and allowing analysis of its data files.

That was the good news. The bad news is that most of this data is in more complex, new and evolving formats, requiring more developer effort to stay current. For instance, I am not aware of any forensic tool that analyzes Windows Search databases - not that I had time to look (if you know of such a tool, please post in the forum topic for this article). Worse than that is the need to thoroughly analyze the data. Traditionally, the first step is to acquire the data to an evidence file (or a set thereof). The data must be read, hashed, compressed and possibly encrypted. All of this takes time, despite new multi-threaded and pipelined acquisition engines appearing (for instance in EnCase V6.16). High-speed hardware solutions are also more prevalent. Luckily, this step is linear in time, meaning that acquiring a full 2 TB hard drive will take twice as long as a full 1 TB drive. Note that unwritten areas of hard drives are usually filled with the same byte pattern (generally 00 or FF); these areas compress highly, so less has to be written to the evidence file and acquisition runs faster, although every sector still has to be read to produce the acquisition hash.
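The point about linear cost and compressible unwritten space can be seen in a small acquisition loop. The following is an added example, not code from the article or from any Guidance Software product: it reads an image in fixed-size chunks, keeps a running MD5/SHA-1 of the uncompressed stream, compresses each chunk independently and records how much each region shrank. The image it runs on is constructed in build_sample_image(); the chunk size and the image layout are assumptions.

```python
# Added example, not from the article or any Guidance product: a minimal chunked
# acquisition pipeline that reads an image once, hashes the uncompressed stream and
# compresses every chunk on its own, recording how much each region shrank. The image
# it runs on is constructed in build_sample_image(); chunk size and layout are assumed.
import hashlib
import io
import os
import zlib

CHUNK = 64 * 1024  # assumed block size; evidence formats pick their own


def acquire(src, chunk=CHUNK, level=6):
    """Stream `src` (file-like over a device or image) in fixed-size chunks.

    Each chunk is compressed independently so the evidence file stays seekable,
    the whole uncompressed stream is MD5/SHA-1 hashed for the acquisition hash,
    and a per-chunk CRC-32 is kept for later verification. The work is linear in
    bytes read: a 2 TB drive costs twice what a 1 TB drive does, whatever it holds.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    chunks, offset, bytes_out = [], 0, 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        md5.update(buf)
        sha1.update(buf)
        comp = zlib.compress(buf, level)
        # Random or encrypted data does not shrink; store it raw rather than grow it.
        stored, method = (comp, "zlib") if len(comp) < len(buf) else (buf, "raw")
        chunks.append({"offset": offset, "size": len(buf), "stored": len(stored),
                       "method": method, "crc32": zlib.crc32(buf)})
        offset += len(buf)
        bytes_out += len(stored)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bytes_in": offset, "bytes_out": bytes_out, "chunks": chunks}


def acquire_bytes(data, **kw):
    return acquire(io.BytesIO(data), **kw)


def compression_ratio(manifest):
    """Stored bytes over input bytes; lower means less to write to the evidence file."""
    return manifest["bytes_out"] / manifest["bytes_in"]


def verify(manifest, data):
    """Re-hash `data` and re-check every chunk CRC against the manifest."""
    if (hashlib.md5(data).hexdigest() != manifest["md5"]
            or hashlib.sha1(data).hexdigest() != manifest["sha1"]):
        return False
    return all(zlib.crc32(data[c["offset"]:c["offset"] + c["size"]]) == c["crc32"]
               for c in manifest["chunks"])


def build_sample_image():
    """Constructed image: two chunks of 'written' random data, then unwritten space,
    four chunks 0x00-filled and two 0xFF-filled, as the article says is typical."""
    return os.urandom(2 * CHUNK) + b"\x00" * (4 * CHUNK) + b"\xff" * (2 * CHUNK)


if __name__ == "__main__":
    image = build_sample_image()
    m = acquire_bytes(image)
    print(f"MD5 {m['md5']}  SHA1 {m['sha1']}")
    print(f"{m['bytes_in']} bytes in, {m['bytes_out']} stored, ratio {compression_ratio(m):.3f}")
    for c in m["chunks"]:
        print(f"offset {c['offset']:>7}  {c['method']:4}  {c['size']:>6} -> {c['stored']:>6} bytes")
    print("verified:", verify(m, image))
```

Running it shows the two random chunks stored raw (the zlib output would be larger than the input) while the 0x00 and 0xFF chunks collapse to a few dozen bytes each, so the evidence file is roughly a quarter of the source even though every byte was read and hashed. verify() re-hashes the data and re-checks each chunk CRC, which is the step that should follow any acquisition before the source drive goes back in the bag.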


Single Sign On

by Simon Biles

About the author: Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

“Holy Grail” is an interesting term to apply to something – the intended meaning is well known to most of us, i.e. something miraculous that will solve all of your problems. Given that the original is supposedly a cup, bowl or dish, it hardly links sensibly to password management; none the less, Single Sign-On (henceforth SSO, to save me from RSI) is supposedly the “Holy Grail” of authentication.

SSO is the answer to the dilemma that we were left with at the end of the last article – we want complex, difficult-to-break passwords that change often, on all the systems that a user has access to … A rather entertaining (if a little dated now) paper from Microsoft Research (Florêncio and Herley, “A Large-Scale Study of Web Password Habits”, 2007) tells us that each user has 25 accounts that require passwords and types, on average, 8 passwords a day – and this is a paper about web-browsing habits, not including primary logons to machines or other legacy work systems. What is more interesting is that each user, on average, has 6.5 passwords, each used on 3.9 websites (I love averages – how else can you have ½ a password and .9 of a website!). Looking through some other literature suggests that some people manage way, way more than this – with this particular user dealing with 97 separate and distinct password-protected systems.

This was recognized as an issue a long time ago, well before we needed to remember our eBay, Amazon and Twitter passwords. Project Athena at the Massachusetts Institute of Technology (MIT) started in 1983 and developed the Kerberos SSO protocol. Kerberos, named after the three-headed dog of Greek mythology (Harry Potter fans please note – it was called Kerberos before “Fluffy”), operates on the principle of an authentication server that you authenticate to once with your password; assuming you get that right, it grants you a “ticket” that you can take to any other service, which identifies you and confirms your authentication. The good news is that all of this happens behind the scenes and all you have to do is remember one password. To be fair, it is a little bit more complicated than that, with some quite fun encryption ideas regarding authentication of the source and time stamps to prevent replay attacks. However, it is, in my opinion at least, the daddy of all SSO – so much so that Microsoft Active Directory authentication is, at least almost, Kerberos. (If you want to know a bit more, you can read this, but I can’t claim that you’ll be awake at the end of it.) It can be quite enlightening, if you like that sort of thing (and I do), to watch a Wireshark trace of a Kerberos exchange: Wireshark has quite a good built-in understanding of the protocol and you can see the various tickets moving around the system – you can also have a go at recording and replaying them to see if the time stamps really do work … Kerberos also has an interesting sideline in identifying machines to other machines, effectively allowing SSO between clients and servers as well as wetware users...
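The ticket exchange described above, reduced to a toy model as an added example that is not part of the article and is not real Kerberos (no ASN.1, no real cipher, no pre-authentication): the crypto is a stand-in built from the Python standard library, and the realm EXAMPLE.ORG, the user alice, her password and the service HTTP/wiki.example.org are invented. What it does show is the shape of the three exchanges and why replaying a captured authenticator, the experiment suggested above, fails: the service checks the authenticator's timestamp against a clock-skew window and keeps a cache of the ones it has already accepted.

```python
# Added example, not from the article and not real Kerberos: a toy model of the three
# exchanges (AS, TGS, AP) showing why a captured authenticator cannot simply be
# replayed: the service checks its timestamp against a skew window and remembers
# what it has seen. The crypto is a stand-in (SHAKE-256 keystream, encrypt-then-MAC
# with HMAC-SHA256) so it runs on the standard library; realm, names and keys are invented.
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock skew tolerated; Kerberos' usual default

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor(json.dumps(obj, sort_keys=True).encode(), key, nonce)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(_xor(ct, key, nonce))

def user_key(realm, name, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 100_000)

def authenticator(session_key, cname, now):
    """Proves possession of the session key and freshness: timestamp plus nonce."""
    return seal(session_key, {"cname": cname, "ts": now, "nonce": os.urandom(8).hex()})

def check_auth(auth, cname, now):
    if auth["cname"] != cname or abs(now - auth["ts"]) > SKEW:
        raise ValueError("stale or mismatched authenticator")

class KDC:
    """Authentication Server and Ticket Granting Server for one realm."""
    def __init__(self, realm):
        self.realm, self.tgs_key, self.keys = realm, os.urandom(32), {}

    def as_exchange(self, cname, now, lifetime=8 * 3600):
        """AS-REP: TGT sealed to the TGS, session key sealed under the user's
        password-derived key, so only the right password can open the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"cname": cname, "key": session, "exp": now + lifetime})
        return seal(self.keys[cname], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, auth_blob, service, now):
        """TGS-REP: a valid TGT plus fresh authenticator buys a ticket for `service`."""
        tgt = unseal(self.tgs_key, tgt_blob)
        if now > tgt["exp"]:
            raise ValueError("TGT expired")
        check_auth(unseal(bytes.fromhex(tgt["key"]), auth_blob), tgt["cname"], now)
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"cname": tgt["cname"], "key": svc, "exp": now + 3600})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc, "ticket": ticket.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def ap_request(self, ticket_blob, auth_blob, now):
        """AP-REQ: open the ticket, then reject stale or already-seen authenticators."""
        ticket = unseal(self.key, ticket_blob)
        if now > ticket["exp"]:
            raise ValueError("ticket expired")
        auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)
        check_auth(auth, ticket["cname"], now)
        fp = (auth["cname"], auth["ts"], auth["nonce"])
        if fp in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(fp)
        return ticket["cname"]

def rejects(service, ticket, auth, now):
    """True if the service refuses this ticket/authenticator pair."""
    try:
        service.ap_request(ticket, auth, now)
        return False
    except ValueError:
        return True

def sso_session(password, now=1_700_000_000):
    """One password entry, then tickets only. Returns (identity the service saw,
    replay rejected?, stale authenticator rejected?)."""
    kdc = KDC("EXAMPLE.ORG")
    kdc.keys["alice"] = user_key(kdc.realm, "alice", "correct horse battery")
    kdc.keys["HTTP/wiki.example.org"] = os.urandom(32)
    wiki = Service(kdc.keys["HTTP/wiki.example.org"])
    # 1. AS exchange: the password is used exactly once, to open the reply.
    as_rep = unseal(user_key(kdc.realm, "alice", password), kdc.as_exchange("alice", now))
    session, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    # 2. TGS exchange: TGT + authenticator, no password, yields a ticket for the wiki.
    tgs_rep = unseal(session, kdc.tgs_exchange(
        tgt, authenticator(session, "alice", now), "HTTP/wiki.example.org", now))
    svc_key, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    # 3. AP exchange: ticket plus a fresh authenticator identifies alice to the wiki.
    auth = authenticator(svc_key, "alice", now + 1)
    who = wiki.ap_request(ticket, auth, now + 1)
    # 4. Replaying the captured authenticator (what the article suggests trying from a
    #    Wireshark trace) and 5. presenting one with an hour-old timestamp both fail.
    return (who, rejects(wiki, ticket, auth, now + 2),
            rejects(wiki, ticket, authenticator(svc_key, "alice", now - 3600), now + 3))
```

sso_session("correct horse battery") returns ('alice', True, True): the wiki saw alice, the replayed authenticator was refused, and the hour-old one was refused. Calling it with the wrong password raises ValueError at the AS step because the reply cannot be unsealed, which is the one moment the password is used at all. Real Kerberos adds pre-authentication so the KDC does not hand a password-encrypted reply to anyone who asks; without it, that reply is exactly what offline password guessing (AS-REP roasting) works on.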


Tuesday, August 10, 2010

Authentication and Authorisation

by Simon Biles

About the author: Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

Authentication and Authorisation (please notice the “s” is _not_ a spelling error!) are fundamental to information security – identifying who a user is (authentication) and what they are allowed (authorised) to do allows us to restrict access to data in such a way that only the rightfully permitted people can access, modify or copy it. In the current day and age we have a habit of lumping the two together under the term “Identity and Access Management” – but personally, I think it is wise to remember that they are separate and distinct processes, handled at different times and by different parts of the computer that you are using.

Let’s start off with authentication – the “prove who you are” part. Authentication can be performed in a number of ways – typically these are described as: something you know, something you have or something you are – each one of these is called a “factor” and, logically, combine two or more of them and you have “multi-factor” authentication. The password is an example of the first of these factor types, although there are other things, such as the questions you answer for your password reset (the name of your first pet goldfish, your favourite teacher at school, how many warts you have between your toes, that kind of thing), the answers to which are often public or guessable, which makes them a much weaker “something you know” than the password they are allowed to reset. The things that you have are things like smartcards or dongles, whereas the things that you are include all of the biometric measurements – fingerprints, voice recognition and the like. Each of them has its inherent issues – people forget things, lose things, and, rather frighteningly, people can have bits of them taken – numerous examples abound in film – “Angels & Demons” springs to mind as the most recent, but I recall “Thunderball” also makes use of the concept.

However, by far the most common, cheapest and most familiar form of authentication is the password. Passwords are now ubiquitous – if you have a computer and an internet connection, you have a password. Most operating systems now implement them in some form by default, usually for elevation of privileges to an administrative account - those of us who have been using UNIX or its derivatives for the last few decades (or indeed some earlier multi-user operating systems) can all have a good laugh now and congratulate Microsoft and Apple for having caught up. They’ve been around a lot longer than that though; I did a little research and could certainly find written references to the use of passwords as far back as the Roman legions, and I’ve every confidence that they were in use well before that in some form or another. The Roman implementation of passwords was exemplary, and, quite frankly, something that many modern password implementations could learn from – controlled distribution, frequent changes and traceability of distribution. If you are interested there is more to be found here (

The commonality of passwords has created a unique problem (and, from a forensic viewpoint, an opportunity): people have terrible memories for things, especially where there is little in the way of context to give them a clue, so they tend to use the same password multiple times. Where, as professionals, we have the capability to enforce certain technical restrictions on the user (password length and complexity requirements, change intervals, non-repeatability etc.) we quickly find that the user subverts the process one way or another – the most ubiquitous being the dreaded post-it note! I’d like to draw your attention to the “professional” intelligence agents operating until recently in the US: a 27-character password, had it been committed to memory, could have been a significant issue for the forensic officers; however, having it written down alongside the computer … well, need I say more?

Friday, August 06, 2010

UK student competition: Win free training on "Investigating Connection Records" course

UK students - Win a free* place on the "Investigating Connection Records and Introduction to Cell Site Analysis" Training Course in Birmingham (UK), 23rd – 24th August 2010 provided by Sam Raincock Consultancy.

To enter you MUST be a current UK student studying for a BSc, MSc or PhD in a computer science, information security, engineering or computer forensics discipline. You must not be in full or part time employment in a professional role or have obtained a job offer in such a role.

Competition Details

As a telecommunications and computing forensic specialist, one of the biggest challenges is to learn how to write simply and succinctly so your reports/articles can be understood by all.

With this in mind, to enter you need to prepare an article, no more than 1,000 words, discussing one of the following topic areas:

- Mobile telephone examination methodology.
- Testing forensic tools.
- Encrypting confidential data.
- Investigating Internet activity on a computer.
- Social engineering and information security.

You may provide a summary of the topic area or select a sub-topic on which to concentrate your article. The article should be in a language and style suitable for a non-technical layperson. Your chosen topic should not discuss software products and should be entirely your own work. Articles containing information copied from other sources and not appropriately cited will be instantly disqualified.

The article will be assessed by Samantha Raincock for technical accuracy, readability, structure and the general chosen topic area. One overall winner will be selected and the author will receive the training prize as well as their article being published on Sam Raincock Consultancy’s website. All decisions are final.

Closing date for submission is by 12:00 (noon) BST on 16th August 2010. The article should be emailed to in Word format.

* One free training place is available. Recent graduates (2010) without a job offer may apply. The prize will include two days of training and all training materials. It does not include accommodation, subsistence or travel costs. The prize is non-transferable and is only valid for the investigating connection records training course on 23rd – 24th August 2010 in Birmingham. There is no alternative prize. You will need to provide proof of your student status and your identity. In the unlikely event the training course is cancelled the prize will become null and void and SRC will not be responsible for any costs incurred.