Paper: “Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment”
Title: Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment
Authors: Peter Hannay, Peter James
Abstract
Storage of sensitive and/or business critical data on portable USB attachable mass storage devices is a common practice. The ability to transport large volumes of data from the standard place of work and then access and process the data on an available PC at a different location provides both convenience and flexibility. However, use of such USB attachable mass storage devices presents two major security risks; the risk of loss of the portable storage device during transport and the risk of data remnants residing on a PC after accessing the data from the USB storage device. The latter risk is due to the way Windows and third party applications store temporary information on the host PC’s hard disk. Even if every effort is made to delete temporary information it may be possible to recover this information by using forensic data recovery techniques such as header analysis and magnetic force microscopy.
The Pocket SDV with SDGuardian provides an elegant solution to the aforementioned security risks. The Pocket SDV is a commercially available USB attachable secure hard disk drive. Features of the Pocket SDV include hardware based encryption, strong authentication, differentiated access rights and cryptographically separate partitioning capabilities. Only a user with the correct authentication credentials can gain access to data stored on the Pocket SDV, thus providing assurance if the Pocket SDV is lost. SDGuardian is a proof of concept toolkit that minimises the remnants left on a PC if it is used to process data stored on a Pocket SDV. Forensic examination of the PC, following processing of data held on a Pocket SDV with SDGuardian, should not reveal any remnants of protected data. In this paper an overview of the Pocket SDV is given and its functionality is enumerated. The motivation for SDGuardian is outlined before discussing the design, capabilities and limitations of the Pocket SDV with SDGuardian.
Files: Full Paper (PDF)
No commentsPaper: “A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System”
Title: A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System
Authors: Peter Hannay
Abstract
The use of Satellite Navigation Systems (SNS) has become increasingly common in recent years. The wide scale adoption of this technology has the potential to provide a valuable resource in forensic investigations. The potential of this resource is based on the ability to retrieve historical location data from the device in question while maintaining forensic integrity. This paper presents a methodology to acquire forensic images of the TomTom One satellite navigation unit. This methodology aims to be comprehensive and straightforward, while maintaining forensic integrity of the original evidence. However, in consideration of the aforementioned methodology it should be noted that the defined method may not extract all potential evidence and the viability of collected evidence is dependent on future research into the analysis of said evidence. In order to address this consideration, research into this area is currently ongoing.
Demo
Get the Flash Player to see this player.
Files: Full Paper (PDF), Slide Show (PowerPoint), Demo (QuickTime)
No commentsPaper: “LIARS Phase One – A live CD system for extraction of user and owner information from laptop and notebook hard drives”
Title: “LIARS Phase One – A live CD system for extraction of user and owner information from laptop and notebook hard drives”
Authors: Peter Hannay, Andrew Woodward, Nic Cope
Abstract
Laptop and notebook theft is major issue worldwide. Many laptops are found by Police, but it is rare that the owner is able to be identified, resulting in the device being wiped and sold. This results in a reduced recovery rare for police and increased payouts for insurance companies. The first phase of the LIARS project modified an existing open source program, chntpw, and used the registry hive interrogation feature. The resulting program is run from a forensically sound live Linux CD, and outputs any relevant registry information to the screen in a text format. This paper outlines the method by which this is done, and gives information about the code modification. It goes on to talk about the next phase of the project, using file carving to examine formatted laptop drives.
Files: Full Paper (PDF)
No commentsSpoofing onto a peer
The original arpspoof utility (part of dsniff) provides an easy way to send forged ARP packets. The normal use for this utility is to intercept traffic between two hosts, such as a user and the gateway.
As part of an upcoming project I needed a way to redirect traffic from one host to another host under my control. The arpspoof utility however only allows the user to directly intercept the traffic in question. In order to address this issue I modified the arpsniff utility to enable new functionality which I call ’spoofing onto a peer’.
In order to use this new functionality the commad line switch -s is used in conjunction with the other command line parameters. For example the command line below would intercept the traffic from host 192.168.1.1 and redirect it to the mac address 12:34:56:78:9a:bc.
arpspoof -s 12:34:56:78:9a:bc 192.168.1.1
Files: arpspoof.c
No comments