openduck

Title: Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment

Authors: Peter Hannay, Peter James

Abstract
Storage of sensitive and/or business critical data on portable USB attachable mass storage devices is a common practice. The ability to transport large volumes of data from the standard place of work and then access and process the data on an available PC at a different location provides both convenience and flexibility. However, use of such USB attachable mass storage devices presents two major security risks; the risk of loss of the portable storage device during transport and the risk of data remnants residing on a PC after accessing the data from the USB storage device. The latter risk is due to the way Windows and third party applications store temporary information on the host PC’s hard disk. Even if every effort is made to delete temporary information it may be possible to recover this information by using forensic data recovery techniques such as header analysis and magnetic force microscopy.

The Pocket SDV with SDGuardian provides an elegant solution to the aforementioned security risks. The Pocket SDV is a commercially available USB attachable secure hard disk drive. Features of the Pocket SDV include hardware based encryption, strong authentication, differentiated access rights and cryptographically separate partitioning capabilities. Only a user with the correct authentication credentials can gain access to data stored on the Pocket SDV, thus providing assurance if the Pocket SDV is lost. SDGuardian is a proof of concept toolkit that minimises the remnants left on a PC if it is used to process data stored on a Pocket SDV. Forensic examination of the PC, following processing of data held on a Pocket SDV with SDGuardian, should not reveal any remnants of protected data. In this paper an overview of the Pocket SDV is given and its functionality is enumerated. The motivation for SDGuardian is outlined before discussing the design, capabilities and limitations of the Pocket SDV with SDGuardian.

Files: Full Paper (PDF)

The original arpspoof utility (part of dsniff) provides an easy way to send forged ARP packets. The normal use for this utility is to intercept traffic between two hosts, such as a user and the gateway.

As part of an upcoming project I needed a way to redirect traffic from one host to another host under my control. The arpspoof utility however only allows the user to directly intercept the traffic in question. In order to address this issue I modified the arpsniff utility to enable new functionality which I call ’spoofing onto a peer’.

In order to use this new functionality the commad line switch -s is used in conjunction with the other command line parameters. For example the command line below would intercept the traffic from host 192.168.1.1 and redirect it to the mac address 12:34:56:78:9a:bc.

arpspoof -s 12:34:56:78:9a:bc 192.168.1.1

Files: arpspoof.c