Friday, 15 May 2009

Disable System Beep In VMWare

Is the system beep in VMware hurting your ears when Linux or FreeBSD guests are rebooted?
Add the following line to the .vmx file for that virtual machine (edit it while the VM is powered off, because VMware rewrites the .vmx on power-off and will discard changes made while it is running):

mks.noBeep = "TRUE"

Friday, 1 May 2009

Forensics and Disk Encryption

The challenges for the computer forensics investigator have increased over the past few years.
Companies are deploying disk and volume based encryption systems, so the traditional method of "pull the plug" and then forensically image the hard drive is changing.

Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If it is present, the keys live only in memory and the volumes are only readable while they are mounted, so appropriate forensic methods should be used to capture the memory and the decrypted (mounted) data before the computer is powered down.

There are essentially two competing goals:

  • Gather the “best” evidence available
  • Allow the system to continue operation in an unhindered manner

With encrypted drives becoming more common in the corporate environment, this means that without the cooperation of the suspect, or a master key / recovery password supplied by the IT department, the data on a powered-off drive is essentially unreadable.

The ACPO guidelines (Good Practice Guide for Computer based Electronic Evidence V.3) give no specific guidance on the collection of encrypted hard drives. Similarly, the US Secret Service Best Practices for Seizing Electronic Evidence V.3 makes no mention of encrypted hard drives either.

Identifying encrypted disks

It depends on how the encryption works. You may want to look for the following:

  • icons in the taskbar
  • start menu entries
  • common filenames and paths (Pointsec, SafeGuard Easy, DriveCrypt, PC Guardian)
  • the MBR: most of the disk encryption products use pre-boot authentication and replace the boot code with their own loader (for example SafeGuard), so the first sector is worth reading before anything else
  • mounted devices in the registry (HKLM\SYSTEM\MountedDevices), a good way to determine volume encryption (for example TrueCrypt), since a TrueCrypt container has no signature of its own and looks like random data
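As an added example (not code from the original post or from any of the products it names), the script below carries the MBR and "random-looking volume" checks through on a raw dd-style image: it pulls printable strings out of the MBR boot code, parses the partition table, and measures the Shannon entropy of each partition's first sector, because a plaintext FAT/NTFS boot sector is low-entropy while an encrypted volume is indistinguishable from random. It goes slightly beyond the post by also checking a volume boot sector signature (the BitLocker "-FVE-FS-" OEM ID); the marker strings and the sample image are assumptions constructed in the code so it runs offline.

```python
"""Inspect a raw disk image for signs of disk or volume encryption.

Added example, not part of the original post. Reports three things the
text says to look at: printable strings in the MBR boot code (pre-boot
authentication loaders usually carry their product name there), the
partition table, and the entropy of each partition's first sector.
"""
import hashlib
import math
import re
import struct
from typing import Dict, List

SECTOR = 512
# Product markers are assumptions taken from publicly documented formats;
# extend per product. BitLocker's OEM ID sits at offset 3 of the volume
# boot sector; TrueCrypt's pre-boot loader names itself in the MBR code.
MBR_MARKERS = {b"TrueCrypt": "TrueCrypt system-encryption boot loader"}
VBR_MARKERS = {b"-FVE-FS-": "BitLocker encrypted volume"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or constant sector)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_mbr(mbr: bytes) -> List[Dict[str, int]]:
    """Return the populated primary partition entries (type, start LBA, size)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a classic MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, size = struct.unpack("<II", entry[8:16])
        if ptype != 0 and size:
            parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                          "start_lba": start_lba, "sectors": size})
    return parts


def mbr_strings(mbr: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs inside the 446-byte boot code area."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, mbr[:446])]


def inspect_image(image: bytes) -> Dict[str, object]:
    """Combine loader strings, known markers and per-partition entropy."""
    mbr = image[:SECTOR]
    report = {"mbr_strings": mbr_strings(mbr), "mbr_products": [], "partitions": []}
    for marker, name in MBR_MARKERS.items():
        if marker in mbr[:446]:
            report["mbr_products"].append(name)
    for p in parse_mbr(mbr):
        off = p["start_lba"] * SECTOR
        vbr = image[off: off + SECTOR]
        ent = round(shannon_entropy(vbr), 2)
        product = next((n for m, n in VBR_MARKERS.items() if m in vbr[:16]), None)
        # A known signature is conclusive; high entropy alone is only a lead.
        report["partitions"].append({**p, "entropy": ent, "product": product,
                                     "looks_encrypted": product is not None or ent >= ENTROPY_THRESHOLD})
    return report


def _pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed image: MBR with an example loader string, then a plaintext
    FAT-style volume, a random-looking volume and a BitLocker-style volume."""
    code = (b"\xeb\x3c\x90" + b"TrueCrypt Boot Loader").ljust(446, b"\x00")
    # entry layout: status, CHS start, type, CHS end, start LBA, sector count
    entries = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 1, 1)
    entries += struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 2, 1)
    entries += struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 3, 1)
    mbr = code + entries.ljust(64, b"\x00") + b"\x55\xaa"
    fat_vbr = b"\xeb\x58\x90MSDOS5.0".ljust(510, b"\x00") + b"\x55\xaa"
    enc_vbr = _pseudo_random(SECTOR)
    bitlocker_vbr = b"\xeb\x58\x90-FVE-FS-".ljust(510, b"\x00") + b"\x55\xaa"
    return mbr + fat_vbr + enc_vbr + bitlocker_vbr


if __name__ == "__main__":
    for line in inspect_image(build_sample_image())["partitions"]:
        print(line)
```

Run it against a real image with `inspect_image(open("suspect.dd", "rb").read(...))` after reading at least the first sector of each partition; on a live system the same logic applies to the physical device, but note that a pre-boot loader reports the disk as encrypted while the volumes may already be mounted and readable through the OS, which is exactly the case for live imaging.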


Prerequisites for live imaging

Document everything you do. Document everything you ask a trusted system administrator / information security person to do. In order to image a live system you need to be logged on as a local admin level user. The aim is to gather an evidentially sound copy of the system.

A physical disk image may not be the best evidence, because the encrypted data on it may be unreadable without the key. Live acquisition enables the investigator to gather the mounted volumes in their decrypted state as well as volatile information such as memory, process list, network connections, open files etc.

What is live imaging

Taking a copy of a system while that system is still functioning in a live environment, i.e. the operating system is running and any encrypted volumes are mounted.

Why would you image a live machine ?

  • Business critical systems that cannot be shut down. Shutting down systems may create legal liability for the examiner through damaging equipment, unintentional data loss or hampering operations.
  • Instructions that evidence gathering must be conducted using the least intrusive methods available.
  • Encrypted volumes: once the machine is powered off the keys are gone from memory and the volumes are unreadable without the password.

Tools

  • Helix (dd/netcat)
  • ProDiscover IR
  • EnCase EEE/FIM
  • FTK

Issues surrounding imaging a live system

The system is essentially "un-trusted". This raises the following questions. How do we know we have collected all the original evidence on an un-trusted system? Can the machine be accessed remotely while we work on it? Could a rootkit be hiding data from, or subverting, the imaging tool? Running the tools from your own trusted media (rather than the binaries on the suspect machine) and recording hashes of everything collected limits, but does not remove, these risks.

Some options available for forensic imaging of encrypted drives.

Non Live Image

Microsoft Windows system
Capture live data first: memory dump, current network connections, open files, running processes. Then shut down the machine normally. Pulling the plug may cause data loss on encrypted drives, and either way the keys in memory are lost once the power goes, which is why the memory dump comes first.

Remove the drive.

Image the drive using a forensic disk cloner such as a Logicube SOLO.

Option 1

  • Single capture using two drives: target and backup
  • Bag & tag the original
  • Bag & tag the target
  • Boot the suspect machine using the backup and admin level credentials
  • Live image of the machine

Option 2

  • dd capture using two drives
  • Bag & tag the original
  • Bag & tag the target
  • Restore the backup dd image to a "restore drive"

Option 2A

  • Boot the suspect machine using the "restore drive" and admin level credentials
  • Live image of the machine

Option 2B

  • Mount the restore drive in VMware
  • Boot the suspect's system from the "restore drive" inside VMware using admin level credentials
  • Live image of the machine

In each of these options the drive you boot from is a working copy that will be modified by the boot, which is why the original and the untouched target are bagged and tagged beforehand. Note also that booting a copy on different hardware (or in VMware) will fail if the product ties the key to the original machine, for example a TPM.

Alternatively, image the drive with EnCase and then follow Option 2A or Option 2B.

Live Image

Microsoft Windows system

  • Capture live data: memory dump, current network connections, open files, running processes
  • Disconnect from the network, both wired and wireless
  • Run FTK Imager from a trusted CD or USB drive (having noted the serial number and other identifying features so it can be recognised in the registry if required at a later date)
  • Create a logical evidence file of each logical drive on an external USB hard drive (again noting the serial number and other identifying features so it can be recognised in the registry), ensuring you hash the drive contents. A logical (volume-level) image is what you want here, because the mounted volume is the decrypted view; a physical image of the disk would just copy the ciphertext again
  • Create a backup copy of the logical evidence files on another drive
  • You may also create the two copies at the same time by connecting the two drives to the suspect machine
  • Verify both target and backup images against the hash, not just one of them
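The "two copies at the same time, then verify both" steps above, written out as an added example (not code from the original post or from FTK Imager / Helix): the source is read once, streamed to a target and a backup, hashed as it goes, and each copy is then re-read from disk and verified independently, with an acquisition log that records the examiner and the media serial numbers alongside the hashes. The source path, examiner name, serial numbers and the 3 MiB sample "disk" are assumptions constructed inside the code so it runs offline; on a live Windows box the source would be the logical drive opened as `\\.\C:` (admin rights needed), on Helix `/dev/sda`.

```python
"""Stream a source device or file to a target and a backup copy in one pass,
hash the stream once, then verify each copy independently.

Added example, not part of the original post or of any tool it names.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1024 * 1024  # 1 MiB reads, comparable to dd bs=1M


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def image_to_two(source: str, target: str, backup: str, log: List[str],
                 algo: str = "sha256") -> str:
    """Copy source to target and backup in a single read pass; return the stream hash."""
    # On Windows pass r"\\.\C:" as source for a logical drive (needs admin).
    h = hashlib.new(algo)
    size = 0
    with open(source, "rb") as src, open(target, "wb") as t, open(backup, "wb") as b:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            t.write(chunk)
            b.write(chunk)
            size += len(chunk)
        for out in (t, b):          # make sure both copies reach the media
            out.flush()
            os.fsync(out.fileno())
    digest = h.hexdigest()
    log.append(f"{_now()} imaged {source} ({size} bytes) -> {target}, {backup}; {algo}={digest}")
    return digest


def hash_file(path: str, algo: str = "sha256") -> str:
    """Re-read a finished copy from disk so verification is independent of the write."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(expected: str, paths: List[str], log: List[str]) -> Dict[str, bool]:
    """Verify every copy against the stream hash; log and return a per-copy result."""
    results = {}
    for p in paths:
        ok = hash_file(p) == expected
        results[p] = ok
        log.append(f"{_now()} verify {p}: {'OK' if ok else 'MISMATCH'}")
    return results


def acquire(source: str, target: str, backup: str, examiner: str,
            media_serials: Dict[str, str]) -> Dict[str, object]:
    """Full run: record who and what, image to both drives, verify both."""
    log = [f"{_now()} examiner={examiner} source={source}"]
    for name, serial in media_serials.items():   # recorded so the media can be matched later
        log.append(f"{_now()} media {name} serial={serial}")
    digest = image_to_two(source, target, backup, log)
    results = verify_copies(digest, [target, backup], log)
    return {"hash": digest, "verified": results, "all_ok": all(results.values()), "log": log}


def demo(tmpdir: str = None) -> Dict[str, object]:
    """Constructed sample: a 3 MiB deterministic 'disk' imaged into a temp dir."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="acq-")
    src = os.path.join(tmpdir, "suspect.raw")
    with open(src, "wb") as f:
        for i in range(3):
            f.write(hashlib.sha256(b"block%d" % i).digest() * (CHUNK // 32))
    result = acquire(src, os.path.join(tmpdir, "target.raw"), os.path.join(tmpdir, "backup.raw"),
                     examiner="examiner-1",                     # assumed values
                     media_serials={"target": "SN-T-0001", "backup": "SN-B-0001"})
    result["source"] = src
    return result


if __name__ == "__main__":
    r = demo()
    print("\n".join(r["log"]))
    print("all copies verified:", r["all_ok"])
```

The verification deliberately re-reads each copy rather than trusting the hash computed while writing: a copy that was written through a failing USB bridge or a full drive can differ from the stream that was hashed, and the post's step "verify both target and backup images" is only meaningful if the check happens against the bytes now on the media.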