Hard Drives, Encryption, Forensics and Privacy Simson L. Garfinkel Associate Professor, Naval Postgraduate School June 16, 2011 http://simson.net / 1
Page 1:

Hard Drives, Encryption, Forensics and Privacy

Simson L. Garfinkel
Associate Professor, Naval Postgraduate School
June 16, 2011
http://simson.net/

Page 2:

NPS is the Navy's Research University.

Location: Monterey, CA
Campus Size: 627 acres

Students: 1500
• US Military (All 5 services)
• US Civilian (Scholarship for Service & SMART)
• Foreign Military (30 countries)

Schools:
• Business & Public Policy
• Engineering & Applied Sciences
• International Graduate Studies
• Operational & Information Sciences

Page 3:

A forensic success story

http://www.sanluisobispovacations.com/

Page 4:

City of San Luis Obispo Police Department, Spring 2010

District Attorney filed charges against two individuals:
• Credit Card Fraud
• Possession of materials to commit credit card fraud.

Defendants:
• Arrested with a computer.
• Expected to argue that the defendants were unsophisticated and lacked knowledge.

Examiner given 250GiB drive the day before preliminary hearing. Typically, it would take several days to conduct a proper forensic investigation.

Page 5:

bulk_extractor found actionable evidence in 2.5 hours!

bulk_extractor found:
• Over 10,000 credit card numbers on the HD (1000 unique)
• Most common email address belonged to the primary defendant (possession)
• The most commonly occurring Internet search engine queries concerned credit card fraud and bank identification numbers (intent)
• Most commonly visited websites were in a foreign country whose primary language is spoken fluently by the primary defendant.

Armed with this data, the DA was able to have the defendants held.
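As an added illustration of the kind of raw-byte feature scan that produced these findings (this is example code written for this page, not bulk_extractor's own code and not from the talk), the following Python scans a constructed byte buffer standing in for a disk image, with no filesystem parsing, for Luhn-valid card numbers and email addresses, and builds the histogram that makes the most common address stand out. The buffer, the regular expressions and the function names are assumptions made here; the card numbers are the public Visa/MasterCard test numbers.

```python
"""Bulk feature scan over raw bytes, in the style of bulk_extractor.

Added illustration, not bulk_extractor's own code: it scans a byte buffer
(a disk image would be read in fixed-size chunks the same way, with no
filesystem parsing) for two feature types from the slide: credit card
numbers, validated with the Luhn checksum, and email addresses, and builds
a histogram so the most common address stands out.
"""
import re
from collections import Counter

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not preceded or followed by another digit.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; discards most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_cards(buf: bytes):
    """Return (all hits, sorted unique values) of Luhn-valid numbers in buf."""
    hits = []
    for m in CARD_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits, sorted(set(hits))


def email_histogram(buf: bytes) -> Counter:
    """Count every email address in buf; the most common one is usually the owner's."""
    return Counter(m.group(0).decode().lower() for m in EMAIL_RE.finditer(buf))


def summarize(buf: bytes) -> dict:
    """The three numbers an examiner would report first."""
    hits, unique = scan_cards(buf)
    emails = email_histogram(buf)
    return {
        "card_hits": len(hits),
        "unique_cards": len(unique),
        "top_email": emails.most_common(1)[0][0] if emails else None,
    }


# Constructed sample "image" for this example: mail headers, order-form
# fragments and filler bytes, so the scan runs offline. The card numbers are
# the public Visa/MasterCard test numbers, not real accounts.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: buyer@example.com\r\nTo: shop@example.org\r\n"
    + b"card=4111 1111 1111 1111 exp=12/12\r\n"
    + b"\xff\xfe junk 1234567890123 more junk"      # 13 digits, fails Luhn
    + b"\r\nFrom: buyer@example.com\r\n"
    + b"card=5555555555554444\r\n"
    + b"card=4111-1111-1111-1111\r\n"
    + b"\x00" * 64
)

if __name__ == "__main__":
    print(summarize(SAMPLE_IMAGE))
    # {'card_hits': 3, 'unique_cards': 2, 'top_email': 'buyer@example.com'}
```

Two points carry over to a real image: the scan reads fixed-size pages with an overlap so a feature straddling a page boundary is not missed, and the Luhn check removes most random digit runs but not all of them, which is why the raw hit count (10,000) and the unique count (1,000) are reported separately. The email histogram is what turns a scan into an answer to the possession question without reading a single file.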

Page 6:

Digital Forensics in Five Minutes

http://www.flickr.com/photos/avlxyz/4330225648

Page 7:

“Forensics” has two meanings.

fo·ren·sics n. (used with a sing. verb)

1. The art or study of formal debate; argumentation.

2. The use of science and technology to investigate and establish facts in criminal or civil courts of law.

(American Heritage Dictionary, 4th Edition)

Page 8:

Courts settle disputes, redress grievances, and mete out punishment.

Deciding some disputes requires the use of physical evidence:
• Fingerprints
• DNA
• Handwriting
• Polygraph

Judges and juries can't examine physical evidence and make a determination. They don't have the expertise. Evidence may be open to interpretation.

Page 9:

Forensic experts interpret scientific evidence.

US Courts employ an adversarial process. Each side hires its own experts. In some cases, the court may hire a third expert for the judge.

Page 10:

Even photographs may require interpretation.
When were these photographs taken? Were they faked?

Page 11:

Even photographs may require interpretation.
When were these photographs taken? Were they faked?

http://www.hoover.org/publications/digest/3531641.html
http://www.newseum.org/berlinwall/commissar_vanishes/

Page 12:

Even photographs may require interpretation.
When were these photographs taken? Were they faked?

Page 13:

Digital Forensics applies this process to computers and digital artifacts.


Page 14:

There are five basic steps to digital forensics.

1. Preparation (you, not the data)
2. Collection (the data)
3. Examination
4. Analysis
5. Reporting

—Electronic Crime Scene Investigation Guide, National Institute of Justice

Page 15:

The “CSI Effect” causes victims and juries to have unrealistic expectations.

On TV:
• Forensics is swift.
• Forensics is certain.
• Human memory is reliable.
• Presentations are highly produced.

TV digital forensics:
• Every investigator is trained on every tool.
• Correlation is easy and instantaneous.
• There are no false positives.
• Overwritten data can be recovered.
• Encrypted data can usually be cracked.
• It is impossible to delete anything.

Page 16:

The reality of digital forensics is less exciting.

There are lots of problems:
• Data that is overwritten cannot be recovered.
• Encrypted data usually can't be decrypted.
• Forensics rarely answers questions or establishes guilt.
• Forensics rarely provides specific information about a specific subject.
• Tools crash a lot.

Traditionally this didn't matter, because:
• Most digital forensics were used to find child pornography.
• When the pornography was found, most suspects plead guilty.

Page 17:

There are many ways to conduct a forensic investigation.

Examiner looks for evidence of a crime to support a conviction:
• Financial records of fraud.
• Photographs of a murder.
• Threats sent by email.
• Evidence of a conspiracy.
• Child pornography.

Examiner looks for intelligence to support an investigation:
• Associates & accomplices.
• Geographical locations.
• Tools, techniques, modus operandi, operating procedures.

Examiner looks for artifacts of an intrusion:
• New vulnerabilities and exploits.
• Evidence of how intrusion was done, who did it.

Page 18:

Today there is a growing digital forensics crisis.

Tools designed to let an analyst find a file and take it into court...

… don't scale to today's problems.

We have identified 5 key problems.

Page 19:

Problem 1 — Increased cost of extraction & analysis.

Data: too much and too complex!
• Increased size of storage systems.
• Cases now require analyzing multiple devices—2 desktops, 6 phones, 4 iPods, 2 digital cameras = 1 case
• Non-Removable Flash
• Proliferation of operating systems, file formats and connectors—XFAT, XFS, ZFS, YAFFS2, Symbian, Pre, iOS,

Consider FBI Regional Computer Forensic Laboratories growth:
• Service Requests: 5,057 (FY08) ➔ 5,616 (FY09) (+11%)
• Terabytes Processed: 1,756 (FY08) ➔ 2,334 (FY09) (+32%)

[Screenshot: Google Shopping results for "2tb drive", July 2010, with 2 TB drives listed from $99 to $169.]

Page 20:

Problem 2 — RAM and malware forensics is really hard.

RAM Forensics—in its infancy
• RAM structures change frequently (no reason for them to stay constant.)
• RAM is constantly changing.

Malware is hard to analyze:
• Encryption
• Conditional execution
• Proper behavior of most software is not specified.

Malware can hide in many places:
• On disk (in programs, data, or scratch space)
• BIOS & Firmware
• RAID controllers
• GPU
• Ethernet controller
• Motherboard, South Bridge, etc.
• FPGAs

[Screenshot: first page of "The One Laptop Per Child Security Model", Simson L. Garfinkel (Naval Postgraduate School) and Ivan Krstic (One Laptop Per Child), SOUPS 2007.]

Page 21:

Problem 3 — Mobile phones are really hard to examine.

Cell phones present special challenges.
• No standard connectors.
• No standard way to copy data out.
• Difficult to image & store cell phones without changing them.

How do we validate tools against thousands of phones? No standardized cables or extraction protocols.

NIST's Guidelines on Cell Phone Forensics recommends: "searching Internet sites for developer, hacker, and security exploit information."

How do we forensically analyze 100,000 apps?

Page 22:

Problem 4 — Encryption and Cloud Computing make it hard to get to the data.

Pervasive Encryption — Encryption is increasingly present.
• TrueCrypt
• BitLocker
• File Vault
• DRM Technology

Cloud Computing — End-user systems won't have the data.
• Google Apps
• Microsoft Office 2010
• Apple Mobile Me

—But they may have residual data!
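To show why residual data still matters when the volume itself is encrypted, here is an added Python example (written for this page, not from the talk or any named forensic tool) that scans a constructed image block by block and labels each region by its Shannon entropy: encrypted or compressed regions sit near 8 bits per byte and are not worth keyword-searching, zero-filled regions were never written, and everything in between is plaintext worth examining first. The block size, the thresholds, the sample image and the SHA-256 counter-mode stand-in for ciphertext are all assumptions made for this example.

```python
"""Block-entropy scan: where is the residual plaintext on an otherwise
encrypted drive?

Added illustration, not from the talk or any forensic tool. Encrypted
(and compressed) regions look like uniformly random bytes and score close
to 8 bits per byte; zero-filled regions were never written; everything in
between is plaintext and is where a keyword or feature scan can still
find cached cloud documents and other residual data.
"""
import hashlib
import math
from collections import Counter

BLOCK = 4096  # bytes per block; the plug-in entropy estimate is biased low on small blocks


def block_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 for empty or constant blocks)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def label(entropy: float, high: float = 7.0, low: float = 0.5) -> str:
    """Map a block's entropy to the action it suggests to the examiner."""
    if entropy >= high:
        return "high-entropy"   # encrypted or compressed: keyword search is pointless
    if entropy < low:
        return "zero/sparse"    # never written (or wiped)
    return "plaintext"          # candidate residual data: examine this first


def regions(buf: bytes, block: int = BLOCK):
    """Scan buf block by block and merge runs of the same label into
    (start, end, label) regions, end exclusive."""
    out = []
    for off in range(0, len(buf), block):
        end = min(off + block, len(buf))
        lab = label(block_entropy(buf[off:end]))
        if out and out[-1][2] == lab:
            out[-1] = (out[-1][0], end, lab)
        else:
            out.append((off, end, lab))
    return out


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for an encrypted volume: SHA-256 in counter mode
    (an assumption for this example, chosen so the test is reproducible)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample image, assembled here for the example: never-written
# sectors, then browser-cache remnants of a cloud document, then an
# encrypted container.
RESIDUAL_TEXT = (b"<title>Quarterly budget - Google Docs</title>"
                 b"<p>Draft: cloud document cached by the browser.</p>\n")
SAMPLE_IMAGE = (
    b"\x00" * (2 * BLOCK)
    + (RESIDUAL_TEXT * 200)[:2 * BLOCK]
    + _pseudo_ciphertext(2 * BLOCK)
)

if __name__ == "__main__":
    for start, end, lab in regions(SAMPLE_IMAGE):
        print(f"{start:8d}-{end:8d}  {lab}")
```

A high-entropy label is not proof of encryption: JPEGs, ZIP archives and other compressed formats score the same, so the scan tells the examiner where keyword searching will not pay off, not what is there. Its value under time pressure is the opposite direction: the plaintext regions are where the residual data from cloud applications lives, and they can be handed to a feature scan first.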

[Screenshot: truecrypt.org home page, site updated July 31, 2010, announcing TrueCrypt 7.0 (released July 19, 2010), free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. Listed features: a virtual encrypted disk within a file mounted as a real disk; encryption of an entire partition or storage device; encryption of the Windows system partition with pre-boot authentication; automatic, real-time, transparent encryption; parallelization and pipelining; hardware-accelerated encryption on modern processors; plausible deniability via hidden volumes and a hidden operating system.]

Page 23:

Problem 5 — Time is of the essence.

Most tools were designed to perform a complete analysis.
• Find all the files.
• Index all the terms.
• Report on all the data.
• Take as long as necessary!

Increasingly we are racing the clock:
• Police prioritize based on statute-of-limitations!
• Increasingly operations require turnaround in days or hours.

Page 24:

These problems are getting worse.

Problem 1 — Increased cost of extraction & analysis.
Problem 2 — RAM and malware forensics is really hard.
Problem 3 — Mobile phones are really hard to examine.
Problem 4 — Encryption and Cloud Computing make it hard to get to the data.
Problem 5 — Time is of the essence.

Solving these problems will be hard:
• The problems are hard, but look easy to outsiders.
• Vendors have no incentive to make devices forensics-friendly.
  —Forensics Friendly makes it easy for customers to move their data!
• It's easier to write malware than analyze it.