The Secret Lives of Hard Drives
Total Page:16
File Type:pdf, Size:1020Kb
4:mag TIPS ON BREAKING INto THE FIELD MAC MALWARE. ARE YOU READY? You’ve heard THE RUMORS, BUT HOW MUCH DO YOU REALLY KNOW ABOUT... THE SECRET LIVES OF HARD DRIVES Issue 1 Q2 2013 4:HOME contents 4 events 5 editorial 6 a call to action 7 10 device and application data from ios devices 13 taking a byte out of apple computers 16 win - forensic contest 18 starting out and getting ahead 13 23 forensic 4cast awards 2013 25 pro-file 28 hard drive secrets revealed 34 4:ward Contents Pictures Courtesy of http://www.flickr.com/photos/razor512/7695485686/ http://www.flickr.com/photos/zoliblog/2214058583/ Cover Photo Courtesy of http://www.flickr.com/photos/amagill/89623319/ 28 4:mag - issue #1 Q2 2013 3 4:Take a look at EVENthe events that are coming up for every forensicator’sTS calendar AccessData Users Conference - Las Vegas, NV - April 23-25 Lee Whitfield Teaching SANS 408 - Toronto, Canada - April 29 - May 4 Subtle Enough? CEIC - Orlando, FL - May 19-22 Mobile Forensics World - Myrtle Beach, SC - Jun 2-5 FIRST Conference - Bangkok, Thailand - Jun 16-21 SANS Digital Forensics and Incident Respone Summit - Austin, TX - July 9-10 HTCIA International Conference - Summerlin, NV - September 8-11 SANS Forensics - Prague - October 6-12 Sleuthkit and Open Source Forensics Conference - Chantilly, VA - Nov 4-5 F3 Annual Workshop - Tortworth Court, UK - November 5-7 Have we missed anything? If you know of something happening and you think that it would interest other forensicators please let us know by emailing [email protected] Picture courtesy of http://www.flickr.com/photos/ter-burg/5808816530/ 4 4:mag - issue #1 Q2 2013 4:EVENTS 4:whichED often causes me to loseIT brand new theories or products focus and become upset when that are completely original. things don’t turn out exactly as Typically everything is born of planned. This magazine is one something else. of those. So, on with the first issue. We A year ago I came up with the have some great articles writ- concept; a completely free dig- ten by the best minds in the ital forensics magazine that, field (and Ken Johnson). just like the 4cast awards, is completely community driven. I love Gareth’s article on hard Life got in the way until just drives. I think that this is espe- recently. I felt the desire to get cially pertinent because we’re back into podcasting and to fo- now starting to see proof- cus on getting this magazine of-concept software coming reetings to all and wel- out for everyone to read. through showing how some of G come to the first edition of these firmware features are 4:mag. My goal is to publish once a being exploited. We will see quarter (and the occasional more of these in the coming Five years ago I persuaded special edition) with only the months I’m sure. my brother, Simon, to record best material. I want the mag- a new podcast for the digital azine to be completely free to In Sarah’s article we read that forensics community. I didn’t anyone that wants to read and Apple computers may have expect much response, the in- learn. This means that anyone had their day in the sun and, tention was, simply, to have from people with a casual in- as a result, been burned. While some fun. Little did I know the terest in forensics, to students, Mac malware is not yet main- amazing journey that awaited. to seasoned professionals can stream, it is certainly getting have access to the highest there. Here we are in 2013. The pod- quality articles available in the cast has seen great success. field. I hope you enjoy these and the Because of Forensic 4cast other articles we have com- I have travelled to amaz- I remember being a student, piled for your review. If you ing places and met some re- and then a new analyst, want- have any questions, comment, ally wonderful people. I really ing to learn and grow but the suggestions, or insults please feel a part of this community cost of the magazines and pe- send them to me at: and that is why I strive to give riodicals seemed to be quite back, hence this magazine. prohibitive. [email protected] Anyone who knows me will I’m an open source kind of Thanks for taking the time to testify to the fact that I don’t guy. I believe that knowledge read. Enjoy! like to stand still for more than is only attained because some- 5 minutes. I always have sev- one before you did the ground- Lee Whitfield eral things on the go at once work. Hardly ever do we see 4:mag - issue #1 Q2 2013 5 A CALL TO ACTION JESSE KORNBLUM LOG THE DATA SO WE CAN DO OUR JOBS It’s not just file system activ- to zero and injecting memo- ity which is deficient. Right ry resident code. Even worse now browser history logs only than destroying data, it’s pos- record the requests for whole sible for somebody to alter the pages. Many user actions, such data in question. The complete as clicks, drags, and “likes” absence of legitimate data is a are not logged. Pages which sign that something out of the involve a lot of dynamic con- ordinary has happened. But tent, for example, can be dif- when just the suspicious data ficult to reconstruct. A recent are deleted, or altered to look omputer forensic examin- article by Chad Tilbury, for legitimate, it can be a night- C ers don’t have the resourc- example, looked at extract- mare for the investigator. Not es necessary to answer the ing geolocation data, http:// all of the destruction is mali- questions we are being asked. computer-forensics.sans.org/ cious, of course. Data can be These are reasonable ques- blog/2012/04/11/big-brother- overwritten by legitimate us- tions: How did the attacker forensics-device-tracking-us- ers doing legitimate work, or get in? Which systems did they ing-browser-based-artifacts- by system administrators at- compromise? What data did part-2. The data of interest tempting to determine if an in- they get? But answering those wasn’t available in the browser cident occurred. Keeping these questions requires data which history, however, but only the data on the same computer are not found in the logs we cache. The user committed an which an attacker has compro- have. Instead we have to piece act which caused the brows- mised is making us vulnerable together answers based on er to send data over the net- to such destruction and ma- data stores never intended for work. The response was re- nipulation. In an age of cheap such purposes. With computer ceived, parsed, and displayed, and abundant storage, there security holding such a promi- but nothing was written to the is simply no excuse for losing nent position right now, we logs. An examiner working data because we didn’t have a should use this time to change on such a system would have copy of it. what is being logged and how a hard time reconstructing it’s being stored. We can pro- what the user did. Never for- The solution to these prob- vide better results, make our get that the primary purpose lems is to change the data we jobs easier, and make the com- of computer forensics is re- have our computers store and munity safer. constructing what a user did. how they store them. Answer- Sometimes that person is the ing the question “How did they victim, sometimes an attacker, Let’s pretend that we find an get in”, for example, would be sometimes both in the same unfamiliar executable on a com- much easier if we knew the case. But right now we do not promised host. How did it get time when each file on the have the resources necessary there? When did it get there? system was created, modified, to effectively reconstruct their When was it run? What did it or executed. For each process, activities. modify on the system? To an- we’d like to know when it was swer those questions we have executed, what process creat- some timestamps, a Prefetch In those cases where there ed it, any network access, and file, and perhaps a few registry is some meaningful data re- any registry and file modifica- keys, but that’s it. Worse, all of corded, it remains vulnerable tions. these footprints are stored on to both deliberate and acci- the compromised host, where dental destruction. The rise It would be foolish to record the attacker can either destroy of anti-forensics has given us these rich data on a poten- or alter them. We are currently malfeasants who understand tially compromised host. The relying on these traces for our the Prefetch directory and attacker could easily change cases. But they may not be wipe its contents during an in- or destroy all of this evidence, trustworthy, if available at all. trusion. There are automated leaving us in the same situ- tools for setting timestamps ation we are in now. The so- 4:mag - issue #1 Q2 2013 7 lution is off-host storage for Who gets to access them and In full disclosure, I have been these data. Log data is gen- when? Will employers use such involved in developing a prod- erally plain text, which com- records to monitor their own uct which records some of the presses well.