Re: Encase Forensic



On May 23, 2:08 pm, Kristian Gjøsteen <kristiag+n...@xxxxxxxxxxxx>
wrote:
> David Rush <kumoy...@xxxxxxxxx> wrote:
>
> If you knew more about how computers work, you would not be surprised.
> Nor would you be worried by this particular piece of software.

OK. That's unnecessarily condescending. I've been a software
professional for 20+ years. I gave up my paranoia about the machines
some years back because I finally realized the truth behind
cost/benefit analysis of security. Now I have become aware of a new class
of threats - which is compounded by my own ignorance of the Windows
platform (which I freely stipulate). I am trying to become more
educated about the cost of protecting against those threats.

I did read both the Wired article and the page I posted. From the
Wired article:

"In Andrus, the father did not have the password (or know how to use
the computer) but the police say they did not have any reason to
suspect this because they did not ask and did not turn the computer
on. Then, they used forensic software that automatically bypassed any
installed password."

This was mildly worrying. I can think of several ways to attack a
drive that is being shared on a network - assuming that the user has
been really negligent and not locked down his data with appropriate
passwords. But the article doesn't seem to be indicating a
network-based attack and places the focus on the fact that the black hats
bypassed any password protection. They did *not* attack the password
using a dictionary or other cryptanalysis software. Assuming that the
man in question *did* lock down his data, I am ignorant of how it may
have been attacked without physically dismantling the machine -
another option which is not mentioned in the Wired article.

Now the Encase Software description just claims to be able to acquire
data from a variety of sources. It says very little about 'how' that
data is acquired. There is this one interesting blurb:

"EnCase software has the ability to interpret all of the file systems,
over the network, for which a Servlet has been developed (currently
Windows, Linux, Solaris, AIX and OSX operating systems; support for
additional file systems is on the way). In addition, EnCase software
can also interpret a number of file systems for which there is
currently no Servlet developed."

Which seems to be so much errant marketing-speak to me. Deploying a
servlet that can read data on my drive means being able to run a
process on the machine that hosts it (or some machine that can mount
it over a network - we have discounted that possibility above). I am
not currently aware of any servlet container software that can't be
configured to prevent this kind of intrusion (although my knowledge of
servlet containers is imperfect) and in fact, without write access to
the servlet container's file system, I highly doubt that this is
possible without significant work to *allow* it in the first place.

There are other products listed by Digital Intelligence, and here I
will confess to not having pursued the matter much further on my own.
It seemed to me to be rather more economical to *ask* people who
specialized in these things than to spend a day or so researching
products that I may never have to worry about being deployed against
me or my company. I can think of one possible hardware attack that has
the properties that I have inferred (unawareness of passwords and
network access) - using a USB key with software much like the U3 drive
software that now ships on most larger keys.

So yes - physical security is, at the end of the day, the only true
security; however, the cost/benefits of various methods of attack
*are* relevant when it comes to real computer use. Perhaps I should
have posted to comp.risks also/instead. Nevertheless, realizing the
value of good crypto as a last line of defense, I thought that the
audience in sci.crypt might know a thing or two about this.

My apologies for wasting your precious time.

david rush
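The mechanism behind the Wired quote ("forensic software that automatically bypassed any installed password"), as an added illustration that is not part of David Rush's post and not code from EnCase or Digital Intelligence: a Windows account password is enforced by the running operating system, not recorded in the file system, so a tool that images the drive and parses the on-disk structures offline never meets the password at all. The example below builds a constructed FAT12 image in memory (a stand-in for an acquired drive image; the file name NOTES.TXT and its contents are invented sample data) and then reads the file back with a parser that consults nothing but the raw bytes. FAT12 is used only because it is small enough to build by hand; the same point holds for NTFS or any other unencrypted volume.

```python
"""Added example: an OS login password is not part of the on-disk file system.

Illustrative code written for this page, not code from the post or from
EnCase. It builds a tiny FAT12 disk image in memory (a constructed sample,
not a real acquisition) and reads a file out of it with a parser that only
looks at the bytes on "disk". No credential is ever consulted, which is all
that "bypassing the password" means for an offline read of an unencrypted
volume. Only encryption of the data itself changes that picture.
"""
import struct
from typing import Optional

BPS = 512          # bytes per sector
SPC = 1            # sectors per cluster
RSVD = 1           # reserved sectors (boot sector only)
NUM_FATS = 1
FAT_SECTORS = 1
ROOT_ENTRIES = 16  # one 512-byte sector of 32-byte directory entries
TOTAL_SECTORS = 8
EOC = 0xFFF        # FAT12 end-of-chain marker


def _fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Store 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n * 3 // 2
    cur = fat[off] | (fat[off + 1] << 8)
    if n % 2 == 0:
        cur = (cur & 0xF000) | (value & 0x0FFF)
    else:
        cur = (cur & 0x000F) | ((value & 0x0FFF) << 4)
    fat[off:off + 2] = struct.pack("<H", cur)


def _fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit FAT entry n."""
    off = n * 3 // 2
    cur = fat[off] | (fat[off + 1] << 8)
    return cur & 0x0FFF if n % 2 == 0 else cur >> 4


def build_image(name: bytes, ext: bytes, data: bytes) -> bytes:
    """Constructed FAT12 image holding one file in the root directory."""
    img = bytearray(BPS * TOTAL_SECTORS)
    # BIOS parameter block: just the fields a reader needs to locate data.
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"EXAMPLE "
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, RSVD, NUM_FATS,
                     ROOT_ENTRIES, TOTAL_SECTORS, 0xF8, FAT_SECTORS)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(BPS * FAT_SECTORS)
    _fat12_set(fat, 0, 0xFF8)          # media descriptor entry
    _fat12_set(fat, 1, EOC)
    # Spread the file over as many clusters as it needs and chain them.
    cluster_size = BPS * SPC
    n_clusters = (len(data) + cluster_size - 1) // cluster_size
    clusters = list(range(2, 2 + n_clusters))
    data_start = (RSVD + NUM_FATS * FAT_SECTORS
                  + ROOT_ENTRIES * 32 // BPS) * BPS
    for i, c in enumerate(clusters):
        _fat12_set(fat, c, clusters[i + 1] if i + 1 < len(clusters) else EOC)
        chunk = data[i * cluster_size:(i + 1) * cluster_size]
        pos = data_start + (c - 2) * cluster_size
        img[pos:pos + len(chunk)] = chunk
    img[RSVD * BPS:RSVD * BPS + len(fat)] = fat
    # One 32-byte directory entry: name, attributes, first cluster, size.
    # Note what is NOT here: any owner, ACL or password.
    first = clusters[0] if clusters else 0
    entry = struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3),
                        0x20, b"\0" * 10, 0, 0, first, len(data))
    root = (RSVD + NUM_FATS * FAT_SECTORS) * BPS
    img[root:root + 32] = entry
    return bytes(img)


def read_file(img: bytes, name: bytes, ext: bytes) -> Optional[bytes]:
    """Pull a root-directory file out of a raw FAT12 image; no OS involved."""
    bps, spc, rsvd, nfats, root_ent, _tot, _media, fat_sz = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = rsvd * bps
    fat = img[fat_off:fat_off + fat_sz * bps]
    root_off = (rsvd + nfats * fat_sz) * bps
    data_off = root_off + ((root_ent * 32 + bps - 1) // bps) * bps
    cluster_size = bps * spc
    for i in range(root_ent):
        e = img[root_off + 32 * i:root_off + 32 * i + 32]
        if e[0] == 0x00:        # end of directory
            break
        if e[0] == 0xE5:        # deleted entry (still carved by forensic tools)
            continue
        if e[0:8] == name.ljust(8) and e[8:11] == ext.ljust(3):
            first, size = struct.unpack_from("<HI", e, 26)
            out, c, seen = bytearray(), first, set()
            while 2 <= c < 0xFF8 and c not in seen:   # follow the chain to EOC
                seen.add(c)
                pos = data_off + (c - 2) * cluster_size
                out += img[pos:pos + cluster_size]
                c = _fat12_get(fat, c)
            return bytes(out[:size])
    return None


# Constructed sample content; long enough to span two clusters.
SAMPLE = b"constructed sample: the account password lives in the OS, not here\n" * 12

if __name__ == "__main__":
    image = build_image(b"NOTES", b"TXT", SAMPLE)
    print(read_file(image, b"NOTES", b"TXT")[:40])
```

Running it prints the start of the sample text straight out of the image. Swap the constructed image for a raw `dd` copy of a real, unencrypted FAT volume and the reader works the same way, because nothing about the logged-in user was ever written to disk; that is why the last line of defense the post mentions has to be encryption of the data, not the login prompt.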
