March 16th, 2005, 02:46 AM
Hi, I am currently doing an undergraduate course and I am researching accessing files encrypted using an open source on-the-fly encryption program. I have done a bit of research and discovered the obvious methods like using various forms of surveillance to steal passwords, brute force attacks, etc. The documentation for this software says that it decrypts files in RAM and there is the possibility that these files can be written to the system's paging file.
I thought that maybe you could use a computer forensics tool to recover the unencrypted files from RAM or the paging file? I was wondering if someone could point me in the direction of some good resources on forensics tools, as I haven't been able to find much other than developers' sites...
March 16th, 2005, 02:58 AM
Encase is an excellent program for finding data in the 'slack space' of sectors, as well as page files. As for recovering data from RAM... that isn't really an option, not in the same way as recovering data from the hard disk. It *is* possible to retrieve data from RAM, but it depends on a lot of factors... do you have actual control of the system while the user is accessing the encrypted data, or are you installing a logger type of program that will capture their data while you are elsewhere?
More info from you can help us to help you.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
March 17th, 2005, 02:08 AM
Thanks for the reply. Two scenarios:
1. Covertly access computer:
   - Install software/hardware keylogger
   - Install trojan with keylogger/remote access capabilities (BO2K)
   - Bit stream backup of drive onto USB portable storage and forensically examine
2. Steal computer:
   - Prior to theft: remotely install trojan
   - Brute force attack
   - Forensically examine drive
There is probably more, but this is what I have come up with. As you can see, my solutions are mainly focused on stealing the password. If I had remote access to a system, would I be able to access the RAM or paging file while the unencrypted files are in use or directly after? Or if I physically accessed the computer after the files had been unencrypted sometime that day but the computer had not been turned off?
Any input/direction to relevant sites would be appreciated.
March 17th, 2005, 01:28 PM
You could examine files in RAM, but you need a program that can "look" into another process' memory. Usually this is not allowed by the memory manager. A debugger might be able to do this when the conditions are right. And every now and then a bug surfaces that will allow some process to look into another process' memory space. Of course the file in question needs to be loaded before all this is possible. All this makes it highly unlikely but not impossible.
The pagefile, on the other hand, can be examined when the system is turned off. You would need to boot some other OS so you can access that file. Some OSs will clean the pagefile when they're shut down. But you can always "pull the plug" to switch the machine off in mid-flight without shutting down properly.
Does that help?
Edit: Shouldn't this be moved to the forensics section?
Experience is something you don't get until just after you need it.
March 17th, 2005, 02:39 PM
Memdump is an excellent program for grabbing the contents of memory and will essentially create a raw disk image, which other tools like Encase and Autopsy can read and do things like string searches on. The problem you would have is figuring out exactly where in memory things are... but something like strings can be surprisingly effective on a memdump image to grab things in memory...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
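To show what the "strings on a memdump image" idea above actually turns up, here is a small Python scanner added to this thread (it is not code from the thread, from memdump or from Encase/Autopsy): it pulls printable ASCII and UTF-16LE runs out of a raw image and checks it for known plaintext markers, which is the check a defender would run on a pagefile to find out whether decrypted content survived there. The image is a constructed stand-in; `FILLER`, `SAMPLE_IMAGE` and the marker phrases are all made up for the example.

```python
"""Strings-style scan of a raw memory/pagefile image for leftover plaintext."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a memdump/pagefile image (not a real capture):
# non-printable filler with two plaintext fragments embedded, one ASCII and
# one UTF-16LE (the encoding Windows uses internally for most strings).
FILLER = bytes([0x00, 0x01, 0xFE, 0xFF]) * 512  # 2 KiB, nothing printable
SAMPLE_IMAGE = (
    FILLER
    + b"CONFIDENTIAL: Q3 budget draft - do not distribute"
    + FILLER
    + "Account password reminder: swordfish".encode("utf-16-le")
    + FILLER
)


def extract_strings(image: bytes, min_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for each printable run of >= min_len chars.
    Like `strings` on a memdump image, plus the UTF-16LE runs that a plain
    ASCII `strings` pass would miss on a Windows pagefile."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(image)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(image)]
    return sorted(found)


def find_markers(image: bytes, markers: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Exposure check: where do known plaintext markers (a phrase from a file
    that should only ever exist decrypted in RAM) appear in the image, in
    either encoding? An empty list means the marker was not found."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for marker in markers:
        hits[marker] = []
        for enc, pat in (("ascii", marker.encode("ascii")),
                         ("utf-16le", marker.encode("utf-16-le"))):
            pos = image.find(pat)
            while pos != -1:
                hits[marker].append((pos, enc))
                pos = image.find(pat, pos + 1)
    return hits


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_IMAGE):
        print(f"0x{off:08x} {enc:9s} {text}")
    print(find_markers(SAMPLE_IMAGE, ["CONFIDENTIAL", "swordfish", "not present"]))
```

On a real image, replace `SAMPLE_IMAGE` with the bytes of the memdump or pagefile and pass phrases you know were in the decrypted file as markers; any hit means the plaintext outlived the decryption.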
March 17th, 2005, 09:54 PM
This is exactly why there is the GPO instance (and LPO IIRC) to clear the pagefile on shutdown. Technically I believe this overwrites the pagefile to prevent just this kind of attack. Of course, this is why you "rip" the power cable out of a compromised machine rather than shut it down prior to a forensic investigation... to try to preserve the contents of the pagefile.
The pagefile on the other hand can be examined when the system is turned off.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 17th, 2005, 01:54 PM
rise from your grave
Thanks for your responses....Um, I think
April 17th, 2005, 04:00 PM
You might like to look at Peter Gutmann's site:
He is well into this sort of stuff
April 18th, 2005, 07:13 AM
Thanks for the link (finally).
He does some interesting stuff. I ended up getting the info I needed though. I had to do an assignment on computer forensics at the beginning of last year and there were three books on it in my university's library. Wasn't exactly a wealth of information.
April 18th, 2005, 07:43 AM
Hey emo old mate!
There are a lot of students and teachers on this site, plus a shower of pros on "active service" so to speak... please ask IN ADVANCE of requirements, and I am sure that one or two of us will try to help.