Results 1 to 10 of 10

Thread: computer forensics

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Posts
    4

    computer forensics

    Hi Iam currently doing an undergraduate course and Iam researching accessing files encrypted using an open source on the fly encryption program. I have done a bit of research and discovered the obvious methods like using various forms of surveillence to steal passwords, brute force attacks etc. The documentation for this software says that it unencrypts files in RAM and there is the possibility that these files can be written to the systems paging file.

    I thought that maybe you could use a computer forensics tool to recover the unencrypted files from RAM or paging file? I was wondering if someone could point me in the direction of some good resources on forensics tools as I haven't been able to find much other than developers sites.....

    cheers

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Encase is an excellent program for finding data in the 'slack space' of sectors, as well as page files. As for recovering data from RAM...that isn't really an option. Not in the same way as recovering data from the hard disk. It *is* possible to retrieve data from RAM, but it depends on a lot of factors...do you have actual control of the system while the user is accessing the encrypted data, or are you installing a logger type of program that will capture their data while you are elsewhere?

    More info from you can help us, to help you.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Junior Member
    Join Date
    Mar 2005
    Posts
    4
    Hi zencoder

    Thanks for the reply two scenarios:

    1 covertly access computer.
    options:
    Install software/hardware keylogger
    Install trojan with keylogger/remote access capabilities (BO2K)
    Bit stream backup of drive onto USB portable storage and forensically examine

    2. steal computer
    prior to theft:
    remotely install trojan
    after theft:
    Brute force attack
    forensically examine drive

    There is probably more but this is what I have come up with as you can see my solutions are mainly focused on stealing the password. If I had remote access to a system would I be able to access the RAM or paging file while the unencrypted files are in use or directly after? Or if I physically accesed the computer after the files had been unencrypted sometime that day but the computer had not been turned off?

    Any input/direction to relevant sites would be appreciated.

    cheers

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You could examin files in RAM but you need a program that can "look" into another process' memory. Usually this is not allowed by the memorymanager. A debugger might be able to do this when the conditions are right. And every now and then a bug surfaces that will allow some process to look into another process' memoryspace. Ofcourse the file in question needs to be loaded before all this is possible. All this makes it highly unlikely but not impossible.

    The pagefile on the other hand can be examined when the system is turned off. You would need to boot some other OS so you can access that file. Some OSs will clean the pagefile when they're shutdown. But you can always "pull the plug" to switch the machine off in mid-flight without shutting down properly.

    Does that help?

    Edit: Shouldn't this be moved to the forensics section?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Memdump is an excellent program for grabbing the contents of memory and will essentially createa raw disk image, which other tools like encase and autopsy can read and do things like string searches on. The problem you would have is figuring out exactly where in memory things are...but something like strings can be suprisingly effective on a memdump image to grab things in memory...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The pagefile on the other hand can be examined when the system is turned off.
    This is exectly why there is the GPO instance, (and LPO IIRC), to clear the pagefile on shutdown. Technically I believe this overwrites the pagefile to prevent just this kind of attack. of course, this is why you "rip" the power cable out of a compromised machine rather than shut it down prior to a forensic investigation.... To try to preserve the contents of the pagefile.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Junior Member
    Join Date
    Mar 2005
    Posts
    4

    rise from your grave

    Thanks for your responses....Um, I think

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    You might like to look at Peter Gutmann's site:

    http://www.cs.auckland.ac.nz/~pgut001/

    He is well into this sort of stuff

  9. #9
    Junior Member
    Join Date
    Mar 2005
    Posts
    4
    Thanks for the link (finally )

    He does dome interesting stuff I ended up getting the info I needed though. I had to do an assignment on computer forensics at the beginning of last year and there were three books on it in my universities library. Wasn't exactly a wealth of information

    cheers

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey emo old mate!


    There are a lot of students and teachers on this site, plus a shower of pros on "active service" so to speak.................please ask IN ADVANCE of requirements, and I am sure that one or two of us will try to help

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •