From SecurityPortal.com, 8 May 2000
May 8, 2000 - When most people think of electronic forensics, the first thing that comes to mind is usually retrieving data from hard drives or similar media. Electronic forensics includes this, and much more. The amount of records stored online and accessible to investigators is quite comprehensive. The number of "electronic footprints" left online by the average person is usually enough to track them down, and potentially to prove that they committed certain actions, or even to convict them if those actions were criminal. Companies are taking an increasing interest in the actions of their employees online, especially since they can be held responsible for them in some cases, or because those actions can seriously damage a company's image. Imagine if employees of an insurance company were found to be selling medical records online for $5 a pop. In addition to investigating security incidents, online research can reveal information about a person. If you were hiring someone for a sysadmin position at a major bank, you would probably do some online searches to make sure they did not advocate that the rich be turned into Soylent Green, or feel that stealing money from large companies was justifiable if you gave some to charity.
The first place most people look for data when trying to figure out what a person did is on their hard drive(s) and other storage media such as floppy disks, Jaz drives and tapes. Deleting data from a hard drive, floppy, etc. does not actually destroy it in most cases; it simply removes the pointers to it (it unlinks the nodes, in technical terms). The data is still on the hard drive in its raw form, it is just not very easy to find. The simplest method is to take a raw dump of the hard drive and use various tools (such as strings, grep and so on) to search for the text you want. This is generally not very effective, but it does show how easy recovery is. Much more advanced tools exist that use a variety of techniques to figure out what the data is and relink it so you can access it easily. Even formatting or repartitioning the drive will not destroy the information; the data is still there in its raw form. Software does exist to wipe files and hard drives. It typically does this by overwriting the data multiple times with various patterns (all 1's, all 0's, alternating, then random, and so on). This is relatively time consuming, however, and not 100% guaranteed. It will stop all but the most determined attackers, but if you are up against federal or international law enforcement there is still the possibility they can recover the data.
The next step up in destroying data is to use hardware based methods. A bulk eraser, basically a large electromagnet that uses a strong alternating magnetic field, can be used to rearrange all the magnetic particles (used on hard drives, floppy disks, Jaz drives, etc.) to the same orientation (all pointing the same way), thus destroying the data. However, with modern hard drives you need a relatively strong magnet to wipe them effectively, so this method is more suited to tapes and floppy disks. Due to the construction of hard drives (circular platters that spin, with high densities of information) they are relatively easy to damage, especially if the damage is intentional. Using a good drill with a metal bit and punching a hole or two through the drive platters will make the task of recovering data significantly more difficult, and is relatively easy to do. You can also bend the platter; a good sledge hammer or a large pair of vice-grips is really all that is needed for this method. If you want to make truly sure the disk is destroyed, grinding off the magnetic surface is pretty much guaranteed to destroy the data, and can also be accomplished with readily available power tools (watch those fingers though). For media such as floppies and tapes, where the magnetic particles are held on a plastic film, immersion in strong acids or burning them is usually quite effective. This should not be done indoors, as the fumes/smoke would be quite nasty and potentially lethal. For hard drives and other metal based media the temperatures required are quite high; using something like thermite should be sufficient. Thermite will burn through plate steel and concrete, so activating some on a hard drive should result in a melted pile of slag. Unfortunately, thermite grenades require all sorts of paperwork and explanation, so unless you are in the military this is usually not an option.
Recovering data from a physically undamaged disk is easy: simply hook it into another system (preferably a UNIX based system) and take a raw dump of the disk to a file. You can then mount the image as a file system and play with it, without fear of damaging the original. Something as simple as dd will do the trick. There are also a number of commercial tools, with some open source ones in the pipeline, that allow you to recover deleted data, formatted disks, or even data that has been overwritten. There are commercial services that, for a few thousand dollars, will do the work for you.
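The imaging and searching steps described in the two paragraphs above (dump the disk to a file, search the raw dump with grep, mount the copy rather than the original), as an added shell example that is not code from the original article. It assumes the suspect disk shows up on the analysis machine as a raw device such as /dev/sdb, that sha256sum or shasum is installed, and, for the mount step only, root on Linux.

```bash
#!/bin/sh
# Added example (not code from the original article): image a disk with dd,
# hash source and copy so the image can later be shown to match the original,
# and loop-mount the copy read-only so the evidence disk is never touched.
# Assumption: SRC is the raw device of the suspect disk, e.g. /dev/sdb,
# attached to a separate analysis machine (any regular file works for testing).

sha256() {  # hex SHA-256 of the file named in $1; GNU sha256sum or BSD shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_disk SRC DEST: raw-copy SRC into DEST and record DEST.sha256.
# bs=512 always divides a disk's size; with conv=noerror,sync dd keeps going
# past unreadable sectors and pads them with zeros, so a damaged disk still
# yields a full-size image (a larger bs is faster but pads the tail if it
# does not divide the device size). Returns 0 only when source and image
# hash identically, i.e. nothing was lost or altered in the copy.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256 "$1")
    img_hash=$(sha256 "$2")
    printf '%s  %s\n' "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST: re-check the image against its stored hash, e.g. before
# each examination, so any change to the copy is caught.
verify_image() {
    [ "$(cut -d' ' -f1 "$1.sha256")" = "$(sha256 "$1")" ]
}

# search_image IMG PATTERN: scan the whole image, unallocated space included,
# for a text pattern and print the byte offset of each hit (the strings/grep
# approach from the article; grep -a treats the binary image as text).
search_image() {
    grep -a -b -o -i -- "$2" "$1"
}

# mount_image_ro DEST MNT: loop-mount the image read-only (Linux, needs root).
# ro prevents writes; noexec,nosuid keep anything on the disk from running.
mount_image_ro() {
    mount -o ro,loop,noexec,nosuid "$1" "$2"
}
```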
The best way to protect yourself from someone recovering data from your hard drive (unless you have some thermite handy) is to use disk encryption software such as ScramDisk, PGPdisk or BestCrypt. All of these programs can be set up so that a "hotkey" (e.g. alt-F12) drops the encrypted file system immediately, just in case the FBI bursts into your bedroom. These programs use strong encryption algorithms that should be immune to brute force attacks. However, in some countries, for example Britain, you can be punished for not revealing encryption keys, and saying "I forgot" won't cut it. The next step is to use steganographic software to actually hide the presence of data, usually in multimedia files that do not use all the bits, or as "random data" in unused sectors on a hard drive.
With the falling cost of storage, more and more organizations have begun to keep extensive log files of system usage, ranging from small ISPs that record which user account logged in to which dial up line at a certain time, to ISPs that use caller ID to log the phone number, to the phone companies, which now all log calls (i.e. from, to, start time and finish). This information is invaluable to law enforcement. All the cable modem and ADSL companies I know of keep pretty good logs of which units (i.e. cable modems/ADSL units) were using which IPs. Nowadays chances are very good that, given an IP address, a time, and a search warrant, you can find the owner of the offending system. When combined with a wiretap/raid this usually results in evidence. Some network providers have started logging such things as DNS server usage: if a certain machine "walks" through a DNS domain (tries all the common names, etc.) and then a few minutes later an attack is launched, there is usually a strong correlation between these activities. Most ISPs can also make router data available, which gives law enforcement a chance to track you down if they are sufficiently determined. Sites that distribute "hacker tools" (such as rootshell.com) also maintain log files, making it possible for law enforcement to subpoena these records and then go to ISPs to get names to build a list of potential suspects ("preemptive/preventive enforcement"). Most companies run www and ftp proxies, some of which are "transparent". Cisco makes one that will automatically grab outgoing requests and run them through a proxy, so users cannot avoid it. These log files can be used internally to find users visiting questionable sites.
A way around this is to use anonymous reposting services (such as Freedom Net) to anonymize and encrypt one's traffic. So even if you somehow manage to track down who is doing it (maybe because they bragged online about it) and get a wiretap on their phone/Internet service, the traffic would be encrypted and you would not be able to gather any evidence. Traffic analysis would be possible, but this is nowhere near as solid as actually logging an attack in progress.
For log files to be used in a court of law they should be cryptographically signed, preferably at a set interval during logging; there are several syslog replacements capable of this. Another technique is to print the log files out as they are collected; this is about the only guaranteed method to ensure they won't be electronically altered. However, it can consume an enormous amount of paper, and if an attacker knows about it they will flood the log files and then attack. Tampering with electronic text files that are not signed is ridiculously easy.
[Note that Consul/Enterprise Audit [now called Tivoli Compliance Insight Manager] automatically collects cryptographically signed log files and provides a secure central repository for those logs, as well as sophisticated reporting tools. -- Software Europe]
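One way to get the "signed at a set interval" property described above, as an added example that is neither the article's code nor taken from any of the syslog replacements or products it mentions: each log line carries a SHA-256 chained to the previous line, and every few lines a checkpoint of the running hash is written to a separate file. This uses a hash chain plus out-of-band checkpoints rather than a digital signature; the checkpoint file is the part to print out or sign, since without it an intruder could simply recompute the whole chain after editing. The 3-line interval, the seed text "genesis" and the sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the article nor from any syslog replacement it
# alludes to: an append-only log in which each line carries the SHA-256 of
# the previous line's hash plus its own text, with a checkpoint of the running
# hash recorded every CHECKPOINT_EVERY lines. The chain makes any edit,
# deletion or reordering visible; the checkpoints are the part to print or
# sign out of band, because without them an intruder could simply recompute
# the whole chain after editing. Assumptions: interval of 3 lines, seed text
# "genesis", both chosen here for illustration.

sha256() {  # hex SHA-256 of stdin; GNU sha256sum or BSD shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}
CHECKPOINT_EVERY=3
GENESIS=$(printf 'genesis' | sha256)

# chain_append LOG TEXT: append TEXT as "<hash> <text>", hash chained to the
# previous line, and write "<lineno> <hash>" to LOG.checkpoints at intervals.
chain_append() {
    if [ -s "$1" ]; then prev=$(tail -n 1 "$1" | cut -d' ' -f1); else prev=$GENESIS; fi
    h=$(printf '%s\n%s' "$prev" "$2" | sha256)
    printf '%s %s\n' "$h" "$2" >> "$1"
    n=$(( $(wc -l < "$1") ))
    [ $((n % CHECKPOINT_EVERY)) -ne 0 ] || printf '%s %s\n' "$n" "$h" >> "$1.checkpoints"
}

# verify_chain LOG: recompute every hash from GENESIS and compare each
# checkpointed line with LOG.checkpoints. Returns 0 if intact; otherwise
# reports the first bad line and returns 1.
verify_chain() {
    prev=$GENESIS; n=0
    while IFS= read -r rec; do
        n=$((n + 1))
        h=${rec%% *}; text=${rec#* }
        exp=$(printf '%s\n%s' "$prev" "$text" | sha256)
        [ "$h" = "$exp" ] || { echo "chain broken at line $n"; return 1; }
        if [ -f "$1.checkpoints" ]; then
            ck=$(grep "^$n " "$1.checkpoints" | cut -d' ' -f2)
            [ -z "$ck" ] || [ "$ck" = "$h" ] || { echo "checkpoint mismatch at line $n"; return 1; }
        fi
        prev=$h
    done < "$1"
}
```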
There are numerous online archives of messages, be they Usenet news or email. The primary archive for Usenet news is probably Deja (the site formerly known as Dejanews), which has a massive archive of Usenet postings. In fact, Deja attempted to get old backup tapes of Usenet news from universities in a bid to have a "complete" archive of all Usenet news. Most email lists also have online archives, usually more than one. It's like pee in a swimming pool, once it's in there you can't get it out. Additionally, most companies and ISPs make regular backups of email on their servers; with a court subpoena (or sufficient legal threats) these can be made available. Web content also has a habit of being copied to other sites, and since it can be easily modified, this leads to potential problems with documents carrying your name and potentially damaging content appearing online. How would you go about refuting such a document? Even many online chat communities (AOL, IRC, etc.) are logged, sometimes by people managing the channel, sometimes by law enforcement (it's very easy to do). If you want to say something and not have it come back to haunt you, the best move is to meet one on one with the person (so you can deny it later) and make sure there are no recording devices present. This is becoming nearly impossible with the availability of extremely small and affordable recording devices.
In addition to the normal logs and monitoring possible with most systems, there are a number of software and hardware solutions that can be used to proactively monitor users and create very detailed records that can be used later on. One example of this is KeyGhost, a device that logs several hundred thousand keystrokes and allows you to dump them from its buffer into a computer. The advantage of this is that you do not need to load any software onto the machine in question, and in many cases the users would not be aware of it (it comes in a keyboard model and a keyboard cable model). There are several software packages that allow you to take snapshots of the screen every n seconds; if someone is accused of looking at pornography during a certain timeframe you can easily refer to the screenshots and see what they were seeing. Before you implement solutions like these, make sure you are not violating any laws, and that users are aware they may be monitored. You could also put a video splitter in and record the output of the screen to a VCR; however, you would need a relatively high resolution VCR, and it would not be very subtle. Just the threat of pervasive monitoring is enough to prevent many kinds of behavior (for example, you can buy fake security cameras with a blinking red light to deter people). The possibilities are endless. However, a possible problem with keeping detailed records is that during the process of civil discovery (if you ever get sued) a lot of potentially damaging information could be revealed. Remember those naughty emails that were found in Microsoft's systems.
The ability to monitor people has always existed. However, with extremely cheap storage (a terabyte of disk space is now easily within the reach of most companies, let alone tape libraries) the ability to store large amounts of log files forever has made monitoring the large flows of information possible. To protect sensitive information you need to use strong cryptography, which is a red flag in many cases. Some companies have banned encryption software, and you must formally request permission if you want to use it. Even this leaves a person vulnerable to traffic analysis and other forms of monitoring that you cannot discover easily, like new keyboards which have memory and the ability to log several hundred thousand keystrokes. When is the last time you took your keyboard apart and identified all the components? Other technologies like Tempest allow people to monitor what you are seeing on your monitor, from a distance and unobtrusively; your average user will not even realize they are being monitored.
Kurt Seifried is a security analyst and the author of the Linux Administrators Security Guide, a source of natural fiber and Linux security, part of a complete breakfast.
http://www.keyghost.com - KeyGhost
http://www.deja.com - Dejanews [now Google Groups]
http://www.freedom.net - Freedom Net
http://www.scramdisk.clara.net - ScramDisk
http://www.pgp.com/ - PGPdisk [now PGP Whole Disk Encryption]
http://www.jetico.com - BestCrypt
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding is dual-licensed under both the GNU Free Documentation License and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
http://homepage.mac.com/antallan/eforensi.html
Last updated Friday 8 August 2008