
Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 0:01 UTC (Fri) by MattPerry (subscriber, #46341)
Parent article: Linux tool speeds up police computer forensics (ZDNet)

I don't know how the law works in Australia, but in the US you're going to have to prove
exactly how the software is incapable of writing to the hard drive, or else the defense is
going to have a field day.  I certainly wouldn't use this tool without a court-certified
hardware write-blocker.


Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 0:41 UTC (Fri) by xorbe (guest, #3165)

Yeah, I have a hard time believing that it's 100% impossible to get a write command to the HDD
interface with just a modified kernel.  Perhaps the CD also doesn't allow root access (and
assuming there are no escalation holes in the kernel or SUID binaries).

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 1:30 UTC (Fri) by drag (subscriber, #31333)

I think that it's more likely that it's done at the kernel level. That they actually made a
patch that removed the ability of the kernel to write to drives.

With a live CD-ROM you should be able to eliminate all ability to write to any media, period.
The only thing you would have to have write access to is tmpfs.

I bet it would be useful for making images. Say you use dd to read the drive, then netcat to
transmit the image over a network to another machine that has read-write ability. That way you
could prove in court that under no circumstances did any OS other than the one used by the
defendant have any ability to write to that drive. It would be demonstrable that the
investigator could not write to the drive even if they tried.
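The dd-then-netcat acquisition drag describes, written out as an added example (not code from this thread or from the Australian tool): the acquiring side only ever opens the source for reading, hashes the byte stream as it leaves, and the receiving side hashes what it stored, so both ends can attest that the image matches the source without anyone re-reading the original. The "network hop" is a local pipe here so the script runs offline; in the field the sender's pipeline would end in `| nc HOST PORT` and the receiver would run `nc -l PORT > evidence.dd` (netcat argument syntax varies between implementations). The source is a constructed file standing in for a real `/dev/sdX`.

```shell
#!/bin/bash
# Added example, not code from the LWN thread or from the police tool it
# discusses. Read-only acquisition with dd, hash of the stream in flight on
# the sending side, independent hash of the stored image on the receiving
# side. Assumption: the transport is a local pipe (stands in for netcat);
# the source is a constructed file (stands in for /dev/sdX).
set -eu

# Build a deterministic stand-in for an evidence drive (constructed data).
make_sample_disk() {
    local path=$1
    dd if=/dev/zero of="$path" bs=1024 count=64 2>/dev/null
    printf 'CONSTRUCTED-EVIDENCE-MARKER\n' >> "$path"
}

# Acquire SRC into DST. Prints the SHA-256 of the bytes that left the source.
acquire_image() {
    local src=$1 dst=$2 work hasher sent
    work=$(mktemp -d)
    mkfifo "$work/stream"
    # Hash the stream in flight; runs until tee closes the FIFO.
    sha256sum < "$work/stream" | cut -d' ' -f1 > "$work/sent.sha256" &
    hasher=$!
    # dd only ever opens SRC for reading. tee forks the stream to the hasher
    # while the bytes travel to the collection side (DST here, nc in the field).
    dd if="$src" bs=4096 2>/dev/null | tee "$work/stream" > "$dst"
    wait "$hasher"
    sent=$(cat "$work/sent.sha256")
    rm -rf "$work"
    echo "$sent"
}

# Receiving side: hash what actually landed and compare with the sender's value.
verify_image() {
    local dst=$1 expected=$2 got
    got=$(sha256sum < "$dst" | cut -d' ' -f1)
    [ "$got" = "$expected" ]
}

# Stand-alone demo: acquire, verify, then show that a post-acquisition change
# to the stored image is caught by the recorded hash.
demo() {
    local work src img hash
    work=$(mktemp -d)
    src=$work/source.bin
    img=$work/evidence.dd
    make_sample_disk "$src"
    hash=$(acquire_image "$src" "$img")
    verify_image "$img" "$hash" && echo "image verified: $hash"
    printf 'x' >> "$img"
    verify_image "$img" "$hash" || echo "tampering detected after acquisition"
    rm -rf "$work"
}

demo
```

The recorded hash is what a third party checks against when they re-image the original drive themselves; if a drive with bad sectors needs `conv=noerror,sync`, the padding changes the hash, so the error count and the padding policy belong in the acquisition notes as well.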

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 3:33 UTC (Fri) by ncm (subscriber, #165)

Except it's also, mysteriously, unable to write to the network.

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 3:51 UTC (Fri) by njs (subscriber, #40338)

> I think that it's more likely that it's done at the kernel level. That they actually made a
> patch that removed the ability of the kernel to write to drives.

That would be the cool way to do it, but I doubt that a few random admins in Australia really
want to start maintaining their own modified ATA/USB/Firewire/etc. stacks.  It also is
incompatible with the quote in the article that says "if for some reason a disk is writeable,
the system will halt automatically", which wouldn't make sense if their kernel had no
writeable state in the first place.  It sounds more like they just made a livecd that mounts
filesystems readonly, and also as a crude defense against "mount -o rw,remount" they added a
cronjob that does "mount | grep -q rw && halt" every few seconds.

Which makes sense, in context -- it sounds like the goal was to create a tool that ordinary
police officers could use to quickly check for the presence of contraband material, to reduce
the amount of work that skilled technicians would need to do.  Those who are clever enough to
convince the CD to give them a shell, remount the drives, and start modifying things, are
already working back in the lab anyway :-).

> I bet it would be useful for making images. Say you use dd to read the drive, then netcat to
> transmit the image over a network to another machine that has read-write ability. That way you
> could prove in court that under no circumstances did any OS other than the one used by the
> defendant have any ability to write to that drive.

*cough* ...and the OS running on the machine that's actually writing out the disk image?  This
sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real
security...
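The "cron job that halts if anything is mounted rw" guess in the post above, done a little less crudely, as an added example (not njs's code and not the Australian tool's): `mount | grep -q rw` also matches tmpfs, proc and sysfs, which a live CD needs writable, so this check looks only at mounts backed by a block device. Assumptions: the mounts table has `/proc/mounts` layout (device, mount point, fstype, options, dump, pass); the two sample tables are constructed, one as the CD would boot and one after a `mount -o remount,rw` on the evidence partition.

```shell
#!/bin/bash
# Added example, not from the thread or the tool it discusses. Watchdog step
# for a read-only forensic live CD: flag rw mounts of block devices only.
# Assumption: input is in /proc/mounts format; samples below are constructed.
set -eu

# Print "device mountpoint" for every /dev/* mount whose options include rw.
rw_block_mounts() {
    awk '$1 ~ /^\/dev\// {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "rw") { print $1, $2; break }
         }' "$1"
}

# Exit 0 if no evidence media is writable, 1 otherwise. The real job would
# replace the echo with halt.
check_read_only() {
    local offenders
    offenders=$(rw_block_mounts "$1")
    if [ -n "$offenders" ]; then
        echo "writable block-device mounts detected:"
        echo "$offenders"
        return 1
    fi
    return 0
}

# Constructed mounts tables: "clean" as the CD boots, "remounted" after
# someone has run mount -o remount,rw on the evidence partition.
write_sample_mounts() {
    local state=$1 dest=$2 evidence_opts=ro,relatime
    [ "$state" = remounted ] && evidence_opts=rw,relatime
    cat > "$dest" <<EOF
rootfs / rootfs rw 0 0
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /mnt/evidence ext3 $evidence_opts 0 0
EOF
}

demo() {
    local d
    d=$(mktemp -d)
    write_sample_mounts clean "$d/clean"
    write_sample_mounts remounted "$d/remounted"
    echo "naive check on the clean table: $(grep -c rw "$d/clean") rw lines (would halt at boot)"
    check_read_only "$d/clean" && echo "block-device check on the clean table: ok"
    check_read_only "$d/remounted" || echo "(would halt here)"
    rm -rf "$d"
}

demo
```

Polling is still a race: a write can land between two runs of the job. The kernel-level control drag had in mind exists without a custom kernel: `blockdev --setro /dev/sdX` (util-linux) marks the device read-only in the kernel, so a later `mount -o remount,rw` fails instead of succeeding for a few seconds; the article gives no indication of whether the tool does this.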

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 5:58 UTC (Fri) by drag (subscriber, #31333)

> *cough* ...and the OS running on the machine that's actually writing out the disk image?
This sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real
security...

The investigator can molest that all he wants. That's the entire point of making an image in
the first place. Of course you're going to have more than one copy.

In order to investigate files he will at some point have to access a copy of that file system,
and essentially every time you do that it makes changes.  If there is any doubt about the
validity of the investigator then you can get a third party to run their own investigation on
his investigation by making their own image of the original, pristine drive.

As far as network security goes you just do it on the physical level, i.e. don't connect it to
any router or anything that can access any external network.

The point is not so much security as audit-ability.

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 3:03 UTC (Fri) by njs (subscriber, #40338)

This claim seems dubious to me.  I don't know of any "court-certified hardware write-blockers"
at all, yet people seem to get hard drive contents entered into evidence just fine.  (Even, or
especially, after the hard drives have disappeared for months into a black hole, where the
police could have done just about anything to them.)

This isn't really out of line with how the courts have traditionally worked, though; they just
don't care that much about the sort of "proof" that mathematicians, cryptographers, etc. worry
about.  Note that witness testimony is admissible evidence too, and just try proving any
bounds on its unreliability... somehow justice soldiers on, not perfectly, but okay.

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 5:51 UTC (Fri) by MattPerry (subscriber, #46341)

> This claim seems dubious to me.  I don't know of any "court-certified
> hardware write-blockers" at all,

Here you go: http://www.cftt.nist.gov/hardware_write_block.htm

Using a write-blocker that the courts have not already recognized as tested and suitable for
their purpose will only leave you to spend time and money to prove that your homemade write
block worked and didn't introduce changes to the media.  The defense will use that opportunity
to get the evidence thrown out.

I can understand using this tool if you have used an approved tool to create an image and then
examine the image to find evidence.  You can then use that knowledge to gather the evidence for
court with a certified tool, such as FTK.

Again, Australia may have different rules than the US, which is the perspective that I'm
speaking from.

> Note that witness testimony is admissible evidence too, and just try
> proving any bounds on its unreliability... somehow justice soldiers on,
> not perfectly, but okay.

Are you implying that computers can provide different data for each read much like a witness
might not remember the exact same thing from one moment to the next?

We give electronic records more weight since we assume computers to be exact.  Something as
small as a timestamp on a file could be important evidence for a case.  If a timestamp is
altered because of a faulty write-blocker then any evidence gained from said media could be
suspect.

Linux tool speeds up police computer forensics (ZDNet)

Posted Mar 7, 2008 16:06 UTC (Fri) by petegn (guest, #847)

And maybe, just maybe, it's the American system that is a bit of a joke and proved to be a bit
silly in reality. Court certified this, that and t'other, whatever next? The very act of READING
a hard drive will be suspect and open to challenge next, i.e. (yet more pay for legal con men
to make themselves rich on at double light speed), and now we are having your crap ideas and
system forced on us over here by the Labourite scumballs kept in power by the occupants of a
few small areas of the country. Yep, I am hissed off..  :-) ..

EftE  

Pete .

Lame rant

Posted Mar 7, 2008 17:58 UTC (Fri) by clugstj (subscriber, #4020)

If you're going to go on a rant, you should at least:

1) Have a clue what you're talking about
2) Be able to form clear thoughts
3) Have a command of the written language

You appear to be 0 for 3.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds