Tuesday, November 30, 2010

Imaging SAS drives the easy way.

Every time I came to image machines with Serial Attached SCSI (SAS) hard drives, I thought about a SAS write blocker. The problem was that there were no such things available. Live CDs, F-Response, live imaging, SAS-to-SATA adapters (I haven't tried this one) or SAS cards were the only options. I am glad that Tableau recently came up with one such device. It is called the Tableau T6es SAS and I am just about to get one.


Many nice things have already been said about FTK Imager 3, which is certainly my tool of the year. It even works from a USB flash drive with all these nice new features for mounting image files. Just copy the folder from "C:\Program Files (x86)\AccessData\FTK Imager" onto your portable drive and you are pretty much set.

Tuesday, November 23, 2010

iOS 4.2 has arrived!

Apple iOS 4.2 software has finally arrived, making my beloved iPhone and iPad even more functional and probably introducing new bugs/vulnerabilities. I must admit that I have lately jumped on the Apple wagon; even right now I am typing this blog on a MacBook Pro :-).

I still do most of the forensic work on Windows machines and only occasionally use Linux.
Having a busy life lately, I have Mac(s) mostly for personal use, and the main reason for choosing Apple devices for me was their functionality, relative security and low maintenance.

I recently attended a presentation where several current Windows vulnerabilities/hacks were demonstrated. These little beasts were able to disable all major antivirus solutions, even when executed with 'guest' privileges. Another logical attack vector on commercial antivirus software would be an attack on its license, for example by corrupting the license or changing the clock to the future, making the AV's license expire. Several commercial products dropped their defences in my tests straight away.

The funniest thing was that the above-mentioned presentation was given right after a computer forensic presentation by a young and very enthusiastic person, who was questioning the need to have a forensic machine disconnected from the Internet while performing the examination. I simply have no time or energy to deal with possible security compromises and other issues that may arise from having my forensic machine connected to the Internet. At the end of the day I have bought these Apple gadgets to save my time for something better than constantly fixing my home Windows computer or checking firewall and security logs on my forensic machine :-) after each forensic examination.

Monday, November 15, 2010

BranchCache - Distributed Cache Mode

BranchCache is designed to solve problems with the availability of information in remote offices with slow WAN connections.

According to Microsoft, BranchCache is only supported on Windows Server 2008 R2, Windows 7 Enterprise and Windows 7 Ultimate. The technology supports two modes: Hosted Cache and Distributed Cache. It allows data to be cached on computers in the remote branch office and made available to other computers in the branch.

In Hosted Cache mode, the content is cached on a Windows Server 2008 R2 content server on the remote branch network. In Distributed Cache mode, the content is distributed between Windows 7 client computers on the remote branch network and no additional server infrastructure is required. When distributed mode is enabled, a client computer first receives information from the BranchCache content server at the head office. The next client computer that requests the same information from the head office receives only the (small in size) content information, and the actual content is obtained from another client computer in the remote branch.

File changes are monitored by using hashes. If the client is unable to locate the necessary file in its own cache, it sends requests to the local subnet via UDP and then fetches it from one of the local client computers via HTTP/HTTPS.

Not only the actual content, but the requests and 'content information' might potentially be a good source of valuable evidence.
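
The Distributed Cache exchange described above, reduced to a simplified Python model that shows which machine ends up holding which trace. It is an added example, not Microsoft's protocol or code from this blog; `Client`, `serve`, `fetch`, the 4-byte block size, the hash-mismatch fallback and the sample content are assumptions made for the illustration.

```python
import hashlib

BLOCK = 4  # constructed block size for the demo, not BranchCache's real value

def content_information(data):
    """Per-block hashes: the small 'content information' sent over the WAN."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)]

class Client:
    def __init__(self, name):
        self.name = name
        self.cache = {}  # block hash -> block bytes held in the local cache
        self.log = []    # (event, other party, block hash) left on this machine

    def serve(self, requester, h):
        """Answer a peer; the serving machine records who asked for what."""
        self.log.append(("served", requester, h))
        return self.cache[h]

    def fetch(self, server_data, peers):
        """Get a file: hashes from head office, blocks from peers if possible."""
        out = b""
        for n, h in enumerate(content_information(server_data)):
            block = self.cache.get(h)
            if block is None:
                # Stands in for the UDP query on the subnet plus HTTP retrieval.
                holder = next((p for p in peers if h in p.cache), None)
                if holder is not None:
                    block = holder.serve(self.name, h)
                    self.log.append(("from_peer", holder.name, h))
            # Assumption: a block that does not match its hash is discarded.
            if block is None or hashlib.sha256(block).hexdigest() != h:
                block = server_data[n * BLOCK:(n + 1) * BLOCK]
                self.log.append(("from_wan", "head-office", h))
            self.cache[h] = block
            out += block
        return out

def demo():
    doc = b"payroll-2010.xls"  # constructed sample content, 4 blocks
    a, b = Client("PC-A"), Client("PC-B")
    a.fetch(doc, [b])          # first request in the branch: full WAN transfer
    got = b.fetch(doc, [a])    # second request: blocks come from PC-A
    return a, b, got, doc

if __name__ == "__main__":
    a, b, got, doc = demo()
    for entry in a.log + b.log:
        print(entry[0], entry[1], entry[2][:12])
```

In this model the machine that served the blocks holds a record of which peer asked for which hash, while the requesting machine holds the content information and the name of the peer it pulled from, which is the kind of trace the paragraph above points to.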