M Isbell

About M Isbell

News Editor at DFM

Solid State Drives and TRIM

Posted on 13 March 2011 by M Isbell

Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at http://dig-forensics.blogspot.com/

-----------------------------

Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in. If you’re not familiar with them; they basically use flash memory instead of magnetic disks; hence the name. They don’t need an arm to move across the disk reading the data so the seek times are much better and therefore they read data much faster than a normal hard-disk. They have a few different utilities which are meant to speed up the drive, I won’t go too technical but TRIM is one of these functions and when a file is deleted the area the file is stored is wiped to allow for quicker write speeds later.
Seeing as I just bought a Solid State Drive I thought it would be a good idea to check TRIM was working: I found a couple of utilities to get me started. The first thing to do was to launch the Computer Management program: This is obviously with Windows 7 as TRIM is supported by the OS without any fiddling around. Ubuntu will require further research. With Computer Management open you choose the drive in question and enter its properties menu.

In this case it is disk 0. The drive is only a 64gb drive due to lack of funds, its used primarily as an OS drive with the majority of programs also installed. It doesn’t half fly though! Remember to right-click on the Disk and not the partition. From here navigate to the details tab and choose Hardware Id’s from the drop down menu.

As you can see from the screenshot there is a long list of information but the end of each entry is key, in my case there is “0006”, this refers to the firmware number. As drives get newer all will have TRIM enabled by default but in my case it was essential to check the firmware supported it, and it does. The next thing to do is to run a command within command prompt to determine whether its enabled within Windows 7 (It should be). You need to launch the prompt as administrator otherwise the command won’t work. Easiest way to do this is search for cmd in the start menu and right-click run-as administrator and press yes/continue to the UAC. Once you have done this the following command needs to be entered:

fsutil behavior query disabledeletenotify

If it is set to 0 then TRIM commands are enabled, set to 1 and they are disabled. So Trim is enabled.

I also came across some software which supposedly tells you if TRIM is supported by the drive but I’m unsure if it just checks the drive type so in my opinion this is a better way of checking, but if you want to have a play the software is called “CrystalDiskInfo” available here: http://crystalmark.info/software/CrystalDiskInfo/index-e.html

Anyway now for the forensic side of it all. I took two drives, my main drive which is only 6 months old and the fastest HDD other than raptors – the F3 1TB and the c300 64GB. The fact that the drives are different sizes doesn’t matter here as there’s plenty of space free on each drive. I created two identical files with the word “TESTER” flooded until the file was 548KB. I saved this to the root directory of the main partition on each drive. I previewed the drives within EnCase with the files not deleted to ensure that they were visible as normal which they were:

SSD:

HDD:

As you can see they are visible. I then removed the drives from the case and proceeded to delete both files from the drives using shift-delete to permanently delete them without entering the recycle bin. From deleting the files to adding the drives back into encase the whole process took 30 seconds. In this case both files were visible as deleted files:
SSD:

HDD:

The interesting thing was that even though the file was deleted from both, the SSD entry had the data wiped from where the file supposedly was whereas the HDD entry had the data intact. I searched the SSD for the word TESTER. But nothing was found. About ten minutes had passed in this time so I decided to add the devices back into encase and see if the file was still visible as a name for both. Low and behold the file had disappeared from the SSD and remained on the HDD.
SSD:

HDD:

This indicates that in the 30 seconds the entire file was wiped, it was interesting to see that in the first 30 seconds the file name was still visible but with no content this is almost useless. The HDD behaved as expected as it doesn’t support TRIM. After 10 minutes the file name was completely gone and I imagine it disappeared shortly after the device was added to EnCase. In theory all TRIM is handled in exactly the same way as it’s a call from the operating system which handles the blocks on the drive being wiped and not like garbage collection which is initiated solely by the firmware of the drive. It bares great significance to forensic acquisition as it’s not something that’s going to go away, it greatly improves write-speeds on SSD’s and could eventually be used on USB pen drives as they function in a very similar way.

(10396)

Diary of a Student – Part 3 – 19th February 2011 – Businesses and Web Systems

Posted on 19 February 2011 by M Isbell

Well it’s certainly been a busy few weeks starting the new semester and I thought it time to let you all know how things were going.

Following on from my previous post, I can tell you that the second part of my Fundamentals assessment went very well and I’m quite confident about the results. A few simple questions about Public and Private GPG keys and some bizarre plain text TCP communications made the test fairly enjoyable. Well, as enjoyable as any test can be I suppose.

All my coursework has been handed in for Semester 1 and I am pleased with the results that have been returned so far. I am on my way to getting those 3 letters after my name!

Semester 2 pretty much kicked off as soon as the assessments were all finished so there has not been much of a break but it has started with some highly interesting topics.

Secure Web Systems looks set to be particularly interesting. While it is slightly more security focused, it does involve learning some PHP and basic web development, which I enjoy a lot and have already dabbled in a little bit.

The culmination of this module shall bring the most terrifying assessment to date – a pen test. Thank goodness I bought those books on SQL and PHP! Hopefully, though, everything will go smoothly and I’ll come out the other side with some valuable knowledge.

Digital Evidence and Incident Response is following on from Forensic Tools and Techniques nicely, with some Virtual Machine Acquisitions and use of various Sysinternals tools. We are already learning much about CIRT and CSIRT teams, and how they operate which has been eye opening if I am honest. A bit more live Forensics is going to be thrown in along with Network Forensics, so all in all, it should be a fun module.

Advanced Topics in Forensics and Security is pretty much like Ronseal, it does exactly what it says on the tin. We will be looking at current research being conducted in both fields and will also receive some guest lectures from the Researchers involved.

By now I imagine you’re wondering why the title of this post is Businesses and Web Systems. Well, among the four modules of Semester 2 is “Professional Practice and Responsibilities”. Now, if you’re like me, then you will take one look at that title and think, “That sounds a bit strange for a Forensics course.” However, the first two lectures have probably been some of the most enjoyable so far.

The main premise of the module is to understand the fundamentals of a business, how IT operates within the business as a support or service function and how Digital Forensics and Security form part of this. In addition we are looking at the various roles that digital forensics and security have within the overall security operations and not just the post event analysis, lastly we will be putting all of this together to develop our own fake businesses and must apply the various laws and policies to make them successful.

In groups of four we will work over the semester building up our research into Business so that, when we face the dreaded DMU Dragons Den, we will be able to present to them, a company that has the beginnings of being highly successful and worth investing into. Who knows? Maybe our businesses will become real some day. The Presentation also assesses our business plans and our communicative skills so it should be a bit of fun.

I will keep you informed as to how our business, currently under the temporary name of Four Candles Forensics and Security Ltd, gets on.

That’s all for this post, really just an intro to the second Semester and what I will be getting up to. I’ll try not to leave it so long before the next post!

For now, I wish you all well.

(592)

Diary of a Student – Part 2 – 25th January 2011 – Assessment Time!

Posted on 27 January 2011 by M Isbell

Apologies for my slightly late entry, my weekend was filled with coursework and Christmas 2 with my girlfriend’s family (don’t ask!).

The past week or so has not really been very exciting, mainly finishing coursework and revising for the exam that took place last Friday, I’ll get to that shortly.

Firstly, the coursework! That one word that every student runs in fear from. Luckily, it’s not been too bad this time around. I started last week finishing up a 5000-word essay on Computer Ethics that I quite enjoyed. It was interesting researching and learning the history of Computer Ethics and the various issues surrounding it over the last 60 years or so. Who’d have thought a Second World War Mathematics professor could have predicted the ethical issues of modern day technology? I am, of course, referring to Professor Norbert Wiener, who taught Maths and Engineering at MIT during the 1940’s. It was certainly some research well worth doing as it has helped me to understand more about the issues surrounding not only Computing, but Forensics and Computing too!

My other main focus last week was revising for my exam on C Programming and Operating Systems. Joy of joys. Now if there’s one thing I knew I would struggle with, it was going to be programming. After the mock, I had been seriously worrying about that part of the test and it was definitely the hardest part of the real exam. The 300-line program almost drove me to insanity but, with some perseverance (and a little bit of divine intervention, I think), I managed to figure out all but the last tweak that would enable the program to print out what I needed it to. The operating systems part of the test was much better, locating partitions and their block addresses and block sizes, finding partitions within an extended partition and working out how much unallocated space there was on the disk, a few simple commands in the terminal and I was there! (Hurrah..!)

I briefly mentioned, in my last post, a report about a malware sample that I had to statically and dynamically analyse and identify through various means of sandboxing. That piece of work is also now finished and I’m going to play around in Adobe Illustrator creating a nice fancy front cover for the report, because I’m sad like that.

Other than that and the exam, not much else to report, although there was a slight mishap with some lost Tools and Techniques Workbooks, which, as luck would have it, were lost in the post over Christmas thanks to all the wonderful snow. Luckily, I managed to redo them thanks to a last minute email from my tutor and once again enjoyed the tasks of password cracking and hiding techniques such as Steganography, Alternate Data Streams and Bit Shifting.

I may sound a bit weird to some but I am really enjoying all that I am learning on the course to date, which is kind of the point, I know. I think I always felt the subject was going to frazzle my brain completely, with me coming from a Science degree onto a Computing one. Luckily, the teaching has broken me in gently with only a few hiccups along the way. With that, I conclude this weeks (well, last weeks) student diary entry. I am still keen to hear what you all have to say on the ethical issues I mentioned last week; in fact, I am very keen to hear any thoughts on the subject so post away.

Next post I’ll let you know how my second Fundamentals of Forensics and Security exam has gone (Cryptography and Networking – fun times!), for now I hope you have a very enjoyable week.

(586)

Perfect Storm for Cyber Attacks

Posted on 17 January 2011 by M Isbell

World leaders have been told today that a coordinated cyber attack could have catastrophic consequences.

The report, released today, claims that we are fast approaching the time where cyber weaponry and cyber attacks is becoming ‘ubiquitous’.

While it is clear that singular attacks cause much damage and detrimental effect to systems, a coordinated series of events could have consequences, the likes of which have yet to be seen by the current society.

The report has been produced ‘on the heels’ of the attacks by the hackitivist group, Anonymous, who targeted companies such as Visa and Mastercard in protest to their repsonse to the controversial Wikileaks debacle.

Robert Chapman, CEO of Firebrand Training, says:
“We train professional Ethical Hackers to protect the nation’s IT systems. It is becoming more apparent that an Ethical Hacker’s job is beyond protecting their company’s interests. They are protecting the safety and financial interests of the whole nation.”

“The Government has clearly indicated that it intends to tackle the very-real threat of cyber attacks head-on. A key enabler for this is to introduce more Ethical Hackers. Surely we’d prefer an Ethical Hacker to find a vulnerability in our IT systems, before a terrorist does?”

“As the ‘Hacktivist’ group Anonymous has recently demonstrated, major corporations – such as MasterCard, Visa and Amazon – can very quickly be sabotaged. If an organisation isn’t protected in the first instance, it must act quickly to put things right – these kind of companies can lose thousands of pounds for every second that they are down”

“In today’s world of natural and terrorist disasters, we can’t afford for IT systems to fail. Imagine an incident, where the emergency services can’t be contacted, or safety processes can’t be initiated. It’s unthinkable.”

It is becoming clear that the risks of such attacks are increasing and a coordinated attack will probably become innevitable.

(837)

Diary of a Student – Part 1 – 15th January 2011 – Of Ethics and Exams

Posted on 15 January 2011 by M Isbell

Welcome to the first entry in my ‘Diary of a Student’ covering my exploits through the next 8 months whilst I study to earn a Masters of Science degree in Forensic Computing.

To bring you up to date, I have been studying the MSc programme since September of last year after completing a BSc in Forensic Science in May. It has certainly been an eye opener from learning basic programming in C to reverse engineering malware samples. The first semester has already taught me much about the forensic process and the science behind computers.

The most enjoyable module to date, albeit a difficult one, has certainly been Live Forensics and Reversing, giving me a basic understanding of assembler language and live forensic techniques. I am currently finishing my final piece of coursework for the module, which involved the forensic analysis of a malware sample, both static and dynamic. Creating my own sandbox and following the processes and actions of the malware, I have managed to discover the nature of the malware and identify it. All that’s left is to finish my investigative report!

First week back at University following the 3-week Christmas vacation and, it’s assessment time! Much of the week occupied by Mock Exams, Coursework and, a full Investigation of a USB device using whichever tools I care to choose, I chose EnCase 6.17 and FTK.

Wednesday – Great fun, best part of the week! A session on Computer Law and Ethics, we discussed the various ethical theories and practices behind computing and forensic computing (all the way from Weiner to the Universities very own ethical researcher, Professor Stahl). Proceeded to have our own debate on issues surrounding Forensic Computing, great discussion around:

Would Forensics benefit from a Licensing body and how would this affect the current processes and procedures?
Wikileaks – Julian Assange – villain or victim?
The ethics of RIPA .

Debate lasted well over 90 minutes and, as I was thinking of ideas for my first blog posting, I thought it would be good to get all who read this to put forward a short statement of their thoughts and feelings on the aforementioned topics.

Next week, it’s more exams and hand-ins (joy of joys); I’ll let you know how it goes.

(581)

Digital Forensics to the rescue – recovering critical data after a format and reinstall!

Posted on 23 December 2010 by M Isbell

Pete Membrey, an author for Digital Forensics Magazine describes how to recover all your lost critical data should you ever have to reinstall an Operating system or reformat your hard drive.

Here’s a little snippet:

It happens to all of us – sooner or later we lose data. Sometimes it’s important, others not, but rest assured it will happen. Even the most careful of us who take backups with something akin to religious fervor occasionally make mistakes. And so it was that I got a phone call from a very upset young lady who had just lost six months worth of work.

Her company had decided to refresh her PC and told her to drag and drop everything of importance on to the network share. This she did, but was unaware that some of the items had not been copied and were in fact just shortcuts. The weird thing though (or maybe not, I’m not a Windows expert) is that whilst some Excel files copied perfectly fine, one or two copied as shortcuts – and those of course were the important ones. After the copy had been made, the PC was whisked away, formatted and given to another colleague. A few hours later my friend discovered that her spreadsheet was no more and meanwhile her colleague was busy working away on her new machine.

So we have a spreadsheet on a machine that has been formatted, has had Windows reinstalled and is currently in use. The chances of recovering the data weren’t all that great but the work was sufficiently important that it was worth a try. I told her the first thing to do was get hold of the original PC, turn it off and make sure no one goes near it. Most operating systems continue to write data to the disk even if they’re otherwise idle. This is actually a good thing as it tends to make the machine more responsive – but that last thing I wanted was for the part of the disk containing the spreadsheet to get over written.

You can read on at Pete’s blog.

(573)

Battling Cyber Threats

Posted on 4 December 2010 by M Isbell

Today, virtually every area of life depends on a cyber infrastructure that is vulnerable to attack. According to a recent report by the Center for Strategic & International Studies, sensitive U.S. military and civilian networks have been “deeply penetrated, multiple times, by other nation-states,” and hackers employed by terrorist and criminal organizations are a constant and serious menace. In an August 2010 survey by Symantec, of 1580 private businesses in industries such as energy, banking, health care, and other areas of critical infrastructure, more than half reported politically motivated cyber attacks, averaging 10 attacks in the past 5 years.

Computer security experts say the United States faces a radical shortage of highly skilled cybersecurity professionals who can prevent and combat such attacks. One federal official has estimated that there are only 1000 cybersecurity experts in the United States who have the deep technical knowledge required to safeguard national security; tens of thousands are needed, he believes.

Read on at Science Careers (05/12/10)

(1134)

Firebrand raises money for Movember

Posted on 1 December 2010 by M Isbell

Here is the team at Firebrand Training raising money for ‘Movember’. We were pleased to hear that they successfuly raised a considerable amount of money for charity.

James Lapwood said,

“We raised more than £1,500 – and managed to grow some ridiculous facial hair in the process. I can’t bring myself to shave my Mo off this cold December morning!”

(962)

New Windows zero-day flaw bypasses UAC

Posted on 1 December 2010 by M Isbell

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

Read on at Naked Security (01/12/10).

(738)

Time for the Whole Nation to Become Hackers

Posted on 29 November 2010 by M Isbell

EC-Council and Firebrand Training have teamed-up to offer a webinar that teaches you how to become an ethical hacker. With the rate of cyber attacks doubling every year, IT security has become a valuable profession. Many in the role of Ethical Hacker now demand a six-figure salary.

The UK Government recently raised the threat-level of attacks on computer networks to ‘Tier One’ – the highest ranking possible. Testament to this, in a month of extreme spending cuts, the Government is to boost the Intelligence Services’ budget by £1billion, solely to tackle cyber terrorism.

The United States Department of Defence has endorsed EC-Council’s Certified Ethical Hacking course to equip its cyber-defenders across the United States for the attack on cyber crime. Jay Bavisi, President of EC-Council, explains: “From emerging markets to developed economies, governments and organizations are spending a whole lot more to train their citizens and workers so as to build sufficient capacity of information security workforce to meet increasing needs.”

Firebrand Training delivers EC-Council’s Certified Ethical Hacker course across Europe. Robert Chapman, CEO, explains: “Firebrand has trained hundreds of Ethical Hackers over the past decade. However, major companies – and indeed individuals – still refuse to see the very real threat of cyber criminals.

“Cyber crime is a time bomb, ticking towards a very real issue that could cause significant impact to millions.”

The three-hour webinar will highlight the latest security threats, and explain how businesses – and public bodies – can beat them. The technologies, tools and programs used by today’s hackers will be scrutinised, and it will be explained how these can be used to beat cyber criminals at their own game.

This is just a taste of the five-day course offered by EC-Council and Firebrand. In fact, the tools learned on the full Certified Ethical Hacking course are so powerful, that every student must sign an agreement to ensure that they are not used illegally.

Jay Bavisi concluded: “The recent Stuxnet incident serves a grim reminder to governments and businesses globally. There are powers out there that are building their arsenal of cyber-weapons that can bring whole industries – if not countries – to their knees.”

The First Look at Certified Ethical Hacking webinar takes place on Thursday 9 December. Registration is open to anyone, by visiting www.firebrandtraining.co.uk/ceh-webinar

(837)