Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Forensics => Topic started by: oneeyedcarmen on April 29, 2008, 03:04:10 PM



Title: "New" tool
Post by: oneeyedcarmen on April 29, 2008, 03:04:10 PM
Quote from: vnunet.com
Microsoft has built a USB thumb drive for the police that scans computer hard drives.

The Computer Online Forensic Evidence Extractor can be used in police raids to map hard drives and decrypt passwords without shutting the computer down and losing evidence.

The device was shown off at a three-day security conference for 350 law enforcement officials in Redmond, Washington.

"These are things in which we invest substantial resources, but not from the perspective of making money," Microsoft general counsel Brad Smith told the Seattle Times. "We're doing this to help ensure that the internet stays safe."

The thumb drive has 150 commands and can log hard drive activity, check on surfing history and decrypt some passwords.

Microsoft has distributed the device for free since last year, and claims that it is in use by over 2,000 officers in 15 countries.

However, Smith acknowledged that there is a financial upside for Microsoft in giving away the device, since it makes money selling ancillary software and services.

Microsoft has been holding law enforcement meetings since 2006 in an effort to educate police about cyber-crime.

Story (http://www.vnunet.com/vnunet/news/2215492/microsoft-builds-hard-drive)


Title: Re: "New" tool
Post by: Bogwitch on April 29, 2008, 05:03:19 PM
Wouldn't the introduction of a USB device potentially modify some data that will later be used as evidence? I'm thinking file access timestamps, etc., not to mention the possibility of information in the swap file being overwritten.
It would certainly give a lawyer the possibility to suggest that the filesystem had been modified by LEO and, at worst, could suggest LEO planted the evidence...


Title: Re: "New" tool
Post by: SynJunkie on April 29, 2008, 05:51:53 PM
Wouldn't it depend on how the USB drive was set up? Surely if the partition with the tools on it was set up like the read-only CD partition on the Hacksaw (U3), for example, and the other partition was used to log the results of running the tools, it wouldn't be that dissimilar to running tools from a CD.

I know a registry key would be created for the USB device, but the first responder or LEO would be documenting the process and tools in use anyway, so that would explain that.

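Bogwitch's worry above (that running anything from the live box alters access timestamps) and SynJunkie's reply (that the responder documents what was run) both come down to having a baseline to compare against. The script below is an added example, not code from this thread or from the tool in the article; it assumes only the Python standard library and builds its own constructed temp directory to show which fields of each file's metadata change after a tool touches it.

```python
import hashlib
import tempfile
from pathlib import Path

# Fields recorded per file. stat() is taken BEFORE the file is read for hashing,
# so the recorded atime is the pre-read value; the read itself is a side effect
# of exactly the kind the thread describes and shows up in the next snapshot.
FIELDS = ("size", "mtime_ns", "atime_ns", "ctime_ns", "sha256")

def file_record(path: Path) -> dict:
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns,
            "sha256": h.hexdigest()}

def snapshot(root) -> dict:
    """Map each regular file under root (relative path) to its record."""
    root = Path(root)
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(before: dict, after: dict) -> dict:
    """Return {path: [changed fields]}; added and removed files are listed too."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = ["added"]
        elif path not in after:
            changes[path] = ["removed"]
        else:
            changed = [f for f in FIELDS if before[path][f] != after[path][f]]
            if changed:
                changes[path] = changed
    return changes

def demo() -> dict:
    """Constructed scenario: two files, a baseline, then one file rewritten."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_bytes(b"baseline content")
        (root / "log.txt").write_bytes(b"untouched")
        baseline = snapshot(root)
        (root / "notes.txt").write_bytes(b"baseline content, altered")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for path, fields in demo().items():
        print(f"{path}: {', '.join(fields)}")
```

Whether the untouched file shows an atime change depends on the mount options (noatime/relatime), which is itself worth recording alongside the tool log.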

Title: Re: "New" tool
Post by: RoleReversal on April 30, 2008, 03:44:19 AM
I'll leave the modification aspect of this tool to the forensics people; my first thought when I read this story yesterday was:
how long will it take for this 'tool' to hit the underground/mainstream?


Title: Re: "New" tool
Post by: SynJunkie on April 30, 2008, 05:30:26 AM
From the description of the tool it doesn't sound very different from what it's possible to achieve with the U3 switchblade or hacksaw (see hak.5 forums). Obviously the tools within those kits are aimed at the attackers and are already available and in use. The forensic tools can easily be ported over from an incident response toolkit that is also available.

I would suggest that this tool is nothing new and once again the defenders are playing catchup.


Title: Re: "New" tool
Post by: oneeyedcarmen on April 30, 2008, 08:43:31 AM
Quote from: SynJunkie
I would suggest that this tool is nothing new and once again the defenders are playing catchup.

Hence the quotation marks in the title of the thread...

;D


Title: Re: "New" tool
Post by: SynJunkie on April 30, 2008, 06:12:05 PM
Right. Missed those.

I need to read more carefully before posting I guess.


Title: Re: "New" tool
Post by: oleDB on April 30, 2008, 06:52:30 PM
What exactly do they mean by "map hard drives"?