"New" tool

<<

oneeyedcarmen

Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Tue Apr 29, 2008 3:04 pm

"New" tool

[quote=vnunet.com]Microsoft has built a USB thumb drive for the police that scans computer hard drives.

The Computer Online Forensic Evidence Extractor can be used in police raids to map hard drives and decrypt passwords without shutting the computer down and losing evidence.

The device was shown off at a three-day security conference for 350 law enforcement officials in Redmond, Washington.

"These are things in which we invest substantial resources, but not from the perspective of making money," Microsoft general counsel Brad Smith told the Seattle Times. "We're doing this to help ensure that the internet stays safe."

The thumb drive has 150 commands and can log hard drive activity, check on surfing history and decrypt some passwords.

Microsoft has distributed the device for free since last year, and claims that it is in use by over 2,000 officers in 15 countries.

However, Smith acknowledged that there is a financial upside for Microsoft in giving away the device, since it makes money selling ancillary software and services.

Microsoft has been holding law enforcement meetings since 2006 in an effort to educate police about cyber-crime.
[/quote]

Story
Last edited by oneeyedcarmen on Tue Apr 29, 2008 3:05 pm, edited 1 time in total.
Reluctant CISSP, Certified ASS
<<

Bogwitch

Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Tue Apr 29, 2008 5:03 pm

Re: "New" tool

Wouldn't the introduction of a USB device potentially modify some data that will later be used as evidence? I'm thinking file access timestamps, etc., not to mention the possibility of information in the swap file being overwritten.
It would certainly give a lawyer the possibility to suggest that the filesystem had been modified by LEO and at worst, could suggest LEO planted the evidence...
CISSP, C|EH, C|HFI
<<

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Tue Apr 29, 2008 5:51 pm

Re: "New" tool

Wouldn't it depend on how the USB drive was set up? Surely if the partition with the tools on was set up like the CD partition (read only) on the Hacksaw (U3), for example, and the other partition was to log the results of running the tools, it wouldn't be that dissimilar to running tools from a CD.

I know a registry key would be created for the USB device but the first responder or LEO would be documenting the process and tools in use anyway so that would explain that.
----------------------------------
http://synjunkie.blogspot.com
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Apr 30, 2008 3:44 am

Re: "New" tool

I'll leave the modification aspect of this tool to the forensics people; my first thought when I read this story yesterday was:
How long will it take for this 'tool' to hit the underground/mainstream?
<<

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Apr 30, 2008 5:30 am

Re: "New" tool

From the description of the tool it doesn't sound very different from what it's possible to achieve with the U3 switchblade or hacksaw (see hak.5 forums). Obviously the tools within those kits are aimed at the attackers and are already available and in use. The forensic tools can easily be ported over from an incident response toolkit that is also available.

I would suggest that this tool is nothing new and once again the defenders are playing catchup.
----------------------------------
http://synjunkie.blogspot.com
<<

oneeyedcarmen

Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Wed Apr 30, 2008 8:43 am

Re: "New" tool

[quote=SynJunkie]I would suggest that this tool is nothing new and once again the defenders are playing catchup.[/quote]

Hence the quotation marks in the title of the thread...

;D
Reluctant CISSP, Certified ASS
<<

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Apr 30, 2008 6:12 pm

Re: "New" tool

Right. Missed those.

I need to read more carefully before posting I guess.
----------------------------------
http://synjunkie.blogspot.com
<<

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Apr 30, 2008 6:52 pm

Re: "New" tool

What exactly do they mean by "map hard drives"?
