Hi all,
I'm not a computer forensic expert as yet, as I am still doing my masters in computer forensics, so I have very limited experience. I would like to know if there is anyone out there who has had any sort of experience dealing with any sort of biometric device, for example a fingerprint recognition hard drive or memory stick.
Scenario 1: you recover a fingerprint recognition hard drive at a suspect's house. You want to analyse the hard drive but the suspect refuses to cooperate and give their fingerprint. Obviously you can't force the suspect to give their fingerprint, so do you have to get a court order against the suspect to get their fingerprint? And let's say you can't get the court order so easily: how would you analyse the hard drive? Do you just make an image of the hard drive and use some sort of cracking software to bypass the fingerprint encrypted password? Or is there a different procedure?
Scenario 2: you work in a data recovery firm. A client comes to you with a fingerprint recognition hard drive and the scanner is broken. What procedure will you use to recover the information on the hard drive?
Hope the questions make sense, and someone out there can answer them.
Thank you
Imran
Well I thought this through recently, as we bought a tablet setup for field evidence gathering and reporting. It has a fingerprint scanner for a login. So my first thought is what happens when your finger winds up in a bowl of chili somewhere. Or maybe an employee just dies and nobody thinks about the data until they are buried. Now you either dig them up or look for a backdoor. Good luck with part "A", it takes AOL a month to get an IP address, the finger won't wait that long. A password you can remember or write down. Sure it's a weak link in the chain. Now in our tablet the data is not actually encrypted, however in many cases it is.
Understanding a little about encryption will lead you to realize just how secure this method can be. As I mentioned above a password is the weak link. If it's short, or common enough to be memorized it's not very secure. If it's long and complex enough to be secure it has to be written down or it's forgotten. Further if my password is only numbers and four characters long that's only 10000 possibilities or 10 to the 4th. It'll be cracked in seconds by someone with the proper tools. Now if I use numbers and letters that's 36 characters possible by 4 places, or 36 to the fourth. If I make it case sensitive I'm up to 62 to the fourth. Add some symbols and the possibilities expand to possibly 100 to the fourth. Good but still not good enough. Go out to 8 places and I've got a very secure password indeed. What are biometrics limited to? Can it even be compared to a written passcode? Let's say the possible combinations are 5000 to the 50th. That's not unreasonable. That's a key we're not going to crack. For computer forensics, and data recovery in general it'll cause some problems. For law enforcement, but also in the cases I mentioned above. I suppose that individuals could be compelled by a court order to produce the finger, eye, or whatever else is required to access the data. It is however something we need to prepare for. I foresee data stored increasingly more secure, with operating systems taking care of more of it by default. It's something we'll have to get used to.
First off, I'm not aware of any hard drives that are protected by a fingerprint scanner/biometric device. I know of computer systems that are, but not hard drives.
Is the distinction important? Yes, it is. The distinction between the "hard drive", "CPU", and the system itself (of which the hard drive and CPU are components) was made when I took the EnCase intro training.
That being said, if you need to see the data on the suspect's hard drive, the biometric device will not do anything to prevent you from imaging the hard drive. From that point, since you're not booting the hard drive, biometric devices are irrelevant.
I had an opportunity a couple of years ago to look at about 6 fingerprint recognition devices. They worked pretty well, for the most part…but if you booted the system with the device unplugged, most simply resorted to a login via the console…ie, password.
For scenario two…easy. Simply get a new device, of the same model. You'd be surprised at the number of forensic analysts who contact the manufacturer of a device to get information about that device.
H. Carvey
"Windows Forensics and Incident Recovery"
Hi keydet89,
There are biometric hard drives, check this out
I'm amazed no one has still been able to answer my questions properly. I guess that there is no one out there who has any experience with these types of devices.
Imran
Duh,
item is discontinued… it looks like the scanner is attached to a box in which a hard drive is contained.
I suggest that with a hacksaw or maybe even a screwdriver, the drive can be removed, and read.
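An added example, not part of any post in this thread: once a drive has been taken out of such an enclosure and imaged, a quick pass over the raw image shows whether the fingerprint reader only gated access or the data is also encrypted at rest. The sample images, the 7.5 bits/byte threshold and the function names are constructed for illustration.

```python
import hashlib
import math

SECTOR = 512

def shannon_entropy(block: bytes) -> float:
    """Bits per byte (0.0 to 8.0) of the byte distribution in block."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_image(data: bytes, chunk: int = 4096, high: float = 7.5) -> dict:
    """Check for an MBR boot signature and the share of high-entropy chunks."""
    has_mbr = len(data) >= SECTOR and data[510:512] == b"\x55\xaa"
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    used = [c for c in chunks if any(c)]  # ignore zero-filled (never written) areas
    hi = sum(1 for c in used if shannon_entropy(c) >= high)
    ratio = hi / len(used) if used else 0.0
    if ratio > 0.9:
        verdict = "likely encrypted at rest"
    elif has_mbr:
        verdict = "readable, reader only gated access"
    else:
        verdict = "inconclusive"
    return {"mbr_signature": has_mbr, "high_entropy_ratio": ratio, "verdict": verdict}

# Constructed samples (assumptions, not data from any real device).
PLAIN_IMAGE = bytes(510) + b"\x55\xaa" + b"customer record 0001, constructed text\n" * 2000
# SHA-256 counter output stands in for ciphertext: statistically random bytes.
CIPHER_IMAGE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("cipher", CIPHER_IMAGE)):
        print(name, triage_image(img))
```

Compressed archives and media files are also high-entropy, so the verdict is a triage hint to record in the examination notes, not proof of encryption.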
imrankhan,
From the link you provided, it looks as though the biometric device simply protects the hard drive from physical and electronic access. The simplest answer to your question seems to be…just open the case.
H. Carvey
"Windows Forensics and Incident Recovery"
Sorry guys, I guess that was a really bad example, so let's try again.
And also this article
So there are biometric devices out there, as I said initially.
imrankhan,
Thanks for the links, but after going back and reading your scenarios again, I don't think that really changes my answer from 3 May…call the manufacturer. Forensic analysts do this all the time.
Another option is to perform your own documented, *informed* experimentation. Back in 1991, the USAF OSI was able to piece back together a 5 1/4 in. floppy that had been cut into 24 pieces, and recover the data to convict the individual. They did so after extensive *informed* experimentation with other disks. And because they documented what they did, their procedures can be followed and the results duplicated by others.
H. Carvey
"Windows Forensics and Incident Recovery"
Thanks keydet89, I think I know what you are trying to tell me, correct me if I'm wrong: you can make a copy of the hard drive regardless of a biometric scanner, then you can just use any password crack software to bypass the password and retrieve the data on the hard drive.
Sorry to be a pain in the a** but I am even more confused now. If it is so easy to retrieve the data from a biometric hard drive, as you said treat it like any other hard drive, why are manufacturers producing these devices? Surely there must be more advanced security features. And the price of these devices is astonishing, as you can see from the links I gave before.
What I think is that because these devices are relatively new, not that many people have any experience with them, so I think it is due to this that I have not been able to get an adequate answer.
Imran
I think you may have given part of the answer yourself. The manufacturers are bulling these up as the best security device so they can charge a lot of money for them. It is good business sense. On the other hand, as they are relatively new it is still fairly uncommon in the forensic field to get one to examine. As is the way in this field, when they do start coming in it is a matter of patience and perseverance, and eventually if you try long enough you will get a way in, hopefully.
PS did you ever get a response to your placement posting?