All very interesting posts. But another factor to consider would be privacy/security. Having the evidence changed is one issue and can be answered by back tracking with the original hashes as explained very fully within the previous posts.
But, considering the area we work in, privacy is obviously an issue. So, for me, unauthorised access is just as big an issue. I would never want to make the call to the client explaining how their evidence had leaked out into the public domain.
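The post above relies on "back tracking with the original hashes" to show that evidence has not changed. As an added illustration (my own code, not anything posted in this thread), here is a small manifest workflow: hash each image at acquisition, store the digests in a manifest, and re-verify later. The image data, file names and manifest format are constructed for the example; a real lab would keep the manifest on write-once media or sign it so the reference hashes cannot be altered along with the image.

```python
"""Acquisition-time hash manifest for evidence images, with later re-verification.

Added example, not from the forum thread. File names, image contents and the
JSON manifest layout are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read images in 1 MiB pieces so multi-GB files do not hit RAM


def sha256_file(path):
    """Streamed SHA-256 of a file; returns the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_paths, manifest_path):
    """Record {basename: sha256} for each image at acquisition time."""
    manifest = {os.path.basename(p): sha256_file(p) for p in image_paths}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(image_paths, manifest_path):
    """Re-hash every image and compare with the stored digest.

    Returns {basename: (expected, actual, ok)}; a missing manifest entry
    counts as a failure rather than being silently skipped.
    """
    with open(manifest_path) as f:
        expected = json.load(f)
    results = {}
    for p in image_paths:
        name = os.path.basename(p)
        actual = sha256_file(p)
        exp = expected.get(name)
        results[name] = (exp, actual, exp is not None and exp == actual)
    return results


def demo():
    """Constructed scenario: verify passes, then a one-byte change makes it fail.

    Returns (all_ok_before_change, all_ok_after_change).
    """
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "case001-disk0.dd")
        man = os.path.join(d, "case001-manifest.json")
        with open(img, "wb") as f:           # constructed "image", not a real disk
            f.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)
        write_manifest([img], man)
        before = all(ok for _, _, ok in verify_manifest([img], man).values())
        with open(img, "r+b") as f:          # simulate tampering with one byte
            f.seek(4100)
            f.write(b"X")
        after = all(ok for _, _, ok in verify_manifest([img], man).values())
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verification deliberately reports a missing manifest entry as a failure, since an image that was never hashed at acquisition cannot be defended with this method at all.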
Agreed.
In the situation that I described, unauthorized intrusion is practically impossible. But extrusion is a different matter which is why we go to great pains to block unauthorized outgoing traffic. In fact, most of the IR problems that I have seen in the past few years have not been intrusion issues but issues caused by too little concern for what goes out of the enterprise or what comes in via browsers or e-mail.
A report from Microsoft showed that when users were given a browser which warned about the possibility of malware when visiting a site, 88 percent ignored a warning about BearShare and continued to download the file, 68 percent ignored a warning concerning ZangoSearch Assistant and 23 percent ignored warnings about a Trojan downloader.
That is why, from my perspective, the biggest threat to putting your analysis systems on the Internet will come from sloppy practices on the part of the users. This is why locking down applications and monitoring user activity is so important.
Ah I see, a student.
I thought the same when I saw the initial post.
Nothing wrong with that Chrism.
seanmcl - do you (or anyone) have a link for Carrier's paper that you refer to? The need for falsifiability in science was Karl Popper's big thing (the philosopher of science). This is a very smart application of that principle. Excellent post.
I have a PDF of the paper. PM me your e-mail address and I'll send it to you.
Thank you.
A question by the defence could be "Could anyone have hacked in and changed the data?", and you would have to answer with a yes, and then explain encryption to the Judge/Jury…
Does anyone use a VPN in their environment? And if you don't, why not?
That same question can be (and in fact it is) raised for a variety of cases in both civil or criminal litigation, not just for a forensic environment. Imagine lawyers questioning a public company's financial statements because the finance team used the VPN.
Asking whether using VPN remote access could result in your case results being challenged is the wrong question. In fact, using a VPN may be even more secure than you think, since otherwise you open an encrypted tunnel from the client to the local LAN where all users have access; this is the typical architecture in most entities. You can configure a VPN to allow only specific users in a group to reach a specific subnet in the LAN, where your forensic workstation resides.
In regards to your main question, you seem to ignore the concept of layered security. Even if you break into the server and manage to exploit the OS or DB, the forensic software has user access controls at the application level, and may also have them at the case/project level as well.
Unless you are not using an image in your analysis, how can you change an image without changing the hash value? You may want to redefine the objective of your research.
Some great points being made here. I would extend the scope of this from VPNs to the entire network infrastructure. If, for example, a remote user uses a Wi-Fi connection, this must be properly secured, otherwise the VPN could be compromised. Your network is only as secure as the weakest point.
VPNs are used right across large commercial corporations where highly sensitive information is being accessed, from medical reports through to banking data etc.
In the current climate of austerity our forensic focus should be to embrace technology where it has been proved to be successful and help reduce lab operating costs.
A properly configured VPN would surely stand up to any subsequent risk assessment.
Some tips would be to
- Use the strongest possible authentication method for VPN access
- Use the strongest possible encryption method for VPN access
- Implement and enforce a strong password policy
- Block the use of other VPNs and remote-control software while connected to your VPN
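The tips above (strongest authentication and encryption, and, from the earlier reply, restricting VPN users to the subnet where the forensic workstation lives) are easy to state and easy to get wrong in a config file. As an added example that is not from this thread, here is a small audit script for an OpenVPN server configuration that flags the common weak settings next to a hardened version of the same file. The two configs, the key file names and the 10.10.50.0/24 "forensic subnet" are constructed for illustration; the directive names are standard OpenVPN ones. Blocking other VPNs and remote-control tools on the client is an endpoint policy and is not something a server config check can see, so it is left out.

```python
"""Audit an OpenVPN server config for the weak settings the VPN tips warn about.

Added example, not from the forum thread. The two sample configs below are
constructed; file names and subnets are placeholders.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_config(text):
    """Return {directive: [args]} (last occurrence wins).

    Strips '#' and ';' comments and skips inline <ca>...</ca> style blocks,
    whose PEM lines would otherwise be misread as directives.
    """
    conf, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def first_arg(conf, name):
    args = conf.get(name)
    return args[0] if args else ""


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_config(text)
    findings = []

    # Encryption: reject legacy 64-bit block ciphers and 'none'.
    cipher = first_arg(conf, "cipher").upper()
    if not cipher or cipher in WEAK_CIPHERS:
        findings.append(f"weak or missing data cipher: {cipher or 'not set'}")
    for c in first_arg(conf, "data-ciphers").split(":"):
        if c and c.upper() in WEAK_CIPHERS:
            findings.append(f"weak cipher negotiable via data-ciphers: {c}")

    # HMAC for control channel / tls-auth; MD5 and SHA1 are not acceptable.
    auth = first_arg(conf, "auth").upper()
    if not auth or auth in WEAK_AUTH:
        findings.append(f"weak or missing auth digest: {auth or 'not set'}")

    # TLS floor: anything below 1.2 is a finding.
    ver = first_arg(conf, "tls-version-min")
    if not ver or tuple(int(x) for x in ver.split(".")) < (1, 2):
        findings.append(f"tls-version-min missing or below 1.2: {ver or 'not set'}")

    # Control-channel protection against probing and DoS.
    if "tls-crypt" not in conf and "tls-auth" not in conf:
        findings.append("no tls-crypt/tls-auth key on the control channel")

    # Authentication: every client must present a certificate.
    if "client-cert-not-required" in conf or first_arg(conf, "verify-client-cert") == "none":
        findings.append("client certificates not required (password-only auth)")

    # Least privilege: VPN clients should not be able to reach each other.
    if "client-to-client" in conf:
        findings.append("client-to-client enabled; VPN users can reach each other")
    return findings


# Constructed "before" config with the typical weak choices.
WEAK_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
client-cert-not-required
client-to-client
push "route 10.0.0.0 255.0.0.0"   ; whole LAN exposed
"""

# Constructed hardened config: cert auth, AES-GCM, TLS 1.2+, tls-crypt,
# and a route to the forensic subnet only.
HARDENED_CONF = """
port 1194
proto udp
dev tun
cert server.crt
key server.key
dh none                       # ECDH instead of a static DH group
tls-crypt tc.key
tls-version-min 1.2
remote-cert-tls client
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 10.10.50.0 255.255.255.0"   # forensic workstation subnet only
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

The `push "route ..."` line is where the "only the subnet where the forensic workstation resides" advice lands in practice; the checker does not try to judge the route itself, because what counts as too broad depends on the lab's address plan, but the weak and hardened samples show the difference side by side.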