Apr 10 2019

Computer Forensics

As regular readers remember I know a little about computers because it’s my day gig. One of the most common things I’m called on to do is Virus and Malware removal.

Almost every system has some questionable applications on it because Anti-Virus programs are picky and if you’ve installed any kind of downloaded software at all (and it’s the most popular form of distribution currently) the installer has a good chance of triggering the Heuristic warnings simply because it makes changes to your files and registry. Most working techs will let the A/V spin until it comes up with something (anywhere from 15 minutes to hours) and after exhausting your supply of chit chat and banter, when both of you are thoroughly bored, you shake your head and tsk tsk and say, “Well, it’s going to need an overnight scan.” This is simply so you can get rid of the customer and start really working.

I am excellent at this which is why I’m worth every bit of the $30 an hour I customarily charge which is quite a bargain anyway.

Now I’m not going to claim I use best practices. What I do instead is I have an A/V Master Drive with a bare bones Windows install and about 17 different kinds of Anti-Virus on it. When I’m preparing to work on a suspect machine I make a copy of it (actually have a part that does that in hardware so the Master hasn’t touched a computer since I set it up) and use that instead in case something catastrophic happens. Then I install it in my desktop, unhooking all my normal drives, update the databases and install any upgrades so the Diagnostic Machine is current.

Then I’ll yank the suspect Hard Drive, plug it in (if you do this through a USB 3.0 connection you can have all your A/V up and running before your machine even sees it) and start scanning the crap out of it.

It really is an overnight job, maybe several, but it’s not like you have to give it undevoted attention.

So that’s the way I do it because I’m lazy and Windows-centric and it’s good enough for most things. Were I serious, I’d use DEFT.

DEFT is an Ubuntu Linux based OS with a lot of live jive Forensic tools as part of the build (because it’s Linux you could pull them out of the repositories individually but it’s a pain in the ass). The Digital Evidence & Forensic Toolkit was developed in Italy and while the Five Eyes and other No Such Agencies may have better, it’s light years ahead of most State and Local Police Departments.

Download here. You burn it to a CD or DVD so there’s absolutely no possibility that a Virus can infect it, read only.

I hate to brag, but I’m fairly bright, certainly on the right side of the Bell Curve. I would expect that FBI and Secret Service Agents have above average intelligence since they’re supposed to be “special” and “elite”.

Let me tell you what you should not do with a suspect Memory Card, Thumb, or Hard Drive- just slap it in your regular old unprotected computer.

Techies Snicker at Secret Service Agent’s Mar-a-Lago Malware
by Kevin Poulsen, Daily Beast

A Secret Service agent investigating Yujing Zhang’s visit to Mar-a-Lago infected one of the agency’s own computers with the malware carried in by the unannounced Chinese national, a move that provoked wide derision Monday from computer security professionals.

“You don’t put an unknown USB into your computer,” said Chris Wysopal, chief technology officer at Veracode. “That’s in all the training everyone gets, even in your dumb corporate training. You even tell your mom that.”

Wysopal’s tweet highlighting the apparent gaffe earned more than 3,000 retweets Monday, as the computer security community executed a collective face-palm. “Whoa! Never seen that USB execution thing before!” quipped Kaspersky researcher Kurt Baumgartner. “Sounds like an agent trying to crack the case before the cyber team got there,” opined Eric O’Neill, a former FBI surveillance specialist.

In a sworn affidavit filed at Zhang’s arrest, the agency said it discovered the “malicious malware” during a “preliminary forensic examination” of the thumb drive. The new details that emerged at a hearing in West Palm Beach sound a lot more like the Secret Service just plugged the USB drive into one of its computers.

The biggest giveaway is that the review was cut short when the examining agent noticed “a file” installing itself on the agent’s machine. “He stated that he had to immediately stop the analysis and shut off his computer to halt the corruption,” testified the Secret Service’s Samuel Ivanovich, according to The New York Times. The thumb drive’s behavior was “very out of the ordinary,” Ivanovich added.

Forensics examiners don’t usually interrupt malware when it’s in the middle of giving itself away, security experts point out. “For all you know, if the thing is doing something, and you pull it out, it might detect that it’s been seen,” said Wysopal. “Forensically it makes no sense.”

“Let it run,” said Michael Borohovski, co-founder of Tinfoil Security and an intelligence-community veteran. Borohovski notes that a professional forensic environment runs within a virtual machine where there’s no concern of infection. “Watch it run. Attach a debugger. Then restore your safe snapshot and do it all over again to your heart’s content.”

The Secret Service didn’t respond to inquiries for this story.

Now “Preliminary Forensics” in this case pretty clearly means take a look for folders named “Kiddie Porn” and “Spying Stuff” or “Dr. Evil’s Master Plan To Kill All The Brown People (or Infidels or Capitalist Pigs, pick ’em), Destroy The Government, And Take Over The World”. You’d have to be an idiot to leave clearly labeled stuff like that lying around, yet people do.

I’ll leave you to draw your own conclusions.

My point is that even the dimmest of dimwits should know that you don’t destroy the evidence at a crime scene by clomping all around it in Hobnail Boots.

I thought CSI was popular.