Digital Forensics General!

If it isn't a thing, can it be from now on?


Firefox can be given amnesia. You can literally disable all forms of cache in about:config.

I'm trying to do the same thing with Chromium. I thought fellow members of Jow Forums might be interested in the method I've discovered.

You can't disable disk cache in chrome outside of the command line arguments. However, this is inconsistent as opening chrome via outside links ignores the command line arguments among other problems.

If you go into your chrome profile via drive:\users\--username--\AppData\Local\Google\Chrome\User Data\Default, you can change the properties on the Cache and Media Cache folders, go to the Security tab, Advanced, Disable inheritance, and then remove all permission entries. This means chrome can no longer write to it, and thus cannot touch your media. If you try to go into the folders without security, the only way in re-enables your access and chrome's access as a result. Just check the size and file count via the folder properties instead.

This security removal works for files as well. It's the Windows equivalent to /dev/null, except the software thinks there's write access issues.

Incognito mode still caches to disk.

Yes, TAILS is even better, but that is not ideal for daily use.

I work in digital forensics. Ask me anything.

Attached: .jpg (1282x983, 761K)

Jesus christ, greentext tl;dr my boy. We have the attention span of an aging goldfish.

>Remove all Security permissions on a folder or file and it blocks all writes to it
>Chrome can't touch the hard drive.
>Enable page file encryption so ram data isn't exposed on the media.
>Now incognito mode no longer leaves traces on the ssd/hdd.

clarification:
>Chrome can't write to any file or folder in your profile you disallow.
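
Script form of the OP's procedure and of the greentext summary above, as an added example that is not code from the thread. It records each cache folder's file count and size (the check the OP recommends), deletes what is already cached, strips the ACL with `icacls` on Windows (falling back to `chmod 000` elsewhere), and then proves the lockdown by attempting a write and expecting a permission error. The profile path is the one the OP quotes, resolved from %LOCALAPPDATA% (assumed single-profile install); the `icacls` semantics are taken from Microsoft's documentation, and `make_sample_profile` builds a constructed throwaway profile so the script can be tried without touching a real one.

```python
import os
import pathlib
import shutil
import subprocess
import tempfile

CACHE_DIRS = ("Cache", "Media Cache")   # folder names quoted in the thread
# The greentext's "page file encryption" step: real fsutil syntax, needs an
# elevated prompt and a reboot before it applies.
ENCRYPT_PAGEFILE_CMD = ["fsutil", "behavior", "set", "EncryptPagingFile", "1"]

def footprint(path):
    """(file count, total bytes) under a folder, i.e. what the Properties dialog
    shows.  Take it before locking: an empty DACL also stops you listing it."""
    count = size = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            count += 1
            size += os.path.getsize(os.path.join(root, name))
    return count, size

def purge(path):
    """Delete what is cached today: denying future writes does nothing about
    existing thumbnails (and deletion leaves carvable remnants, which is the
    OP's argument for never caching in the first place)."""
    for entry in os.scandir(path):
        if entry.is_dir(follow_symlinks=False):
            shutil.rmtree(entry.path)
        else:
            os.remove(entry.path)

def icacls_lockdown(path):
    """Command-line form of Security > Advanced > Disable inheritance > remove
    all entries.  /inheritance:r drops every inherited ACE (on a fresh cache
    folder that is all of them; an explicit entry would also need
    /remove:g <principal>).  With no /grant the DACL is empty, so every
    principal, your own account included, is denied.  Administrators can still
    take ownership, which is the thread's 're-enables your access' caveat."""
    return ["icacls", str(path), "/inheritance:r"]

def lock(path):
    """Windows: empty DACL via icacls.  Elsewhere: the 'chmod -R 000 chromium/'
    reply.  Mode bits do not bind root, so that only stops an unprivileged
    browser process."""
    if os.name == "nt":
        subprocess.run(icacls_lockdown(path), check=True)
        return
    for root, dirs, files in os.walk(path, topdown=False):
        for name in files + dirs:
            os.chmod(os.path.join(root, name), 0)
    os.chmod(path, 0)

def write_is_blocked(path):
    """Prove it the way Chrome will experience it: a write attempt that fails
    with a permission error rather than succeeding silently."""
    probe = os.path.join(path, "probe.tmp")
    try:
        with open(probe, "wb") as fh:
            fh.write(b"x")
    except PermissionError:
        return True
    os.remove(probe)
    return False

def harden_profile(profile=None):
    """Purge and lock both cache folders of a profile; returns a report.
    Default path is the one given in the thread, resolved from %LOCALAPPDATA%
    (assumption: a single-profile Chrome install)."""
    if profile is None:
        profile = (pathlib.Path(os.environ.get("LOCALAPPDATA", ""))
                   / "Google" / "Chrome" / "User Data" / "Default")
    profile, report = pathlib.Path(profile), {}
    for name in CACHE_DIRS:
        folder = profile / name
        folder.mkdir(exist_ok=True)   # must exist, or Chrome recreates it writable
        before = footprint(folder)
        purge(folder)
        lock(folder)
        report[name] = {"purged": before, "blocked": write_is_blocked(folder)}
    return report

def make_sample_profile():
    """Constructed stand-in for a real profile, so the script can be tried
    safely: a temp dir holding a few fake cache entries."""
    prof = pathlib.Path(tempfile.mkdtemp(prefix="fakechrome_"))
    for name in CACHE_DIRS:
        (prof / name).mkdir()
    (prof / "Cache" / "f_000001").write_bytes(b"\xff\xd8\xff")        # JPEG stub
    (prof / "Cache" / "index").write_bytes(b"idx!")
    (prof / "Media Cache" / "f_000002").write_bytes(b"\x1aE\xdf\xa3")  # WebM stub
    return prof

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_profile()
    for name, r in harden_profile(target).items():
        print(f"{name}: purged {r['purged'][0]} files / {r['purged'][1]} bytes; "
              f"writes now blocked: {r['blocked']}")
```

Run it with no argument to exercise the constructed profile, or with the real profile path (Chrome closed) to apply it for real. The write probe is the part that matters: a lockdown you have not watched fail a write is a lockdown you are assuming.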

first one is a damn good idea

>fa/g/gots browse Jow Forums and every thumbnail ever displayed ends up in the medium of their ssd/hdd because of caching.
>digital forensics guy can file carve all those images back to life.

>B-B-But I was just browsing Jow Forums!

Attached: 1529883605957.jpg (767x1024, 214K)
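
What "file carve all those images back to life" looks like in practice, as an added example that is not from the thread: a minimal carver of the kind an examiner points at a raw image or unallocated space, recovering files by their own structure rather than by directory entries. JPEG is cut header to end-of-image marker, PNG by walking its chunks to IEND with CRCs checked. The "disk image" it runs on is constructed inline (filler, a JPEG-shaped blob, a real 1x1 PNG, and a JPEG whose tail was overwritten), so the script runs offline.

```python
import struct
import zlib

JPEG_SOI = b"\xff\xd8\xff"       # start of image, followed by a marker byte
JPEG_EOI = b"\xff\xd9"           # end of image
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_jpeg(data, start):
    """Cut the JPEG at `start` at the first EOI marker.  Byte stuffing keeps
    FF D9 out of entropy-coded scan data, but an EXIF thumbnail carries its own
    SOI/EOI, so a naive carve can stop at the thumbnail instead of the image."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    if end == -1:
        return None   # truncated: the tail was overwritten or lies off the image
    return data[start:end + len(JPEG_EOI)]

def carve_png(data, start):
    """Walk PNG chunks (length, type, payload, crc) until IEND, so the carved
    length is exact and a false signature hit is rejected by its CRC."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return None
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xffffffff != crc:
            return None   # corrupt chunk: not a real PNG, or partly overwritten
        pos = chunk_end
        if ctype == b"IEND":
            return data[start:pos]
    return None

def carve(data):
    """Scan `data` for signatures; return a list of (offset, kind, bytes)."""
    hits, pos = [], 0
    while pos < len(data):
        j = data.find(JPEG_SOI, pos)
        p = data.find(PNG_SIG, pos)
        cands = [(o, k) for o, k in ((j, "jpeg"), (p, "png")) if o != -1]
        if not cands:
            break
        off, kind = min(cands)
        blob = carve_jpeg(data, off) if kind == "jpeg" else carve_png(data, off)
        if blob is None:
            pos = off + 1          # false positive or truncated; keep scanning
            continue
        hits.append((off, kind, blob))
        pos = off + len(blob)
    return hits

def _png_chunk(ctype, payload):
    body = ctype + payload
    return (struct.pack(">I", len(payload)) + body
            + struct.pack(">I", zlib.crc32(body) & 0xffffffff))

def build_sample_image():
    """Constructed 'unallocated space' for the demo.  Returns the image plus
    the two files that should come back out of it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + _png_chunk(b"IEND", b""))
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI
    filler = bytes(range(256)) * 4                         # no signatures inside
    truncated = JPEG_SOI + b"\xe0" + b"\x11" * 20          # tail overwritten, no EOI
    return filler + jpeg + filler + png + filler + truncated, jpeg, png

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for off, kind, blob in carve(image):
        print(f"{kind} at offset {off}, {len(blob)} bytes")
```

Real tools (Scalpel, PhotoRec, the carvers inside the suites named later in the thread) do the same thing with many more signatures and smarter handling of fragmentation; the point here is that nothing about it needs the filesystem to cooperate, which is why "I deleted it" is not a defence.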

Be a ninja, not a retarded m&m.

I like this kind of thread. Anyways, I don't know what to ask you, so here's a random webm from the applel thread: is3.Jow Forums.org/g/1530317234877.webm. What can you tell me about it (the file, not the comparison)?

Is that a riddle? Jow Forums strips most metadata off webm files. I don't even know when it was created. For all I know someone used a steganography tool to embed their favorite cookie recipe into it.

What the hell is the point of this? Just encrypt the fucking disk.

Elaborate

You don't want data to exist in the first place. Encrypt the disk AND browse with amnesia. Encryption doesn't solve access control. Encryption doesn't solve legal extortion. If you never leave a trace, there is no trace to protect or destroy!

Think McFly.

lifehacker.com/230915/geek-to-live--hide-data-in-files-with-easy-steganography-tools
Is this the elaboration you were asking for

Nope. I want you to tell me more about the file.

I am not doing your homework assignment, user.

>homework assignment is to analyze random webms on Jow Forums just for lulz

Jow Forums strips the metadata when it hosts files. Jow Forums also removes hidden files in it. What exactly do you want me to find?

A cute anime pic. I'm sorry that I wasted your time user I just don't know what to ask. If you are willing to you can continue on posting tips in this thread I will gracefully read them.

I meant to say thankfully but who cares

She's beautiful, isn't she?

Anyhow, encryption is useless by itself. There are so many aspects of security that nullify the benefits of encryption!

The Evil Maid Attack is one example. Curious? Read threatbrief.com/evil-maid-attack/

Attached: untitled_drawing_by_delightfuldiamond7-dbar4yj.png (990x431, 50K)

>Investigations by Sintonen showed that insecure defaults in Intel’s AMT allow an intruder to completely bypass login credentials in any laptop in 30 seconds, which lends itself to the “evil maid” scenario. When going public with his findings in January 2018, Sintonen said that even a minute of distracting a target from their laptop is enough to enable an attacker to gain access to the target machine.

>threatbrief.com/evil-maid-attack/
On what operating systems?

The Evil Maid Attack doesn't care about what operating system you run. All systems are vulnerable!

Of course I am curious. Post some more I have plenty to read already to be honest but I'm always looking to expand my collection of articles. I kinda feel like I'm letting you down by not having anything specific to ask as you decided to spend some time here but yeah anyways who cares.

Grab a video series on Certified Ethical Hacker, SSCP, or CISSP. Torrents have it. It's great stuff.

I'm SSCP myself.

What if boot from HDD is only enabled, and no booting from USB allowed? What then?
How does the attack work? How can they run software?

The article I linked tells you steps to protect yourself from the attack, quoted here:
>Never leave devices unattended.
>Always carry with you all small peripherals, such as USB drives.
>Avoid using any unknown peripheral.
>Ensure BIOS and firmware update are applied without delay.
>Enable input–output memory management unit (IOMMU) features.
>Adopt full disk encryption.
>Enforce secure boot protection.
>Shut down devices when unattended.

Moral of the story: Physical access usually means the game is over!

Thank you pal will check that out. As I understood the attack you've linked bypasses all those fancy features like secure boot and others right?

chmod -R 000 chromium/

ok ez

Yes, because Intel fucked up.

Lmao, one of the posters here was right, Jow Forums truly has a weird attention span. Didn't see that in the article the first time, gee what a shame.

Chromium needs access to at least a few of those files, ha.

The best way to dispose of a physical drive is with a drill. Drill through about 5 times. Bonus, works with SSDs and spinning platters alike, and it's fun.

Oh, I finally got something to ask! I know that it might not be exactly your kind of field, but is there any kind of hash to verify the integrity of hardware and the microcode it contains?

Trusted computing models attempt this, but I don't know of any way of doing it myself. If there were a simple way to verify hardware and microcode, no such agency would have been found out a long time ago.

If an attacker has access to the hardware and can change the microcode or solder leads, all bets are off.

I'm just here bored listening to Megadeth while recovering from my vasectomy. Had it done today. It was like a dental root canal, but down below. Unrelated to forensics of course, but I will tell you the most secure way of living: never have kids. Stallman agrees.

Interesting. What if the attacker has prolonged access to the device but, let's say, they don't want to mess with it by compromising the OS but rather deal with the hardware directly, probably installing some kind of firmware directly on a chip? The reason I ask is that I've barely seen anyone discussing those possibilities, as they seem to be way too time consuming and require prolonged access to the device.
I'm no expert on security, these are just questions from an amateur, and I have one more. What are the weirdest but at the same time very logical ways to transfer information that you know of, have heard of, or encountered? To give you an example of what I mean, I think you'll recall the bit in the news when some folks introduced a concept of transferring binary code through the fan.

en.wikipedia.org/wiki/Air_gap_malware
>In general, researchers demonstrated that air-gap covert channels can be realized over a number of different mediums, including:
>acoustic
>light
>seismic
>magnetic
>thermal
>radio-frequency
>physical media

Does almost every medium known to physics count?

Damn that's cool. It's one of those "it's so obvious!" things most folks don't think about.

It's more than "It's so obvious." The reality of contemporary computer security is a validation of paranoid schizophrenics' nightmares.

cont
That is to say, your tin foil hat isn't a proper faraday cage, and high security areas use the proper faraday cage over the entire room...

Is it possible to make a proper faraday cage around let's say a USB stick or any other device that'll keep the device safe even in case of EMP exposure under load (being used)?

You don't have to make it.
amazon.com/Faraday-Cage-Bags-10pc-Electro-shielding/dp/B00WLI5G7G
Amazon is full of the stuff.

I have a feeling that if an EMP happens strong enough to hurt your electronics, you will be more concerned about the nuclear holocaust than your cat photos.

I'm just asking questions as you go. I thought about more elegant solutions that'll allow the device to remain safe even if it's connected and transferring data during something like that.
Another dumb question incoming. To my understanding, to be a good specialist in your field you are obliged to assume every single possibility there is, right? (from the most basic shit to the most technologically insane and complex). Do forensics people carry any kind of responsibility for not detecting the things they simply can't detect due to lack of knowledge or some technology being very obscure, or not? Do you have much "empty" time at work dedicated to improving your skills or something?
Do those acoustic-thermal methods work for example in server rooms?

It's very methodical. You just gather the evidence and recover the history. You don't assume anything. The most technologically insane and complex is usually behind 7 proxies.jpg

>In forensic science, Locard's exchange principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.

I don't see why server rooms aren't susceptible.

Attached: Good_Luck_I_m_Behind_7_Proxies.jpg (800x450, 67K)

Why aren't you using Brave?
Brave has
* Tor incognito tabs
* Adware/spyware blockers built in and enabled by default
* Built in bittorrent

It's literally the botnet's worst nightmare

Too much noise to effectively utilize some methods? Not usually I guess but still.
Ah now I kinda understand. I thought about it more like a "free research" job rather than a by the book approach. I don't have any more questions though.

I am more than Brave. I am Courageous and use uBlock Origin. There is absolutely nothing in Brave that adds value beyond what addons on Chrome can accomplish.

Honest question:

Why even bother unless you have something valuable or are doing something illegal? There's no point to digital security beyond that. If someone wants to frame you for something, it's not exactly like a lack of evidence has prevented a conviction.

Why not do everything to prevent yourself from being a target instead?

>Why even bother unless you have something valuable or are doing something illegal?
law.cornell.edu/uscode/text
Yeah, please study that, assuming you are in the US. Then study your state code, county code, and city code. Oh yeah, you might need a JD to understand it. And you'll have to look at case law.

Assuming you lack the eternity it takes to keep track of the law, you can't know for sure what is legal. That's for courts and lawyers to decide. So bother. Bother with protecting yourself because you never know.

>Why not do everything to prevent yourself from being a target instead?
That's the point of being a digital amnesiac!

The complexity of the law or an abundance of them is actually an incredibly weak argument. Law enforcement is neither infinitely capable nor infinitely interested. Hundreds of millions of people speed up and down the road every single day without so much as a ticket. It's simply not possible to target everyone, and breaking some menial law is never going to get you targeted when there are people selling drugs, running sex rings, and embarking on murder sprees.
If the legal system or some big brother was actually interested in arresting and convicting as many people as possible for breaking any possible, trite code imaginable, and were actively engaged in doing so, AND it was as easy to break a law, be noticed, found, arrested, and convicted as you make it seem, far more people would be in jail.

>That's the point of being a digital amnesiac
Seems like an awful lot of effort to go through when you could just not break the law instead and keep valuable things physical and/or off the net.

>AND it was as easy to break a law, be noticed, found, arrested, and convicted as you make it seem, far more people would be in jail.
According to the US Bureau of Justice Statistics (BJS), 2,220,300 adults were incarcerated in US federal and state prisons, and county jails in 2013 – about 0.91% of adults (1 in 110) in the U.S. resident population. Additionally, 4,751,400 adults in 2013 (1 in 51) were on probation or on parole.

>Seems like an awful lot of effort to go through when you could just not break the law instead and keep valuable things physical and/or off the net.
I'm not breaking the law. I do everything I can to follow what laws I have time to learn.

>.91% of the population
Exactly my point. If you extend that to the global arena and remember that the highest rate of incarceration on Earth has .91% of its population incarcerated a year, the whole idea of "You can't know what laws you're breaking" kind of falls flat. If everyone was breaking the law and the legal system was doing everything it could to put everyone possible in jail, you'd have a 99.09% chance of getting skipped.

>I'm not breaking the law.
I don't mean to imply you are. I assume you have something you think is valuable to protect. I don't mean to come off argumentative or antagonistic, and I think I may not be communicating as effectively as I could.

I am honestly asking you, in your opinion, if any given person should be interested in this if they aren't doing something highly illegal or aren't trying to safe guard something valuable? I only ask this because it seems like a lot of effort, but also important to consider. It's a weighing options thing.

>I am honestly asking you, in your opinion, if any given person should be interested in this if they aren't doing something highly illegal or aren't trying to safe guard something valuable? I only ask this because it seems like a lot of effort, but also important to consider. It's a weighing options thing.

Yes. Merely browsing some boards of Jow Forums, and indeed any boards where horrible things are posted, making your browser an amnesiac is worth it.

Privacy is not illegal.

>Privacy is not illegal
I 100% agree, and I think the position that only those who have something bad to hide want privacy is stupid and disingenuous. I only frame my question that way because it seems to me that minor infractions are not something that will get you arrested.

You make a good point about Jow Forums, though. Some asshole could post something highly illegal, and it would be difficult to prove to a jury that you didn't put that information on your storage on purpose.

Thank you for putting up with my inability to form sentences in an intelligible way.

Do you use FTK or EnCase? They taught us forensics with those tools and they seemed pretty powerful. It actually taught me more about infosec and infosys than using those tools. Learned a lot more about the Windows registry and Mac config files.

Attached: 1527530001260.jpg (466x700, 190K)

I have job offers for DFIR and Cyber Threat Intelligence at similarly prestigious companies. Which should I take? Which has better career options down the line?

The threat intel role will revolve around technical analysis. The IR role will be technical but responding to alerts and triaging (it sounds like 3rd like SOC).

3rd line*

...