
Have you ever locked yourself out? (by Casey Mullis)

Have you ever locked yourself out of your house or car? It happens by mistake as we go through life. Have you ever locked yourself out of your files or data? Those who have can relate to this. I have set a password on a file and a week or two later forgotten what I set the password to. I did some research and found a way to either recover the password or just bypass it altogether.

What we cannot afford is to lock ourselves out of a suspect hard drive. There are options out there to make sure we do not do that.

Data lock

Encrypted Disk Detector (EDD) is developed and published by Magnet Forensics. We obtained permission to use and deploy this tool in Win-UFO, which is free to use as well. Win-UFO has partnered with CAINE and has been included in the new version as the live-side tool, with CAINE being the boot side.

What is EDD and what is it used for? I quote from the Magnet Forensics web site.

EDD: What it does

Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for Bitlocker® volumes.
(Version 2 released April 22, 2013)

How investigators use EDD

EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.

Supported Encrypted Volumes

Currently, EDD detects TrueCrypt, PGP®, Safeboot, and Bitlocker® encrypted volumes, and we’re adding to this list with each new release. EDD is available for download now — completely free of charge.

End Quote…
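To make the quoted description concrete, here is an added example (my own illustration, not EDD's code or anything from Magnet Forensics or Win-UFO) of the flow it describes: read the MBR, look for a boot-loader marker, walk the partition table, then read each volume boot record and report the OEM ID and, where the format keeps one in the boot sector, the volume label. The BitLocker OEM ID "-FVE-FS-" and the FAT/NTFS boot-sector offsets are standard; the "TrueCrypt Boot Loader" text searched for in the MBR and the "opaque volume" heuristic (no boot signature, no recognisable filesystem) are assumptions of this example and not something the page states. The sample disk is constructed in the script so it runs offline; on a real system the read_sector callback would read the physical drive through a forensically sound path instead.

```python
import struct

SECTOR = 512
BITLOCKER_OEM_ID = b"-FVE-FS-"                    # OEM ID written into the VBR of a BitLocker volume
TRUECRYPT_MBR_MARKER = b"TrueCrypt Boot Loader"   # text in a TrueCrypt system-encryption MBR (assumption)


def parse_partition_table(mbr):
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS(3) type(1) CHS(3) LBA start(4, LE) sector count(4, LE)
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:
            parts.append({"index": i, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def inspect_volume(vbr):
    """Classify one volume boot record by its OEM ID; report a label where the format keeps one there."""
    oem = bytes(vbr[3:11])
    info = {"oem_id": oem.decode("ascii", "replace"), "filesystem": None,
            "encryption": None, "label": None}
    if oem == BITLOCKER_OEM_ID:
        info["encryption"] = "BitLocker"
    elif oem == b"NTFS    ":
        info["filesystem"] = "NTFS"        # NTFS keeps its label in $Volume, not in the boot sector
    elif vbr[82:90] == b"FAT32   ":
        info["filesystem"] = "FAT32"
        info["label"] = vbr[71:82].decode("ascii", "replace").rstrip()
    elif vbr[54:57] == b"FAT":
        info["filesystem"] = "FAT12/16"
        info["label"] = vbr[43:54].decode("ascii", "replace").rstrip()
    elif vbr[510:512] != b"\x55\xaa":
        # No boot signature and no recognisable filesystem: the volume is opaque to us.
        # That is how a TrueCrypt/PGP container looks from outside, so flag it for follow-up (heuristic).
        info["encryption"] = "opaque"
    return info


def scan_disk(read_sector):
    """read_sector(lba) -> 512 bytes. MBR first (boot-loader marker), then each partition's VBR."""
    mbr = read_sector(0)
    report = {"mbr_truecrypt_loader": TRUECRYPT_MBR_MARKER in mbr, "volumes": []}
    for part in parse_partition_table(mbr):
        vbr = read_sector(part["lba_start"])
        report["volumes"].append({**part, **inspect_volume(vbr)})
    return report


# ---- constructed sample disk (not real evidence) ----
def _vbr(oem, fat32_label=None):
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                 # jump instruction every real VBR starts with
    s[3:11] = oem
    if fat32_label is not None:
        s[71:82] = fat32_label.ljust(11).encode("ascii")
        s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_disk():
    """Four partitions: BitLocker, plain NTFS, FAT32 with a label, and an opaque (container-like) one."""
    layout = [(0x07, 2048, 204800), (0x07, 206848, 204800), (0x0C, 411648, 65536), (0x07, 477184, 65536)]
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x00, ptype, lba, count)
    mbr[510:512] = b"\x55\xaa"
    opaque = bytes((i * 131 + 7) & 0xFF for i in range(SECTOR))   # deterministic noise, no 0x55AA
    return {
        0: bytes(mbr),
        2048: _vbr(BITLOCKER_OEM_ID),
        206848: _vbr(b"NTFS    "),
        411648: _vbr(b"MSWIN4.1", fat32_label="EVIDENCE"),
        477184: opaque,
    }


if __name__ == "__main__":
    disk = build_sample_disk()
    result = scan_disk(lambda lba: disk[lba])
    print("TrueCrypt loader in MBR:", result["mbr_truecrypt_loader"])
    for v in result["volumes"]:
        print(f"partition {v['index']} @LBA {v['lba_start']}: oem={v['oem_id']!r} "
              f"fs={v['filesystem']} enc={v['encryption']} label={v['label']}")
```

The point for the responder is the last partition: it carries no signature at all, and that absence is exactly what a full-volume container looks like from outside, which is why a quick boot-sector check belongs before anyone decides to pull the plug.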

As a computer forensic analyst you may be called to go to a crime scene and look at the computer(s) on scene. When you get there you find the computer turned on. The old school of thought is to pull the plug and look at a dead box. This does not work in today’s world, as you very well may lock yourself out of the evidence.

What, you did not know that complete hard drive encryption is now readily available to everyone in the world? What, you keep getting told that no one does this? Well, you do now, and that is why we share information and help each other get the job done. If no one does it, then why is it such a big thing on the internet?

If we stick to the old school of thought and pull the plug and bring the box back to the office, or pull the hard drive on scene, then you very well may have locked yourself out of the evidence. You cannot just look under “My Computer” and say “Oh, it is not encrypted.” There very well may be a hidden partition that is encrypted that you are not seeing. Remember, in the computer age nothing is as it seems.

In today’s world all you need is internet access and you can find out how to do anything. It is not like years ago when only a select few had the knowledge of computers. YouTube has made it easy to learn about many things. Sharing ideas good or bad has never been so easy in 2014. Enter Magnet Forensics with EDD and Win-UFO.org.

Win-UFO deploys EDD on the reporting side of the program. When you run Win-UFO, we have set it to collect the data regarding hard drive encryption via EDD. You do not need to do anything. No need to know the command line; we do it for you. This is only one thing we do on the front end for you. We will write more about the tools in Win-UFO as we go along.

Every time things change in life, we have a hard time changing with them. Think back to fingerprints and/or DNA. They had their issues getting off the ground as well. No one knew what it was and pushed back on it. Computer forensics is at that stage, and we need to come together to bring it all together for tomorrow.

Hard drive encryption is widely used, and there are many resources out there for people to use these methods to hide their data. Do not fall into that trap and do not let the evidence get away. We are starting a gofundme page to help keep Win-UFO and Lin-UFO up and going here in America. Win-UFO has been downloaded over 4000 times. If those who downloaded it so far donated ten dollars, then we would have what we needed to keep it going. Please consider donating to Win and Lin-UFO at http://www.gofundme.com/6g321w

Thank you for stopping by and I hope this helps you to know about one more thing Win-UFO is doing on the front end for you. Check out Magnet Forensics and all the great things they offer to the world.

Casey

Author - Emory Mullis has been in Law Enforcement for roughly 19 years including military and civilian law enforcement. He started learning about computers back when a Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my new-found 266 apart. Why, I have no idea other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!