Forensics Fear

by Anonymous Chi-Town Hacker

A couple of years ago, I started a job working with a forensics software company.

Their product is probably the best software on the market by far, but the company just released a new product that has made me question whether I want to stay in this position.  This software has the potential to allow Big Brother to search our computers, without us knowing it.

Allow me to explain: In the old days if someone did something wrong, we would go out and black bag the computer, bring it to a lab, and use a forensic tool to extract data for a warrant.  This technique is still used today by many companies.

However, technology now allows a forensic examiner to avoid going to the physical location at all.  The examiner can use tools that go over the Internet to search for and retrieve all the data needed for the warrant.  This is being done far more often now, as it is much more cost-effective.

Now, a forensics examiner has the ability to put a Piece of Code (POC) on every computer in a given company and to extract data from all suspects in question at one time.  If you have 10,000 computers and you are looking to see how someone leaked the Q3 data early, no problem: nine clicks of a button, and you're done.

Almost every Fortune 1000 company is either using or thinking about using this tool.  Try to telnet to port 4445 of your workstation and see if you connect to anything.  This is the default port, but the company can change it to anything they want.  If you connect, then there is nothing you can do on that computer that I couldn't tell or show you at a later time.

The default process name is enstart.exe, but this can be hidden or renamed.
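A script for the two checks the article describes (the telnet test on port 4445 and a look for the enstart.exe process name), added here as an example and not code from the author or from the vendor of the product. It assumes `netstat -an` plus `tasklist` (Windows) or `ps -eo comm` (Unix) are on the PATH, and uses the article's defaults for port and process name, which the article notes an administrator can change.

```python
import re
import socket
import subprocess
import sys

DEFAULT_PORT = 4445              # default listener port named in the article
DEFAULT_PROCESS = "enstart.exe"  # default process name named in the article

def port_accepts_connection(host="127.0.0.1", port=DEFAULT_PORT, timeout=1.0):
    """The article's telnet test: does anything accept a TCP connect on host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def listening_ports(netstat_output):
    """Parse `netstat -an` text (Windows or Unix layout); return local TCP ports in LISTEN state."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].lower() not in ("tcp", "tcp6"):
            continue
        if fields[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        local = next((f for f in fields[1:] if ":" in f), "")  # local address column
        match = re.search(r":(\d+)$", local)                   # 0.0.0.0:4445 and [::]:4445
        if match:
            ports.add(int(match.group(1)))
    return ports

def processes_matching(process_listing, name=DEFAULT_PROCESS):
    """First-column image names from `tasklist` / `ps -eo comm` output equal to `name`."""
    names = [line.split()[0] for line in process_listing.splitlines() if line.split()]
    return [n for n in names if n.lower() == name.lower()]

def run(cmd):
    """Run a command and return its stdout, or "" if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""

def workstation_report(port=DEFAULT_PORT, process=DEFAULT_PROCESS):
    """Three observations to gather before concluding the agent is (or is not) present."""
    listing = run(["tasklist"]) if sys.platform.startswith("win") else run(["ps", "-eo", "comm"])
    return {"port_open": port_accepts_connection(port=port),
            "port_in_listen_table": port in listening_ports(run(["netstat", "-an"])),
            "process_hits": processes_matching(listing, process)}
```

Call `print(workstation_report())` on the workstation; a `False` result proves little on its own, since the article says both the port and the process name are configurable.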

This software is unreal.

How Does It Work?

Essentially, the POC runs as a rootkit on every workstation and server.

The forensic tool connects to the POC with a GUI, secured with PKI PGP authentication.  The forensic POC runs underneath the operating system, so you can look into anything the OS is doing.  Also, because it is not OS-dependent, hidden directories, embedded code, changed files or even other rootkits will be detected instantly.

It also has the ability to see volatile memory, which means that processes, current users, and network ports can all be seen in real time.  If you are running a Trojan in memory, then it will be found.  If you are using Netcat or Bifrost, it will be found.

What Else Can It Do?

Because the POC is underneath the OS, it has the ability to act on all 10,000 computers at once.  It can wipe sectors, kill processes, and close ports.

There is also a plugin for IDS to make it easier to weed out false positives.  If a server is being hit with an attack, the IDS can tell the tool to go to the computer in question and to collect evidence on whatever is happening.

It can look at a computer, compare it to a previous search, and see if anything has changed.

What's The Big Deal?

Imagine what could happen if the government put this POC on every new computer to come out in 2008.

Every government agency is already using this software.  Another issue would be if someone figures out how to use the POC on these computers.  Hello, unlimited power!  Imagine having full access to every server, workstation, and laptop in a Fortune 50 company.

Although this company has been very good to me, I feel it is not right that such knowledge - and knowledge is power - is given to watch over us.  You are now aware of the tools being used to see you.

How Do I Stop the Tool or Make It Harder for the Tool to See What I Am Doing?

Simple security measures can be taken, for example:

  • Full-disk encryption is a great start, but your company policy may prohibit this.
  • Look into the SanDisk U3 encrypted drive.
  • Consider VMware with encryption, putting /boot on USB.
  • Investigate bootable CDs with encrypted USB.
  • Learn new anti-forensics techniques and tools, such as Sam Spade and touch.

I hope this will help educate you.
