Defense Against the Black Arts of Forensics

by Alex

In our modern security climate, it is quite obvious that there's a need to protect our data.

There are plenty of guides and papers about anonymizing your presence on the net and general OPSEC.  This article is about neither.

This will be about protecting your computer and the information contained within.  Regardless of whether you're a journalist, activist, ordinary user, or you just read a guide about how to become a Dark Net drug dealer, you have a need for protection.  Depending on what information you store on your computer, some of these measures may be more extreme than you need.

The initial step should come as no surprise and, hopefully, this is already implemented.

If not, you'd do well to remedy it today.

Full-Disk Encryption (FDE) is a great first step.  Let's assume you use Linux and/or UNIX; today's installers often offer FDE as an install-time option (on Linux this is normally LUKS on top of dm-crypt).  If not, there are plenty of guides on the net on how to set it up from the CLI, the Arch Linux wiki for example.  There are also options available for Microsoft Windows if you really must use it (BitLocker and GuardianEdge as examples).  Keep in mind what FDE actually protects: data at rest on a powered-off machine.  Once the system is running, the key has to live in RAM.

Because of that, one of the most common attack vectors against FDE is to extract the key from a RAM dump (if you exclude breaking bones!).

Most law enforcement agencies in Sweden try to perform a warm-boot attack on running systems, falling back to a cold boot attack when necessary (and possible).  Sometimes neither is performed, but that is another story.

A warm-boot attack in a nutshell is rebooting a running system into a live OS specifically tailored to contaminate the RAM as little as possible (i.e., small size) and then dumping the content of the RAM.  A cold boot attack instead cuts the power (often after chilling the modules, or moving them to another machine) and relies on DRAM keeping its contents for seconds to minutes without power.

Now, as annoying as this might be for some, in the BIOS we should disable booting from anything except the internal hard drive(s), and set a BIOS setup password so the boot order can't simply be changed back.  It is still possible to swap in or plug in a hard drive and boot from that, but most examiners use USB drives and/or optical media for this task, and every extra step costs them time while the RAM decays.

Now our weakest link is the CMOS battery: pull it for a moment and the BIOS password and boot order are reset to defaults.

We can remedy that by adding a layer of physical security to it.  Whether you glue or solder the CMOS battery to the board is really up to you.  The purpose of this exercise is two-fold.  It increases the time it takes to perform the reset, and it should leave visible traces if someone physically removes the battery.  Check whether your board also has a clear-CMOS jumper or button; if it does, it needs the same treatment, or the battery work buys you nothing.

For those RAM types that are susceptible to cold boot attacks, I recommend soldering the modules in place and/or gluing them down, so they can't quickly be pulled and transplanted into another machine for dumping.  There are scientific papers on why some types of RAM are not vulnerable to cold boot attacks, but why take the risk on the chance that they are wrong and/or are paid to lie?

Neither of these are foolproof, but it takes time and effort to circumvent them and that is exactly what we want.

Unless the attacker opens up the case first to inspect the guts of the computer, these measures will only be discovered after the reboot, when the live OS refuses to boot.  By then the clock is ticking on the content of the RAM, and the examiner has to work around the BIOS lock before the live OS can be booted at all.  It is still possible that the content of the RAM will be disclosed, but this will, at the very least, add a real chance of failing to retrieve it.

If your computer is found running and unlocked, an examiner/intruder will most likely connect a medium of sorts to the computer with his/her forensic tools.

Big mistake.

A daemon/process should be running whose function is to identify devices that are connected to the computer.  If a device isn't on a whitelist (for USB, key it on vendor ID, product ID and serial number, since USB devices have no MAC address), the computer should wipe the encryption key from memory and power off right away.  The wipe matters: a plain shutdown leaves the key sitting in DRAM for exactly the seconds a cold boot attack needs.  The whitelist is a speed bump, not a wall, since an attacker who already knows your devices' IDs can spoof them, but an examiner walking up to an unknown machine doesn't.

Another interesting target to acquire is your cellular phone.

I will not write in detail about this, but it is still worth mentioning how phones are (often) preserved in a forensic investigation.  Usually the phone is put into a Faraday container to block the radio and prevent a remote wipe by the owner.  This can be used to our advantage: once the phone goes silent, your computer knows something is wrong.

It wouldn't be difficult to write an application that pairs with a cellular phone over Bluetooth and/or tracks specific cellular towers.  In fact, variations of these programs already exist for various platforms.  Regardless of whether you write your own or not, your goal should be to wipe the key and/or shut down any time the connection is lost.  Allow for a few missed pings before pulling the trigger, or a walk to the bathroom will cost you a reboot.
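Both of the triggers above (an unknown USB device on an unlocked machine, and the paired phone going quiet) can share one guard script.  The following is an added example written for this article, not the author's own tool.  It assumes a systemd-based Linux box whose LUKS root container is mapped as /dev/mapper/cryptroot, BlueZ's l2ping for the phone check, and a udev rule and script path of my choosing; the device IDs, the phone's Bluetooth address and the rule file name are all constructed for the example.

```sh
#!/bin/sh
# Added example (not the article's code): a "panic on unexpected contact"
# guard with two triggers. Assumes a systemd Linux box whose LUKS root is
# mapped as /dev/mapper/cryptroot and BlueZ's l2ping for the phone check.
#
# Trigger 1, udev: called as "guard usb VENDOR:PRODUCT:SERIAL" from a rule
# such as (assumed file /etc/udev/rules.d/99-guard.rules):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/sbin/guard usb $env{ID_VENDOR_ID}:$env{ID_MODEL_ID}:$env{ID_SERIAL_SHORT}"
# USB devices carry no MAC address, so the allow-list is keyed on vendor ID,
# product ID and serial number instead.
#
# Trigger 2, heartbeat: "guard heartbeat" pings the paired phone; once it
# stops answering (e.g. it was dropped into a Faraday bag) the box panics.

# Constructed allow-list entries: vendor:product:serial of the owner's devices.
USB_ALLOWLIST="
046d:c52b:ABC123
0781:5583:4C530001011121100593
"
PHONE_BT_ADDR="${PHONE_BT_ADDR:-AA:BB:CC:DD:EE:01}"   # constructed address
MAX_MISSED="${MAX_MISSED:-3}"                         # consecutive lost pings
GUARD_DRY_RUN="${GUARD_DRY_RUN:-0}"                   # 1 = report, don't act

# usb_allowed ID: exit 0 if ID is on the allow-list, 1 otherwise.
usb_allowed() {
    for entry in $USB_ALLOWLIST; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# panic REASON: purge the FDE master key from kernel memory, then power off.
# luksSuspend is the important half: a plain power-off leaves the key in DRAM
# for the seconds a cold boot attack needs.
panic() {
    if [ "$GUARD_DRY_RUN" = 1 ]; then
        echo "panic: $1"
        return 0
    fi
    logger -p auth.crit "guard: $1; purging key and powering off"
    cryptsetup luksSuspend cryptroot
    systemctl poweroff --force --force
}

# handle_usb_add ID: prints "allow" for known devices, panics otherwise.
handle_usb_add() {
    if usb_allowed "$1"; then
        echo allow
    else
        panic "unknown USB device $1"
    fi
}

# phone_reachable: one L2CAP echo request with a 2 s timeout.
phone_reachable() {
    l2ping -c 1 -t 2 "$PHONE_BT_ADDR" >/dev/null 2>&1
}

# heartbeat_step MISSED: prints the new count of consecutive missed pings;
# returns 1 when that count reaches MAX_MISSED (the caller then panics).
heartbeat_step() {
    missed=$1
    if phone_reachable; then
        missed=0
    else
        missed=$((missed + 1))
    fi
    echo "$missed"
    [ "$missed" -lt "$MAX_MISSED" ]
}

# heartbeat_loop: poll every 5 s; tolerate MAX_MISSED-1 misses, then panic.
heartbeat_loop() {
    missed=0
    while missed=$(heartbeat_step "$missed"); do
        sleep 5
    done
    panic "phone heartbeat lost ($MAX_MISSED pings)"
}

case "$1" in
    usb)       handle_usb_add "$2" ;;
    heartbeat) heartbeat_loop ;;
esac
```

Run the heartbeat half as a root service (GUARD_DRY_RUN=1 while you tune MAX_MISSED), and let udev call the usb half.  The policy (which IDs, how many misses) is kept in small functions separate from the destructive action so it can be tested without powering anything off.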

FireWire is another troublesome attack vector.

While it is possible to mitigate attacks over FireWire at the software level (by blacklisting the FireWire drivers, firewire-ohci on Linux or SBP-2 on Windows), the reality is that with sufficient privileges they can be reinstalled/re-enabled, and the port lets a peripheral read RAM directly over DMA.  So, I propose that you buy epoxy and fill the FireWire port up until it pours over.  No one uses FireWire anyhow, right?  The same DMA problem applies to any other port that gives a peripheral bus-master access to memory (ExpressCard, Thunderbolt); treat them the same way.

Now you might believe I only dress in tinfoil and live in a bunker residing far from the city, but that is far from the truth.

It is very hard to defend against a threat that has physical access, which is why extreme measures are needed to mitigate it.  While these proposed remedies will not make your data completely secure, without (any of) them the risk that the information will be leaked is far greater.

In these times where information is king, you should take appropriate precautions and make sure no one can readily and easily access your data.
