
PROPOSED STATE BANS ON PHONE ENCRYPTION MAKE ZERO SENSE

American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America’s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it’s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it’s meant to empower.

Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with that full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone’s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.

Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such “backdoor” scenario that gives cops access to encrypted smartphones at the risk of weakening every device’s data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn’t be. They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.

Crypto Has No Borders

If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America’s richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.

The last of those scenarios is Apple’s most likely move, says Singh Guliani, and yet would result in a “logistical nightmare” that still wouldn’t keep criminals from encrypting their phones’ secrets. She compares the laws to state-wide liquor regulations: “People will travel over the border to buy alcohol in states with the standards that suit them,” she says. If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones? “Nothing would stop those who wanted a more privacy protective phone to get one from out of state.”

In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. After all, it’s unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. “That would be a massive technical change to support this kind of device,” Zdziarski argues. “It would be literally cheaper for Apple to stop selling phones in California altogether.” Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone’s purchase. And nothing in the current bills would prevent Apple from making the encryption-enabled version of its firmware available to anyone who restores their device from factory settings.

In other words, that would make the New York and California crypto bans statewide bans on software, an idea roughly as practical as policing undocumented birds crossing the Mexican border. And if Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent any location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. “This legislation is going to be technologically useless,” says Zdziarski. “Anyone who wants a device that doesn’t have law-enforcement-reversible encryption will be able to get one.”

Pressuring Congress

Neither Apple nor Google, which followed Apple’s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to WIRED’s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells WIRED that the state-level bill is meant to pressure Congress to follow with its own legislation. “When there’s no national legislation, states take efforts on their own to solve an issue,” says Titone’s chief of staff Chris Bauer. “That can speed the process along to make the federal government take steps.”

Skyler Wonnacott, the director of communications for the California bill’s sponsor Assemblyman Jim Cooper, offered a similar argument. “California is leading the fight…It’s got to start somewhere,” Wonnacott says. “Just because you can drive into Nevada and buy a phone or download software doesn’t mean there isn’t an issue and these phones aren’t used in crimes.”

Congress has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn’t decrypt. (Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance’s office writes to WIRED that the DA’s office pushed for state legislation, and still hopes to find a compromise with device makers. “When Apple and Google announced the switch to full-disk encryption…with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,” writes the district attorney’s director of communications Joan Vollero. “If the companies have a solution, we encourage them to engage in a productive dialogue.”

Constitutional Questions

But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the “dormant Commerce Clause,” which gives the exclusive right to regulate commerce between states to the federal government. “States don’t have unlimited power to enact regulations to burden interstate commerce,” says Crocker. “If I’m Apple, this seems like a huge burden on my business.”

Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones—though they’d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. “New law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the paper reads. “The prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.”

And Crocker reiterates that state-level bills wouldn’t be just problematic or risky, but “wildly ineffective,” as those who want encryption will easily get it from out of state—in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user’s data will be left more vulnerable. “The ones who will actually be impacted are the less sophisticated people who don’t know how to get this protection,” says Crocker. “You’re looking at a cost that falls on innocent people, not criminals or terrorists.”

Computer Forensics on the Fly

Incident responders regularly rely on Linux distributions like BackTrack 5 R3 (which is very stable), BackTrack Reborn, Kali Linux, and SIFT (the SANS Investigative Forensic Toolkit) for general purpose incident response. Although these are the most stable general purpose incident response distributions, Deft Linux is another distribution becoming more prevalent in IR forensics toolkits.

Deft Linux

Deft Linux is a forensics distribution of the Linux operating system, which has tools resident to it that are geared towards computer forensics and computer incident response. It also focuses on network forensics and cyber intelligence. The version of this Linux distribution that is currently the most common in use is based on Ubuntu 11.10. To view the release, a user would get to the command line and type:

% cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"

This particular Deft Linux distribution sits on top of the 11.10 version of Ubuntu. It is available from http://www.deftlinux.net as an ISO image, which can be used to create a live CD, or you can order a live CD from the same site. You download Deft and use an unzip program (such as WinZip or 7-Zip) to unpack the file, then use an ISO-burning program (such as Rufus, the executable Rufus.exe) to write the disk. After you have burned your CD/DVD, remember to change the boot order on the system before you insert your live CD (for example, hit F2 as the computer boots); you will then be able to boot the distribution on any system that has a CD/DVD drive. You can even load it onto a USB stick for systems that can boot from USB.

Tools and Applications

You can boot Deft on any system you want to perform forensics on. You will also be able to analyze the hard drive, capture images of that hard drive and export them to an external drive or some other form of external storage. You can perform forensic analysis utilizing a battery of tools that come in the Deft Linux suite. It comes loaded with:

Analysis tools
Anti-malware tools
Carving tools
Hashing tools
Mobile forensics
Network forensics
OSINT tools
Password recovery tools
Reporting tools
Disk utilities
File managers
GParted
Midnight Commander
Mount EWF
Mount Manager
Wipe
XMount

Deft comes loaded with the typical Linux accessories, such as Apache server, Firefox, Google Chrome, MySQL server, office utilities, Samba server and Secure Shell server (SSH). These applications sit on top of the standard suite of Linux programs and services. You also have programs that are specific to Deft, which cover many forensic and incident response capabilities. Among them are password recovery tools like John the Ripper. It is very common to have to analyze a system that is locked by a password, and it is also common to encounter Windows users who have been locked out of their systems because they have forgotten their passwords. Deft requires the user to operate at the Linux command line.

Password Recovery

In Deft Linux, when we run John the Ripper, the first thing we do is print the working directory:

# pwd

We locate the wordlist directory and change to it:

# cd /usr/share/wordlists

In the wordlist directory, the list we will use is stored in .gz format by default, so we clear the screen and unpack it:

# gunzip clyde.gz

The resulting clyde.txt is the wordlist John will try. A word count (wc -l) on the file tells you how many candidate passwords it holds before you run John the Ripper against the file of hashes to crack (here mypass):

# john --wordlist=/usr/share/wordlists/clyde.txt mypass

This runs a dictionary attack, trying each entry of a wordlist of well-known passwords against the hashes. If John does not detect the hash type on its own, the --format=crypt option forces it to load the entries as generic crypt(3) hashes; John then reports loading the password hashes together with the number of different salts (for mypass, two hashes with two different salts). For example:

# john --format=crypt --wordlist=/usr/share/wordlists/clyde.txt mypass

This results in two password hashes being cracked. You then run the following command to print the passwords that have been cracked:

# john --show mypass

John the Ripper keeps its working files (including the pot file of cracked hashes) in the “.john” directory under “/root”.

Deft Linux can also be used to access the Windows OS, change the appropriate settings and reset the password.

Systems and Network Analysis

There are many categories and programs available for analysis in Deft. GParted gives you the ability to look at how a hard drive is partitioned, which is a very common task to perform with a Linux system. The distribution has plenty of hashing capability: md5sum, sha1sum, sha256sum and sha512sum. Our imaging tools give us the capability to create, gather, verify and manipulate disk images. We can boot the Deft distribution as a live CD and capture an image.

Deft gives us dcfldd, dc3dd and Cyclone, which are various forensic forms of dd (“dupe disk”). Cyclone is a tool for cloning disks and works the same way dd does, but through a command line curses interface that displays the hard drives that are available. You only need to type the name of the installed hard drive(s) or partition that you want to clone at the interface, and Cyclone performs the action for you.
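The imaging workflow the previous two paragraphs describe (copy the device bit for bit, hash source and image, keep the hashes so the image can be re-verified later) written out as an added example. This is not code from the Deft project; it uses plain dd and sha256sum from a POSIX shell rather than dcfldd or Cyclone, and the “evidence device” is a constructed 16 KiB file that stands in for a real block device such as /dev/sdb, so the script runs offline. The sample is deliberately a multiple of the 4 KiB block size: conv=noerror,sync pads any short or unreadable block with zeros, so an image of an arbitrary-length file would not hash identically, whereas a real disk is a whole number of sectors.

```shell
#!/bin/sh
# Added example: acquire a disk image with dd and record/verify SHA-256 hashes.
# Assumes POSIX sh, dd and sha256sum (GNU coreutils). Names below are our own.

# Constructed stand-in for a small block device (16 KiB, a multiple of the 4 KiB block size),
# with a few bytes of recognisable content written into the middle of the zeros.
make_sample_evidence() {
    dd if=/dev/zero of="$1" bs=4096 count=4 2>/dev/null
    printf 'constructed sample: suspect notes\n' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Print only the hex digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image $1 into $2 and write both hashes to the log $3.
# Returns 0 only if the image hashes identically to the source.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(sha256_of "$src")
    # noerror keeps reading past bad sectors; sync pads each unreadable block with zeros
    # so offsets in the image still match offsets on the original disk.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256_of "$img")
    printf 'source=%s\nsource_sha256=%s\nimage=%s\nimage_sha256=%s\n' \
        "$src" "$src_hash" "$img" "$img_hash" > "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check an image against the hash recorded at acquisition time (e.g. after
# copying it to external storage). Returns 1 if the image no longer matches.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep '^image_sha256=' "$log" | cut -d= -f2)
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Usage (comment out when sourcing the functions elsewhere):
#   make_sample_evidence /tmp/evidence.img
#   acquire_image /tmp/evidence.img /tmp/acquired.dd /tmp/acquisition.log && echo "image verified"
#   verify_image /tmp/acquired.dd /tmp/acquisition.log || echo "image has changed since acquisition"
```

On a real system the source would be the device node, opened through a hardware write blocker, and the log would travel with the image; the verify step is what catches a transfer error or a later modification of the image file, which is why the hash is taken of the image itself and not only of the source.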

Deft Linux has data carving tools available. “Photorec” allows you to recover graphics files or image files. Scalpel allows you to carve files out of a hard drive when the file may have been deleted, obscured or damaged. Data carving tools allow you to go and find the data on the drive and retrieve the file even though it is not available to the normal filesystem any longer.

Deft has mobile forensics tools that give us the capability to perform forensics on mobile devices. “Ipddump” performs iPhone dumps and “Iphone Analyzer” allows you to perform iPhone analysis. “Bbwhatsapp” allows you to perform BlackBerry analysis and decode BlackBerry databases. You also have a “SQLite” database browser, a GUI editor for “SQLite” databases. The iPhone stores a lot of data inside “SQLite” databases, so if you can retrieve the data you have a graphical way of looking at it rather than viewing it manually with command line tools. Even if you can get to a “SQLite” command interface, the “SQLite” database browser is extremely efficient: it opens those databases for viewing and manipulation, and lets you execute SQL commands and queries against them to investigate the data in more detail.

Deft Linux comes with network forensic tools. We have Wireshark (a network protocol analyzer for Unix and Windows) and Ettercap. Ettercap is a free, open source network security tool for man-in-the-middle attacks on LANs. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows.

Deft also has PDFCrack, samdump2 and fcrackzip (which is well suited to cracking zip files). If there is a password on a zip file, fcrackzip may be able to crack it so you can see what is inside the archive.

Conclusion:
Deft Linux is not as easy to use as the graphical programs that are available for computer forensics, but it has a lot of capability as long as you learn how to use the various tools. You will get more out of the Deft tools if you study and run these applications. On the plus side, Deft Linux is a free live CD that a user can download and burn. It frees the user from being tied to a forensic workstation: a disk is easily carried around and can quickly be pressed into analysis and recovery at any site. These advantages make Deft Linux ideal for targeted computer forensics analysis.