Saturday, April 26, 2008

The science of computer forensics

This week, I am introducing some tools used in computer forensics and investigations. This will probably be so much “ho-hum” to those of you already in the trade, but I thought this would be of interest to other TechRepublic members.

As usual, I have linked to specific products that I’m familiar with. Some readers have previously expressed concern that it represents unfair advertising. All I can say is that I don’t get paid for linking to anyone, but have personally found that I learn faster when pointed to actual products with specifications and prices to refer to.

Feel free to suggest other such products in the comments section.
HotPlug

The HotPlug device basically allows a running computer to be seized and brought back to a computer forensic lab for further study — without having to first shut it off.

Assuming a suspect could be caught by surprise when using his terminal, it is a means to effectively circumvent any disk encryption as well as login passwords or biometric schemes that might be in place.

Used together with a fully charged UPS, the connectors are slipped into place while the system is still running. When main power is switched off, the power load is transparently switched over to the UPS. The entire system, UPS included, can then be loaded onto a trolley to be carted off.

Extrication from a power strip is literally a plug-and-switch event. For systems plugged directly into a wall socket, some dismantling of the faceplate is required. Check out the demonstration video at the top for the power strip method, or click here for the advanced method — it’s quite fascinating, really.
Write protection devices

As their name suggests, write protection devices actively prevent the writing of data onto the attached hard disk. They work at the hardware level by directly blocking write commands — be it while duplicating the data or performing a forensic analysis.

You can also use it as a way to protect your portable hard disk when transferring files to an unknown or hostile environment.

The DriveLock line supports data protection by blocking writes to hard drives of various kinds, such as IDE, laptop drives, Serial ATA and flash cards, connected through a computer’s P-ATA interface, PCI Card, USB, and FireWire ports.

ICS sells a whole bunch of write-protect devices for various hard disk interfaces. This ranges from SATA to IDE and even compact flash readers. You can check it out here.
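The check a practitioner actually wants from a write blocker is proof that the evidence did not change while it was being imaged. The example below is added here and is not code from this post or from the DriveLock or ICS products: it models the blocker as a read-only wrapper (a hypothetical software stand-in for the hardware device, which really sits between the controller and the drive), images a constructed sample file through it, and verifies the acquisition the way an examiner would, by comparing the hash recorded during imaging with fresh hashes of the source and the image afterwards. The file names and the sample bytes are constructed for the example.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 16  # bytes per read request


class WriteBlockedDevice(io.RawIOBase):
    """Hypothetical software stand-in for a hardware write blocker.

    Reads pass through to the underlying file; any write request is refused
    before it reaches the medium, which is what the hardware devices do
    between host and drive.
    """

    def __init__(self, path):
        super().__init__()
        self._fh = open(path, "rb")

    def readable(self):
        return True

    def writable(self):
        return False

    def readinto(self, buf):
        data = self._fh.read(len(buf))
        buf[: len(data)] = data
        return len(data)

    def write(self, data):
        # A hardware blocker silently drops the write command; fail loudly here.
        raise PermissionError("write command blocked by write blocker")

    def close(self):
        if not self.closed:
            self._fh.close()
        super().close()


def sha256_of_file(path):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of the source, read only through the blocker.

    Returns the SHA-256 of the bytes as read: the acquisition hash that
    would be recorded on the evidence form.
    """
    h = hashlib.sha256()
    with WriteBlockedDevice(source_path) as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_acquisition(source_path, image_path, acquisition_hash):
    """Re-hash source and image after imaging; all three values must agree.

    Source differing from the acquisition hash means something wrote to the
    evidence during imaging; the image differing means the copy is unfaithful.
    """
    source_after = sha256_of_file(source_path)
    image_hash = sha256_of_file(image_path)
    return {
        "source_after": source_after,
        "image": image_hash,
        "ok": source_after == image_hash == acquisition_hash,
    }


def demo(workdir=None):
    """Run the whole procedure on a constructed sample 'drive'; return results."""
    workdir = workdir or tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")  # constructed sample, not real evidence
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as fh:
        fh.write(b"CONSTRUCTED-SAMPLE-DISK\x00" * 5000)
    result = {"source_before": sha256_of_file(source)}
    acq_hash = acquire_image(source, image)
    result.update(verify_acquisition(source, image, acq_hash))
    # Show that a write attempt through the blocker is refused.
    try:
        with WriteBlockedDevice(source) as dev:
            dev.write(b"tamper")
        result["write_blocked"] = False
    except PermissionError:
        result["write_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints four matching hashes and `write_blocked: True`. On a real case the same three-way comparison is done with the blocker's hardware, not a wrapper class, but the logic of the check is identical: one hash taken during acquisition, two taken afterwards, and any disagreement means the evidence or the image cannot be trusted.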
Mouse Jiggler

This nifty little device represents yet another reason why screen saver passwords are a flimsy deterrent at best. When plugged into a USB port, it emulates a mouse, albeit one that moves autonomously.

The movement effectively prevents a system from automatically switching to a screen saver, or from going into suspend mode.

Wiebetech sells two versions, including a “Slow Jiggler” in which the mouse movement is barely perceptible. With it, an investigator is able to continue working simultaneously from a real mouse. There is also a “Fast Jiggler,” whose only use is as part of a practical joke.

The Mouse Jiggler was originally designed to be used in tandem with the HotPlug to seize computers.
Network Taps

As the name suggests, a network tap allows an investigator to sample all traffic on a network while remaining undetected. These phantom devices are not addressable and are designed with the sole role of replicating transmission streams out via a monitoring port. Physical access to the actual cables is required, though. Network taps are generally available for both copper and fiber solutions and for networks of varying speeds.

Do note that some higher-end network switches come with a “monitoring port” that can be used to the same effect.

catch this at http://blogs.techrepublic.com.com/security/?p=437&tag=rbxccnbtr1 !
