Let us be judged by our acts!
Filesystems for the Macintosh were developed to handle the unique nature of the OS. In the beginning, Apple's OS was not GUI based. In fact, DOS was originally used and this later became Apple ProDOS. Both of these operating systems were very much command line driven. With the release of the original Macintosh, Apple boldly introduced the world to the Finder (the graphical user interface).
Apple needed a way to interact with the underlying file system on disk. Because the GUI environment was controlled by a mouse selecting a file to open… Apple needed a way for the operating system to know which application should launch when a file was clicked on. Apple developed what became known as a forked file system. One fork (the data fork) contained the structured data while the resource fork contained the file's metadata. Metadata at that time contained such things as the association between the file/data and the application used to create it, thumbnail previews and what type of file it was (.jpg, .tiff, .psd, etc.).
To keep track of the dual-forked file, Apple needed a filesystem that could keep track of both halves of the file and have them "appear" as one. Apple developed MFS (the Macintosh File System) to handle the storing of data on disk. The downside to this filesystem was that it was flat… meaning it did not allow for nested folders, a hierarchy or any other means of organizing the data on disk. Realize… at that point in time the Macintosh was still booting from floppy disks, and that in and of itself allowed users to store similar data on separate disks. Unfortunately, MFS had an upper limit on capacity (20MB). This quickly became a problem because it was not long after the introduction of the Macintosh that hard drives as we know them today started to make their way into personal computing. Apple needed a way to address the additional space provided by these new devices! As mentioned earlier, MFS stored all files at the root level of the disk. This presented a performance problem. As anyone who has worked with databases knows… the more records that are added to a table, the slower that table performs. Meaning any time someone needed to access a file, the OS had to read through all the files on disk. By breaking files down into groupings or directories… file searches became significantly faster. And thus HFS (the Hierarchical File System) was born!
The problem with storage is that it grows exponentially! There was a time that a 32MB hard drive seemed exceedingly large. "You're never going to fill that thing!" Today you can't even purchase a USB thumb drive that small. By the late 1990s it was clear that Apple's original filesystem design was starting to show its age. HFS was limited to 65,536 allocation blocks per volume (or partition). When disk capacity was small (say a 32MB hard drive) this wasn't a problem. If you had a 1KB file and your block size was 512 bytes, it would take up two blocks of disk space without wasting any disk. BUT as disks became bigger, so too did the block size. On a rather small 128MB disk, because of the block-count limitation, the minimum block size became 2KB. The OS would write that same 1KB file to one block, occupying 1KB of the 2KB block and wasting 1KB in the process. Now this is a very basic illustration, but let's imagine a 1GB hard disk… the size of the data contained in the file would not increase, but the block size had to (16KB)! Thus the amount of disk wasted became greater! Apple introduced HFS Plus (or HFS Extended) with its OS 8.1 release to address the allocation block problem, though certainly Apple would say that's not the only reason it created HFS Plus. For a more detailed look into the technical aspects of HFS you can read Technical Note TN1150 – HFS Plus Volume Format, which can be found at: http://developer.apple.com/mac/library/technotes/tn/tn1150.html#HFSPlusBasics
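To see the block-size math behind the 32MB / 128MB / 1GB illustration above, here is an added example (my own code, not from the post or from Apple) that derives the smallest allocation block a 65,536-block HFS volume can use and the slack a 1KB file leaves behind; it assumes power-of-two block sizes starting at one 512-byte sector, and also shows the same calculation with HFS Plus's 32-bit block count for comparison.

```python
# Added example (not from the original post): how a fixed maximum block count
# forces the allocation block size up with volume size, and how much of a
# 1KB file's last block is wasted as a result.
HFS_MAX_BLOCKS = 65_536        # classic HFS: 16-bit allocation block count
HFS_PLUS_MAX_BLOCKS = 2 ** 32  # HFS Plus: 32-bit allocation block count
MIN_BLOCK = 512                # assumption: smallest block is one 512-byte sector

MB = 1024 * 1024
GB = 1024 * MB


def min_block_size(volume_bytes: int, max_blocks: int = HFS_MAX_BLOCKS) -> int:
    """Smallest power-of-two block size (assumed) that keeps the volume
    within max_blocks allocation blocks."""
    block = MIN_BLOCK
    while volume_bytes // block > max_blocks:
        block *= 2
    return block


def blocks_needed(file_bytes: int, block: int) -> int:
    """Whole blocks a file occupies (ceiling division)."""
    return -(-file_bytes // block)


def slack_bytes(file_bytes: int, block: int) -> int:
    """Bytes of the file's final block that hold no file data."""
    return blocks_needed(file_bytes, block) * block - file_bytes


def waste_report(file_bytes: int, volume_sizes, max_blocks: int = HFS_MAX_BLOCKS):
    """Map each volume size to (block size, slack left by one file of file_bytes)."""
    report = {}
    for vol in volume_sizes:
        block = min_block_size(vol, max_blocks)
        report[vol] = (block, slack_bytes(file_bytes, block))
    return report


if __name__ == "__main__":
    for vol, (block, slack) in waste_report(1024, [32 * MB, 128 * MB, 1 * GB]).items():
        print(f"{vol // MB:5d}MB volume: {block:6d}-byte blocks, 1KB file wastes {slack} bytes")
    # HFS Plus's 32-bit count lets even a 1GB volume keep 512-byte blocks
    print(waste_report(1024, [1 * GB], HFS_PLUS_MAX_BLOCKS))
```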
One thing the iPhone is not very good at is battery life when transferring data over a 3G connection.
One thing that the iPhone does really well is seek out public Wi-Fi networks.
Many of us gladly connect to "free" hot spots to save battery life, BUT that presents a big security risk. The iPhone really doesn't tell you whether you are associating the phone with a true AP or an ad-hoc device. One must use care when sending passwords over an "untrusted" network! While not exactly trivial to do… it isn't exactly hard for someone to set up a rogue AP. These devices can cause you a lot of aggravation. These ad-hoc APs could be used to perpetrate a Man-in-the-Middle attack while you use the hot spot. Additionally, one could be used to "poison" your phone's browser cache, which in turn could be used to display fake Web pages or even steal data at a later time. It's always a good idea to clear Safari's cache after connecting to an unknown AP. So how does one go about clearing the cache on the phone?
Choose Settings > Safari > Clear Cache.

ISO (the International Organization for Standardization) is an international body that tries to define best practices with regard to the operation of various workflows. This can be something as simple as defining how to examine a hard drive for acceptance into a court of law to something as broad as ISO 9001 (which defines formal business practices).
One needs to understand that ISO tries to define best practice, and while that may be good enough 90% of the time… it is after all a best practice and there may be situations that require other methods for getting the job done. Forensics is all about the systematic collection of data. If we can validate that the data was collected cleanly, if we can confirm consistent results in the acquisition, validation, extraction and reconstruction of the data, then it really doesn't matter whether you've used an ISO standard or NOT. BUT if one deviates from an ISO standard, one needs to be able to explain to a jury in non-technical terms that the above-mentioned process was meticulous, and in criminal cases this needs to be proven without doubt. This is not always achievable, and thus sticking with ISO standards may help you convince a jury, though it may not always be the easiest/fastest way to collect data.
As system administrators, do we really have to worry about collecting evidence? Maybe not… BUT what if you're asked by your company's general counsel (an authorized requester) to collect all non-business data (emails and files) from an employee's laptop? AND what if you come across some adult porn? You start copying the images onto a USB thumb drive… You then find a folder on their desktop with a bunch of saved emails titled "I missed you last night"… Well, that seems like personal email… Let me copy that over… You dig around a bit more and come across a folder labeled "Desktop Images" containing a bunch of JPEGs. You double click the first image and it's a picture of a clearly under-aged minor having sex with the employee. Now what do you do? Call the attorney IMMEDIATELY! This laptop is now evidence in a criminal matter. Possible charges could include possessing child pornography and sex with a minor, for starters.
Anyone who has ever watched a police show knows… "Don't touch anything… you'll leave fingerprints behind!" Pretty basic stuff. Most of us know about bloodstains and DNA evidence. Thank you OJ! We know about carpet fibers and lost articles of clothing. We know about tire tracks. The list goes on and on, but do we really know how to secure digital evidence? Well, luckily for us the National Institute of Justice (part of the U.S. Department of Justice) publishes many helpful documents that can help us better understand the dos and don'ts of collecting digital evidence.
NOTE: the National Institute of Justice is the research and development arm of the DOJ.
Browsing through some of the NIJ’s white papers, I came across a document that all system administrators should read… Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. It can be found at: www.ncjrs.gov/pdffiles1/nij/219941.pdf
The guide is pretty straightforward. It offers up some fairly common-sense checklists combined with a lot of "Oh yeah, I probably would have forgotten that" reminders.
So what did I learn from reading the guide?
Always have a digital camera with you… Sure, many cell phones have cameras built in, but you'll need something with a bit more resolution. Take pictures of everything… Why not? It doesn't cost you anything!
Look around for cell phones and MP3 players… They can contain data beyond what their intended purposes suggest. Be careful though! You want to make sure that you don't overstep the authority provided by your authorization. Even if it's not a criminal investigation… you could violate a person's right to privacy (4th Amendment rights) even if there's no expectation of privacy!
There are some that say turn everything off… power down the computer. You may need to do that if files are being deleted. BUT powering down the computer may not always be the best thing to do. Check and see what's on the screen first. What you're looking for may be right in front of your nose.
Chapter 7 of the guide details for you the types of evidence you may need (both physical and digital) for various types of crimes! I think the real learning from going over the lists is opening your mind (Why would medical records be next to the computer?)… using your common sense (Well, there's a box of 100 SIM cards and a box of cell phones next to the computer)… keeping your eyes open (Let me grab that USB thumb drive too).
The First Responders guide is a great place to start… The NIJ has plenty of other white papers if you find this one interesting. They can be found at: http://www.ojp.usdoj.gov/nij/
BTW, getting back to the opening paragraph… Always image the drive first! Always work from a copy! You'll change the time stamps on the originals if you don't.
What is it they say? The right tool for the job! Indeed!
When I got my first car, it was a mess. It always needed work… in fact the Scarsdale police department knew my mom’s phone number by heart. “Mrs. Heese your kid is stuck again up by the Exxon station… Do you want us to send the tow truck?” I learned all about combustion engines that summer and I learned that there are particular tools that are designed to make some jobs easier AND having those tools could mean the difference between working on the car all weekend and driving it up and down Central Avenue! It’s no different today.
Nice story… But where are we going with this? Well… now instead of using socket wrenches and screwdrivers, it's all about software packages and hardware! But that's only half the story; there's still the human element. How do we interact with the tools we use? The ISO (International Organization for Standardization) has put together a number of standards for how humans interact with computers. One in particular, ISO 9241 (Ergonomics of Human System Interaction), details various best practices, from how workstations should be laid out, to postural requirements, to keyboard layouts, and even to how menu dialogue boxes should be laid out!
NOTE: A great list of other usability standards can be found at http://www.userfocus.co.uk/resources/iso9241/intro.html
I find that if my desk is cleared of all distractions I can work efficiently and effectively. But that's only part of the equation… your workspace must be organized as well! Any effort put into organizational planning is well worth the time. A big part of this is knowing how you work. What things are required? Do you need to have a radio on or… is silence best? Best practices are everywhere these days… And for good reason! We as people know there's no point reinventing the wheel. It functions and serves its purpose well. Sure, we can always improve upon an idea… but why spend the effort trying to do the same thing people have done over and over again?
WOW… Where to start… Hard drives are the garbage dump of a computer… Sure, we strive to keep our data organized, but in actuality… we have zero control as to where the computer places our data on disk. Files are written to the first available sector on disk. These sectors are reserved and freed based on which files are in "use" and which have been "deleted"! In actuality no files are truly deleted until they are overwritten. Point of fact… the pointer to the file on disk is the only thing that is deleted when we empty the Trash/Recycle Bin.
A bit-stream copy of a hard disk is an exact duplicate of the ones and zeros on the disk. One needs to have a hard drive of equal or larger size than the one being copied… Some may call this a disadvantage, BUT the fact of the matter is that disk is cheap. The fact is that disk sizes grow while the cost remains fairly constant. No real disadvantage there.
It takes a disk of equal size because it includes the file/disk slack. Why is this important? Because disk storage is broken up into blocks. The number of blocks on a disk is finite, based on the file system of the OS/disk that is operating upon the disk. If the block size is 8KB and your actual file/data size is only 4KB… that leaves 4KB of unused space (slack) in that block. There are tools that can write data to the slack space. Tricky… tricky they are. You want to be able to capture everything that is on disk… No matter what.
Because bit-stream copies capture every byte of data on disk, they take longer to make. Standard backups/mirror images copy only the actual data and then fit it into the block size allocation on the destination disk. One would miss the slack space… AND the "deleted" files! Bad idea.
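The slack-space and "deleted file" points above, as an added example (my own toy code, not from the post): a 64-byte "disk" with a constructed 16-byte allocation block and constructed file contents, comparing what a file-level copy returns against a bit-stream image of the same disk.

```python
# Added example (not from the original post): a toy disk with a fixed
# allocation block size, showing why a file-level copy misses file slack and
# "deleted" files while a bit-stream copy keeps every byte. All data is constructed.
BLOCK = 16  # constructed: a tiny allocation block so the whole disk fits on screen


def write_file(disk, catalog, name, start_block, data):
    """Write data at a block boundary; the catalog records only where the data
    begins and its length. Bytes left in the final block are file slack and are
    NOT cleared, so whatever was there before stays on disk."""
    off = start_block * BLOCK
    disk[off:off + len(data)] = data
    catalog[name] = (start_block, len(data))


def delete_file(catalog, name):
    """Emptying the Trash/Recycle Bin: only the pointer (catalog entry) goes away."""
    del catalog[name]


def logical_copy(disk, catalog):
    """A standard backup: exactly the bytes the catalog says belong to each live file."""
    return {name: bytes(disk[s * BLOCK:s * BLOCK + n]) for name, (s, n) in catalog.items()}


def bit_stream_copy(disk):
    """A forensic image: every byte of the disk, allocated or not."""
    return bytes(disk)


def demo():
    disk = bytearray(4 * BLOCK)  # a 64-byte "hard drive"
    catalog = {}
    # an old file fills block 0 exactly, then is deleted; only its pointer is gone
    write_file(disk, catalog, "old.txt", 0, b"SECRET-PASSWORD!")
    delete_file(catalog, "old.txt")
    # a shorter file reuses block 0; the last 6 bytes of the old file survive as slack
    write_file(disk, catalog, "memo.txt", 0, b"hello boss")
    # a second file lands in block 2 and is then "deleted"
    write_file(disk, catalog, "plan.doc", 2, b"Q3 budget cuts")
    delete_file(catalog, "plan.doc")
    return logical_copy(disk, catalog), bit_stream_copy(disk)


def recovered_only_by_image(logical, image, needle):
    """True if the bytes exist in the image but in no live file of the logical copy."""
    return needle in image and not any(needle in data for data in logical.values())


if __name__ == "__main__":
    logical, image = demo()
    print("file-level copy:", logical)
    print("slack after memo.txt:", image[10:16], "| deleted plan.doc still in image:",
          recovered_only_by_image(logical, image, b"Q3 budget cuts"))
```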
When working in IT one needs to have a game plan… a road map, so to speak, with regard to fixing problems. One needs to understand what is happening and look at the problem from a number of different perspectives (Our servers' hard drives are filling up at random intervals… it's got to be a server problem). One needs to understand what is causing the problem… more often than not… What's changed in the environment? (Well, we installed the new version of Firefox onto everyone's machine yesterday!) Then how to go about fixing the problem? Remove Firefox from everyone's machine? But wait… problems within IT often aren't that straightforward… often one cannot address the problem directly… "We need to use Firefox because our WebApp requires it." BUT wait… it's this feature that is causing the problem! "If we turn off that particular feature it will allow most of us to use Firefox, although some users could still have other problems." We've provided a fix for the greater good… but is it really a fix? It depends!
Having a game plan as to how you are going to attack the problem, and sticking with the game plan, can make the difference in… finding a workable solution! Understanding what you are looking for (and that can include data that you don't know is there) and why can only help to keep you focused. The game plan isn't always the same… certainly the rules are different if you're working in a corporate environment versus a government organization. They can be different depending on whether it's a criminal matter. You as the technical expert need to understand that the suspect has rights that cannot be infringed upon, or you may find that all your hard work is inadmissible in court. Make sure you have the company's permission, in writing, before you start poking around on other employees' computers. Know who is authorized to give the OK to begin your work. Don't start the work until you have everything in place.
Be professional! Stick to what you were hired to do! It doesn't matter whether you're a salaried employee or a consultant! Be objective! Don't form opinions until you've done your homework. Forming opinions prior to starting your work could lead you down the wrong path and waste valuable time. Keep your mouth shut… you never know what you're going to find… Confidentiality is often equated with trust. In IT we often have more access to information than our bosses! Don't sneak a peek at their salary information. You may not like what you find! If people can't trust you, you'll find yourself unemployed.
Enjoy! Be Well!
Think M*A*S*H*!
What they did was take a look at the injuries… patch them up as best they could… and then send them off based on whether they could return to active duty or needed further medical attention. They were in the Army and, as we all know, the Army has rules for everything. Depending on the situation, decisions were based on how badly injured the soldiers were!
It's no different in corporate life! Or with network-based incidents!
What’s going on?
Do we have a procedure to deal with this?
Who do we alert?
How do we fix the problem?
These should all be spelled out in corporate policy, and employees should be tested from time to time on the proper implementation of the policies. Policies should be reviewed to make sure they are appropriate.