Archive for June, 2008

LinEn Network Acquisition using VMware Fusion for OS X

Monday, June 23rd, 2008

VMWare Fusion

For those who use EnCase for forensic analysis, a powerful and convenient way to acquire digital evidence is over the network using LinEn, the Linux-based version of EnCase's acquisition tool. LinEn runs from a Linux boot disk on the target computer and serves the target's drives to EnCase running on the examiner's computer over the network, where the evidence file is written. EnCase is a Windows application, but network acquisitions can be performed successfully with EnCase running in a VMware Fusion VM on a Mac using the following configuration.

For my setup, I have a MacBook running VMware Fusion 2.0b1 and OS X 10.5.3. I'm running Windows XP as a VM with EnCase 6.11 installed.

Note: Because Mac Ethernet ports automatically detect and correct the cable wiring (Auto MDI-X), a crossover cable is not required when the target is connected directly to the Mac.

1. Boot the target machine using Helix or another Linux live CD that contains LinEn. Make sure the live environment does not mount the target's drives, so nothing is written to the evidence disk.

2. Once at the Linux command line, as root, give the target's wired interface an address on the acquisition subnet:

ifconfig eth0 10.0.0.1 netmask 255.0.0.0

3. On the Mac's wired Ethernet interface (en0), set the IP address to 10.0.0.50 and the subnet mask to 255.0.0.0.

4. Confirm that the Mac and the target can each ping the other.

5. On the Mac, edit the VMware Fusion boot script (/Library/Application Support/VMware Fusion/boot.sh). In Fusion 2.0b1 the relevant lines are 676-681 (the line numbers differ in other versions). By default vmnet0 is bridged to '', meaning the host's primary network interface, which can change over time and on a laptop is often AirPort rather than the wired port; pin the bridge to en0 so the VM sits on the cable that goes to the target. The original lines read:

#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

Change them to:

#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

6. Restart the VMware Fusion network services so the new bridge takes effect:

sudo "/Library/Application Support/VMware Fusion/boot.sh" --restart

7. Set the Windows XP VM's network adapter to Bridged networking.

8. Boot the Windows XP VM and set its IP address to 10.0.0.2 with subnet mask 255.0.0.0.

9. The target machine running Linux should now be able to ping both the Mac and the Windows VM, and vice versa. If the VM cannot be reached but the Mac can, the bridge is most likely still attached to the wrong host interface.

10. Run LinEn from the Linux live CD on the target machine.

11. From EnCase, add the target as a network (crossover) device and acquire.
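The boot.sh edit in step 5 is easy to get wrong (a line left uncommented, or both copies commented out), and the symptom is only that the VM never sees the target. The following script is an added example, not code from the original post or from VMware: it reads a boot.sh and reports which interface the single active vmnet0 bridge line binds to, so you can confirm the edit before booting the VM. It assumes the vmnet-bridge line format quoted above; the "before" and "after" sample files it writes are constructed here for the check, not copied from a real boot.sh.

```shell
#!/bin/sh
# Added example (not from the original post): verify that VMware Fusion's
# boot.sh bridges vmnet0 to a fixed wired interface (en0) rather than to ''
# (the "primary" host interface, which may silently be AirPort).
# Assumption: the vmnet-bridge invocation looks like the lines quoted in
# the post, i.e. ... vmnet-bridge" -d <pidfile> vmnet0 <interface>

# Print the interface that the single active (uncommented) vmnet0 bridge
# line binds to. Return 1 if there is not exactly one active line, 2 if the
# active line uses '' (floating "primary interface" bridge).
active_bridge_iface() {
    file=$1
    # Drop comment lines, then keep only vmnet0 bridge invocations.
    active=$(grep -v '^[[:space:]]*#' "$file" | grep 'vmnet-bridge.* vmnet0 ' || true)
    count=$(printf '%s\n' "$active" | grep -c 'vmnet0' || true)
    [ "$count" -eq 1 ] || return 1
    iface=$(printf '%s\n' "$active" | awk '{print $NF}')
    [ "$iface" != "''" ] || return 2
    printf '%s\n' "$iface"
}

# Succeed only if the active bridge interface is the one intended for the
# crossover link (en0 by default).
check_bridge() {
    file=$1
    want=${2:-en0}
    have=$(active_bridge_iface "$file") || return 1
    [ "$have" = "$want" ]
}

# Constructed sample files reproducing the "before" and "after" states of
# the edit described in the post (not real boot.sh files).
write_samples() {
    dir=$1
    cat >"$dir/before.sh" <<'EOF'
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;
EOF
    cat >"$dir/after.sh" <<'EOF'
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;
EOF
}

# Stand-alone use against the real file:
#   sh check_bridge.sh "/Library/Application Support/VMware Fusion/boot.sh" en0
[ $# -eq 0 ] || check_bridge "$@"
```

Run it before step 6; a non-zero exit means the bridge is still floating or there is more than one active line, and the VM will not be reachable from the target no matter how the addresses are set.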

Firefox 3 is Out

Tuesday, June 17th, 2008

Firefox is a great web browser that I've used since 2000 when it was named Phoenix. Now, Firefox 3 is out and it has several nice features, including a few security features that are unavailable elsewhere. For a good review of Firefox 3's new features, see this screencast by Firefox developer Mike Beltzner. Also, here is a nice review by Walt Mossberg.

I still use Safari as my main web browser because of its PDF viewing capabilities and its close integration with OS X. However, it’s great to have developers pushing the envelope of what a web browser can be.

UPDATE 6/18/2008: I found this new Firefox 3 plugin that enables Firefox to use OS X's native PDF kit. Now Firefox displays PDFs inline very smoothly. One less reason not to use Firefox.

PGP Whole Disk Encryption comes to OS X

Tuesday, June 10th, 2008

Yesterday PGP announced that their Whole Disk Encryption (WDE) product for OS X will be available next month. Disk encryption products for the Mac already exist (TrueCrypt and FileVault, for example), but on the Mac these encrypt only a volume or part of the drive, such as a user's home directory.

Full disk encryption (which is what WDE provides), on the other hand, encrypts every sector of the drive, whether it is in use or free. This matters because forensic products such as EnCase and FTK are very good at finding traces of sensitive information in unallocated space, file slack, and temporary files such as swap. With full disk encryption, EnCase and FTK can recover nothing from the drive of a machine that is powered off, because the key is no longer in memory; a machine that is running, asleep, or only just powered down (the RAM remanence "cold boot" attacks published earlier this year) is a different matter.

Another reason PGP WDE for Mac is exciting is that PGP is a highly respected security company and the cryptographic module used by WDE has been validated under NIST's Federal Information Processing Standard 140-2 (FIPS 140-2). PGP's reputation and the FIPS 140-2 validation are good evidence that the encryption algorithms in WDE have been implemented correctly. This is crucial because even secure encryption algorithms can be easily broken if they are implemented poorly. Keep in mind that the validation covers the cryptographic module itself, not how the rest of the product handles keys and passphrases, so it is evidence rather than proof.

Full disk encryption is a great tool for any organization to protect sensitive information. In the next year, Georgia State University will require that PGP Whole Disk Encryption be installed on every laptop, workstation, or server that stores sensitive information. If every organization followed a similar policy, privacy breaches would not be the almost-weekly security farce that they are today.