Anthony Vance

Assistant Professor—Information Systems—Brigham Young University

LinEn Network Acquisition using VMware Fusion for OS X

23 Jun, 2008  3 Comments


For those who use EnCase for forensic analysis, a powerful and convenient means of acquiring digital evidence is over the network using LinEn, a Linux-based version of EnCase Acquisition. LinEn runs from a Linux boot disk on the target computer and serves an evidence file over the network to EnCase running on the forensic examiner's computer. EnCase is a Windows application, but network acquisitions can be performed successfully using VMware Fusion for Mac with the following configuration.

For my setup, I have a MacBook running VMware Fusion 2.0b1 and OS X 10.5.3. I'm running Windows XP as a VM with EnCase 6.11 installed.

Note: Because Macs can intelligently sense and correct the Ethernet connection when one computer is connected directly to another, a cross-over cable is not required.

1. Boot the target machine using Helix or another Linux live CD that contains LinEn.

2. Once at the Linux command line, type:

ifconfig eth0 10.0.0.1 netmask 255.0.0.0

3. On the Mac, change the IP address to 10.0.0.50 and the subnet mask to 255.0.0.0.

4. Confirm that the Mac and the target PC can ping each other.

5. On the Mac, edit the VMware Fusion boot script (/Library/Application Support/VMware Fusion/boot.sh), lines 676-681 as follows:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

Change to:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

6. Restart VMware Fusion:

sudo "/Library/Application Support/VMware Fusion/boot.sh" --restart

7. Change the VMware Fusion network mode to Bridged networking.

8. Boot the Windows XP VM and change its IP address to 10.0.0.2 and subnet mask to 255.0.0.0.

9. The target machine running Linux should now be able to ping both the Mac and the Windows VM, and vice versa.

10. Run LinEn from the Linux live CD on the target machine.

11. From EnCase, acquire over a network cable.
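As an added example (not part of the original post), the following POSIX shell functions check the preconditions the procedure above depends on: that the target, the Mac and the Windows VM addresses all fall in one network under the chosen netmask, that the en0 bridge line in boot.sh is the active one, and that the target and VM answer pings. The addresses and the boot.sh path are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# LinEn setup above, using the post's addresses and the boot.sh it edits.

TARGET_IP=10.0.0.1     # LinEn target booted from the Linux live CD
HOST_IP=10.0.0.50      # Mac running VMware Fusion
VM_IP=10.0.0.2         # Windows XP VM running EnCase
NETMASK=255.0.0.0
BOOT_SH="/Library/Application Support/VMware Fusion/boot.sh"

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Print the network address of $1 under mask $2.
network_of() {
    n=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Return 0 when every address after the mask lies in the same network.
same_network() {
    mask=$1; ref=$(network_of "$2" "$mask"); shift 2
    for ip in "$@"; do
        [ "$(network_of "$ip" "$mask")" = "$ref" ] || return 1
    done
}

# Return 0 when the en0 bridge line in $1 is active (uncommented), i.e.
# the boot.sh edit described above has been made.
bridge_enabled() {
    grep -Eq '^[[:space:]]*"\$LIBDIR/vmnet-bridge" .* vmnet0 en0[[:space:]]*$' "$1"
}

# Run all checks from the Mac, reporting each result instead of aborting.
preflight() {
    same_network "$NETMASK" "$TARGET_IP" "$HOST_IP" "$VM_IP" \
        && echo "addressing: one network" || echo "addressing: MISMATCH, check netmasks"
    bridge_enabled "$BOOT_SH" && echo "vmnet0: bridged to en0" || echo "vmnet0: NOT bridged to en0"
    for ip in "$TARGET_IP" "$VM_IP"; do
        ping -c 1 "$ip" >/dev/null 2>&1 && echo "$ip: reachable" || echo "$ip: unreachable"
    done
}

case "${1:-}" in --run) preflight ;; esac
```

Invoke the script with `--run` on the Mac after the network settings and the boot.sh edit have been applied; each line reports one check, so a netmask typo or a still-commented bridge line shows up before EnCase is started.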

Firefox 3 is Out

17 Jun, 2008  No Comment

Firefox is a great web browser that I’ve used since 2000 when it was named Phoenix. Now, Firefox 3 is out and it has several nice features, including a few security features that are unavailable elsewhere. For a good review of Firefox 3’s new features, see this screencast by Firefox developer Mike Beltzner. Also, here is a nice review by Walt Mossberg.

I still use Safari as my main web browser because of its PDF viewing capabilities and its close integration with OS X. However, it’s great to have developers pushing the envelope of what a web browser can be.

UPDATE 6/18/2008: I found this new Firefox 3 plugin that enables Firefox to use OS X's native PDF kit. Now Firefox displays PDFs inline very smoothly. One less reason not to use Firefox.

PGP Whole Disk Encryption comes to OS X

10 Jun, 2008  No Comment

Yesterday PGP announced that their Whole Disk Encryption (WDE) product will be available for OS X next month. Although disk encryption products for the Mac currently exist (like TrueCrypt and FileVault), these solutions only encrypt part of a hard drive, such as a user's home directory.

Full disk encryption (which is what WDE provides), on the other hand, encrypts every bit on a hard drive, whether in used or free space. This is important, because forensics products such as EnCase and FTK are very good at finding traces of sensitive information in unused disk space and in temporary files like the swap. With full disk encryption, EnCase and FTK are ineffective if an encrypted machine is powered off.

Another reason why PGP WDE for Mac is exciting is that PGP is a highly respected security company and its WDE has been tested by the National Institute of Standards and Technology (NIST) to meet its Federal Information Processing Standard 140-2 (FIPS 140-2). Both the reputation of PGP and the FIPS 140-2 certification indicate that the encryption algorithms employed in WDE have been implemented correctly. This is crucial because even secure encryption algorithms can be easily broken if implemented poorly.

Full disk encryption is a great tool for any organization to protect sensitive information. In the next year, Georgia State University will require that PGP Whole Disk Encryption be installed on every laptop, workstation, or server that stores sensitive information. If every organization followed a similar policy, privacy breaches would not be the almost-weekly security farce that they are today.

AppFresh—Automatically Update Applications

25 May, 2008  No Comment

Keeping software applications up-to-date on personal computers has always been a sore point. The best solution I have used on any platform is apt-get or aptitude for Debian-based Linux distributions (which include Ubuntu).

On the Mac, the best solution I have seen is AppFresh. It is still in beta, but it is already very useful. It scans all of the applications installed on my machine and with one click I can automatically install application updates.

All But Dissertation

9 May, 2008  1 Comment

I successfully completed my last course required for my Ph.D. Since I already defended my dissertation proposal, I am now officially ABD—All But Dissertation.

Virtual Appliance Marketplace—VMware’s Virtualization Advantage

3 May, 2008  No Comment


Last week the latest version of Ubuntu, Hardy Heron 8.04, was released. In the past, I would download an ISO file torrent and install the operating system to try out the new version.

This time, however, I visited VMware’s Virtual Appliance Marketplace. There I found a torrent file for a virtual appliance with Ubuntu 8.04 already installed and configured. I simply downloaded the file and turned it on in VMware Fusion.

This is a good example of the network effect and why VMware has a powerful market lead in the virtualization space.

Multi-touch Interaction using a Wiimote

30 Apr, 2008  No Comment

One of my students, Steven Robinson, pointed me to the human-computer interaction (HCI) research of Johnny Lee of Carnegie Mellon, who has hacked a Wiimote to do some really cool HCI stuff. It makes me want to buy a Wiimote and try his demos.

New JMIS Articles

30 Apr, 2008  No Comment


I received in the mail today the latest issue of Journal of Management Information Systems (JMIS), in which two of my research articles were published. JMIS is one of the top scientific journals in the field of Information Systems.

The latest issue of JMIS (Spring 2008) is a special issue on Trust in Online Environments. One of my articles examines what factors influence people to trust mobile phones as a secure e-commerce medium. The other article examines the effects of brand alliances and website quality on building trust in e-commerce websites.

Video Podcast on Computer Forensics

1 Apr, 2008  No Comment

I created a 15-minute video podcast to promote CIS 4000: Introduction to Computer Forensics, the class I am teaching this semester and this summer. The video shows a 6-minute presentation about computer forensics and the class, followed by a 9-minute demonstration of three computer forensics techniques.


Disable SSH Password Authentication with OS X 10.5 Leopard

15 Mar, 2008  6 Comments

I have a Mac running OS X 10.5 Leopard on my home network that I have made accessible from the Internet so I can remotely access it using SSH (Secure Shell) when I am away.

However, there are many popular SSH password brute force tools (such as Hydra). Below is an excerpt from /var/log/secure.log on the Internet-accessible Mac showing an obvious brute force attack:

06:15:20 sshd[54623]: Invalid user jeff from 88.46.222.228
06:15:22 sshd[54625]: Invalid user irc from 88.46.222.228
06:15:24 sshd[54629]: Invalid user list from 88.46.222.228
06:15:25 sshd[54631]: Invalid user eleve from 88.46.222.228
06:15:27 sshd[54633]: Invalid user proxy from 88.46.222.228
06:17:28 sshd[54700]: Invalid user admin from 59.173.2.71
06:17:32 sshd[54702]: Invalid user admin from 59.173.2.71
06:17:36 sshd[54704]: Invalid user admin from 59.173.2.71
06:17:39 sshd[54706]: Invalid user administrator from 59.173.2.71
06:17:43 sshd[54708]: Invalid user administrator from 59.173.2.71
06:17:46 sshd[54710]: Invalid user administrator from 59.173.2.71
06:17:49 sshd[54712]: Invalid user tads from 59.173.2.71
06:17:52 sshd[54714]: Invalid user manet from 59.173.2.71
06:17:55 sshd[54716]: Invalid user creative from 59.173.2.71
06:18:00 sshd[54718]: Invalid user manet from 59.173.2.71

What I am not showing you are hundreds of similar attempts. Further, each username login attempt repeats as many as 20 times in a row, indicating that multiple passwords are being tried.

To entirely sidestep the threat of brute force password attacks, I have disabled password logins and only allow public-key authentication. Here is how you can set this up in OS X 10.5 Leopard:

  1. Edit /etc/sshd_config and change the following options, removing the ‘#’ comment sign:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

  2. Turn off Remote Login in the Sharing preference pane in System Preferences and turn it on again to restart sshd so the changes will take effect.

Now, when someone attempts to SSH to my Mac without the correct private key, she/he will see this message:

[screenshot: ssh1.png]

Finally, to avoid more log entries of ssh brute force password attempts, I’ve changed the default port for SSH. To my mind, this also reduces the risk of an SSH zero-day exploit.
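As an added example (not part of the original post), the shell functions below summarise sshd "Invalid user" lines such as the secure.log excerpt above by source address, list the usernames a single source retried, and verify that sshd_config carries both settings from step 1 as active lines. The sample log is constructed from lines copied out of the excerpt; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd "Invalid user"
# lines by source address and verify the two sshd_config settings from step 1.

# Write a constructed sample log to $1 (lines copied from the post's excerpt).
write_sample_log() {
    cat > "$1" <<'EOF'
06:15:20 sshd[54623]: Invalid user jeff from 88.46.222.228
06:15:22 sshd[54625]: Invalid user irc from 88.46.222.228
06:17:28 sshd[54700]: Invalid user admin from 59.173.2.71
06:17:32 sshd[54702]: Invalid user admin from 59.173.2.71
06:17:36 sshd[54704]: Invalid user admin from 59.173.2.71
06:17:39 sshd[54706]: Invalid user administrator from 59.173.2.71
06:17:43 sshd[54708]: Invalid user administrator from 59.173.2.71
EOF
}

# Print "count ip" for each source with at least $2 invalid-user attempts
# in log $1, busiest source first. Line layout: ... Invalid user NAME from IP
brute_force_sources() {
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Invalid user / { count[$NF]++ }
        END { for (ip in count) if (count[ip] >= threshold) print count[ip], ip }
    ' "$1" | sort -rn
}

# Print "count user" for usernames that source $2 tried more than once in
# log $1; a repeated name means several passwords were guessed for it.
repeated_usernames() {
    awk -v src="$2" '
        /Invalid user / && $NF == src { count[$(NF - 2)]++ }
        END { for (u in count) if (count[u] > 1) print count[u], u }
    ' "$1" | sort -rn
}

# Return 0 only when config $1 has both settings active (not commented out).
password_auth_disabled() {
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$1"
}

# Stand-alone run against the sample log and the live sshd_config.
case "${1:-}" in --run)
    log=$(mktemp); write_sample_log "$log"
    brute_force_sources "$log" 5; repeated_usernames "$log" 59.173.2.71
    password_auth_disabled /etc/sshd_config && echo "password auth: disabled" || echo "password auth: ENABLED"
    rm -f "$log" ;;
esac
```

Point `brute_force_sources` at the real /var/log/secure.log to get the per-source counts the post describes in prose; the threshold argument separates one-off typos from sustained guessing.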


© 2005-2010 Anthony Vance | Theme modified by Anthony Vance, based on design by Wolfgang Bartelme, ported to Wordpress by LEMONed.