InPrivate Browsing; Fancy or Flawed?

For those of you that didn’t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was new functionality called “InPrivate Browsing”.

Here’s what Microsoft has to say about this functionality: “InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data”. Ouch, when implemented right a feature like that could wreak havoc for us forensic dudes, or so one could be inclined to think ;) But did Microsoft implement it correctly?

Initial tests we conducted show it didn’t, which is strange. Doesn’t the statement say that this function prevents data from being written? Well, it doesn’t prevent it, which is good for us forensic folk, but bad for you if you trust this feature to provide you with your desired level of privacy.

I browsed several sites using the InPrivate function, used several search engines and, to top it off, logged into my online (SSL protected) banking website and transferred my monthly rent. Traces of this activity were easily recovered from the disk using a simple hex editor, Pasco and FTK.

It’s true that some records are not written to the index.dat history file, namely the host records. This results in the user seeing an empty history overview in the browser. However, all other records related to a visit to a specific website are written to the index.dat file. Keep in mind that most websites are built up of tens of separate webpage elements, filling up the index.dat file quickly.

What’s worse, contrary to what Microsoft states, the temporary Internet files cache is used: files are written to disk, and after closing the browser the cache is cleared/deleted. Not erased. Oopsss. Unless I use some sort of erase/wipe tool, the information on my browsing session is all there.

Of course it would still be fairly easy to recover the cached files using carving techniques, but one could argue that this is not something a regular user would or could do. I disagree. Just a simple Google query for “data recovery tool” yields almost 1.5 million results. We’re not talking quantum physics here.
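As an added illustration (example code written for this post, not something published by Microsoft or by the author of the blog), here is a small Python carver that does what the paragraph describes: it scans the raw bytes of a disk image for JPEG signatures and URL strings without consulting any file system metadata or index.dat record, and then shows why “deleted” is not the same as “erased”. The 8-sector image, the cached JPEG, the banking URL and the 512-byte sector size are all constructed sample data, not artifacts from the test described above.

```python
import re
from dataclasses import dataclass
from typing import List

SECTOR = 512                     # assumed sector size for the constructed image
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


@dataclass
class CarvedFile:
    offset: int   # byte offset in the image where the header was found
    data: bytes   # bytes from header to footer, inclusive


def carve_jpegs(image: bytes, max_size: int = 4 * 1024 * 1024) -> List[CarvedFile]:
    """Header/footer carving: needs no directory entry and no index.dat record."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1          # orphaned header (overwritten tail): keep scanning
            continue
        found.append(CarvedFile(start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def carve_urls(image: bytes) -> List[str]:
    """String carving: every http(s) URL that survives anywhere in the raw bytes."""
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(image)})


def wipe_range(image: bytes, start: int, length: int) -> bytes:
    """What a wipe tool does and a plain delete does not: overwrite the bytes."""
    return image[:start] + b"\x00" * length + image[start + length:]


def build_sample_image() -> bytes:
    """Constructed 8-sector image: one live file plus remains of deleted cache entries."""
    img = bytearray(8 * SECTOR)   # unallocated space starts out zeroed
    live = b"Quarterly report, still allocated and visible in the file system."
    img[0:len(live)] = live
    # sector 2: a deleted cached JPEG; the file system forgot it, the bytes did not
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
    img[2 * SECTOR:2 * SECTOR + len(jpeg)] = jpeg
    # sector 4: fragment of a cached page from the constructed banking session
    url = b"https://bank.example/transfer?amount=850&to=landlord"
    img[4 * SECTOR:4 * SECTOR + len(url)] = url
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for f in carve_jpegs(image):
        print(f"JPEG at offset {f.offset}, {len(f.data)} bytes")
    for u in carve_urls(image):
        print("URL:", u)
    wiped = wipe_range(image, 2 * SECTOR, SECTOR)
    print("JPEGs after wiping sector 2:", len(carve_jpegs(wiped)))
```

Running it against a real image means feeding `carve_jpegs` and `carve_urls` the contents of a raw `dd`-style dump; the point of the example is that the deleted cache file and the URL fragment are found exactly as long as nothing has overwritten the sectors, and vanish only once `wipe_range` has zeroed them.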

Microsoft plays down the story, stating that the privacy of regular users is protected, at least against other regular users. Maybe so, but I would not rely on this feature too much until we know more.

On a side note: I did find information about the wire transfer (my monthly rent), which surprised me. And in case you are wondering, the traces were not part of the pagefile but located in freespace.

I’m not done with IE8, expect an update when I’ve had some more time to chew on this.

Forensics in space?

Two days ago the website SpaceRef.com told us ‘NASA Discovers Computer Virus Aboard the International Space Station’. Somehow a computer virus made it to at least one of the Space Station’s non-critical computers. This might seem like a small thing because it wasn’t an important computer. But then again, we all know how dangerous a space virus can be, if you have seen Independence Day of course.

The SpaceRef website states: “Theory is virus either in initial software load or possibly transferred from personal compact flash card.”

Well, only a theory is not enough, is it? This sounds like a very good reason to do a full forensic investigation. Sending an investigator to space, though, might be quite a challenging job.

So NASA, if you are looking for a forensic investigator: Just contact us ;)

Shortinfosec Computer Forensics Competition

Another competition! Shortinfosec is hosting a computer forensics competition. This one is about analyzing a disk image for incriminating evidence.

More info can be found on:
http://www.shortinfosec.net/2008/07/competition-computer-forensic.html

No rewards on this one, but like stated before: Challenges are a great way to see what the status of your current knowledge is and you also might learn something from it.

F-Secure Reverse Engineering Challenge

F-Secure is having another one of their Reverse Engineering Challenges. The current challenge can be found on http://www.khallenge.com/ and previous challenge files can be found on http://www.f-secure.com/security_center/asm.html

The contest started on Friday 1st of August 2008 at 12:00 and is already almost over, as it ends on August 3rd 2008 at 11:59 (EET). By the time of this writing you can’t win the prizes anymore, as two people have already solved the last round. But that shouldn’t spoil the fun of participating, of course. Challenges are a great way to see how good your current knowledge is, and you might also learn quite a few new things.

Ok, back to level 2!

Beware what you travel with

Multiple news sites tell the story of the USA now being able to detain the laptops (or any other electronic device) of travelers. The Policy Regarding Border Search of Information states:

Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location.

What does this mean for a traveling forensic investigator? First, how are you going to do your job when your electronic friend is being held for investigation? And what is a “reasonable period of time”? Maybe you can pick it up again when you are leaving?

And if it is being detained, what data is on it? Of course you should never have any case data on your own laptop, right? But what if you have a new case and you did a quick investigation on the secured evidence with your own laptop? There might be some traces left in the slack and free space. Let’s hope the data doesn’t contain any references to terrorist acts; it might be a long stay then instead of a short trip.

Or, what if you just made a forensic copy for a case and you are traveling with that copy to deliver it to your own lab for your investigation? If the hard disk with the forensic copy is being detained, how does that look on your chain of custody? Not to mention the data that might be on a newly imaged evidence item.

Of course, if you keep thinking about it there will be a lot more consequences when your items are being detained at the border. But then again, why would a good forensic investigator be stopped at the border for such an investigation? Oh well, as long as they don’t take my PSP.

TomTom forensics

The guys at GPSForensics.org are posting more and more info on their webpage regarding this very new and challenging field within IT forensics. Their latest is a very practical document on TomTom forensics.

WORM and hashing

Two interesting and IMO partly related postings were made in the previous days: Sandisk made a press-release about their new write-once-read-many (WORM) storage card, and Jesse Kornblum wrote a blog posting about updates and new features for his hashing tools.


Gmail account protection

How many cases have you done that involved possible unauthorized access to a webmail account? Probably quite a few, if your client base and caseload are somewhat similar to ours. Remember, this isn’t just about the average home user whose Hotmail account got hacked by guessing the secret question; there are numerous examples of people who (for a variety of reasons) use their personal webmail occasionally or on a regular basis for receiving and sending work-related e-mail.

These cases are often hard to solve: there are of course some tricks using ‘digital traps’ to catch the person who is viewing the inbox, but such mechanisms don’t always work in the current world of spam protection. And if you are doing bad things, you might be looking out for traps :) The webmail providers are often very reluctant to provide any information on when and from where an account was accessed, even when the requester is the owner of the account.


Inverse keylogger

If you (like we once did) get a case where you have to explain ‘random mouse movements and keyboard inputs’, you might want to check for the following device:

http://www.thinkgeek.com/gadgets/electronic/a11e/

It should not be too hard to notice (who would miss some sort of PCB connected to their USB port… ;) ), so maybe they should put some more effort into hiding it. Real keyloggers, like the ones from KeyGhost, are far harder to detect…

Anyway, this device was not the cause in our case, but it was nevertheless a fun thing to stumble upon (thanks to TB).

Literally make history with Firefox 3

I reckon most people will have seen the news that there is a new major release of ‘the other’ web browser, Mozilla Firefox (no browser wars please ;) ). The release of version 3 of this web browser was hyped up with an attempt to make it to the Guinness Book of Records, with a world record for the highest number of software downloads in 24 hours. “Make history with Firefox” was the slogan, but I will take a look at a way to literally make history with Firefox 3. Browser history, that is.
