Alternative Browsers Impede Investigations
rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
It's not the software . . . (Score:5, Informative)
Re:It's *not* rocket science, guys... (Score:5, Informative)
There you go, transparent encrypted directory.
Also, Truecrypt [truecrypt.org] is capable of encrypting stuff too.
Re:It's *not* rocket science, guys... (Score:5, Informative)
C'mon.. any advanced porn^H^H^H^H surfer knows to go to google, enter the url and click through google's url. That way you don't have a suspicious empty dropdown bar and you can simply delete the url (and google's search url) from the history and for all intents and purposes, you never went there (just dump the cache).
I guess these guys were never married. Simply having an attentive wife teaches you that FED defeating trick. The location dropdown bar and autocomplete can be a lot of trouble.
Heh
Re:It's *not* rocket science, guys... (Score:5, Informative)
Digital forensics is performed offline. You don't run the browser software to read its history.
However, I fail to see how this would create problems for law enforcement. Most of the interesting data is readily available. And the data formats haven't changed that much since the days when Netscape was the dominant browser.
Safari's the worst of them all. (Score:5, Informative)
"Using Safari's new Private Browsing feature, no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It's as if you were never there."
Re:It's *not* rocket science, guys... (Score:5, Informative)
Re:Another article with the same logic (Score:3, Informative)
google cache: http://66.102.9.104/search?q=cache:JMB0PlWzQEUJ:w
Re:It's *not* rocket science, guys... (Score:3, Informative)
One of my students is an Indiana State Trooper undergoing computer forensics training. Since he's enthusiastic about his classes, I get to hear about what he's being taught at all his Homeland Security-sponsored courses.
And it turns out that he's learning some pretty complex things, at least as far as examining the contents of hard drives. He has programs that can analyze Windows or *nix systems with a good level of accuracy. He talks about looking at partition tables to ensure that the drive geometry matches with the size of formatted space on a hard disk, and how to poke around in unpartitioned space or oddball filesystems or file types with a hex editor. He can dissect the contents of Linux or Windows swap space and he's fairly unperturbed about sitting in front of unfamiliar operating systems on PC or Apple hardware.
Granted, that's one guy, but he's not really a computer nerd, just someone who has been taught to do computer forensics work. And given that he seems fairly competent, I don't think something like a Firefox History would hinder him much at all.
Re:Another article with the same logic (Score:2, Informative)
(this is satire. don't believe anything you read on the internet)
Re:New Firefox Ad: even the popo can't touch this (Score:3, Informative)
I think the correct term is "too lazy" (Score:1, Informative)
This little program is freeware and makes it extremely easy to see exactly where someone has been on IE, even after they have clicked the buttons to clean everything out.
http://www.talkaboutshareware.com/group/alt.comp.
To see where someone has been in Firefox or Opera, there is no cool little freeware app that I know of. If you open Firefox's cache folder, you'll see at the top of the list some files named _cache_001_, _cache_002_, etc. That is where the history is. Just open it in notepad and get your "page down" finger ready. There's no need to create some nifty little program if you can easily read it in notepad.
Clearing the cache in other browsers actually clears the cache. Clearing the cache in IE does not clear all histories. Hence the reason why programs like WindowsWasher exist.
The problem law enforcement actually runs into is that they can't find the secret hidden history in Opera and Firefox like they can with IE because it doesn't exist.
Want to step up your privacy another notch? Install a freeware ramdisk and put your cache in it. If the computer loses power, POOF all the cache is gone. It speeds up browsing as well since it's faster to delete files during a normal cache cleanup from ram than from the drive. The only downside is that you're limited to 32 or 64 meg in windows. Don't know how big it can be in *nix.
yes it does (Score:5, Informative)
I agree (Score:3, Informative)
You can find clues of these things though. Look at the vnc history, try pinging the broadcast address on the subnet, look in the arp cache, see if there are clues in the registry that another drive was mounted.
I suspect it would be very hard to thwart a computer forensics expert, but I'm sure the VAST majority of petty criminals can be caught by someone with a week's worth of training.
Yeah and then a few weeks later... (Score:3, Informative)
Yeah, it happened at work, and it was not pretty.
Re:Yeah and then a few weeks later... (Score:4, Informative)
Re:It's not the software . . . (Score:3, Informative)
Specifically, poorly trained in tech matters. (one would hope, not poorly trained in investigation/law enforcement and the kind of stuff that should be their "core competencies")
I work for a phone company, and often work with various police agencies' "special investigation" units. The officers that I deal with are usually 6-8 year veterans, and have been rotated into SI for a 3-4 year stint. When they have to deal with the interface hardware that they have at our locations, they are typically lost. They show up with dog-eared manuals, and a file full of notes from the last guy that had their job, and try to make sense of E&M signalling, or a serial interface on a Cisco box. Often these guys, while competent police officers, can't program their VCRs at home.
Fortunately, the IT guys at their offices are usually willing to help them out, and since we know that they are out of their depth, we lend a hand, as far as we are permitted (security reasons).
Re:It's *not* rocket science, guys... (Score:1, Informative)
Yes but if you really don't know how to access the data, you can:
Repeat until you have the information you need.
It's not guaranteed, but you should be able to retrieve most if not all the data using this means.
And it's not like they need to have hundreds of programs. How many browsers out there? 10?
How many countries in the world? How many law enforcement officers?
Come on. Talk about a problem.
Re:It's *not* rocket science, guys... (Score:5, Informative)
------------
#!/usr/bin/perl -w
# Dump every row of a Mozilla/Firefox Mork history.dat as "key = value" pairs.
# Needs File::Mork from CPAN; run it in the directory that holds history.dat.
use strict;
use File::Mork;

my $mork = File::Mork->new('history.dat', verbose => 1)
    || die $File::Mork::ERROR . "\n";

# Each entry is a hash of column name => value (URL, Hostname, LastVisitDate, ...).
foreach my $entry ($mork->entries) {
    while (my ($key, $val) = each %$entry) {
        print "$key = $val\n";
    }
    print "\n";
}
------------
BTW, I do realize that your post was sarcastic... as is this one.
Works perfectly if run in the same directory as history.dat and produces output like:
ID = 388D
URL = http://www.google.com/ [google.com]
Hostname = google.com
LastVisitDate = 1125064549
FirstVisitDate = 1125064549
Name = Google
It should be left to guru perl coders making $500,000/yr or more to do fancy things like convert timestamps to dates.
I guess it's a good thing that there are no tools available for Windows that auto-clear IE history, cookies or cache files! What would law enforcement do??
Re:Mod Parent Up (Score:2, Informative)
grep '=http://' history.dat
No cat necessary.
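An added example, not from the thread and not part of File::Mork: a small Python reader for the Mork 1.4 layout that Firefox 1.x used for history.dat. It shows what the File::Mork script above and the `grep '=http://' history.dat` one-liner are both reaching for, and what the grep misses: a URL sits in an atom dictionary, the row that owns it only refers to it as `(^82^8C)`, so the grep cannot tell you which row a URL belongs to, and it will not match a value that contains a `\)` or `$XX` escape. The reader resolves cell references through the column and atom dictionaries, decodes the escapes, and converts the visit dates to UTC. The embedded history.dat is constructed for this example, not a real capture; the rule in `to_utc` that values above 10**12 are microseconds (PRTime) is an assumption, and the parser does not model Mork groups/transactions, so it is a triage tool, not a full implementation.

```python
"""Added example: minimal reader for Mork 1.4 history.dat (Firefox 1.x era)."""
import re
from datetime import datetime, timezone

# "(id=value)" inside a dictionary; a value may contain "\)" (escaped paren) and "$XX" hex escapes.
_ENTRY = re.compile(r'\(([0-9A-Fa-f]+)=((?:[^)\\]|\\.)*)\)', re.S)
# A row cell: "(^col^atom)" points at an atom, "(^col=literal)" carries the value inline.
_CELL = re.compile(r'\(\^([0-9A-Fa-f]+)([\^=])((?:[^)\\]|\\.)*)\)', re.S)
# A dictionary: "<" [ "<(a=c)>" ] [ "// comment" ] entries ">".  "<(a=c)>" marks the column
# dict; every other dict adds atoms.  The comment is deliberately left out of the captured entries.
_DICT = re.compile(r'<(\s*<\(a=c\)>)?(?:\s*//[^\n]*)?((?:\s*\((?:[^)\\]|\\.)*\))*)\s*>', re.S)
# A row: "[" ["-"] rowid [":^scope"] cells "]".  A leading "-" marks a row cut from its table;
# for forensic use the cells are kept and the row is flagged rather than dropped.
_ROW = re.compile(r'\[(-?)([0-9A-Fa-f]+)(?::\^?[0-9A-Fa-f]+)?((?:\s*\((?:[^)\\]|\\.)*\))*)\s*\]', re.S)
_ESC = re.compile(r'\\(.)|\$([0-9A-Fa-f]{2})', re.S)


def unescape(raw):
    """Decode Mork escapes: "\\x" -> "x", "$XX" -> byte XX (returned as a Latin-1 char)."""
    return _ESC.sub(lambda m: m.group(1) if m.group(1) is not None else chr(int(m.group(2), 16)), raw)


def parse_mork(text):
    """Return (columns, atoms, rows); rows are dicts keyed by column name plus 'id' and 'cut'."""
    columns, atoms, rows = {}, {}, []
    events = [(m.start(), 'dict', m) for m in _DICT.finditer(text)]
    events += [(m.start(), 'row', m) for m in _ROW.finditer(text)]
    for _, kind, m in sorted(events, key=lambda e: e[0]):   # file order matters: ids accumulate
        if kind == 'dict':
            target = columns if m.group(1) else atoms
            for e in _ENTRY.finditer(m.group(2)):
                target[e.group(1).upper()] = unescape(e.group(2))
        else:
            row = {'id': m.group(2).upper(), 'cut': m.group(1) == '-'}
            for c in _CELL.finditer(m.group(3)):
                col = columns.get(c.group(1).upper(), '^' + c.group(1))
                row[col] = atoms.get(c.group(3).upper(), '') if c.group(2) == '^' else unescape(c.group(3))
            rows.append(row)
    return columns, atoms, rows


def to_utc(stamp):
    """Render a visit date as UTC.  Assumption: values above 10**12 are PRTime microseconds,
    smaller ones are seconds (the unit the File::Mork output above shows).  Non-numeric stays as-is."""
    try:
        n = int(stamp)
    except ValueError:
        return stamp
    if n > 10 ** 12:
        n //= 10 ** 6
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')


def history_entries(text):
    """Rows that carry a URL column, with *VisitDate columns also rendered as UTC."""
    _, _, rows = parse_mork(text)
    out = []
    for row in rows:
        if 'URL' not in row:          # skips housekeeping rows such as the ByteOrder row
            continue
        for key in ('FirstVisitDate', 'LastVisitDate'):
            if key in row:
                row[key + 'UTC'] = to_utc(row[key])
        out.append(row)
    return out


# Constructed sample in the Mork 1.4 layout (not a real capture).  The second URL carries
# an escaped ")" and an escaped "$" that a plain grep for "=http://" would not resolve.
SAMPLE = r"""// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
  (80=ns:history:db:row:scope:history:all)
  (81=ns:history:db:table:kind:history)
  (82=URL)(83=Referrer)(84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)
  (87=Name)(88=Hostname)(89=Hidden)(8A=Typed)(8B=LastPageVisited)(8C=ByteOrder)>

<(80=LE)>
{1:^80 {(k^81:c)(s=9)}
  [1(^8C^80)]}

<(81=http://www.google.com/)(82=1125064549)(83=google.com)(84=Google)(85=1)
 (86=http://example.net/search?q=a\)b$24c)(87=example.net)(88=1125064600)>
{1:^80 {(k^81:c)(s=9)}
  [388D(^82^81)(^84^82)(^85^82)(^86^85)(^87^84)(^88^83)]
  [388E(^82^86)(^84^88)(^85^88)(^86=2)(^88^87)]}
"""

if __name__ == '__main__':
    for e in history_entries(SAMPLE):
        print(e['id'], e['URL'], e.get('Hostname'), e.get('VisitCount'), e.get('LastVisitDateUTC'))
```

Run it against a real history.dat by replacing SAMPLE with the file's contents; since it only reads the file, it is safe to run on a mounted read-only image, which is where an examiner would actually use it.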
A good article (Score:3, Informative)
Part 1 [securityfocus.com]
Part 2 [securityfocus.com]
Re:Wait a second! (Score:2, Informative)
There are professionals at the police that don't know a bit from a byte and thus don't ever research those things. They're paid for reading through the outcome of automated searches, to solve many cases. They pay money to others to make the searchability happen.
The others realise that adding firefox to the list would double the complexity (possibly slightly more) and add a 4% increase in computers they can research. Offset by the fact that most criminals don't know that there is a thing as firefox, why would they care?
Hence this "article" which doesn't tell you anything but the bleeding obvious.
Signed, somebody who had his last day at the digital police education center (dunno the English name) last Monday.