Alternative Browsers Impede Investigations 720
rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
Browser concerns (Score:3, Interesting)
Firefox and Opera may use a different method of file structure/ naming, but they *do* have a fundamental process and that process does not vary from system to system.
Um, Duh? (Score:5, Interesting)
Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher
You would think since Firefox is open-source, it would be a trivial matter to determine the format of the cache files by examining the source code.
In a word: (Score:3, Interesting)
That's one of the reasons I use Firefox, Thunderbird, Sunbird, etc...
Security by obscurity is not essentially valid, but it can be useful.
The government can't force people to organize their thoughts or ideas written down on legal pads with sworn oaths as to dates & times, why should ANY information be handed to them. I run may trace eliminators, for this purpose. I encrypt my file system. If this is going to slow them down or prevent them from gathering evidence, it's done it's job. Just another reason not to buy into the Microsoft way. (I'm not being facetious, it's true: Microsoft has an agenda to be on the side of the law, they HAVE to be lobbying quietly to get stuff like this out and laws passed to enforce it.)
"you want to frustrate law enforcement, use a Mac" (Score:5, Interesting)
A visit from the FBI
By Scott Granneman, SecurityFocus
Published Wednesday 28th January 2004 13:05 GMT
[snip]
I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble [securityfocus.com]". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.
Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.
I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.
It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
[snip]
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
[snip]
Another article with the same logic (Score:5, Interesting)
Re:It's *not* rocket science, guys... (Score:5, Interesting)
Un Freakin Believable (Score:2, Interesting)
Call me paranoid, but I think that the police like MSIE because they know that if push comes to shove, that MS will gladly cooperate and help in exchange for certain 'favors' likely involving no use of non-MS products or the dropping of the next antitrust lawsuit. On the other hand, FOSS developers are far less likely to agree (and will never, ever give the government backdoors to their software).
In other words, it's easier to manipulate one fat, greedy corporation than millions of individuals.
Re:It's *not* rocket science, guys... (Score:3, Interesting)
God help these 'professionals' if a suspect's computer happens to run Linux
I remember reading a while back that when the FBI seizes a macintosh computer they ship it to the Canadian Mounties for data recovery because the FBI does not know how to recover data from macintosh computers. I don't know if that is true, but I would not be surprised.
Re:It's *not* rocket science, guys... (Score:3, Interesting)
The one thing that has always bugged me... (Score:2, Interesting)
It would be my guess that it would be fairly difficult to convince a jury that the real criminal was an "evil program" running behind the scenes. The only real hope for a defendant in such a scenario would be to find some flaw in the malware program to suggest its existence (for example, if it activated when the defendant was out of town and his/her spouse was using the machine).
It concerns me that somewhere, someday, someone might go to prison as a result of the forensic analysis of his/her computer when in fact the criminal act was committed by a third party solely for the purpose of landing his/her victim in prison.
Re:It's not the software . . . (Score:3, Interesting)
"Officer MacGruff, are you an expert in computer forensics? Can you summarize your education? Can you describe your methodology?"
This reminds me of the whole speed camera thing in AU, where they lost a major court case because, given 8 weeks, they couldn't find an expert willing to testify on the relability of hashes as MACs. Not because the testimony wasn't believed, mind, but that they didn't have any.
Re:New Firefox Ad: even the popo can't touch this (Score:3, Interesting)
Now extend that to advertising your software as creating barriers to law enforcement investigations. Conspiracy to obstruct justice in an investigation to which national security is attached?
The one thing they should not do is promote this as a feature of their browsers!
Meanwhile, with the open source browsers, this should give ideas to people who do want to hide this information to modify the source to make the information even more obfuscated and how to make attempts to use the browser itself to extract the information cause the data to self-destruct. The more unique your build, the better.
Ummm - it's not offline (Score:5, Interesting)
Their parole office will drop by periodically and check their PC. They have some sort of forensic software that does this.
I've heard some jurisdictions require that you only run Windows on your computer as a condition of your parole. Logically this translates to going back to prison for owning a knoppix cd.
There simply aren't the resources to train all parole officers in computer forensics, expose them to various obscure operating systems, or to perform regular offline analysis of offenders hard drives.
The resources are (probably) there for big cases, but when there are probably close to half a million sex offenders on parole - it's just not practical.
Re:It's *not* rocket science, guys... (Score:5, Interesting)
For example: I have a friend who works in IT for a law enforcement agency. He constantly gets calls from their computer forensics specialist asking for help on why his station won't boot. Usually it's because he overwrote his boot sector while ananyzing a drive (I don't understand either).
Unfortunately the prevailing opinion is that teaching a street cop technology is easier than teaching a tech the intracate details of law enforcement. The higher ups don't realize that any IT persons job is basically an daily investigation. I think the answer is to pair up the two, but again, none of these agencies has asked me.
Re:It's *not* rocket science, guys... (Score:5, Interesting)
Re:It's *not* rocket science, guys... (Score:2, Interesting)
A theory... (Score:3, Interesting)
After looking over the site [htcia.org], I suspect that "The High Technology Crime Investigation Association (HTCIA)" is a front; it is really a for-profit money-making venture, not a legitimate professional association, as it presents itself. For a genuine professional association, they make too strong an effort to convince us that's what they are. It would work like this: A few guys collect the attendance and membership fees, keeping a big profit for themselves. The fees are paid by governments. The conference attendees, mostly law enforcement officials, receive some stupid advice. Masquerading as a professional organization instead of a for-profit business creates good will, helping them to fleece taxpayers.
The content of the training seminars is especially suspicious. Really, how easy is it to uncover the "secret" history files of "alternative" web browsers? I timed myself, and it took me about 90 seconds using Google to work out some good keywords and find the answer. See the first link [holgermetzger.de] in my google search [google.com].
Something else suspicious about this professional training: Because the source code for Firefox is available for free to the public, which is not the case with Internet Explorer, it should be easier, not more difficult, to uncover where and how Firefox logs history.
Re:Ummm - it's not offline (Score:1, Interesting)
Browser A (IE): Used regularly for normal web surfing. Maintains a long history of "safe" websites.
Browser B (Firefox): Used occaisionally for "unsafe" web surfing. Maintains no cache at all. If asked, you installed it "to check it out, but I never use it".
(#27 on the list of things you learn when you have nosy, computer-literate roommates and/or a nosy, computer-literate SO who doesn't like pr0n.)
Re:What's a security expert worth? (Score:3, Interesting)
Re:It's *not* rocket science, guys... (Score:3, Interesting)
Right click the directory you want to un-encrypt, select properties, security, and press teh advanced button.
Select the 'Owner' tab, then add your user account and administrator as owners. Remove all other owners.
Check Replace owner on subcontainers and objects
Switch the the Permissions tab and select 'Replace permission entries on all child objects with entires shown here that apply to child objects'
Select 'OK' and go grab a doughnut...
I'm honestly not trying to aid would be 'hackers' or anything. I mostly just worry people use windows encryption thinking it's useful if their system has been compromised. It's not...
There is actualy a MS KB article out there that explains this process a little better then I did but I'm a bit lazy today.
Re:Ummm - it's not offline (Score:3, Interesting)
If you're a normal citizen, not out on parole or having to register as a sex offender or something, use whatever OS and browser you want. They haven't make this illegal yet.
If you've been convicted of child porn violations, or have to register as a sex offender, you're screwed already, and nobody's likely to really care. Our legal system has a nice habit of continuing to punish people for things like this indefinitely (in spite of the Constitution's `no cruel and unusual punishments' section) and I don't see this changing any time soon. Even if all you did was get caught peeing behind a bush.
NOBODY is going to make the police update their equipment just to give you more freedom in what OS or browser you use. (And you should be glad that they allow Windows XP, and not 95 or 3.1.)
Re:It's *not* rocket science, guys... (Score:3, Interesting)
You want a hard file format? Try Quark. SPIFSPOCSPIFSPIT, this means something to quark... but damned if anyone knows what.
(I'm not talking about xpresstags either, that's a cakewalk compared to quark's binary format)
Re:It's *not* rocket science, guys... (Score:3, Interesting)
Granted, a supposed expert who can't figure out proxy logs and cookies isn't very much of an expert, but he does have a point. I do computer forensics for one of my clients, and not only have I never run into a single case where the suspect deliberately hid their activity in the 7 years I've been doing this, but most of them are so unbelieveably stupid that they:
For the vast majority of cases I've seen, finding evidence isn't really the problem. Explaining what the evidence means to HR/Legal is MUCH more difficult.
You gotta be kidding... (Score:4, Interesting)
That said, I wonder what would prevent someone from creating a wireless fileserver and embedding it behind their drywall. Using an NFSmount or Share, an evildoer's PC wouldn't hold anything evil when the FED's nabbed it.
Realistically I bet it would though - They can do some pretty amazing things with Forensics these days, and I wouldn't be surprised if they could take a ram chip and see previous states of 0's and 1's.
Let's Play "Follow the Money!" (Score:3, Interesting)
All you have to do is play "follow the money" and it quickly sounds like Micro$oft is using the God-and-Country argument to win by default the Second Browser War. Considering how invested Micro$oft has been in the US Justice Dep't. (one of former USAG John Ashcroft's biggest campaign contributors and still heavily involved to this date) it would be unsurprising if they were the ones pulling the strings on the issuance of a statement like this.
What ought to happen is for the Dep't. of Homeland Security to proclaim Internet Explorer as the single largest cause of "electronic terrorism" because of Micro$oft's half-assed security measures.
That'd shut them up real quick...
evil! (Score:4, Interesting)
Re:It's *not* secure, guys... (Score:3, Interesting)
The point was that it's now possible to encrypt data so that other people can't read it unless they have appropriate credentials.
True story:
One of my coworkers thought NT4+NTFS was an incredibly secure platform. So I put a Knoppix CD in the drive, rebooted, mounted the NTFS partition, went to his profile directory and showed him the contents of his cookies. I then explained to him that NTFS security was cooperative, meaning that the security was based on the idea that a security flag in the filesystem would say "please don't read this file" and the operating system would respect that request. As soon as you find a way to ignore that flag then anything resembling security is out the window (pardon the pun).
Re:Ummm - it's not offline (Score:1, Interesting)
They aren't stupid (Score:3, Interesting)
At the time, I read through it and noted some "smart" things. They know about dead-mens switches etc; they NEVER boot up the PC. The drive gets removed and hooked up to a scanning system. The scan then looks for anything dodgy or the officer can browse it. If the software needs updated to include bookmarks/history from other sources, then I'm sure it's not all that big a deal to add this in. Even then, bookmarks & history? They are all too easy to clean and/or fake.
If you think the computer forensic expects boot up the PC and try to save your bookmarks to a floppy, you are sadly mistaken.
What worries me more is that computer evidence is so easilly fakeable yet is often seen as gospel by the courts. It would be easy to create "logs" showing bad activity from someone you don't like. If I ever get hastled from the RIAA, the court will be presented with "evidence" that shows the guys bringing the suit were paedophiles, just to show how ridiculus the idea of third-parties producing "evidence" from a remote system claiming you downloaded "X on date Y". The forensic guys have been trained and undoubtably have sworn and oath or signed a contract to be honest. Some anti-p2p company hasn't and it is also in there commercial interest to provide more of this evidence. Worrying times...
Re:It's *not* rocket science, guys... (Score:3, Interesting)
In Victoria is is illegal to sell X-rated material or own more than 50 X-rated titles Note it is not illegal to BUY X-rated material.. Kiddie porn is always illegal to possess or distribute.
The only places in Australia where you may legally sell X-rated materials are in the two territories; i.e. Northern Territory and Australian Capital Territory (where our nation's capital is located).