12/21/2017
01:00 PM
Paul Shomo

Digital Forensics & the Illusion of Privacy

Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers, and now their important security research is finally being acknowledged.

It is difficult, if not impossible, to keep what we do online or on an electronic device private. Every action creates digital forensic artifacts — residual forensic evidence left behind when users or applications interact with an operating system. Nevertheless, the privacy myth lives on: browsers offer "anonymous modes," users can clear their history, or apps provide guarantees of "disappearing" content. Yet forensic experts have a wide range of tools at their disposal to uncover the various pieces of evidence and piece together what happened. The first attempt to put forensic research in the mainstream of security research will be a shocker to many.

While forensics has historically gone unremarked by the media, Guidance Software (recently acquired by OpenText) on Wednesday announced the winners of its inaugural Forensic Research Awards Program. These researchers include digital detectives who exposed a popular antivirus product that left behind users' long-term Web history, regardless of users' attempts to clear histories or use private browsing modes. Other research revealed IP addresses of anonymous users exposed by peer-to-peer software often deployed for pirating. There was also a major encryption vendor that left keys behind that could be recovered by law enforcement.

Vulnerability versus Forensic Research
Forensic research is a close cousin to vulnerability research. Vulnerabilities typically allow malicious code to execute or security controls to be bypassed. Forensics concentrates on the digital evidence that operating systems and applications leave behind. Both forms of research expose privacy concerns, but forensics shatters the illusion of privacy altogether. Everything leaves forensic residue: running applications, clicking files, accessing data, opening email attachments, and surfing the Internet.

Vulnerability research typically embarrasses software vendors, and gag orders are common. Vendors pay bounties to control the disclosure and patch before vulnerabilities become public. Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers. Their findings are often public record in court cases — but not widely recognized in the media or elsewhere.   

The Forensic Research Awards Program was created to recognize the importance of forensics and reward researchers for their work. Consider the winner of OpenText's top research prize, Justin Bartshe, a longtime forensic examiner and an investigator with the United States Naval Criminal Investigative Service (NCIS). One of Bartshe's cases involved searching all of a user's data, encoded or not, including every system file and every nook and cranny of a user's operating system. Bartshe found URLs related to his case in a SQLite database left behind by a popular open source AV product. Despite the fact that the suspect cleared the browsing history many times, much of the long-term history still existed in the database. The AV product even records most of the browsing done in private or incognito mode.

Privacy & the Future of Forensics
An examiner at NCIS typically needs to present findings in court and defend them. Many people don't know this, but forensics is a science; defense teams often conduct their own forensic analysis to challenge prosecutors as well. Findings must be reproducible or they will be shot down in court. 

Bartshe wasn't attempting to embarrass the AV vendor or collect a bounty. His job required him to reverse engineer the AV platform's previously unknown SQLite DB to prove the conditions where it records browsing. Depending on the case, these findings can go into public record as part of prosecution. In this instance, Bartshe's research was used in a case to protect children from abuse.
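A first-pass triage in the spirit of the search described above, as an added example rather than code from the article or from Bartshe's case: it identifies SQLite files by header instead of by name, opens them read-only, and lists every URL found in any table along with the table and column that held it. The file name `cache.dat`, the table `t1` and the `example.test` URLs are constructed; the schema of the product in the article is not given on the page.

```python
import os, re, sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file
URL_RE = re.compile(r"https?://[^\s\"'<>\x00-\x1f]+")

def is_sqlite(path):
    """Identify databases by header; vendor files rarely end in .sqlite."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def urls_in_db(path):
    """Return (table, column, url) for each URL in any TEXT or BLOB value."""
    hits = []
    # mode=ro: never write to evidence (and still work on a verified copy).
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        q = "SELECT name FROM sqlite_master WHERE type='table'"
        for (table,) in con.execute(q).fetchall():
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if isinstance(val, bytes):
                        val = val.decode("utf-8", "ignore")
                    if isinstance(val, str):
                        hits += [(table, col, u) for u in URL_RE.findall(val)]
    except sqlite3.DatabaseError:
        pass  # corrupt or encrypted file: leave for manual analysis
    finally:
        con.close()
    return hits

def scan_tree(root):
    """Walk an evidence tree and report (file, table, column, url) hits."""
    return [(p, *h) for d, _, fs in os.walk(root) for f in fs
            if is_sqlite(p := os.path.join(d, f)) for h in urls_in_db(p)]

def build_sample(root):
    """Constructed evidence: a database with an opaque name and schema."""
    con = sqlite3.connect(os.path.join(root, "cache.dat"))
    con.execute("CREATE TABLE t1 (id INTEGER, k TEXT, v BLOB)")
    con.execute("INSERT INTO t1 VALUES (1, 'http://example.test/a', ?)",
                (b"\x00https://example.test/b\x00",))
    con.commit(); con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*scan_tree(root), sep="\n")
```

Recording the file, table and column for each hit gives a second examiner what they need to reproduce the finding on their own copy of the evidence.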

Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking, and storage. Paul has spent several ...