Threat Intelligence

12/21/2017
01:00 PM
Paul Shomo
Paul Shomo
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Digital Forensics & the Illusion of Privacy

Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers, and now their important security research is finally being acknowledged.

It is difficult, if not impossible, to keep what we do online or on an electronic device private. Every action creates digital forensic artifacts — residual forensic evidence left behind when users or applications interact with an operating system. Nevertheless, the privacy myth lives on: browsers offer "anonymous modes," users can clear their history, or apps provide guarantees of "disappearing" content. Yet forensic experts have a wide range of tools at their disposal to uncover the various pieces of evidence and piece together what happened. The first attempt to put forensic research in the mainstream of security research will be a shocker to many.

While forensics has historically gone unremarked by the media, Guidance Software (recently acquired by OpenText) on Wednesday announced the winners of its inaugural Forensic Research Awards Program. These researchers include digital detectives who exposed a popular antivirus product that left behind users' long-term Web history, regardless of users' attempts to clear histories or use private browsing modes. Other research revealed IP addresses of anonymous users exposed by peer-to-peer software often deployed for pirating. There was also a major encryption vendor that left keys behind that could be recovered by law enforcement.

Vulnerability versus Forensic Research
Forensic research is a close cousin to vulnerability research. Vulnerabilities typically allow malicious code to execute or security controls to be bypassed. Forensics concentrate on the digital evidence that operating systems and applications leave behind. Both forms of research expose privacy concerns, but forensics shatters the illusion of privacy altogether. Everything leaves forensic residue: running applications, clicking files, accessing data, opening email attachments, and surfing the Internet.

Vulnerability research typically embarrasses software vendors, and gag orders are common. Vendors pay bounties to control the disclosure and patch before vulnerabilities become public. Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers. Their findings are often public record in court cases — but not widely recognized in the media or elsewhere.   

The Forensic Research Awards Program was created to recognize the importance of forensics and reward researchers for their work. Consider the winner of OpenText's top research prize, Justin Bartshe, a longtime forensic examiner and an investigator with the United States Naval Criminal Investigative Service (NCIS). One of Bartshe's cases involved searching all of a user's data, encoded or not, including every system file and every nook and cranny of a user's operating system. Bartshe found URLs related to his case in a SQLite database left behind by a popular open source AV product. Despite the fact that the suspect cleared the browsing history many times, much of the long-term history still existed in the database. The AV product even records most of the browsing done in private or incognito mode.

Privacy & the Future of Forensics
An examiner at NCIS typically needs to present findings in court and defend them. Many people don't know this, but forensics is a science; defense teams often conduct their own forensic analysis to challenge prosecutors as well. Findings must be reproducible or they will be shot down in court. 

Bartshe wasn't attempting to embarrass the AV vendor or collect a bounty. His job required him to reverse engineer the AV platform's previously unknown SQLite DB to prove the conditions where it records browsing. Depending on the case, these findings can go into public record as part of prosecution. In this instance, Bartshe's research was used in a case to protect children from abuse.

Related Content

Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking, and storage. Paul has spent several ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.