Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/21/2017
01:00 PM
Paul Shomo
Paul Shomo
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Digital Forensics & the Illusion of Privacy

Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers, and now their important security research is finally being acknowledged.

It is difficult, if not impossible, to keep what we do online or on an electronic device private. Every action creates digital forensic artifacts — residual forensic evidence left behind when users or applications interact with an operating system. Nevertheless, the privacy myth lives on: browsers offer "anonymous modes," users can clear their history, or apps provide guarantees of "disappearing" content. Yet forensic experts have a wide range of tools at their disposal to uncover the various pieces of evidence and piece together what happened. The first attempt to put forensic research in the mainstream of security research will be a shocker to many.

While forensics has historically gone unremarked by the media, Guidance Software (recently acquired by OpenText) on Wednesday announced the winners of its inaugural Forensic Research Awards Program. These researchers include digital detectives who exposed a popular antivirus product that left behind users' long-term Web history, regardless of users' attempts to clear histories or use private browsing modes. Other research revealed IP addresses of anonymous users exposed by peer-to-peer software often deployed for pirating. There was also a major encryption vendor that left keys behind that could be recovered by law enforcement.

Vulnerability versus Forensic Research
Forensic research is a close cousin to vulnerability research. Vulnerabilities typically allow malicious code to execute or security controls to be bypassed. Forensics concentrate on the digital evidence that operating systems and applications leave behind. Both forms of research expose privacy concerns, but forensics shatters the illusion of privacy altogether. Everything leaves forensic residue: running applications, clicking files, accessing data, opening email attachments, and surfing the Internet.

Vulnerability research typically embarrasses software vendors, and gag orders are common. Vendors pay bounties to control the disclosure and patch before vulnerabilities become public. Forensic examiners don't work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers. Their findings are often public record in court cases — but not widely recognized in the media or elsewhere.   

The Forensic Research Awards Program was created to recognize the importance of forensics and reward researchers for their work. Consider the winner of OpenText's top research prize, Justin Bartshe, a longtime forensic examiner and an investigator with the United States Naval Criminal Investigative Service (NCIS). One of Bartshe's cases involved searching all of a user's data, encoded or not, including every system file and every nook and cranny of a user's operating system. Bartshe found URLs related to his case in a SQLite database left behind by a popular open source AV product. Despite the fact that the suspect cleared the browsing history many times, much of the long-term history still existed in the database. The AV product even records most of the browsing done in private or incognito mode.

Privacy & the Future of Forensics
An examiner at NCIS typically needs to present findings in court and defend them. Many people don't know this, but forensics is a science; defense teams often conduct their own forensic analysis to challenge prosecutors as well. Findings must be reproducible or they will be shot down in court. 

Bartshe wasn't attempting to embarrass the AV vendor or collect a bounty. His job required him to reverse engineer the AV platform's previously unknown SQLite DB to prove the conditions where it records browsing. Depending on the case, these findings can go into public record as part of prosecution. In this instance, Bartshe's research was used in a case to protect children from abuse.

Related Content

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.