by repost
Friday, May. 25, 2007 at 7:59 AM
I spent today dressed up in my monkey incognito suit at the 2007 ISSA Symposium in Phoenix. There were lots of great presentations and interesting security folks to exchange information with.
One presentation was particularly informative and a bit humorous for me.
The information was presented by an FBI Special Agent on the basics of forensics. It was a very good summary - however the best part was the questions asked afterward. This is the part that made me chuckle (those of you that know how I feel about encountering encryption during an investigation know why I'm laughing).
This is a paraphrase of the conversation from my memory and the notes that I made on a drink napkin (that will teach me to not bring my laptop).
Attendee: "How do you deal with encrypted media and information during an investigation?"
Special Agent: *grimaces*
Special Agent: "For the most part encryption is a dead end for us, unless the evidence deals with a matter of National Security / Terrorism."
Attendee: "So what do you do if it involves National Security?"
Special Agent: "We don't work on it. We send it to a sister agency *cough* NSA *cough* that takes care of that for us. They have no problem dealing with such things."
Let me put this into perspective for you all based on the SA's other comments:
1) If an attacker breaks into your systems and encrypts all of your data and the damage is greater than $500k, they'll investigate but they won't recover your data. You are $%@! out of luck.
2) If you're a warez kiddy, KP connoisseur, or gang member and you encrypt your stuff and don't leave the passphrase in an easily recoverable place (and they don't recover the passphrase via social engineering or interviewing techniques), they aren't going to attempt to break your encryption.
3) If you're a terrorist, or threatening the President, or building a dirty bomb... your encrypted data will be put on a special plane and flown to the NSA in a matter of hours. It will be broken. You will be prosecuted/tortured/shot/mysteriously disappear. :-)~
Some other comments that were interesting:
The FBI still has their "mega contract" with Microsoft. They have infinite Microsoft resources to help them figure out how to get to your stuff if you've used a Microsoft encryption solution.
The FBI has particular trouble with Apple's FileVault encryption if the passphrase is of "excellent" quality. That tells me they have thousands of monkeys doing brute-force attempts on FileVault sparseimage files. Interesting.
These comments made me feel better.
It would appear that I'm not the only one that gets rather pissed off when I find an encrypted file or filesystem during a forensic investigation - but I drink much better coffee.
(snip)
* * * * *
Continued at:
blogs.ittoolbox.com/security/investigator/archives/fbi-en...
by just wondering
Friday, May. 25, 2007 at 3:07 PM
>If you're a terrorist, or threatening the President, or building a dirty bomb... your encrypted data will be put on a special plane and flown to the NSA in a matter of hours. It will be broken. You will be prosecuted/tortured/shot/mysteriously disappear. :-)~
How would they know that you're a terrorist, or threatening the President, or building a dirty bomb unless they had *already* broken your encryption?
by you need proof?
Friday, May. 25, 2007 at 3:36 PM
Who said anything about any real evidence they may or may not have when a signature can send you to Gitmo? Welcome to terrorland.