Wednesday, 14 May 2008

Frozen keys

A slightly older bit of news:
"Already generating some discussion in the forums and elsewhere on the web is the recently released paper "Lest We Remember: Cold Boot Attacks on Encryption Keys" from researchers at Princeton University. The researchers' main finding is that data remains in DRAM for longer than generally expected. Furthermore, this period can be extended significantly by cooling the memory chips in question (a somewhat unsophisticated but effective methodology of achieving this cooling effect being the use of an inverted "canned air" canister!)"
That's not what I wanted to discuss, but as you can see I have discovered a video of the process in action.

The original paper: click here.
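How a key is actually pulled out of the decayed image, as an added example (this is not code from the paper or from this post): an AES implementation keeps its 176-byte expanded key schedule in RAM next to the 16-byte key, and the schedule is redundant, so a 16-byte window whose expansion matches the 160 bytes that follow it to within a few bit errors is almost certainly a real key even after some cells have decayed. The script below builds the AES S-box and key expansion from scratch, plants a schedule in a constructed 2 KB image with three bits cleared to mimic decay, and scans for it. The image, the cleared bit positions, the offset and the error budget of 8 bits are all assumptions of the example; the paper's own recovery algorithm also corrects errors inside the first 16 bytes, which this simplified scan does not.

```python
"""Locate an AES-128 key in a memory image by its expanded key schedule."""
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=8):
    """Scan a memory image for AES-128 key schedules.

    Every 16-byte window is a candidate key and is expanded; if the 160 bytes
    following it in the image differ from the computed schedule in at most
    max_bit_errors bits, (offset, key, bit_errors) is reported. Decayed bits
    inside the 16 key bytes themselves would change the whole expansion and
    are not corrected by this simplified scan."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        sched = expand_key(cand)
        errs = _bit_errors(sched[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, bytes(cand), errs))
    return hits


def make_test_image(key, offset=777, cleared_bits=(135, 137, 1401), seed=2008):
    """Constructed 2 KB image (an assumption of the example): pseudo-random
    filler with the schedule for `key` planted at `offset` and a few bits
    cleared. Decaying DRAM cells drift toward a ground state (0 in most
    regions), so decay is modelled as clearing bits, not setting them."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[offset:offset + 176] = expand_key(key)
    for bit in cleared_bits:  # bit positions within the planted schedule
        byte, b = divmod(bit, 8)
        image[offset + byte] &= ~(1 << b) & 0xFF
    return bytes(image)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A test key
    for off, k, errs in find_aes128_keys(make_test_image(key)):
        print(f"AES-128 key at offset {off:#x}, {errs} decayed bit(s): {k.hex()}")
```

A real image is hundreds of megabytes, and expanding a full schedule at every offset in pure Python will not scale to that; a production scanner rejects a window as soon as the first round key fails to match and only then expands the rest. The point the example makes is the one the paper relies on: the key schedule is so redundant that a handful of decayed bits does not stop recovery, which is why simply powering the machine off does not protect a disk-encryption key that was in use.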


NEWS Access Data FTK 1 and FTK 2

Access Data wrote: The release of FTK 2 has created much more confusion than we had anticipated, so we would like to take a moment to once again clarify a very important point. FTK 2 is not meant to be a replacement for FTK 1 for all customers. While some customers will likely see FTK 2 as a superior solution and make the move, some will no doubt prefer the simplicity and minimal hardware requirements of version 1.

It is for that reason that we are committed to not forcing our customers to choose between the two. Not only does every dongle of FTK 2 ship with a full working copy of FTK 1 (both solutions can be utilized at the same time), but we are continuing to support and develop FTK 1. A new version of FTK 1 will be released shortly with some powerful new features, and there will be additional new releases in the future.

We acknowledge there are challenges with FTK 2, such as slow processing, complex installation and GUI response issues. We are very well aware of these issues and diligently working on addressing them as quickly as possible. Over time, as we learn to take greater advantage of the power that a database-driven approach provides, we believe the vast majority of the customer base will transition. However we are not now, nor do we plan to in the future, forcing customers in one direction or the other. There are situations in which a database-driven solution is better and situations in which a memory-based solution is best. Therefore we are enabling you with both, and will allow you to decide when to use each.

We appreciate the continued feedback and support. We know we have not made it the easiest transition and for that we apologize. It is nobody’s fault but our own as the product manufacturer. So Access Data is committed to making FTK 2 easier to use and to providing continued customer support and educational resources for those who are interested in them.


Friday, 9 May 2008

NEWS Micro$oft closes the lid on rumours

To put a lid on bloggers' speculation about police getting "backdoors" to Windows security, Microsoft is starting to hush up on the subject. In an e-mail to BetaNews on Friday, a spokesperson described COFEE as a "customizable framework."

Despite releasing a few more facts on Friday about a controversial new tool for police officers, Microsoft has now vowed to stay mum on the "exact methods" used by COFEE (Computer Online Forensic Evidence Extractor), as well as about what kinds of passwords -- OS or network, for example -- COFEE might be able to crack.

"Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed," a Microsoft spokesperson wrote, in an e-mail to BetaNews on Friday.

On the other hand, Microsoft's expanded statement to BetaNews on Friday did add some new information to the public pool of knowledge about a tool already distributed to 2,000 police around the globe.

For instance, the spokesperson described COFEE on Friday as a customizable framework, "operating from a USB storage device, that law enforcement can use to leverage publicly available forensic tools and access information on a live Windows system."

Microsoft went on to say, "Microsoft's COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab."

In earlier accounts, COFEE had been variously explained as either a set of software tools or a series of about 150 commands.

As previously reported, COFEE controversy started last week when some bloggers started rumors that Microsoft was handing out "backdoor keys" to Windows security. The blogs got sparked by an article published in the Seattle Times based on an interview with Brad Smith, Microsoft senior VP and general counsel. Last week, Smith gave a talk at a law enforcement conference in Seattle, where he characterized COFEE as a "Swiss army knife for law enforcement officers."

In the Times article, reporter Benjamin J. Romano wrote that COFEE can "decrypt passwords and analyze a computer's Internet activity as data stored in the computer" -- words that soon touched off tirades among several incensed bloggers.

In an update to his article, Romano said a Microsoft spokesperson had later written to him describing COFEE as "a compilation of publicly available forensics tools, such as password security auditing technologies."

Although an initial statement to BetaNews contained no mention of the password tools, a second e-mail from Microsoft provided the information that COFEE does "include password security auditing tools." Subsequently, last Thursday, BetaNews asked Microsoft to identify the kinds of passwords that might be audited or recovered by police using COFEE -- Windows OS passwords, network passwords, or application passwords, for example.

We also asked Microsoft whether the password security auditing tools mentioned by Microsoft are being premiered with COFEE, or whether they are tools which are already readily available elsewhere. Although Microsoft declined to provide more answers to this inquiry specifically, the company's response did shed a little bit more light on what COFEE is, who uses it, and how it was created.


What follows is the full text of Microsoft's final answer on COFEE

"I have the following comment to share in regard to your follow-up question. Please note this will be all we have to share about COFEE.

COFEE (Computer Online Forensic Evidence Extractor) is a framework for first responders to customize a set of common forensic tools. It is a framework operating from a USB storage device that law enforcement can use to leverage publicly available forensic tools and access information on a live Windows system. COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

COFEE is designed for use by law enforcement only with proper legal authority. It does not contain new forensic tools, but rather is an easy to use, automated forensic tool at the scene. COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret "backdoors" or other undocumented means.

Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed.

History of the Tool:

* Microsoft believes that global public-private sector partnerships are essential to successfully fighting cybercrime in the Web 2.0 environment. Using technology, strategic partnerships, and a foundation of trust, our goal is to turn the positive opportunities which are created by Web 2.0 technologies against the cybercriminals trying to exploit them. COFEE is part of the tools and training that Microsoft provides to law enforcement around the world. It is designed to be used only in circumstances where proper legal authority has been given, such as a court ordered warrant. COFEE is reserved specifically for law enforcement.

* COFEE was first conceived in 2006 by Anthony Fung, formerly of the Hong Kong Cybercrime Police Unit, as a way to simplify the collection of critical volatile evidence at computer crime scenes. With important support from both Microsoft and fellow law enforcement personnel, COFEE achieved a limited release in the summer of 2007 and is now used by forensic examiners in countries the world over."



This can mean many things, but we are left to speculate about MS venturing into the DF world. With MS planning Windows FE (Forensic Edition), should we start preparing our court notes about the bugs and BSODs that it will no doubt have, yet hide any useful information about?

I'll keep on with BackTrack, Helix, Autopsy and Sleuth Kit, and, for the times I do have to use MS, FTK and Paraben (mobile phone examinations).


Friday, 2 May 2008

NEWS Crimeware in the Middle - Zeus (it's not me, honest)



Virtual greed, or response rate optimization? The idea of converging phishing emails with embedded exploits and banking malware is nothing new. In fact, phishers who realize that combining attack approaches increases the chance of achieving their objective (in this case either logging the authentication process or hijacking it) often forget that the phishing email could have succeeded without the embedded malware or exploit, which in many cases is exactly what triggers an alarm.

Yesterday, Uriel Maimon posted an overview of the convergence of Rock Phish emails with Zeus, a crimeware kit used to deliver banking trojans:

"The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.


2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the features-list goes on. As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment)."

We cannot talk about Zeus without comparing it to another crimeware kit serving banking trojans, in this case the Metaphisher kit. Metaphisher is particularly interesting because of its much more customized GUI and its modular nature, which lets its sellers lower or raise the price depending on which modules you want included and which excluded, where a module means preconfigured fakes, TANs and phishing pages for all the banks in a country of your choice. Moreover, although both Zeus and Metaphisher are open source, their authors therefore being visionary enough to build communities around their kits in order to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community than Zeus. Zeus is to crimeware kits what MPack is to web malware exploitation kits: a somewhat outdated commodity that is of course still capable of doing what it does best, hijacking e-banking sessions and logging them to the level of impersonation.

How do the authors of Zeus describe the kit themselves? Here is their description:

"ZeuS has the following main features and properties (the full list is given here; your particular build may not include all of them):

Bot:
- Written in VC++ 8.0, without the use of RTL etc., on pure WinAPI; this is what gives the small size (10-25 Kb, depending on the build).
- Does not have its own process, and so cannot be detected in the process list.
- Bypasses most firewalls (including the popular Outpost Firewall versions 3 and 4, though there is currently a small temporary problem with its anti-spyware component). Does not guarantee unimpeded reception of incoming connections.
- Hard to detect by file search or analysis: the bot installs itself on the victim and creates a file that looks like a system file and has an arbitrary size.
- Works in limited Windows accounts (working under the Guest account is not currently supported).
- Invisible to antivirus heuristics; the bot body is encrypted.
- Creates no suspicion of its presence in any way, unless you want it to. This refers to what many spyware authors love to do: unloading firewalls and antivirus, blocking their updates, blocking Ctrl+Alt+Del, etc.
- Disables the Windows Firewall (this feature is needed only for unimpeded reception of incoming connections).
- The bot keeps all its settings/logs/commands, and receives/sends them, encrypted over the HTTP(S) protocol (i.e. only you will see the data in plain text; to everyone else the bot <-> server traffic will look like garbage).
- Detects NAT by checking its own IP through a site of your choice.
- A separate configuration file, which protects against losing the botnet if the main server becomes inaccessible. Plus additional (reserve) configuration files, which the bot falls back to when the main configuration file is unavailable. This system ensures the survival of your botnet in 90% of cases.
- Ability to work with any browsers/programs that work through wininet.dll (Internet Explorer, AOL, Maxthon, etc.):
- Intercepting POST data + intercepting keystrokes (including data pasted from the clipboard).
- Transparent URL redirection (to fake sites, etc.), with the redirect conditions specified in the simplest terms (for example: only on a GET or POST request, or in the presence or absence of certain data in the POST request).
- Transparent HTTP(S) content substitution (web inject, which allows substituting not only HTML pages but any other type of data). The substitution is set up with the help of masks indicating what to substitute.
- Extracting the required page contents, with HTML tags stripped. Based on the web inject.
- Customizable TAN grabber for any country.
- Obtaining the list of security questions and answers at "Bank Of America" after successful authentication.
- Removing unneeded POST data at the specified URL.
- Ideal virtual-keyboard keylogger: after a call to the specified URL, a screenshot is taken of the area where the click happened.
- Receiving certificates from the "MY" store (certificates marked "not exportable" are not exported correctly) and clearing it. Afterwards any imported certificate will be saved to the server.
- Intercepting the ID/password of the POP3 and FTP protocols regardless of port, logging them only on successful authorization.
- Changing the local DNS: removing/adding records in the file %system32%\drivers\etc\hosts, i.e. mapping a specified domain to an IP for WinSock.
- Saves the contents of Protected Storage at the first start on the computer.
- Deletes cookies from the cache when Internet Explorer is first run on the computer.
- Search for files on the logical disks by mask, or download of a specific file.
- Records the pages just visited at the first start on the computer. Useful when installing through exploits: if you buy a download service from a suspect seller, you can see what else was loaded in parallel.
- Taking screenshots from the victim's computer in real time; the computer must be located outside NAT.
- Receiving commands from the server and sending back reports on their successful execution. (Currently: launching a local/remote file, immediate update of the configuration file, destruction of the OS.)
- Socks4 server.
- HTTP(S) proxy server.
- Bot update to the latest version (the URL of the new version is set in the configuration file)."

What is most important to keep in mind regarding these crimeware kits is that the sellers are shifting from product-centered to service-centered propositions. While a year ago they would have been selling the kit only, today they have realized that what they are really selling is the output of the kit: the logged, stolen e-banking account data. Committing identity theft and abusing stolen e-banking account data is now a service, where it used to be a product.
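One check that follows directly from the hosts-file item in the feature list above, as an added example (not code from the kit or from this post): the bot advertises adding and removing records in %system32%\drivers\etc\hosts so that a bank's domain resolves to an attacker IP before WinSock ever asks DNS, and the same file is the cheapest way to "ban the updates" of an antivirus by pointing its update host at loopback. A first responder can catch both crude forms by parsing the hosts file and reporting every entry for a domain on a watch-list, classified as a redirect or a block. The watch-list and the sample hosts content below are constructed for the example; the 192.0.2.0/24 address is RFC 5737 documentation space standing in for a fake-site IP.

```python
"""Flag hosts-file entries that hijack resolution of monitored domains."""
import ipaddress

# Constructed watch-list for this example (not from the page): domains whose
# appearance in a hosts file should never happen on a healthy workstation.
WATCHLIST = {"bankofamerica.com", "example-bank.com", "update.example-av.com"}

# Constructed sample, modelled on a tampered Windows %system32%\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# hosts file header comment
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.example-bank.com example-bank.com   # bot: redirect to fake site
127.0.0.1       update.example-av.com                   # bot: block AV updates
10.1.2.3        intranet.corp.example                   # legitimate admin entry
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    Handles comments, blank lines, several hostnames per line, IPv4 and IPv6;
    lines whose first field is not an address are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip("."), line_no


def _watched(name, watchlist):
    """True for a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_hosts_entries(text, watchlist=WATCHLIST):
    """Return every mapping of a watched domain, classified as 'blocked'
    (loopback or 0.0.0.0/::, the trick used to stop AV updates) or
    'redirected' (anything else, the trick used to send a bank's domain to a
    fake site). Loopback entries for names that are not watched, such as
    localhost, are normal and are not reported."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not _watched(name, watchlist):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

This only covers the hosts-file feature; the web inject and form grabbing from the same list sit inside the browser process and leave nothing in that file, so a clean hosts file is not a clean machine. Run it against a copy of the file taken during live response, and keep the original file's hash, since the entries are exactly what the bot can rewrite once it sees an investigator at the keyboard.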


Thursday, 1 May 2008

NEWS update on COFEE

It's not backdoors, it's just standard stuff (i.e. Helix) put on a USB thumb drive, with some extra GUI, easier to use for your average plod.

"As a follow up, the COFEE tool is undergoing some final revisions and is due to be released to LE via the MS LE Portal in the near future. Local media are reporting that it may be distributed as early as Friday. You can access the presentation covering the tool on the portal. It is designed to provide forensic response on live systems, and they will be adding the capability in the near future to get a DD-type RAM dump on Vista systems also. Another note of interest, MS is developing "Windows Forensic Environment" (Windows FE), which will be comparable to Helix, allowing forensic analysis off of a read-only bootable CD... No clear word yet on its release, but it will also appear on the portal." (the press release I got at work this afternoon)

If you like this idea you can try something similar here:
http://www.davekleiman.com/computer-forens...training-files/
There are a few USB forensics kits (all free).


NEWS MS releases COFEE

Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE), to law enforcement last June and it's now being used by about 2,000 agents around the world, said Anthony Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety and Anti-Counterfeiting group. Microsoft gives the software to agents for free.

Continued at:
http://news.yahoo.com/s/pcworld/20080430/tc_pcworld/145318

(Haven't seen them yet myself, but I'm thinking MS version of Helix; I'll fill you in when we get them into the office.)


Tuesday, 22 April 2008

Personal biometrics on laptop

Well, I just got a new laptop. Nothing too flash, Core 2 Duo, 2 GB RAM, but I never noticed when I got it that it has a fingerprint scanner. Hey, it's quite the add-on; it removes the need to remember long passwords etc. I've only been playing with it for about an hour but it seems to work quite well under the Vista OS. Haven't tried it under Unix yet, but I can't find any drivers for it yet.
