How To Build Your Own Password Cracker With A Disassembler And A Little Vm Magic presented at HITBSecConf Malaysia 2008

by Matthew Geiger

Tags: Security Legal Forensics

Summary:

Presentation Abstract: The burgeoning popularity of full-disk and volume-based encryption is posing a swiftly growing challenge to forensic investigators. Adapting to this challenge will require a re-engineering of the process for acquiring digital evidence, from the legal framework applied to the tools and techniques used. In a growing number of cases, the acquisition of digital forensic evidence in criminal cases will bear a strong resemblance to the process used by criminals to break into computer systems. Although this trend has precedent in the world of law enforcement – where police enter buildings by force and employ locksmiths to crack safes – it represents a sea-change in the digital forensic arena.

The presentation will address the implications for the forensics community, as well as the techniques and skills that investigators need to develop. Case examples will illustrate key points. And, to highlight the type of new approaches necessary, we will demonstrate the creation of an ad-hoc password-cracking tool using an equally ad-hoc reverse engineering approach. We’ll then employ the tool in a virtual machine environment to recover a forensic disk image from a system that uses full-disk encryption.

About Matthew

Matthew Geiger is a forensic specialist and researcher at CERT. His recent work has focused on data acquisition from encrypted devices, on counter-forensic tool performance and on creating new utilities for live-system forensics. He has assisted and advised U.S. federal security agencies in a number of high-profile computer investigations. Prior to joining CERT, Matthew worked as a digital forensic analyst in the private sector, where he led investigations involving corporate fraud, network intrusion, proprietary data theft, corruption and official misconduct for clients that included Fortune 500 companies.

His professional background also includes network security design and implementation, incident response and security assessment. Matthew holds an MS degree from Carnegie Mellon University. His professional accreditations include the SANS Institute’s GCFA forensic certification.