Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Free Password Managers – Live Testing

Banner of Free Password Managers

One of the most useful tools a person can use in their online life is a password manager. A password manager is a tool used to store records of a person’s usernames and passwords for their accounts. This can be used for any account, from email to social media. Luckily, there are many free password managers available to use. Our project at the Leahy Center is to investigate free password managers. We are ranking five password managers on their security, user-friendliness, and customizability. However, because of the time it takes to complete live testing, so far we have only tested two password managers: KeePass and RoboForm.

Current Tests

KeePass

Step 1: Examine the layout

At first glance, KeePass seems outdated. The interface isn’t as simple as other password managers, and there is an abundance of tabs. The options under each tab seem to go on forever. That doesn’t even include the options under the application settings! But KeePass has a secret: customization. There are dozens of plugins available for download. Plugins are downloadable software add-ons that provide extra settings for the base application. All in all, KeePass is one of the best password managers for layout, but if you are not very tech-minded, our team would advise you to steer clear.

Step 2: Test the creation of accounts

Creating a password can seem intimidating, but it is actually a simple process. The key is to let KeePass do most of the work. To start, right-click on the open window and select “Add Entry” from the menu. This takes you to a window that allows you to add a title for the entry, a username, a URL and finally your password. Conveniently, KeePass will generate a password for you. This means you never have to worry about sufficient complexity or remembering an impossibly long password.

Once you have created the password it will appear on a table in the main KeePass window. You can also categorize your passwords through tags. On top of being able to create a password, you can also configure KeePass to automatically type in your passwords. This feature, unfortunately, requires a bit of fiddling to get working. If you are not a very techy person it will not be as easy to use.

Step 3: Use within browsers

Using KeePass in a browser can be inconvenient at times, but it is one of the most universal password managers. This is because it employs simulated key presses; you need to activate auto-type from within KeePass, but because of this it works in any browser as long as there is a text field. If you cannot get auto-type to work, you can simply copy and paste the password from KeePass. However, like auto-type, this requires you to keep switching between KeePass and your browser. There is a keyboard shortcut that can be applied (Ctrl-V), yet it can still be an inconvenience to keep switching. Overall, using KeePass can get tedious, but its universality is unparalleled.

Preliminary Conclusion

In conclusion, KeePass is an excellent free password manager. It is open source and more secure than other free password managers. It takes advantage of simulated keypresses instead of cloud storage. There are some downsides to it though. You can’t sync your password vault across devices and it does take a bit of work to learn how to use KeePass to its full potential. While we would not recommend KeePass for widespread commercial use, if you are computer savvy and you don’t want to put your trust in cloud storage, then this would be the perfect manager for your personal use.

Verdict: Alan Turing Approves!

RoboForm

Step 1: Examine the layout

RoboForm is similar to its predecessors in organization style. Tabs along the left side display the account types and important settings, with the more advanced options in a drop-down bar at the top. This keeps the common actions within quick reach while the advanced options stay tucked under the drop-down bar.

However, that doesn’t make RoboForm a perfect fit; the only way to create accounts is from the browser extensions themselves. Even then, a record is only created after you sign into the account, at which point RoboForm prompts you to save it. The only ways to reach the Help section are through the desktop application and by searching RoboForm’s website. There isn’t a Help section within the browser extension. This doesn’t mean that RoboForm is a bad password manager. All it means is that it is probably better to install both the browser extension and the desktop application to get the full experience.

Step 2: Test the creation of accounts

As mentioned previously, RoboForm will only allow you to create a record through the browser extension after you sign into an account. This can be a bit of a pain, as that means you can only create records this way. However, you can import records through the desktop application straight from a browser or other password manager, or even a CSV file. There isn’t the full range of import options available in other password managers, but it is a fair amount.

You can also launch the website from the manager, where it will autofill your data and log you in. It isn’t a revolutionary idea, but it does work. There’s also a variety of record types that can be created. One special feature is that RoboForm can save records for other desktop applications. This is rarely seen in free password managers. The Security Center is also quite useful, telling you your password’s strength, age, and whether it has been reused or is a duplicate. This feature is usually only available in paid password managers, so it is a great incentive for RoboForm!
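To make the Security Center’s four checks concrete, here is an added example (our own code, not RoboForm’s) that runs the same kind of audit over a CSV export of the sort the post says RoboForm can import. The CSV layout, the records in it, the “weak” threshold of 50 bits, the 365-day “stale” cutoff and the charset-size strength estimate are all assumptions made for the example.

```python
import csv
import io
import math
from collections import Counter, defaultdict
from datetime import date
from typing import List, NamedTuple

# Constructed CSV export in an assumed "name,url,username,password,modified"
# layout. These records are made up for the example, not data from the post.
SAMPLE_CSV = """name,url,username,password,modified
Mail,https://mail.example.com,alice,Tr0ub4dor&3,2018-01-15
Shop,https://shop.example.com,alice,Tr0ub4dor&3,2020-03-02
Bank,https://bank.example.com,alice,correct horse battery staple,2020-04-01
Forum,https://forum.example.com,alice_f,password1,2019-11-20
Mail,https://mail.example.com,alice,Tr0ub4dor&3,2018-01-15
"""


class Finding(NamedTuple):
    name: str
    url: str
    issues: List[str]  # any of: weak, stale, reused, duplicate


def entropy_bits(password: str) -> float:
    """Assumed strength estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def audit(csv_text: str, today: date,
          weak_bits: float = 50.0, max_age_days: int = 365) -> List[Finding]:
    """Flag weak, stale, reused and duplicate records, one Finding per CSV row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    sites_per_password = defaultdict(set)  # password -> set of URLs it unlocks
    record_count = Counter()               # (url, username) -> number of records
    for r in rows:
        sites_per_password[r["password"]].add(r["url"])
        record_count[(r["url"], r["username"])] += 1

    findings = []
    for r in rows:
        issues = []
        if entropy_bits(r["password"]) < weak_bits:
            issues.append("weak")
        if (today - date.fromisoformat(r["modified"])).days > max_age_days:
            issues.append("stale")
        if len(sites_per_password[r["password"]]) > 1:   # same secret, several sites
            issues.append("reused")
        if record_count[(r["url"], r["username"])] > 1:   # same login saved twice
            issues.append("duplicate")
        findings.append(Finding(r["name"], r["url"], issues))
    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed export with a fixed 'today' for repeatability."""
    return audit(SAMPLE_CSV, date(2020, 4, 30))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name:6} {f.url:28} {', '.join(f.issues) or 'ok'}")
```

Reuse is judged per distinct URL rather than per row, so a duplicated record does not count as reuse by itself; the two Mail rows are flagged as duplicates, and the shared password with Shop is what makes them reused.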

Step 3: Use within browsers

RoboForm provides extensions for the four core web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. There are also extensions for Internet Explorer and Safari. As for the actual use of the extension, everything works. Auto-fill works, updating passwords after a change is automatic, and there is syncing across browsers, with a customizable password generator available when you create an account. Of course, you can only create records after signing in, but you can edit your records from the extension as well as print the list of records. You can even access the Security Center from the extension! All in all, the browser extension seems more developed than the desktop application. So, if you have to pick between the desktop application and the browser extension, I recommend the extension.

Preliminary Conclusion

RoboForm is a comprehensive password manager with both free and paid versions available. However, after examining the free version, I see no need currently to upgrade from the free, as there are a great many features available already. The only benefits I can see to upgrading would be cloud storage and syncing across devices. In conclusion, RoboForm is great for people who need a simplistic password manager and who aren’t as worried about customizing their record-keeping and manager.

Verdict: Get it for Mom!

The post Free Password Managers – Live Testing appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized
Tagged With: desktop apps, device management, management, Mobile, Mobile Apps, password, Student Work, Tips, windows

April 30, 2020 by LCDI

Data Recovery Blog 2

[Image: data on a screen, various numbers highlighted green, with a red open lock]

Data Is Not As “Deleted” As You Think

Here at The Leahy Center for Digital Forensics and Cybersecurity, the Data Recovery team has been hard at work searching through hard drives. These drives have been wiped using different methods in order to find any Personally Identifiable Information, or PII, that can be tied back to an individual.

At this point, ten of the twenty-eight drives purchased have been fully analyzed for the purposes of recovering data. Three drives, numbered 7, 9, and 10, all contained PII. Drive 7 was wiped with DBAN, which stands for Darik’s Boot and Nuke and is a free Linux utility. Drives 9 and 10 were wiped with the Xerase method, put forth by EPS. Both of these utilities claim to offer “secure absolute destruction”, yet how secure can they be if a team of analysts is able to recover data using tools that are freely available to the public?

The Recovery Process

For this project, we are using four “freeware” tools to recover data. These tools are SleuthKit’s Autopsy, FTK Imager, Bulk Extractor, and Eric Zimmerman’s “bstrings” utility for Windows. Every drive that was purchased was run through all of these tools, not only to ensure visibility of data, but to determine if one tool has superior discovery abilities for deleted data. The tools are relatively simple to begin using, but require a bit of technical knowledge to become comfortable with. We have built a beginner-friendly user guide for how to start all four tools for data acquisition, which can be seen below.

Autopsy:
1. Open Autopsy.
2. Fill out the starting form as needed.
3. Select “Add Data Source” –> “Unallocated Space Image File”.
4. Select the first piece of the drive.
5. Wait for the image to finish scanning. This will take a while.

Bstrings:
1. Open the command line in the folder in which you extracted bstrings.
2. Type out the command to run it on a folder recursively to search an entire drive at once. Example:
   bstrings.exe -d Disk Location > File Where Data Found Is Saved\bstrings.txt
3. Adjust the conventions to match the image that you are working on.

Bulk Extractor:
1. Point Bulk Extractor to the desired image (e.g. HDD02.001) and a directory where you would like the output to go.
2. Turn on all scanners by checking all of their boxes.
3. Press the ‘start bulk_extractor’ button to begin the scan.

FTK Imager:
1. Upload the disk image from the F:\Drive into FTK Imager v3.4.0.5.
2. On the left-hand side, click on the location (e.g. HD1), then select the file path (it will be the only option in the evidence tree).
3. Upon clicking, there will be a file list in the middle column, and a column full of text and UNICODE on the far right. This is where all of the data is. Since there is no file system, the program pulls data haphazardly.
4. In FTK Imager, you can use “Ctrl + F” to search for strings, but be wary of what language you are searching in. Select the “wrap” option as well, to ensure that if a string crosses more than one line, it will be recorded in the results.
5. Analyze.

Which Data Recovery Tools Reign Supreme?

At the current point in the project, Autopsy is proving to be the most effective tool for data recovery. Autopsy has a very user-friendly interface, which provides ease of access and lowers frustration when dealing with drives that have been wiped. Also, Autopsy is very thorough in the way that it searches, parsing through nearly every single file and every bit of unallocated space. FTK Imager is a very good tool as well, yet it does not have a very easy interface to work with. This is not what would be known as a “deal breaker”, but it plays into our analysis: we spend a lot of time analyzing these drives, so ease of access is a crucial part. Bulk Extractor is a command line utility, but it has a GUI (Graphical User Interface) to facilitate the process for those who are not comfortable with command line utilities. This tool analyzes the drive as raw data and finds everything that is on the drive, which is very helpful for data recovery.

The last tool we have used is bstrings by Eric Zimmerman. Bstrings runs only from the command line, making it a bit more difficult than the other tools to become comfortable with. It is ridiculously thorough, as it pulls anything and everything off the drive that is considered a string. However, due to CPU constraints, this tool does take the longest to fully finish, often over 24 hours.
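The string-carving approach that bstrings, FTK Imager’s “Ctrl + F” and Bulk Extractor share is simple enough to show in a few dozen lines. The following is an added example written for this write-up, not code from any of those tools or from the Leahy Center: it pulls printable-ASCII and UTF-16LE runs out of a raw byte buffer (there is no file system to rely on, just as the FTK Imager step notes), then runs a few assumed PII patterns over each run and reports the byte offset of every hit. The sample “unallocated space” bytes, the four-character minimum and the regexes are all constructed for the example; a real triage would tune the patterns and add validators.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Constructed stand-in for a region of unallocated space read from a raw image:
# text fragments that survived a partial wipe, mixed into binary noise. This is
# made-up data, not bytes from any drive in the project.
SAMPLE_IMAGE = (
    b"\x00\xff\x13\x01" * 8
    + b"Contact: jane.doe@example.com, phone 802-555-0199"
    + b"\x00" * 16
    + "Account owner: J. Smith".encode("utf-16-le")
    + b"\x7f\x00\x00\x1b"
    + b"SSN 123-45-6789 on file"
    + b"\x00\x00\xde\xad"
    + b"ab"  # two printable bytes: below the minimum run length, so ignored
)

# Assumed PII patterns, deliberately simple (US-style formats only).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


class PiiHit(NamedTuple):
    offset: int    # byte offset of the match within the image
    encoding: str  # "ascii" or "utf-16le"
    kind: str      # key from PII_PATTERNS
    value: str


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str, str]]:
    """Yield (byte_offset, encoding, text) for every printable-ASCII run and every
    UTF-16LE run of at least min_len characters, the way strings/bstrings do."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # ASCII-range text stored as UTF-16LE looks like: char, NUL, char, NUL, ...
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_pii(data: bytes, min_len: int = 4) -> List[PiiHit]:
    """Run every PII pattern over every carved string; report image byte offsets."""
    hits: List[PiiHit] = []
    for offset, enc, text in extract_strings(data, min_len):
        width = 2 if enc == "utf-16le" else 1  # bytes per character in this run
        for kind, pat in PII_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append(PiiHit(offset + m.start() * width, enc, kind, m.group()))
    return hits


def scan_image(path: str) -> List[PiiHit]:
    """Read one raw image segment (e.g. a .001 file) into memory and scan it."""
    with open(path, "rb") as fh:
        return find_pii(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that image; otherwise use the constructed sample.
    results = scan_image(sys.argv[1]) if len(sys.argv) > 1 else find_pii(SAMPLE_IMAGE)
    for hit in results:
        print(f"0x{hit.offset:08x} {hit.encoding:8} {hit.kind:9} {hit.value}")
```

Carving the UTF-16LE runs separately is what the FTK Imager step means by being “wary of what language you are searching in”: Windows stores much of its user-facing text that way, and an ASCII-only search walks straight past it. For a multi-gigabyte image you would read in chunks with some overlap rather than a single read(), but the matching logic stays the same.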

Image of a trophy with a 1 on it

Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized
Tagged With: Data Recovery, Digital forensics, Exploration Forensics, Internship, Projects, Student Work, Students, Update

April 30, 2020 by LCDI

Intrusion into the IoT: The Final Blog

[Image: D-Link intrusion footage screenshot]

Recap: Intrusion Blogs 1/2

In last month’s blog, the IoT Intrusion team hit a major roadblock with the TP-Link Kasa camera, but was able to overcome it through research into Man in the Middle attacks. Now, armed with more knowledge than before, our team pressed on to new devices. We moved much faster this month than last. We started investigations into the intrusion of two devices, one of which we completed. These devices proved to be good subjects for investigation, but there are so many more at the LCDI that we would have liked to look into. Hopefully, the end of the year does not bring the end of the project.

Picture of the D-Link DCS 5030L

D-Link DCS 5030L

After our struggles with the TP-Link, the team decided to work on a different IoT security camera: the D-Link DCS 5030L. We were originally attracted to this device by a statement that the FTC put out saying that D-Link needs to increase its security in order to market itself as offering “advanced network security.” This gave us hope that the device might not be secure. This proved to be true, as we were able to exploit the features that let users control their camera from a browser. We were able to gain access to all elements of the camera. We were able to change the password as well as view a live feed.

Malicious Intrusion Opportunity

Through this, we were able to brainstorm all the ways a malicious hacker could use this intrusion to their advantage. They could hold the device for ransom and require the owner to pay in order to regain access. An attacker could physically break into a room that had one of these cameras in it and then, upon leaving, erase the camera footage from the SD card. The quick success that our team had with the D-Link camera allowed us to move on to another device this month.

picture of the WeMo Insight Switch

WeMo Insight Switch 

The next device we decided to work on was the WeMo Insight Switch from Belkin. This device showed up on our radar as a potential subject back in the initial research phase of the project. A serious issue with the device was reported by Bitdefender, which said it had discovered a vulnerability through which the switch leaks Wi-Fi passwords. This was based on research done by McAfee that found a vulnerability in the UPnP ports the device has listening on the local network. Our team wants to see what we can do with this information on the device. We have it all set up and ready to test.

The Future of IoT Intrusion

Although this may be the team’s final blog post, this is not the end of our project. We still have a few more weeks scheduled at the Leahy Center. After we attempt our intrusion on the WeMo Insight Switch, we will complete our final report. Make sure to look out for that here when it is published. As our project comes to a close, we ponder what the future may hold. We were only able to scratch the surface of this very in depth and involved line of research. That said, we hope this project laid the groundwork for future research.

Stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI so you always know what we’re up to!

The post Intrusion into the IoT: The Final Blog appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized
Tagged With: Blog Post, Digital forensics, Internet of Things, Internship, Projects, Senator Leahy Center for Digital Investigation, Student Work, Students, Update



All content is copyright the respective author(s)