So we get paranoid about our privacy from time to time and that’s good.
What if you got raided?
There’s a protocol for the forensic first responder.
It usually follows:
1) Dump the memory.
2) Collect volatile system data.
3) Image any hard drive.
Then all your data is analyzed back at the lab. That could not end well.
Dumping the memory
Windows is running. That’s bad. A flash drive is plugged in. DumpIt is run. Time goes by. Your memory dump is on a flash drive.
What could you have done?
- Memory dumps can only run as admin. If you’re not admin, no dump.
- Password protected accounts prevent dumps.
There are possible known, even government-grade, exploits for both of these measures. Still, the precautions are worth it: every line of defense removes a group of possible attackers.
Your first responder wasn’t able to dump your memory while Windows was running.
Your first responder collects volatile system data, then dumps whatever memory they can. They could:
- Launch a bootable lightweight memory dump utility. Some memory will dissipate. Some memory will get written over by this tool. The remaining memory will be dumped.
- If you’re a serious threat, attempt a cold boot attack, rare but possible.
Collecting volatile system data
This is straightforward. Tools autonomously collect data for targeted applications.
- Web history and passwords for Chrome, Internet Explorer, Firefox, and others.
- Instant messaging logs from Skype, Pidgin, Trillian, and related clients.
- Windows registry hives and backups.
- Open network connections.
- Anything reasonable.
Some of this data is redundant with what you’ll find in the memory dump or on the hard drive image. It’s captured anyway in case those turn out to be encrypted.
No single solution prevents this. You would have to get scenario-specific. Assume we only use convenient encryption methods.
Some convenient methods:
- For web passwords, use a master password. Firefox supports this.
- Use applications and their data from within an encrypted container.
- Access applications and data in an encrypted virtual machine.
The layer of abstraction for encryption is up to you. More security, less convenience. It’s a difficult compromise.
Imaging any hard drive
Your memory has been dumped. Your volatile system data is saved. Once your first responder feels confident, they pull the plug.
Your hard drive is removed. It’s imaged by a read-only hard drive duplicator. We’re done.
- If you just deleted or encrypted your data, you need to wipe free space. After all, deleted data is still on your hard drive; it has only been removed from the file allocation table. CCleaner is a popular tool for wiping free space.
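The point about deletion versus erasure is easy to see on a toy volume. The script below is an added illustration, not code from the original post: it models a tiny FAT-style disk (raw blocks plus an allocation table, both constructed here), deletes a file the way an ordinary delete does, shows the bytes are still recoverable by scanning the raw blocks, and then shows that a free-space wipe removes them while leaving allocated files intact.

```python
"""Toy FAT-style volume showing why deleting a file does not erase its bytes.

Added illustration, not part of the original post: a 64-block volume whose
allocation table is a plain dict. Deleting a file clears its table entry and
marks its blocks free; the data stays on the "platter" until it is overwritten,
which is exactly what a free-space wipe does.
"""

BLOCK_SIZE = 32
BLOCK_COUNT = 64


class ToyVolume:
    """Raw blocks plus an allocation table, the two parts a real filesystem has."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # the raw disk contents
        self.table = {}                                    # name -> (block indices, size)
        self.free = set(range(BLOCK_COUNT))                # unallocated block indices

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)               # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        chosen = sorted(self.free)[:needed]
        for n, idx in enumerate(chosen):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = chunk
            self.free.discard(idx)
        self.table[name] = (chosen, len(data))

    def read_file(self, name: str) -> bytes:
        indices, size = self.table[name]
        raw = b"".join(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in indices)
        return raw[:size]

    def delete_file(self, name: str) -> None:
        """An ordinary delete: forget the mapping and free the blocks. No byte changes."""
        indices, _ = self.table.pop(name)
        self.free.update(indices)

    def wipe_free_space(self, fill: int = 0) -> None:
        """Overwrite every unallocated block. Allocated files are untouched."""
        for idx in self.free:
            self.blocks[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = bytes([fill]) * BLOCK_SIZE

    def raw_contains(self, needle: bytes) -> bool:
        """What an examiner's carving tool does: ignore the table and scan raw bytes."""
        return needle in bytes(self.blocks)


def demo() -> dict:
    """Walk through write -> delete -> carve -> wipe and report what is recoverable."""
    vol = ToyVolume()
    keep = b"constructed sample: innocuous notes"              # a file we keep
    secret = b"constructed sample: SECRET-DOCUMENT-0001 body"  # a file we 'delete'
    vol.write_file("keep.txt", keep)
    vol.write_file("secret.txt", secret)

    vol.delete_file("secret.txt")
    recoverable_after_delete = vol.raw_contains(secret)   # True: table entry gone, bytes not

    vol.wipe_free_space()
    recoverable_after_wipe = vol.raw_contains(secret)     # False: free blocks overwritten
    keep_intact = vol.read_file("keep.txt") == keep       # True: wipe only touched free blocks

    return {
        "recoverable_after_delete": recoverable_after_delete,
        "recoverable_after_wipe": recoverable_after_wipe,
        "kept_file_intact": keep_intact,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

One caveat the toy cannot show: on an SSD the drive's wear levelling decides where an overwrite physically lands, so a free-space wipe is far less dependable there than on a spinning disk. Encrypting the data before it is ever written, as the lab section below assumes, does not depend on the wipe succeeding.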
Now there’s one crazy, theoretical, and reasonable solution to prevent this. I don’t know whose idea it was, but it’s genius.
- Embed a microcontroller in the hard drive casing. This microcontroller passes all data travelling over SATA between the motherboard and the hard drive. On boot, it expects a key to be written before it will read any data. This key could come from modified motherboard firmware, or just be some generic but motherboard-specific pattern. If no key is received, the microcontroller wipes the drive. Thus when your first responder attempts to duplicate your drive, no data is written to their copy, and afterwards your microcontroller wipes the drive.
Back to the Lab
Your data is analyzed.
- Memory is analyzed. The Volatility framework excels here. Hopefully your encryption keys weren’t dumped.
- Any hard drive is analyzed with government software. If your sensitive data is encrypted you’re fine, just make sure your hard drive isn’t still holding sensitive data that was only removed from its file allocation table. Regularly wipe your free space. Collected volatile data like web history and the registry are examined. Nuix Investigator seems to be the current tool of choice.
- Notably, your registry and its backups contain a surprising amount of data: users on the system, chronological logs of application use, Windows 8 Metro data, Internet Explorer web history, and other personal data. It gives a sense of how the user uses the computer.