Saturday, December 22, 2012

Mendeley for the win...again

At the moment I am in New Mexico trying to relax and recharge for a very tough year coming up. Once I sat down and began to outline all the things I need to do to prep for dissertation proposal, I realized that my entire scholarly library was in disarray. Although I have been diligent in adding references to the library as time has passed and organizing them logically based on course or project, I have been completely unorganized in preparing the references for anything beyond these small and somewhat limited scopes.

That had to change before Spring. Why wait any further? Let's get it done. The first thing I noticed was the accumulation of duplicates in the library, actual duplicate bibliographic entries and PDF attachments. Mendeley solves this quickly with the find duplicates feature, which allowed me to merge similar or identical references with ease and at the same time do a quick scan to make sure that entries were in the correct format or assigned the right reference type (journal, reference, book, etc.). This reduced my library by some 40 entries, which also reduced my account storage use by several megabytes.

The second step was to look at my groupings. I had originally placed things in large scope categories like cloud computing, forensics, network security, etc. I found this to be somewhat useful at the time. As my studies in the program have progressed and my list of references increased, I found that this is no longer as advantageous. It took roughly four hours to go through each and every reference in my list, but I reduced the total count to just over 150 sources in my library. I also took the opportunity to reorganize them into the sections and sub-sections of my current draft proposal. This will make it easier to fill in gaps in articles I am missing and help me organize for comprehensive exams in 2013.

I will suggest a few things that I learned in the process of the reorganization:

  1. Any research methodology articles, especially seminal ones, should be broken down into qualitative and quantitative approaches. I was able to organize the design science approaches into the appropriate sub-groups to make searching visually easier.
  2. Make a legal section and use it. I used this section to keep things like congressional acts, laws, court cases, and government reports (especially the Bureau of Justice Statistics). All of these are quite common for both the fields of Information Systems (think HIPAA) and Criminology.
  3. It is uncommon, but it happens at times that a citation is needed from a reference source, say a dictionary. I added a reference section to include things like Webster's and Oxford's English dictionaries.
  4. In regards to courses I am teaching at UT Arlington, I've made a section for articles I want students to use in the course of their instruction.
  5. Mark missing articles. There are several ways to accomplish this goal, and Mendeley allows the end user to facilitate this per the user's preferences.
  6. Tags!!!! I cannot stress enough how important tagging your articles is when searching for related information. I am still working on adding tags to the articles I have, but this is one of the reasons I added things to groups visually: it allows me to look through and add tags as I have time.

I know this is a lot of information, but this is the culmination of several hours of cleanup and work in Mendeley over the last few days. Hopefully it will help you out.

Monday, December 17, 2012

Scholastic Wind-Down

Wow what a semester both at UT Arlington and at Dakota State University. At the beginning of the semester I took and passed the CISSP exam. All in all it was not an easy exam in that almost every question of the 250 was situational in nature. I received notification a few weeks ago that I passed endorsement as well. This is excellent as I was using this as an opportunity to begin preparing for my comprehensive exams in Fall 2013.

In addition I learned a great deal about design science approaches to research, specifically artifact creation. I will be working on this more in the Spring of 2013 while trying to get an article out the door. We will see how it goes. I would like to have some basic things completed before comprehensives in 2013, mainly publish an article in a conference or journal, finish my textbook, which at this stage is in outline format, complete the work necessary to get the certificate program for UT Arlington launched, and prepare my dissertation proposal outline by Summer. I am teaching three courses in the Spring and taking two myself, but the coursework and deliverables I'm working on are both security related, so hopefully it will be a recap for me.

I was able to go to my first graduation as a faculty member last Saturday night and it was amazing. I realized my jaw hurt on Sunday morning due to all the smiling I did as our students walked across. It was awesome to get to see these students achieve their degrees. I cannot wait until Spring to get to see more of these people, who I have the honor to get to see almost daily, achieve their academic and professional goals.

Monday, September 17, 2012

Full Disk Encryption & TrueCrypt

I have been working diligently on the selection topic to the dissertation process and I would say that it is starting to come together. Although I'm still having some trouble narrowing a topic to something specific, I would say I'm on the right track.

In the literature I've been poring over as of late, I have discovered a trending issue, the use of full disk encryption. This all started with a mandate that all UT Arlington issued laptops be subjected to full disk encryption. Reading more, I learned that they were using WinMagic to complete this UT mandate. I have never used WinMagic, but it is cross platform and seems to be well received in the security community.

This led me (of course) to search for open source options, and to check up on the progress of TrueCrypt. The last time I looked at TrueCrypt there were some issues in using the restore functionality, but these have been resolved. The community is strong and support is well maintained for an open source project. Cross platform has always been a standard for this group and it's good to see that has been maintained as well. TrueCrypt does exactly what it states, full disk encryption (although it does do more than these basic functions).

This leads me to the issue at hand. How are investigators to know when full disk encryption is being utilized in a search and seizure? The current best practice for most electronic seizures states to turn off the power and transport. When you disable power to a machine running FDE, you reset the encryption state, and unless you can get the key through forensic means or by compelling (legally compelling) the owner, what you have is a fully encrypted disk. This is not weak encryption, I might add. TrueCrypt uses what the industry considers adequate and strong encryption. Unless an investigator notes the use of FDE, the investigation into files and logs may very well end badly at the seizure scene.

This is the same argument that Casey and Stellatos make in the paper "The impact of full disk encryption on digital forensics" (Casey & Stellatos, 2008). They argue quite well that the use of full disk encryption could effectively hamper an investigation quickly. This issue leaves only a few possibilities.

  1. React and treat all electronic devices as though FDE were enabled and running
  2. Modify the best practices to incorporate FDE analysis
  3. Compel FDE makers to supply a back door
  4. Compel users to release the key

There are of course issues with 3 & 4, mainly that back doors to algorithms are generally bad and would compromise the integrity of the software and its legitimate use. Compelling users to release a key is complicated by software that can create fake volumes or present different information when supplied a second key, which is becoming more available (see Grover, 2004). One would have to prove in court that the defendant was not cooperating, which would be difficult to show in that case.

Obviously 1 & 2 are the easiest to enable and utilize, but getting the necessary training and use to practitioners is already an issue, which is only being compounded by increases in security. It leaves a lot open for discussion. I'm interested in studying this further from a process, technical, and legal standpoint.

Casey, E., & Stellatos, G. J. (2008). The impact of full disk encryption on digital forensics. SIGOPS Oper. Syst. Rev., 42(3), 93-98. doi: 10.1145/1368506.1368519

Casey, E., Fellows, G., Geiger, M., & Stellatos, G. (2011). The growing impact of full disk encryption on digital forensics. Digital Investigation, 8(2), 129-134. doi: 10.1016/j.diin.2011.09.005

Grover, D. (2004). Dual encryption and plausible deniability. Computer Law & Security Review, 20(1), 37-40. doi: 10.1016/s0267-3649(04)00007-x


Tuesday, June 12, 2012

BackTrack 5 & Sleuth Kit

The more I use BT5 the more I am falling in love with it. As a set of tools and resources it is by far one of the most complete I have ever seen. I really wish I had stumbled across it prior to this year instead of building my own loads and distros all this time.

One of the more useful things I have done this year is to replace my aging desktop at home. It took months to build as I acquired the parts necessary for the machine I wanted (as compared to the machine which would accomplish the goal). Now that it is completed and working, I have begun setting up my tools again and getting things organized as I normally operate. I have added BT5 in a VirtualBox environment to this suite of tools. Now that I have seen the offensive and monitoring capability of the BT5 suite, I need to look into the Live CD and its set of forensics tools. I would really like to move my digital crime course to more hands on and more of a lab environment for the students. I'm trying to find a way to do this both realistically and systematically at the same time. The hands on items of interest I am currently doing in the course seem to be not only very popular among the students, but also seem to be the most retained knowledge throughout the semester, which is somewhat straightforward.

I need to just set aside some time to see how many (if any) videos and tutorials already exist for Sleuth Kit and PTK. Both of these tools are on BT5 and several other Live disks. It would not be difficult to create 10-20 laptop drives as a project for using these tools, and from what I'm reading in the academic journals, a team based approach seems to work better and produce more interaction. At the same time the course has been moved from an 8am to a 2pm course; I'm sure that alone will inspire more interaction.

For those of you who are not familiar with BackTrack 5 or The Sleuth Kit (TSK), just click the links.

Tuesday, May 15, 2012

BackTrack5 Install

I recently came into a mode of downtime for a few days and decided to finally install BackTrack 5 on a Lenovo X201 laptop. I burned the disk early on this semester, but between my own students and my deliverables at DSU, it sat on my desk at home collecting dust until this last weekend.

Out of the gate I hit the dreaded black screen. It took about an hour to find the right combination of GRUB tweaks to get it to boot and launch X. From there I will have to say that an i5 and 8GB of RAM is sheer overkill for this distribution. I did like the number of tools loaded into the live disk, and the ease of use of the Ubuntu based apt installer made it easy to get the extra tools I wanted in my load. This left some testing of the tools to see if they performed any better than the Windows versions.

For the most part I was pleasantly surprised at how well everything worked. I did find that the wlan0 adapter was not talking well with ssidsniff even when calling the adapter explicitly in the argument tags. Small issue really, and I fully admit that in the short amount of time I did not try Kismet. I was able to quickly pull off an ARP poisoning MITM attack (on my own network of course) using SSLStrip which I had seen demonstrated from the BlackHat tutorials and a few YouTube links prior. I was really impressed at how many tools were available to the user for security concerns. Nessus, OpenVAS, and Snort were full installs along with some of my more favorite tools such as Nikto and Ettercap.

I have to say that I'm sad I did not pick up this distribution earlier. BT5 is great and it would have saved me all those hours configuring my previous Ubuntu installs with tools had I just moved to this instead. I will also say that it is likely that the Lenovo hardware on this is what caused most of my issues. I will play around with it a little more this week before my summer courses get crazy and perhaps get it going in a VirtualBox environment although having real adapters in place of bridged mode NICs is always nicer.

Thursday, March 01, 2012

Getting to files from a ClockworkMod backup in OSX

I use ClockworkMod to back up my EVO. It's nice because I have the space, and backups are something everyone should do at some point, especially if you are rooted and like to play in the OS. This functionality is provided by ClockworkMod, which has all sorts of features which I will not go into here, but suffice to say it's worth it to install.

This brings up the question of retrieving information from the backups, though. How does one go about this, especially in an OSX environment? Well, we need to discuss a few things first, before diving into the solution. Android OS as well as ClockworkMod use YAFFS (Yet Another Flash File System). When ClockworkMod backs up these files and directories, it saves them in the .IMG format. This is not to be confused with the NDIF files of old on Classic Mac OS. They will not mount directly. You will need to convert the file system first. Let's discuss this part now.

You will need to go to the following Google Code site for UnYAFFS. Download the unyaffs.c, unyaffs.h, and unyaffs files. Save these files to your local drive somewhere (Downloads will work fine). From here open up the Terminal application and cd to your Downloads directory (or the directory to which you saved your files).

From here you will need to compile the unyaffs application with gcc. This is simple enough, but just for grins we will go through it. Type the following into the terminal command line interface.

sudo gcc -o unyaffs unyaffs.c

This creates an executable in your folder. You will want to copy this to your /sbin directory (so that you can execute it without having to put in a full path). If you don't know how to get to your /sbin, you can use the Finder and "Go to Folder" under the Go menu; just type /sbin. Screen shot included.

Just drag and drop the unyaffs executable to the /sbin directory. Of course you can copy directly to /sbin on the command line if you wish. Now go back to Terminal and navigate to your YAFFS .img disk image. Use the following command structure to extract all the files in the disk image.

unyaffs diskImage.img

This will begin the extraction process. When you see the message "end of image" in the terminal, the extraction is complete. This was tested in OS X 10.7.2 and I assume it will work in most distros of Linux.

Wednesday, February 29, 2012

General Org Gripe

I'm not sure why I cannot seem to find a good tool to help keep all the daily life organized. I have become more and more reliant on calendars, online file storage, and email clients as time has progressed in this academic venture. Dropbox, EndNote, Evernote, and Gmail are now more intertwined with my life than ever before.

I still cannot seem to find one tool to rule them all and stay on a desktop. I need EndNote (Mac or PC); Evernote is web-based (and I love it). Gmail is on my phone and Dropbox is useful for all sorts of issues. I still have this nagging problem of usability across all these products. Dropbox beats Google Docs for ease of use, but Docs kicks tail for organizational capability and storage space. Outlook on Mac kills when dealing with multiple EWS clients, but cannot seem to have the same functionality on the Windows side. The iPad rocks as long as I don't need to print or have multiple screens. Add to that the need to have all of this mobile and I'm in a small rut. I think mail and calendars are my biggest gripe. I love being able to get multiple Exchange accounts on one client without having to rely on VPN connectivity for each of them. I live by my Google Calendar, but integration between Outlook and Google Calendar is for PC only, where I lose the EWS functionality in Outlook. I would just rely on the iPad for calendar functions, but then what do I rely on when I'm on a desktop or laptop (let's face it, tablets and pads are no real substitute yet for the major applications like SPSS and SAS)?

It would also be nice if Google had a utility to mimic Dropbox cross platform.

I need to get this crap squared away before comps and proposal time.