Author: anonym Date: To: tails-dev Subject: Re: [Tails-dev] Tails forensics at SANS
On 29/09/2025 12.33, boyska wrote:
> Marco A. Calamari:
>> I wonder if this talk of SANS summit 2025 is already known.
>> But maybe it can be of some interest to make Tails better.
>
> thanks, that's a useful read. I'm not sure I get the context, though. Do
> you have more info about the context? Am I correct in saying they assume
> all of those things:
>
> 1. they have their hands on a *running* Tails
> 2. that Tails has a Persistent Storage enabled
> 3. they don't know the passphrase of the Persistent Storage
> 4. Tails was run with an administration password
> 5. They know the administration password.
>
> ?
I skimmed it before I saw your email (so I wasn't influenced by your
analysis) and had the exact same interpretation. But I don't think there
is much need for interpretation given that on page 5 they emphasize in
red text that "Without the administrator password, you will not have
access to the filesystem", and continue "or root privileges, which can
make accessing the filesystem and or collection problematic if not
impossible". Considering this is written from the PoV of someone working
in corporate USA, excessive surveillance is to be expected, so it's maybe
not so unreasonable for them to assume a password/passphrase was
intercepted by a hardware keylogger or video or whatever.
> Like, what's the context in which this is realistic?
> A SWAT operation which can grab your laptop before the user has time to
> unplug the USB stick?
> And if the administration password was obtained through user
> collaboration, couldn't they ask the Persistent Storage password
> instead? This would remove requirements 1 and 4.
And 3 would be invalidated, depending on how you see things.
> And why are they copying the raw device when they could copy the
> decrypted files?
Attempting to capture a raw dump is a good first step in data forensics.
> I guess there must be a rationale for all of that, and understanding it
> would help us design Tails better.
I don't think this is intended to be groundbreaking crazy stuff, but
more some pointers on how to get started doing basic data forensics vs
Tails, just so other corporate "incident responders" don't have to
reinvent the wheel.