Re: [Tails-dev] Tails forensics at SANS

Author: NoisyCoil
Date:
To: tails-dev
Subject: Re: [Tails-dev] Tails forensics at SANS
Looks like a huge nothingburger to me. The attack model seems to be:

1. I have physical access to a running Tails instance (otherwise I
wouldn't be able to access memory)

2. The user set an admin password (otherwise none of the discussed
tooling works)

3. The user gave me the admin password (one way or the other, otherwise,
again, none of the discussed tooling works)

This is just to dump memory. Once I dump memory and make a forensic copy
of it, I have access to whatever was in memory at the time I copied it
-- previous stuff from the running session may have already been
overwritten of course --, and I use standard analysis tools [1] to
access its contents. Great. A large fraction of the presentation
discusses how to use these tools.

Then to access Persistence:

4. The user must have unlocked Persistence during the running session
(otherwise there's no key material in memory to recover)

At which point I can recover the key from the memory dump [2], and, if I
made a forensic copy of the LUKS volume, decrypt the volume and mount it
somewhere else.


Of course a system in the state described by 1-4 is a completely open
system. If it were not for the need to make forensic copies of the
memory and the drives, everything would already be accessible to anyone
with physical access to the running session.

I would thus summarize this presentation as: "If you have complete,
unrestricted physical access to a running Tails instance (which you must
have, as I do not provide any means to gain that access), here are some
suggestions on how to make a forensic copy of it and use that copy".


Interestingly, none of what is discussed in the presentation applies
specifically to Tails, as any system with FDE (and encrypted swap) works
the same way. Even Tails being amnestic plays no role here, as the
attack model is based on the ability to dump memory, and you need a
running system to do that anyway. The only way this would have been
actually useful to "Forensic Analysis of TAILs [sic.]" is if they added
a slide reading, in all caps, "DO NOT UNPLUG THE DAMN USB DRIVE!!!"


Cheers!


P.S.: After writing this email I noted there's a previous answer by
boyska essentially making the same points, to which I say I agree (duh)
and that the rationale, I think, is the need to make forensic copies
during an actual investigation, to be processed at a later time. However
I don't think this is a Tails-specific issue, but an FDE-specific issue.



[1] Which apparently have trouble with the ol' boring Debian kernel (min
24:00)? Really?

[2] The specific tool mentioned in the presentation does not exist; it
was said it would be released in October, but it was not.