
Against dead forensics acquisition we can use disk encryption (we can use TrueCrypt for example).

I was wondering whether software exists against live forensics? Can you give me a list for Windows and Linux (the most popular)?

What other ways are there to protect oneself from this type of "attack"?

For example, EnCase® Forensic is used by law enforcement for live forensics (inter alia). http://media.govtech.net/Digital_Communities/Guidance_Software/EnCase_Forensic_for_Law_Enforcement.pdf

lzeowhzl
  • You might find this question relevant: http://security.stackexchange.com/questions/90697/is-my-data-safe-if-with-an-encrypted-hard-disk-i-put-windows-in-sleep-mode/90703#90703 – tlng05 Jun 29 '15 at 03:04

2 Answers


I assume what you mean by "live forensics" would be what the infosec community usually refers to as memory forensics, e.g. taking your machine while it is active and unlocked and proceeding to dump all data from it.

The solution to your problem would be twofold:

  • First you need to have good physical security, so that attackers can't access your unlocked computer.
  • Secondly you would need to make sure that attackers can't get access to your machine remotely too. SELinux might be helpful here.

So to TL;DR it for you:

"Live forensics" requires a live system (duh). If someone has access to your live system you have already lost.

If you really worry about government agencies then you should start by educating yourself about your local laws and your (local) personal rights (as rights appear to be quite non-consistent across the globe) and make an effort to stay within their bounds.

Wolfer

Write a program that causes an immediate shutdown if someone inserts something into a USB port when you have not first entered a password to whitelist that device. Make sure you use a limited account so nothing serious can be done on the computer without the admin password (like the Linux command to dump the contents of RAM).

Use newer DDR3 RAM as it "forgets" things within a millisecond when power is removed. For added effect somehow lock the tower case, and perhaps install a button which would cause a shutdown when opened.

Full disk encryption, make sure you use Linux.

From the book Computer Forensics for Dummies it stupidly appears to be standard practice with desktop computers to pull the power cable, and make an image of the HDD before attempting any forensics. If you followed the above steps then they will be unable to recover anything due to encryption.

Note the above is not true with servers, where advice is to shutdown normally.

Optional extra: add a script to clear RAM on clean shutdown (what Tails OS uses). Although this is not necessary if you use new DDR3 RAM, it might help you sleep better.

EDIT: Forgot to mention that in some extreme cases they could freeze your RAM with liquid air which would cause it to take hours to "forget" stuff.

k1308517
A couple of example programs to shut down when USB is inserted / yanked: [Linux](https://github.com/hephaest0s/usbkill), [Windows](http://www.trishtech.com/2015/05/usb-shutdown-yank-usb-pendrive-to-shutdown-windows/) – GreatSeaSpider Mar 29 '16 at 09:27
  • Tails OS when removed cleans RAM while it's shutting down, just modify a little for your purposes. Tails OS is best since it's a live environment (everything disappears after shutdown), you can even remove your HDD so nothing is saved! Learn some basic Linux programming to stop unauthorized USB devices being inserted. – k1308517 Mar 29 '16 at 10:24
  • @GreatSeaSpider By the way those are for REMOVING a device, in my example above it is to prevent someone INSERTING a device. – k1308517 Mar 30 '16 at 08:15
  • Actually usbkill looks for any USB changes, including inserts. The Windows one mentions inserting or removing storage devices; I've not looked closely enough to see if it's any USB device (such as a mouse jiggler). – GreatSeaSpider Mar 30 '16 at 12:30