Play loud rap music.

On Tue, Aug 5, 2014 at 5:22 AM, doug <douglasrankine2001@xxxxxxxxxxx> wrote:
> How does one suppress the noise which comes out of one's computers? How
> does one suppress the noise that an individual Faraday cage makes? Each
> and every component in a computer and the internet of things emits an
> identifiable noise pattern. Even the variations of the phases of electric
> current in the mains power supply can determine time and place of
> transmission of data... such are the laws of quantum mechanics. Good
> forensic tools can take a hard disk back to the original writing and
> reading, even with the best of erasure tools.
> Just a thought.
> ATB
> Dougie.
>
> On 20/07/14 08:07, coderman wrote:
>> On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus@xxxxxxxxxxxxxxx> wrote:
>>> ...
>>> I wrote threads on my limited ability to perform forensics
>>
>> for those technical, the minimum viable toolset for identifying low
>> level subversive programming is:
>>
>> - a solid base (clean hw, clean installs, clean environment) in a
>> separate location with RF shielding. (a closed metal barn out in the
>> country, for example. if you're a geek you love the thought of a
>> faraday closet ;)
>>
>> - instrumented runtime (e.g. volatility memory forensics, system
>> performance profiling, all to append only storage) on any systems you
>> are using as suspect to attack.
>>
>> - obstructed runtime (see thread on "how to hack your systems before
>> someone else") - this is optional; a modified system that appears to
>> be vulnerable / stock condition will exhibit undefined behavior under
>> attempted enabling, sometimes. otherwise it may be difficult to
>> identify a successful infection.
>>
>> - direct flash memory pinout rig (specs for all chips including flash
>> memory associated with BIOS, integrated management controllers,
>> network devices, I/O ports, keyboard, track pad or mouse, HD/DVD/CD
>> drives, graphics memory, wifi, 4g, and bluetooth wireless adapters
>> will be needed; you're programming an FPGA to perform reads directly
>> from the flash chips. converting flash memory into high level block
>> storage is the next black art upward.
>>
>> - wide band high performance software defined radio. you will be
>> building custom GNU radio blocks and running many from third party
>> repositories or research projects. you are using a two stage process,
>> where wide sweeps and auto ranging are applied to sample swaths of
>> signal of interest to storage. then parallel processing on other
>> hardware or later time (off-use-hours) extracting known / useful data
>> and anomalies for further analysis.
>>
>> - in-line network archival, shaping, and cut-out for link to internet
>> / local network. this works best as a zero visibility transparent
>> ethernet bridge with ARP spoofing and ether mangling at each end, that
>> does not speak IP at all. the shaping is used to squelch suspect or
>> unexpected peak traffic (both a signalling system for malicious
>> activity and a means to constrain the reach once compromised)
>>
>>
>> as per the kit above,
>>
>> you are instrumenting a system to observe its runtime behavior on an
>> external audit system. this is because the advanced attacks inject
>> into processes and ring0, persisting only what is needed / chosen
>> (enabling hooks). you need to capture the active payloads that are
>> delivered on-demand in host memory space.
>>
>> you are observing the network and RF space for anomalies and
>> discrepancies. for example, a wifi radio disabled yet still emitting
>> into 2.4GHz/5.xGHz spectrum. network captures also provide evidence
>> to correlate with malicious memory, for example identifying a payload
>> delivered over the network, with keys from volatility used to decrypt
>> the encrypted communications containing the payload identified in
>> memory.
>>
>> you are (sometimes destructively) sampling all flash memory as parts
>> of advanced payloads persist outside of the OS and storage level
>> interface visibility. (stealth at bus/bios level). discrepancies in
>> blocks that should not have changed, executable code segments where
>> not expected, strange carvings of wear leveling around "protected"
>> offsets. all of these are indicators for further scrutiny and
>> instruction level reversing (if corresponding to microcontroller
>> programming instructions for manipulating streams read or written to
>> and from device, for example :)
>>
>> last but not least, you are not getting attached to any hardware,
>> because at any moment you may find it all suspect and have to replace
>> all laptops, desktops, routers, printers, mobile devices, storage
>> media, media servers, smart televisions, and god forbid you installed
>> one of those intelligent thermostats. [ laugh for sanity, then go back
>> and read the list, and then understand that the far end of the nation
>> state malware asymptote is full of freaky exotics. i also hope you
>> never hit that level of "all systems go" *grin* ]
>>
>>
>> best regards,
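coderman's flash-sampling step above (flagging "discrepancies in blocks that should not have changed") comes down to a block-level comparison of a suspect dump against a known-good dump from the same part. The following is an added Python example, not code from the thread or from any tool it mentions; the region map, 4 KiB sector size and the two sample dumps are constructed assumptions, and the entropy check is a stand-in for the "executable code where not expected" heuristic.

```python
import hashlib, math, random
from collections import Counter

BLOCK = 4096  # assumed SPI flash sector size

# Hypothetical region map for a small flash image: (start, end, name, may_change)
REGIONS = [
    (0x00000, 0x10000, "boot block", False),
    (0x10000, 0x18000, "NVRAM variables", True),
    (0x18000, 0x20000, "main firmware volume", False),
]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for fill bytes, ~8 for random or packed code/data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def region_of(offset: int):
    for start, end, name, mutable in REGIONS:
        if start <= offset < end:
            return name, mutable
    return "unmapped", True

def diff_dumps(baseline: bytes, suspect: bytes, block: int = BLOCK):
    """Return (offset, region, reason, entropy) for each block that deserves a closer look."""
    findings = []
    for off in range(0, max(len(baseline), len(suspect)), block):
        a, b = baseline[off:off + block], suspect[off:off + block]
        if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
            continue  # block identical to the known-good dump
        region, mutable = region_of(off)
        ent = entropy(b)
        if not mutable:
            findings.append((off, region, "changed block in region that should not change", ent))
        elif ent > 7.0:
            findings.append((off, region, "high-entropy write in a region that normally holds config", ent))
    return findings

def demo():
    """Constructed sample: a known-good dump and a copy carrying three modifications."""
    baseline = bytes(range(256)) * 256 + b"\xff" * 0x8000 + b"FWVOL".ljust(BLOCK, b"\x00") * 8
    suspect = bytearray(baseline)
    rng = random.Random(7)
    suspect[0x2000:0x3000] = rng.randbytes(BLOCK)      # boot block patched: must never change
    suspect[0x10000:0x1000b] = b"Lang=en-US\x00"       # ordinary NVRAM variable write: benign
    suspect[0x14000:0x15000] = rng.randbytes(BLOCK)    # opaque blob stashed in NVRAM: suspicious
    return diff_dumps(baseline, bytes(suspect))
```

Calling `demo()` reports the patched boot-block sector and the high-entropy NVRAM sector, and stays silent on the benign variable write; on a real part the region map comes from the vendor's flash layout and the baseline from a dump taken before the device was ever networked.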