Play loud rap music.
On Tue, Aug 5, 2014 at 5:22 AM, doug <douglasrankine2001@xxxxxxxxxxx
<mailto:douglasrankine2001@xxxxxxxxxxx>> wrote:
How does one suppress the noise which comes out of ones computers.
How does one suppress the noise that an individual Faraday cage
makes...Each and every component in a computer and the internet of
things emits an identifiable noise pattern. Even the variations
of the phases of electric current in the mains power supply can
determine time and place of transmission of data...such are the
laws of quantum mechanics. Good forensic tools, can take a hard
disk back to the original writing and reading, even with the best
of erasure tools.
Just a thought.
ATB
Dougie.
On 20/07/14 08:07, coderman wrote:
On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus
<bluelotus@xxxxxxxxxxxxxxx <mailto:bluelotus@xxxxxxxxxxxxxxx>>
wrote:
...
I wrote threads on my limited ability to perform forensics
for those technical, the minimum viable toolset for
identifying low
level subversive programming is:
- a solid base (clean hw, clean installs, clean environment) in a
separate location with RF shielding. (a closed metal barn out
in the
country, for example. if you're a geek you love the thought of a
faraday closet ;)
- instrumented runtime (e.g. volatility memory forensics, system
performance profiling, all to append only storage) on any
systems you
are using as suspect to attack.
- obstructed runtime (see thread on "how to hack your systems
before
someone else") - this is optional; a modified system that
appears to
be vulnerable / stock condition will exhibit undefined
behavior under
attempted enabling, sometimes. otherwise it may be difficult to
identify a successful infection.
- direct flash memory pinout rig (specs for all chips
including flash
memory associated with BIOS, integrated management controllers,
network devices, I/O ports, keyboard, trac pad or mouse, HD/DVD/CD
drives, graphics memory, wifi, 4g, and bluetooth wireless adapters
will be needed you're programming an FPGA to perform reads
directly
from the flash chips. converting flash memory into high level
block
storage the next black art upward.
- wide band high performance software defined radio. you will be
building custom GNU radio blocks and running many from third party
repositories or research projects. you are using a two stage
process,
where wide sweeps and auto ranging are applied to sample swaths of
signal of interest to storage. then parallel processing on other
hardware or later time (off-use-hours) extracting known /
useful data
and anomalies for further analysis.
- in-line network archival, shaping, and cut-out for link to
internet
/ local network. this works best as a zero visibility transparent
ethernet bridge with ARP spoofing and ether mangling at each
end. that
does not speak IP at all. the shaping is used to squelch
suspect or
unexpected peak traffic (both a signalling system for malicious
activity and a means to constrain the reach once compromised)
as per the kit above,
you are instrumenting a system to observe its runtime behavior
on an
external audit system. this is because the advanced attacks inject
into processes and ring0, persisting only what is needed / chosen
(enabling hooks). you need to capture the active payloads that are
delivered on-demand in host memory space.
you are observing the network and RF space for anomalies and
discrepancies. for example, a wifi radio disabled yet still
emitting
into 2.4Ghz/5.xGhz spectrum. network captures also provide
evidence
to correlate with malicious memory, for example identifying a
payload
delivered over the network, with keys from volatility used to
decrypt
the encrypted communications containing the payload identified in
memory.
you are (sometimes destructively) sampling all flash memory as
parts
of advanced payloads persist outside of the OS and storage level
interface visibility. (stealth at bus/bios level).
discrepancies in
blocks that should not have changed, executable code segments
where
not expected, strange carvings of wear leveling around "protected"
offsets. all of these are indicators for further scrutiny and
instruction level reversing (if corresponding to microcontroller
programming instructions for manipulating streams read or
written to
and from device, for example :)
last but not least, you are not getting attached to any hardware,
because at any moment you may find it all suspect and have to
replace
all laptops, desktops, routers, printers, mobile devices, storage
media, media servers, smart televisions, and god forbid you
installed
one of those intelligent thermostats. [ laugh for sanity, then
go back
and read the list, and then understand that the far end of the
nation
state malware asymptote is full of freaky exotics. i also hope you
never hit that level of "all systems go" *grin* ]
best regards,
