SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktops, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV satellite. Security honcho Bruce Schneier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a simple air pump connected to an industrial computer to pop a balloon. The computer's program called for the pump to stop before the balloon burst. But O Murchu had loaded the Stuxnet worm onto the machine, which let him order the pump to keep going. That, he says, shows what can happen when bad guys gain control of industrial systems: 'Imagination is the limit.'"

According to an industry expert, talking on background, there have been nearly a half dozen serious cyber events in the past decade related to industrial controls security. This expert talked about the seriousness of the threats to power supplies, water systems, energy delivery systems, and the many other systems that depend on vulnerable industrial controls. The expert expressed concern that many of these industrial controls were never designed with security in mind. Making matters worse, universities are not doing enough to teach security to the next generation of controls engineers, who will be the ones designing more secure industrial controls.

The same shortage of expertise and skills may be developing in industrial controls forensics and incident response. In a related story (see News below) the National Security Agency and the Department of Defense are going to work with the Department of Homeland Security to provide information security expertise to private industry when it is under attack. We have already heard in other reports about the difficulty the Feds have finding enough information security personnel. Are there enough trained forensics and incident response professionals to go around?


  • BlackJack Forensic Tool, by Crucial Security - This item was mentioned previously on the blog, but now we have more details about BlackJack, the new forensic tool from Crucial Security, a division of defense and communications contractor Harris Corporation. The SANS Forensic Blog interviewed a spokesperson from Crucial Security this week about the tool. It is designed to speed the extraction of forensic information, and has some interesting applications for covert infiltration and exfiltration.

    BlackJack consists of two components. One component is a USB thumb drive that is designed to quickly extract targeted data from Windows and Linux computers. The second component is Windows-based software that allows an examiner to pre-program the USB drive with the targeted data and file types.

    [Image: BlackJack Forensic Tool]

    With the BlackJack system, all a non-skilled team member needs to do is get physical access to the target system, plug in the drive, and reboot. If the system boots from the USB drive (more on that in a moment), BlackJack scans for the target materials. If it finds them, a red light on the device indicates that the data was found, and a copy is written to the USB drive. That copy is encrypted so that it can only be decrypted with a key held by the Windows software back in the lab; the drive itself carries nothing that would let whoever finds it read the collection. If the target does not have the data, a green indicator light displays. That last feature could help when there are multiple target systems and uncertainty about which one contains the target information.

    One challenge: getting the target system to boot from the USB drive. Unfortunately, PC firmware varies widely in how USB boot is enabled (boot-order settings, one-time boot menus, USB boot disabled or locked behind a firmware password), so it might take some time to get the system to boot from the drive, burning valuable minutes at the keyboard. This tool might work best in a situation where the examiners can discover the make and model of the target systems in advance. According to the Crucial Security spokesperson, BlackJack only works on Windows and Linux systems. It will not work on Macs or mobile devices.

    I have arranged for a hands-on review of the BlackJack, and that review will post here, on the SANS Forensic Blog.
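    The collection step described above, written as an added example for this post rather than as Crucial Security's own code: a profile of target extensions, file-name patterns and content keywords is prepared in advance (the equivalent of pre-programming the drive from the Windows side), the collector walks a mounted target filesystem, copies each match with its timestamps preserved, verifies the copy by SHA-256, writes a sha256sum-style manifest, and reports found or not found, which is what the red and green indicators convey. That BlackJack works this way internally is an assumption; the target tree is constructed in a temporary directory and is not real evidence. Encrypting the collection to a key held back in the lab is not shown.

```python
"""Targeted triage collection: profile-driven scan, verified copy, manifest.

Added example, not Crucial Security's BlackJack implementation.  The target
tree built by demo() is constructed test data, not real evidence.
"""
from __future__ import annotations

import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Profile:
    """What the examiner pre-programs before the drive goes into the field."""
    extensions: set[str]            # lower-case suffixes, e.g. {".docx", ".pst"}
    name_patterns: list[str]        # regexes applied to the file name only
    keywords: list[bytes]           # byte strings searched for in file content
    max_content_bytes: int = 16 * 1024 * 1024   # skip content search above this


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(path: Path, profile: Profile) -> bool:
    """True if the file matches any selector in the profile (cheapest tests first)."""
    if path.suffix.lower() in profile.extensions:
        return True
    if any(re.search(p, path.name, re.IGNORECASE) for p in profile.name_patterns):
        return True
    if profile.keywords:
        try:
            if path.stat().st_size <= profile.max_content_bytes:
                data = path.read_bytes()
                return any(k in data for k in profile.keywords)
        except OSError:
            return False            # unreadable or vanished: treat as no match
    return False


def collect(target_root: Path, out_dir: Path, profile: Profile) -> dict:
    """Walk target_root, copy matches under out_dir/collected, write a manifest.

    Returns {"status": "FOUND" | "NOT FOUND", "files": [...]} where FOUND maps
    to the red indicator and NOT FOUND to the green one.  Symlinks are skipped
    so the scan cannot be steered outside the target tree.
    """
    collected_root = out_dir / "collected"
    collected_root.mkdir(parents=True, exist_ok=True)
    found: list[dict] = []
    for dirpath, dirnames, filenames in os.walk(target_root):
        dirnames[:] = [d for d in dirnames if not (Path(dirpath) / d).is_symlink()]
        for name in filenames:
            src = Path(dirpath) / name
            if src.is_symlink() or not matches(src, profile):
                continue
            rel = src.relative_to(target_root)
            dst = collected_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)                  # copy2 preserves mtime
            src_hash = sha256_file(src)
            found.append({"path": rel.as_posix(), "sha256": src_hash,
                          "verified": sha256_file(dst) == src_hash})
    # sha256sum-compatible manifest: "<hash>  <relative path>"
    (out_dir / "manifest.txt").write_text(
        "".join(f"{e['sha256']}  {e['path']}\n" for e in sorted(found, key=lambda e: e["path"])))
    return {"status": "FOUND" if found else "NOT FOUND", "files": found}


def demo() -> dict:
    """Build a constructed target tree and run the collector against it."""
    root = Path(tempfile.mkdtemp(prefix="target_"))
    out = Path(tempfile.mkdtemp(prefix="collection_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "plans.docx").write_bytes(b"PK\x03\x04 quarterly plans")          # matches by extension
    (docs / "notes.txt").write_bytes(b"call about PROJECT-FALCON tomorrow")  # matches by keyword
    (docs / "todo.txt").write_bytes(b"buy milk")                              # no match
    sysdir = root / "Windows" / "System32"
    sysdir.mkdir(parents=True)
    (sysdir / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 64)                 # no match
    profile = Profile(extensions={".docx", ".pst"},
                      name_patterns=[r"^budget.*\.xlsx$"],
                      keywords=[b"PROJECT-FALCON"])
    return collect(root, out, profile)


if __name__ == "__main__":
    result = demo()
    print(result["status"])
    for entry in result["files"]:
        print(entry["sha256"], entry["path"], "verified" if entry["verified"] else "MISMATCH")
```

    The manifest is deliberately in sha256sum format so the lab can re-verify the collection with a stock tool, and the hash is taken from the source before copying so a failed or tampered copy shows up as a mismatch rather than silently becoming the record.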

  • ElcomSoft Phone Password Breaker - RIM BlackBerry handsets, when used with the BlackBerry Enterprise Server, are known to have very strong security. The data on the device is encrypted with strong crypto, so forensic extractions are not very useful. But what Vladimir Katalov, President of ElcomSoft, has discovered is most interesting: if a user backs up their device data to a desktop PC, the security implementation by RIM is very poor. Using the ElcomSoft tool, it is possible to break the weak encryption on the backup and access the data that originated on the handheld device. Read all the details in this posting by Mr. Katalov.

Interesting Reads:

  • No such thing as cyberbullying - So says blogger Anil Dash, who argues that the word has been invented to help parents, school administrators, and the media duck responsibility for teaching kids civil behavior. Read his commentary here. Others have commented that there is a growing "cyberbully industry" of consultants that try to get grants and other funding due to the alarm bells sounding.
  • Peeing in a cup is so 1990s — When there's a company that will crawl through social networks to help your employer discover who you really are. Psychological profile, criminal tendencies, gratuitous use of slang popularized by drug culture, you name it. Pre-crime forensics? Read more here.
  • Fun finder or stalker tool? The website monitors social networking sites to help dudes locate gatherings of women. But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.


  • Incident response and forensics services, too? "In a break with previous policy, the military now is prepared to provide cyber expertise to other government agencies and to certain private companies to counter attacks on their computer networks, the Pentagon's cyber policy chief, Robert Butler, said Wednesday." Read more here.
  • Free on bail - A contractor who did some work for Fannie Mae is looking at a maximum 10-year prison sentence after planting a logic bomb that would have brought down 5,000 servers had it not been discovered. Lessons about the importance of logs, segregation of duties, and keeping track of which employer is responsible for "passthrough" employees. Read more here.
  • Mobile Forensic Consultant's Gold Mine — Explosive growth of mobile devices leads to security risks as workers use their own devices to store and transmit work data.
  • What did he know, and when did he know it? At least one IT staffer in the Lower Merion School District waxed fondly about the remote tracking capabilities on the laptops issued to students, who later sued the district for spying on them. Last week, the school district settled with two families whose children attended its schools. Settlement amount? $610,000. Um, exactly how expensive is good security governance, risk and compliance?


  • Creative forensics skills trick gold digger into "falling" for own husband posing as rich guy - And he found out where his gold-digging wife was living, after she took off with their son. His scheme: posing on Facebook as someone she would find "attractive" (i.e. wealthy). Father and son are reunited. How many forensic uses can one find by leveraging the information posted on social networking sites?

Coming Events:

Digital Forensics Case Leads for 20101021 was compiled by Ira Victor, G7799, GCFA, GPCI, GSEC, ISACA, CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation's first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT / 1p-3p ET. Ira is President of Sierra-Nevada InfraGard, and a member of the High Technology Crime Investigation Association.