Cybersecurity Insights & Analysis

Is it time we take counter forensics seriously?

So you’ve installed a firewall and deployed an intrusion detection system. But let’s not neglect the all-too-common scenario of an attacker having physical access to your machine. In this insights article, we’ll explore how to secure your endpoints from malicious tampering.

At first glance, you’d be forgiven for thinking that this is an article about evading the law. It isn’t. Countering computer forensics is a vital component of any cybersecurity strategy, arguably just as important as having a firewall installed and market-leading endpoint detection software. Whilst security professionals often focus on network-based attacks against IT systems, it’s important that we don’t forget physical security in the process.

Take the following scenario, for instance. You’re travelling to London on an important business trip, accompanied by your work laptop. You have a few hours to spare and decide to work from one of the capital’s many vibrant and trendy coffee shops. As you finish your latte, you decide to visit the bathroom, leaving your laptop behind at your table.

The risk is obvious, but you default to the zero-risk illusion that having a password on your operating system will be enough to prevent a malicious actor extracting any information from your device.

As you leave the bathroom and return to your table, you notice that, to your horror, your laptop is no longer where you left it. You can say goodbye to your laptop – and all the sensitive information contained within it.

This scenario illustrates why incorporating a counter-forensic policy in your overall cybersecurity strategy is vital to the overall safety and security of your clients’ sensitive information. It needn’t be said that leaving a laptop – or any computing device for that matter – that contains sensitive information unattended is asking for trouble. Stealing a computer can be lucrative.

Computer forensic software isn’t limited to law enforcement agencies; cybercriminals can use the same techniques to extract information from your computer, even if you have a password on your operating system. It can be surprisingly trivial to forensically examine the contents of a hard drive, yet there are several preventative measures you can take to secure your assets from attack.

That’s why in this insights article we’ll be exploring what you can do to prevent someone forensically inspecting your device, and what attack vectors are available to attackers.

What is full disk encryption?

If we were to recommend a gold standard for protecting your laptop, we’d default to full disk encryption. With full disk encryption, the majority of your disk is encrypted, meaning an attacker won’t be able to read its contents. I say majority, because the swap partition and master boot record may be left unencrypted.

The benefits of encrypting your hard drive are two-fold. First, when an attacker goes to extract information from your hard drive, they’ll be met with gibberish that cannot be understood without the decryption key. Second, encryption also provides integrity control, meaning that it’s more difficult for an attacker to tamper with or modify your files.

Whilst there are several attack vectors against full disk encryption – all of which will be explored in this article – the technology remains the current gold standard in protecting your physical device from being attacked. 

How can I encrypt my hard drive?

Whilst many modern computers now come with SEDs, or self-encrypting drives, there are still plenty of computers in the wild that don’t have this feature. Windows 11, meanwhile, comes with BitLocker by default, automatically providing full disk encryption. The downside? Windows holds the encryption key. This can be useful, as Windows keeps a backup for you in the event that you lose your encryption key. However, to attain true privacy and security, we recommend encrypting your hard drive using VeraCrypt.

VeraCrypt allows you to select a cipher (or even cascade ciphers), including the recommended AES, Blowfish, Twofish and Serpent. We recommend using 256-bit keys to future-proof your keys against quantum computers, a genuine and emerging threat to cryptosystems.

If you’re using Linux, we recommend using LUKS, the standard encryption technology offered when installing a new Linux operating system.

Attacks against full disk encryption

Despite the obvious necessity of full disk encryption, there are several attacks that can be used to bypass the encryption and gain access to your files. Most of these attacks are advanced, and it’s unlikely, although not impossible, that they’ll be used in the wild.

If your adversary is GCHQ, for example, you should note that they are genuinely skilled at cracking encryption algorithms – it’s their job. However, there are several encryption algorithms that are yet to be broken, and we have no evidence that they have been compromised. For the purposes of this article, we’ll assume that you aren’t being targeted by one of the alphabet agencies, and that your primary adversaries are cyber criminals looking to make a quick buck, or hostile actors engaged in industrial espionage.

Attack 1: Evil Maid Attacks

Evil maid attacks, also known as “evil maid syndrome,” are a specific type of physical security attack that targets computers or other electronic devices when they are left unattended. The attack scenario involves an adversary gaining unauthorised access to a device by tampering with it while in physical possession. The term “evil maid” refers to a hypothetical scenario where a hotel maid, for example, has access to a guest’s room and seizes the opportunity to compromise the guest’s device.

Here’s an overview of how an evil maid attack typically unfolds:

  • Physical Access: The attacker gains physical access to the target device. This can occur when the owner leaves the device unattended in a hotel room, office, or any other location where unauthorised individuals can gain entry.
  • Tampering: The attacker modifies or manipulates the device to install malicious software or hardware. This could involve inserting a USB drive, attaching a hardware keylogger, or tampering with the device’s components.
  • Compromise: The attacker’s goal is to gain persistent access to the device or extract sensitive information. They may install spyware, keyloggers, or backdoors that allow them to collect data or remotely control the compromised device. In the case of a keylogger, it will record your keystrokes and thus capture the password you set on your encrypted drive.
  • Covering Tracks: After the attack, the attacker removes any evidence of tampering, leaving the device in a seemingly normal state. This can make it difficult for the owner to detect the intrusion.

Evil maid attacks pose a significant threat to individuals and organisations, particularly those dealing with sensitive information. They highlight the importance of physical security measures, such as locking devices when unattended, using encryption to protect data, and regularly inspecting devices for signs of tampering.


To mitigate the risk of evil maid attacks, some security measures include:

  • Secure Boot: Enable secure boot mechanisms to detect any tampering attempts during the device’s startup process.
  • Physical Security: Use physical security measures such as locking devices in a safe or using secure storage when unattended, especially in vulnerable environments like hotel rooms.
  • Regular Inspections: Routinely check devices for signs of tampering, including changes in hardware components, unexpected software behaviour, or the presence of unfamiliar devices connected to ports.


By implementing a combination of physical security practices and technical safeguards, individuals and organisations can reduce the risk of falling victim to evil maid attacks and protect the integrity of their devices and sensitive information.
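The “regular inspections” item above can be partly automated: because full disk encryption leaves the boot partition in the clear, that is where evil maid tampering lands, and a hash baseline of it makes the tampering visible on the next check. This is an added example, not code from the article; it assumes a /boot-style directory and a baseline file kept off the device or on the encrypted volume.

```python
"""Baseline and re-check the unencrypted boot partition.

Added example, not code from the article. Assumes the bootloader, kernel and
initramfs live under a directory like /boot that full disk encryption leaves in
the clear. Keep the baseline off the device or on the encrypted volume, never
on /boot itself, or the same tampering can rewrite the record of it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, vanished or changed since the baseline was taken."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}


def save_baseline(root: Path, record: Path) -> None:
    record.write_text(json.dumps(baseline(root), indent=2, sort_keys=True))


def check(root: Path, record: Path) -> dict[str, list[str]]:
    return compare(json.loads(record.read_text()), baseline(root))


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: baseline a fake /boot, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "EFI").mkdir(parents=True)
        (boot / "EFI" / "grubx64.efi").write_bytes(b"constructed bootloader image")
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        record = Path(tmp) / "boot-baseline.json"  # kept outside the boot tree
        save_baseline(boot, record)
        # Simulated tampering: bootloader replaced and an unknown binary dropped in.
        (boot / "EFI" / "grubx64.efi").write_bytes(b"constructed tampered bootloader")
        (boot / "EFI" / "unknown.efi").write_bytes(b"constructed unknown file")
        return check(boot, record)
```

Run `save_baseline(Path("/boot"), record)` once on a known-good machine and `check(...)` at each inspection; any non-empty list deserves a look before you type your passphrase.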

Attack 2: Knowledgeable Evil Maid Attacks

Knowledgeable evil maid attacks are predominantly an academic exercise, but they could be employed by serious, well-resourced adversaries. This attack occurs when an adversary knows where specific files are located on the disk and can modify the encrypted bits, thus compromising security. Similar to an ordinary evil maid attack, it can be used to install keyloggers.

Attack 3: Cold boot attacks

A cold boot attack is a type of security exploit that targets the data remnants left in a computer’s random access memory (RAM) after the system has been powered off or restarted. The attack takes advantage of the fact that data stored in RAM can persist for a brief period even after the power is cut off, due to the slow decay of electrical charges in the memory cells.

Here’s an overview of how a cold boot attack typically works:

  • Access to Powered-Off System: The attacker gains physical access to a computer that is either powered off or in a powered-on but locked state, such as a sleeping or hibernating mode.
  • Retention of RAM Contents: The attacker quickly cuts off power to the system, preventing the RAM from being wiped and allowing the contents to remain intact for a short duration (typically a few seconds to a few minutes, depending on factors like temperature).
  • Freezing or Rebooting the System: To prolong the retention time of the data in RAM, the attacker may cool down the RAM modules using methods like freezing them with compressed air or liquid nitrogen. Alternatively, they might quickly reboot the system into a specially crafted bootloader or external device to preserve the RAM contents.
  • Data Extraction: Once the system is powered on or the RAM is transferred to another device, the attacker extracts the data remnants from the RAM, potentially obtaining sensitive information such as encryption keys, passwords, or other confidential data.

Cold boot attacks are particularly effective against full disk encryption (FDE) systems because the encryption keys are often stored in RAM while the system is running. By capturing and extracting these keys, an attacker can potentially decrypt the protected data even if they do not have the original credentials.


Mitigating cold boot attacks involves implementing several security measures:

  • Encryption Key Security: Protect encryption keys by storing them in dedicated hardware modules (e.g. Trusted Platform Modules or secure enclaves) or using key separation techniques to minimise their exposure in RAM.
  • Secure Boot Process: Ensure the integrity of the boot process by utilising secure boot mechanisms that prevent the execution of unauthorised or tampered bootloaders.
  • Memory Overwrite: Implement memory overwrite mechanisms that securely wipe sensitive data from RAM when powering off or restarting the system.
  • Physical Security: Maintain physical security of the system to prevent unauthorised access and tampering.


By combining these measures, organisations and individuals can reduce the risk of data compromise through cold boot attacks and enhance the overall security of their systems.
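The “memory overwrite” and “minimise exposure in RAM” mitigations have an application-level counterpart: hold key material in a buffer you can overwrite, and overwrite it the moment its one use is done, so a memory image taken later finds zeros rather than the key. This is an added example, not code from the article; it assumes a PBKDF2-derived key used once to authenticate a record, and the passphrase and salt are constructed.

```python
"""Keep application-held key material in RAM only as long as it is needed.

Added example, not code from the article. It applies the memory-overwrite
mitigation at application level: a key derived with PBKDF2 (hashlib) lives in
a mutable bytearray and is overwritten in place as soon as its one use is done.
Python cannot stop the interpreter from making internal copies, so this shrinks,
but does not close, the window a cold boot attack can exploit.
"""
import hashlib
import hmac
from contextlib import contextmanager
from typing import Iterator

ITERATIONS = 200_000  # assumed cost factor for the constructed passphrase


def derive_key(passphrase: bytes, salt: bytes) -> bytearray:
    # bytes objects are immutable and cannot be scrubbed; return a bytearray instead.
    return bytearray(hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=32))


def scrub(buf: bytearray) -> None:
    # Slice assignment overwrites the existing buffer rather than allocating a new one.
    buf[:] = bytes(len(buf))


def is_scrubbed(buf: bytearray) -> bool:
    return not any(buf)


@contextmanager
def unlocked_key(passphrase: bytes, salt: bytes) -> Iterator[bytearray]:
    """Yield the key for one operation and wipe it afterwards, even on error."""
    key = derive_key(passphrase, salt)
    try:
        yield key
    finally:
        scrub(key)


def seal_record(passphrase: bytes, salt: bytes, record: bytes) -> tuple[bytes, bytearray]:
    """Authenticate a record with a freshly unlocked key; return the tag and the
    key buffer so the caller can confirm it was wiped once the block exited."""
    with unlocked_key(passphrase, salt) as key:
        # Pass the bytearray itself; bytes(key) would leave an immutable copy behind.
        tag = hmac.new(key, record, "sha256").digest()
    return tag, key
```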

Attack 4: Shoulder surfing

Shoulder surfing refers to when an attacker views you entering the decryption key and remembers it. Once the opportunity presents itself, they’ll then access the computer using the same password you used. 

An attacker installing a hidden camera and watching you enter your decryption password is a genuine threat that must be taken into account. If you’re on the move, look out for potential hiding places in which a camera could reside; purchasing a bug sweeping kit could also be useful to that end.

Conclusion

Hopefully, upon reading this article, you realise that counter-forensics isn’t limited purely to criminals looking to evade law enforcement. Counter-forensics should be a part of any security strategy, to eliminate the gaping hole often found in an organisation’s security posture: devices left unattended.

Remember that encryption is only as strong as its weakest link, and simple operational security mistakes (such as leaving your device powered on and booted while unattended) will eliminate any advantage you gain from it.


About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.