Transcript The Untraceable Criminal

MISY : Intro. To Info. Assu.
Assignment # 2
Name: Hadeel Al-Eisa
ID: 200801009
About the Paper
 Introduction
 The model, formula, policy used
 Conclusion
 Recommendation

Author:
Tracy Lafeir
 Journal Name:
The Untraceable Criminal
 Publication:

Eastern Michigan University, Information
Assurance, Program Information and
Students Resources.

December 2008
The paper discusses a story of a criminal
and how did he use technology and
information assurance to cover his
crimes.
 In this paper, I will introduce
technological tools he used.

He quietly flicks a switch mounted in the
driver’s side door panel.
 He closes the lid of his now deactivated
laptop and prepares to be arrested.
 The authorities, however, could not
retrieve any data that they could use for
a prosecution.


Windows XP embedded
Windows XP Embedded is an operating system
designed with specific use devices, such as kiosks and
ATMs. Windows XP embedded uses a similar kernel
codebase as Windows XP Home and Professional,
making its included technologies compatible with those
operating systems, as well as Windows Server 2003.

EWF driver (enhanced writer filter)
This driver interrupts writes to any protected drive,
instead storing those writes in an overlay. This overlay
can be stored on the system drive, the registry, or in
memory.
Types of EWF modes:
Disk mode – EWF stores its overlay on unpartitioned space on
writable disk drive.
RAM Mode – EWF stores its overlay in write mode, but requires that
the overlay configuration be written to the host disk.
RAM Reg mode – As the only mode compatible with versions of
Windows other than XP embedded, is RAM Reg mode.

Embedded Devices and Linux
Numerous consumer electronic devices on the
market today run Linux derived firmware. Thanks
to economies of scale, these devices actually
contain considerable processing power.
- Linksys WRT-54g router
- The Western Digital Netcenter
Linksys WRT-54g router
 Depending on the model, The Linksys WRT router contain
a CPU capable at running at speeds from 125 MHz CPU
to about 240 MHz, with RAM ranging in capacity from 8
megabytes all the way to 32 megabytes.
 The WRT router contains flash storage ranging from 2
megabytes to about 8 megabytes.
The Western Digital Netcenter
 It is a Network Attached Storage Device, with
capacities ranging from 160 gigabytes to 500
gigabytes.
 This device contains 32 megabytes of RAM, as
well as 16 megs of flash storage.
 A 10/100mb Ethernet port links the device to the
LAN.
Portable Applications
- AppV. AppV is an Application Virtualization program.
- Used to create applications that run in a ‘virtual
sandbox’ thus not requiring a full installation on the
host OS.




a hypothetical criminal had created a mobile data center
using the outlined technologies.
Forensics investigators were unable to locate any evidence
of a crime, due to the lack of general knowledge of what
can be accomplished when combining these technologies.
Because of his knowledge and planning, all it took for John to
evade capture was a flick of a simple switch.
John will go unpunished, free to commit his horrendous
crimes, and puzzled investigators will continue to pour over.







When the inverter was powered off, the UPS would immediately
signal both desktops to execute a series of commands and power
off.
The first command, a custom executable, was designed to telnet
into the three Netcenters, and executes a shell script.
The Netcenter’s shell script then wiped the NVRAM, and over wrote
the sectors of the hard disk which held the initial encrypted
archives, as well as the File allocation Tables.
The desktops then launched TFTP sessions to the router located in
the car, as well as the router located in the home that he was
stealing internet access from.
The TFTP session then uploaded garbage data to both routers.
Once the TFTP upload was complete, the routers rebooted,
effectively killing them.
The last step of the shutdown process was to trigger a complete
power off of the UPS device.
The whole process occurred in under a minute.


With the advent of inexpensive embedded
devices, and the release of new software never
before imagined, scenarios such as the one
mentioned will unfortunately become more
common.
It is now important than ever to stay ahead of the
criminal, understanding industry trends, and
understanding these new technologies before
those with less honorable intentions do.
The use of diagrams would be helpful to
explain the process how jones deleted
all the threads of his crime.
 The idea will be explained better if it was
not introduced as a story.
 Everyone should be aware of the use of
technology in information assurance.

Thank you










“Enhanced Write Filter.” MSDN: Microsoft Developer Network. 18,
October 2006
<http://msdn.microsoft.com/enus/library/ms912906(WinEmbedded.5).aspx>
“Installing EWF” Granturing. 3, December 2007
<http://granturing.blogspot.com/2007/12/this-guide-is-based-offmy-original-ewf.html>
“TrueCrypt – Free Open-Source On-The-Fly Encryption. 1,
December 2008. TrueCrypt Foundation.
2, December 2008 <http://www.truecrypt.org>
“Microsoft Application Virtualization” Microsoft Corporation. 23,
September 2008.
2, December 2008
http://www.microsoft.com/systemcenter/appv/default.mspx
“DD-WRT Wiki” DD-WRT, 4, June 2007
2, December 2008 <http://www.ddwrt.com/wiki/index.php/Main_Page>