Difference between pages "Research Topics" and "Operating System Password Encryption"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
(New page: ==Unix/Linux Password File== Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/password file...)
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.
+
==Unix/Linux Password File==
 +
Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/password file needs to be world-readable in order for utilities such as `ls` and `finger` to work modern Unix operating systems store the encrypted passwords in 'shadow' file named /etc/shadow.
  
Many of these would make a nice master's project.
+
{| class="wikitable" border="1"
 +
|-
 +
!Username
 +
|The user's username
 +
|-
 +
!Password
 +
|Older Unixes store the password crypt here, more modern ones use an 'x' character to denote that a shadow file is in use.
 +
|-
 +
!UID
 +
|The numeric user ID of the user
 +
|-
 +
!GID
 +
|The primary numeric group ID of the user
 +
|-
 +
!GECOS Field
 +
|This is a text field which may contain information about the user such as name and contact details
 +
|-
 +
!Home directory
 +
|The user's home directory
 +
|-
 +
!Shell
 +
|The user's Unix shell
 +
|}
 +
<pre>
 +
user1:x:600:600:User 1:/home/user1:/bin/bash
 +
user2:x:601:601:User 2:/home/user2:/bin/bash
 +
admin:x:602:602:Admin Account:/home/admin:/bin/bash
 +
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
 +
someguy:x:604:604:Someguy:/home/someguy:/bin/bash
 +
</pre>
  
=Programming/Engineering Projects=
+
The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate the password supplied is encrypted using the same algorithm and compared to the stored password crypt.
  
==Small-Sized Programming Projects==
+
===Unix Crypt===
* Modify [[bulk_extractor]] so that it can directly acquire a raw device under Windows. This requires replacing the current ''open'' function call with a ''CreateFile'' function call and using windows file handles.
+
The most commonly used password encryption in Unix for many year was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.
+
  
==Medium-Sized Programming Projects==
+
<pre>
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
+
jim@localhost ~
** Automatically pull out the strings
+
$ crypt hello
** Show histogram
+
S84xRArsM.gtk
** Detect crypto and/or stenography.
+
</pre>
* Extend [[fiwalk]] to report the NTFS alternative data streams.
+
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
+
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
+
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.
+
  
==Big Programming/System Projects==
+
In modern computing Unix crypt is severly limited. Passwords are restricted to 8 character passwords, and any trailing character as ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.
Most of these are large systems that could be split up into several small projects.
+
===Carvers===
+
Develop a new carver with a plug-in architecture and support for fragment reassembly carving. Take a look at:
+
* [[Carver 2.0 Planning Page]]
+
* ([mailto:rainer.poisel@gmail.com Rainer Poisel']) [https://github.com/rpoisel/mmc Multimedia File Carver], which allows for the reassembly of multimedia fragmented files.
+
  
===Correlation Engine===
+
<pre>
* Logfile correlation
+
jim@localhost ~
* Document identity identification
+
$ crypt xx hellohel
* Correlation between stored data and intercept data
+
xxiHMKqoMTDuc
* Online Social Network Analysis
+
  
===Data Snarfing===
+
jim@localhost ~
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
+
$ crypt xx hellohello
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
+
xxiHMKqoMTDuc
* Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
+
</pre>
  
===Anti-Frensics Detection===
+
===Salts===
A pluggable rule-based system that can detect the residual data or other remnants of running a variety of anti-forensics software
+
Unix passwords usually use what is know as a salt to help make pre-computation of password hashes more difficult.
=== Timeline analysis ===
+
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]] but not limited to
+
* Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
+
===Imaging Disk Farms===
+
How do you image an active file system?
+
===Audit===
+
How do we improve Audit capabilities?
+
  
=Reverse-Engineering Projects=
 
== Application analysis ==
 
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
 
** Fill in the missing information about older ESE databases
 
** Exchange EDB (MAPI database), STM
 
** Active Directory (Active Directory working document available on request)
 
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
 
* Reverse the on-disk structure of Microsoft SQL Server databases
 
  
== Volume/File System analysis ==
+
===MD5/SHA1===
* Analysis of inter snapshot changes in [[Windows Shadow Volumes]]
+
* Add support to SleuthKit for [[FAT|eXFAT]], Microsoft's new FAT file system.
+
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].
+
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
+
* Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
+
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
+
  
==EnCase Enhancement==
+
NIS
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)
+
 
+
 
+
 
+
=Research Projects=
+
==Medium-Sized Research Projects==
+
* Develop an image processing program that can reliably detect screen shots. (Screen shots are useful to find on a hard drive because they can imply the presence of a remote control or surveillance program.)
+
* Develop improved techniques for identifying encrypted data. (It's especially important to distinguish encrypted data from compressed data).
+
* Quantify the error rate of different forensic tools and processes. Are these rates theoretical or implementation dependent? What is the interaction of the error rates and the [[Daubert]] standard?
+
 
+
==Research Areas==
+
These are research areas that could easily grow into a PhD thesis.
+
* General-purpose detection of:
+
** Stegnography
+
** Sanitization attempts
+
** Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
+
* Visualization of data/information in digital forensic context
+
* SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;
+
 
+
=See Also=
+
* [http://itsecurity.uiowa.edu/securityday/documents/guan.pdf Digital Forensics: Research Challenges and Open Problems, Dr. Yong Guan, Iowa State University, Dec. 4, 2007]
+
 
+
__NOTOC__
+
 
+
[[Category:Research]]
+

Revision as of 05:58, 19 June 2008

Unix/Linux Password File

Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/password file needs to be world-readable in order for utilities such as `ls` and `finger` to work modern Unix operating systems store the encrypted passwords in 'shadow' file named /etc/shadow.

Username The user's username
Password Older Unixes store the password crypt here, more modern ones use an 'x' character to denote that a shadow file is in use.
UID The numeric user ID of the user
GID The primary numeric group ID of the user
GECOS Field This is a text field which may contain information about the user such as name and contact details
Home directory The user's home directory
Shell The user's Unix shell
user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
someguy:x:604:604:Someguy:/home/someguy:/bin/bash

The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate the password supplied is encrypted using the same algorithm and compared to the stored password crypt.

Unix Crypt

The most commonly used password encryption in Unix for many year was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.

jim@localhost ~
$ crypt hello
S84xRArsM.gtk

In modern computing Unix crypt is severly limited. Passwords are restricted to 8 character passwords, and any trailing character as ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.

jim@localhost ~
$ crypt xx hellohel
xxiHMKqoMTDuc

jim@localhost ~
$ crypt xx hellohello
xxiHMKqoMTDuc

Salts

Unix passwords usually use what is know as a salt to help make pre-computation of password hashes more difficult.


MD5/SHA1

NIS