Contributors - CyberSecurity Malaysia

More documents

Recommendations

Info

10.ConclusionReferencesUSB removable devices are quickly becoming a “must have”.Now almost everyone has one, be it flash drives, externalhard drives or many others. It is also becoming a favoritegift for conference attendees. The medium for connectionto a PC is via the USB port.As reported in “USB devices spreading viruses” (Ref[11]), Gunter Ollmann, chief security strategist for IBM'sISS security division said, “Thumb drives aren't the onlyculprits; any device that plugs into a USB port – includinggadgets like lights, fans, speakers, toys, even a digitalmicroscope – can be used to spread malware”. Therefore,we can say that the risks get bigger each time a new deviceis USB supported.Normally, people diligently follow security practices likeencrypting sensitive information, encrypting emails,updating antivirus softwares, etc, but USB ports are alwaysleft unprotected.Use of USB ports come with risks as mentioned earlier inthis article. The risks should not be ignored and should behandled appropriately by implementing countermeasuressuitable for you and your organisation. •[1] USB Implementers Forum Website,http://www.usb.org/developers/docs/[2] Marshall Brain, “How USB Ports Work”,http://computer.howstuffworks.com/usb.htm[3] DeviceLock Website,http://www.devicelock.com/dl/[4] Safend Protector Website,http://www.safend.com/65-en/Safend%20Protector.aspx[5] MyUSBOnly Website,http://www.myusbonly.com/usb-security-devicecontrol/index.php[6] Common Criteria Portal,http://www.commoncriteriaportal.org/[7] “SanDisk Cruzer Enterprise Flash Drives EarnCertification”, October 2009,http://www.securitywatch.co.uk/2009/10/30/sandisk-cruzer-enterprise-flash-drives-earncertification/[8] FIPS PUB 140-2, Security Requirements forCryptographic Modules,http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf[9] Iron Key Enterprise Website,http://www.ironkey.com/enterprise[10] Charles Arthur, “Windows virus infects 9mcomputers”, January 2009,http://www.guardian.co.uk/technology/2009/jan/19/downadup-conficker-kido-computer-infection[11] Elinor Mills, “USB devices spreading viruses”,November 2008,http://news.cnet.com/8301-1009_3-10104496-83.html[12] Jake Shores, “USB Flash Drive Security”, May 2009,http://www.brighthub.com/computing/smbsecurity/articles/2043.aspx[13] Brett Callow, “How to Enforce a Read-Only Policy onUSB Drives”, May 2009,http://www.brighthub.com/computing/smbsecurity/articles/5995.aspx
EnCase 101How EnCase Looks at the Time of theEvidence File? [Part 2]11.IntroductionIntroduction4. After Clicking “OK” (Figure 2), the NTRegistry willappear as shown in (Figure 3).In part one of this article, I had showed how EnCaseForensic Software shows the time of the evidence based onthe examiner’s machine time zone setting. So in part two, Iwill concentrate on how to find out the evidence time zonesetting and change the EnCase environment accordingly.DiscussionHow to know the evidence time zone setting? For evidencethat does not contain the operating system, such as a pendrive, the MAC(Modified, Access, Create) time will not beinfluenced by the time zone setting of the examiner’smachine.This means that EnCase Forensic Software willshow the exact MAC time of the files when it was beingcreated inside the media (in this case, a pen drive). If theevidence contains Operating System such as a primary harddisk found in a workstation, there are two ways basically tofind out about the time zone setting:• Manual (Registry directory)• Auto (run EnScript)a) Manual1. Load the hard disk image into EnCase ForensicSoftware.2. Navigate to C:\Windows\System32\Config. Select the“SYSTEM” file.3. Right click on the “SYSTEM” file and select view filestructure. (Figure1)Figure 2: Viewing the System registry hiveFigure 3: Windows NT Registry5. When open up NTRegistry\$$$PROTO.HIV, there are2 control sets. To know which control set is beingused by the user, click on the Select folder in theTree Pane and select “Current” in the Table Pane(Figure 4)Figure 4: Directory of Windows NT registryFigure 1: Locating and opening the Systemregistry hive6. Highlight the data in the View Pane and right click.Select Go To, and view the data in Little Endianformat (Figure 5 and 6). Ensure the value is 1 forother.e-Security | <strong>CyberSecurity</strong> <strong>Malaysia</strong> | Volume 21 - (Q4/2009)
Page 1: Volume 21 - (Q4/2009)“Companies s
Page 4 and 5: 4.MyCERT 4th Quarter 2009 SummaryRe
Page 6 and 7: 6.USB PortA culprit to ICT Security
Page 8 and 9: 8.Specific device setup classes can
Page 12 and 13: 12.Figure 9: Interpreting “Active
Page 14 and 15: 14.7. A list of time zone propertie
Page 16 and 17: 16.allowing you to specify which da
Page 18: 18.Guide to Motion Compensation (Ph
Page 21 and 22: Graph 1 shows all the satisfied poi
Page 23 and 24: CyberdatingHow to Have Funbut Stay
Page 25 and 26: find them. If anything goes wrong,
Page 27 and 28: 27.What could be the threats to ena
Page 29 and 30: 29.InternetRadio Frequency Identifi
Page 31 and 32: Common Criteria andNational Cyber S
Page 33 and 34: 33.Case Study: US Government Direct
Page 35 and 36: has caused a US$2.25 million fine t
Page 37 and 38: 37.lewat sampai pada penerima ataup
Page 39 and 40: For instance TM, Malaysia’s large

Contributors - CyberSecurity Malaysia

Create successful ePaper yourself

Delete template?

Save as template?