#sansforensicssummit Day1

I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday.
Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Master's-level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol. 1 by Comer. Actually, one of my worst courses was Forensics, taught by Florian Buchholz. It was in the last semester, and we were checking out mentally (ready to graduate).
It's fun to take a week-long conference on the subject. Hopefully it will stick better than the college course. I do fear that since I won't be doing forensics every day, I'll lose a lot of this knowledge quickly.
A couple of interesting tidbits from today.
1. A single pass is good enough when disk wiping. That would save a lot of time for us if true. The instructor says the idea of wiping 7 times comes from a Gutmann paper in the late '90s. It theorized that an electron microscope could be used to recover data if the disk was wiped fewer times. This is purely theoretical; it has never been done. Forensics people will call it a day if it's been wiped once.
Of course, what is technically correct isn't always what auditors or policy require. Trying to change that is difficult. The instructor says NIST recommends one pass. I've read the document he mentions. Apparently I need to re-read it because I don't recall one pass. I recall a preference for the UCSD Secure Erase, which uses ATA commands to wipe. I recall degaussing or destroying also being preferred. I think for overwrite utilities they were still recommending 6+, but I will have to verify.
2. The second interesting thought had to do with "limited personal use" allowances in corporate policies. Companies don't want to have policies they won't enforce, so they allow limited personal use. I thought the big danger in that was not defining exactly what that meant. According to the instructor, limited personal use is a forensic nightmare and a potential legal liability. The claim is that limited personal use gives the user an expectation of privacy for that personal use. Since it is company policy, it trumps the logon banner that says "no expectation of privacy". Interesting thought, and one I'm going to have to run by legal. They took a year when I asked them to approve the login banner, so I expect to hear back from them around 2015.
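As an added example for the single-pass wiping point above (this is my own illustration, not code from the SANS course or the original post): one pass of random bytes or zeros over a target, followed by a read-back check that no 4 KiB block of the original content survived and, for a fixed pattern, that every byte now holds that pattern. It assumes a POSIX host; `overwrite_single_pass` and `verify_wipe` are hypothetical names, and the "evidence" file is constructed sample data written to a temp directory.

```python
"""Single-pass overwrite of a file or raw block device, with verification.

Added example, not from the SANS course or the original post. Assumes a POSIX
host and that `path` is a regular file or block device opened read/write.
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20   # 1 MiB write size per call
BLOCK = 4096      # granularity for the "did any original block survive" check


def _size_of(fh):
    # os.path.getsize() reports 0 for block devices on Linux; seeking to the
    # end works for both regular files and devices.
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def overwrite_single_pass(path, pattern=None, chunk=CHUNK):
    """Overwrite every byte of `path` in place, exactly once.

    pattern=None writes cryptographically random bytes; pattern=b'\\x00' (or any
    single byte) writes that byte. Returns the number of bytes written.
    """
    if pattern is not None and len(pattern) != 1:
        raise ValueError("pattern must be a single byte or None")
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        size = _size_of(fh)
        while written < size:
            n = min(chunk, size - written)
            fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            written += n
        os.fsync(fh.fileno())  # force the pass out of the page cache to the media
    return written


def block_hashes(data, block=BLOCK):
    """SHA-256 fingerprint of every `block`-sized piece of the original content."""
    return {hashlib.sha256(data[i:i + block]).digest()
            for i in range(0, len(data), block)}


def verify_wipe(path, original_hashes, pattern=None, block=BLOCK):
    """Read the wiped target back and report what survived.

    Returns (original_blocks_remaining, pattern_verified). pattern_verified is
    None for a random pass, since there is no fixed value to compare against.
    """
    remaining = 0
    pattern_ok = pattern is not None
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(block)
            if not buf:
                break
            if hashlib.sha256(buf).digest() in original_hashes:
                remaining += 1
            if pattern is not None and buf != pattern * len(buf):
                pattern_ok = False
    return remaining, (pattern_ok if pattern is not None else None)


def demo(pattern=None):
    """Constructed scenario: write a recognisable file, wipe it once, verify it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "evidence.img")
    try:
        marker = b"CONFIDENTIAL: payroll export, acct 0000-1111-2222-3333\n"
        original = marker * 2000 + secrets.token_bytes(100_000)  # constructed sample data
        with open(path, "wb") as fh:
            fh.write(original)
        fingerprints = block_hashes(original)
        written = overwrite_single_pass(path, pattern)
        remaining, pattern_ok = verify_wipe(path, fingerprints, pattern)
        with open(path, "rb") as fh:
            marker_found = marker in fh.read()
        return {
            "original_size": len(original),
            "bytes_written": written,
            "original_blocks_remaining": remaining,
            "marker_found": marker_found,
            "pattern_verified": pattern_ok,
        }
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("random pass:", demo())
    print("zero pass:  ", demo(pattern=b"\x00"))
```

Two practical caveats. First, the read-back check is the part auditors actually care about: the single-pass claim is only useful if you can show the pass reached the media, so keep the verification output with the wipe record. Second, this technique only covers the bytes the OS lets you address. Overwriting a file through a filesystem does not guarantee the old blocks are gone (journals, copy-on-write filesystems, SSD wear levelling and remapped sectors all keep copies you cannot reach), which is why the ATA Secure Erase the post mentions is preferred for whole drives; for media sanitization, point this at the raw device, not a file.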