Computer Forensic Tools

A $995 tool can steal your Mac's passwords in minutes

Ready to start feeling a bit nervous about your computer's security? No? Too bad, because there is now a handy-dandy $995 tool which can steal your Mac's passwords in minutes — even if the computer is locked, sleeping, or encrypted.

The tool — an app which can run from a USB stick — is called Passware and is intended to be used as a legitimate forensic solution, but can be purchased by anyone with a thousand bucks to spare .

The reason Passware can steal passwords from a locked, sleeping, or encrypted Mac is thanks to a security flaw which — based on an Ars Technica story  — has existed for at least three years:

But wait! That says that passwords can't be accessed via software! So how is an app stealing them? By tricking a computer into dumping the contents of its RAM onto another device via FireWire. Previously this process required a great deal of technical skill and time, but thanks to the Passware kit, things got a lot easier.

Basically, Passware can cajole your computer into revealing all its secrets — including login passwords and the contents of its Keychain App — in mere minutes. All someone needs to do is plug in the USB stick with the app, tap through a few menus, plug in a FireWire cable, and catch the magic happen. It doesn't even matter if you've encrypted your data using Apple's FileVault app or another tool such as TrueCrypt. The vulnerability still exists.

So what can you do to protect yourself? Plenty, actually. According to the makers of the sneaky forensic tool, you just have to modify a habit and tweak a setting:

If someone is robbing your home while you are in it, you have bigger problems than your mac's security. On the other hand, if someone steals the mac while you are away from your home, then takes it to a hacker, this scenario might apply. I have my mac password protected and my data encrypted for this situation, but I'm not sure that this is enough.

I have a question--I have a mac, I have my profile passworded so that every time the computer goes to sleep you need a password to get back into my profile. So, if I turn the computer off at the end of the day, and the thief turns the computer back on, how does that stop him/her from getting the password? Does the RAM clear when the computer shuts down?

What I am doing now is logging out and and just closing the lid, sending the computer to sleep. When I want to log back in, I lift the screen and I see the login screen.

Computer Forensics Tools

Normally, your personal computer forensic investigator uses an instrument as a way to gather data from a system (e.g. a pc or computer network) without altering the info on that system. This part of a study, the care come to avoid altering the initial data, is a fundamental principle of computer forensic examination and several with the tools available include functionality created specifically to uphold this principle. In reality it is not always easy to collect data without altering the system in some way (including the act of shutting a computer down as a way to transport it will almost certainly cause changes for the data on that system) but a skilled investigator will usually endeavor to protect the integrity with the original data whenever feasible. To get your house this, many computer forensic examinations involve the making of a definite copy of all the so-called data on a disk. This copy is named a picture and also the means of making a photo is normally termed as imaging. It is this image that’s the subject of subsequent examination.

Another key concept is the fact deleted data, or parts thereof, could be recoverable. Generally speaking, when information is deleted it’s not physically wiped from your system but alternatively merely a mention of the positioning of the data (over a hard drive or some other medium) is taken off. Thus the information should show up though the os from the computer will no longer “knows” regarding it. By imaging and examining each of the data on a disk, in lieu of just the parts known to the os, it might be possible to get better data that has been accidentally or purposefully deleted.

Although most real-world tools are made to conduct a unique task (the hammer to hammer nails, the screwdriver to change a screw, etc.) some tools can now be multi-functional. Similarly some computer forensic tools are created with just one purpose in mind whereas others may provide a whole range of functionality. The unique nature of any investigation determines which tool on the investigator’s toolkit is easily the most right for the job on hand.

Along with differing in functionality and complexity, computer forensic tools also differ in price. A number of the market-leading commercial products cost lots of money while other tools are completely free. Again, the character in the forensic examination and the goal in the investigation will determine the best tools to be played with.

Computer forensics for dummies

Handbook of computer crime investigation, forensic tools and technology

Computer forensics, computer crime scene investigation

Computer Forensics JumpStart

EnCase computer forensics, the official EnCE : EnCase certified examiner study guide