[SGVLUG] capture a live computer
Emerson, Tom (*IC)
Tom.Emerson at wbconsultant.com
Tue Jul 22 09:32:57 PDT 2008
It all boils down to your level of paranoia and the value of the data on
the workstation. When watching the first video and he said "in a moment
I'll show you how to deal with a computer plugged directly into the
wall", I thought the solution would be the vampire tap [pierced power
cable], so I was a little surprised at the solution.
It does have some pitfalls, however -- all it would take is a 1/4" wide
strip of [clear] tape around the base of the plug prongs (i.e., where
the clamp would make contact...) If you're more paranoid than that, a
normally-open pushbutton on the bottom of the case itself would do the
trick -- picking up the case would open the circuit, and... [actually,
the motherboard's bios may help here -- there are some that support a
"case entry detection" switch, i.e., where someone has opened the case
itself, which can initiate a shutdown]
If you have a reliable (?) GPS signal within the building, a usb
receiver inside the case and a little routine to shut the computer down
if the location changes by more than a certain amount (say maybe 1/4
mile) -- you need this as the GPS system may have some built-in "jitter"
[military paranoia...] so "standing still" the location will still
fluctuate by 50-100 feet or more
Except for the last, all of these ideas I have are "once-funny's" --
once an investigator trips the shutdown mechanism, it doesn't take much
effort to figure out how to re-counter it on the next box -- the vampire
tap will counter everything from the isolated-outlet power strip through
a foreign plug/wall-wart/taped prong trap. For a case switch, a stiff
piece of cardboard should do it [back of a pad of paper...]
But then, you need to go back to my first statement -- "...level of
paranoia... Data ON THE WORKSTATION" -- if networked, and the data is on
remote drives, you raise the possibility that they'll seize/steal every
workstation but not be able to access the server itself.
[oh, and do they have a counter-technique for detecting you've unplugged
the network cable?]
> -----Original Message-----
> From: sgvlug-bounces at sgvlug.net
> [mailto:sgvlug-bounces at sgvlug.net] On Behalf Of matti
> Sent: Monday, July 21, 2008 5:09 PM
> To: SGVLUG Discussion List.
> Subject: Re: [SGVLUG] capture a live computer
>
>
>
> Hi,
>
> > Yup, they were one step ahead each time. Did you see the
> > other video
> > on the site about removing a wall outlet?
>
> it's clever yet simple enough for your enforcement
> to use in the field. (i.e. NO real computer
> skills are required at this point, so even
> your meat head enforcers can use this. )
>
> hmmm.. besides Tom's counter ( proximity login token +
> password/log out on walk away) another counter could
> be to force a lock down on the computer
> whenever a storage device is attached or
> the HD accessed for mass copying/backup.
> (i.e. demand a password on attaching a storage
> device)
>
> perhaps some tricks with the USB device driver,
> forcing a password entry upon USB attachments,
> ( mouse, keyboard, storage.. )
> and a failed password results in a lockup.
> (i.e. all USB connections require a password)
>
> best
> matti
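The "little routine" Tom sketches for the GPS idea, written out as an added example that is not from this thread: it keeps a home position, averages the last few fixes so the 50-100 ft of stationary jitter cannot fire the trigger on its own, and only reports a move once the smoothed position is more than the 1/4-mile threshold from home. The home coordinates and fixes are constructed sample values; the fix source and what you do on a trip (screen lock, shutdown) are left to the caller.

```python
import math

QUARTER_MILE_M = 402.3   # the 1/4-mile threshold from the post, in metres
EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class GeofenceMonitor:
    """Decides whether a stream of GPS fixes means the box has actually moved.

    A single fix is never trusted: the last `window` fixes are averaged and the
    trigger fires only when that average is farther than `threshold_m` from home.
    Until the window is full no decision is made, so one wild reading right after
    boot cannot fire it either.
    """

    def __init__(self, home_lat, home_lon, threshold_m=QUARTER_MILE_M, window=5):
        self.home = (home_lat, home_lon)
        self.threshold_m = threshold_m
        self.window = window
        self.recent = []

    def update(self, lat, lon):
        """Feed one fix; return True once the smoothed position is outside the fence."""
        self.recent.append((lat, lon))
        if len(self.recent) > self.window:
            self.recent.pop(0)
        if len(self.recent) < self.window:
            return False          # not enough fixes yet to average away jitter
        avg_lat = sum(p[0] for p in self.recent) / len(self.recent)
        avg_lon = sum(p[1] for p in self.recent) / len(self.recent)
        return haversine_m(self.home[0], self.home[1], avg_lat, avg_lon) > self.threshold_m


def run_fixes(monitor, fixes):
    """Apply a list of (lat, lon) fixes and return the per-fix trip decisions."""
    return [monitor.update(lat, lon) for lat, lon in fixes]


if __name__ == "__main__":
    # Constructed sample: ~20 m of wobble around home, then a move of ~1.1 km north.
    home = (34.1478, -118.1445)
    jitter = [(home[0] + d, home[1]) for d in (0.0001, -0.0002, 0.0003, -0.0001, 0.0002)]
    moved = [(home[0] + 0.01, home[1])] * 5
    print(run_fixes(GeofenceMonitor(*home), jitter + moved))
```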