[SGVLUG] capture a live computer

Tue Jul 22 09:32:57 PDT 2008

It all boils down to your level of paranoia and the value of the data on
the workstation.  When watching the first video and he said "in a moment
I'll show you how to deal with a computer plugged directly into the
wall", I thought the solution would be the vampire tap [pierced power
cable], so I was a little surprised at the solution.

It does have some pitfalls, however -- all it would take is a 1/4" wide
strip of [clear] tape around the base of the plug prongs (i.e., where
the clamp would make contact...)  If you're more paranoid than that, a
normally-open pushbutton on the bottom of the case itself would do the
trick -- picking up the case would open the circuit, and... [actually,
the motherboard's bios may help here -- there are some that support a
"case entry detection" switch, i.e., where somone has opened the case
itself, which can initiate a shutdown]

If you have a reliable (?) GPS signal within the building, a usb
receiver inside the case and a little routine to shut the computer down
if the location changes by more than a certain amount (say maybe 1/4
mile) -- you need this as the GPS system may have some built-in "jitter"
[military paranoia...] so "standing still" the location will still
fluctuate by 50-100 feet or more

Except for the last, all of these ideas I have are "once-funny's" --
once an investigator trips the shutdown mechanism, it doesn't take much
effort to figure out how to re-counter it on the next box -- the vampire
tap will counter everything from the isolated-outlet power strip through
a foreign plug/wall-wart/taped prong trap.  For a case switch, a stiff
piece of cardboard should do it [back of a pad of paper...]

But then, you need go back to my first statement -- "...level of
paranoia... Data ON THE WORKSTATION" -- if networked, and the data is on
remote drives, you raise the possibility that they'll seize/steal every
workstation but not be able to access the server itself.

[oh, and do they have a counter-technique for detecting you've unplugged
the network cable?]

> -----Original Message-----
> From: sgvlug-bounces at sgvlug.net 
> [mailto:sgvlug-bounces at sgvlug.net] On Behalf Of matti
> Sent: Monday, July 21, 2008 5:09 PM
> To: SGVLUG Discussion List.
> Subject: Re: [SGVLUG] capture a live computer
> 
> 
> 
> Hi,
> 
> > Yup, they were one step ahead each time.   Did you see the
> > other video
> > on the site about removing a wall outlet?
> 
> it's clever yet simple enough for your enforcement
> to use in the field. (i.e. NO real computer
> skills are required at this point, so even
> your meat head enforcers can use this. )
> 
> hmmm.. besides toms counter ( proximity login token + 
> password/log out on walk away) another counter could 
> be to force a lock down on the computer 
> whenever a storage device is attached or 
> the HD accessed for mass copying/backup.
> (i.e. demand a password on attaching an storage
> device)
> 
> perhaps some tricks with the USB device driver,
> forcing a password entry upon USB attachments,
> ( mouse, keyboard, storage.. )
> and a failed password results in a lockup.
> (i.e. all USB connections require a password)
> 
> best
> matti
> 
> 
> 
>       
> 