Writing a Thumbdrive for Active Disk Antiforensics

ShmooCon IX - 2013

Presented by: Travis Goodspeed
Date: Saturday February 16, 2013
Time: 20:15 - 20:30
Location: Regency A
Track: Fire Talks

We are taught to think of a disk as a well-behaved block device, in which little chunks of data are reliably written and read back. This brief but fast-paced lecture demonstrates what fancy and unexpected things can be done when a neighbor controls a disk’s firmware, violating that assumption of a block device’s good behavior. As a concrete example, I’ll present a prototype of a thumbdrive which can reliably fingerprint the intentions of its host, distinguishing between a legitimate user and a forensics lab. In the case of a forensics lab, the disk wipes itself and switches to an innocent image before anything of importance is read. Code and hardware are both open source as part of the Facedancer and GoodFET projects.
