Information Security News
In my postForensicating Docker, Part 1back in March (yes, I promise a Part 2 in the next couple of months, the $dayjob has slowed that down a bit), I talked a little about the AUFS layered filesystem that was used by the docker install on the system I was investigating. While I was forensicating the case I talked about in that diary, I wanted to see what the container filesystem looked like from my SIFT VM so I wrote a script to do the mounting the same way docker does (except for forensic purposes the mount is read-only). The script can be foundhere. Unfortunately, docker can use multiple storage drivers. So far, Ive adapted the script to handle two/threeof them, AUFS and Overlay/Overlay2. AUFS is the default on (older?) versions of Ubuntu, but AUFS isnt included by default in RedHat (or derivates), you would have to compile your own kernel. Overlay2 is included in newer kernels (pretty much anything after 3.18), so I suspect it may become the default at some point in the future.These are the storage drivers that handle so called Union filesystems to handle the layering. The btrfs, zfs, and devicemapper storage drivers are all block-level rather than file-level storage drivers. In effect, they require separate devices/partitions/loop-mounted files taking advantage of filesystem features such as snapshots in the underlying filesystem drivers to handle the layering. While I think I can get btrfs into the script, I havent looked at zfs and Ive had difficutly with devicemapper, so Imay not be able to get all of these. See  and " />
Having gone through all of that, for the purpose of forensication, it is important to remember that changes made within a container will all be captured in the top layer of these layered or union filesystems. To find that top layer (for docker " />
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Unconfirmed evidence builds a strong case that an Apple iCloud account belonging to Hillary Clinton's campaign chief, John Podesta, was accessed and possibly erased by hackers less than 12 hours after his password was published on WikiLeaks.
So far, Clinton campaign officials have confirmed only the compromise of Podesta's Twitter account after it was used to urge followers to vote for Republican nominee Donald Trump. Several screenshots circulating online, however, strongly suggest that the iCloud account tied to Podesta's iPhone was also illegally accessed by people who tried—and possibly succeeded—to wipe the device of all its data. The images raise the specter that no one inside the Clinton campaign locked down the Podesta iCloud account in the hours following the WikiLeaks dump. iCloud accounts often provide a wealth of sensitive information, including real-time whereabouts, contacts, and confidential messages. Clinton officials didn't respond to an e-mail seeking comment for this post.
The screenshots began appearing on Wednesday night, less than 12 hours after a new batch of Podesta e-mails published on WikiLeaks revealed that his iCloud password was "Runner4567." Researchers can't be certain how the iCloud and Twitter accounts were compromised, but several descriptions, such as this one of now-deleted threads on the 4chan discussion board, claim participants who saw the WikiLeaks post discovered that "Runner4567" remained a working password and used it to illegally access Podesta's iCloud account.