White Paper on Incident Analysis and Forensics in Docker Environments

In this article, we describe the impact of the increased use of Docker in corporate environments on forensic investigations and incident analysis. Even though Docker is being used more and more (Portworx, Inc., 2017), the implications of the changed runtime environment for forensic processes and tools have barely been considered. We describe the technological basics of Docker and, based on them, outline the differences that occur with respect to digital evidence and previously used methods for evidence acquisition. Specifically, we look at digital evidence within a Docker container which are lost or need to be acquired in different ways compared to a classical virtual machine, and what new traces and opportunities arise from Docker itself.

Continue reading “White Paper on Incident Analysis and Forensics in Docker Environments”

Continue reading

White Paper on Incident Handling First Steps, Preparation Plans, and Process Models

We just published my Whitepaper about First Steps, Preparation Plans, and Process Models for Incident Handling, that I wrote to pass the time between Christmas and New Year. The whitepaper sums up information that I consider to be useful to prepare for IT security incidents as a conclusion from the incidents in which we supported over the past year. Continue reading “White Paper on Incident Handling First Steps, Preparation Plans, and Process Models”

Continue reading

An MLD Testing Methodology

Based on recent research in the ERNW IPv6 lab and with our MLD talk looming we’ve put together a (as we think) comprehensive document discussing how to thoroughly test MLD implementations in various components (network devices or servers/clients). We hope it can contribute to a better understanding of the protocol and that it can serve as either a checklist for your own environment or as a source of inspiration for researchers looking at MLD themselves.

Continue reading “An MLD Testing Methodology”

Continue reading

Evaluation of IPv6 Capabilities of Commercial IPAM Solutions

Originating from a customer IPv6 deployment project, in early 2014 we defined a number of requirements as for the IPv6 capabilities of IPAM solutions, with a certain focus on security-related requirements (due to the specific environment of the project). We subsequently performed a practical evaluation of several commercial solutions, based on documentation, lab implementation and vendor communication.

Continue reading “Evaluation of IPv6 Capabilities of Commercial IPAM Solutions”

Continue reading

Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region

To contribute to the current debate on IPv6 route deaggregation & “strict-filtering” performed by certain ISPs we just released a white paper on “Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region“. I will give a talk on the overall topic later today at the Routing Working Group. We sincerely hope that the IPv6 community becomes aware of the inherent issues, and that practical solutions can be found which consider & meet the needs of the different parties involved.



Continue reading

ERNW Newsletter 42: Dangers of Disabled Pre-Boot Authentication in Corporate Environments

It’s been a long time… we just published an ERNW Newsletter. Here’s the abstract:

In order to protect sensitive data on corporate laptops, most companies are using full disk encryption solutions. While native encryption products like Microsoft Bitlocker, Apple FileVault and open source solutions like TrueCrypt were already heavily scrutinized by security researchers, many popular commercial third party products are to some point still black boxes.

In this paper, we discuss Check Point Full Disk Encryption (FDE) with active “Windows Integrated Logon”. Checkpoint FDE is a software package that is part of Check Point Endpoint Security and offers full disk encryption on Microsoft  Windows and Mac OS X systems. The “Windows Integrated Logon” feature reduces total cost of ownership by disabling pre-boot authentication. Check Point themselves warn about security risk associated with using this feature.

We argue that missing TPM integration and integrity checks make Check Point FDE with activated ”Windows Integrated Logon“ highly insecure against sophisticated attackers. Furthermore, we demonstrate the extraction of AES encryption
keys on a running system and subsequent decryption of the encrypted disk. Our analysis is limited to Check Point FDE v.7.4.9 on Windows operating systems and was performed during a penetration test of an encrypted customer enterprise laptop. Therefore, we concentrate on the client architecture and ignore other aspects like enterprise management interfaces.


The document itself can be found here.

Enjoy reading & Happy Holidays to everybody



Continue reading

VMDK Has Left the Building — Newsletter

We are pleased to announce that we summarized the results from our VMDK research in our latest newsletter.

We hope you enjoy the reading and will get some “food for thought”!

The newsletter can be found at:

A digitally signed version can be found at:

Enjoy your weekend,

Continue reading

Windows Server 2008 R2 BSI-compliance

Recommendations by the German Federal Office for Information Security (BSI – Bundesamt für Sicherheit in der Informationstechnik) are obligatory for German government agencies, civil services and authorities (like recommendations of the NIST are relevant to American government agencies and authorities). They are often used as references and security best practices in other countries as well. Hence it is hard to understand why the recommendations on how to harden Windows Server 2008 based systems were published only some weeks ago and only on a preliminary draft basis (which is, obviously, better than nothing ;-)).

We at ERNW, however, did an overall baseline security approach of Windows Server 2008 R2 and Active Directory for a large German authority last year. The aim was to fullfil the requirements of the German Federal Office for Information Security without having precise technical guidelines by the BSI itself (from our side we do have guidelines of course ;-)). The hardened Windows Server 2008 R2 environment was then approved at the end of 2011 by the German BSI. Now we published the results of our overall approach in our latest newsletter [German language].

Enjoy reading!
Friedwart Kuhn

PS: There’s also a digitally signed version of the newsletter. (Because it is signed with a qualified certificate, the validation requires an appropriate validation software, for example SecSigner from SecCommerce – which is free software).

Continue reading

Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices

On Friday we released our latest technical newsletter with the fancy title “Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices”. It is the result of a field study on decommissioned mobile business devices bought on eBay and about how stored data may be extracted in different ways.

As always we love to share plenty of practical advise: At the end of the newsletter you will find the mitigating controls to securely handle mobile devices at the end of their life cycle process.

Find the newsletter here.
And a digitally signed version here.

Special thanks go to Sergej Schmidt for performing the field study.

Talking about our great team: Meet the whole ERNW crew at TROOPERS12, or even better: Dig deeper into mobile security together with Rene Graf during the mobile security workshop. There are a few slots left.

Enjoy the newsletter & hopefully see you soon in Heidelberg!

Continue reading