My old laptop - an IBM Thinkpad T20 - is broken. May it rest in peace. Now I acquired an IBM Thinkpad R50e, which works perfectly well under FreeBSD. The following text shall guide you through the installation of the wireless networking card. I am assuming that you are using WPA in your W-LAN.

First of all, you need to install the iwi-firmware-kmod-port. It's located in net. Once the installation has finished, add the following lines to /boot/loader.conf:

iwi_bss_load="YES"
if_iwi_load="YES"

If your W-LAN does not broadcast its SSID, you should enable the broadcast. Since the iwi device has problems connecting to these "hidden" networks, there is no other option available.

In order to use WPA encryption, you need the wpa_supplicant. This program handles the authentication process (it's in the base system since 6.0, as far as I know). Edit the following file to suit your settings and save it as /etc/wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
fast_reauth=1

network={
    ssid="YourNet"
    proto=WPA
    key_mgmt=WPA-PSK
    psk="YourPassword"
    priority=1
}

This means you are going to use WPA along with a pre-shared key. There are other options available; read man wpa_supplicant.conf if you want to know more.
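The configuration above keeps the passphrase in clear text in /etc/wpa_supplicant.conf. As an added example (not part of the original post), the Python code below derives the 256-bit key that WPA-PSK actually uses (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds) and writes the network block with owner-only permissions; the function names and any output path are assumptions made for illustration.

```python
# Added example: build a wpa_supplicant network block with a derived PSK.
import hashlib
import os


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if any(c in ssid for c in '"\n'):
        raise ValueError("SSID would break the quoted config value")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def network_block(ssid: str, passphrase: str) -> str:
    # psk is written unquoted: wpa_supplicant reads 64 hex digits as the raw key,
    # while a quoted value is treated as the passphrase.
    return (
        "network={\n"
        f'    ssid="{ssid}"\n'
        "    proto=WPA\n"
        "    key_mgmt=WPA-PSK\n"
        f"    psk={derive_psk(ssid, passphrase)}\n"
        "    priority=1\n"
        "}\n"
    )


def write_conf(path: str, text: str) -> int:
    """Write the file readable by its owner only; return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # enforce even if the file already existed
        fh.write(text)
    return os.stat(path).st_mode & 0o777
```

The derived key still grants access to that one network, so the file permissions matter either way; what the derivation avoids is leaving a reusable passphrase on disk.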

To establish the connection, wpa_supplicant has to be called. After the authentication process is finished, you should be able to assign an IP address to your interface:

wpa_supplicant -iiwi0 -c/etc/wpa_supplicant.conf -B

The -B option lets the program run as a background process. The IP address assignment and the authentication could be placed in a script if you want to do everything automatically.

Posted Sunday evening, October 8th, 2006

Recently, I felt the urge to try out some data recovery tools I might need in the future. Fortunately, there was a CompactFlash card shipped with something I bought on eBay. This would be a safe starting point. I took an image of the card:

dd if=/dev/da0 of=~/tmp/card.img bs=8k

As a first test I decided to let Scalpel take a look at the image. The only configuration one needs is found in scalpel.conf. Here you may enter the file types / data types you are looking for. I was looking for common file types such as .DOC, .PDF etc.

Since the card image was only about 32MB, Scalpel finished quite quickly and I could take a look at the booty. It was quite startling: Without any sophisticated tools I was able to recover Microsoft Word documents containing job applications, Microsoft Excel spreadsheets (Scalpel detected them as Word documents, though) containing working hours and payrolls and some internal memos. Apparently, the card had once belonged to a boss of a German enterprise. These guys are doing database applications and (quote) "complex, highly dynamical applications" - without getting into more detail.

Well, let's say that security is not what they are very strong at. Just one side note: I won't write the enterprise's name down on this blog. If anyone feels compelled to know it, just contact me. I know that my discovery is not that exciting, but it frightens me when I think about companies "releasing" private information like this through obvious security leaks...

To compare my results, I ran "GetDataBack for FAT" (a program Sven recommended), which was able to recover the same data. Since this software is very easy to use, every Windows-using newbie might recover sensitive data from media such as CF cards, hard disks etc.

This is part one of my data recovery adventures. As soon as I have got time, I am going to try out the Sleuth Kit along with Lazarus or Autopsy.

Posted Sunday evening, October 15th, 2006

Let's continue the analysis of the CF card. I installed the Sleuth Kit to gather more information from the image. The first step was to look for things like passwords and/or login data. dls (a utility from the Sleuth Kit) is just the right tool for this job:

dls -o 32 -f fat CF.img > CF.dls.img
strings -t d CF.dls.img > CF.str

Now I could grep the unallocated space of the image. Unfortunately, this did not yield any interesting results except the things I already knew. Using sigfind it is possible to manually look for file signatures (as well as file system signatures), but I recommend a file carver for that job. Of course I tried it nevertheless and was actually able to recover some .JPEGs, but - alas! - nothing new was to be discovered.

This is when I decided to use Foremost, another file carving utility:

foremost -t all CF.img -o output/

Using Foremost didn't provide me with any false positives. It found even more files than Scalpel but this is due to the fact that I did not add anything in Scalpel's configuration file. The results:

  • 13 Excel spreadsheets, including financial data.
  • 8 PDFs, including application letters.
  • 18 PNGs. Screenshots of their products (apparently for demo purposes).
  • 24 Word documents, including letters to customers.
  • 9 JPGs. Corporate design stuff.
  • 2 PowerPoint slideshows, dealing with internal stuff such as "How can we become better?"
  • Some executables for PocketPC devices. Apparently games.

I found some Excel tables in the unallocated disk space. They seem to be PocketExcel files and contain the grades of several persons. Apparently one of the CF card's users was a school-teacher. However, since I am not able to open these files, I can't be sure. Actually I wanted to try out Autopsy and Lazarus. But Autopsy is just a front-end for the Sleuth Kit, so I didn't need it. Lazarus comes with the Coroner's Toolkit (TCT), but Foremost had the functionality I needed, too. However, they might be worth a look.

To sum it all up: It was very creepy. If you are one of the humans on this planet that doesn't encrypt sensitive information...well...you should do it from now on.
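Carvers such as Scalpel and Foremost locate files by their header signatures, which stay on the medium after files are deleted; the same scan can be turned around to check an image of a card before it is passed on. The Python code below is an added example, not part of the original post: the signature table, the function names and the constructed sample image are assumptions made for illustration.

```python
import io

SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    # Legacy Word, Excel and PowerPoint files all start with this OLE2 header,
    # which is why a carver can label a spreadsheet as a Word document.
    "ole2-office": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}


def scan_image(stream, chunk_size=8192):
    """Return {type: [absolute offsets]} for every signature found in the stream."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    hits = {name: [] for name in SIGNATURES}
    tail, base = b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk  # keep a few bytes so hits across chunk borders are seen
        for name, sig in SIGNATURES.items():
            pos = buf.find(sig)
            while pos != -1:
                off = base + pos
                if not hits[name] or hits[name][-1] < off:  # skip re-found hits
                    hits[name].append(off)
                pos = buf.find(sig, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return {name: offs for name, offs in hits.items() if offs}


def is_sanitized(stream):
    """True when no known file signature remains anywhere in the image."""
    return not scan_image(stream)


def constructed_card(wiped):
    """Constructed 64 KiB sample image: zero-filled, or with leftover file headers."""
    img = bytearray(64 * 1024)
    if not wiped:
        img[8190:8193] = SIGNATURES["jpeg"]  # straddles the first chunk boundary
        img[20000:20008] = SIGNATURES["ole2-office"]
        img[40000:40005] = SIGNATURES["pdf"]
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    print(scan_image(constructed_card(wiped=False)))
    print(is_sanitized(constructed_card(wiped=True)))
```

A clean result only covers the signatures in the table; text such as the strings output above has no header to find, so overwriting the whole device remains the actual fix.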

Posted Saturday evening, October 21st, 2006