Drive forensics of decrypted BitLocker drive

If a drive was previously encrypted with BitLocker, but decrypted before it could be imaged, would previously deleted files be recoverable? In other words, as part of the decryption process, does BitLocker read the data in free-space (including deleted files) and decrypt/re-write to disk that data? My intuition says no and that any deleted files would either be still encrypted on disk OR be overwritten by the encrypted files being written back to disk as part of the decryption process.

Touch here for the full post on Network Security Noblemen tumblr

Why am I getting an “ncat: connection refused” error?

for my class I am working with 2 VMs within the same virtual lab. I have pinged them from one another and there is no packet loss or errors. However, when I attempt to "Create the forensic evidence file image by running:

sudo dd bs=16M if=/dev/xvda|bzip2 -c|nc 19000 

Where the IP address is the first value when running:


I am getting the following error:

ncat: connection refused 

Prior to running the initial command, I have set up a ncat listener on the other VM using:

sudo nc -l 19000|bzip2 -d|dd bs=16M of=/dev/xvdb 

I have tried changing the IP address from the inet in the eth0 line to the broadcast address, tried over multiple browsers, and physical locations with different networks. What can I do to fix this issue?

Thank you in advance.

Touch here for the full post on Network Security Noblemen tumblr

Where would you go to find out about the intersection of national security and cybersecurity.

It seems that while national security and cybersecurity are both very popular topics, the discussion of the intersection between the two per se rarely get discussed. I don't mean to imply that neither national security nor cybersecurity don't talk about one another, but writing about each doesn't seem to address the others concerns directly.

For example, India and China had a dust-up in the Galway Valley, and then India banned several Chinese apps. Does that make sense as a national security issue alone, or would the ban have happened without the Galwan Valley incident? Did the later reveals that there were many weaknesses in Indian TikTok clones have anything to do with Chinese hacking, or was it just bad luck for the Indian apps?

Any recommendations are appreciated.

Touch here for the full post on Network Security Noblemen tumblr

Is my procedure correct for remembering passwords?

New to this sub, let me know if there's a better place to post this.

  • User signs up with username and password

  • Password is hashed and salted with php's password functions and stored in a database

  • When user logs in, I use php's password_verify to check if what they typed in matches the database

If they check the remember password box:

  • Create a randomly generated token

  • Hash and salt the token and store it in the database in that user's row

  • Also store their IP address and the time at which the token was created

  • Store the unencrypted token in cookies

When they log in, if a token is stored in cookies:

  • Use password_verify to check the token matches the database

  • Check if their IP matches the database

  • Checks if the current date and time is within 14 days of the token creation date

Is this a good system or is it flawed? I'm somewhat new to this. I'm trying to make a website in PHP that has a login system. I want to make sure they stay logged in for 14 days.

Thank you very much for the help

Touch here for the full post on Network Security Noblemen tumblr

Suggestions for best US-based zeroday broker?

I'm looking for a reputable US-based zeroday broker. Does anyone have any suggestions or good experiences? Is ZDI worth it for high value exploits if you'd rather not wait 7 months for pwn2own? Also feel free to PM me if you don't want to discuss this openly, just interested in what everyone has to say.

Note: Zerodium excluded. In my experience, they've been quite shady.

Touch here for the full post on Network Security Noblemen tumblr

question about answer in /hacking thread about url dorking and payload

in this generally good and informative thread from 5 years ago it is claimed that:

BUT – if there's a 'download' link which is disabled until after you pay, and you edit it to make it 'enabled', that download link is giving you access to a different file. If you access it, you're breaking the law.

I dont know if this is true. I'm not a lawyer.

My objection is that, if a company provided a generic download link like to a paying customer, and that link was shared with a third party, how could it be possible to charge the third party with computer acts when they literally visited a publicly website link?

And in general, are there publicly accessible urls that would be strictly illegal to even access?

Lastly does all of the above also apply to post/ etc reqeusts and payload hacking? If the website i visit sends down req A to itself, and i modify the request, to say change the query from "foo" to "bar", is this strictly speaking a computer acts violation?

are we saying that the "edit and resend" button in dev console is basically a loaded gun?

I really dont know what the difference is legally between changing "foo" to "bar", vs "foo" to "\INJECTION". If they are relying on js to escape the string they havent posted yet, are they somehow "legally" protected? can I trollishly honeypot myself and sue people frivously?

Is this still a debate or these questions been fully settled?

Thanks to any lawyers who can weigh in

Touch here for the full post on Network Security Noblemen tumblr

Why aren’t passwords also hashed on the client side during authentication?

I've never understood why passwords are not hashed on the client-side for various authentication protocols that I've researched like SSH and various web authentication. From my understanding, it loosely works like this:

  1. Client establishes an encrypted connection with the server (hopefully)

  2. Client sends the username and plaintext password within the encrypted channel

  3. Server hashes the plaintext password and checks it against the hash in the database

To me this seems like it's relying entirely on the encrypted connection to secure the password in transit. With MITM attacks and state actors recording traffic + researching QC that is supposed to break these types of encryption, that seems worrisome. Knowing user behavior, an intercepted plaintext password can likely be used on many sites. It can also help determine the user's password scheme (hunter1, hunter2, hunter3, etc) so that when they increment their password you can still get in. Why does auth not work like this instead:

  1. Client establishes an encrypted connection with the server (hopefully)

  2. Client and Server agree upon a type of hash and possible a salt scheme, similarly to how they can agree upon various types of encryption in SSH

  3. Client sends the username and hashed password (Hash1) within the encrypted channel

  4. Server hashes Hash1 again however they like into Hash2, and then compares Hash2 with the hashes in their database

This prevents intercepted passwords from being used elsewhere and rehashing on the server side prevents a hash stolen from the database from being used in a PTH attack.

Why is authentication built the way it is? To be very clear, I'm not suggesting ditching any existing security measures like SSL or server side hashing, just adding this additional one

Touch here for the full post on Network Security Noblemen tumblr