
PRACTICAL PROTECTION

IT SECURITY MAGAZINE

Forensics

Dear Readers,
This issue is devoted to forensics. To follow up the last issue, in which we discussed ID thefts, we decided to focus on forensics. There are several interesting articles: Mobile Digital Forensics by Rebecca Wynn, Are we ready for Digital Evidence? by Rich Hoggan, Forensic Improvisation by Israel Torres, Best Practices in InfoSec Forensics by Gary Miliefsky and much more. Hopefully, you will find this information interesting and useful. Enjoy your reading!
Karolina Lesińska

team
Editor in Chief: Ewa Dudzic ewa.dudzic@software.com.pl
Managing Editor: Karolina Lesińska karolina.lesinska@hakin9.org
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn, Steve Lape, Shyaam Sundhar, Donald Iverson, Michael Munt
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
Top Betatesters: Rebecca Wynn, Bob Folden, Shayne Cardwell, Simon Carollo, Graham Hili.
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca andrzej.kuca@hakin9.org
Marketing Director: Karolina Lesińska karolina.lesinska@hakin9.org
Subscription: en@hakin9.org
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by The editors use automatic system Mathematical formulas created by Design Science MathType

06 Basic Forensics Analysis
by Marc-Andre Meloche
Digital Forensics is mostly like the movies: the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes. New crime vectors now mostly involve the use of computers. It is important now to include computers as a main possible tool for suspects.

12 Mobile Digital Forensics: Cover Your ASSets (CYA)
by Rebecca Wynn
Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, or taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. It is broken up into sections so the reader can easily review the sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use. Use this article as your starting point.

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

20 To Get Round To The Heart Of Fortress
by Yury Chemerkin
Cybercrime is becoming a growing threat to society. Thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

38 Are We Ready For Digital Evidence?
by Rich Hoggan
Are we ready for digital evidence? It's a question that we need to ask more often, as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis. Similarly, we still live in a world where we think the computer and what we do on it, or any digital device for that matter, is irrelevant to something like a criminal case. Yet, that said, an example of such a case has come about: the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but one where a computer's average use, such as searching the internet and uploading to social networking, is seen as being malicious.

42 Forensic Improvisation
by Israel Torres
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset. Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines).

46 Ask The Social-Engineer: Neuro-Linguistic Hacking: The New Age of Social Engineering
by Christopher Hadnagy
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history until today, social engineering has been used. The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.

50 Best Practices in InfoSec Forensics: Proactively preparing for and executing network forensic analysis
by Gary S. Miliefsky
This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics. To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences.


FORENSICS

Basic Forensics Analysis


Digital Forensics is mostly like the movies: the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes.
What you will learn
You will be able to perform basic forensics manipulation on computers with the common open-source forensics tools. (We will not talk about the incident management process; this is a technical how-to.)
You will be able to create bit-copy images of hard drives or other media for forensics analysis.
You will be able to navigate and understand how Autopsy works. This is a powerful tool that will help you obtain the information you need to build forensics cases.

What you should know

Basic understanding of drive locations in Linux and mount points.
Ability to navigate inside a Linux file system and to install software.
A very meticulous mindset for detail while performing the evidence search; sometimes small details can be missed.

New crime vectors now mostly involve the use of computers. It is important now to include computers as a main possible tool for suspects. Let me present the scenario. You work in the financial sector, and one of the employees has been transferring credit card information to his computer at home. As a security analyst you will have to gather evidence to find out who this employee was and how he transferred the credit card data.

Figure 1. Write blocker from Tableau (http://www.tableau.com/index.php?pageid=products&category=forensic_bridges)

Figure 2. Basic IDE/SATA USB converter from Vantec (http://www.vantecusa.com/)
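The bit-copy imaging step the article teaches, as an added shell example that is not part of the original article: a constructed sample file stands in for the drive behind the write blocker, dd produces the raw image, and source and image hashes are compared and logged. Function names are hypothetical; sha256sum (or shasum) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): raw imaging of a "device" with dd and
# verification that the image is a bit-for-bit copy. In a real acquisition the
# source is /dev/sdX attached through a write blocker; here a constructed file
# stands in for it so the script runs offline.

# Hash a file with whatever SHA-256 tool is available (coreutils or Perl shasum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed evidence: 64 sectors of 512 random bytes. The size is a multiple
# of the dd block size used below, so conv=sync adds no trailing padding.
make_sample_evidence() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}

# Raw image of $1 into $2. conv=noerror keeps reading past unreadable sectors;
# conv=sync zero-fills them so later offsets in the image still line up with
# the source. bs must divide the device size, or the last block gets padded
# and the hashes will no longer match.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Compare source and image hashes and append both to a custody log ($2.sha256).
# Returns 0 on a match, 1 on any mismatch (bad read, padding, later tampering).
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" >> "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}
```

Run the verification a second time after analysis: any change to the image file, even a single appended byte, makes verify_image fail, which is the check a court will ask about.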


Mobile Digital Forensics


Cover Your ASSets (CYA)
You and only you are responsible for Covering Your ASSets. No one else will do it for you. Rebecca Wynn
What you will learn
What information can be obtained from a cell phone
MOBILedit! Forensic Software
How to Cover Your ASSets (CYA)
Security Checklists

What you should know


Basic cell phone skills

Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, or taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. It is broken up into sections so the reader can easily review the sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use. Use this article as your starting point.

Cell Phone: What Information Can Be Obtained?

Contacts:
Name fields: first, middle, last, nickname, prefix, suffix, joint name
Photo and personal ringing tone
Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
Postal addresses
Web pages and e-mail addresses
Company, department, job title
Text notes
Private info: birthday, spouse, children
Custom field labels
Multiple fields of the same type
Last modification date & time

Event Logs:
Incoming, outgoing, missed calls history
Sent & received messages history
GPRS & Wi-Fi sessions log

Caller Groups: List of caller groups & belonging contacts

Speed Dials: List of assigned speed dials

General Packet Radio Service (GPRS) was the first data service for GSM cellular carriers. GPRS added a packet capability to GSM, which uses dedicated, circuit-switched channels for voice conversations. Global System for Mobile Communications (GSM), originally Groupe Spécial Mobile, is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe technologies for second generation (or 2G) digital cellular networks. Wi-Fi is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards.


To Get Round
To The Heart Of Fortress
Cybercrime is becoming a growing threat to society. Thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.
What you will learn
General forensic classification
Classic and non-classic mobile forensics

What you should know


Basic knowledge about forensics

The current century can be described as the application of digital technology to enhance traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other ways of life has improved the efficiency of these entities. On the other hand, computers as a criminal tool have enhanced criminals' own activity. In particular, the surge of technical adeptness in the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone caught. These crimes are, for the most part, classic crimes. To catch criminals involved in digital crime, investigators must employ consistent and well-defined forensic procedures wherever possible. Anyone writing off the insider threat as a low-cost risk ought to realize the seriousness of the problem. Threats of this kind range from the malicious employee who has (or must have) the technical expertise to implant malware (a logic bomb) in a critical system, to the careless user. A malicious insider is an employee (current or former), contractor or business partner who had, has or will have authorized access to an organization's network, system or data and uses it in a manner that negatively affects confidentiality, integrity or availability. Ordinary employees also represent a significant insider threat vector. Their inadvertent actions can occur because individuals have accumulated more privileges than they need for their current job functions, or because individuals may just be careless about the usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user.

The common security vulnerabilities that increase the risk of insider threats are:
Inadequate auditing and analytics: the sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, but today's highly distributed and complex IT environments generate massive volumes of logging data, and that volume is very difficult to manage.
Reactive rather than predictive approaches: most current approaches to addressing insider threats are reactive, not predictive. This helps immensely in forensic investigations, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that provide more analytic and predictive capabilities which, if not able to prevent insider attacks, may still identify at-risk insiders, so that more detailed logging can be implemented for those individuals in response.
A delicate balance of risk versus productivity: IT managers need to balance the risk of granting employees additional access against the lost productivity that would result if access were not granted to certain users. Many organizations also

push technology adds a unique dimension to forensic examination. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a mobile device spends with its owner, the greater the chance that it will accurately reflect and tell a story about that person. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time, potentially overwriting previously deleted data. Without warning, applications such as the email client, instant messaging, wireless calendar and any number of third-party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. Note that completely powering off the RIM will wipe data from the SRAM: logs stored there, which may be of interest, will not survive a full power-down. If the RIM is password protected, get the password. The password itself is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection; a direct-to-hardware solution will be required if the password is not available. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally.

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009 and currently works as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry Infrastructure and the effects of the trust bot-net & forensic techniques on human privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549


Are We Ready For Digital Evidence?


Are we ready for digital evidence? It's a question that we need to ask more often, as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis.
What you will learn
Forensic recovery of an image file's metadata and web browser history
Programming our own tools
Discussing the impact of digital evidence

What you should know


Basic understanding of digital forensics and techniques
Basic understanding of web programming using HTML and PHP

Similarly, we still live in a world where we think the computer and what we do on it, or any digital device for that matter, is irrelevant to something like a criminal case. Yet, that said, an example of such a case has come about: the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but one where a computer's average use, such as searching the internet and uploading to social networking, is seen as being malicious. I have attempted to create a balance between asking the tough questions and understanding the technical aspects of digital forensics in this article. As a result we will be going through the motions of viewing an image file's metadata with forensic tools and even making our own tool using HTML and PHP. Similarly, we will be going through the motions of viewing and analyzing the browser's history. Lastly, we will be attempting to answer the question of whether or not we are ready for digital evidence and its impact on our lives. But before we get into the core of this article, we first have to understand a little bit of the case's background. What's interesting is the fact that it isn't a cyber incident: it's a case that involves a person's social networking life and their history of internet search terms, everyday activity for computers, digital cameras, even our cell phones. It was during a forensic investigation of the family's computers that said evidence was found demonstrating that searches were made on the internet in relation to the case. Similarly, photos were posted to multiple social networking sites while the suspect's daughter was still considered missing. Ultimately, though, the forensic evidence wasn't enough to get a conviction from the jury.

Figure 1. EXIF data of an image


Forensic Improvisation
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset.
What you will learn
You will learn how to improvise your use of digital forensics

What you should know


You should know your environment as well as basic shell programming

Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines). The focus of this article is using the command line (terminal, bash) tools found on a standard Mac OS X 10.7 (Lion) operating system, including a few additional optional downloads (or rather what most geeks would have already installed anyway). Understanding how things work is always best, and the best tool is the one you write yourself. Using tools someone has already written for you is certainly nice, but if you can't modify them to suit your immediate needs then this is where improvisation takes place. It certainly isn't the time to shy away from the terminal; that's where all the sexy is (not the clicky eye-candy you may be used to). The challenge: so we've been presented with 10 binary files (test0.bin to test9.bin). Since they are all

Figure 1. Testbench listing

Figure 2. TermHere


Neuro-Linguistic Hacking:
The New Age of Social Engineering
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history until today, social engineering has been used.

The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago. In the last 70-100 years there have been massive leaps in understanding the human psyche. What makes a person tick? Bandler and Grinder took the understanding of neuro-linguistic programming to a whole new plane. Dr. Paul Ekman turned the understanding of microexpressions into a new science. Then many experts who spent decades studying influence, persuasion and manipulation began to work hard to understand what makes a person act a certain way. As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt studies from other professionals into social engineering as a whole. We have interviewed radio hosts, psychologists, law enforcement, NLP gurus, dating experts and others to try and understand what each of those fields has to offer a social engineer. After studying a lot of the practices and what makes them successful, we have blended a few together and are going to start a new study called Neuro-Linguistic Hacking (NLH).

Neuro-Linguistic Programming (NLP)

NLP is a controversial approach to psychotherapy and organizational change, based on a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences underlying them, and a system of alternative therapy based on this model which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior.

Neuro

This points to our nervous system, through which we process our five senses:
Visual
Auditory
Kinesthetic
Smell
Taste

Linguistic

This points to how we use language and other nonverbal communication systems through which our neural representations are coded, ordered and given meaning. This can include things like:
Pictures
Sounds
Feelings
Tastes
Smells
Words

What is NLH

NLH combines key parts of neuro-linguistic programming with the functionality of microexpressions, body language and gestures, blending them all together to understand how to hack the human infrastructure. Let's take a closer look at each to see how it applies.

Programming

This is our ability to discover and utilize the programs that we run in our neurological systems to achieve our


Best Practices in InfoSec Forensics


Proactively preparing for and executing network forensic analysis
This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics.
What you will learn
Forensic Basics
Network Forensics
Computer Forensics

What you should know


Using Syslog, Traps and Network Taps
Deploying Network Attached Storage
Duplicating a Hard Drive

To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences:

What is INFOSEC Forensics?

INFOSEC forensics relates to digital forensics, which is the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection; this is proactive. In addition, and most usually after a breach, computer forensics is performed by a network security professional; this is reactive.

The best practices, of course, are to be as proactive as possible and to plan for both scenarios. One is to gather and store traffic, always looking for anomalies; these can range from hacker attacks to employees leaking data and internal information to a competitor, or a malicious insider on your network. The other is to have RAID, hard drive mirroring, Continuous Data Protection (CDP) and, at minimum, daily backups of all important company information from all network touch points, so you don't have to reactively chase down a lost or stolen laptop to analyze a hard drive, because you have the latest, closest copy of the data set stored

Figure 1. Network Forensics
