eForensics Magazine (Free issue)
Vol. 2 No. 2, Issue 2/2012 (2) August
www.eForensicsMag.com

In this issue: Capturing Instant Messages; SIP Call Forensics Analysis; Hacking Extortion Case; Recovering IE History Using Pasco; Security Testing Tool or Cyber Weapon


Dear Readers!

TEAM
Editor: Aleksandra Bielska, aleksandra.bielska@software.com.pl
Betatesters/Proofreaders: Glen Victor, Daniel Sligar, Gabriele Biondo, Sailaja Aduri, Roshan Harneker, Olivier Caleff, Vaman Amarjeet, Danilo Massa, Nicolas Villatte, Joshua Williams, Jonathan Ringler, Cindy Brodie, Lance Reck, Steven Doan, Andrew Levandosky, Akash Rosen, Sheri Lee, Dan Dieterle, Matthew Harvey, Mada R. Perdhana, Jonathan McBride, Scott Taylor, Will Poole, Jan Tilo Kirchhoff, Andy Gibison, Marcelo Zuniga Torres
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Mateusz Jagielski, mateuszjagielski@gmail.com
DTP: Mateusz Jagielski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic
Publisher: Software Media Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Today's the day! The second issue of eForensics Free Mag saw the light of day. I hope you'll find here answers to some of your questions & problems. I know there are more and more doubts and threats since technology has been constantly developing. We can assume that cyber space has no boundaries. Because of that, modern reality gives us unlimited opportunities, but it also makes us unbelievably vulnerable to the actions of others. Many people are affected by cyber crime and bullying every day. To prevent unwanted intrusions sometimes we have to think ahead in the way that criminals do.

Nicholas Miter in his article presents how managers and owners of companies should prevent fraud, attacks and stealing by capturing, filtering and storing real-time data. The author discusses some legal principles which arise from using real-time forensics technologies. He shows, as well, how to capture instant messaging traffic and store it in a Microsoft SQL Database Server by using a forensic tool.

Carlos Cajigas shows another non-commercial tool which can help you during your investigation. Sometimes critical evidence can be found in a suspect's web browsing history. The author of the article provides you with information on how to uncover such evidence in visited sites and attempted Internet searches with the use of PASCO, an easy tool which allows you to parse the browsing history of a concrete user.

As we know, the attacks of cyber criminals are increasingly targeted at mobile devices. One day Jan Tilo Kirchhoff started to receive strange calls. The caller ID showed that he's calling from his own number. He answered and heard only silence on the other end of the line. He decided to find out who the annoying intruder is. In his piece, Jan presents the process and results of the conducted investigation.

Most human discoveries or achievements are neutral. They could be of use to create good things or could become a tool for evil activities. In his article (the first in the article series), Kevin G. Coleman discusses the issue of dual-use technology. Every piece of software or testing tool could be transformed into a cyber weapon. How to find the right solution in legislation which will protect us from attacks and won't stop software developers from creating new ways to protect data and systems?

The full picture of this month's issue is completed by the story created by Eric Lakes in which you can find love, revenge, fraud and... cyber investigation. As we have experienced many times, life writes better and more surprising scripts than Hollywood writers do.

Thank you all for your great support. Enjoy reading!

Aleksandra Bielska & eForensics Team

CONTENTS

MOBILE
6. SIP CALL FORENSIC ANALYSIS
by JAN TILO KIRCHHOFF
"It all started during my 2011 summer vacation. One evening my mobile started ringing but when I finally got to it and accepted the call there was no one on the line..." In this article, Jan Kirchhoff presents the investigation he conducted in order to detect the source and reason of the mysterious calls.

DATA
10. CYBER AGENTS: HACKING EXTORTION CASE
by ERIC LAKES
"This case was real and very unique from start to finish. It was 'fun', not only due to the content of the case, but also because of the immediate challenges that the case presented and of course we like a good challenge." In this story Eric Lakes and Sergeant Randy, investigators at Cyber Agents, do their best to prove their client innocent and to outwit his smart wife.

NETWORK
16. RECOVERING IE HISTORY USING PASCO
by CARLOS CAJIGAS
"Reconstructing and examining web browsing history is a task that is required during most forensic examinations." In this article, Carlos Cajigas presents the reconstruction process in Linux Ubuntu 12.04 conducted with Pasco, an open source tool that you can use for free.

LAW REGULATIONS
22. CAPTURING INSTANT MESSAGES WITH PACKET CAPTURE TECHNOLOGIES
by NICHOLAS MITER
"Real-time forensic technologies, however, implicate several legal principles such as wire-tapping laws, waiver of privacy restrictions, and evidentiary rules not common with archived information." The author discusses some of these principles and provides simple examples.

28. SECURITY TESTING TOOL OR CYBER WEAPON
by KEVIN COLEMAN
In this article Kevin Coleman stresses the burning need to provide a clear distinction between Security Testing Tool and Cyber Weapon. His surprising remarks clearly pertain to the problem of nomenclature in the current regulatory system.


SIP CALL FORENSICS: CHASING PHREAKS ON THE INTERNET


by Jan Kirchhoff

It all started during my 2011 summer vacation. One evening my mobile started ringing but when I finally got to it and accepted the call there was no one on the line. The same thing happened again in the middle of the night, followed by another call on the next day. The caller id showed that calls were coming from my home phone number. Finally I remembered that I had configured my home PBX to forward calls to a specific SIP account to my mobile. So I got on the internet to check the logs for any strange activities.

The call log showed that the calls had indeed come in through the SIP account in question but the originating caller id had been obscured:

    20.07.2011;20:35:31;00:00:24;00:00;0,000;0;58;;;43;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
    21.07.2011;01:41:13;00:00:24;00:10;0,000;0;58;;;46;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
    22.07.2011;15:39:55;00:00:32;00:00;0,000;0;58;;;1;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene

I decided to investigate further but wanted to get rid of the annoying calls at unpredictable times first. I changed the configuration to forward the calls to my voicemail, which would send me an e-mail notification for each new message it had recorded. Also I configured the system to create trace files of all SIP transactions. In the following days the calls to my SIP account continued. Each time the call was accepted by the voicemail system but there was only silence in the recordings. The call was disconnected after the configured timeout by the voicemail system. So who was calling me?

A quick look at one of the SIP INVITE messages at first raised more questions than it answered. The incoming message was directed towards the public IP address of my home PBX:

    <22:35:56.111>-RX(942 Bytes)--SIP--IP:68.233.250.164--Dest:5060--Src:5060--
    INVITE sip:00441913561034@88.73.81.183 SIP/2.0

But the destination number 00441913561034 did not match any of my numbers/accounts. So at least there was a configuration problem, since the call was still routed by the PBX. Still this would have to wait as I wanted to find out more about what was going on. I tried to call the destination number from my mobile but did not get anywhere. So I continued to analyse the SIP information.

    Via: SIP/2.0/UDP 68.233.250.164;branch=z9hG4bKjgV0Myn7VUFW;rport
    From: asterisk <sip:asterisk@68.233.250.164>;tag=nnGiiC0kgk


These lines contain the caller id, i.e. asterisk, as well as the originating IP address.

    To: <sip:00441913561034@88.73.81.183>
    Contact: <sip:asterisk@68.233.250.164>
    Call-ID: 5EMquzILbesxSFNJY2vh
    CSeq: 101 INVITE
    User-Agent: Asterisk PBX

This line shows information on the software used by the caller, i.e. Asterisk PBX.

    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE

The following lines give details on the requested session in SDP format.

    Content-Type: application/sdp
    Content-Length: 506

    v=0
    o=sip 12493 12493 IN IP4 1.2.3.4

The o= line above, together with the c= and m= lines that follow, normally carries the IP address and port to be used by the actual RTP based audio transmission. In this case the IP address 1.2.3.4 is definitely not correct, as a quick whois lookup will show you. No wonder I was not hearing anything.

    s=session
    c=IN IP4 1.2.3.4
    t=0 0
    m=audio 10318 RTP/AVP 10 4 3 0 8 112 5 7 18 111 101
    a=rtpmap:10 L16/8000
    a=rtpmap:4 G723/8000
    a=fmtp:4 annexa=no
    a=rtpmap:3 GSM/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:112 AAL2-G726-32/8000
    a=rtpmap:5 DVI4/8000
    a=rtpmap:7 LPC/8000
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:111 G726-32/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=silenceSupp:off - - -
    a=ptime:20
    a=sendrecv

    sipte_setup_ind() State:0 Callid:168 Trid:15/0xFFF9

So the incoming call was definitely not from a regular caller. In fact a bit of research on the internet showed that the INVITE message closely matched the messages sent by a VoIP testing tool called sipvicious (http://blog.sipvicious.org). But who was running this software and for what purpose? Meanwhile I had returned home, which gave me better access to my PBX and the internet connection it was connected to. So I started to capture packets to see if any further information could be gained. Around the same time the number of INVITE messages coming into my PBX started to increase, first to three, then five and finally around 20 calls in a single day.
To reduce the amount of data in the packet capture I used BPF filters to capture only the INVITE messages. Also, since my DSL connection had to be restarted every day, I added two lines to the connection script that would create a new capture file every day:

    # ip[0x1c] is the first byte of the UDP payload (20-byte IP header without
    # options + 8-byte UDP header); 0x49 is ASCII 'I', so only requests that
    # start with "I" (INVITE) are written to the file
    TIMESTAMP=`date -u +%Y%m%d_%H-%M-%S`
    tcpdump -s 1500 -c 1000 -i ppp0 'udp port 5060 and (ip[0x1c] == 0x49)' -w /var/log/tcpdump_${TIMESTAMP}

I then extracted the originating IP addresses from several capture files, running:

    # -v makes tcpdump print the decoded SIP headers; the sed wraps the first
    # IP address on each From: line in semicolons so awk can pick it out
    tcpdump -r tcpdump-6.cap -v | grep 'From:' \
      | sed 's/[0-9][0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/;&;/' \
      | awk -F ';' '{ print $2 }' | sort -u

This yielded 5 different IP addresses owned by various hosting providers, mainly in the Caribbean. The IP addresses had been associated with different domains at some point but seemed not to be hosting any active websites just now. All of them were

running Plesk, a common webhosting platform (http://en.wikipedia.org/wiki/Plesk), and had several services including ssh and MySQL open to the internet, as a quick nmap scan showed. I assumed that the servers had been hacked while the provider had left them sitting idle after the last customer's contract had run out. So I contacted the providers describing my problem and asked them to check out these servers and do something about it. I never got any replies but the number of incoming calls quickly diminished. Now I had an answer to the question who (or what) was calling me. But I still wanted to figure out why. I returned to the analysis of the INVITE messages I had collected over the past weeks and quickly found that the destination numbers called by the servers were varying. There were several distinctly different destination numbers, all containing 44 after a number of leading zeros. For some reason UK numbers (international code +44) have been a favorite for online scams in recent years, as a Google search will tell you when you search for +44 and fraud. Secondly the number of leading zeros seemed to be increasing over time for each destination, e.g. 0044123456789, 00044123456789, 000044123456789 etc. My conclusion is that the suspicious SIP calls were an automated attempt to find a dial-through path on my PBX. Once such a path had been established the attackers could have used it to route calls to any destinations around the world. Reselling this kind of service can be a lucrative business as the incoming SIP calls are basically free and the owner of the PBX is left to pay the bill. I am just glad that the worst thing that came out of this was an unsolicited wake-up call during my holidays and not a huge phone bill ruining my holiday budget. Finally, please don't try to call me, I altered the numbers in the log files and my PBX is now reconfigured to not accept SIP calls from unknown peers.
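The indicators the article walks through (a destination that is none of the PBX's own numbers, an SDP media address that does not match the signalling source, +44 destinations behind a growing run of leading zeros) can be checked automatically over a day's capture. The following is an added example, not the author's code or part of the original article; it parses constructed INVITE messages modelled on the one quoted above, with RFC 5737 documentation addresses standing in for the real hosts, and the own-number set is a placeholder.

```python
import re
from collections import defaultdict

# Numbers this PBX legitimately answers for (constructed placeholder set).
OWN_NUMBERS = {"030868765432"}


def parse_invite(raw):
    """Pull out the fields the article examines: destination number, signalling
    source (Via/From), User-Agent and the SDP connection address (c= line)."""
    lines = raw.strip().splitlines()
    m = re.match(r"INVITE sip:(\d+)@([\d.]+) SIP/2\.0", lines[0])
    if not m:
        raise ValueError("not a SIP INVITE request line: %r" % lines[0])
    info = {"dest_number": m.group(1), "dest_host": m.group(2), "via_host": None,
            "from_user": None, "from_host": None, "user_agent": None, "media_host": None}
    for line in lines[1:]:
        if line.startswith("Via:"):
            via = re.search(r"/UDP ([\d.]+)", line)
            info["via_host"] = via.group(1) if via else None
        elif line.startswith("From:"):
            fm = re.search(r"<sip:([^@>]+)@([\d.]+)>", line)
            if fm:
                info["from_user"], info["from_host"] = fm.group(1), fm.group(2)
        elif line.startswith("User-Agent:"):
            info["user_agent"] = line.split(":", 1)[1].strip()
        elif line.startswith("c=IN IP4 "):
            info["media_host"] = line.split()[-1]
    return info


def suspicious_indicators(info):
    """Reasons, if any, why one INVITE looks like automated probing rather than
    a call meant for this PBX."""
    reasons = []
    if info["dest_number"] not in OWN_NUMBERS:
        reasons.append("destination %s is none of the PBX's own numbers" % info["dest_number"])
    if info["media_host"] and info["media_host"] != info["via_host"]:
        reasons.append("SDP media address %s differs from signalling source %s"
                       % (info["media_host"], info["via_host"]))
    if re.match(r"0{2,}44\d+$", info["dest_number"]):
        reasons.append("+44 destination behind a run of leading zeros")
    return reasons


def leading_zero_walk(invites):
    """Group calls by (source, digits with leading zeros stripped) and report the
    sources whose zero count grows from call to call, i.e. the dial-through
    probing pattern the article observed (0044..., 00044..., 000044...)."""
    zeros_seen = defaultdict(list)
    for info in invites:
        num = info["dest_number"]
        core = num.lstrip("0")
        zeros_seen[(info["from_host"], core)].append(len(num) - len(core))
    walks = {}
    for (src, core), zeros in zeros_seen.items():
        if len(zeros) >= 2 and all(b > a for a, b in zip(zeros, zeros[1:])):
            walks.setdefault(src, []).append(core)
    return walks


def triage(raw_invites):
    """Run both checks over a list of INVITE texts (e.g. one day's capture)."""
    parsed = [parse_invite(r) for r in raw_invites]
    flagged = {}
    for idx, info in enumerate(parsed):
        reasons = suspicious_indicators(info)
        if reasons:
            flagged[idx] = reasons
    return {"flagged": flagged, "zero_walk": leading_zero_walk(parsed)}


def make_invite(src, dest, media):
    """Constructed INVITE in the shape quoted in the article. 198.51.100.5 stands
    in for the PBX's public address; src/media are documentation addresses."""
    return "\r\n".join([
        "INVITE sip:%s@198.51.100.5 SIP/2.0" % dest,
        "Via: SIP/2.0/UDP %s;branch=z9hG4bKjgV0Myn7VUFW;rport" % src,
        "From: asterisk <sip:asterisk@%s>;tag=nnGiiC0kgk" % src,
        "To: <sip:%s@198.51.100.5>" % dest,
        "Contact: <sip:asterisk@%s>" % src,
        "Call-ID: 5EMquzILbesxSFNJY2vh",
        "CSeq: 101 INVITE",
        "User-Agent: Asterisk PBX",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "o=sip 12493 12493 IN IP4 %s" % media,
        "s=session",
        "c=IN IP4 %s" % media,
        "t=0 0",
        "m=audio 10318 RTP/AVP 0 8 101",
    ])


# Constructed sample: one source walking the leading zeros with a bogus media
# address, plus one ordinary call whose media address matches its source.
SAMPLE_INVITES = [
    make_invite("192.0.2.10", "0044123456789", "1.2.3.4"),
    make_invite("192.0.2.10", "00044123456789", "1.2.3.4"),
    make_invite("192.0.2.10", "000044123456789", "1.2.3.4"),
    make_invite("192.0.2.10", "00441913561034", "1.2.3.4"),
    make_invite("203.0.113.7", "030868765432", "203.0.113.7"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_INVITES), indent=2))
```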

Author bio

Jan-Tilo Kirchhoff is working as product manager for Aastra, a leading company at the forefront of the enterprise communications market around the world. His responsibilities include the security of VoIP solutions and telecommunications systems. He is a CISSP and holds a master's equivalent degree (Dipl. Ing.) in electrical engineering from the Technical University Berlin.


CYBER AGENTS: HACKING EXTORTION CASE


by Eric Lakes

One often has to wonder about the criminal's mind and how it works. Do they really think their plan is that good? Do they really think it will work and they won't get caught? Yep!!!
My name is Randy. I'm a cop (Da Da Da Dant). Well, I used to be. I retired two years ago from a pretty decent sized city in central Kentucky called Lexington. I know, I know, I don't look old enough to be retired, but since you can't see me, you'll have to trust me, I am. For the past several years I have been working on a contractor basis with my friend and computer genius Eric Lakes in the capacity of a very exciting field called computer forensics. Eric has been involved in computers for more than 20 years himself, so forensics seemed to be a natural fit for both of us. While working with Eric and of course more than 22 years in Law Enforcement, Eric & I have come across some very bizarre cases. In all of my years in Law Enforcement, I seldom get shocked anymore by one human's actions against another, but this case shocked me. It reads like a dime-store novel. Details you would have had to make up because no one would ever try this. She did! You know the phrase "There is no fury like a woman scorned"? Well, this was fury, even though I'm not sure about the scorned part. Who is she, you're asking? Well, the Perpetrator in this case, we'll call her Jill, devised a plan so bizarre that you know that this case and its details have to be true. Truth, as you know, is in fact stranger than fiction. This case, I'm sad to say, is not fiction! This case was real and very unique from start to finish. It was "fun", not only due to the content of the case, but also because of the immediate challenges that the case presented and of course we like a good challenge. But it was also very serious. We were contacted by the defendant's, we'll call him Jack, counsel in April 2006, to review electronic media on two computers: Jack's and his now ex-girlfriend's, Jill. Both had been charged with serious crimes. At the beginning of this case, Jack was dating and living with Jill. At that time, they were also working for the same company, but in very different capacities.
Jack was involved with the company at an upper level and Jill on a much lesser, worker-bee, level. Eventually an incident occurred at work that did not involve Jack; however, Jill was somehow implicated and separated from the company. She must have taken great offense to this. Jack and Jill had a stormy relationship from the start. One in which it appeared, at least, that Jack was doing all the work and Jill was creating all the drama and spending all the money. So, after too many unresolvable incidents between Jack and Jill, Jack finally realized that he was in love with the wrong girl and had to leave. Eventually he moved out and got a place of his own.

The Story
This is where the fun begins. Don't think for a moment that Jill was going to take being broken up with by Jack lightly, especially since she had no job and needed to pay her bills. Even after the break-up, Jill tried to maintain a relationship with Jack and since he was broken hearted, I guess he tried too. Of course it didn't last. It was during this time, on one of Jill's visits to Jack's new apartment, that Jill came into possession of one of Jack's credit cards, although Jack was not aware of this.

The Defendant vs. Perpetrator


They are not the same in this case. Normally you would ask, well isn't the defendant the perpetrator? Not in this case, read on my friend, read on.



Jill rented a lap-top computer with Jack's credit card, without his knowledge or permission. She then began doing her homework on how her new computer worked. I guess she liked it. During this time, Jill somehow discovered that Jack was making plans to move out of state. His skills were needed by another company and he was getting ready to take a job offer elsewhere. I guess he figured getting away from her wasn't a bad idea either. Jill, on the other hand, found it a very bad idea. So, Jill would have none of this. Being dumped, no more cash-cow and now he's not only moving on, but moving out of state!?!? No way. However, after hearing Jill's statement and gathering information that appeared to be, at the time, inflammatory against Jack, the police felt they had enough at the time and located Jack to make a Probable Cause arrest on him too. But again, this case was unique from the start. The work we performed was extra-ordinary for this case. There were pieces of the case that just did not fit from the beginning. Remember, we were contacted by Jack's attorney -- a smart man. Through legal disclosure, called Discovery, the attorney was given all the evidence that the police and prosecution had against Jack. Once we were able to meet with the attorney, we were then able to review the evidence at that time, as well. Cyber Agents' responsibility becomes fulminant, meaning coming on suddenly or with great severity. We then met with the police and were able to make forensic images of Jack's computer hard drive and Jill's lap-top computer hard drive as well as all the CDs that were found in Jill's possession when the sting went down. Both the computers and CDs were recovered by the police as evidence. We used equipment by Voom that allows us to forensically secure the hard drives. The Hard Copy products are so versatile and portable that we can go off-site and perform multiple forensic images of potential evidence.
Once the forensic image is made, we leave the original intact with the owner, in this case the police, then take the forensically imaged version to work with in our computer lab. When a forensic image is made, all of the data remains identical and unchanged from the original hard drive. This way it upholds industry standards and any certified forensic computer examiner can see the exact same data. Very cool stuff. As far as Cyber Agents goes, between Eric's 20 plus years experience in computers, being a Certified Computer Examiner, all of the various cases he has worked, all of his court testimony, prior military, being a qualified expert witness, his teaching and traveling the world, and me, # 2 on this case, being a retired police officer with 22 years of law enforcement, criminal law and investigative experience, knowing what to look for while going through evidence, shows the reader what Jill was up against. And again, things just didn't make sense.

The plan
Jill came up with a seemingly flawless plan to get back at everyone at once - Jack and the company - and make a few bucks out of the deal. So, Jill contacted Jack's boss and told him that Jack had documents, tapes and other items that could prove that the company was committing wrongdoings in the industry and Jack would turn them in, unless they paid him $30,000. This was hard for the boss to believe, I'm sure, since Jack was involved at an upper level with the company, but you never know, right? Money and/or love are powerful motivators, even if one doesn't need the money, and it appeared that Jack didn't. Either way, the threat was made and the boss had to do something. So of course, the boss - being innocently adduced into this sordid tale - contacted the police. Together the police and the boss decided to see where this would lead. The boss told Jill that he was interested in seeing what info she, or rather Jack, had. The deal was set in motion. Jill was counting her cash and her revenge already. Jill gathered what turned out to be several useless items that were common to the company. But of course the boss did not know this. And since she was a former employee, gathering those types of items would have been easy for her. Per Jill's instructions, she and the boss were going to meet at a certain place and time in a very remote, rural and somewhat mountainous area. Jill, her daughter and her daughter's boyfriend got there early and waited. When the boss showed up, he was not alone. He was in the company of - you guessed it - the police. The police made an immediate Probable Cause arrest on all three suspects. The police gathered the suspects and their possessions, including the evidence against the company, and all were taken back to police headquarters for questioning. Jill's daughter was also a cohort, and only after their confirmation of events did Jill break down, then stated that it was Jack that made her do it. It was he that was the mastermind of the entire operation.
He was the one that gathered the information that would hurt the company - then forced her to call the boss and extort the money. This horrible tale was told through her many tears.

Now it was our turn to get to work:


After having been off-site we were able to get to work back at our lab (in Lexington) with forensic images of both hard drives and CDs. Once we were back in the lab, we retrieved a list of key words or search terms that Jack and his attorney supplied us, to help in our search for evidence on the electronic media (the hard drives and CDs). We used forensic tools called AccessData, Gargoyle and EnCase. My job was to use the EnCase software and start the searching process. We entered these terms into EnCase, the forensic software, and the software highlights any place that the specific search terms we are looking for may have been used on the computer in any context. For example, within a Microsoft Word file to an e-mail or even web sites, the software attempts to locate that key word. It is incredible. The list of hits on any search term can be incredibly long depending on how we have set up that search term. Sometimes a search term may be such a common name or combination of letters that we have to perform focused searches such as GREP, or other endings-of, or leave


specific letter(s) out to minimize the trash or un-evidentiary search hits. The search on each term has to be very precise and can take literally days on even one small word. If we locate anything noteworthy, we bookmark the item then export it to a file, so the client can see what we have found. My findings did not seem to bear any evidence against Jack. The information that Jill claimed Jack had against the company was nowhere on his computer. Fortunately, Cyber Agents has several work stations on which we can use multiple licensed forensic tools on the same case but for different aspects of the case. Therefore, different agents can work the same case in different ways. This has been a very useful asset for us. Eric was working on the forensic image of Jill's lap-top computer hard drive. Eric used a software package called Mount Image Pro to basically load up the EnCase forensic image of the suspect hard drive as a drive letter or physical hard drive on the examiner's computer. Basically MIP is used to actually mount a forensic image as a logical hard drive so it can be scanned with different software packages. The image looks like a typical hard drive when connected to your system but keeps it in the exact state it was forensically secured. After this process Eric then started up Gargoyle Enterprise to scan this mounted forensic image.

Indeed there can be, and in some cases will be, some false positives, but we as forensic examiners have seen this in many instances, so until we uncover that search hit, only then do we see what it really is. In this case the hit was on Key Loggers. Once the hit was uncovered Eric was able to go back to the forensic image and look for the particular software. Now Eric's mind was racing. Once the software was located, we then had to go online and buy the software. He purchased the software, and then HASH'd all the files to create the fingerprint necessary for the validation process of what was found on the suspect computer. Basically Eric compared the HASH value of the software that Cyber Agents purchased to that of what was found on the suspect computer. Eric then had to HASH out all the files on Jill's computer. There it was - an exact match. Eric determined that a file came in posing as a Windows update executable that had the same HASH value as the file downloaded on Jill's computer. Eric then had to proceed with what the software's function was, in addition to what the software company stated. What happened was, once the unsuspecting recipient initiated the disguised file, the software was capturing every keystroke the end-user performed and uploaded the information to a website. The suspect would go into that website by signing in and download all the sessions that were captured. These sessions were saved as .htm, Hyper-Text Markup Language, code. As he started checking each file, Eric started up a software package called SnagIt by TechSmith. This software package lets the examiner perform many functions, such as snapshots of digital data that could be of interest and evidentiary, or lets us digitally video a process or website. What he had to do was run the Scrolling Windows Image Capture function. What this is, is when the forensic examiner starts SnagIt he/she will choose the function needed for the particulars of the case they are working.
In this case there were many files that Eric had to capture and document, but this had to be done for the sake of the case. We, as forensic examiners, must turn over all stones and report everything, whether it is good or bad, for the case. The data in a case will always dictate how the case will progress, not outside human intervention. We as forensic examiners have a science to the art of performing our examinations for the client.

The above caption is a screen shot of Gargoyle Enterprise. When the search is being performed on a particular case the boxes will be highlighted in a respective color as indicated: Grey (Unselected), Blue (Selected), White (Low Threat), Yellow (Medium Threat) and Red (High Threat). These indicators give us, the forensic examiners, something to look at and/or for. Gargoyle Enterprise is a utility that, as you can see, has many uses. It can assist the forensic examiner in a variety of cases. Gargoyle Enterprise is a product by WetStone Technologies, Inc. WetStone creates what are called datasets of known software, viruses, etc. These datasets are imported into Gargoyle Enterprise, which scans the suspect computer's files and compares these values. When a comparison matches then the blue box can turn a specific color according to the threat level.
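The hash comparison described above (a reference copy of the purchased software hashed file by file, then every file on the mounted image hashed and looked up against that set, so a copy renamed to look like a Windows update still matches because only the content is compared) can be reproduced with a few lines of Python. This is an added example, not Cyber Agents' or WetStone's code, and it does not use Gargoyle's dataset format; the reference files and the "image" directory are constructed in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_dataset(reference_dir, label):
    """Map sha256 -> (label, relative path) for every file under the reference
    install; this is the 'fingerprint' of the known software."""
    reference_dir = Path(reference_dir)
    dataset = {}
    for p in reference_dir.rglob("*"):
        if p.is_file():
            dataset[sha256_file(p)] = (label, p.relative_to(reference_dir).as_posix())
    return dataset


def scan_image(mount_point, dataset):
    """Walk the mounted image and report files whose content hash is in the
    dataset. File names are ignored, so a renamed copy is still found."""
    mount_point = Path(mount_point)
    hits = []
    for p in sorted(mount_point.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in dataset:
                label, ref_name = dataset[digest]
                hits.append({"path": p.relative_to(mount_point).as_posix(),
                             "label": label, "reference_file": ref_name,
                             "sha256": digest})
    return hits


def demo():
    """Constructed scenario: a reference copy of an installer, and an 'image'
    holding the same bytes under a different name plus unrelated files."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "keylogger")
        img = Path(tmp, "image")
        ref.mkdir(parents=True)
        (img / "Windows" / "Temp").mkdir(parents=True)
        (img / "Users" / "jill" / "Documents").mkdir(parents=True)
        payload = b"CONSTRUCTED-INSTALLER-BYTES-" * 200
        (ref / "setup.exe").write_bytes(payload)
        (ref / "readme.txt").write_bytes(b"constructed readme, not present on the image")
        (img / "Windows" / "Temp" / "windowsupdate.exe").write_bytes(payload)
        (img / "Users" / "jill" / "Documents" / "notes.txt").write_bytes(b"unrelated file")
        dataset = build_dataset(ref.parent, "KeyloggerX (constructed label)")
        return scan_image(img, dataset)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```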



The screen shot above shows the choices that are given the user when starting up SnagIt. So I discovered, the hard way, that there is a lot more to computer forensics than I ever dreamed of when I first started with Eric. I find it fascinating and even overwhelming at times. Still challenging and exciting. Anyway, back to our work: After Eric recreated the html code, he discovered that the html code showed that the software was purchased with Jack's credit card! What?!?!? While searching through the electronic media with forensic tools, we also continued to cross reference the evidence information given to us by Jack's attorney. While going through the photo copies of the evidence filed from the police reports, we were looking through a list of Jack's possessions at the time he was arrested. We discovered that two of Jack's credit cards were not listed in the contents of Jack's possessions: the one that was used to purchase the software that was on Jill's lap-top computer and the one that was used by Jill to purchase a book. That got my mind racing! I can't let Eric's mind have all the fun, you know. We put our heads together and ran over endless possibilities for what we were discovering. Then this! This was amazing. Eric found another web-site that showed purchases were made using Jack's credit card. You know, the one Jill actually had and Jack didn't know it. It also showed that the delivery address was Jill's, but the billing address was Jack's. Wow!! That is Credit Card Fraud and Identity Theft. Bad girl!! Eric found that within 5 days from the date that Jill purchased the software, a pseudo Windows update file was sent to Jack's computer and then his system was compromised. Eric installed the purchased software on a test system to see how it worked, what the system did, and what the end-user using this software had to do to see or retrieve the data from the victim's computer. Unbelievable!
Every keystroke made on the compromised system is captured, per session, and uploaded automatically to a web site. All Jill had to do was log in to that web site and she could retrieve the keystroke info (made by Jack or any other victim computer system that was compromised) and see it. She saw everything he was typing. Each keystroke he made. Wow, yet again: now that's spying!! But when the .htm file was opened to see what its contents were, the entire file was black. Eric then discovered that by running the mouse over the page, it highlighted the content area of the .htm view and the text appeared. This enabled us to read the data and capture it. Once Eric determined how and where the files were stored by the software, and then by the end user (Jill), he extracted all the .htm code/files, reproduced the web pages, captured the screens, and brought the results of each into the report function of AccessData Forensic Toolkit (FTK). Now, after seeing what Jill was seeing on the spyware web site, it was all coming together.

That's how she did it! She devised a plan to get junk information from Jack himself and attempted to use it against him, via blackmail/extortion against the company. She bought the spyware with Jack's own credit card, installed it on her own computer, and proceeded to hack and track Jack (say that three times fast). That made it easy for her to come up with bogus info against the company and make it look like she really had something. That's also, most likely, how she found out Jack was getting ready to leave the state. The CDs that the police gave us to forensically secure contained the captured information from Jack's computer. What did not make sense in the beginning was where or how she got this information, but that became perfectly clear in the end. She could have all the junk she wanted with keystroke spyware.
Then, with Jack out of the way, presumably in jail for something he didn't even do (that's what he gets for trying to free himself from her, I suppose), of course she spends the extorted money living very happily, criminally, ever after. Oops!! She forgot about one thing: Cyber Agents! Thank goodness for Jack that his attorney had heard of us. Fortunately, after the prosecutors and Jill received the findings from Cyber Agents, she took full responsibility for all the extortion and hacking that occurred and the charges against Jack were dismissed. So there it was. So many clichés: a woman scorned; a nice guy finishing last; heroes save the day. This case was amazing! Watching and working with Eric was also amazing. At Cyber Agents, we don't jump to conclusions. We don't choose sides. The evidence is there or it's not. Prosecution or defense, criminal or civil, plaintiff or defendant: we've worked them all! We work within our client's best interest. We work with integrity, ethics and honesty. That is what makes being a Cyber Agent really cool! And even after working this case, and seeing how it all unfolded, I am still shocked at how she could do that to someone that she was supposed to have loved, and still she thought she'd get away with it. You have to admit, isn't it amazing how the criminal mind works?!?!?

Cyber Agents, Inc., Lexington, Kentucky
Owner/Operator and Lead Examiner: Eric Lakes
Cyber Agent #2 on this case: Randy F. Kaplan, Cyber Agent

Author bio

Eric Lakes has been involved in computers for more than 20 years. Throughout this period he has gained relevant experience in numerous fields related to computer analysis, consulting and teaching. He has been sworn in as an expert witness in computer forensic examination and data retrieval in Federal, Military, Family and State Courts, and has used and currently uses EnCase versions 1, 2, 2Pro, 3, 4, 5, 6 and 7, AccessData Ultimate Forensic Toolkit, FastBloc FE, AccessData Password Recovery, Paraben PDA, DataPilot, R-Studio, X-Ways Forensics and Voom products, as well as other tools and utilities. He has provided affidavits as an expert listing his findings in various cases and performed deposition consulting. He has retrieved data from various types of media: SanDisk, CD/CDRW/DVD, NAS, servers, hard drives, floppy disks and Zip disks. He holds numerous certifications: Certified Registered Investigator, American College of Forensic Examiners Institute (2010); Certified Computer Forensic Technician, High Tech Crime Network (HTCN.ORG) (2009); Certified Homeland Security-III, Preparation and Response Teams Engineering and Technology (2006); Certified Basic Archery Instructor; and Certified LiveWire Examiner (2006).
He regularly attends the CEIC (Computer and Enterprise Investigations Conference): the 2012 conference and labs in Red Rock, NV; 2011 in Orlando, FL; and 2008 and 2006 in Henderson, NV. He has delivered talks as guest speaker for Kentucky Public Advocacy (Computer Forensics, 2012); the JAG Conference Expert Symposium, Chicago, IL (Fall 2010); Paul Laurence Dunbar High School (eDiscovery, Digital Forensics, P2P File Sharing, Sexting, Responsible Internet Habits; instructor Damian Minarik; Spring 2010); the TDS Conference (LimeWire, Digital Forensics) at Naval Air Station Corpus Christi, TX (2010) and at Ft Lewis, WA (2010); and ITT Technical College (eDiscovery, Digital Forensics; Winter 2010). Currently he is a Digital Forensic Examiner at Cyber Agents Inc., which he founded in 1999 and has worked at since. He has testified in Article 32 hearings, trials and pre-trial hearings, either in person or telephonically. Eric has managed and maintained a lab that allows a 24-hour, round-the-clock workforce for large data harvesting projects and cases.


RECOVERING IE HISTORY USING PASCO IN LINUX UBUNTU 12.04


CARLOS CAJIGAS MSc, EnCE, CFCE, CDFE

Reconstructing and examining web browsing history is a task that is required during most forensic examinations. Luckily, popular commercial tools have done a good job of simplifying the reconstruction process for us. While commercial tools simplify the process, the software often comes with a hefty price tag.

Although not as user friendly as the commercial tools, Pasco can parse the browsing history contained in Internet Explorer's index.dat file and output the results in a field-delimited form that can be imported into the spreadsheet program of your choice. The spreadsheet can then be sorted by date to shed light on the browsing patterns of the subject of your investigation. Pasco is an open source tool that you can use for free.

THE GOAL:

The plan is to recreate the steps that lead to data being added to an index.dat file. We will accomplish this by doing some Internet Explorer web browsing in our own controlled environment. We will then use Pasco to examine our own browsing history. The BackTrack live DVD comes bundled with Pasco, but for the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.

CONTROLLED ENVIRONMENT:

In order to create our own Internet Explorer index.dat file, I began by installing a new Windows 7 Home Premium operating system on my laptop.

When it came time to set the clock, I selected Eastern Standard Time, as I am currently living on the East Coast of the US.

The installation completed and I logged in as user Carlos. I gave the laptop an internet connection and opened the Internet Explorer (IE) browser. The first time that IE is launched, a Microsoft-owned website opens in the background and you are welcomed with the Welcome to IE 8 screen asking you to set it up. I clicked on the Ask me Later button to avoid the setup process. A second tab immediately opened, redirecting me to another Microsoft-owned website. I waited for the second tab to load and then closed the IE window, because I wanted to start our own browsing session in a separate IE window. At 12:58 pm, I launched a new IE window. The browsing window opened and the default Microsoft-owned website loaded. I then went to the address bar, typed www.time.gov/timezone.cgi?Eastern/d/-5 and pressed enter. I navigated to this website to confirm that the local time of the computer matched the current local time from time.gov.

After navigating to time.gov, I launched Windows Explorer and opened the Penguins.jpg picture located in the C:\Users\Public\Pictures\Sample Pictures folder.

Navigating to time.gov and opening the Penguins.jpg picture are two actions that should be recorded in the index.dat file. I then closed all windows and shut down the computer. This concludes the controlled environment part of our test. Let's move on to the next part.

INSTALLING THE TOOLS:

The tool that we will use for the examination, Pasco, is not included in Ubuntu by default, but it can be installed from the Ubuntu Software Center. Click on the Dash Home circle, located at the top left of your screen, type software and click on the Ubuntu Software Center icon that appears.

After the Ubuntu Software Center opens, you will see a search box in the top-right corner of the window. Type pasco and click on the Install button. You will be prompted for a password: Ubuntu uses sudo, so this is your own account password, not a separate root password. Enter it and wait for the program to install.

Now that we have the program we need, close the Ubuntu Software Center and open a terminal window. In Ubuntu you can do this by pressing Ctrl-Alt-T or by going to the Dash Home and typing terminal. The next step is to prepare a working folder to receive the results of our analysis. Right click on your desktop, select Create New Folder and name it Test.

THE EXAMINATION:
For the examination part of the test I chose to examine our Windows 7 installation by removing the hard drive from the laptop and connecting it directly to my examination computer with Ubuntu installed on it. I placed the hard drive into a USB enclosure and connected the USB cord to a previously validated USB hardware write-blocker. I then connected the write-blocker to a USB port on my examination computer. If you do not have a hardware write-blocker, a previously validated software write-blocking procedure can stand in for it, but never connect evidence media to a computer without one: the Ubuntu desktop mounts removable media read-write by default, so a single click in the file manager is enough to alter the evidence.

From now on, we will refer to the hard drive containing the Windows 7 installation as our test media. Make sure your test media is connected to the computer and open Nautilus, the file manager for the GNOME desktop environment. You can launch Nautilus by left clicking on the folder-shaped icon in your launcher. Nautilus displays your connected devices on the left side of the window. My test media is the one that says 250 GB Filesystem. Click on the name of your test media to mount it (if it isn't mounted already). By default, Ubuntu mounts connected devices inside the /media folder.

Once the terminal window is open, type the following into the terminal to determine which devices are currently mounted on your system:

df -h

Notice that my test media was mounted under the /media folder as 464263C04263B37B. We are almost ready to use Pasco. Pasco is a very simple program to use: you point it at an index.dat file and redirect its output to the location of your choice. An example of its usage is $ pasco index.dat > pascoresults.csv. By default the output is tab delimited (the -t option changes the delimiter), so the .csv extension is only a convenience. Before we use Pasco, we need to navigate to the location of the index.dat on the test media. On a Windows 7 operating system the index.dat containing the browsing history is located at /Users/<User>/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat. Keep in mind that this is only the history file: the cache and the cookies have their own index.dat files, and the MSHist01* subfolders under History.IE5 carry daily and weekly copies of the history as well. We will use the cd command to change directory into the History.IE5 folder. Type the following into the terminal:

cd /media/464263C04263B37B/Users/Carlos/AppData/Local/Microsoft/Windows/History/History.IE5

Replace 464263C04263B37B with the directory assigned to your test media and replace Carlos with the name of the user account that you are targeting. After doing so, press enter.

The dollar sign after History.IE5 in the prompt indicates that History.IE5 is your current directory, exactly what we wanted. Now type ls -lh into the terminal and press enter to see if we have an index.dat file in our current directory. ls is the list files command; the -l flag uses the long listing format and the -h flag prints the file sizes in human readable form.

Notice that yes, we do have an index.dat file in our current directory. Now it's time to call Pasco. Type the command below into the terminal and press enter:

pasco index.dat > /home/carlos/Desktop/Test/IEhistory.csv

This command points Pasco at the index.dat file and redirects its output into a file appropriately named IEhistory.csv inside our previously created Test folder on the Desktop (replace carlos with the Ubuntu account you are logged in as). If you get your prompt back without any errors, the command worked as intended. If you also want Pasco to attempt to recover deleted activity records, run it a second time with the -d option and save that output to a separate file.

Now open Nautilus, navigate to the IEhistory.csv file inside the Test folder and open it with LibreOffice Calc, Ubuntu's default spreadsheet program.

When it opens, you will be asked to select how you want LibreOffice Calc to interpret the fields in your file. The options are under the Separator Options area. I chose to have the data separated by Tab and Semicolon, by adding a checkmark next to each, and pressed OK. Tab alone is the safer choice, because Pasco only separates fields with tabs and a URL or HTTP header field can itself contain a semicolon, which would then be split across two columns.

The file then opens and displays the data that was parsed from the index.dat file. The final step is to sort it by date and time. Head over to the MODIFIED TIME column and highlight the items in it. Mouse over to the Data tab and click on Sort. Select Extend Selection so that all of the fields get sorted at the same time. Then tell it to sort by MODIFIED TIME followed by ACCESS TIME and press OK.

And that's it. Below are the results of the data parsed by Pasco in the order that the browsing occurred, sorted by the local time of the computer.

At 12:58 PM, when we opened the new IE window, the default Microsoft-owned website opened up (msn.com). A minute later we navigated to time.gov, and then opened the Penguins.jpg image. All of our actions were recorded in the index.dat file and parsed by Pasco into an easy to read spreadsheet. The visit to time.gov at a known local time is what lets us trust the time columns: index.dat stores Windows FILETIME values, and before relying on a tool's conversion to local time in a case, check it against an event whose time you already know, exactly as done here.

CONCLUSION:
Pasco is an easy to use tool that can help you parse the IE browsing history of a specific user in your investigation.

Author bio

CARLOS CAJIGAS MSc, EnCE, CFCE, CDFE, A+. Carlos, a native of San Juan, Puerto Rico, is the Training Director and Senior Forensic Analyst for EPYX Forensics. Concurrently, he is employed by the West Palm Beach Police Department (FL) as a Detective/Examiner assigned to the Digital Forensics Unit, with over 8 years of law enforcement experience. He has conducted examinations on hundreds of digital devices, including computers, cell phones, and GPS devices, and has hundreds of hours of digital forensics training. His training includes courses offered by Guidance Software (EnCase), the National White Collar Crime Center (NW3C), and the International Association of Computer Investigative Specialists (IACIS). Carlos holds B.S. and M.S. degrees from Palm Beach Atlantic University (FL). In addition, he holds various certifications in the digital forensics field, including EnCase Certified Examiner (EnCE), Certified Forensic Computer Examiner (CFCE) from IACIS, and Certified Digital Forensic Examiner (CDFE) from Mile2. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and the Miami Electronic Crimes Task Force (MECTF). Most recently, Carlos has begun writing a blog for EPYX Forensics (www.epyxforensics.com/blog) to assist other digital forensic examiners in using free, open source, Linux-based tools to do their jobs. He hopes to develop and implement course training in this area in the belief that there are alternatives to expensive commercial software and training. carlos@epyxforensics.com



CAPTURING INSTANT MESSAGES


WITH PACKET CAPTURE TECHNOLOGIES
NICHOLAS MITER

Most commercial forensic software packages focus on indexing and intelligently searching data archived on hard drives, networks, and e-mail servers. These tools work well when archived information accurately reflects employee communication. However, deleted or real-time traffic is not fully recoverable with traditional search utilities. A comprehensive discovery package must capture, filter, and store real-time data to tell a more complete, and more interesting, story. Real-time forensic technologies, however, implicate several legal principles, such as wiretapping laws, waiver of privacy restrictions, and evidentiary rules, that do not arise with archived information. This article discusses some of these principles and provides a simple example of a forensic tool that captures instant messaging traffic and stores it in a Microsoft SQL Server database. Many forensic toolkits support importing data from commercial database systems.

EVIDENTIARY VALUE

The probative value of instant messages and other forms of real-time communication is enormous, because case participants do not anticipate that their messages and phone calls could be used against them. They will be more likely to share key insights during these conversations. Courts usually weigh the probative value of relevant evidence against its prejudicial effect. Recorded communications are more reliable and truthful when the declarant doesn't know or even suspect he is being monitored. The surprise effect results in judicial efficiency, because case participants will have an even greater incentive to tell the truth and settle a case when the court can be more objective. Furthermore, real-time messages are often composed of short, simple concepts that can be easily separated from irrelevant messages. An irrelevant or privileged message can be redacted from a transcript, leaving information that is understood without the redacted portions. This is important for a couple of reasons. First, when traditional documents are redacted, the remaining portions are hard to read because context is missing. A jury can be confused or, worse, misled. An instant message, in contrast, is understood on its own without including every other instant message. Also, increasingly popular electronic discovery software that intelligently categorizes information by mood or concept must distinguish between concepts embedded in documents, paragraphs, and sentences. For instance, an entire document may have a positive, optimistic tone but one paragraph could be pessimistic. Categorizing the entire document as neutral because the pessimistic and optimistic paragraphs cancel each other out would be inaccurate. Instant messages are composed of short, discrete sentences that can easily be coded and analyzed with intelligent software without the need to distinguish between sentences and paragraphs, because each message usually includes only one concept.

Real-time communications also more easily fit the evidentiary rules known as hearsay exceptions, because they tend to include statements of intent, present sense impressions, and admissions against interest. Hearsay is an out-of-court statement used to prove the truth of the matter asserted. A statement like "I just wired $1,000,000 to a company in Europe" is hearsay if it was made out of court and is being used to prove that I really wired a sum of money to Europe. The court would need direct evidence of the transaction, because hearsay isn't admissible. Hearsay tends to be inadmissible because there are problems memorizing and recalling exactly what the declarant said. There are also concerns over truthfulness, because the declarant can't be cross-examined about the statement. Unless a hearsay exception applies, hearsay is generally inadmissible. Records of real-time communication are more reliable than traditional forms of hearsay because they are a perfect record of exactly what was said. There are no problems with remembering and recalling the exact statement. Recalling the exact statement is critical to understanding the context behind it, because a statement could have more than one meaning; the precise wording helps decode what, exactly, was meant. Also, hearsay exceptions like statements of intent can easily be found in real-time communication. For example, if an employee tells someone he intends to wire funds to complete a transaction, these statements may be admissible to prove the declarant actually wired funds.

CRIMINAL PENALTIES FOR WIRETAPPING

The criminal penalties for illegally eavesdropping on or recording a conversation are severe and warrant consulting a licensed attorney. Federal law criminalizes the capture of any communication transmitted electronically without the consent of one of the participants. It also criminalizes attempted eavesdropping, conspiracy to eavesdrop, and disclosing illegally obtained information. Thus, planning to install an illegal wiretap or working on a project to install one could subject all participants to criminal liability, and disclosing information obtained from an illegal wiretap is itself criminal. There are exceptions for law enforcement purposes; the scope of the act is criminal, however, and the exceptions pertain to law enforcement agents obtaining emergency warrants. Likewise, state governments and territories also criminalize wiretapping. Nearly all states and territories in the United States criminalize illegal wiretaps. According to the National Conference of State Legislatures, forty states require one party to consent, while twelve require all parties to consent. Some states even criminalize the failure to report illegal wiretapping. There are also several laws applicable to eavesdropping on government employees, as well as to wiretapping private companies that do business with the government. A review by a qualified attorney should be performed prior to recording any real-time data.

WAIVERS FOR WORK RELATED PURPOSES

A legal waiver may provide a company with permission to record employee communication. However, it may not be sufficient to waive consent for the other parties privy to the communication. Also, an employee located in a single-consent state may communicate with employees in all-party-consent states. While legal in the employee's home state, the wiretap is criminal in the other and subjects the company to litigation risk and possible criminal liability. A wiretap pursuant to a judicial warrant or discovery order, in contrast, mitigates criminal liability. However, the wiretap should be narrow, to prevent inadvertent capture of private information, and an attorney should be consulted in all cases.

EXAMPLE SETUP

There are many tools available to record network traffic and extract real-time communication like instant messages as well as VoIP traffic. These tools should be placed at a location that network traffic routinely crosses. The data collected is then exported to a commercial database and analyzed with commercial forensic and electronic discovery software. The software can generate printouts of real-time communication to be reviewed and then used at trial. ColaSoft's Capsa Free was chosen because it is free, intuitive, and automatically assembles instant messages. ColaSoft also offers a WiFi version that captures messages in a WiFi environment, automatically decrypting traffic with a predefined key. The software extracts and reassembles packets in real time, composes instant messages, and exports data to an Excel file. There are other tools, like Chaos Reader, that capture and log network traffic. Chaos Reader is an extendable utility written in Perl that runs on Windows and Linux platforms. Chaos Reader offers preset filters recognizing certain types of network traffic: web, Internet Relay Chat, e-mail, and file transfers. It does not currently recognize instant messages or voice over IP traffic, but can be programmed to do so. The toolkit also captures images and keeps a detailed record of logged network traffic. Chaos Reader isn't as intuitive as ColaSoft's Capsa Free, because it runs in Perl and does not have a graphical user interface. However, Chaos Reader does support many types of network traffic, including IP version 6. ColaSoft, in contrast, is easier to use, features an intuitive user interface, and automatically reassembles instant messages.

Figure 1. Log displaying pictures captured with ChaosReader (http://chaosreader.sourceforge.net/Chaos01/image.html)

The logs from both software packages can be imported into a commercial database like SQL Server and accessed with forensic and electronic discovery toolkits. The logs must be exported to a commonly used data file format, like flat files or CSV, and then imported with a commercial database package. In this example, logs are imported with Microsoft Access into a Microsoft SQL Server 2012 database.

The software in this example does not access data archived on employee hard drives. Instead, it records network traffic in real time. The tap must be located where it can intercept all network traffic coming from and going to the employees in question. If an employee uses a smart phone or a personal internet connection while at work, those devices let traffic bypass the tap. A network policy preventing employees from accessing the internet through personal devices closes that gap and results in a more thorough collection of evidence. The tap should be installed in a physically secured location to preserve evidence and prevent inadvertent damage to the equipment; inadvertent damage could cause the courts to mistakenly believe the evidence was intentionally deleted and give the court reason to sanction counsel and the company. The tap should also be hidden, to avoid alerting employees subject to the order that their communications are being intercepted and to prevent them from accessing the evidence. Ideally, the tap sits in a secure, hidden and remote location with access to all of the employees' network traffic. A network location capable of intercepting the employees' traffic should be identified from network diagrams. A small office can easily be tapped by intercepting all incoming and outgoing communications at the router and modem. A large network, in contrast, may require identifying the locations of bridges and switches, logging data at several points to ensure completeness, and possibly routing all traffic through custom routes. Two practical limits apply at any size: on a switched network an ordinary port only sees its own traffic, so the capture system needs a mirror (SPAN) port or an inline tap, and anything the employees send over TLS or a VPN will be captured only in encrypted form.

STEP 1: CAPTURE THE PACKETS WITH AN EASY TO USE NETWORK MONITORING TOOL

In this example, two users are planning to steal company cars. An example system will be used to capture and store statements relating to the conspiracy, to be used at trial.

Figure 2. Employees Planning a Crime with Instant Messages

ColaSoft created Capsa Free, a simple packet capturing tool that can parse instant messages and web traffic. The free version can be downloaded from their website. Download and install Capsa Free on a system and place the system at a location with access to the network traffic. The system's network card will surreptitiously record and filter the traffic. Start Capsa Free and begin capturing instant messages.

Figure 2. Where to place wiretap systems in an Ethernet Network

Once a location is chosen and a wiretapping system is installed, the system should monitor, filter, and log data. Courts generally require scientific and technical evidence to be reliable. The software chosen must meet reliability guidelines, as Federal Courts in particular may require the collection process to be proven with statistical precision. There is little margin for error, and the software and hardware platforms must be capable of performing their intended tasks and of reporting expected and actual error rates. Extracted data should be stored in a secure location, with cryptographic checksums computed at collection time to verify data integrity and preserve the chain of custody. Passwords should restrict unauthorized access, and logs should record every transfer of evidence from one system to another.

Figure 3. Capsa Free's Intuitive Interface Recognizes and Captures Yahoo and MSN Messages

STEP 2: EXPORT THE CAPTURED DATA TO EXCEL

Next, export the instant messages to an Excel file. Capsa Free does not support exporting files attached to instant messages, like pictures, but other applications may. Chaos Reader does support exporting attachments like graphics, but the messages must be manually reassembled. If Capsa Free captures instant messages and Chaos Reader stores the corresponding attachments, the attachments from Chaos Reader must be manually matched with the corresponding messages from Capsa Free.

Figure 4. Exporting Instant Messages Captured with Capsa Free

Select a location to save the exported messages. Capsa Free will export the instant messages. A database application like Microsoft SQL Server can then import the messages for use with most forensic and electronic discovery applications. Protect the database's integrity by limiting access, logging all changes, making frequent backups, and creating checksums of the raw database files before migrating them. The checksums verify that evidence was not added or removed when the database was transferred from one system to another. In addition, modify only one database at a time. Do not allow users to add data to several databases, because data could be lost. Also, do not lose database files, store them in unsecured locations for long periods of time, or give them to adverse, interested parties.

Figure 5. Carefully Select a Secure Location to Transfer Log Files

STEP 3: IMPORT THE DATA INTO A COMMERCIAL DATABASE PACKAGE LIKE SQL SERVER

Start Microsoft Access and create a new Table. Import the Instant Messages from Excel.

Figure 6. Importing a Log File with Microsoft Access

Select the Excel file containing the instant messages. Also select the destination table in Access.

Figure 7. Add the Log File to a Table Linked to a SQL Database

Specify the location of table field names in the Excel Spreadsheet, as well as formatting characteristics like field delimiters and text qualifiers.

Figure 8. Specify which parts of the log file contain database fields

Link the Table to a SQL Server Database.

Figure 9. Specify a Table Linked to an ODBC connection

Refresh the SQL Database with the imported data.

Figure 10. ODBC refreshes the table

Synch the Access Table with SQL Server. Choose the correct database.

Figure 11. Connect to the SQL Database with the ODBC connection and update

Verify the instant messages were successfully added to the SQL Database.

Figure 12. Verify data was successfully appended in SQL

In summary, installing a wiretap can easily record real-time communication and provide valuable insights at trial. A party who thought they successfully deleted archived evidence can be impeached with evidence collected in real time. In addition, the threat of recording real-time communication improves judicial accuracy and efficiency by giving all parties an incentive to tell the truth and settle, because they will know at the outset the courts will be more objective. These technologies also subject users to potential criminal and civil liability for illegal wiretaps, and wiretaps without a proper warrant.
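The checksum and transfer-logging practice the three steps call for, as an added example that is not from the article or from ColaSoft: the exported message log is hashed before it leaves the capture host, loaded into a database (SQLite standing in for SQL Server), and then re-hashed and row-counted on the receiving side so that a file altered in transit is caught. The CSV columns, host names and sample messages are constructed assumptions, not Capsa Free's real export format.

```python
import csv
import hashlib
import io
import sqlite3

# Constructed sample export: the columns are an assumption, not Capsa Free's real format.
SAMPLE_EXPORT = b"""timestamp,protocol,sender,recipient,message
2012-07-01 09:14:02,MSN,alice,bob,Did you get the keys?
2012-07-01 09:14:30,MSN,bob,alice,Yes lot B tonight
2012-07-01 09:15:11,Yahoo,alice,bob,Delete this chat
"""

def checksum(data: bytes) -> str:
    """SHA-256 of the raw export, taken on the capture host before the file moves."""
    return hashlib.sha256(data).hexdigest()

def parse_export(data: bytes) -> list:
    """Rows of the exported message log as (timestamp, protocol, sender, recipient, message)."""
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    return [(r["timestamp"], r["protocol"], r["sender"], r["recipient"], r["message"]) for r in reader]

def import_messages(conn: sqlite3.Connection, data: bytes) -> int:
    """Load the export into the evidence table (SQLite stands in for SQL Server); returns rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS im_messages "
                 "(ts TEXT, protocol TEXT, sender TEXT, recipient TEXT, message TEXT)")
    rows = parse_export(data)
    conn.executemany("INSERT INTO im_messages VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def verify_transfer(conn: sqlite3.Connection, data: bytes, expected_sha256: str) -> dict:
    """On the receiving system: re-hash the file and confirm nothing was added or removed."""
    db_count = conn.execute("SELECT COUNT(*) FROM im_messages").fetchone()[0]
    return {
        "file_hash_matches": checksum(data) == expected_sha256,
        "row_count_matches": len(parse_export(data)) == db_count,
    }

def run_demo() -> tuple:
    """Clean transfer passes both checks; a file altered in transit fails both."""
    custody_log = []                      # records each hand-off: (source, destination, sha256)
    original_hash = checksum(SAMPLE_EXPORT)
    custody_log.append(("capture-host", "evidence-db", original_hash))  # hypothetical host names
    conn = sqlite3.connect(":memory:")
    inserted = import_messages(conn, SAMPLE_EXPORT)
    clean = verify_transfer(conn, SAMPLE_EXPORT, original_hash)
    # Constructed tampering: one line appended after the checksum was taken.
    tampered = SAMPLE_EXPORT + b"2012-07-01 09:16:00,MSN,eve,bob,added later\n"
    bad = verify_transfer(conn, tampered, original_hash)
    return inserted, clean, bad, custody_log
```

In practice the custody log entries and the original hash are kept separately from the evidence file itself, so the receiving side compares against a value the sender recorded, not one read from the transferred media.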

Author bio

Nicholas Miter has a Juris Doctor from the University of Pennsylvania Law School, a Bachelor of Science in Computer Science from the University of Illinois at Champaign-Urbana, and has worked for innovative companies like Microsoft, Intel, AT&T, Factset Research Systems, and most recently Nuix. He has completed several Finance classes at the Wharton School of Business and served as an editor for the Journal of Labor and Employment Law.


SECURITY TESTING TOOL OR CYBER WEAPON


by Kevin G. Coleman

Many software and systems testing tools can be considered dual-use technology. While they are used to legitimately test software and systems, they can also be used to attack those same software and systems. Therefore, there is a growing concern about the development and proliferation of what has been referred to as Cyber Arms.

In fact, in 2011 China and Russia submitted a recommendation to the United Nations about a Cyber Arms Treaty. This topic is not new to the United Nations; it can be traced back to 2006, when the U.N. General Assembly requested that all countries submit their views on a binding conventional arms trade treaty. Currently, the UN is working on a global treaty that would regulate the international arms trade, covering all conventional weapons, and that would promote transparency and accountability in the arms trade. An international legal definition of conventional arms really does not exist. The closest thing we could find states that conventional arms are all weapons that are not chemical, biological or nuclear in nature. Given that broad definition, cyber weapons would have to fall under the conventional arms heading even though cyber weapons are not specifically addressed.

There is another big issue with this movement by the UN. There are 231 countries connected to the Internet and only 193 of those countries are members of the United Nations. Could the 38 countries not represented in the UN become sanctuaries for cyber arms dealers? That is a distinct possibility.

Recently the European Union contributed to and further confused this already complex issue by its actions to control cyber weapons, actions that negatively impact security testing tools. The EU proposal states that the production or sale of devices such as computer programs designed for cyber attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses. If convicted, a cyber attacker would face at least two years in prison, and at least five years under aggravating circumstances (for example, the use of a tool specifically designed for large-scale attacks) or for attacks that cause considerable damage (disrupting critical infrastructure).

Pentesting is a technique used in evaluating the security of web sites, computer systems, networks and connected devices by simulating a cyber attack. In the hands of an attacker, a pentesting tool would be an automated cyber attack platform. Now consider system capacity (load) testing tools. They automate the generation of a massive number of transactions used to assess and verify the capacity of a computer, server, network or entire system. A distributed denial of service (DDoS) attack also generates a massive number of transactions, used to overwhelm the capacity of a computer, server, network or entire system. This legislation forces one to ask: how would software developers and others be able to conduct security / penetration tests and check the security of our own systems, or those of clients' systems, if they are no longer allowed to own such tools? The answer is very ugly: we would have to go back to manual testing methods! I asked one security consultant about this law and his only comment was "This is evil or moronic", and he is far from being alone with that opinion.

There is a fairly large and growing global market for these testing tools. A quick search resulted in nearly 600 such tools on the market today. Last year one analyst group forecasted the Asia Pacific region would have a compound average annual growth rate (CAGR) of 33.6 percent between 2010 and 2014. There are a number of conferences that address this subject matter and have robust vendor shows. The EU actions have many asking whether this growth rate should be considered an indicator of cyber arms proliferation. Legislation or regulations that outlaw these security testing tools will cause more harm than good. The only difference between a security testing tool and a cyber weapon is the intent of those using it. It would be nearly impossible to regulate intent, but it appears they are going to try. The EU efforts will ultimately result in the bad actors having access to automated attack capabilities (also known as cyber weapons) and system developers being forced to revert to highly costly and less effective manual testing methods.

There is a lot at risk due to the threat of cyber attacks that target our systems. The vast majority of the efforts to date are reactive and arguably not well thought through. To be proactive, we need an effective strategy that addresses the multiple facets of cyber security and defense, and requires all countries connected to the Internet to cooperate during investigations of cyber attacks.


Author bio

Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at the Internet pioneer Netscape, as well as the lead author of the Cyber Commander's eHandbook. He is a Senior Fellow with the Technolytics Institute, where he provides consulting services on strategic technology and security issues. He has presented/testified at the United Nations as well as to multiple elements of the U.S. Congress, and has briefed and instructed courses for the U.S. military and U.S. intelligence organizations. He writes a weekly blog for AOL Government on the topic of cyber intelligence, and on Digital Conflict at Defense Systems, as well as writing for Eye Spy Intelligence magazine in the UK.

Additional Information

http://gov.aol.com/2012/07/09/cyber-intelligence-un-arms-treaty-what-about-cyber-arms/
http://www.infosecisland.com/blogview/20901-EU-Possession-of-Hacking-Tools-to-Become-a-Criminal-Offense.html
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fTEXT%2bIM-PRESS%2b20120326IPR41843%2b0%2bDOC%2bXML%2bV0%2f%2fEN&language=EN

