eForensics Free 2.12 August

Post on 08-Aug-2018


8/21/2019 eForensics Free 2.12.August

www.eForensicsMag.com

RECOVERING IE HISTORY USING PASCO

SECURITY TESTING TOOL or CYBER WEAPON

FREE VOL. 2 NO. 2

CAPTURING INSTANT MESSAGES

SIP CALL FORENSICS ANALYSIS

HACKING EXTORTION CASE

Issue 2/2012 (2) August


AMPED FIVE IS THE MOST COMPLETE IMAGE PROCESSING SOFTWARE SPECIFICALLY DESIGNED FOR INVESTIGATIVE, FORENSIC AND SECURITY APPLICATIONS. ITS PRIMARY PURPOSE IS TO PROVIDE FORENSIC INVESTIGATORS A COMPLETE AND UNIQUE SOLUTION TO PROCESS AND ANALYZE DIGITAL IMAGES AND VIDEO DATA IN A SIMPLE, FAST AND PRECISE WAY.

AMPED FIVE IS DESIGNED AROUND OUR INNOVATIVE FAST WORKFLOW AND REAL-TIME FILTER CONCEPT TO DRAMATICALLY REDUCE THE TIME REQUIRED TO PROCESS DATA AND IMPROVE THE SUCCESS RATE OF VARIOUS CASES. FROM THE RESTORATION OF LOW QUALITY CCTV VIDEO TO FINGERPRINT ANALYSIS TO LIVE FULL MOTION VIDEO, ONE TOOL CAN HANDLE IT ALL.

AMPED FIVE WILL RUN ON STANDARD DESKTOP OR NOTEBOOK COMPUTERS AND DOES NOT RELY ON THIRD-PARTY COMMERCIAL PHOTO OR VIDEO EDITING SOFTWARE, PLUG-INS, SCRIPTS, OR SPECIAL HARDWARE. THIS MAKES THE TOTAL COST OF OWNERSHIP MUCH MORE MANAGEABLE AND IS JUST ONE PLATFORM TO LEARN, MAINTAIN, AND DEPLOY ON HARDWARE YOU ALREADY OWN.

AMPED FIVE 2012

THE RIGHT IMAGE AND VIDEO ANALYSIS TOOL FOR FORENSIC PROFESSIONALS.

Amped SRL | AREA Science Park - Building A | Padriciano 99, 34149 Trieste, Italy | T: +39 040 3755333 | F: +39 040 3755335

Amped Software North America | 4616 W Sahara Ave, STE 437 Las Vegas | NV 89102 USA | CAGE: 6CLY6 | DUNS: 968034780

Toll free: (866) 547-0099 | Tel: +1 (702) 498-0738 | Fax: +1 (702) 534-4731 | www.ampedsoftware.com | [email protected] | twitter.com/ampedsoftware


Designed from top to bottom as a purpose built self-contained tool for forensic needs

Support for images, videos and live streams

Integrated lossless DVR capture tool

Native support for Milestone XProtect surveillance live feeds and archived files

More than 70 filters for sharpening, denoising, integration, format conversion, distortion correction, image stabilization, Fourier transform, image resizing, intensity adjustments, super resolution, perspective correction...

Optimized workflow for quick and scientific processing

Unique concept of filters: Drop, add, delete, modify, move, copy, paste, any filter in any position. Modify any parameter of any operation in any order; the results can be applied and seen immediately, even while playing a video

One solution with tools for all types of work. From CCTV to intelligence operations video or latent fingerprints and document comparisons, Amped Five can do it all


Dear Readers!

Today's the day! The second issue of eForensics Free Mag saw the light of day. I hope you'll find here answers to some of your questions & problems. I know there are more and more doubts and threats since technology has been constantly developing. We can assume that cyber space has no boundaries. Because of that modern reality gives us unlimited opportunities, but it also makes us unbelievably vulnerable to the actions of others. Many people are affected by cyber crime and bullying every day.

To prevent unwanted intrusions sometimes we have to think ahead in the way that criminals do. Nicholas Miter in his article presents how managers and owners of companies should prevent fraud, attacks and stealing by capturing, filtering and storing real-time data. The author discusses some legal principles which arise from using real-time forensics technologies. He shows, as well, how to capture instant messaging traffic and store it in a Microsoft SQL Database Server by using a forensic tool.

Carlos Cajigas shows another non-commercial tool which can help you during your investigation. Sometimes critical evidence can be found in a suspect's web browsing history. The author of the article provides you with information on how to uncover such evidence in visited sites and attempted Internet searches with the use of PASCO - an easy tool which allows you to parse the browsing history of a concrete user.

As we know, the attacks of cyber criminals are increasingly targeted at mobile devices. One day Jan Tilo Kirchhoff started to receive strange calls. The caller ID showed that he's calling from his own number. He answered and heard only silence on the other end of the line. He decided to find out who the annoying intruder is. In his piece, Jan presents the process and results of the conducted investigation.

Most of the human discoveries or achievements are neutral. They could be of use to create good things or could become a tool for evil activities. In his article (the first in the article series), Kevin G. Coleman discusses the issue of dual-use technology. Every software or testing tool could be transformed into a cyber weapon. How to find the right solution in legislation which will protect us from attacks and won't stop software developers from creating new ways to protect data and systems?

The full picture of this month's issue is completed by the story created by Eric Lakes in which you can find love, revenge, fraud and... cyber investigation. As we have experienced many times, life writes better and more surprising scripts than Hollywood writers do.

Thank you all for your great support.

Enjoy reading!

Aleksandra Bielska
& eForensics Team

TEAM

Editor: Aleksandra Bielska
[email protected]

Betatesters/Proofreaders: Glen Victor, Daniel Sligar, Gabriele Biondo, Sailaja Aduri, Roshan Harneker, Olivier Cale, Vaman Amarjeet, Danilo Massa, Nicolas Villatte, Joshua Williams, Jonathan Ringler, Cindy Brodie, Lance Reck, Steven Doan, Andrew Levandosky, Akash Rosen, Sheri Lee, Dan Dieterle, Matthew Harvey, Mada R. Perdhana, Jonathan McBride, Scott Taylor, Will Poole, Jan Tilo Kirchhoff, Roshan Harneker, Andy Gibison, Marcelo Zuniga Torres

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa Dudzic
[email protected]

Art Director: Mateusz Jagielski
[email protected]

DTP: Mateusz Jagielski

Production Director: Andrzej Kuca
[email protected]

Marketing Director: Ewa Dudzic

Publisher: Software Media Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


6. SIP CALL FORENSIC ANALYSIS by JAN TILO KIRCHHOFF

'It all started during my 2011 summer vacation. One evening my mobile started ringing but when I finally got to it and accepted the call there was no one on the line...'

In this article, Jan Kirchhoff presents the investigation he conducted in order to detect the source and reason of the mysterious calls.

10. CYBER AGENTS: HACKING EXTORTION CASE by ERIC LAKES

'This case was real and very unique from start to finish. It was fun, not only due to the content of the case, but also because of the immediate challenges that the case presented and of course we like a good challenge.'

In this story Eric Lakes and Sergeant Randy, investigators at Cyber Agents, do their best to prove their client innocent and to outwit his smart wife.

16. RECOVERING IE HISTORY USING PASCO by CARLOS CAJIGAS

'Reconstructing and examining web browsing history is a task that is required during most forensic examinations.' In this article, Carlos Cajigas presents the reconstruction process in Linux Ubuntu 12.04 conducted with Pasco - an open source tool that you can use for free.

22. CAPTURING INSTANT MESSAGES WITH PACKET CAPTURE TECHNOLOGIES by NICHOLAS MITER

'Real-time forensic technologies, however, implicate several legal principles such as wire-tapping laws, waiver of privacy restrictions, and evidentiary rules not common with archived information.' The author discusses some of these principles and provides simple examples.

28. SECURITY TESTING TOOL OR CYBER WEAPON by KEVIN COLEMAN

In this article Kevin Coleman stresses the burning need to provide a clear distinction between Security Testing Tool and Cyber Weapon. His surprising remarks clearly pertain to the problem of nomenclature in the current regulatory system.

Categories: MOBILE, DATA, LAW REGULATIONS, NETWORK


SIP CALL FORENSICS: CHASING PHREAKS ON THE INTERNET

by Jan Kirchhoff

It all started during my 2011 summer vacation. One evening my mobile started ringing but when I finally got to it and accepted the call there was no one on the line. The same thing happened again in the middle of the night, followed by another call on the next day. The caller id showed that calls were coming from my home phone number. Finally I remembered that I had configured my home PBX to forward calls to a specific SIP account to my mobile. So I got on the internet to check the logs for any strange activities.

The call log showed that the calls had indeed come in through the SIP account in question but the originating caller id had been obscured.

20.07.2011;20:35:31;00:00:24;00:00;0,000;0;58;;;43;030868765432;***;;tilo;Firma 1;;Geschäft;Telefon;kommend;Eigene Wahl;192.168.88.63 (0A0B0C010203);
21.07.2011;01:41:13;00:00:24;00:10;0,000;0;58;;;46;030868765432;***;;tilo;Firma 1;;Geschäft;Telefon;kommend;Eigene Wahl;192.168.88.63 (0A0B0C010203);
22.07.2011;15:39:55;00:00:32;00:00;0,000;0;58;;;1;030868765432;***;;tilo;Firma 1;;Geschäft;Telefon;kommend;Eigene Wahl;192.168.88.63 (0A0B0C010203);

I decided to investigate further but wanted to get rid of the annoying calls at unpredictable times first. I changed the configuration to forward the calls to my voicemail, which would send me an e-mail notification for each new message it had recorded. Also I configured the system to create trace files of all SIP transactions.

In the following days the calls to my SIP account continued. Each time the call was accepted by the voicemail system but there was only silence in the recordings. The call was disconnected after the configured timeout by the voicemail system. So who was calling me? A quick look at one of the SIP INVITE messages at first raised more questions than it answered.

The incoming message was directed towards the public IP address of my home PBX:

-RX(942 Bytes)--SIP--IP:68.233.250.164--Dest:5060--Src:5060---
INVITE sip:[email protected] SIP/2.0

But the destination number 00441913561934 did not match any of my numbers/accounts. So at least there was a configuration problem since the call was still routed by the PBX. Still this would have to wait as I wanted to find out more about what was going on. I tried to call the destination number from my mobile but did not get anywhere. So I continued to analyse the SIP information.

Via: SIP/2.0/UDP 68.233.250.164;branch=z9hG4bKjgV0Myn7VUFW;rport
From: asterisk ;tag=nnGiiC0kgk


These lines contain the caller id, i.e. asterisk, as well as the originating IP address.

To:
Contact:
Call-ID: 5EMquzILbesxSFNJY2vh
CSeq: 101 INVITE
User-Agent: Asterisk PBX

This line shows information on the software used by the caller, i.e. Asterisk PBX.

Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE

The following lines give details on the requested session in SDP format.

Content-Type: application/sdp
Content-Length: 506

v=0
o=sip 12493 12493 IN IP4 1.2.3.4

The line directly above normally contains information on the IP address and ports to be used by the actual RTP based audio transmission. In this case the IP address 1.2.3.4 is definitely not correct, as a quick whois lookup will show you. No wonder I was not hearing anything.

s=session
c=IN IP4 1.2.3.4
t=0 0
m=audio 10318 RTP/AVP 10 4 3 0 8 112 5 7 18 111 101
a=rtpmap:10 L16/8000
a=rtpmap:4 G723/8000
a=fmtp:4 annexa=no
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:112 AAL2-G726-32/8000
a=rtpmap:5 DVI4/8000
a=rtpmap:7 LPC/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:111 G726-32/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv

sipte_setup_ind() State:0 Callid:168 Trid:15/0xFFF9

So the incoming call was definitely not from a regular caller. In fact a bit of research on the internet showed that the INVITE message closely matched the messages sent by a VoIP testing tool called sipvicious (http://blog.sipvicious.org). But who was running this software and for what purpose?

Meanwhile I had returned home which gave me better access to my PBX and the internet connection it was connected to. So I started to capture packets to see if any further information could be gained. Around the same time the number of INVITE messages coming into my PBX started to increase, first to three, then five and finally around 20 calls in a single day. To reduce the amount of data in the packet capture I used BPF filters to capture only the INVITE messages. Also since my DSL connection had to be restarted every day I added two lines to the connection script that would create a new capture file every day:

# one capture file per (re)connection, named by UTC timestamp
TIMESTAMP=`date -u +%Y%m%d_%H-%M-%S`
# ip[0x1c] is the first UDP payload byte (20-byte IP header + 8-byte UDP header);
# 0x49 is 'I', so only messages starting with INVITE are written. The filter is quoted
# so the shell does not interpret the parentheses.
tcpdump -s 1500 -c 1000 -i ppp0 'udp port 5060 and (ip[0x1c] == 0x49)' -w /var/log/tcpdump_${TIMESTAMP}

I then extracted the originating IP addresses from several capture files running

# print the first dotted-quad address found on each From: line of the decoded SIP messages
tcpdump -r tcpdump-6.cap -v | grep 'From:' | sed 's/[0-9][0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/;&;/' | awk -F ';' '{ print $2 }'

This yielded 5 different IP addresses owned by various hosting providers mainly in the Caribbean. The IP addresses had been associated with different domains at some point but seemed not to be hosting any active websites just now. All of them were running Plesk, a common webhosting platform (http://en.wikipedia.org/wiki/Plesk), and had several services including ssh and mysql open to the internet as a quick nmap scan showed. I assumed that the servers had been hacked while the provider had left them sitting idle after the last customer's contract had run out. So I contacted the providers describing my problem and asked them to check out these servers and do something about it. I never got any replies but the number of incoming calls quickly diminished.

Now I had an answer to the question who (or what) was calling me. But I still wanted to figure out why. I returned to the analysis of the INVITE messages I had collected over the past weeks and quickly found that the destination numbers called by the servers were varying. There were several distinctly different destination numbers, all containing 44 after a number of leading zeros. For some reason UK numbers (international code +44) have been a favorite for online scams in recent years, as a Google search for "+44 fraud" will tell you. Secondly the number of leading zeros seemed to be increasing over time for each destination, e.g. 0044123456789, 00044123456789, 000044123456789 etc. My conclusion is that the suspicious SIP calls were an automated attempt to find a dial-through path on my PBX. Once such a path had been established the attackers could have used it to route calls to any destinations around the world. Reselling this kind of service can be a lucrative business as the incoming SIP calls are basically free and the owner of the PBX is left to pay the bill.

I am just glad that the worst thing that came out of this was an unsolicited wake-up call during my holidays and not a huge phone bill ruining my holiday budget. Finally, please don't try to call me, I altered the numbers in the log files and my PBX is now reconfigured to not accept SIP calls from unknown peers.
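The manual analysis above (caller IP from the From/Via headers, User-Agent, the unusable SDP media address, and destination numbers that differ only in their count of leading zeros) can be automated over a batch of captured INVITEs. The following is an added example, not the author's code: the INVITEs are constructed stand-ins built from documentation addresses (192.0.2.10 as the PBX, 203.0.113.5 and 198.51.100.x as callers) and invented numbers, shaped like the message quoted in the article.

```python
import re
from collections import defaultdict


def build_invite(dialed, src_ip, sdp_ip, call_id, ua="Asterisk PBX"):
    """Constructed INVITE in the shape of the one quoted in the article (not real traffic)."""
    return (
        f"INVITE sip:{dialed}@192.0.2.10 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_ip};branch=z9hG4bK{call_id};rport\r\n"
        f"From: asterisk <sip:asterisk@{src_ip}>;tag={call_id}\r\n"
        f"To: <sip:{dialed}@192.0.2.10>\r\n"
        f"Call-ID: {call_id}\r\nCSeq: 101 INVITE\r\nUser-Agent: {ua}\r\n"
        f"Content-Type: application/sdp\r\n\r\n"
        f"v=0\r\no=sip 12493 12493 IN IP4 {sdp_ip}\r\ns=session\r\n"
        f"c=IN IP4 {sdp_ip}\r\nt=0 0\r\nm=audio 10318 RTP/AVP 0 8\r\n"
    )


SAMPLE_INVITES = [
    build_invite("0044123456789", "203.0.113.5", "1.2.3.4", "c1"),
    build_invite("00044123456789", "203.0.113.5", "1.2.3.4", "c2"),
    build_invite("000044123456789", "198.51.100.7", "1.2.3.4", "c3"),
    build_invite("0044987654321", "198.51.100.7", "1.2.3.4", "c4"),
    # an ordinary call to the account name; media address equals the source address
    build_invite("tilo", "198.51.100.20", "198.51.100.20", "c5", ua="Desk Phone"),
]

HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_invite(raw):
    """Pull out the fields the article inspects by hand: dialed number,
    signalling source address, User-Agent and the SDP connection address."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    req = re.match(r"INVITE sip:([^@\s]+)@", lines[0])
    headers = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    # caller address: host of the From URI, falling back to the Via sent-by address
    src = IPV4_RE.search(headers.get("from", "")) or IPV4_RE.search(headers.get("via", ""))
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    return {
        "call_id": headers.get("call-id"),
        "dialed": req.group(1) if req else None,
        "from_ip": src.group(0) if src else None,
        "user_agent": headers.get("user-agent"),
        "sdp_ip": conn.group(1) if conn else None,
    }


def media_address_mismatch(rec):
    """The article's first clue: the SDP connection address (1.2.3.4) was not the
    address the INVITE came from, so no audio could ever flow. A phone behind NAT
    can produce the same mismatch, so this is an indicator, not proof."""
    return rec["sdp_ip"] is None or rec["sdp_ip"] != rec["from_ip"]


def dial_through_probes(records):
    """Group dialed numbers by the digits left after the leading zeros. A destination
    tried with several zero-prefix lengths (0044..., 00044..., 000044...) is the
    dial-through probing the article concludes it saw."""
    prefixes = defaultdict(set)
    for rec in records:
        dialed = rec["dialed"] or ""
        if dialed.isdigit():
            core = dialed.lstrip("0")
            prefixes[core].add(len(dialed) - len(core))
    return {core: sorted(z) for core, z in prefixes.items() if len(z) >= 2}


def triage(raw_invites):
    """Return (probe groups, findings); a finding is (call_id, from_ip, user_agent, reasons)."""
    records = [parse_invite(r) for r in raw_invites]
    probes = dial_through_probes(records)
    findings = []
    for rec in records:
        reasons = []
        dialed = rec["dialed"] or ""
        core = dialed.lstrip("0")
        if media_address_mismatch(rec):
            reasons.append("sdp-address-mismatch")
        if core in probes:
            reasons.append("zero-prefix-probing")
        if dialed.isdigit() and dialed.startswith("00") and core.startswith("44"):
            reasons.append("international-uk-destination")
        if reasons:
            findings.append((rec["call_id"], rec["from_ip"], rec["user_agent"], reasons))
    return probes, findings


def suspicious_sources(findings):
    """The list the article built with tcpdump | grep From: | sed | awk, restricted to flagged calls."""
    return sorted({f[1] for f in findings})


if __name__ == "__main__":
    probes, findings = triage(SAMPLE_INVITES)
    print("probe groups:", probes)
    for finding in findings:
        print(finding)
    print("sources to report to the hosting providers:", suspicious_sources(findings))
```

The reported sources are the addresses to raise with the hosting providers, as the author did; the probe groups show which destination was being walked through with ever more leading zeros.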

Author bio

Jan-Tilo Kirchhoff is working as product manager for Aastra, a leading company at the forefront of the enterprise communications market around the world. His responsibilities include the security of VoIP solutions and telecommunications systems. He is a CISSP and holds a master's equivalent degree (Dipl. Ing.) in electrical engineering from the Technical University Berlin.


CYBER AGENTS: HACKING EXTORTION CASE

by Eric Lakes

One often has to wonder about the criminal's mind and how it works. Do they really think their plan is that good? Do they really think it will work and they won't get caught? Yep!!!

My name is Randy, I'm a cop (Da Da Da Dant). Well I used to be. I retired two years ago from a pretty decent sized city in central Kentucky called Lexington. I know, I know, I don't look old enough to be retired, but since you can't see me, you'll have to trust me, I am.

For the past several years I have been working on a contractor basis, with my friend and computer genius Eric Lakes in the capacity of a very exciting field called computer forensics. Eric has been involved in computers for more than 20 years himself, so forensics seemed to be a natural fit for both of us.

While working with Eric and of course more than 22 years in Law Enforcement, Eric & I have come across some very bizarre cases. In all of my years in Law Enforcement, I seldom get shocked anymore by one human's actions against another but this case shocked me. It reads like a dime-store novel. Details you would have had to make up because no one would ever try this. She did! You know the phrase "There is no fury like a woman scorned"? Well, this was fury, even though I'm not sure about the scorned part.

Who is she you're asking? Well, the Perpetrator in this case, we'll call her Jill, devised a plan so bizarre that you know that this case and its details have to be true. Truth, as you know, is in fact stranger than fiction. This case, I'm sad to say, is not fiction!

This case was real and very unique from start to finish. It was fun, not only due to the content of the case, but also because of the immediate challenges that the case presented and of course we like a good challenge. But it was also very serious.

The Defendant vs. Perpetrator

They are not the same in this case. Normally you would ask, well isn't the defendant the perpetrator? Not in this case, read on my friend, read on.

We were contacted by the defendant's, we'll call him Jack, counsel in April 2006, to review electronic media on two computers: Jack's and his now ex-girlfriend's, Jill. Both had been charged with serious crimes.

At the beginning of this case, Jack was dating and living with Jill. At that time, they were also working for the same company, but in very different capacities.

Jack was involved with the company at an upper level and Jill on a much lesser, worker-bee, level. Eventually an incident occurred at work that did not involve Jack; however, Jill was somehow implicated and separated from the company.

She must have taken great offense to this.

Jack and Jill had a stormy relationship from the start. One in which it appeared at least, that Jack was doing all the work and Jill was creating all the drama and spending all the money.

So, after too many un-resolvable incidents between Jack and Jill, Jack finally realized that he was in love with the wrong girl and had to leave. Eventually he moved out and got a place of his own.

The Story

This is where the fun begins. Don't think for a moment that Jill was going to take being broken up with by Jack lightly, especially since she had no job and needed to pay her bills. Even after the break-up, Jill tried to maintain a relationship with Jack and since he was broken hearted, I guess he tried too. Of course it didn't last. It was during this time that on one of Jill's visits to Jack's new apartment that Jill came into possession of one of Jack's credit cards, although Jack was not aware of this.


Jill rented a lap-top computer with Jack's credit card, without his knowledge or permission. She then began doing her homework on how her new computer worked. I guess she liked it.

During this time, Jill somehow discovered that Jack was making plans to move out of state. His skills were needed by another company and he was getting ready to take a job offer elsewhere. I guess he figured getting away from her wasn't a bad idea either. Jill on the other hand, found it a very bad idea.

So, Jill would have none of this. Being dumped, no more cash-cow and now he's not only moving on, but moving out of state!?!? No way.

The plan

Jill came up with a seemingly flawless plan to get back at everyone at once - Jack and the company - and make a few bucks out of the deal.

So, Jill contacted Jack's boss and told him that Jack had documents, tapes and other items that could prove that the company was committing wrong doings in the industry and Jack would turn them in, unless they paid him $30,000.

This was hard for the boss to believe, I'm sure, since Jack was involved in an upper level with the company, but you never know, right? Money and/or love are powerful motivators, even if one doesn't need the money, and it appeared that Jack didn't. Either way, the threat was made and the boss had to do something. So of course, the boss - being innocently adduced into this sordid tale - contacted the police. Together the police and the boss decided to see where this would lead. The boss told Jill that he was interested in seeing what info she or rather Jack had.

The deal was set in motion. Jill was counting her cash and her revenge already.

Jill gathered, what turned out to be, several useless items that were common to the company. But of course the boss did not know this. And since she was a former employee, gathering those types of items would have been easy for her.

Per Jill's instructions, she and the boss were going to meet at a certain place and time in a very remote, rural and somewhat mountainous area. Jill, her daughter and her daughter's boyfriend got there early and waited. When the boss showed up, he was not alone. He was in the company of - you guessed it, the police.

The police made an immediate Probable Cause arrest on all three suspects. The police gathered the suspects and their possessions, including the "evidence" against the company, and all were taken back to police headquarters for questioning.

Jill's daughter was also a cohort, and only after their confirmation of events did Jill break down, then stated that it was Jack that made her do it. It was he that was the mastermind of the entire operation. He was the one that gathered the information that would hurt the company - then forced her to call the boss and extort the money. This horrible tale was told through her many tears.

However, after hearing Jill's statement and gathering information that appeared to be, at the time, inflammatory against Jack, the police felt they had enough at the time and located Jack to make a Probable Cause arrest on him too.

But again, this case was unique from the start. The work we performed was extra-ordinary for this case. There were pieces of the case that just did not fit from the beginning.

Remember, we were contacted by Jack's attorney -- a smart man. Through legal disclosure, called Discovery, the attorney was given all the evidence that the police and prosecution had against Jack. Once we were able to meet with the attorney, we were then able to review the evidence at that time, as well. Cyber Agents' responsibility becomes fulminant, meaning coming on suddenly or with great severity.

We then met with the police and were able to make forensic images of Jack's computer hard drive and Jill's lap-top computer hard drive as well as all the CDs that were found in Jill's possession when the sting went down. Both the computers and CDs were recovered by the police as evidence. We used equipment by Voom that allows us to forensically secure the hard drives. The Hard Copy products are so versatile and portable that we can go off-site and perform multiple forensic images of potential evidence.

Once the forensic image is made, we leave the original intact with the owner, in this case the police, then take the forensic imaged version to work with in our computer lab. When a forensic image is made, all of the data remains identical and unchanged from the original hard drive. This way it upholds industry standards and any certified forensics computer examiner can see the exact same data. Very cool stuff.

As far as Cyber Agents goes, between Eric's 20 plus years experience in computers, being a Certified Computer Examiner, all of the various cases he has worked, all of his court testimony, prior military, being a qualified expert witness, his teaching and traveling the world and me, #2 on this case - being a retired police officer with 22 years of law enforcement, criminal law and investigative experience, knowing what to look for, while going through evidence, shows the reader what Jill was up against.

And again, things just didn't make sense.

Now it was our turn to get to work:

After having been off-site we were able to get to work back at our lab (in Lexington) with forensic images of both hard drives and CDs. Once we were back in the lab, we retrieved a list of key words or search terms that Jack and his attorney supplied us, to help in our search for evidence on the electronic media (the hard drives and CDs). We used forensic tools called AccessData, Gargoyle and EnCase. My job was to use the EnCase software and start the searching process. We entered these terms into EnCase, the forensic software, and the software highlights any place that the specific search terms we are looking for may have been used on the computer in any context. For example, within a Microsoft Word file to an e-mail or even web sites, the software attempts to locate that key word. It is incredible. The list of hits on any search term can be incredibly long depending on how we have set up that search term. Sometimes a search term may be such a common name or combination of letters that we have to perform focused searches such as: GREP or other endings-of or leave specific letter(s) out to minimize the trash or un-evidentiary search hits.

The search on each term has to be very precise and can take literally days on even one small word. If we locate anything noteworthy, we bookmark the item then export it to a file, so the client can see what we have found.

My findings did not seem to bear any evidence against Jack. The information that Jill claimed Jack had against the company was nowhere on his computer.

Fortunately, Cyber Agents has several work stations in which we can use multiple licensed forensic tools on the same case but for different aspects of the case. Therefore, different agents can work the same case in different ways. This has been a very useful asset for us.

Eric was working on the forensic image of Jill's lap-top computer hard drive. Eric used a software package called Mount Image Pro to basically load up the EnCase forensic image of the suspect hard drive as a drive letter or physical hard drive on the examiner's computer. Basically MIP is used to actually mount a forensic image into a logical hard drive so it can be scanned with different software packages. The image looks like a typical hard drive when connected to your system but keeps it in the exact state it was forensically secured. After this process Eric then started up Gargoyle Enterprise to scan this mounted forensic image.

The above caption is a screen shot of Gargoyle Enterprise. When the search is being performed on a particular case the boxes will be highlighted in a respective color as indicated: Grey (Unselected), Blue (Selected), White (Low Threat), Yellow (Medium Threat) and Red (High Threat). These indicators give us, the forensic examiners, something to look at and/or for.

Gargoyle Enterprise is a utility that as you can see has many uses. It can assist the forensic examiner in a variety of cases.

Gargoyle Enterprise is a product by WetStone Technologies, Inc. WetStone creates what are called datasets of known software, viruses, etc. These datasets are imported into Gargoyle Enterprise, which scans the suspect's computer's files and compares these values. When a comparison matches then the blue box can turn a specific color according to the threat level.

Indeed there can be and in some cases will be some false positives, but we as forensic examiners have seen this in many instances, so until we uncover that search hit, only then do we see what it really is. In this case the hit was on Key Loggers. Once the hit was uncovered Eric was able to go back to the forensic image and look for the particular software.

Now Eric's mind was racing.

Once the software was located, we then had to go online and buy the software. He purchased the software, and then HASHed all the files to create the fingerprint necessary for the validation process of what was found on the suspect computer. Basically Eric compared the HASH value of the software that Cyber Agents purchased to that of what was found on the suspect computer. Eric then had to HASH out all the files on Jill's computer. There it was - an exact match.

Eric determined that a file came in posing as a windows update executable that had the same HASH value as the file downloaded on Jill's computer. Eric then had to proceed with what the software's function was, in addition to what the software company stated. What happened was once the unsuspecting recipient of the disguised file was initiated, the software was capturing every keystroke the end-user performed and uploaded the information to a website. The suspect would go into that website by signing in and download all the sessions that were captured.
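The validation step described above (hash every file of the purchased copy, then hash the files on the suspect's image and look for an exact match, even where the file was renamed to pose as a Windows update) can be written down as a small known-file matcher. The following is an added example, not Cyber Agents' or Gargoyle's own tooling; it uses SHA-256 and a constructed fixture of harmless placeholder files in temporary directories that stand in for the purchased software and the mounted image.

```python
import hashlib
import os
import tempfile


def sha256_bytes(data):
    """Digest of in-memory data; the same algorithm the file hasher uses."""
    return hashlib.sha256(data).hexdigest()


def file_hash(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hashset(reference_dir, threat):
    """Fingerprint every file of the purchased reference copy, as the article
    describes hashing the bought keylogger: {digest: (reference name, threat)}."""
    hashset = {}
    for root, _, files in os.walk(reference_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, reference_dir).replace(os.sep, "/")
            hashset[file_hash(path)] = (rel, threat)
    return hashset


def scan_image(mount_dir, hashset):
    """Walk a mounted forensic image and report every file whose content is in the
    hashset, whatever name it carries. Returns sorted (image path, reference name,
    threat, digest) tuples; only content is compared, never file names."""
    matches = []
    for root, _, files in os.walk(mount_dir):
        for name in files:
            path = os.path.join(root, name)
            digest = file_hash(path)
            if digest in hashset:
                ref_name, threat = hashset[digest]
                rel = os.path.relpath(path, mount_dir).replace(os.sep, "/")
                matches.append((rel, ref_name, threat, digest))
    return sorted(matches)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed fixture (hypothetical names, harmless bytes) standing in for the
    purchased software and the mounted image of the suspect's laptop."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "purchased_copy")
        img = os.path.join(tmp, "mounted_image")
        logger = b"constructed stand-in for the keylogger executable"
        uploader = b"constructed stand-in for the upload component"
        _write(os.path.join(ref, "bin", "logger.exe"), logger)
        _write(os.path.join(ref, "bin", "uploader.dll"), uploader)
        _write(os.path.join(ref, "readme.txt"), b"vendor readme")
        # on the image the same content hides under a different name and path
        _write(os.path.join(img, "Downloads", "windows_update.exe"), logger)
        _write(os.path.join(img, "Windows", "System32", "uploader.dll"), uploader)
        _write(os.path.join(img, "Documents", "letter.doc"), b"unrelated document")
        return scan_image(img, build_hashset(ref, "high"))


if __name__ == "__main__":
    for image_path, ref_name, threat, digest in demo():
        print(f"{threat.upper():5} {image_path} == {ref_name} ({digest[:16]}...)")
```

A match proves that identical bytes are present, not how they got there; the purchase record and the captured sessions the article goes on to describe supply that context.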

These sessions were saved as .htm, Hyper-Text Markup Language, code.

As he started checking each file, Eric started up a software package called SnagIt by TechSmith. This software package lets the examiner perform many functions, such as snapshots of digital data that could be of interest and evidentiary, or lets us digitally video a process or website. What he had to do was run the Scrolling Windows Image Capture function.

What this is - is when the forensic examiner starts SnagIt he/she will choose the function needed for the particulars for the case they are working. In this case there were many files that Eric had to capture and document, but this had to be done for the sake of the case.

We, as forensic examiners, must turn over all stones and report everything, whether it is good or bad, for the case. The data in a case will always dictate how the case will progress, not outside human intervention. We as forensic examiners have a science to the art of performing our examinations for the client.


The screen shot above shows the choices that are given the user when starting up the SnagIt so

I discovered, the hard way, that there is a lot more to computer forensics than I ever dreamed of when I first started with Eric. I find it fascinating and even overwhelming at times. Still challenging and exciting.

Anyway, back to our work: after Eric recreated the HTML code, he discovered that it showed that the software was purchased with Jack's credit card! What?!?!?

While searching through the electronic media with forensic tools, we also continued to cross-reference the evidence information given to us by Jack's attorney.

While going through the photocopies of the evidence filed from the police reports, we were looking through a list of Jack's possessions at the time he was arrested. We discovered that two of Jack's credit cards were not listed in the contents of Jack's possessions: the one that was used to purchase the software that was on Jill's laptop computer and the one that was used by Jill to purchase a book. That got my mind racing! I can't let Eric's mind have all the fun, you know.

We put our heads together and ran over endless possibilities for what we were discovering.

Then this! This was amazing. Eric found another website that showed purchases were made using Jack's credit card. You know, the one Jill actually had and Jack didn't know it. It also showed that the delivery address was Jill's, but the billing address was Jack's. Wow!! That is credit card fraud and identity theft. Bad girl!!

Eric found that within 5 days from the date that Jill purchased the software, a pseudo Windows update file was sent to Jack's computer and then his system was compromised.

Eric installed the purchased software on a test system to see how it worked, what the system did, and what the end user of this software had to do to see or retrieve the data from the victim's computer.

Unbelievable! Every keystroke made on the compromised system is captured, per session, and uploaded automatically to a website. All Jill had to do was log in to that website and she could retrieve the keystroke info (made by Jack or any other victim computer system that was compromised) and see it. She saw everything he was typing. Each keystroke he made. Wow, yet again - now that's spying!!

But when the .htm file was opened to see its contents, the entire page was black. Eric then discovered that by running the mouse over the page, it highlighted the content area of the .htm view and the text appeared. This enabled us to read the data and capture it. Once Eric determined how and where the files were stored by the software, and then by the end user (Jill), he extracted all the .htm code/files, reproduced the web pages, captured the screens, and brought the results of each into the report function of AccessData Forensic Toolkit (FTK).

Now, after seeing what Jill was seeing on the spyware website, it was all coming together.

That's how she did it! She devised a plan to get junk information from Jack himself and attempted to use it against him, via blackmail/extortion against the company. She buys the spyware with Jack's own credit card and installs it on her own computer, and proceeds to hack and track Jack (say that three times fast). That made it easy for her to come up with bogus info against the company and make it look like she really had something. That's also, most likely, how she found out Jack was getting ready to leave the state too.

The CDs that the police gave us to forensically secure were the captured information from Jack's computer.

What did not make sense in the beginning was where or how she got this information, but that became perfectly clear in the end.

She could have all the junk she wanted with keystroke spyware. Then, with Jack out of the way, presumably in jail for something he didn't even do (that's what he gets for trying to free himself from her, I suppose), of course she spends the extorted money living very happily, criminally, ever after.

Oops!! She forgot about one thing... Cyber Agents! Thank goodness for Jack that his attorney had heard of us.

Fortunately, after the prosecutors and Jill received the findings from Cyber Agents, she took full responsibility for all the extortion and hacking that occurred and the charges against Jack were dismissed.

So there it was. So many clichés: a woman scorned, a nice guy finishing last, heroes save the day.

This case was amazing! Watching and working with Eric was also amazing.

At Cyber Agents, we don't jump to conclusions. We don't choose sides. The evidence is there or it's not. Prosecution or defense, criminal or civil, plaintiff or defendant: we've worked them all! We work within our client's best interest. We work with integrity, ethics and honesty. That is what makes being a Cyber Agent really cool!

And even after working this case, and seeing how it all unfolded, I am still shocked at how she could do that to someone that she was supposed to have loved, and still she thought she'd get away with it.

You have to admit, isn't it amazing how the criminal mind works?!?!?

Cyber Agents, Inc., Lexington, Kentucky. Owner/Operator: Eric Lakes. Lead Examiner: Eric Lakes, Cyber Agent. Cyber Agent #2 on this case: Randy F. Kaplan, Cyber Agent.

    CYBER AGENTS: HACKING EXTORTION CASE


Author bio
Eric Lakes has been involved in computers for more than 20 years. Throughout this period he has gained relevant experience in numerous fields related to computer analysis, consulting and teaching. Sworn in as an expert witness in computer forensic examination and data retrieval in federal, military, family and state courts, he has used and currently uses EnCase versions 1, 2, 2Pro, 3, 4, 5, 6, 7, AccessData Ultimate Forensic Toolkit, FastBloc FE, AccessData Password Recovery, Paraben PDA, DataPilot, R-Studio, X-Ways Forensics, Voom products as well as other tools and utilities. He has provided affidavits as an expert listing his findings in various cases and performed deposition consulting. He has retrieved data from various types of media: SanDisk, CD/CDRW/DVD, NAS, servers, hard drives, floppy disks, Zip. He holds numerous certificates (Certified Registered Investigator - American College of Forensic Examiners Institute (2010); Certified Computer Forensic Technician (2009) (High Tech Crime Network) (HTCN.ORG); Certified Homeland Security-III - Preparation and Response Teams Engineering and Technology (2006); Certified Basic Archery Instructor; Certified LiveWire Examiner (2006)). He regularly attends conferences (CEIC (Computer and Enterprise Investigations Conference) 2012 - Conference and Labs, Red Rock, NV; CEIC 2011 - Conference and Labs, Orlando, FL; CEIC 2008 - Conference and Labs, Henderson, NV; CEIC 2006 - Conference and Labs, Henderson, NV) and delivers speeches (Guest Speaker for Kentucky Public Advocacy - Topic: Computer Forensics (2012); Guest Speaker for JAG Conference Expert Symposium - Chicago, IL (Fall 2010); Guest Speaker for Paul Laurence Dunbar High School (eDiscovery, Digital Forensics, P2P File Sharing, Sexting, Responsible Internet Habits) (Instructor - Damian Minarik), Spring 2010; Guest Speaker for TDS Conference (LimeWire, Digital Forensics), Naval Air Station - Corpus Christi, TX, 2010; Guest Speaker for TDS Conference (LimeWire, Digital Forensics), Ft Lewis, WA, 2010; Guest Speaker for ITT Technical College (eDiscovery, Digital Forensics), Winter 2010). Currently he is a Digital Forensic Examiner at Cyber Agents Inc., which he founded and has been working at since 1999. He has testified in Article 32 hearings, trials and pre-trial hearings, either in person or telephonically. Eric has managed and maintained a lab that allows a 24-hour, round-the-clock work force for large data harvesting projects and cases.


RECOVERING IE HISTORY

USING PASCO IN LINUX UBUNTU 12.04

CARLOS CAJIGAS MSc, EnCE, CFCE, CDFE

Reconstructing and examining web browsing history is a task that is required during most forensic examinations. Luckily, popular commercial tools have done a good job of simplifying the reconstruction process for us. While commercial tools simplify the process, the software often comes with a hefty price tag.

Although not as user friendly as the commercial tools, Pasco can parse the browsing history contained in Internet Explorer's index.dat file and output the results in a field-delimited form that can be imported into the spreadsheet program of your choice. The spreadsheet can then be sorted by date to shed light on the browsing patterns of the subject in your investigation. Pasco is an open source tool that you can use for free.

THE GOAL:
The plan is to recreate the steps that will lead to data being added to an index.dat file. We will accomplish this by conducting some Internet Explorer web browsing in our own controlled environment. We will then use Pasco to examine our own browsing history. The BackTrack live DVD comes bundled with Pasco, but for the purposes of this article, I used an examination computer with Ubuntu 12.04 installed on it.

CONTROLLED ENVIRONMENT:
In order to create our own Internet Explorer index.dat file, I began by installing a new Windows 7 Home Premium operating system on my laptop. When it came time to set the clock, I selected Eastern Standard Time, as I am currently living on the East Coast of the US.


The installation completed and I logged in as user Carlos. I gave the laptop an internet connection and opened the Internet Explorer (IE) browser.

The first time that IE is launched, a Microsoft owned website opens in the background and you are welcomed with the Welcome to IE 8 screen asking you to set it up. I clicked on the Ask me Later button to avoid the set up process. A second tab immediately opened, redirecting me to another Microsoft owned website.

I waited for the second tab to load, and I then closed the IE window. I closed the window because I wanted to start our own browsing session in a separate IE window.

At 12:58 pm, I launched a new IE window. The browsing window opened and the default Microsoft owned website loaded up. I then went to the address bar, typed www.time.gov/timezone.cgi?Eastern/d/-5 and pressed enter. I navigated to this website to confirm that the local time of the computer matched the current local time from time.gov.

After navigating to time.gov, I launched Windows Explorer and opened the Penguins.jpg picture located in the C:\Users\Public\Pictures\Sample Pictures folder.

Navigating to time.gov and opening the Penguins.jpg picture are two actions that should be recorded in the index.dat file.

I then closed all windows and shut down the computer. This concludes the controlled environment part of our test. Let's move on to the next part.

INSTALLING THE TOOLS:
The tool that we will use for the examination is not included in Ubuntu by default. It can be downloaded from the Ubuntu Software Center. The tool that we will need to accomplish the task is Pasco. Let's head over to the Ubuntu Software Center for the tool. Click on the Dash Home circle, located on the top left of your screen, type in software and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type pasco and click on the install button. You will be prompted for your password (Ubuntu has no separate root password; the prompt is for your own account, which must have administrative rights). Enter it and wait for the program to install.


Now that we have the program that we need, close the Ubuntu Software Center. The next step is to prepare a working folder to receive the results from our analysis. Go to your desktop, right click on it, select Create New Folder and name it Test.

THE EXAMINATION:

For the examination part of the test I chose to examine our Windows 7 installation by removing the hard drive from the laptop and connecting it directly to my examination computer with Ubuntu installed on it. I placed the hard drive into a USB enclosure and connected the USB cord to a previously validated USB hardware write-blocker. I then connected the write-blocker to a USB port on my examination computer. If you do not have a write-blocker handy, you do not have to use one, just remember never to connect evidence media to a computer without the use of a previously validated write-blocking procedure. From now on, we will refer to the hard drive containing the Windows 7 installation as our Test Media.

Make sure your test media is connected to the computer and open Nautilus. Nautilus is the file manager for the GNOME desktop environment. You can launch Nautilus by left clicking on the folder-looking icon in your taskbar. Nautilus is going to display your connected devices on the top left side of the window. My test media is the one that says 250GB Filesystem. Click on the name of your test media to mount it (if it isn't mounted already). By default, Ubuntu mounts its connected devices inside of the media folder. Bear in mind that Nautilus mounts the volume read-write; that is harmless behind a hardware write-blocker, but without one you should mount the volume read-only from the terminal instead, so that the examination itself does not alter the evidence.

Now open a terminal window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in terminal.

Once the terminal window is open, type the following into the terminal to determine which devices are currently mounted in your system.

df -h

Notice that my test media was mounted under the media folder as 464263C04263B37B.

We are almost ready to use Pasco. Pasco is a very simple program to use. Pasco is used by pointing it to the index.dat and then redirecting its output to the location of your choice. An example of its usage is $ pasco index.dat > pascoresults.csv. Before we use Pasco, we need to navigate to the location where the index.dat is located on the test media. On a Windows 7 operating system the index.dat containing the browsing history is located at:

/Users/<user name>/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat

We will use the cd command to change directory into that History.IE5 folder on the test media (not into the desktop), under the mount point that df -h showed inside the media folder. Replace 464263C04263B37B with the directory assigned to your test media and replace Carlos with the name of the user account that you are targeting. After doing so, press enter.


The dollar sign after History.IE5 in the prompt indicates that History.IE5 is your current directory, exactly what we wanted.

Now type ls -lh into the terminal and press enter to see if we have an index.dat file in our current directory. ls is the list files command. The flag -l uses a long listing format, and the flag -h prints the file sizes in human-readable format.

Notice that yes, we do have an index.dat file in our current directory. Now it's time to call Pasco. Type the command below into the terminal and press enter.

pasco index.dat > /home/carlos/Desktop/Test/IEhistory.csv

This command points Pasco at the index.dat file and redirects its output into a file appropriately named IEhistory.csv, in our previously created Test folder on the Desktop (replace carlos with the user you are currently logged in as). If you get your cursor back without any errors being displayed, then you know that the command worked according to your input. Note that, despite the .csv extension, Pasco's output is tab-delimited by default, which matters when the file is opened in a spreadsheet.

Now open Nautilus, navigate to the IEhistory.csv file inside of the Test folder and open it with LibreOffice Calc. LibreOffice Calc is Ubuntu's default spreadsheet viewer.

When it opens, you will be asked to select how you want LibreOffice Calc to interpret the fields in your file. The options will be under the Separator Options area. I chose to have the data separated by Tab and Semicolon, by adding a checkmark next to them. After doing so I pressed Ok.

The file will then open and it will display the data that was parsed from the index.dat file. The final step is to sort it by date and time. Head over to the MODIFIED TIME column and highlight the items in it.

Mouse over to the Data tab and click on Sort.

Select Extend Selection so that all of the fields get sorted at the same time.

Then tell it to sort by MODIFIED TIME followed by ACCESS TIME and press Ok. Check how Calc has interpreted the time column before trusting the sort order: if the timestamps were imported as text rather than as dates, the sort is alphabetical and entries from different months or years will be out of order.
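Added example, not part of the article: the same sort done programmatically with Python's standard library, on constructed Pasco-style output. The column layout and the MM/DD/YYYY HH:MM:SS time format are assumed to be Pasco's default tab-delimited output; the dates and the Visited: user@url entries are made up for this demonstration, not taken from the author's index.dat. Parsing the timestamps into real datetimes is the point: a text sort of these strings would place the December 2011 entry last instead of first.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample in the shape of pasco's default output: one tab-delimited
# header line, then one record per line. The header names are the ones pasco
# prints; the visits and dates below are invented for this example.
SAMPLE_PASCO_OUTPUT = (
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\tVisited: Carlos@file:///C:/Users/Public/Pictures/Sample%20Pictures/Penguins.jpg"
    "\t09/05/2012 13:00:12\t09/05/2012 13:00:12\t\t\t\n"
    "URL\tVisited: Carlos@http://www.time.gov/timezone.cgi?Eastern/d/-5"
    "\t09/05/2012 12:59:31\t09/05/2012 12:59:31\t\t\t\n"
    "URL\tVisited: Carlos@http://www.msn.com/"
    "\t09/05/2012 12:58:05\t09/05/2012 12:58:05\t\t\t\n"
    "URL\tVisited: Carlos@http://go.microsoft.com/fwlink/?LinkId=69157"
    "\t12/28/2011 17:41:20\t12/28/2011 17:41:20\t\t\t\n"
)

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"          # assumed pasco time layout
VISITED = re.compile(r"^Visited:\s*(?P<user>[^@]+)@(?P<url>.*)$")


def _parse_time(value):
    """Empty fields occur in pasco output; keep them as None instead of failing."""
    value = value.strip()
    return datetime.strptime(value, TIME_FORMAT) if value else None


def parse_pasco(text):
    """Turn pasco's tab-delimited text into records with real datetimes and the
    Windows user / URL split out of the 'Visited: user@url' form."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        m = VISITED.match(row["URL"])
        user, url = (m.group("user"), m.group("url")) if m else (None, row["URL"])
        records.append({
            "type": row["TYPE"],
            "user": user,
            "url": url,
            "is_local_file": url.lower().startswith("file:"),
            "modified": _parse_time(row["MODIFIED TIME"]),
            "accessed": _parse_time(row["ACCESS TIME"]),
        })
    return records


def timeline(records):
    """Chronological order by MODIFIED TIME then ACCESS TIME, using the parsed
    datetimes. Records without a timestamp sort first rather than crashing."""
    floor = datetime.min
    return sorted(records, key=lambda r: (r["modified"] or floor,
                                          r["accessed"] or floor))


def text_sort_is_wrong(records):
    """True when sorting the raw MM/DD/YYYY strings would give a different
    order than the datetime sort, i.e. when the spreadsheet pitfall applies."""
    by_text = sorted(records, key=lambda r: r["modified"].strftime(TIME_FORMAT))
    return [r["url"] for r in by_text] != [r["url"] for r in timeline(records)]


if __name__ == "__main__":
    for r in timeline(parse_pasco(SAMPLE_PASCO_OUTPUT)):
        kind = "local file" if r["is_local_file"] else "web"
        print(f"{r['modified']}  {r['user']}  {kind:10}  {r['url']}")
```

The user name in each Visited: entry is worth keeping as a field of its own: a shared machine's History.IE5 index.dat can carry several accounts' visits, and the question in an examination is usually which account made them.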


And that's it. Below are the results of the data parsed by Pasco in the order that the browsing occurred, sorted by the local time of the computer.

At 12:58 PM, when we opened the new IE window, the default Microsoft owned website opened up (msn.com). A minute later we navigated to time.gov, and then opened the Penguins.jpg image. All of our actions were recorded by the index.dat file and parsed by Pasco into an easy to read spreadsheet. The time.gov visit is what makes the timestamps verifiable: one entry whose real wall-clock time is known lets you confirm the time zone in which the parsed times are being rendered before you build a timeline on them.

CONCLUSION:

Pasco is an easy to use tool that can help you parse the IE browsing history of a specific user in your investigation.

Author bio
CARLOS CAJIGAS MSc, EnCE, CFCE, CDFE, A+
Carlos, a native of San Juan, Puerto Rico, is the Training Director and Senior Forensic Analyst for EPYX Forensics. Concurrently, he is employed by the West Palm Beach Police Department (FL) as a Detective/Examiner assigned to the Digital Forensics Unit, with over 8 years of law enforcement experience. He has conducted examinations on hundreds of digital devices including computers, cell phones, and GPS devices, to go along with hundreds of hours of digital forensics training. His training includes courses offered by Guidance Software (EnCase), the National White Collar Crime Center (NW3C), and the International Association of Computer Investigative Specialists (IACIS). Carlos holds B.S. and M.S. degrees from Palm Beach Atlantic University (FL). In addition, he holds various certifications in the digital forensics field including EnCase Certified Examiner (EnCE), Certified Forensic Computer Examiner (CFCE) from IACIS, and Certified Digital Forensic Examiner (CDFE) from Mile2. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and the Miami Electronic Crimes Task Force (MECTF). Most recently, Carlos has started writing a blog for EPYX Forensics (www.epyxforensics.com/blog) to assist other digital forensic examiners in using free open source Linux-based tools to do their jobs. He hopes to develop and implement course training in this area in the belief that there are alternatives to expensive commercial software and training.

[email protected]


CAPTURING INSTANT MESSAGES

WITH PACKET CAPTURE TECHNOLOGIES

NICHOLAS MITER

Most commercial forensic software packages focus on indexing and intelligently searching data archived on hard drives, networks, and e-mail servers. These tools work well when archived information accurately reports employee communication. However, deleted or real-time traffic is not fully recoverable with traditional search utilities. A comprehensive discovery package must capture, filter, and store real-time data to tell a more complete, and more interesting, story. Real-time forensic technologies, however, implicate several legal principles such as wiretapping laws, waiver of privacy restrictions, and evidentiary rules not common with archived information. This article discusses some of these principles and provides a simple example of a forensic tool that captures instant messaging traffic and stores it in a Microsoft SQL Database Server. Many forensic toolkits support importing data from commercial database systems.

EVIDENTIARY VALUE
The probative value of instant messages and other forms of real-time communication is enormous because case participants do not anticipate that their messages and phone calls could be used against them. They will be more likely to share key insights during these conversations. Courts usually weigh the probative value of relevant evidence against its prejudicial effect. Recorded communications are more reliable and truthful when the declarant doesn't know or even suspect he is being monitored. The surprise effect results in judicial efficiency because case participants will have an even greater incentive to tell the truth and settle a case, because the court will be more objective. Furthermore, real-time messages are often composed of short, simple concepts that can be easily separated from irrelevant messages. An irrelevant or privileged message can be redacted from a transcript, leaving information that is understood without the redacted portions. This is important for a couple of reasons. First, when traditional documents are redacted, the remaining portions are hard to read because context is missing. A jury can be confused or, worse, misled. An instant message, in contrast, is understood on its own without including every other instant message.

Also, increasingly popular electronic discovery software that intelligently categorizes information by mood or concept must distinguish between concepts embedded in documents, paragraphs, and sentences. For instance, an entire document may have a positive, optimistic tone but one paragraph could be pessimistic. Categorizing the entire document as neutral because the pessimistic and optimistic paragraphs cancel each other out would be inaccurate. Instant messages are composed of short, discrete sentences that can easily be coded and analyzed with intelligent software without the need to distinguish between sentences and paragraphs, because each message usually includes only one concept. Also, real-time communications more easily fit evidentiary rules known as hearsay exceptions because they tend to include statements of intent, present sense impressions, and admissions against interest. Hearsay is an out of court statement used to prove the truth of the matter asserted. A statement like "I just wired $1,000,000 to a company in Europe" is hearsay if it was made out of court and is being used to prove that I really wired a sum of money to Europe. The court would need direct evidence of the transaction because hearsay isn't admissible. Hearsay tends to be inadmissible because there are problems memorizing and recalling exactly what the declarant said. There are also concerns over truthfulness because the declarant can't be cross-examined about the statement. Unless a hearsay exception applies, hearsay is generally inadmissible.

Records of real-time communication are more reliable than traditional forms of hearsay because they are a perfect record of exactly what was said. There are no problems with remembering and recalling the exact statement. Recalling the exact statement is critical to understanding the context behind the statement because a statement could have more than one meaning. Recalling the precise statement helps decode what, exactly, was meant. Also, hearsay exceptions like statements of intent can easily be found in real-time communication. For example, if an employee tells someone he intends to wire funds to complete a transaction, these statements may be admissible to prove the declarant actually wired funds.

CRIMINAL PENALTIES FOR WIRETAPPING
The criminal penalties for illegally eavesdropping on or recording a conversation are severe and warrant consulting with a licensed attorney. Federal laws criminalize the capture of any communication transmitted electronically without the consent of one of the participants. They also criminalize attempted eavesdropping, conspiracy to eavesdrop, and disclosing illegally obtained information. Thus, planning to install an illegal wiretap or working on a project to install an illegal wiretap could subject all participants to criminal liability. Disclosing information obtained from an illegal wiretap is also criminal. There are exceptions for law enforcement purposes. The scope of the act is criminal, however, and the exceptions pertain to law enforcement agents obtaining emergency warrants. Likewise, state governments and territories also criminalize wiretapping. Nearly all states and territories in the United States criminalize illegal wiretaps. According to the National Conference of State Legislatures, forty states require one party to consent, while twelve require all parties to consent. Some states even criminalize the failure to report illegal wiretapping. There are also several laws applicable to eavesdropping on government employees, as well as wiretapping private companies that do business with the government. A review by a qualified attorney should be performed prior to recording any real-time data.

WAIVERS FOR WORK RELATED PURPOSES
A legal waiver may provide a company with permission to record employee communication. However, it may not be sufficient, because it does not obtain consent from the other parties privy to the communication. Also, an employee located in a single-consent state may communicate with employees in dual-consent states. While legal in the employee's home state, the wiretap is criminal in the other and subjects the company to litigation risk and possible criminal liability. A wiretap pursuant to a judicial warrant, or discovery order, in contrast mitigates criminal liability. However, the wiretap should be narrow to prevent inadvertent discovery of private information, and an attorney should be consulted in all cases.
EXAMPLE SETUP

There are many tools available to record network traffic and extract real-time communication like instant messages as well as VoIP traffic. These tools should be placed in a location where network traffic routinely crosses. The data collected is then exported to a commercial database and analyzed with commercial forensic and electronic discovery software. The software can generate printouts of real-time communication to be reviewed and then used at trial. Colasoft's Capsa Free was chosen because it is free, intuitive, and automatically assembles instant messages. Colasoft also offers a WiFi version that captures messages in a WiFi environment, automatically decrypting traffic with a predefined key. The software extracts and reassembles packets in real time, composes instant messages, and exports data to an Excel file. There are other tools like Chaos Reader that capture and log network traffic. Chaos Reader is an extensible utility written in Perl, compatible with Windows and Linux platforms. Chaos Reader offers preset filters recognizing certain types of network traffic. The utility recognizes web, internet relay chat, e-mail, and file transfers. It does not currently recognize instant messages or voice over IP traffic but can be programmed to do so. The toolkit also captures images and keeps a detailed record of logged network traffic. Chaos Reader isn't as intuitive as Colasoft's Capsa Free, because it runs in Perl and does not utilize a graphical user interface. However, Chaos Reader does support many types of network traffic including IP version 6. Colasoft, in contrast, is easier to use, features an intuitive user interface, and automatically reassembles instant messages.

Figure 1. Log displaying pictures captured with ChaosReader (http://chaosreader.sourceforge.net/Chaos01/image.html)

The logs from both software packages can be imported into a commercial database like SQL Server and accessed with forensic and electronic discovery toolkits. The logs must be exported to a commonly used data file format, like flat files or a CSV file, and then imported with a commercial database software package. In this example, logs are imported with Microsoft Access into a Microsoft SQL Server 2012 database.

The software in this example does not access data archived on employee hard drives. Instead, it records network traffic in real time. The location of the wiretap must be able to intercept all network traffic coming from and going to the employees in question. The wiretap must be capable of recording all data going to and from that employee's systems. If the employee uses a smart phone or a personal internet connection while at work, these devices may interfere with the wiretap because network traffic could bypass it. A network policy preventing employees from accessing the internet through personal devices prevents bypassing the wiretap and results in a more thorough collection of evidence.

The tap should be installed in a physically secured location to preserve evidence and prevent inadvertent damage to the equipment. Inadvertent damage could cause the courts to mistakenly believe the evidence was intentionally deleted and give the court reason to sanction counsel and the company. The tap should also be hidden, to avoid alerting employees subject to the order that their communications are being intercepted and to prevent them from accessing evidence. Ideally, the tap should be installed in a secure, hidden and remote location capable of accessing all of the employees' network traffic.

A network location capable of intercepting the employees' traffic should be identified from network diagrams. A small office can easily be tapped by intercepting all incoming and outgoing communications through a router and modem. A large network, in contrast, may require identifying the locations of bridges and switches, logging data to ensure accuracy, and possibly routing all traffic through custom routes.


Figure 2. Where to place wiretap systems in an Ethernet network

Once a location is chosen and a wiretapping system is installed, the system should monitor, filter, and log data. Courts generally require scientific and technical evidence to be reliable. The software chosen must meet reliability guidelines, as Federal courts in particular may require the collection process to be proven with statistical precision. There is little margin for error, and the software and hardware platforms must be capable of performing their intended tasks and reporting expected and actual error rates. Packet-capture software generally reports how many packets the capture interface dropped; that count is part of the actual error rate and should be recorded with each capture.

Extracted data should be stored in a secure location, using cryptographic checksums (hashes) to verify data integrity and preserve the chain of custody. Passwords should restrict unauthorized access, and logs should record the transfer of evidence from one system to another.

STEP 1: CAPTURE THE PACKETS WITH AN EASY TO USE NETWORK MONITORING TOOL

In this example, two users are planning to steal company cars. An example system will be used to capture and store statements relating to the conspiracy, to be used in trial.

Figure 2. Employees Planning a Crime with Instant Messages

ColaSoft created Capsa Free, a simple packet capturing tool that can parse instant messages and web traffic. The free version can be downloaded from their website.

Download and install Capsa Free on a system and place the system in a location capable of accessing network traffic. The system's network card will surreptitiously record and filter network traffic. On a switched network the capture host sees only its own traffic unless its switch port is configured as a mirror (SPAN) port or an inline tap feeds it, and the interface must be in promiscuous mode. Capsa Free parses instant-message protocols that cross the wire in the clear; for an encrypted session the capture yields endpoints and timing but not message content. Start Capsa Free and begin capturing instant messages.

Figure 3. Capsa Free's Intuitive Interface Recognizes and Captures Yahoo and MSN Messages

STEP 2: EXPORT THE CAPTURED DATA TO EXCEL

Next, export the instant messages to an Excel file. Capsa Free does not support exporting files attached to instant messages, like pictures, but other applications may. Chaos Reader does support exporting attachments like graphics, but the messages must be manually reassembled. If Capsa Free captures instant messages and Chaos Reader stores the corresponding attachments, the attachments from Chaos Reader must be manually matched with the corresponding messages from Capsa Free.
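The manual matching described above can be partly automated when both exports carry timestamps and endpoints. The following is an added example written for this article, not code from Capsa Free, Chaos Reader or the author: the column layouts and sample rows are constructed for the example, so the real exports must be mapped into these records first, and the 30-second window is a tuning assumption.

```python
"""Tie attachments logged by one capture tool to the instant messages
captured by another, using endpoints and a timestamp window.

Added example, not code from the article or from either tool. The column
layouts below are constructed for this example; map the real exports'
columns into these records before use.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an exported message log (timestamp, src, dst, text).
MESSAGES_CSV = """timestamp,src,dst,text
2012-08-01 09:15:02,10.0.0.5,10.0.0.9,are the keys still in the lot office?
2012-08-01 09:15:40,10.0.0.9,10.0.0.5,yes. sending you the photo of the board
2012-08-01 09:15:41,10.0.0.5,10.0.0.9,ok
2012-08-01 09:31:10,10.0.0.7,10.0.0.2,lunch?
"""

# Constructed sample of an attachment index (timestamp, src, dst, file).
ATTACHMENTS_CSV = """timestamp,src,dst,file
2012-08-01 09:15:43,10.0.0.9,10.0.0.5,session_0007_part_02.jpg
2012-08-01 09:40:00,10.0.0.2,10.0.0.7,session_0011_part_01.png
"""

FMT = "%Y-%m-%d %H:%M:%S"


def load(csv_text):
    """Parse a CSV export into dicts and add a datetime field for comparison."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], FMT)
    return rows


def match_attachments(messages, attachments, window=timedelta(seconds=30)):
    """Return (attachment file, matched message text or None) pairs.

    An attachment is tied to the most recent message sent between the same
    two endpoints, in the same direction, that is no older than `window`.
    Anything without such a message is left unmatched rather than guessed.
    """
    results = []
    for att in attachments:
        candidates = [
            m for m in messages
            if m["src"] == att["src"] and m["dst"] == att["dst"]
            and timedelta(0) <= att["ts"] - m["ts"] <= window
        ]
        best = max(candidates, key=lambda m: m["ts"]) if candidates else None
        results.append((att["file"], best["text"] if best else None))
    return results


if __name__ == "__main__":
    for name, text in match_attachments(load(MESSAGES_CSV), load(ATTACHMENTS_CSV)):
        print(name, "->", text if text else "UNMATCHED (review manually)")
```

If the two tools run on separate hosts their clocks must agree (NTP) or the window must be widened; an unmatched attachment is reported for manual review rather than assigned by guesswork, which is the only association an examiner can defend.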

Figure 4. Exporting Instant Messages Captured with Capsa Free

Select a location to save the exported messages. Capsa Free will export the instant messages. A database application like Microsoft SQL Server can then import the messages for use with most forensic and electronic discovery applications.

Protect the database's integrity by limiting access, logging all changes, making frequent backups, and creating checksums of the raw database files before migrating them. The checksums verify that evidence was not added or removed when the database was transferred from one system to another. In addition, modify only one database at a time. Do not allow users to add data to several databases, because data could be lost. Also, do not lose database files, store them in unsecure locations for long periods of time, or give them to adverse, interested parties.
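The checksum and transfer-logging advice in this step, and in the evidence-storage paragraph earlier in the article, comes down to a manifest that travels with the exported files. The following added example (not the article's or any tool's code) hashes the files in an export directory with SHA-256, records each hand-off, and re-verifies the set after a transfer; the file names, the manifest layout and the sample files are constructed for the example.

```python
"""Hash exported evidence files, record them in a manifest with a custody
log, and verify the manifest again after the files change hands.

Added example, not code from the article. File names, the manifest layout
and the sample files are assumptions constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large capture exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, custodian):
    """Hash every file in `directory` and return the manifest as a dict."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {"created": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian, "files": entries, "transfers": []}


def record_transfer(manifest, from_system, to_system, handler):
    """Append a chain-of-custody entry each time the evidence set moves."""
    manifest["transfers"].append({"when": datetime.now(timezone.utc).isoformat(),
                                  "from": from_system, "to": to_system,
                                  "handler": handler})


def save_manifest(manifest, directory):
    with open(os.path.join(directory, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(directory, manifest):
    """Map each file to 'ok', 'modified', 'missing' or 'unexpected'."""
    status = {}
    for name, meta in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in sorted(set(os.listdir(directory)) - set(manifest["files"]) - {"manifest.json"}):
        status[name] = "unexpected"
    return status


def demo():
    """Constructed scenario: export, hash, transfer, then one file is altered."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "im_export.csv"), "w") as f:
        f.write("timestamp,src,dst,text\n2012-08-01 09:15:02,10.0.0.5,10.0.0.9,hi\n")
    with open(os.path.join(d, "chaosreader_index.html"), "w") as f:
        f.write("<html>constructed sample</html>\n")
    manifest = build_manifest(d, "examiner A")
    record_transfer(manifest, "capture-host", "analysis-workstation", "examiner A")
    save_manifest(manifest, d)
    before = verify_manifest(d, manifest)
    # Simulate a row being removed from the export after it was hashed.
    with open(os.path.join(d, "im_export.csv"), "w") as f:
        f.write("timestamp,src,dst,text\n")
    after = verify_manifest(d, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before": before, "after": after}, indent=2))
```

The manifest itself should be hashed and kept with the custody log outside the directory it describes; otherwise whoever can alter a file can also rewrite the hash that would expose it.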


Figure 5. Carefully Select a Secure Location to Transfer Log Files

STEP 3: IMPORT THE DATA INTO A COMMERCIAL DATABASE PACKAGE LIKE SQL SERVER

Start Microsoft Access and create a new table. Import the instant messages from Excel.

Figure 6. Importing a Log File with Microsoft Access

Select the Excel file containing the instant messages. Also select the destination table in Access.

Figure 7. Add the Log File to a Table Linked to a SQL Database

Specify the location of the table field names in the Excel spreadsheet, as well as formatting characteristics like field delimiters and text qualifiers.

Figure 8. Specify which parts of the log file contain database fields

Link the table to a SQL Server database.

Figure 9. Specify a Table Linked to an ODBC connection

Refresh the SQL database with the imported data.

Figure 10. ODBC refreshes the table

Sync the Access table with SQL Server. Choose the correct database.

Figure 11. Connect to the SQL Database with the ODBC connection and update


    Verify the instant messages were successfully added to theSQL Database.

    Figure 12. Verify data was successfully appended in SQL
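Step 3 as shown is a sequence of Access and ODBC dialogs; the same import can be scripted so that row counts and rejected rows are recorded rather than inferred from a screenshot. This added example is not the article's procedure or Microsoft's code: it uses Python's built-in sqlite3 as a stand-in for SQL Server so that it runs stand-alone (against SQL Server the same flow applies over a pyodbc connection with T-SQL types), and the column names and the sample export, including one deliberately malformed row, are constructed assumptions.

```python
"""Load an exported instant-message log into a database table and verify
that every source row either arrived or was explicitly rejected.

Added example, not code from the article. sqlite3 stands in for SQL Server
so the script runs stand-alone; the column names and the sample export
below are constructed for the example.
"""
import csv
import io
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE instant_messages (
    id        INTEGER PRIMARY KEY,
    sent_at   TEXT NOT NULL,   -- ISO 8601
    src_ip    TEXT NOT NULL,
    dst_ip    TEXT NOT NULL,
    protocol  TEXT NOT NULL,
    body      TEXT NOT NULL
);
"""

# Constructed sample export; the third data row is deliberately malformed.
EXPORT_CSV = """timestamp,src,dst,protocol,text
2012-08-01 09:15:02,10.0.0.5,10.0.0.9,MSN,are the keys still in the lot office?
2012-08-01 09:15:40,10.0.0.9,10.0.0.5,MSN,yes
not-a-date,10.0.0.9,10.0.0.5,MSN,broken row
2012-08-01 09:31:10,10.0.0.7,10.0.0.2,Yahoo,lunch?
"""


def load_export(conn, csv_text):
    """Insert well-formed rows; return (inserted, rejected) so a mismatch
    between the export and the table is visible instead of silent."""
    inserted, rejected = 0, []
    conn.executescript(SCHEMA)
    # Line numbers start at 2 because line 1 of the export is the header.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
            if not all(row[k] for k in ("src", "dst", "protocol", "text")):
                raise ValueError("empty field")
        except (ValueError, KeyError) as e:
            rejected.append((line_no, str(e)))
            continue
        conn.execute(
            "INSERT INTO instant_messages (sent_at, src_ip, dst_ip, protocol, body) "
            "VALUES (?, ?, ?, ?, ?)",
            (ts.isoformat(), row["src"], row["dst"], row["protocol"], row["text"]))
        inserted += 1
    conn.commit()
    return inserted, rejected


def verify_load(conn, csv_text, inserted, rejected):
    """Table count must equal the inserts, and inserts plus rejects the source rows."""
    source_rows = sum(1 for _ in csv.DictReader(io.StringIO(csv_text)))
    table_rows = conn.execute("SELECT COUNT(*) FROM instant_messages").fetchone()[0]
    return table_rows == inserted and source_rows == inserted + len(rejected)


def conversation(conn, a, b):
    """Messages exchanged between two hosts in either direction, oldest first."""
    return conn.execute(
        "SELECT sent_at, src_ip, dst_ip, body FROM instant_messages "
        "WHERE (src_ip = ? AND dst_ip = ?) OR (src_ip = ? AND dst_ip = ?) "
        "ORDER BY sent_at", (a, b, b, a)).fetchall()


def load_sample():
    """Load the constructed export into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    inserted, rejected = load_export(conn, EXPORT_CSV)
    return conn, inserted, rejected


if __name__ == "__main__":
    conn, ins, rej = load_sample()
    print("inserted", ins, "rejected", rej,
          "verified", verify_load(conn, EXPORT_CSV, ins, rej))
    for row in conversation(conn, "10.0.0.5", "10.0.0.9"):
        print(row)
```

The rejected list belongs in the case notes next to the screenshot of Figure 12: a row that fails to parse is still evidence, and an import that drops it silently is exactly the gap opposing counsel will look for.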

In summary, installing a wiretap can easily record real-time communication and provide valuable insights at trial. A party who thought they had successfully deleted archived evidence can be impeached with evidence collected in real time. In addition, the threat of recording real-time communication improves judicial accuracy and efficiency by giving all parties an incentive to tell the truth and settle, because they will know at the outset that the courts will be more objective. These technologies also subject users to potential criminal and civil liability for illegal wiretaps, and for wiretaps without a proper warrant.

Author bio
Nicholas Miter has a Juris Doctor from the University of Pennsylvania Law School, a Bachelor of Science in Computer Science from the University of Illinois at Champaign-Urbana, and has worked for innovative companies like Microsoft, Intel, AT&T, FactSet Research Systems, and most recently Nuix. He has completed several Finance classes at the Wharton School of Business and served as an editor for the Journal of Labor and Employment Law.


SECURITY TESTING TOOL OR CYBER WEAPON
by Kevin G. Coleman

Many software and systems testing tools can be considered dual-use technology. While they are used to legitimately test software and systems, they can also be used to attack those same software and systems. Therefore, there is a growing concern about the development and proliferation of what has been referred to as Cyber Arms.

In fact, in 2011 China and Russia submitted a recommendation to the United Nations about a Cyber Arms Treaty. This topic is not new to the United Nations; it can be traced back to 2006, when the U.N. General Assembly requested that all countries submit their views on a binding conventional arms trade treaty. Currently, the UN is working on a global treaty that would regulate the international arms trade, covering all conventional weapons, and that would promote transparency and accountability in the arms trade. An international legal definition of conventional arms really does not exist. The closest thing we could find states that conventional arms are all weapons that are not chemical, biological or nuclear in nature. Given that broad definition, cyber weapons would have to fall under the conventional arms heading even though cyber weapons are not specifically addressed. There is another big issue with this movement by the UN. There are 231 countries connected to the Internet and only 193 of those countries are members of the United Nations. Could the 38 countries not represented at the UN become sanctuaries for cyber arms dealers? That is a distinct possibility.

Recently the European Union contributed to and further confused this already complex issue by its actions to control cyber weapons, which negatively impact security testing tools. It states that the production or sale of devices such as computer programs designed for cyber attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses. If convicted, a cyber attacker would face at least two years in prison, and at least five years under aggravating circumstances (for example the use of a tool specifically designed for large-scale attacks), or for attacks that cause considerable damage (disrupting critical infrastructure).

Many software and systems testing tools can be considered dual-use technology. While they are used to legitimately test software and systems, they can also be used to attack those same software and systems. Pentesting is a technique used in evaluating the security of web sites, computer systems, networks and connected devices by simulating a cyber attack. In the hands of an attacker this would be an automated cyber attack platform. Now consider system capacity (load) testing tools. They automate the generation of a massive number of transactions used to assess and verify the capacity of a computer, server, network or entire system. A distributed denial of service (DDoS) attack also generates a massive number of transactions, used to overwhelm the capacity of a computer, server, network or entire system. This legislation forces one to ask: how would software developers and others be able to conduct security / penetration tests and check the security of our own systems, or those of clients, if they are no longer allowed to own such tools? The answer is very ugly: we would have to go back to manual testing methods! I asked one security consultant about this law and his only comment was "This is evil or moronic", and he is far from being alone with that opinion.

There is a fairly large and growing global market for these testing tools. A quick search resulted in nearly 600 such tools on the market today. Last year one analyst group forecasted the Asia Pacific region would have a compound average annual growth rate (CAGR) of 33.6 percent between 2010 and 2014. There are a number of conferences that address this subject matter and have robust vendor shows. The EU actions have many asking whether this growth rate should be considered an indicator of cyber arms proliferation. Legislation or regulations that outlaw these security testing tools will cause more harm than good. The only difference between a security testing tool and a cyber weapon is the intent of those using it. It would be nearly impossible to regulate intent, but it appears they are


going to try. The EU efforts will ultimately result in the bad actors having access to automated attack capabilities (also known as cyber weapons) and system developers being forced to revert to highly costly and less effective manual testing methods. There is a lot at risk due to the threat of cyber attacks that target our systems. The vast majority of the efforts to date are reactive and arguably not well thought through. To be proactive, we need an effective strategy that addresses the multiple facets of cyber security and defense, and requires all countries connected to the Internet to cooperate during investigations of cyber attacks.

Author bio
Kevin G. Coleman is a long time security technology executive and former Chief Strategist at the Internet pioneer Netscape, as well as the lead author of the Cyber Commander's eHandbook. He is a Senior Fellow with the Technolytics Institute, where he provides consulting services on strategic technology and security issues. He has presented/testified at the United Nations as well as multiple elements of the U.S. Congress and has briefed and instructed courses for the U.S. military and U.S. intelligence organizations. He writes a weekly blog for AOL Government on the topic of cyber intelligence and on Digital Conflict at Defense Systems, as well as writing for Eye Spy Intelligence magazine in the UK.

Additional Information
http://gov.aol.com/2012/07/09/cyber-intelligence-un-arms-treaty-what-about-cyber-arms/
http://www.infosecisland.com/blogview/20901-EU-Possession-of-Hacking-Tools-to-Become-a-Criminal-Offense.html
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fTEXT%2bIM-PRESS%2b20120326IPR41843%2b0%2bDOC%2bXML%2bV0%2f%2fEN&language=EN


In the Upcoming Issue of eForensics Free: SIM/USIM Card analysis, WIRELESS Forensics & More...
