
Hakin9 EXTRA Forensic 03 2011 Teasers1

Date post: 03-Mar-2015
Page 1: Hakin9 EXTRA Forensic 03 2011 Teasers1
Page 4

4 www.hakin9.org/en www.hakin9.org/en 5

Forensics


Team

Editor in Chief: Ewa [email protected]

Managing Editor: Karolina Lesińska [email protected]

Editorial Advisory Board: Matt Jonkman, Rebecca Wynn, Steve Lape, Shyaam Sundhar, Donald Iverson, Michael Munt

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski [email protected]

Top Betatesters: Rebecca Wynn, Bob Folden, Shayne Cardwell, Simon Carollo, Graham Hili.

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Production Director: Andrzej Kuca [email protected]

Marketing Director: Karolina Lesińska [email protected]

Subscription: [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

The editors use an automatic system. Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

This issue is devoted to forensics. To follow up the last issue, in which we discussed ID theft, we decided to focus on forensics. There are several interesting articles: Mobile Digital Forensics by Rebecca Wynn, Are we ready for Digital Evidence? by Rich Hoggan, Forensic Improvisation by Israel Torres, Best Practices in InfoSec Forensics by Gary Miliefsky and much more. Hopefully, you will find this information interesting and useful.

Enjoy your reading!

Karolina Lesińska

PRACTICAL PROTECTION IT SECURITY MAGAZINE

CONTENTS

06 Basic Forensics Analysis
by Marc-Andre Meloche
Digital Forensics is mostly like the movies: the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes. New crime vectors now mostly involve the use of computers, so it is important now to include computers as a main possible tool for suspects.

12 Mobile Digital Forensics – Cover Your ASSets (CYA)
by Rebecca Wynn
Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, or taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. It is broken up into sections so the reader can easily review the sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use. Use this article as your starting point.

20 To Get Round To The Heart Of Fortress
by Yury Chemerkin
Cybercrime is becoming a growing threat to society. Thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

38 Are We Ready For Digital Evidence?
by Rich Hoggan
Are we ready for digital evidence? It's a question that we need to ask more often, as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis. Similarly, we still live in a world where we think the computer and what we do on it, or any digital device for that matter, is irrelevant to something like a criminal case. Yet that said, an example of such a case has come about: the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but one where the computer's average use, such as searching the internet and uploading to social networking, is seen as being malicious.

42 Forensic Improvisation
by Israel Torres
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset. Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines).

46 Ask The Social-Engineer: Neuro-Linguistic Hacking – The New Age of Social Engineering
by Christopher Hadnagy
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history till today, social engineering has been used. The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.

50 Best Practices in InfoSec Forensics – Proactively preparing for and executing network forensic analysis
by Gary S. Miliefsky
This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics. To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences.

Page 6


Basic Forensics Analysis

Digital Forensics is mostly like the movies: the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes.

New crime vectors now mostly involve the use of computers, so it is important now to include computers as a main possible tool for suspects. Let me present you with the scenario. You work in the financial sector, and one of the employees has been transferring credit card information to his computer at home. As a security analyst you will have to gather evidence to find out who this employee was and how he transferred the credit card data.

What you will learn…
• You will be able to perform basic forensics manipulation on computers with the common open-source forensics tools. (We will not talk about the incident management process; this is a technical how-to.)
• You will be able to create bit-copy images of hard drives or other media for forensics analysis.
• You will be able to navigate and understand how Autopsy works. This is a powerful tool that will help you obtain the information you need to help you build forensics cases.

What you should know…
• Basic understanding of drive locations in Linux and mount points.
• Ability to navigate inside a Linux file system and be able to install software.
• Have a very meticulous mindset for detail while performing the evidence search; sometimes small details can be missed.
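The bit-copy imaging step listed above, as an added shell example that is not part of the article: it acquires an image with dd, hashes source and image with SHA-256, records both hashes in a log, and re-verifies the image later, so the copy can be shown to be unchanged before analysis in Autopsy or any other tool. The source here is a constructed sample file standing in for a block device such as /dev/sdb (an assumed name); with a real drive the source would sit behind a write blocker like the one in Figure 1.

```shell
#!/bin/sh
# Added example: bit-copy acquisition with dd and SHA-256 verification.
# Not from the article. The "device" is a constructed sample file that
# stands in for a real block device such as /dev/sdb (assumed name).

# sha256_of FILE: print the hex SHA-256 digest of FILE. Uses sha256sum
# (coreutils) and falls back to shasum (macOS, Perl).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_sample_device PATH: write 2176 sectors (1,114,112 bytes) of
# deterministic, non-repeating content as a stand-in for a small drive.
make_sample_device() {
    awk 'BEGIN { for (i = 0; i < 65536; i++) printf "block%06d-data\n", i }' > "$1"
}

# verify_image IMAGE EXPECTED_HASH: re-hash IMAGE (for instance before
# each analysis session) and print OK or MISMATCH.
verify_image() {
    if [ "$(sha256_of "$1")" = "$2" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# acquire_image SOURCE IMAGE LOG: copy SOURCE to IMAGE sector by sector.
# conv=noerror,sync keeps reading past unreadable sectors and zero-pads
# them so offsets in the image stay aligned with the device; bs=512 means
# that padding never extends past the last sector (a larger block size
# would pad the tail and the hashes would then differ). Hashes of source
# and image go to LOG; prints OK on match, MISMATCH otherwise.
acquire_image() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    {
        echo "acquired $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source $src $src_hash"
        echo "image  $img $img_hash"
    } >> "$log"
    verify_image "$img" "$src_hash"
}

# Stand-alone demo on the constructed sample; a real acquisition would
# point SOURCE at the device node behind a write blocker.
work=$(mktemp -d)
make_sample_device "$work/sample.dev"
echo "acquisition: $(acquire_image "$work/sample.dev" "$work/sample.dd" "$work/acq.log")"
printf 'x' >> "$work/sample.dd"          # simulate a later modification
echo "after tamper: $(verify_image "$work/sample.dd" "$(sha256_of "$work/sample.dev")")"
cat "$work/acq.log"
```

The log file is the piece to keep next to the image: the source hash taken at acquisition time is what the image is compared against every time it is opened, and any MISMATCH means the copy can no longer be relied on as evidence.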


Figure 1. Write blocker from Tableau (http://www.tableau.com/index.php?pageid=products&category=forensic_bridges)

Figure 2. Basic IDE/SATA to USB converter from Vantec (http://www.vantecusa.com/)

Page 7


Mobile Digital Forensics – Cover Your ASSets (CYA)

Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, or taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. It is broken up into sections so the reader can easily review the sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use. Use this article as your starting point.

Cell Phone – What Information Can Be Obtained?

Event Logs:

• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log
• General Packet Radio Service (GPRS) was the first data service for GSM cellular carriers. GPRS added a packet capability to GSM, which uses dedicated, circuit-switched channels for voice conversations.
• Global System for Mobile Communications (GSM), originally Groupe Special Mobile, is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe technologies for second generation (or 2G) digital cellular networks.
• Wi-Fi is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards.

Contacts:

• Name fields: first, middle, last, nickname, prefix, suffix, joint name
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses
• Web pages and e-mail addresses
• Company, department, job title
• Text notes
• Private info: birthday, spouse, children
• Custom field labels
• Multiple fields of the same type
• Last modification date & time

Caller Groups:

• List of caller groups & belonging contacts

Speed Dials:

• List of assigned speed dials

“You and only you are responsible for ‘Covering Your ASSets’. No one else will do it for you.” – Rebecca Wynn

What you will learn…
• What information can be obtained from a cell phone
• MOBILedit! Forensic Software
• How to Cover Your ASSets (CYA)
• Security Checklists

What you should know…
• Basic cell phone skills


Page 8


To Get Round To The Heart Of Fortress

Cybercrime is becoming a growing threat to society. Thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

The current century can be described as the application of digital technology that enhances traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other ways of life has improved the efficiency of these entities. On the other hand, computers as a criminal tool have enhanced criminals' own activity. In particular, the surge of technical adeptness among the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone being caught. These crimes are for the most part classic crimes. To catch criminals involved with digital crime, investigators must employ consistent and well-defined forensic procedures wherever possible.

Writing off the insider threat as a low-cost risk ignores the severity of the problem. Threats of this kind range from the malicious employee who has (or has to acquire) the technical expertise to implant malware (a logic bomb, …) in a critical system, to the careless user. A malicious insider is an employee (current or former), contractor, or business partner who had, has, or is going to have authorized access to an organization's network, system, or data and uses it in a manner that negatively affects confidentiality, integrity, or availability. Employees also represent another significant insider threat vector through inadvertent actions. These can occur because individuals have accumulated more privileges than they need for their current job functions, or because individuals may just be careless about the usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user. The common security vulnerability that increases the risk of insider threats is inadequate auditing and analytics:

• Sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, and today's highly distributed and complex IT environments generate massive volumes of logging data, but the sheer volume of data is very difficult to manage.

• Most current approaches to addressing insider threats are reactive, not predictive. This helps immensely in forensic investigations, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that can provide more analytic and predictive capabilities that, if not able to prevent insider attacks, may still identify at-risk insiders and then implement more detailed logging on those individuals in response.

• Delicate balance of risk versus productivity. IT managers need to balance the risk of employees' need for additional access versus the lost productivity that would result if access was not granted to certain users. Many organizations also

What you will learn…
• General forensic classification
• Classic and non-classic mobile forensics

What you should know…
• Basic knowledge about forensics


Page 9


push technology adds a unique dimension to forensic examination. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a mobile device spends with its owner, the greater the chance that it will more accurately reflect and tell a story about that person. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time, potentially overwriting previously "deleted" data. Without warning, applications such as the email client, instant messaging, wireless calendar, and any number of third-party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. Note that completely powering off the RIM will wipe data from the SRAM. Logs stored there, which may be of interest, will not survive a full power-down. If the RIM is password protected, get the password. The password itself is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally.

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009 and currently works as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry infrastructure and the effects of the trust bot-net & forensic techniques on human privacy.
E-mail: [email protected] ([email protected])
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549


Page 10


Are We Ready For Digital Evidence?

Are we ready for digital evidence? It's a question that we need to ask more often, as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis. Similarly, we still live in a world where we think the computer and what we do on it – or any digital device for that matter – is irrelevant to something like a criminal case. Yet that said, an example of such a case has come about – the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but one where the computer's average use, such as searching the internet and uploading to social networking, is seen as being malicious.

I have attempted to create a balance between asking the tough questions and understanding the technical aspects of digital forensics in this article. As a result, we will be going through the motions of viewing an image file's meta-data with forensic tools and even making our own tool using HTML and PHP. Similarly, we will be going through the motions of viewing and analyzing the browser's history. Lastly, we will be attempting to answer the question of whether or not we are ready for digital evidence and its impact on our lives.

But before we get into the core of this article, we first have to understand a little bit of the case's background. What's interesting is the fact that it isn't a cyber incident: it's a case that involves a person's social networking life and their history of internet search terminology – everyday activity for computers, digital cameras, even our cell phones. It was during a forensic investigation of the family's computers that said evidence was found, demonstrating that searches were made on the internet in relation to the case. Similarly, photos were posted to multiple social networking sites while the suspect's daughter was still considered missing. Ultimately though, the forensic evidence wasn't enough to get a conviction from the jury.

What you will learn…
• Forensic recovery of an image file's meta-data and web browser's history
• Programming our own tools
• Discussing the impact of digital evidence

What you should know…
• Basic understanding of digital forensics and techniques
• Basic understanding of web programming using HTML and PHP


Figure 1. EXIF data of an image

Page 11


Forensic Improvisation

Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset. Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines).

The focus of this article is using the command line (terminal, bash) tools found on a standard Mac OS X 10.7 (Lion) operating system, including a few additional optional downloads (or really rather what most geeks would have already installed anyway). Understanding how things work is always best, and the best tool is the one you write yourself. Using tools someone has already written for you is certainly nice, but if you can't modify them to suit your immediate needs then this is where improvisation takes place. It certainly isn't the time to shy away from the terminal – that's where all the sexy is (not the clicky eye-candy you may be used to).

The challenge: So we've been presented with 10 binary files (test0.bin – test9.bin). Since they are all

What you will learn…
• You will learn how to improvise your use of digital forensics

What you should know…
• You should know your environment as well as basic shell programming


Figure 1. Testbench listing

Figure 2. TermHere
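An added example of the improvisation approach described above, not the article's own code: when file(1) and strings(1) are not on the box, a first triage of unknown .bin files can still be done with od, tr and grep, which every POSIX system carries. The magic-byte table, the sample file contents and the names test0.bin to test2.bin are constructed for this demonstration and are not the article's test files.

```shell
#!/bin/sh
# Added example: triage of unknown binary files with POSIX tools only
# (od, tr, grep, wc) as stand-ins for file(1) and strings(1).
# Not from the article; the sample files below are constructed.
LC_ALL=C          # work on raw bytes, not multibyte characters
export LC_ALL

# magic FILE: the first four bytes of FILE as lowercase hex, e.g. 89504e47.
magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# classify FILE: label a file by its leading magic bytes (small table of
# well-known signatures); prints "unknown" when nothing matches.
classify() {
    case "$(magic "$1")" in
        89504e47) echo png ;;
        ffd8ff*)  echo jpeg ;;
        504b0304) echo zip ;;
        7f454c46) echo elf ;;
        25504446) echo pdf ;;
        *)        echo unknown ;;
    esac
}

# printable_strings FILE [MINLEN]: a strings(1) stand-in. Every byte that
# is not printable ASCII becomes a newline, then runs shorter than MINLEN
# (default 4) are dropped, leaving one candidate string per line.
printable_strings() {
    min=${2:-4}
    tr -c '[:print:]' '\n' < "$1" | grep -E ".{$min,}"
}

# triage_dir DIR: one tab-separated line per *.bin file in DIR:
# name, label, size in bytes, number of printable strings (length >= 4).
triage_dir() {
    for f in "$1"/*.bin; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$(basename "$f")" "$(classify "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" \
            "$(printable_strings "$f" | wc -l | tr -d ' ')"
    done
}

# Stand-alone demo on constructed files: a PNG header followed by text,
# a bare ZIP local-file header, and a file with no recognisable header.
work=$(mktemp -d)
printf '\211PNG\r\n\032\nIHDR note-in-image' > "$work/test0.bin"
printf 'PK\003\004\024\000\000\000' > "$work/test1.bin"
printf '\000\000\000\000no header, just text\000\001\002' > "$work/test2.bin"
triage_dir "$work"
printable_strings "$work/test2.bin"
```

The magic table is deliberately short: the point is that classification by leading bytes, and string extraction by "everything that is not printable becomes a separator", are simple enough to rebuild from memory on a machine you did not prepare. A file reported as unknown with a high string count is the first one to open in a hex viewer (od -c works when nothing better is installed).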

Page 12


Neuro-Linguistic Hacking: The New Age of Social Engineering

Social engineering is nothing new. From some of the oldest stories recorded in mankind's history till today, social engineering has been used. The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.

In the last 70-100 years there have been massive leaps in understanding the human psyche. What makes a person tick?

Bandler and Grinder took the understanding of neuro-linguistic programming to a whole new plane. Dr. Paul Ekman took the understanding of microexpressions to a new science.

Then many experts who spent decades studying influence, persuasion and manipulation began to work hard to understand what makes a person act a certain way.

As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole.

We have interviewed radio hosts, psychologists, law enforcement, NLP gurus, dating experts and others to try and understand what each of those fields has to offer a social engineer.

After studying a lot of the practices and what makes them successful, we have blended a few together and are going to start a new study called Neuro-Linguistic Hacking (NLH).

What is NLH
NLH combines key parts of neuro-linguistic programming, the functionality of microexpressions, body language and gestures, and blends them all together to understand how to hack the human infrastructure. Let's take a closer look at each to see how it applies.

Neuro-Linguistic Programming (NLP)
NLP is a controversial approach to psychotherapy and organizational change based on a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences underlying them, and a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior.

Neuro
This points to our nervous system, through which we process our five senses:

• Visual
• Auditory
• Kinesthetic
• Smell
• Taste

Linguistic
This points to how we use language and other nonverbal communication systems through which our neural representations are coded, ordered and given meaning. This can include things like:

• Pictures
• Sounds
• Feelings
• Tastes
• Smells
• Words

Programming
This is our ability to discover and utilize the programs that we run in our neurological systems to achieve our


Page 14


Best Practices in InfoSec Forensics

This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics. To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences.

What is INFOSEC Forensics?
INFOSEC Forensics relates to digital forensics, which is the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection – this is proactive. In addition, and most usually after a breach, computer forensics is performed by a network security professional – this is reactive.

The best practices, of course, are to be as proactive as possible and plan for both scenarios. One is to gather and store traffic, always looking for anomalies – these can range from hacker attacks to employees leaking data and internal information to a competitor, or a malicious insider on your network. The other is to have RAID, hard drive mirroring, Continuous Data Protection (CDP) and, at minimum, daily backups of all important company information from all network touch points, so you don't have to reactively go chase down a lost or stolen laptop to analyze a hard drive, because you have the latest, closest copy of the data set stored

What you will learn…
• Forensic Basics
• Network Forensics
• Computer Forensics

What you should know…
• Using Syslog, Traps and Network Taps
• Deploying Network Attached Storage
• Duplicating A Hard Drive
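An added example of the proactive "gather logs and keep looking for anomalies" practice described above, not the article's code: an awk scan over collected syslog records that reports every source address with more authentication failures than a threshold, which accounts it tried, and the time window involved. The log lines are constructed in OpenSSH's syslog format with RFC 5737 documentation addresses, and the threshold of 3 is an assumed value; a real deployment would run this over the syslog archive fed by the collectors mentioned in the checklist.

```shell
#!/bin/sh
# Added example: anomaly scan over collected syslog authentication records.
# Not from the article. Log lines are constructed in OpenSSH's syslog
# format; the failure threshold is an assumed tuning value.

# write_sample_log PATH: constructed sample records (RFC 5737 addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 gw1 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 gw1 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:06 gw1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 gw1 sshd[2215]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:02:30 gw1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Mar  3 10:02:41 gw1 sshd[2301]: Accepted password for alice from 198.51.100.9 port 40022 ssh2
Mar  3 10:03:00 gw1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# failed_logins_over_threshold LOG N: for every source address with at
# least N "Failed password" records in LOG, print one tab-separated line:
# address, failure count, distinct accounts tried (comma-separated, in
# order of first appearance), first timestamp, last timestamp.
failed_logins_over_threshold() {
    awk -v n="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... Failed password for [invalid user] NAME from ADDR port ..."
            addr = ""; user = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { addr = $(i + 1); user = $(i - 1) }
            if (addr == "") next
            ts = $1 " " $2 " " $3          # syslog month, day, time
            if (!(addr in count)) first[addr] = ts
            last[addr] = ts
            count[addr]++
            if (!((addr, user) in seen)) {
                seen[addr, user] = 1
                users[addr] = (users[addr] == "" ? user : users[addr] "," user)
            }
        }
        END {
            for (a in count)
                if (count[a] >= n)
                    printf "%s\t%d\t%s\t%s\t%s\n", a, count[a], users[a], first[a], last[a]
        }
    ' "$1" | sort
}

# Stand-alone demo on the constructed log.
work=$(mktemp -d)
write_sample_log "$work/auth.log"
failed_logins_over_threshold "$work/auth.log" 3
```

Only the "Failed password" records are counted, so the one genuine mistyped password followed by a successful login from 198.51.100.9 stays below the threshold, while the burst from 203.0.113.7 is reported with the two account names it cycled through and the nine-second window in which it happened, which is what an analyst needs to decide whether to pull the full capture for that window.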


Figure 1. Network Forensics

Page 15

Security Through Education
Social-Engineer.Com

The Web's First Social Engineering Framework

SE Resources
Free Monthly SE Newsletter
Free Monthly SE Podcast
SE Videos
Social Engineering Tool Kit

Now offering professional Social Engineering Services
Contact us today to learn more
[email protected]
www.Social-Engineer.Com

