IT SECURITY MAGAZINE
Forensics
Dear Readers,
This issue is devoted to forensics. To follow up the last issue, in which we discussed ID thefts, we decided to focus on forensics. There are several interesting articles: Mobile Digital Forensics by Rebecca Wynn, Are we ready for Digital Evidence? by Rich Hoggan, Forensic Improvisation by Israel Torres, Best Practices in InfoSec Forensics by Gary Miliefsky and much more. Hopefully, you will find this information interesting and useful. Enjoy your reading! Karolina Lesińska
team
Editor in Chief: Ewa Dudzic ewa.dudzic@software.com.pl
Managing Editor: Karolina Lesińska karolina.lesinska@hakin9.org
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn, Steve Lape, Shyaam Sundhar, Donald Iverson, Michael Munt
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
Top Betatesters: Rebecca Wynn, Bob Folden, Shayne Cardwell, Simon Carollo, Graham Hili.
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca andrzej.kuca@hakin9.org
Marketing Director: Karolina Lesińska karolina.lesinska@hakin9.org
Subscription: en@hakin9.org
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
The editors use automatic system
Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
www.hakin9.org/en
CONTENTS
mainly to authorities and financial institutions, but they are accessible to every organization.
42 Forensic Improvisation
by Israel Torres
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset. Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines).
50 Best Practices in InfoSec Forensics Proactively preparing for and executing network forensic analysis
by Gary S. Miliefsky
This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics. To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences:
FORENSICS
New crime vectors now mostly implicate the use of computers. It is important now to include computers as a main possible tool of suspects. Let me present a scenario. You work in the financial sector, and one of the employees has been transferring credit card information to his computer at home. As a security analyst you will have to gather evidence to find out who this employee was and how he transferred the credit card data.
FORENSICS
Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, or taking out our SIM card and copying it while we are with the boss, in the bathroom, heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. It is broken up into sections so the reader can easily review the sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use. Use this article as your starting point.
to describe technologies for second generation (or 2G) digital cellular networks. Wi-Fi is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards.
Contacts:
Name fields: first, middle, last, nickname, prefix, suffix, joint name
Photo and personal ringing tone
Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
Postal addresses
Web pages and e-mail addresses
Company, department, job title
Text notes
Private info: birthday, spouse, children
Custom field labels
Multiple fields of the same type
Last modification date & time
FORENSICS
To Get Round
To The Heart Of Fortress
Cybercrime is becoming a growing threat to society. Thefts of information, crashing of websites and manipulation of online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.
What you will learn
General forensic classification
Classic and non-classic mobile forensics
The current century can be described as the application of digital technology to enhance traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other ways of life has improved the efficiency of these entities. On the other hand, computers as a criminal tool have enhanced criminals' own activity. In particular, the surge of technical adeptness in the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone caught. These crimes are, for the most part, classic crimes. To catch criminals involved with digital crime, investigators must employ consistent and well-defined forensic procedures wherever possible. Anyone writing off the insider threat as a low-cost risk ought to realize the seriousness of the problem. Threats of this kind range from the malicious employee (who has, or must acquire, the technical expertise to implant malware such as a logic bomb in a critical system) onwards. A malicious insider is an employee (current or former), contractor, or business partner who had, has, or is going to have authorized access to an organization's network, system, or data and uses it in a manner that negatively affects the confidentiality, integrity, or availability of those assets. Ordinary employees also represent another significant insider threat vector. Their inadvertent actions can occur because individuals have accumulated more privileges than they need for their current job functions or because individuals may just be careless about the usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user.
A common security vulnerability that increases the risk of insider threats is inadequate auditing and analytics: the sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, but today's highly distributed and complex IT environments generate massive volumes of logging data, and that volume is very difficult to manage. Most current approaches to addressing insider threats are reactive, not predictive. Logging helps immensely in forensic investigations, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that provide more analytic and predictive capabilities which, if they cannot prevent insider attacks, may still identify at-risk insiders so that more detailed logging can be implemented on those individuals in response. There is also a delicate balance of risk versus productivity: IT managers need to balance the risk of granting employees additional access against the lost productivity that would result if access was not granted to certain users. Many organizations also
YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009 and currently works as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry Infrastructure and the effects of the trust bot-net & forensic techniques on human privacy. E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com) Facebook: www.facebook.com/yury.chemerkin LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549
FORENSICS
Similarly, we still live in a world where we think that the computer and what we do on it (or on any digital device, for that matter) is irrelevant to something like a criminal case. Yet an example of such a case has come about in the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but one where the computer's average use, such as searching the internet and uploading to social networking sites, is seen as being malicious. I have attempted to create a balance between asking the tough questions and understanding the technical aspects of digital forensics in this article. As a result we will be going through the motions of viewing an image file's metadata with forensic tools and even making our own tool using HTML and PHP. Similarly, we will be going through the motions of viewing and analyzing the browser's history. Lastly, we will be attempting to answer the question of whether or not we are ready for digital evidence and its impact on our lives. But before we get into the core of this article, we first have to understand a little bit of the case's background. What's interesting is the fact that it isn't a cyber incident: it's a case that involves a person's social networking life and their history of internet search terminology, everyday activity for computers, digital cameras, even our cell phones. It was during a forensic investigation of the family's computers that said evidence was found demonstrating that searches had been made on the internet in relation to the case. Similarly, photos were posted to multiple social networking sites while the suspect's daughter was still considered missing. Ultimately though, the forensic evidence wasn't enough to get a conviction from the jury.
FORENSICS
Forensic Improvisation
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset.
What you will learn
you will learn how to improvise your use of digital forensics
Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready-to-burn LiveCD/DVD/USB forensic toolsets that suit the job nicely, but that would require training, planning and knowing you'd need them at a moment's notice. Such ready-to-run toolsets come in all flavors from free to commercial, and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines). The focus of this article is using the command line (terminal, bash) tools found on a standard Mac OS X 10.7 (Lion) operating system, including a few additional optional downloads (or rather what most geeks would have already installed anyway). Understanding how things work is always best, and the best tool is the one you write yourself. Using tools someone has already written for you is certainly nice, but if you can't modify them to suit your immediate needs then this is where improvisation takes place. It certainly isn't the time to shy away from the terminal; that's where all the sexy is (not the clicky eye-candy you may be used to). The challenge: so we've been presented with 10 binary files (test0.bin to test9.bin). Since they are all
Figure 2. TermHere
FORENSICS
Neuro-Linguistic Hacking:
The New Age of Social Engineering
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history until today, social engineering has been used.
The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago. In the last 70-100 years there have been massive leaps in understanding the human psyche. What makes a person tick? Bandler and Grinder took the understanding of neurolinguistic programming to a whole new plane. Dr. Paul Ekman turned the understanding of microexpressions into a new science. Then many experts who spent decades studying influence, persuasion and manipulation began to work hard to understand what makes a person act a certain way. As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole. We have interviewed radio hosts, psychologists, law enforcement, NLP gurus, dating experts and others to try and understand what each of those fields has to offer a social engineer. After studying a lot of the practices and what makes them successful, we have blended a few together and are going to start a new study called Neuro-Linguistic Hacking (NLH).
NLP is a controversial approach to psychotherapy and organizational change based on a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences underlying them, and a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior.
Neuro
This points to our nervous system, through which we process our five senses:
Visual
Auditory
Kinesthetic
Smell
Taste
Linguistic
This points to how we use language and other nonverbal communication systems through which our neural representations are coded, ordered and given meaning. This can include things like:
Pictures
Sounds
Feelings
Tastes
Smells
Words
What is NLH
NLH combines key parts of neurolinguistic programming with the functionality of microexpressions, body language and gestures, and blends it all together to understand how to hack the human infrastructure. Let's take a closer look at each to see how it applies.
Programming
This is our ability to discover and utilize the programs that we run in our neurological systems to achieve our
FORENSICS
To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences:
INFOSEC Forensics relates to digital forensics, which is the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection; this is proactive. In addition, and most usually after a breach, computer forensics is performed by a network security professional; this is reactive.
The best practices, of course, are to be as proactive as possible and plan for both scenarios. One is to gather and store traffic, always looking for anomalies (these can range from hacker attacks to employees leaking data and internal information to a competitor, or a malicious insider on your network). The other is to have RAID, hard drive mirroring, Continuous Data Protection (CDP) and, at minimum, daily backups of all important company information from all network touch points, so you don't have to reactively go chase down a lost or stolen laptop to analyze a hard drive, because you have the latest, closest copy of the data set stored
Social-Engineer.Com
Security Through Education
SE Videos Social Engineering Tool Kit The Webs First Social Engineering Framework SE Resources Free Monthly SE Newsletter Free Monthly SE Podcast
www.Social-Engineer.Com
Now offering professional Social Engineering Services Contact us today to learn more info@social-engineer.com