
Forensics Bulletin
June 2014 | Volume 3

Index

02  executive summary
03  eProtect: Online complaint portal
05  WhatsApp forensics: Recovering & decrypting deleted conversations
07  biometric fraud: Employee attendance system fraud & RFID trick
10  encrypted document malware: Malware that encrypts your documents
13  intelligence gathering: Tracking Pakistan Haxor Crew
15  about us
executive summary
In this issue we would like to take our readers a step ahead, from cyber security to cyber and digital forensics. In this high-tech world a variety of computer crimes take place, on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or information for which the crime has been committed, so computer forensics has become a vital part of our corporate world.
Those golden days are gone when criminals used only guns and other offensive equipment to commit a crime. Nowadays a mobile is used to connect lives and run businesses, and the same mobile is used to commit crimes; hence it is next to impossible to predict who the actual criminal is when everyone is carrying weapons, i.e. phones, in their pockets. Someone who is carrying an unauthorized gun can be declared a criminal, but what if billions of people are carrying the same digital weapons in their pockets?

“Believe it or not, but we all have committed some cyber-crimes, intentionally or by mistake”
We at CCFIS have faced and solved several forensics cases that cannot be solved by traditional, pre-defined forensics technologies and protocols. Sometimes forensics is more a matter of research and behavioral analysis.
eProtect
Online complaint portal
Most of the time we don’t want to share a cybercrime that has happened to us with anyone, and that is why such cases remain unsolved and the culprits are encouraged to repeat them. To maintain anonymity and to resolve these cases we started eProtect, initially for students and staff of Amity Education Group. eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case, ranging from a cyber-harassment incident on social media to online fraud. Once a complaint is registered, the CCFIS incident response team is notified and acts to resolve it in the minimum possible time.
Type              | Modus Operandi                                                                              | Incident Frequency (Past 6 Months)
Harassing         | Text, IMs, Emails & Posts                                                                   | 4
Impersonation     | Fake profiles, Posing as someone else                                                       | 14
Anonymous Emails  | Dummy mail IDs, Proxy Servers, Hijacked Email Accounts                                      | 6
Data Recovery     | Virus Infection, Power Surges, Ransomware, Accidental Deletion/Format                       | 28
Corporate Cases   | Embezzlements, Payroll Frauds, Employee activity monitoring, Data Theft, Unauthorized access | 7
WhatsApp forensics
Recovering & decrypting deleted conversations

WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. Most of us use WhatsApp to communicate with our loved ones.

We recently seized a mobile during an investigation. After further analysis of the mobile, we found that all conversations had already been deleted by the user. But WhatsApp creates a database of all conversations, and those files still reside inside the mobile even after the conversations are deleted. We initially tried to recover those messages from the database, but the user was smart enough to delete these databases too.

Finally, we tried a mobile data recovery procedure and attempted to recover the WhatsApp database. After all our efforts the databases were recovered, but in an encrypted state. At the final stage our research and development team was able to understand the encryption methodology and developed in-house tools to decrypt those messages.
biometric fraud
Employee attendance system fraud & RFID trick

Biometric attendance devices are used in almost all offices. Every morning we punch our card and fingerprint before starting our work, and repeat the same every day. But what if the data of these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model. Whenever an RFID-enabled card is punched along with a fingerprint, the device compares the data to the original database and authenticates the user. Once the user is verified, a database entry is made in the ERP system recording that this particular user punched at this particular timestamp.

Recently we resolved one biometric fraud case, in which none of the traditional forensics methodologies worked. Every day over 800 employees were using that biometric attendance system before starting their work. The data from all 10 biometric devices was saved in one central database, and from there it was taken to the organization’s ERP and other departments such as HR and accounts. System administrators had created rules to take automated, regular backups of every day’s database.
The fraud came to the knowledge of management when an employee was called for a meeting and did not show up, saying that they were not in the office, yet the employee was marked present in the biometric attendance system and everything was normal in the ERP as well as in all databases. The biometric device vendor was called and checked all biometric devices by taking hundreds of samples, but everything was normal. Management later decided to have a forensics investigation into this issue, and the case was handed over to the CCFIS team for further analysis. Initially we tested all biometric devices and found that everything was normal. Then we started comparing the original and backup databases manually, and the data was the same everywhere. We also found that a few database entries had been deleted from both the original and the backup database. After recovering those deleted entries, we realized that an administrator who was in a close relationship with the employee had created several SQL scripts to manipulate both the original as well as the backup database. The issue was resolved, management was informed and the employee was fired.
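The lesson of this case is that a primary-versus-backup comparison proves nothing when the same script rewrote both copies; the deleted rows were only found by recovering them. The following is an added example, not CCFIS's own tooling, of how such a check can be automated and extended: it diffs the two copies, looks for holes in the primary-key sequence (a device that appends rows never leaves gaps, so a gap is a candidate deletion), and computes a hash chain over the day's rows that, when logged off the database host, exposes later rewrites of either copy. The table name `punch_log`, its columns and the sample rows are assumptions constructed for the example.

```python
"""Cross-check a biometric attendance table against its backup and look for
signs of deleted or rewritten rows.

Added example, not CCFIS's own tooling.  Assumptions: a table punch_log with
columns (id, emp_id, device_id, punched_at); the sample rows are constructed.
"""
import hashlib
import sqlite3

SCHEMA = """CREATE TABLE punch_log (
    id         INTEGER PRIMARY KEY,
    emp_id     TEXT    NOT NULL,
    device_id  INTEGER NOT NULL,
    punched_at TEXT    NOT NULL
)"""

# Constructed sample: one day's punches on two devices.
CLEAN_ROWS = [
    (1, "E101", 1, "2014-05-12 08:58:10"),
    (2, "E102", 1, "2014-05-12 08:59:02"),
    (3, "E103", 2, "2014-05-12 09:00:45"),
    (4, "E104", 2, "2014-05-12 09:01:30"),
    (5, "E105", 1, "2014-05-12 09:02:11"),
    (6, "E101", 1, "2014-05-12 18:01:07"),
    (7, "E102", 1, "2014-05-12 18:03:40"),
    (8, "E103", 2, "2014-05-12 18:05:00"),
]

# The same day after a SQL script deleted row 4 and rewrote the timestamp of
# row 7, the kind of manipulation the case describes.
TAMPERED_ROWS = [
    (7, "E102", 1, "2014-05-12 19:30:00") if r[0] == 7 else r
    for r in CLEAN_ROWS if r[0] != 4
]


def load(rows):
    """Build an in-memory SQLite copy of the table from the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO punch_log VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def id_gaps(conn):
    """Primary keys missing from an otherwise contiguous sequence.

    Attendance devices append rows; a hole in the key sequence is a strong hint
    that a row was deleted rather than never written.
    """
    ids = [r[0] for r in conn.execute("SELECT id FROM punch_log ORDER BY id")]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def compare(primary, backup):
    """Rows that differ between the two copies, as (id, primary_row, backup_row)."""
    query = "SELECT id, emp_id, device_id, punched_at FROM punch_log"
    a = {r[0]: r for r in primary.execute(query)}
    b = {r[0]: r for r in backup.execute(query)}
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)]


def chain_digest(conn):
    """Hash chain over the rows in key order.

    Kept off the database host (sent to a log server, for instance), this one
    value reveals any later rewrite of the day's records even when the primary
    and its backup have both been altered.
    """
    digest = b""
    for row in conn.execute("SELECT id, emp_id, device_id, punched_at "
                            "FROM punch_log ORDER BY id"):
        digest = hashlib.sha256(digest + repr(row).encode()).digest()
    return digest.hex()


def audit(primary, backup):
    """Combine the three checks into one report."""
    return {
        "differences": compare(primary, backup),
        "gaps_primary": id_gaps(primary),
        "gaps_backup": id_gaps(backup),
        "digest_primary": chain_digest(primary),
        "digest_backup": chain_digest(backup),
    }


if __name__ == "__main__":
    # Both copies manipulated by the same script: the diff is empty, the gap shows.
    report = audit(load(TAMPERED_ROWS), load(TAMPERED_ROWS))
    print("differences:", report["differences"])
    print("missing ids:", report["gaps_primary"])
```

Run against two identically tampered copies, `compare` returns nothing, exactly the blind spot the investigators hit, while `id_gaps` still reports key 4. The hash chain is the preventive counterpart: a digest recorded at end of day on a host the administrator cannot reach will no longer match a database that was rewritten afterwards.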
We thought that this was the end of the investigation. But the problem started again when, one busy day, a biometric device stopped working and all employees were standing in line to punch their cards, causing chaos. Again the vendor was called; they checked everything and blamed the CCFIS forensics team, saying that the forensics vendor CCFIS had done something to these devices. The CCFIS team again visited the premises to investigate the issue.
After investigation, we found that a small sticker-based RFID chip had been pasted on the side of the biometric device. So whenever anyone tried to punch their card, the device did not work, as it was busy reading that hidden sticker-based RFID chip on the side of the device, which was so small that nobody found it suspicious.

After removing this RFID sticker, everything was normal as before and the system started reading and processing all the cards. Unfortunately these stickers are available at a very low price and anyone can purchase them. Even a few mobiles come with a free RFID sticker to customize according to the user’s needs.
encrypted document malware
Malware that encrypts your documents

We all know about the CryptoLocker malware, which encrypts all documents of the infected system. The Trojan encrypts data on the affected computer, switching the extensions of affected files to .cryptolocker afterwards. It uses a weaker encryption method than the original, so it is possible experts may be able to regain access to the locked files, but this won’t be an option for most infected users.
We recently handled and solved a case involving a server infected by CryptoLocker. The user’s entire server was infected and all documents hosted over the site were corrupted. Even the document files that were hosted on the company’s website and FTP server were infected, and the infected documents started spreading internally through FTP and to the outside world through the company’s website. Every time the administrator tried to decrypt a document, an alert was generated and the application demanded money to decrypt the files. The following were the reasons why the server was infected:
• The administrator was visiting malicious sites on the server to download torrents and other material.
• The administrator had not installed an ad-blocker to block malicious advertisements.
• The administrator clicked on some lucrative ads of his interest and followed the instructions.
CryptoLocker can not only infect servers but can infect your systems also; recently, in a blog post, virus coders mentioned that they are already working on the development of CryptoLocker for Android and other handheld devices.
In order to resolve this case, we tried many different traditional techniques. But as this version of CryptoLocker was working on some different protocols, none of them worked. Later on we realized that the original files were deleted by this tool and a duplicate file of the same name with the .cryptolocker extension was created for every document hosted on the server. So even if the administrator had paid the amount to the tool, he might not have been able to get the original documents back.
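The behaviour just described leaves a recognisable footprint on a file share: a copy named after the original with .cryptolocker appended, the original itself gone, and the copy's content looking like random bytes. The following is an added example, not CCFIS's own tooling, of a triage script that walks a share, records those three facts per encrypted copy, and lists the documents whose originals are missing, which are the ones that only disk-level recovery of deleted files (as done in this case) can bring back. The directory layout and file contents built by `build_sample_share()` are constructed for the example; the entropy threshold is a rule-of-thumb assumption.

```python
"""Triage a document share for the ransomware footprint described above: an
encrypted copy named <original>.cryptolocker, the original gone, the copy's
content high-entropy.

Added example, not CCFIS's own tooling.  The directory layout and file
contents built by build_sample_share() are constructed.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".cryptolocker"
ENTROPY_THRESHOLD = 7.0   # bits per byte (assumed cut-off); documents sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root):
    """Return one finding per *.cryptolocker file, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(RANSOM_EXT):
                continue
            path = os.path.join(dirpath, name)
            original = path[:-len(RANSOM_EXT)]
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read())
            findings.append({
                "encrypted_copy": path,
                "original": original,
                "original_present": os.path.exists(original),
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
            })
    return sorted(findings, key=lambda f: f["encrypted_copy"])


def needs_disk_recovery(findings):
    """Originals that no longer exist: paying would not restore these either."""
    return [f["original"] for f in findings
            if f["looks_encrypted"] and not f["original_present"]]


def build_sample_share():
    """Constructed sample share in a temporary directory.

    docs/report.docx  -> deleted, only the .cryptolocker copy remains
    docs/invoice.pdf  -> both original and .cryptolocker copy present
    docs/readme.txt   -> untouched
    """
    root = tempfile.mkdtemp(prefix="share_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    # Deterministic stand-in for ciphertext: cycles through every byte value
    # equally often, so its entropy is exactly 8.0 bits per byte.
    ciphertext = bytes((i * 131 + 7) % 256 for i in range(4096))
    text = b"Quarterly figures and meeting notes, plain text.\n" * 40
    with open(os.path.join(docs, "report.docx" + RANSOM_EXT), "wb") as fh:
        fh.write(ciphertext)
    with open(os.path.join(docs, "invoice.pdf"), "wb") as fh:
        fh.write(text)
    with open(os.path.join(docs, "invoice.pdf" + RANSOM_EXT), "wb") as fh:
        fh.write(ciphertext)
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(text)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in scan(share):
        print(finding)
    print("recover from disk:", needs_disk_recovery(scan(share)))
```

On the constructed share the script reports two encrypted copies; only `report.docx` lands in the recovery list, because its original was deleted. Running such a scan read-only, before anything is written to the affected disk, also preserves the chance of recovering the deleted originals.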
Our forensics team started data recovery of the deleted files and, since the hard disk was in good condition, all original documents were recovered. Unfortunately the administrator had to format his server, but the documents were recovered.
The same can happen to any one of us, and in most cases tools like CryptoLocker demand money to unlock these documents. Most of us think that the amount the tool is asking for is much less than the cost and importance of the documents, and the user pays the money. But these tools are not from trustworthy sources, and it should not be trusted that, even after paying the amount, the user will get all his documents back. The same scenario happened with the administrator of this company.
The following are some recommendations to avoid these types of malware or ransomware:
• Instead of using Internet Explorer as your default browser, use Chrome or Firefox. If your company policy forces you to use Internet Explorer, then use the latest updated version of Internet Explorer.
• Avoid clicking on lucrative advertisements. For better security you can install an ad-block plugin in your browser.
• Install original anti-virus software and keep it updated to avoid these types of malware.
• Also, no matter how secure your computer is, if you are not aware then you cannot stop these types of malware from infecting your computers, as there is always a cat-and-mouse game between malware and anti-virus.
intelligence gathering
Tracking Pakistan Haxor Crew

Intelligence is what we all need to run our business effectively. But in our case intelligence gathering helped us in resolving one major, controversial website hacking case.

Recently one site was hacked and the attack was claimed by a hacking activist group called Pakistan Haxor Crew. This case was brought to us for further investigation. Initially we started analyzing server logs and retrieved a number of IPs through which the site received XSS, SQL injection, null byte, brute-force and many more active attacks intended to take down the site. Later on, after analyzing and tracing the IPs, we came to know that all the IPs were fake: the attacker had used multiple proxies and Tor anonymising software to perform these attacks. So we were not able to trace the actual culprit with the provided data.
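The log review described above, pulling out the IPs behind XSS, SQL injection, null-byte and brute-force attempts, is routine enough to script. The following is an added example, not CCFIS's own tooling, of a first-pass triage over Apache combined-format access logs: it URL-decodes each request path, matches a small set of indicator patterns, counts failed POSTs to the login handler per IP, and returns a per-IP summary for the analyst. As the case itself shows, the addresses may belong to proxies or Tor exits, so the output is a review queue, not attribution. The log lines are constructed, and the login path `/admin/login.php` and the failure threshold are assumptions.

```python
"""First-pass triage of web access logs for the indicators named in the case:
SQL injection, XSS, null-byte injection and login brute force.

Added example, not CCFIS's own tooling.  The Apache combined-format lines are
constructed; the login path and brute-force threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Indicator patterns are applied to the URL-decoded request path.
INDICATORS = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'|'\s*or\s+\d|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
    "nullbyte": re.compile(r"\x00"),
}

LOGIN_PATH = "/admin/login.php"   # assumed location of the login handler
BRUTE_FORCE_THRESHOLD = 5         # failed logins from one IP before flagging

# Constructed sample (Apache combined format).
LOG_LINES = [
    '203.0.113.7 - - [12/Jun/2014:10:01:01 +0530] "GET /news.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2014:10:01:03 +0530] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jun/2014:10:02:10 +0530] "GET /download.php?file=notes.txt%00.pdf HTTP/1.1" 404 0 "-" "curl/7.30.0"',
    '198.51.100.9 - - [12/Jun/2014:10:02:11 +0530] "GET /news.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20admins HTTP/1.1" 500 0 "-" "curl/7.30.0"',
] + [
    f'192.0.2.44 - - [12/Jun/2014:10:05:{s:02d} +0530] "POST /admin/login.php HTTP/1.1" 401 120 "-" "python-requests/2.2"'
    for s in range(5)
] + [
    '192.0.2.44 - - [12/Jun/2014:10:05:09 +0530] "POST /admin/login.php HTTP/1.1" 302 0 "-" "python-requests/2.2"',
    '203.0.113.200 - - [12/Jun/2014:10:06:00 +0530] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, login_path=LOGIN_PATH, threshold=BRUTE_FORCE_THRESHOLD):
    """Per-IP summary of indicator hits and login failures.

    Only IPs with at least one indicator or a brute-force pattern are returned.
    """
    per_ip = defaultdict(lambda: {"indicators": set(), "failed_logins": 0,
                                  "login_success_after_failures": False,
                                  "requests": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        decoded = unquote(rec["path"])          # %27 -> ', %00 -> NUL, ...
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                entry["indicators"].add(name)
        if rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            if rec["status"] in ("401", "403"):
                entry["failed_logins"] += 1
            elif rec["status"] in ("200", "302") and entry["failed_logins"] >= threshold:
                # A success right after a run of failures deserves a closer look.
                entry["login_success_after_failures"] = True
    report = {}
    for ip, entry in per_ip.items():
        brute = entry["failed_logins"] >= threshold
        if entry["indicators"] or brute:
            report[ip] = {
                "indicators": sorted(entry["indicators"]),
                "failed_logins": entry["failed_logins"],
                "bruteforce": brute,
                "login_success_after_failures": entry["login_success_after_failures"],
                "requests": entry["requests"],
            }
    return report


if __name__ == "__main__":
    for ip, summary in analyze(LOG_LINES).items():
        print(ip, summary)
```

Matching on the decoded path matters: the same injection attempt arrives as `%27%20OR%20%27` in one request and as a literal quote in the next, and a pattern applied to the raw line would see only one of them. The benign client in the sample never appears in the output, which keeps the review queue to the addresses worth tracing further.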
After a few hours, we started looking for Pakistan Haxor Crew over different blogs and underground communities. We were able to gather complete intelligence about the entire crew: its members, their Facebook profiles, their websites and blogs, sites hacked by them, their future targets, and every possible detail they had left over the internet.
With this data we were able to locate all the team members, and the case was resolved by tracing the IPs of their personal email IDs and Facebook logins.
about us
We at Amity Innovation Incubator have established a research lab, the “Center for Cyber Forensics and Information Security”. CCFIS (www.ccfis.net) is founded on the core belief that cyber security is a growing concern worldwide; hence it is necessary to secure and protect our country and national technology infrastructure to safeguard the future of our country and hence its citizens.
CCFIS is a research organization and part of Amity Education Group, which is India’s leading education group, having 1,00,000 students, 5 universities and many Indian and global campuses. We intend to create a research collaboration forum so that the internet community can fight together against cyber crimes.

Noida Office: Amity Innovation Incubator, Block E-3,1st Floor, Amity University, Sector-125 Noida,
UP-201301, India, Email Id: info@ccfis.net, Phone no: +91-120-4659156

Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India
Disclaimer—This report was prepared as an account of work done by CCFIS research and analysis wing. Neither the CCFIS, nor any of their employees, nor any of their contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.

© Center for Cyber Forensics & Information Security
