Digital / ForensicS magazine
Issue 03, 1 May 2010. Issue 3 / £11.99. TR Media
Competition! Win 3 brand new books from Syngress
Inside:
/ Set up your own Digital Forensic Lab
/ Proactive Digital Forensics
/ Cyber Chat, Deciphered!
/ Dissecting Malicious Software
/ EDITORIAL

Well, we have another feature-packed issue for you, with a look at some interesting areas of the Digital Forensics profession and how using associated disciplines can help to build a broader base of evidence for any investigation. We hope by introducing some of the topics and related fields of investigation, your own investigations and research can benefit from what you read.

During the period since we released Issue 2 we have made some changes that we think you will like. We have reduced the price considerably and made modifications to the website to make it easier for you to navigate. We will continue to make improvements and add features as you, the reader, provide feedback to us via ‘360’ with how you think we can improve or what you would like to see.

We have also started the Digital Forensics Magazine ‘Blog’ (http://trmediacms.com/blog) and already those of you who have expressed an interest in ‘Blogging’ have started to provide thought-provoking blogs. This, along with the LinkedIn DFMag Group, will allow us to join up the Global DFMag community for the sharing of ideas, problems or just getting to know your peers. Anyone who has not yet joined the group, just search for Digital Forensics Magazine on LinkedIn and ask to join.

I had an interesting dialogue with Chris Hargreaves of Cranfield University that I thought I would share with you, regarding the naming conventions of Digital, Computer or Cybercrime Forensics. At Digital Forensics Magazine we took the view early on that Digital Forensics was the correct term, mainly for the very reasons stated in his article for Forensic Focus (What is this field called anyway?). Our reasoning was not from an academic standpoint but more from a desire to use a name that actually reflects what is happening and be as inclusive as possible. I take the view that Cybercrime Forensics is a particular area within Digital Forensics, as it deals with crime within Cyberspace and as such provides a boundary to the area under investigation. To me and with respect to the poor use of the English Language, I have always found the use of the term Computer Forensics to exclude those additional areas like Mobile Phone, SatNav, CellSite Forensics etc. and as such is again a definition of a boundary or area within Digital Forensics.

I will stop now and let you get on with reading the many and varied articles we have selected for Issue 3, and remember if there is a topic you would like to see appear in the magazine, or would like to have a go at writing an article, we would love to hear from you.

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board: Sharon Campbell, Tony Campbell, Roy Isbell, Dr Tim Watson, Moira Carroll, Alastair Clement, Angus Marshall
Acquisitions: Roy Isbell, Tony Campbell
Editorial: Sharon Campbell
News Desk: Matt Isbell
Sales & Marketing: Matthew Rahman
Production and Design: Matt Dettmar (Loud Vision Ltd)
Contributing Authors: Bill Dean, Tom Slovenski, Angus Marshall, Scott Zimmerman, Tim Watson, Mark Rasch, Christa Miller, Jim Wingate, Barry Hood, Ian Kennedy, John Olssen, Paul Tew and Steve Shillingford
Technical Reviewers: Tony Campbell, Roy Isbell, Dr Tim Watson, Moira Carroll-Mayer, Peter Jones and Joshua Talbot

Contact Digital Forensics Magazine

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@digitalforensicsmagazine.com. Alternatively you could telephone us on: +44 (0) 203 2393666

News
If you have an interesting news item that you’d like us to cover, please contact us on: news@digitalforensicsmagazine.com

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@digitalforensicsmagazine.com.

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@digitalforensicsmagazine.com.

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@digitalforensicsmagazine.com.

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.
CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 03

REGULARS
/ NEWS 06
/ 360° 09
/ COMPETITION 36
/ PRODUCT REVIEW 60
/ BOOK REVIEWS 78
/ IRQ 82

FEATURES
/ INTERPRETING EMAIL HEADERS 12
Tim Watson explains how vulnerable email protocols can be abused and how to catch those who do it
/ PROACTIVE COMPUTER FORENSICS 19
Scott Zimmerman discusses how to gather and store event-related information appropriately
/ THE FACEBOOK MURDER 24
John Olsson illustrates how text messaging can be used for ill-means by linguistic masterminds
/ A DIGITAL FORENSICS LAB BY ANY OTHER NAME 30
Digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines
/ DISSECTING MALICIOUS MALWARE 45
Modern malware is more sophisticated than it used to be and can easily mislead the investigator...
/ MODELLING FOR OPERATIONAL FORENSICS 52
Barry Hood shows how modelling paradigms can be used to guide a simple psychosocial forensic analysis
/ IT’S NOT ABOUT PREVENTION 57
Steve Shillingford explains why there is an urgent need for preparedness in cybersecurity
/ TIME FOR FORENSICS 67
Paul Tew discusses how to understand and effectively investigate digital time stamps
/ INTRODUCTION TO STEGANOGRAPHY 73
Jim Wingate shows us how to uncover hidden information

LEGAL
/ THE FOURTH AMENDMENT 38
Mark Rasch highlights how technological developments have overtaken the Fourth Amendment
NEWS
Academics & Practitioners Discuss Digital Forensics Skills & Training
6 Digital / ForensicS
360°
Your chance to have your say …

Our readership continues to grow Internationally with Taiwan recently being added to the list of countries where DFM is being published. In addition to 360, we have also established other outlets for your thoughts and comments. The DFM Blog is gathering momentum and new bloggers are being added all the time along with a DFMag LinkedIn Group to help spread the word, which with our Twitter feed is developing a significant following for the Magazine. We continue to get many letters of support and as we grow as a community we hope to provide a platform for you all to have your say about the Digital Forensics Community and how we develop our craft. Our thanks to all our readers and visitors to the website who take the time to let us know what you think and how we might improve. This is your magazine, so we want to hear from you with ideas, articles or just comments, both good and bad.

Send your letters and feedback to: 360@digitalforensicsmagazine.com

Print version
I am a subscriber to both the digital version and the print version of your magazine and I just wondered when the print copies were due to be posted? Many Thanks
John Lacey

Hello John, thanks for bearing with us (that includes everyone who was waiting for the print version of Issue 2). We delayed the print run of Issue 2 until we were certain that the online version was running and all was correct with the new platform. Moving forward we plan to have the print version available at the same time as the online version. Have you read the online version? If so what did you think?

Many thanks for the details about when to expect the print version. So far I have only had a quick flick through; as soon as I get time I am planning on reading all the articles. But from what I have seen it continues with all the features that were good from issue 1. I like the way that it presents and discusses new features/techniques in the Digital Forensics World while also having articles that are not so technical. I also like the book section towards the end. I had been looking for a while for a magazine about Digital Forensics so I was pleased to find this one, please keep up the good work.

/ GOING GLOBAL
Having read issue 2, I firmly believe that this is a must-have magazine if you are in this field. As this discipline starts to take shape here in South Africa, I believe this publication will be a key source for me personally to use as a reference tool for my suggestions towards our national certification program. Articles are written such that people, irrespective of their specialist knowledge or lack thereof, are able to follow and glean valuable hints. Furthermore, your decision to be an internationally focused magazine will reap benefits in the long run as our global village shrinks by the day. To this point, any country specific legislation articles will be welcomed as I have jurisdictional responsibility for my organization in 18 African countries and 21 other countries across the globe.
Caldon Thomson
Head: Information Security Assurance and Forensic Auditing
Standard Bank: Group Internal Audit

Hello Caldon, thank you for your letter and welcome to the Global DFM community. Your comments reinforce what we were being told very early on when we started DFM, in that there is an International requirement for the magazine. We have passed on your comments regarding the country specific legislation to our Legal Editor and will look for those specific legal news snippets that affect DF Practitioners around the world. We would be very interested to hear more about your National Certification Program as this is an area that is being closely looked at; we hope to have an article about this in issue 4 which will highlight some of the work being done. This work, if adopted, might just become an international benchmark for DF Practitioners.

I included the above email correspondence to deal with the delay our readers experienced in getting the print version for Issue 2. As we work to get our processes streamlined we will be looking to make sure that the print version is available and delivered the same day as the online version. It is probably going to be Issue 4 before we get this correct; however, all who receive the print version will see an improvement from Issue 3. Thank you John for your additional feedback!

Computer Forensic Tools Survey
Congratulations on the mag – great stuff! By way of introduction, I’m an independent computer forensic practitioner in Sydney, Australia, having previously worked for the largest commercial computer forensic team in the
Find out how vulnerable email protocols can be abused and how to catch those who do it
by Tim Watson
/ INTERMEDIATE
Email started life as a novelty and has risen to
become a necessity. But the speed, flexibility
and low costs of email communication have
been turned into a weapon. From spam to spear
phishing, your inbox can place you one click away
from disaster. In fact, you don’t even need to click to
be in danger. How can you tell the good from the bad,
the genuine from the fake? How is a deceptive email
constructed and how can it be spotted? Let’s find out.
As with any form of defence, knowledge is power.
The main weakness exploited by those who send
malicious emails is the weakness of ignorance. The
fact that the vast majority of users do not have a clue
how emails work, how they are constructed and how
they get from source to destination, is both a credit to
the design of the email system, which provides a simple
and reliable communication method, with no need for the
user to understand the machinery and an opportunity for
those who do understand the system to perform nefarious,
electronic sleight of hand to deceive the trusting masses of
email users who embrace its magic.
To understand the dangers and the ways to reduce
them, we need to peek behind the curtains and discover
the secrets of the processes and protocols that make up the
modern email system. By understanding how emails work,
we will be able to spot the weak points and to discover the
Figure 1
/ Listing 1
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: "Digital Forensics Magazine" <tw@mydomain.co.uk>
Date: Tue, 23 Mar 2010 10:15:09 +0000
Sender: digitalforensicsmagazine@mailer.emsg-live.co.uk
Reply-to: Digital Forensics Magazine <marketing@digitalforensicsmagazine.com>
Subject: New Subscription Prices from Digital Forensics Magazine
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_5fc6d29ab134767240d462b85f431cfa"
Message-Id: <20100323101540.527637DCB1B@.com>

--b1_5fc6d29ab134767240d462b85f431cfa
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: 8bit

Don't forget to forward this email to people who you think will find Digital Forensics Magazine of interest
Add us to your contact list to make sure you can receive future emails safely

--b1_5fc6d29ab134767240d462b85f431cfa
Content-Type: text/html; charset = "utf-8"
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
<h2 class="style1" align="left" style="font-family:Arial, Arial, Helvetica, sans-serif; font-weight: normal; font-size: 16px; margin: 0px; padding: 0px;">
Price Change Special ++ Price Change Special ... <br>
</h2>
...
<p>Please click <a class="notifire_unsubscribe" href="http://clicks.emsg-live.co.uk/profile/S-10768@7354432@1">here</a> to unsubscribe.
</p>

of the sender and recipient are ‘on’ the envelope, the envelope is removed by the mail server and it’s only the contents of the message that are sent to the user receiving the email. The message headers that state who the email is from, who it’s to, when it was sent and the entire message body can all be made up by the sender and do not have to relate to the information on the envelope. I can construct an envelope to your email address today, but when you receive the email I can make it appear that it was sent to anyone I like, from anyone I like, at any date I like and with any contents I like. We’ll see how to do this shortly. For now, it is enough to worry that the weakness in the global email system just revealed means that you can never trust another email unless you view the source. Oh, and you’d also better worry about someone sending a forged email to your boss, or your partner, that appears to come from you.

While HTML-based attacks are beyond the scope of this article, it is worth noting that the email shown in Listing 1 contains a common, hidden extra. If you look closely you’ll see that the plaintext section ends with the words, “Add us to your contact list to make sure you can receive future emails safely”, whereas the HTML version has an extra bit of code after this text, as follows:
every time they view the email (unless, like me, you don’t open the HTML version of emails). In the hands of a malicious sender, this ability to make the receiver automatically access an arbitrary web server and download an image of the attacker’s choosing is obviously very dangerous. Of course, if you are communicating with a suspected criminal by email, the same technique can be used to help trace them.

We will return to the message content when we explore the message headers but, for now, we need to understand how to construct and how to send a forged email.

/ SIMPLE MAIL TRANSFER PROTOCOL
When your email client sends an email it does so by communicating with a mail server using the Simple Mail Transfer Protocol (SMTP). The details of this protocol can be found in RFC 5321. Although it is recommended that mail user agents don’t talk to mail transfer agents directly, but rather that they use a mail submission agent as described in RFC 4409, both MTAs and MSAs use the same SMTP protocol and it is still normal for mail clients to talk directly to MTAs.

Your mail client typically connects to the mail server using TCP port 25 and receives an identification message from the server. The client then says ‘hello’ (actually, ‘EHLO’, which stands for extended hello) and the server responds with a list of services available. The client will then send the envelope details, saying where to send the email and whom it’s from, and then the email data is transferred from client to server. This data includes the message headers and the message content and it is all treated as just ‘data’ by the mail server. Your mail client will include several headers in the email to show which mail client you are using, the sender’s email address, the date and time etc.

However, there is no need to use a conventional mail client. If you use a low-level network tool such as netcat (http://netcat.sourceforge.net/), it’s possible to directly control the information passed to the server. The command-line output in

/ Listing 2
EHLO mailer.emsg-live.co.uk
250- mail.mydomain.co.uk Hello me.mydomain.co.uk [146.XXX.XX.XXX], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 16000000
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
MAIL FROM:<digitalforensicsmagazine@mailer.emsg-live.co.uk>
250 2.1.0 <digitalforensicsmagazine@mailer.emsg-live.co.uk>... Sender ok
RCPT TO:<tw@victim.co.uk>
250 2.1.5 <tw@victim.co.uk>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: Tim Watson <tw@victim.co.uk>
Cc: Bank of England <cashier@bankofengland.co.uk>
Date: Tue, 23 Mar 2010 10:15:10 +0000
Sender: digitalforensicsmagazine@mailer.emsg-live.co.uk
Reply-to: Digital Forensics Magazine <marketing@digitalforensicsmagazine.com>
Subject: New Subscription Prices from Digital Forensics Magazine
Message-Id: <20100323101540.527637DCB1C@mailer.emsg-live.co.uk>

Dear Tim,

Thanks for setting up your direct debit. We will take loads of money from your bank account every month. If you would prefer us not to then please cancel this by visiting http://evilwebsite.com/sucker

Thanks,

Digital Forensics Team
.
250 2.0.0 o35JZFxs008825 Message accepted for delivery
QUIT
221 2.0.0 mail.mydomain.co.uk closing connection

Figure 3

Listing 2 is a dialogue between my “attacker’s machine” and a mail server and Figure 3 shows the email as it appears to the receiver after it has been sent. I have highlighted in bold the parts of this dialogue that were added by me; the rest is produced by the server.

You’ll notice that there was no authentication needed. As long as I’m accessing the mail server from the same domain it will happily accept commands from me. You’ll also notice
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20100401130811.0454D710AFF9@server.hardtec.srv.br>
Date: Thu, 1 Apr 2010 10:08:11 -0300 (BRT)
Subject: Halifax Online Team Account Notification
Return-path: <xzznrg@yahoo.com>
Envelope-to: tw@victim.co.uk
Delivery-date: Mon, 05 Apr 2010 07:39:24 +0100
Received: from [95.168.183.140] (helo=srv.multimedyahosting.com)
by inmx04.plus.net with esmtp (PlusNet MXCore v2.00) id 1Nyfy0-0004Vc-A7

/ Author Bio
Dr Tim Watson is the head of the Department of Computer Technology at De Montfort University and the leader of its computer forensics and security group. With more than twenty years’ experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. Tim is a regular media commentator on computer forensics and security.
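The article makes two points that an investigator can turn into a mechanical check: the author-supplied headers (From, To, Reply-to, Date) need not agree with the envelope the MTA actually saw, and the headers the receiving MTA adds itself (Return-path, Envelope-to, the Received chain with its helo= name and connecting IP, as in the Halifax fragment above) are the trustworthy part. The following is an added example, not code from the article or from its author; it uses only Python’s standard `email` package, and the two message sources are constructed for the example (documentation IP ranges and `example` hostnames, placeholder queue ids), modelled on the fragments in the article rather than copied from them.

```python
"""Envelope-versus-header consistency checks for a raw email source.

Added example, not code from the article: it uses Python's standard `email`
package to pull out the headers the article discusses and to flag the
mismatches a forged message tends to show (sender-authored From/Reply-to/To
versus the MTA-written Return-path/Envelope-to, and a HELO name that does
not match the host that actually connected, as recorded in Received).
"""
import email
import email.utils
import re
from email import policy

# Constructed sample, modelled on the header fragment in the article; the
# addresses, host names, IPs and queue ids are placeholders, not real data.
SUSPECT = """\
Return-path: <xzznrg@webmail.example.net>
Envelope-to: tw@victim.example.org
Delivery-date: Mon, 05 Apr 2010 07:39:24 +0100
Received: from [192.0.2.10] (helo=srv.hosting.example.com)
    by inmx.victim.example.org with esmtp id PLACEHOLDER-QUEUE-ID-1
Received: from mailserver.hosting.example.com (mailserver.hosting.example.com [192.0.2.11])
    by srv.hosting.example.com with esmtp id PLACEHOLDER-QUEUE-ID-2
From: "Halifax Online Team" <online@halifax-lookalike.example.com>
Reply-to: <collect@somewhere-else.example.net>
To: <someone-else@victim.example.org>
Date: Thu, 1 Apr 2010 10:08:11 -0300 (BRT)
Subject: Account Notification
MIME-Version: 1.0
Content-Type: text/plain

Please confirm your account.
"""

# Constructed legitimate-looking counterpart: envelope and headers agree.
CLEAN = """\
Return-path: <news@sender.example.com>
Envelope-to: tw@victim.example.org
Received: from mail.sender.example.com (helo=mail.sender.example.com)
    by inmx.victim.example.org with esmtp id PLACEHOLDER-QUEUE-ID-3
From: "Newsletter" <news@sender.example.com>
Reply-to: <news@sender.example.com>
To: <tw@victim.example.org>
Subject: Issue 3 is out
Content-Type: text/plain

Hello.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"           # host name or [ip] that connected
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # optional detail: helo=..., rDNS name, [ip]
    r".*?\bby\s+(?P<by>\S+)",         # the MTA that wrote this header
    re.DOTALL,
)


def parse_received(value):
    """Extract connecting host, HELO name and receiving MTA from one Received header."""
    value = " ".join(str(value).split())          # unfold and squeeze whitespace
    match = RECEIVED_RE.search(value)
    if not match:
        return None
    helo = re.search(r"helo=([^\s)]+)", match.group("paren") or "")
    return {
        "from": match.group("from").strip("[]").lower(),
        "helo": helo.group(1).lower() if helo else None,
        "by": match.group("by").lower(),
    }


def domain_of(header_value):
    """Domain of the first address in a header value, '' when absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_chain(raw):
    """Received hops in transmission order (the top-most header is the last hop)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def check_message(raw):
    """Return human-readable findings; an empty list means no mismatch was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, rp_dom, reply_dom = (domain_of(msg[h]) for h in ("From", "Return-path", "Reply-to"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain '{rp_dom}' differs from From domain '{from_dom}'")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-to domain '{reply_dom}' differs from From domain '{from_dom}'")
    env_to = str(msg["Envelope-to"] or "").strip().lower()
    visible = {a.lower() for _, a in email.utils.getaddresses(
        [str(msg[h]) for h in ("To", "Cc") if msg[h]])}
    if env_to and visible and env_to not in visible:
        findings.append(f"envelope recipient '{env_to}' is not in To/Cc {sorted(visible)}")
    for i, hop in enumerate(received_chain(raw)):
        if hop["helo"] and hop["helo"] != hop["from"]:
            findings.append(f"hop {i} ({hop['by']}): HELO '{hop['helo']}' does not match "
                            f"connecting host '{hop['from']}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, check_message(raw) or ["no mismatches"])
```

Only the Received headers written by MTAs you trust (your own, or your provider’s) carry weight: everything below them in the chain was supplied by the sender and can be forged just like From. A mismatch is a lead, not a verdict, since mailing-list relays and forwarding services produce some of the same patterns legitimately.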
PROACTIVE COMPUTER FORENSICS
THE SECOND PART IN SCOTT ZIMMERMAN’S SERIES ON PLANNING AND PREPARATION
In the first article we covered the reasoning behind Proactive Computer Forensics. To recap, continuously gathering and storing event-related information appropriately – before an incident occurs – can pay dividends in an investigation
/ INTERMEDIATE

Though the article uses excerpts from US and UK law, readers are encouraged to use the two provided links to acquire their own (published, freely-available) copies of the US and UK statutes in their entirety.

If there is a chance that a forensic investigation could result in prosecution, the evidence gathering process should include events, actions and other data points that are related to specific legal statutes. As a guide to identifying these events, we will examine two pieces of legislation: the Computer Fraud & Abuse Act from the US and the Computer Misuse Act 1990 from the UK.

/ The Computer Fraud & Abuse Act
The Federal statute that covers computer intrusions in the United States is US Criminal Code, Title 18, Section 1030 - Fraud and Related Activity in Connection with Computers. Also known as the Computer Fraud and Abuse Act, 18 USC Section 1030 can be found in its entirety at the United States Department of Justice web site: http://www.usdoj.gov/criminal/cybercrime/1030NEW.html.

The entire code is fairly lengthy – about six printed pages – but certain portions of the code will be of great interest to those involved with computer crime and forensic investigation. In the interest of space and relevance we will not cover the entire code in detail. The relevant sections will be addressed in the order that they appear in the body of the code.

Section 1030(a)(4)
[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;

This covers an intruder who gains access and steals data, trade secrets, proprietary software, commercial software, etc. that is worth more than $5,000. If the intruder breaks in, creates an account for himself, and immediately logs out, the amount of damage from that specific incident might not reach the required level of $5,000, but we will soon see that there are other factors involved in the damage calculations.

1030(a)(5)(A)(i)
…knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

A good example of item (A) is the intentional and malicious transmission of Trojan horses, viruses, and other malware: the sender has knowingly transmitted a program with the intent to cause damage to a protected computer. However, a buffer overflow exploit would also fit the description, since the exploit itself is “information, code, or command” – actually all three – and is intended to cause an unauthorized effect. Whether this effect constitutes ‘damage’ will depend on the nature of the script and the overall robustness of the system.

1030(a)(5)(A)(ii)
…intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

1030(a)(5)(A)(iii)
intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage
Items (ii) and (iii) are very similar. In fact, the only difference is the use of the word recklessly in (ii). Why draw the distinction? Both (ii) and (iii) contain intentional access to a protected computer without authorization, which means that the intruder achieved some level of compromise and has gained access to the system. Anything that the intruder does – malicious or otherwise – after this point will fall into one of two categories: acts that were committed intentionally, or acts that were committed recklessly.

An act committed recklessly means that the intruder did something he did not intend to do, possibly through haste or carelessness: for example, he might have mistyped a command, killed the wrong process, or deleted a file accidentally. As a result, the damage caused was not wholly intentional, and this intruder’s actions would fall under (ii). However, if the act was committed intentionally, and the intruder accomplished exactly what he intended to do – such as rm -rf /database – the offense is covered by (iii).

1030(a)(5)(B)
by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused):

This clause is very interesting: it states that an intruder does not have to be successful in his endeavor; the attempt to cause damage is enough to warrant prosecution. As a result, any evidence related to attempted but unsuccessful activity can be valuable. This may include (but is not limited to) failed login attempts, denied attempts to access specific files, and applications which have been run or which someone tried to run.

1030(a)(6)
knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if

If an intruder compromises a machine and does not do any damage – meaning he left the system in the same state he found it – the organization that owns the machine will still need to conduct a thorough investigation. Even if the intruder left a polite note for the system administrators stating that he did no damage, should the administrator take the note at face value? One sincerely hopes he will not; after all, if someone is ethically challenged enough to compromise someone else’s system, how can the system administrator be expected to believe this someone would tell the truth in the note? A reasonable and prudent individual would be quite skeptical of this.

1030(e)(1)
the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

This clause is useful because it expands the area of concern beyond that of the typical desktop computer or server. Firewalls, switches, routers, wireless access points, centralized storage – such as SANs – as well as PDAs and smartphones all fit the definition laid out above. As a result, event information concerning these devices may be quite useful and should be captured.

1030(d)(11)
the term ‘loss’ includes any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

An example of an action fitting clause (3) is that of an intruder who gains unauthorized access to a system – e.g. using a compromised account – and then creates a privileged account for himself before logging out. This would allow him to log back in later without the potential for raising alerts by re-using the compromised account.

For clause (4) we may consider the same intruder who creates the privileged account – or made some other modification to the system to allow access – and then promptly forgets the password or access method. The facts are now that the intruder cannot use the access method he set up for himself, but that is immaterial to determining guilt: he still made the system modifications with the intent of furthering the original offense(s).

/ What does all this mean?
We’ve looked at some interesting legal statutes, and we’ve associated them with some activities commonly uncovered during forensic investigations. But to what end?

Here is why: we now have a better idea of the kinds of activities that should be monitored in a Proactive Computer Forensics effort. This list includes, but is not limited to the following:
• Account creations and deletions
• Strange login activity, e.g. multiple failures, successes at odd hours or from unusual sources
• Unusual application behaviour
• Failed attempts to access data or other resources
• Failed attempts to run programs, scripts, or commands, especially those which grant or require privileges
• Unexplained reboots or other strange system behaviour

In short, we want to learn who is doing what on a given system. It may help to remember the five W’s used by journalists: Who, What, When, Where, and Why. Later in the series we will discuss technical means for gathering this information.

In the next issue we will examine US and UK evidentiary requirements to learn what must be done to maintain the integrity of evidence. /

/ Author Bio
Scott C. Zimmerman, CISSP has been an Information Security consultant, presenter, and trusted advisor since 1995. He has been researching legal issues in computer forensics part-time for nearly ten years, and is working to bridge the gap between law and technology in this area.
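The monitoring list above, together with the five W’s, can be turned into a first-pass triage rule set that tags each captured event with who, what, when, where and why it matters. The following is an added example, not code from the article or from the author’s series. It assumes a simplified syslog-like line format (`<ISO timestamp> <host> <event> key=value ...`), an 08:00–18:59 working day, a small allow-list of expected login sources and a threshold of three failures, all chosen for the example; the log lines are constructed. “Unusual application behaviour” from the list is left out because it needs a per-application baseline rather than a single rule.

```python
"""Added example (not from the article): sort constructed audit events into
the categories the article lists and report each one around the five W's.

Assumed for this example: a syslog-like line format
(<ISO timestamp> <host> <event> key=value ...), an 08:00-18:59 working day,
an allow-list of expected login sources and a threshold of three failures.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events; host, user and address values are placeholders.
SAMPLE_LOG = """\
2010-04-05T02:12:01 db01 auth_fail user=admin src=203.0.113.9
2010-04-05T02:12:04 db01 auth_fail user=admin src=203.0.113.9
2010-04-05T02:12:07 db01 auth_fail user=admin src=203.0.113.9
2010-04-05T02:12:15 db01 auth_ok user=admin src=203.0.113.9
2010-04-05T02:14:30 db01 account_create user=svc_backup2 by=admin
2010-04-05T02:15:02 db01 exec_denied user=svc_backup2 cmd=/usr/bin/sudo
2010-04-05T02:16:40 db01 file_denied user=svc_backup2 path=/etc/shadow
2010-04-05T09:30:00 db01 auth_ok user=alice src=10.0.0.5
2010-04-05T10:02:11 db01 reboot reason=unknown
"""

BUSINESS_HOURS = range(8, 19)   # assumed working day, local time
KNOWN_SOURCES = {"10.0.0.5"}    # assumed allow-list of expected login sources
FAIL_THRESHOLD = 3              # failures per (user, source, host) before reporting


def parse_line(line):
    """Split one line into timestamp, host, event name and key=value fields."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(pair.split("=", 1) for pair in pairs)
    return rec


def finding(why, rec, what=None, when=None):
    """One finding, shaped around the journalists' five W's the article mentions."""
    return {
        "who": rec.get("user", "-"),
        "what": what or rec["event"],
        "when": when or rec["ts"].isoformat(),
        "where": f"{rec['host']} <- {rec.get('src', 'local')}",
        "why": why,
    }


def classify(log_text):
    """Return a finding for every event that matches one of the article's categories."""
    findings = []
    failures = defaultdict(list)   # (user, src, host) -> timestamps of auth_fail
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ev = rec["event"]
        if ev in ("account_create", "account_delete"):
            findings.append(finding("account change", rec))
        elif ev == "auth_fail":
            failures[(rec["user"], rec["src"], rec["host"])].append(rec["ts"])
        elif ev == "auth_ok":
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(finding("login at odd hours", rec))
            if rec["src"] not in KNOWN_SOURCES:
                findings.append(finding("login from unusual source", rec))
        elif ev == "file_denied":
            findings.append(finding("failed resource access", rec, what=f"denied {rec['path']}"))
        elif ev == "exec_denied":
            findings.append(finding("failed privileged execution", rec, what=f"denied {rec['cmd']}"))
        elif ev == "reboot" and rec.get("reason") == "unknown":
            findings.append(finding("unexplained reboot", rec))
    # Repeated failures are judged over the whole window, not per line.
    for (user, src, host), stamps in failures.items():
        if len(stamps) >= FAIL_THRESHOLD:
            stub = {"user": user, "src": src, "host": host, "event": "auth_fail"}
            findings.append(finding("repeated login failures", stub,
                                    what=f"{len(stamps)} failures",
                                    when=f"{stamps[0].isoformat()}..{stamps[-1].isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['when']:>40}  {f['who']:<12} {f['where']:<22} {f['what']:<22} [{f['why']}]")
```

On the constructed sample the rules surface the sequence the article’s clause (3) example describes: failures followed by a success at an odd hour from an unknown source, a new account, and that account’s denied attempts at a privileged command and a protected file. The point of keeping the five W’s on every finding is that the same record answers the questions an investigator, and later a court, will ask; the rules themselves are deliberately simple and would be tuned to each environment.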
/ ENTRY
At just after 7pm on 25th October 2009, Ashleigh Hall, a popular, vivacious teenager with a wide circle of friends, left her home in Durham for the last time. She was looking forward to meeting her date for the evening, ostensibly a teenager by the name of Peter Cartwright. They had met on the social networking site, Facebook. ‘Peter’ was presumably too young to drive and so could not meet her in person, but his father would be passing nearby on his way home from work, as ‘Peter’ explained in a text:

Me dad’s on his way babe he said excuse the state of him lol He’s been at work lol he doesn’t have to come in and meet your mum does he lol he’ll be a mess probably lol x

The bit about having to meet Ashleigh’s mum amused the young girl. She replied:

Okaii babe and no he doesnt lol and its okaii haha x x

A little later, sure enough Peter’s ‘dad’ texted as follows:

Hi hun its pete’s dad are you sure you dont mind me picking you up? Pete is really looking foreward to seeing you and yes its ok for you to stay

Ashleigh, excited by her forthcoming date, saw nothing wrong with this. She immediately replied:

No its fine i dnt mind i trust him so i trust u and thank u

At the same time she sent a text to ‘young’ Peter:

How long will it take him to get here babe x x

What Ashleigh did not know was that the dad and ‘Peter’ were one and the same individual. Hidden behind the mask of electronic anonymity was Peter Chapman, a 33-year old convicted rapist and multiple sex-offender who had escaped the clutches of Merseyside Police’s offender monitoring system and headed to the north east. Chapman, presumably as eager to meet Ashleigh as she was to meet his ‘son’, had almost sent her the following text:

You’ll be safe with me when would you like me to come for you?

However, this text remained in the ‘Unsent’ folder of his mobile phone. I will refer to this text again later in this article. Instead of the ‘you’ll be safe’ text, Chapman sent the following, in his role as the ‘young Peter’:

Oh should take him 20 mins or so with sat nav x

The elated Ashleigh replied:

Okaii babe x and haha mad u babe x x

While waiting, she also texted:

Cnt wait to meet u babe, lyk u loads babe x x x

Unaware that Ashleigh was actually waiting on the street, Chapman then texted:

He just rang to say He’s round the corner so go outside x

Quite why Peter ‘senior’ would phone Peter ‘junior’ so that he could text Ashleigh, rather than text her himself, is not known: impractical though it undoubtedly was, it probably inspired confidence in Ashleigh, who almost immediately replied:

Hes here babe x x

So convincing was Chapman’s ruse that Ashleigh had now totally fallen for the story that she was dealing with two people, and that it was the ‘father’ whose car she was going to get into.
yeah is his preferred form of affirmation, but in this text he uses yes in its conventional form. In my view, this text is intended to convey a conservative use of language, such as one might associate with an older male. On the other hand when the allegedly ‘younger’ Peter is communicating with Ashleigh, abbreviations are used, e.g. wanna, yeah, bout, comin.

One of the texts in Mr Chapman’s phone addressed to Ashleigh was the ‘unsent’ text I referred to earlier. This text reads:

You’ll be safe with me when would you like me to come for you?

It can be noted that this text is entirely conventional in style. For example, both ‘come’ and ‘when’ are written in full. As seen from Mr Chapman’s other texts he habitually writes ‘wen’ rather than ‘when’. In my view, this is clearly a text designed to convey to the reader that the sender is a conservative user of language, something that is often associated with an older texter. I suggest that using conventional language may have some of the effect that a ‘posh’ or ‘educated’ accent used to. The receiver of such a text – just as the person listening to the ‘educated’ accent – is intended to feel that the speaker, or in this case texter, is a safe, establishment‑like figure.

Equally significant is the fact that this text was not sent. I believe this shows a highly linguistically aware individual in the sense of someone who is able to assess the potential impact of what they write, on a particular recipient. In the context of a strange man, purportedly the father of a young boy about to date a girl for the first time, the word ‘safe’ could have been misconstrued by the recipient. It is clearly an inappropriate word to use in the context, since it could have motivated the recipient, in this case a young female, to wonder why the issue of safety was a concern when, as is evident from her own texts, she had no such concerns. Her previous text, in fact, had read:

No its fine i dnt mind i trust him so i trust u and thank u

Hence, it is clear that Chapman is a sophisticated user of the texting medium: he modifies his style depending on his recipient and the message, and is able – apparently very rapidly – to determine that a particular text might be construed to his disadvantage. It is also apparent that he can imitate both older and younger text users. His age at the time was only 32.

But Chapman was more than a successful disguise artist. After all, almost anybody can wear a disguise, but can they wear a disguise that would convince those who know the person whose identity is being assumed? This applies as much to language as to a physical disguise: to assume a disguised ‘voice’ and to be able to maintain it is not something most of us can do. It actually requires acute observation of language, and an understanding of how linguistics works.

Chapman was able to pick up many of Ashleigh’s features in his short period of contact with his victim –

• The use of haha: Haha….haha – He always uses ‘hehe’
• The abbreviation of that: thts that – He never abbreviates ‘that’
• The abbreviation of your, you’re: ur – He always uses ‘your’
• The two x’s spaced apart, x x: haha: p x x – He uses one ‘x’
• The lack of apostrophe: thts – He sometimes uses apostrophes

The above illustrates Chapman’s outstanding powers of linguistic observation. How long did he have to observe these features? Probably less than 10 minutes. It would probably take most linguists that amount of time to note down the
COMING SOON…
Some of the great content coming up in Issue 4, out 1st August 2010

We are already busy planning and acquiring articles for future issues of Digital Forensics Magazine and here is just a taster of what is in store in Issue 4:

/ Psychosocial Forensics
Dr Barry Hood takes a look at Operational Forensics rather than just Computer or Digital Forensics. Whereas the latter is concerned with the gathering of evidence for prosecution or disciplinary action, the former is more concerned with gathering evidence for the purpose of correction and improvement.

/ “Netflow” Forensics
Another in-depth piece by George Bailey, this time on the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided in order to increase the value of using netflow data as a source of supporting evidence in digital forensic investigations.

Note: DFMag may change the planned content of future issues without notice.
/ ENTRY
The fundamental mission of a digital forensics laboratory – the legally defensible collection, preservation, and analysis of evidence – may be the same, but budget, staffing and governance drive how different labs accomplish this task.

A digital forensics laboratory might handle one or more of the following functions:
• Computer Forensics
• Video Forensics
• Forensic Audio
• Image Analysis
• Mobile Device Forensics
• Incident Response
• e-Discovery/Litigation Support
• Data Recovery
/ Space Considerations:
settingupaforensicsunit.pdf
COMPETITION
/ 3 SYNGRESS BOOKS to Win with Digital Forensics Magazine Issue 3

Virtualized environments can make forensics investigation more difficult. Technological advances in virtualization tools essentially make removable media a PC that can be carried around in a pocket or around a neck. Running operating systems and applications this way leaves very little trace on the host system. Virtualization and Forensics explores all the newest methods for virtualized environments and the implications they have on the world of forensics. The book begins by explaining the different types of virtualization, then how virtualization affects the basic forensic process. It describes common methods to find virtualization artifacts on dead drives, live analysis and identify virtual activities that affect the examination process of virtualized environments. Finally, it will address virtualization issues such as security, data retention policies, and where the world of virtualization is headed.

Digital Triage Forensics (DTF) is a procedural model for the investigation of Digital Crime Scenes including both Traditional Crime Scenes and the more complex Battlefield Crime Scenes. The United States Army and other traditional Police agencies use this model for current Digital Forensic Applications. The tool, training, and techniques from this practice are being brought to the public in this book for the first time. Now Corporations, Law Enforcement, and Consultants can benefit from the unique perspectives of the experts who coined “Digital Triage Forensics”.

The field of digital and computer forensics has revolved around the information stored in volatile and non-volatile memory. Traditional forensics focused on imaging the hard drive and using special tools to analyze the image from a forensics perspective. That works great if you know where the evidence is, or you have a limited scope of systems to analyze. With the push towards cloud computing, applications and data are now stored in data centers located throughout the world. In addition, with the popularity of wireless hotspots, evidence is now a moving target and in some cases the forensic analysis needs to be conducted directly on the network. With technology moving to the “cloud” there needs to be an innovative new way to identify and analyze network traffic. This book focuses on this transition between systems through the “cloud” and to the user’s hard drive.
LEGAL EDITORIAL
Welcome again to DFM’s legal section
by Moira Carroll-Mayer

Hello to old friends and newcomers alike from the Legal section of Digital Forensics Magazine. In this, the 3rd issue, we present a timely article on cyber searches and forensics by Mark D. Rasch. Rasch tackles the thorny issue of cyber forensic procedures and the construction of search warrants for the benefit of the state or its agents in light of the Fourth Amendment rights granted by the US Constitution. Rasch’s searing commentary uncovers blatant overriding of probable cause and precise specification requirements for warrants so that general searches and warrants become the unconstitutional norm in cyber forensics. His observations are all the more pertinent in the encroaching cloud environment, where according to many commentators, citizens’ rights to the protection of duly obtained warrants and the right to challenge enabled through due notice are hazarded to an extent never before possible. In tandem however, with their loss, the possibility of challenge to the widespread overriding of citizens’ rights by cyber investigators is being opened up as an increasingly informed and consequently less inhibited judiciary finds its voice. State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009) exemplifies this movement, where it was held that a search occurs when the government invades a protected privacy or possessory interest of the defendant such as might exist in the cloud. More broadly Rasch’s discussion is contemporaneous with related arguments on the effectiveness of the Electronic Communications Privacy Act and proposals for a new Cloud Computing Advancement Act. The gloves are clearly coming off and digital investigators had better be prepared for a fight, better still to avoid one, with the knowledge to navigate the state’s, the citizens’ and their own rights in cyberspatial search and seizure.

Also presented in Issue 3 is the second of a highly informative four part serial by Scott Zimmerman, which considers the practicalities of computer forensic investigations. The second instalment looks in detail at the components of the chief US and UK legislation, respectively the Computer Fraud & Abuse Act and the Computer Misuse Act 1990, prescribing the characteristics of actions and levels of intent that should be identifiable before investigation and prosecution are embarked upon. The article is indispensable to anyone seeking a pocket guide to the actions and intent to look out for when considering investigation and prosecution within the jurisdiction of the UK or US.

Not least are this issue’s News Alerts; undesignedly complementing the lead article by Rasch, from the Netherlands we report startling changes to the conduct of digital search and seizure by government agencies; similarly from the US we draw attention to Re Rothstein Rosenfeldt Adler, which promises to extend and refine Bellar, while from India we have news, among other things, of a novel Tribunal for appealing actions during digital search and seizure as well as the consequences for suspects. That immutable and ubiquitous phenomenon, e-disclosure/e-discovery, finds us in Singapore, which country investigators will be delighted to hear has brought its framework more or less into line with that of the US and UK. Finally, to put minds at rest, rumours of a split between US Circuit Courts on e-discovery are put to rest in coverage of the latest and greatest case on the subject, Rimkus v Cammarata, 2010 WL 645253 (S.D. Tex. Feb. 19, 2010). /

/ AUTHOR BIO
Moira Carroll-Mayer, Digital Forensics Magazine’s Legal Editor, is a lecturer in Procedural and Substantive Law of Forensic Computing with published articles on Communication Ethics, Identity Management & the Implications for Criminal Justice, the Ethical Implications of Nanotechnology, and Digital Crime & Forensic Science in Cyberspace. Moira is currently conducting research into the ethical and legal implications of advanced autonomous weapons systems.
THE FOURTH
AMENDMENT
CYBERSEARCHES, PARTICULARITY AND COMPUTER FORENSICS
The right of persons to be secure in their persons, places, houses and effects against unreasonable searches and seizures is protected from governmental intrusion under the Fourth Amendment to the United States Constitution; however, neither Fourth Amendment jurisprudence nor computer forensics has kept pace with technological developments
by Mark D. Rasch
/ INTERMEDIATE
Before the government may search for or seize any
items to which a reasonable expectation of privacy
attaches, the government must obtain a warrant from
a neutral and detached magistrate, “particularly describing
the place to be searched, and the persons or things to be
seized.” U.S. Const., Amend. IV. This paper will discuss
how one can craft both a warrant and a forensic procedure
that will meet the Constitutional requirements that law
enforcement agents seize only that which is expressly
covered by the warrant, and for which probable cause has
been established specifying that the precise items seized are
more likely than not, evidence of a crime.
Modern malware is more sophisticated than it used to be and can easily mislead the investigator
by Ian Kennedy
/ EXPERT
Mention the word ‘malware’ in a word association game
and few people would think to respond with ‘weapon’.
Malware is nearly always a means to an end in a
much bigger picture. This could be the sale of information
obtained, access to the compromised system or even the
denial of access for the right price. Visualising the computer
as the battlefield1 and a network or computer system as a
region or country then a malware attack becomes an offensive
campaign against targeted systems. Continuing with this
analogy, strategic decisions relating to how the campaign is
fought become the overall design and execution of a malware
attack. Decisions about how individual battles are fought are
tactical in nature and equate to the techniques used in the
construction and execution of malware tasks. In the midst of
this are the forensic practitioners and security researchers.
Their job is to be the weapons analysts and to reverse
engineer these virulent and at times quasi-conscious weapons
to understand their capabilities and behaviour.
It is difficult to imagine undertaking any offensive campaign
without a range of tactical weapons, each suited to different
tasks. The attacker can use a full selection of arsenal including
/ DESCENDING UNDERGROUND
Buying weapons on the Black Market is not new. They are there
to serve your every need, for a price. Recently appearing in the
news2, Zeus is an example of a DIY kit for building your own
customised malware. With your freshly built malware it’s not
enough to simply locate it on a couple of websites and hope for
passing surfers to get infected. You need to get it distributed to
machines with identified vulnerabilities that can begin making
you money quickly. That’s where an Exploitation Pack comes in.
You can expect to pay around $100-250 to get your customised
malware installed onto around 1,000 machines in the UK. Three
widely used systems are Fiesta, Firepack and Sploit3. Now you
need somewhere to store all your harvested data and manage
your malware distribution. Anonymous ‘bulletproof’ servers offer
a variety of packages and typically cost around $150 per month
for hosting, with discounts for larger quantities.
/ STEALTHY MALWARE
Malware writers are crafty. Like any military organisation,
secrecy is key to protecting your assets. To this end, a variety
of obfuscation techniques are used to try and prevent prying
eyes from seeing what’s happening under the hood. The first
of these are packers.
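A packer hides exactly the evidence a string search looks for, which is why the article later has to unpack the sample before BinText shows anything useful. The following Python is an added example, not code from the article or from any tool it cites: it builds a constructed stand-in for the Portuguese banking trojan (the byte layout, the .invalid URL and the toy_pack/toy_unpack helpers are this example’s own assumptions, not ASPack), then runs the two static checks a practitioner does before trusting a string listing, Shannon entropy and a Strings/BinText-style extraction, on the packed and the unpacked bytes.

```python
"""Added example, not code from the article: why a packed sample defeats a
string search and how entropy flags it before unpacking.

A packer compresses or encrypts the original executable and wraps it in a stub
that restores it in memory at run time, so a static string search over the
file on disk finds little of use.  Two cheap static indicators are shown here:
Shannon entropy of the bytes (compressed or encrypted data sits near 8 bits per
byte, plain code and text well below) and the printable strings a tool such as
Strings or BinText would list.  The sample is constructed inline: a stand-in
for the Portuguese banking trojan the article describes, and a 'packed' form
made with zlib plus a single-byte XOR (the toy_* helpers are this example's
own, not ASPack).  No real malware is involved.
"""
import math
import re
import zlib


def _fake_code(n: int) -> bytes:
    """Pseudo-random filler over a 16-byte alphabet of x86-looking opcode bytes
    (none printable, none zero), so the 'unpacked' body has ~4 bits/byte."""
    alphabet = bytes([0x8b, 0xec, 0x83, 0xc4, 0xc3, 0xe8, 0xff, 0x15,
                      0x89, 0xf8, 0x8d, 0xfc, 0x0f, 0x84, 0xe9, 0x90])
    x, out = 0x12345678, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF      # LCG, deterministic
        out.append(alphabet[(x >> 16) & 0xF])
    return bytes(out)


# Constructed stand-in for the unpacked banker.  The accented Portuguese string
# is ANSI (latin-1) encoded on purpose: the bytes for 'í' and 'ã' fall outside
# the printable ASCII range, which is why a string tool reports 'gitos do cart'.
UNPACKED = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00\x4c\x01"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"https://www.bank-example.invalid/login\x00"           # assumed URL
    + b"conta\x00senha\x00" + "dígitos do cartão".encode("latin-1") + b"\x00\x00"
    + "C:\\Windows\\System32\\drivers\\etc\\hosts".encode("utf-16le") + b"\x00\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00"
    + _fake_code(3000)
)

XOR_KEY = 0x5A   # key of the toy packer; arbitrary


def toy_pack(data: bytes) -> bytes:
    """Toy packer: deflate, then XOR every byte.  Real packers add a decompression
    stub and rebuild imports, but the effect on entropy and strings is the same."""
    return bytes(b ^ XOR_KEY for b in zlib.compress(data, 9))


def toy_unpack(data: bytes) -> bytes:
    """Reverse of toy_pack: the job AspackDie does for ASPack-ed files."""
    return zlib.decompress(bytes(b ^ XOR_KEY for b in data))


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs of four or more characters, in the
    spirit of Sysinternals Strings / Foundstone BinText."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16le") for m in _UTF16.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Static triage verdict.  'packed' is a heuristic (entropy above 7 bits per
    byte); confirm with a packer identifier such as PEiD before relying on it,
    and remember that strings from a packed file are strings of the stub."""
    strings = extract_strings(data)
    ent = shannon_entropy(data)
    return {"entropy": round(ent, 2), "strings": strings, "packed": ent > 7.0}


if __name__ == "__main__":
    packed = toy_pack(UNPACKED)
    for label, blob in (("packed", packed), ("unpacked", toy_unpack(packed))):
        v = triage(blob)
        print(f"{label:8s} entropy={v['entropy']} packed={v['packed']} "
              f"strings={[s for s in v['strings'] if len(s) >= 5][:6]}")
```

Run it and the packed form reports entropy close to 8 bits per byte and no meaningful strings, while the unpacked form lists the banking URL, ‘conta’, ‘senha’, ‘gitos do cart’ and the wide-character path. The truncated ‘gitos do cart’ is worth noting: the accented characters of ‘dígitos do cartão’ break the printable run, so a clipped hit like that in a real listing is a cue to re-read the bytes in another encoding rather than a sign of a corrupt string. On a real PE, compute the entropy per section rather than over the whole file, because the unpacking stub itself is plain code and will drag the file-wide figure down.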
Figure 5

allow us to unpack (in some cases) and examine how the code would execute at the OpCode level, but require time and skill to use. Fortunately, there are tools available to unpack the packed code for us, enabling us to re-examine the strings and other resources used by the code. Using ‘AspackDie’18 we can unpack the malware from its armour to a regular executable file. Loading this back into BinText we find references to online banking sites and the words ‘conta’, ‘senha’, ‘gitos do cart’ which (with the help of Google) in Portuguese mean ‘account’, ‘password’ and ‘card digits’, see Fig 5.

/ Weapons catalogue
Malware classification used to be simple. These days much of what is in the wild is a Darwinian blend of threats covering multiple attack vectors. Again returning to our military analogy, this is akin to a flanking offensive tactic. A blended threat might, for example, launch a Denial of Service (DoS), install a backdoor and overwrite local system files in one attack. Multiple delivery mechanisms could be used too, to increase the success of gaining access. So a worm may arrive by both email and a file sharing mechanism. The following list, based upon definitions provided by VirusList52, identifies the elements of these blended threats:

Worms
Typically do not require human interaction to operate and are classified by the propagation and/or installation method employed. Examples of these include email, Instant Messaging, IRC and peer-to-peer file sharing mechanisms.

Viruses
Generally require human interaction to be initiated and are classified according to their area of operation. This can be either the file system, boot sector, macro or scripting areas.

Trojans
Classified by their action, this group of malware will typically act as the mechanism for delivery of some other item such as Backdoors, Droppers (unpacking its payload), Downloaders (sourcing its payload from online), Proxies (using a victim to hide Internet activity) and Spies (to monitor keystrokes and screen activity).
A common side effect of using an emulator is that certain CPU operations are not fully supported in the emulated environment39 40. It is of little surprise then that malware authors use this to their advantage as an indicator of an emulated system. Some malware will even measure the speed of execution of certain instructions to check for emulators and debuggers39.

To tackle this problem, analysis systems built on hardware virtualisation rather than emulation, such as JoeBox41 and Ether42 (both based upon Intel VT), have been developed. Tools based upon Ether have outperformed the unpacking tools Renovo and PolyUnpack as well as the sandbox tools Anubis and Norman.

/ MULTIPLE PATH ANALYSIS
Executing a malware binary to perform dynamic analysis, be it on an emulated or native machine, presents the practitioner and security researcher with another problem: how do we know we have seen the entire capabilities of the binary? Almost all executable code will make decisions directing program flow down one branch or another. Executing a temporal virus such as Conficker.B will behave differently both before and after a given date.

To address this, approaches have been developed25 43 that allow a malware sample to be executed and halted when a decision instruction is encountered. A snapshot is then taken of the system and the process is allowed to continue. When the branch is exhausted (or after a sufficient time has passed), the system is rolled back to the snapshot and the data manipulated so that another branch is explored.

/ ONLINE ANALYSIS
Some research projects have developed into online analysis tools available for use by practitioners and researchers alike. Going beyond a simple virus scan of a submitted sample, these tools virtualize a given sample and monitor its behaviour. Anubis44 (developed from TTAnalyze45) and CWSandbox are well-established projects. Commercial solutions include ThreatExpert46 (a tool maintained by PC Tools) and Norman Sandbox35.

/ CONCLUSION
As we emerge from this dark underworld, we must reflect on the impact of our findings. There is much information that can be gleaned from the tools at our disposal. However, for the forensic practitioner there is, on balance, more we do not know about a given sample of malware than what we do know. It is simply not enough to change a few conditions and run the malware, as this typically will not induce the malware to perform to its full capability. Even for the security researcher, equipped with the skills and time to reverse engineer code, it is a huge challenge to achieve a full understanding of a malware binary employing new obfuscation techniques, in the short time frame between arrest and charge of a suspect in a criminal investigation. It seems that modern malware not only comes in sophisticated armoured tanks these days, but even checks nobody’s watching before firing. /

REFERENCES
1. Fernandez J. M., Bureau P. Optimising malware. Conference Proceedings of the IEEE International Performance, Computing, and Communications Conference 2006:577-86.
2. BBC News: Two held in global PC fraud probe [Internet] [cited 21 Nov 2009]. Available from: http://news.bbc.co.uk/1/hi/england/manchester/8366504.stm.
3. Erasmus J. Anatomy of a malware attack. Network Security 2009
5. Jotti’s malware scan [Internet] [cited 17 Nov 2009]. Available from: http://virusscan.jotti.org/en.
6. Sysinternals utility – Strings [Internet] [cited 22 Nov 2009]. Available from: http://technet.microsoft.com/en-gb/sysinternals/bb897439.aspx.
7. Foundstone Free Tools [Internet] [cited 28 Nov 2009]. Available from: http://www.foundstone.com/us/resources/proddesc/bintext.htm.
8. ASPACK SOFTWARE – Best Choice Compression and Protection Tools for Software Developers [Internet] [cited 28 Nov 2009]. Available from: http://www.aspack.com/.
9. Dependency Walker (depends.exe) Home Page [Internet] [cited 28 Nov 2009]. Available from: http://www.dependencywalker.com/.
10. Yoda’s Crypter [Internet] [cited 17 Nov 2009]. Available from: http://yodap.sourceforge.net/.
11. PolyCrypt PE [Internet] [cited 17 Nov 2009]. Available from: http://www.jlabsoftware.com/.
12. Yan W, Zhang Z, Ansari N. Revealing packed malware. IEEE Security & Privacy 2008;6(5):65-9.
13. PECompact Executable Compressor [Internet] [cited 17 Nov 2009]. Available from: http://www.bitsum.com/pecompact.php.
14. Silicon Realms / SoftwarePassport / Armadillo – The Home of SoftwarePassport [Internet] [cited 17 Nov 2009]. Available from: http://www.siliconrealms.com/index.html.
15. Oreans Technology: Software Security Defined. [Internet] [cited 17 Nov 2009]. Available from: http://www.oreans.com/.
16. PEiD – Packer, Crypter and Compiler detection [Internet]. Available from: http://www.peid.info/.
17. IDA Pro Disassembler – multi-processor, windows hosted disassembler and debugger [Internet] [cited 22 Nov 2009]. Available from: http://www.hex-rays.com/idapro/.
18. Aaron’s Homepage – includes AspackDie [Internet] [cited 28 Nov 2009]. Available from: http://209.85.229.132/search?q=cache:zOGmZUZCz2wJ:www.exetools.com/unpackers.htm+aspackdie&cd=2&hl=en&ct=clnk&gl=uk.
19. Sharif M, Lanzi A, Giffin J, Lee W. Automatic reverse engineering of malware emulators. Security and Privacy, 2009 30th IEEE Symposium on 2009:94-109.
20. Process Monitor [Internet] [cited 28 Nov 2009]. Available from: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
21. Wireshark · Go deep. [Internet] [cited 28 Nov 2009]. Available from: http://www.wireshark.org/.
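The snapshot-and-rollback exploration described under Multiple Path Analysis above, as an added example that is not code from the article or from the research systems it cites. A toy instruction set stands in for the CPU and a dict for the system; the SAMPLE program, with its date trigger and sandbox check, is this example’s own construction and not Conficker.B. Forcing a branch here means restoring the snapshot and overriding the outcome of the compare; the paths that come out are a superset of what the real binary can reach and still need an analyst’s review.

```python
"""Added example, not code from the article or the systems it cites: multiple
path analysis by snapshot and rollback, on a toy instruction set rather than a
real CPU.  The 'system' is a dict, the 'sample' a constructed program with a
date trigger and a sandbox check (this example's own, not Conficker.B), and
forcing a branch means overriding the outcome of the compare after the
snapshot is restored.  Forced paths may be infeasible in the real binary, so
the result is a superset of reachable behaviour that still needs review."""
import copy
import operator
from dataclasses import dataclass
from datetime import date

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">=": operator.ge}


@dataclass(frozen=True)
class Decision:
    pc: int          # address of the branch instruction
    taken: bool      # whether the jump was taken on this path
    forced: bool     # True if the explorer overrode the natural outcome


@dataclass(frozen=True)
class Path:
    decisions: tuple  # Decision objects in execution order
    actions: tuple    # observable actions recorded along the path


# Toy instruction set: ("act", name) records an observable action;
# ("br", var, op, value, target) jumps to target if state[var] op value;
# ("jmp", target); ("halt",).  Addresses are list indices.
SAMPLE = [
    ("br", "date", ">=", date(2009, 4, 1), 3),  # 0: dormant before the trigger date
    ("act", "sleep"),                           # 1
    ("halt",),                                  # 2
    ("br", "sandbox", "==", True, 7),           # 3: am I being watched?
    ("act", "connect_c2"),                      # 4
    ("act", "drop_payload"),                    # 5
    ("halt",),                                  # 6
    ("act", "exit_quietly"),                    # 7: behave innocently when watched
    ("halt",),                                  # 8
]


def initial_state(year: int, month: int, day: int, sandbox: bool) -> dict:
    """Constructed system state as the sample sees it: clock and sandbox flag."""
    return {"date": date(year, month, day), "sandbox": sandbox}


def explore(program, state, pc=0, max_steps=200, _actions=(), _trail=(), _paths=None):
    """Run program from pc.  At each branch: snapshot the state, follow the
    natural outcome to a halt, then restore the snapshot and force the other
    outcome.  Every completed path is collected in the returned list.  A loop
    containing a branch makes the path count grow exponentially; max_steps
    bounds each path, nothing here bounds their number."""
    paths = [] if _paths is None else _paths
    actions, trail = list(_actions), list(_trail)
    for _ in range(max_steps):
        ins = program[pc]
        if ins[0] == "act":
            actions.append(ins[1])
            pc += 1
        elif ins[0] == "jmp":
            pc = ins[1]
        elif ins[0] == "halt":
            paths.append(Path(tuple(trail), tuple(actions)))
            return paths
        elif ins[0] == "br":
            _, var, op, value, target = ins
            natural = OPS[op](state[var], value)
            snapshot = copy.deepcopy(state)                  # the system snapshot
            for taken, forced in ((natural, False), (not natural, True)):
                restored = copy.deepcopy(snapshot)           # roll back, then go again
                explore(program, restored, target if taken else pc + 1, max_steps,
                        actions, trail + [Decision(pc, taken, forced)], paths)
            return paths
        else:
            raise ValueError(f"unknown instruction {ins!r}")
    paths.append(Path(tuple(trail), tuple(actions) + ("<step limit>",)))
    return paths


def single_run_actions(program, state) -> tuple:
    """What one ordinary dynamic run observes: the path with no forced decisions."""
    natural = [p for p in explore(program, copy.deepcopy(state))
               if not any(d.forced for d in p.decisions)]
    return natural[0].actions


def capabilities(paths) -> set:
    """Union of actions over all explored paths."""
    return {a for p in paths for a in p.actions}


if __name__ == "__main__":
    state = initial_state(2009, 3, 15, sandbox=True)   # before trigger, inside a sandbox
    print("single run saw:", single_run_actions(SAMPLE, state))
    found = explore(SAMPLE, state)
    for p in found:
        print([(d.pc, d.taken, "forced" if d.forced else "natural") for d in p.decisions], p.actions)
    print("capabilities:", sorted(capabilities(found)))
```

Run before the trigger date inside a sandbox, a single run sees only ‘sleep’, which is the point the conclusion makes about changing a few conditions and re-running. The explorer reports three paths and the full capability set, two of the paths reached only by forcing. In a real implementation the snapshot is of the whole virtual machine and the forcing is done by editing the flags register or the compared memory at the halted instruction, which is also where infeasible paths creep in.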
MODELLING FOR
OPERATIONAL FORENSICS
PART 2: ILLUSTRATIVE USE OF MODELLING PARADIGMS
In part 1 of this article (DFM Issue 2) we looked at a number of modelling paradigms. In part 2
we will use a sample analysis to illustrate how these techniques can be used to guide a simple
psychosocial forensic analysis
by Dr Barry Hood
/ INTERMEDIATE
We will illustrate the process of modelling to investigate and analyse a generic incident rather than a specific one. We will take the situation of having an undesirable condition identified and then attempting to uncover a root cause of that condition with the emphasis on identifying psychosocial conditions rather than digital. The approach can apply to the latter as well as the former as it is a domain independent approach.

We start in Figure 1 with a single Petri Net place node representing the undesirable condition (a round node) i.e. a security breach or compromise. Then as any condition either is an assumption or arises as a result of an action, we naturally ask the question – how does this condition arise? It arises as a result of some action A performed by some agent X (a box node), with an arrow connecting the two, to indicate that the condition can arise as a result of the action. This situation is thus represented in Figure 2. We can now ask why this action took place, looking for a condition that would enable the action to take place.

Figure 1. Undesirable Condition
Figure 2. How replaced by Action A by Agent X

As we want to look at the psychosocial aspects of forensic analysis rather than the digital aspects, a possible answer to this question is that agent X was trusted and thus able to carry out action A without hindrance. Figure 3 represents this new situation.

In order to take the analysis further we need a model of organisational trust. Figure 4 shows such a trust model from Figure 4 of the MERIT work on insider threats, see [MERIT08]. Now produce a translation of that model into our Petri Nets model. As a final act add the relevant security zones to the model representing the involved agencies – the Insider and the Organisation – to give Figure 5.

Trust, represented by the ‘Trusted’ node in Figure 5, inhibits monitoring activities, as represented by the arrows with the unorthodox heads. This in turn means that no behavioural precursors are discovered, even when they are generated by the insider’s general actions prior to the compromise action A. This enables the perception of low risk to become true through the passage of time, so enabling the insider to be even more trusted, which only serves to increase the level to which they are ‘trusted’. And so on round the loop. The behavioural precursors would be revealed by psychosocial forensics and the technical precursors by digital forensics after the fact, and by behavioural monitoring and technical monitoring respectively, before the fact. The former could be done by staff awareness and reporting programmes. The latter could be achieved through intrusion detection and auditing.
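The loop just described, animated with a minimal Petri net engine. This is an added example, not the article’s model or its figures: the net it builds is this example’s own simplification of Figure 5 (the places, transitions and the inhibitor arc from ‘Trusted’ to ‘monitor’ are assumptions made here), and the countermeasure is modelled simply as monitoring that trust no longer inhibits, standing in for the targeted-monitoring net of [MERIT08] rather than reproducing it.

```python
"""Added example, not the article's model: a minimal Petri net engine with
inhibitor arcs, used to animate the trust loop described above.  Places are
the round nodes (conditions, holding tokens), transitions the box nodes
(actions), and an inhibitor arc, the arrow with the unorthodox head, lets a
transition fire only while its source place is empty.  The net built here is
this example's simplification of Figure 5, not a copy of it; the countermeasure
is modelled as monitoring that trust no longer inhibits, an assumption standing
in for the targeted-monitoring net of [MERIT08]."""
from dataclasses import dataclass


@dataclass
class Transition:
    name: str
    inputs: dict            # place -> tokens consumed when the transition fires
    outputs: dict           # place -> tokens produced
    inhibitors: tuple = ()  # places that must be empty for the transition to fire


class PetriNet:
    def __init__(self, marking: dict):
        self.marking = dict(marking)     # place -> token count
        self.transitions = []

    def add(self, t: Transition) -> None:
        self.transitions.append(t)

    def enabled(self, t: Transition) -> bool:
        has_inputs = all(self.marking.get(p, 0) >= w for p, w in t.inputs.items())
        not_inhibited = all(self.marking.get(p, 0) == 0 for p in t.inhibitors)
        return has_inputs and not_inhibited

    def fire(self, t: Transition) -> None:
        assert self.enabled(t), t.name
        for p, w in t.inputs.items():
            self.marking[p] -= w
        for p, w in t.outputs.items():
            self.marking[p] = self.marking.get(p, 0) + w

    def run(self, max_steps: int = 100) -> list:
        """Fire the first enabled transition in declaration order until the net
        is dead or the budget is spent; returns the firing sequence.  Declaration
        order is the conflict-resolution rule: monitoring, where enabled, wins
        over overlooking the same precursor."""
        fired = []
        for _ in range(max_steps):
            t = next((x for x in self.transitions if self.enabled(x)), None)
            if t is None:
                break
            self.fire(t)
            fired.append(t.name)
        return fired


def trust_loop(targeted_monitoring: bool, precursors: int = 3) -> PetriNet:
    """Assumed net.  Clock tokens bound how many precursor-generating actions the
    insider takes; Trusted starts with one token, i.e. the insider is trusted."""
    net = PetriNet({"Clock": precursors, "Trusted": 1, "Precursor": 0,
                    "Discovered": 0, "LowRisk": 0})
    net.add(Transition("insider_acts", {"Clock": 1}, {"Precursor": 1}))
    # The inhibitor arc from Trusted is the loop's engine; targeted monitoring removes it.
    net.add(Transition("monitor", {"Precursor": 1}, {"Discovered": 1},
                       inhibitors=() if targeted_monitoring else ("Trusted",)))
    # An undiscovered precursor, with time, feeds the perception of low risk...
    net.add(Transition("overlook", {"Precursor": 1}, {"LowRisk": 1},
                       inhibitors=("Discovered",)))
    # ...which extends trust, closing the loop.
    net.add(Transition("extend_trust", {"LowRisk": 1}, {"Trusted": 1}))
    return net


def simulate(targeted_monitoring: bool) -> tuple:
    """Returns (firing sequence, final marking) for one run of the net."""
    net = trust_loop(targeted_monitoring)
    return net.run(), net.marking


if __name__ == "__main__":
    for flag in (False, True):
        fired, marking = simulate(flag)
        print("targeted monitoring:", flag)
        print("  fired:", " -> ".join(fired))
        print("  final:", marking)
```

Without the countermeasure the run never fires ‘monitor’: every precursor is overlooked, ‘LowRisk’ fills, and ‘Trusted’ ends with four tokens, which is the loop in the text. With the inhibitor arc removed every precursor is discovered and trust stays where it started. The token counts are only there to make the dynamics visible; what the model actually shows is that the inhibitor arc, not any particular weight, is the thing a countermeasure has to cut.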
Figure 3. Why replaced by Trust condition

Figure 6 shows the Petri net representation of the targeted monitoring solution in [MERIT08]. Here the trust in the insider
looking at [Stephenson04], however, the manner in which the Petri nets and the many extensions used are radically different. The use of Petri nets in digital forensics also aligns with the approach to investigation presented in [Carrier04].

This article has also illustrated how the system dynamics models of [MERIT08] can be modelled in a more intuitive action-condition model that gives a better handle on the countermeasures and how they fit with the original situation. The inherently aggregation-oriented basis of the system dynamics models is very good at the high levels but not so good in determining detailed countermeasures.

Security zones, although useful for policy development, seem less useful in forensic analysis (at least digital analysis) where the complexity may overwhelm the model. Having said that, the identification of a large attack surface through the identification of many entry and exit points is valuable for operational forensics when such a large attack surface is itself at the root of the incident.

The work in this article goes beyond just analysis and looks to the development of solutions as well. This ability to discover solutions is also part of operational forensics, as the final bullet point in the introduction states. The modelling approaches documented here have the potential for meeting this requirement. The ideal situation would be that the above or equivalent methods were used for requirements and design, giving forensic analysis ready-made models to work with, thus saving time and effort. This could be particularly important where the incident involved has large ramifications and speed or accuracy of analysis is of the essence. Such modelling approaches have been the author’s pursuit for the last few years in relation to wider security analysis.

We can see that the various paradigms guide both the reasoning process and embed the results of analysis for further use. The models represent a logical context in which the forensic work can be placed. Because psychosocial forensics would not produce data that is relevant to a prosecution, its direct usefulness is restricted to the operational context, in which improving the system is the motive. We believe, in fact, that Petri net models enable the requirements for effectiveness and efficacy to be met in a way that other approaches do not.

Figure 8(a) shows the integration of Conceptual models (ORM) with Petri Nets and System Dynamics as proposed in [Tulinayo09]. Figure 8(b) shows this extended to accommodate the security zones from this article. This two-part article has not looked at System Dynamics models, but these are used in [MERIT08] to derive quantitative models for the insider threats, so are already known to fit in.

The ability not only to move from context to context but from paradigm to paradigm, supported by models, is much more important for operational forensics than it is for digital forensics, which has a much more limited remit. [Tulinayo09] shows how some of the integration can be done and we have shown here how security zones occur naturally in the other models.

REFERENCES
Carrier04, Event-based Digital Forensic Investigation Framework, B.D. Carrier and E.H. Spafford, Purdue University, 2004
MERIT08, The “Big Picture” of Insider Sabotage Across U.S. Critical Infrastructures, Technical Report CMU/SEI-2008-TR-009, Andrew P. Moore, Dawn M. Cappelli, Randell F. Trzeciak, Software Engineering Institute, Carnegie Mellon, May 2008
Stephenson04, The Application of Formal Methods to Root Cause Analysis of Digital Incidents, Peter Stephenson, International Journal of Digital Evidence, Fall 2004, Volume 3, Issue 1
Tulinayo09, Integrating System Dynamics with Object-Role Modelling and Petri Nets, P. F. Tulinayo, S.J.B.A. Hoppenbrouwers, Patrick and H.A.E. Proper, Technical Paper, ICIS, Radboud University Nijmegen, 2009

/ Author Bio
Dr Barry M. Hood, a mathematician by training, has been in IT for more than 35 years covering all aspects of the software lifecycle, including extensive involvement with development methods. Security became his exclusive activity more than 15 years ago; some 10 years after his first involvement with the subject.
• More than 85 percent of respondents have either had a major network incident in the past 36 months or expect to have a major incident in the coming 36 months.
• Over 75 percent of the survey participants agreed that major security incidents would have or have had a significant impact on the company’s brand and reputation.
• Nearly half of the respondents say that when an attack occurs, it can take two to ten or more days to determine the full scope of the incident. These facts are telling and directly contradict the report from Input. Instead of focusing exclusively on building higher walls and better locks, our industry should take a page out of the real (physical) world and start to think differently about how we battle today’s most pressing national security threat.
• 92 percent of respondents believe that it is important to have network forensics capabilities that can capture and record all network traffic; yet only 28 percent were very familiar with network forensic solutions.
• While 76 percent feel they need to do more, and their organization would benefit from more incident response tools, about half of the respondents spend less than 25 percent of their overall security budget on incident response and a quarter do not have an effective incident response plan in place.

Figure 2. Survey respondents answer how long it takes to understand a security incident

Heartland, T-Mobile, Merrill Lynch and American Express are just a few companies that have been under attack and have experienced an impact to brand reputation and trust. This is more evidence that a breach is inevitable and can happen at organizations one would expect to maintain strong security practices.

While most organizations implement security strategies that target prevention of a cyber attack, those same organizations fail to understand the three pillars of an effective security strategy: prevention, detection and incident response.

Prevention. We know prevention is not a 100 percent guarantee. Recent security breaches at T-Mobile, Heartland Payment Systems, TJX Companies, Lexis Nexis, Twitter, Visa and MasterCard provide proof that prevention is not an absolute. We can also use common sense to reason that there are endless potential attack vectors within a network; and portraying ourselves as capable of anticipating all of these, with perfect accuracy, is to say that we can become omniscient in our deployments. Does anyone really believe this?

Most organizations implement many products and services to prevent a security incident. Network intrusion applications,
PRODUCT REVIEW

Product Purpose: A Macintosh based forensics tool designed to analyze iPhones
Product Name & Version Number: Lantern 1.0.4.0 – From Katana Forensics
Price: 295.66 Euro ($399 USD)

As of the end of 2009, the Apple iPhone had grown to almost 18% of the total smartphone market worldwide after only 2.5 years on the market. In the United States the market share for the iPhone is now over 30 percent, slightly behind Blackberry’s 42 percent. Regardless of the sector or geographic location, it is likely that every digital forensics firm has been asked to, and has likely struggled to, effectively analyze an iPhone from either a complexity or cost perspective.

There are currently various methods and software applications that have rushed to the market to address this need. Some methods require controversial modifications (“jailbreaking”) of the phone to extract the information to analyze, some products have added the iPhone to their supported phones, and others have been developed specifically for the iPhone.

Lantern by Katana Forensics was written specifically for OS X. This choice in application development architecture provides some implied advantages when analyzing iPhones. Some examples are using the same native applications such as Preview and QuickTime, which are used natively on the iPhone. Rather than developing from scratch or adding plugins to review information from the iPhone, Lantern simply leverages the native applications available in a very natural and seamless method. When using Lantern, it poses the same deceivingly simplistic characteristics as other OS X applications (See Figure 1).

A copy of the Lantern software is available from http://katanaforensics.com/katana-forensics-store/ and is a relatively small download. If you choose to “test drive” the software before purchasing, Lantern can be obtained as a free trial with limited capabilities. As with the majority of

/ EXIF DATA
iPhones provide potentially valuable EXIF data in the form of the latitude and longitude coordinates of the location the picture was taken. Suspect: “I was not at the victim’s house on the night the incident occurred.” Investigator: “Really? Here is a picture that you took of yourself and the other suspects performing keg stands that we discovered on your iPhone. The EXIF data from the pictures indicate that the pictures were taken between 22 and 45 minutes before the incident. In addition, latitude and longitude from the picture provide the coordinates for the victim’s home.”

Figure 1
Figure 2
/ OSX
In the past, the development of a forensics product specific to the OS X operating system may have hindered the sales of the product in the digital forensics marketplace. There are a couple of items that are changing the role of Apple computers in forensic labs. Since Apple moved to the Intel processor family, many forensics shops actually use Apple Macintosh hardware and run Windows natively with Apple’s Boot Camp, within a virtual machine, or both. In addition, with Apple’s market share now over 12%, forensics labs are routinely investigating OS X and often choose to do so with the Macintosh. With these aspects in play, most digital forensics shops have Apple as an investigative platform. With Lantern, many of us will now have a reason to use the OS X side of our Boot Camp partition more often.
Figure 3
Below is a brief summary of the features of Lantern:

• Call logs provide the standard incoming, outgoing, and call duration information. However, Lantern also provides potentially valuable information such as whether or not a voicemail was left and whether a call was cancelled or failed.
• The voicemail information includes the standard date, duration, sender, etc. Additional features of great value are denoting whether or not the voicemail has been heard, the date the voicemail was deleted, and the ability to listen to the voicemail from the application.
• The messages provide the expected information along with MMS support with a preview of the file.
• Notes with the expected creation and modification times.
• Calendar entries with the expected information.
• Internet information such as bookmarks and Internet histories with visit times and counts.
• The Media tab provides all available media files with the file location, all associated metadata, and the ability to launch the media file for review from within the application.
• The Photos tab is another very impressive method to view pictures (See Figure 2). The Lantern application logically structures all of the files in the left hand window with the option to preview the picture. On the right hand side of the screen you are provided with the wealth of EXIF data forensics investigators have discovered from pictures taken with iPhones. A great feature of Lantern is that all EXIF data from each picture is provided.
• The dictionary data provided by Lantern is another potential source of valuable information. Some compare the iPhone dictionary to a “keylogger” of some sorts as it maintains the words that are often typed on the iPhone.
• Map data with information bookmarked, queries, latitude, longitude, and even routes are provided.
• VoiceMemos are available with the ability to play them from the Lantern interface.
• On the “Info” screen of the Lantern application, there is an area labelled “Open Artifact Directories”. This feature has great potential depending on the applications installed on the iPhone. As “there is an app for that”, Lantern provides the ability to analyze the information from these third party apps. This area provides the acquired iPhone directory and file structure to facilitate deeper analysis of the third party apps. Application data, plists, SQLite databases, and other information created and used by the third party applications can be analyzed using this feature.

Once you have used Lantern to logically acquire the iPhone and have analyzed the data with the smooth interface, the reporting option facilitates the ability to produce the report in any format imaginable (word, xml, pdf, rtf, html, csv, etc.). The reporting option provides you with the category of information you would like to report on (see Figure 3). In our testing, Lantern does not provide the capability to bookmark information, therefore all information from the category chosen is exported and this might be a concern for some users.

The digital forensics field is one of complexities and we require many different applications to successfully complete our investigations. It is refreshing to encounter a niche application that can simplify our investigations. If you have had issues with iPhone investigations in the past, or are frustrated with the cost or complexity of other tools and methods, Lantern from Katana Forensics may be the forensics tool for you.

/ Post Review Note:
The following was posted by Katana Forensics on Forensic Focus: “Katana Forensics has announced that Lantern can support all generations of iPhones and the new iPad, to include iPhone OS 3.2. Lantern will also release a new version that will contain improved acquisitions, additional exporting features and hashing of all images. The future development roadmap will contain parsing of backup files from Mac and PC, and Bookmarking”.

/ Author Bio
Bill Dean is the Director of Computer Forensics for Sword & Shield Enterprise Security. He has more than 13 years of experience in the technical field, in roles such as programmer, systems support, enterprise systems design and engineering, virtualisation, digital forensics, and information security. Bill is a frequent speaker and published author on the topics of digital forensics and electronic discovery for numerous legal associations.
How did you get into the world of Digital Forensics?
It was in 2007 that I was reading an article on the subject of Mobile Phone Data Recovery and it struck me that mobile phones were the ‘future’. I could see computers literally evolving into mobile phones and the impact these mobile devices could have in someone’s life. I immediately sought training on the subject and travelled to Indiana where Mobile Forensics Expert, Professor Rick Mislan of Purdue University, taught me. After my first 5 minutes of training, I was hooked and sought to acquire as much information as I could on the subject and soon had many private investigation networks and associations inviting me to speak on this new and exciting technology and how it applied to their cases.

How did you go from the investigation of mobile phones to mobile spyware discovery?
In 2008, I began to receive numerous calls and emails inquiring if I knew how to determine if a cell phone was ‘bugged’. I searched all over the web and could not find one person who specialized in mobile spyware examinations. To make matters even harder, I could not find any company that was addressing this ever growing and pressing threat. So I started looking for the answers myself. Soon after, I was referred to a P.I. in Scotland by the name of Ian Sweeney, who was doing his own ‘spyware examinations’. Ian was very gracious and literally tutored me over the Internet in what to look for and what tests to perform on a phone. Then as time went by, I found a small company in the USA that was developing their own proprietary malware scanning software. With all the knowledge I had gained, I started offering mobile spyware examinations and became the first one in the USA to do so. Then, at the persistence of Rick Mislan, I became the first to train other investigators internationally on how to find mobile spyware in any of the over 3000 models of cell phones out there. I am proud to say that my class is not only the first of its kind, but also the very first to offer exclusive training manuals including a proprietary 72-page manual dealing exclusively with the iPhone and spyware.

How did the Specialist Network you established come about?
Earlier this year I identified a need for my graduates to be able to stay abreast of all the newest spyware and technology that threatened mobile security. It was from this need that I started the Mobile Security Specialists Network. Now, every graduate of my spyware class is added to this exclusive and private network made up of other graduates and my own special group of international spyware experts.

With the emergence of many tools to assist the investigator how do you validate their usefulness?
I can only speak in regards to the Mobile Forensics side of things; I let the manufacturers worry about their own validations. If little or no validation is available, that is what I will testify to on the stand.

How do you see Mobile Forensics evolving and integrating with related disciplines in Digital Forensics?
As long as there are ‘digital’ devices and criminals, there will always be the need for eDiscovery, malware analysis and other related fields. Let’s face it; at least 95% of all crimes committed have a cell phone involved in them in some form or another.

What do you think is the future for mobile phones and Digital Forensics?
With mobile phones slated to eventually take the computer’s place in many a person’s life, the threat of spyware will be ever present and ever increasing. To be able to find and/or prevent an attack will be very beneficial for those who have the knowledge, experience and ability to combat this onslaught. This is the future. As I tell my audiences, “your cell phone will be your laptop on your hip tomorrow”.

/ INTERVIEWEE Bio
Thomas J. Slovenski (Tom) graduated in 1986 from Bob Jones University (South Carolina) with a 4 year Bachelor of Arts Degree in ‘Bible’. After starting out being a minister he got hooked in policing and later into Digital Forensics. Whilst a Police Officer and Detective, Tom became a Senior Investigator of Internal Affairs for 5 law enforcement divisions in a large metropolitan county in South Carolina. In 2002, he started “Elite Investigations of South Carolina, LLC” and specialised in domestic investigations and hard to locate individuals. In 2007 Tom received training in mobile phone data recovery and coined the term: “Cellular Forensics”. Tom changed the name of his company in 2008 to “Cellular Forensics, LLC” and specialised entirely in mobile forensics and mobile spyware discovery. He now trains other professionals in mobile spyware discovery with students from all over North America and abroad. Tom started the “Mobile Security Specialists Network”, a group of international experts devoted to mobile spyware discovery and eradication with members residing in UK, Japan and the USA. Tom can be contacted at: tom@cellularforensics.com.
TIME FOR FORENSICS
THE IMPLICATIONS FOR FORENSICS OF TIME STAMPS
/ ENTRY

Whether it is the ability of trees to shed their leaves every autumn, the diurnal flowers that open for just an hour a day or the bat that navigates by measuring the time it takes an echo to reach its ear, it seems that there is something innately built in to the very essence of life on Earth that makes it able to measure the passage of time in some form or another. It comes as no surprise then, that mankind has sought to mark the passage of time in order to understand the world around him and to exploit the resources that nature offers.

/ MEASURING TIME
The progress of time is a constant that needs to be placed into discrete units in order to make sense of it. The passage of the sun through the sky marks a convenient 1 day period, for example, which can determine when to rise, find food and eventually go back to sleep. Our ancient ancestors would have had no need to define a second as accurately as 9,192,631,770 oscillations of an atom of Caesium, as we do. Today, the measurement of time falls into two broad categories, rotational time and atomic time. Rotational time
A time stamp recorded on digital media is like any other data and can be changed by mistake or by malicious intent. In Unix based systems the GNU tool touch will alter file times and in Windows timestomp.exe from the Metasploit project will do the same thing. Antivirus programs will regularly change accessed times for files. A good analyst will never take time stamps for granted and will seek to verify them whenever possible. For example, looking at the times embedded in a Word document will help to authenticate the file times.

/ TIME ZONES
If you and I stand East and West of each other then our perception of when the sun is directly overhead will differ as the Earth rotates. The difference in this perception of the midday point varies with the difference in distance; in fact, if at the equator we are about 1670 kilometres apart (15 degrees of longitude) then the difference will be 1 hour. This wasn’t a problem until the advent of the railways and the need to publish timetables. In the UK in 1840 ‘Railway Time’ standardised all the local times into a single time zone (which
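The verification the article recommends for Word documents, as an added example that is not the article's code: a .docx is a zip archive whose docProps/core.xml part carries the application's own created and modified stamps, which a filesystem-level change of the mtime (by mistake, by an antivirus scan, or by a tool such as touch) does not touch. The script constructs two sample documents in a temporary directory, sets one copy's filesystem mtime earlier than its internal modified stamp, and reports the inconsistency; the function names and the five-minute slack for clock skew are assumptions.

```python
"""Added example (not from the article): cross-check a .docx file's
filesystem modification time against the dates Word embeds inside it.
The sample documents are constructed here so the script runs offline."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

DCTERMS = "http://purl.org/dc/terms/"

# Constructed docProps/core.xml: the part of a .docx that carries the
# application-level created/modified stamps (W3CDTF, UTC).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>constructed sample</dc:creator>
 <dcterms:created xsi:type="dcterms:W3CDTF">2010-03-01T09:15:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2010-03-04T17:40:00Z</dcterms:modified>
</cp:coreProperties>
"""


def write_sample_docx(path: str, fs_mtime: datetime) -> None:
    """Write a minimal .docx containing CORE_XML, then set the filesystem
    mtime to fs_mtime (the stamp that touch or similar tools change)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
    ts = fs_mtime.timestamp()
    os.utime(path, (ts, ts))


def parse_w3cdtf(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' form used in core.xml."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def embedded_times(path: str) -> dict:
    """Return the created/modified stamps stored inside the document."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {tag: parse_w3cdtf(root.find(f"{{{DCTERMS}}}{tag}").text)
            for tag in ("created", "modified")}


def check_docx_times(path: str, slack: timedelta = timedelta(minutes=5)) -> dict:
    """Flag a file whose filesystem mtime is earlier than the modified stamp
    Word wrote inside it: a file cannot legitimately reach disk before the
    application last saved it.  A later mtime (e.g. after a copy) is normal."""
    fs_mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    inner = embedded_times(path)
    return {
        "fs_mtime": fs_mtime,
        "doc_created": inner["created"],
        "doc_modified": inner["modified"],
        "suspicious": fs_mtime + slack < inner["modified"],
    }


def demo() -> tuple:
    """Build one consistent and one backdated sample; return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        ok = os.path.join(d, "consistent.docx")
        bad = os.path.join(d, "backdated.docx")
        write_sample_docx(ok, datetime(2010, 3, 4, 17, 40, 30, tzinfo=timezone.utc))
        write_sample_docx(bad, datetime(2009, 1, 1, tzinfo=timezone.utc))
        return check_docx_times(ok)["suspicious"], check_docx_times(bad)["suspicious"]


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The check is deliberately one-directional: an mtime later than the embedded modified stamp is what a copy or a restore from backup produces, so only an mtime that predates the internal save time is reported, and the slack absorbs ordinary clock skew between the machine that saved the file and the one that stored it.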
/ More info
SANS Internet storm Centre
http://isc.sans.org/
A good source for a variety of statistics, for both current and
historical malware. You can even query the dataset.
ThreatExpert
http://threatexpert.com/
As well as the online analysis facility, you will find a threat
map that indicates the origins of current threats.
Figure 2. TimeLord
The combination of these factors determines the effective start and end date for that time stamp. Let’s take an example: in the C programming language the standard time stamp is named ‘time_t’. The majority of definitions for time_t are as a 32-bit signed integer, although the 64-bit version is beginning to make an appearance. For now we will stick with the 32-bit variety. time_t has an epoch time of 1970-01-01 00:00:00 and a resolution of 1 second. Because it is signed, the possible values range from -2,147,483,648 to 2,147,483,647, which equate to a time stamp range of 1901-12-13 20:45:52 through to 2038-01-19 03:14:07. Forget the Y2K bug, any operating systems or programs written in C or C++ are likely to have a bit of a headache in January 2038.

/ TIME ON COMPUTER SYSTEMS
Most computer systems these days contain a real time clock or RTC (sometimes called a hardware or BIOS clock). This clock has its own power supply in the form of a lithium battery. Generally the sole purpose of this clock is to provide a time signal for the machine as it boots up; thereafter the operating system maintains its own system clock that is updated using interrupts to the CPU. At intervals and on shutting the system down, the system clock updates the RTC.

is used can vary depending on the distribution, but on Ubuntu the setting can be found in the /etc/default/rcS text file. The line ‘UTC=yes’ or ‘UTC=no’ tells you what you need to know. On other systems you might find the same setting in the file /etc/sysconfig/clock.

Skew is dealt with in the Linux environment by a file named ‘adjtime’ which maintains a list of the adjustments that have been made to the RTC; it can usually be found in the /etc/ or /var/lib/hwclock/ directory. The appropriate adjustment is calculated and the file is updated when setting the RTC and system clock from an external source.

The time zone setting is to be found in the file /etc/localtime which is either a copy of, or a link to, a file in the /usr/share/zoneinfo directory. These files are compiled timezone files so you won’t be able to read them with a text editor; rather, you will have to reverse engineer them or use the tool zdump to read them.

/ TIME SETTINGS IN WINDOWS
Windows generally assumes the real time clock is set to local time. However, up to Windows XP it was possible to
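Two of the interpretation steps described above (the 32-bit time_t range and the Linux adjtime file), as an added example that is not the article's code. The first half decodes a raw time_t field from a buffer and shows how the same four bytes read as signed or unsigned give dates on either side of the 2038 boundary; the second half parses an adjtime file as hwclock writes it (three lines: drift in seconds per day with the last adjustment time and status, the last calibration time, and UTC or LOCAL) and uses it to estimate RTC drift and to turn a raw RTC reading into UTC. The sample bytes and the adjtime contents are constructed; function names are assumptions.

```python
"""Added example (not from the article): interpreting raw time_t fields
and a Linux adjtime file during an examination.  All sample bytes and file
contents are constructed."""
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_to_utc(seconds: int) -> datetime:
    """Seconds since 1970-01-01 00:00:00 UTC to a UTC datetime.  Adding a
    timedelta also works for negative values, which fromtimestamp() rejects
    on some platforms."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def time_t32_range(signed: bool = True) -> tuple:
    """Earliest and latest instants a 32-bit time_t can represent."""
    lo, hi = (-(1 << 31), (1 << 31) - 1) if signed else (0, (1 << 32) - 1)
    return epoch_to_utc(lo), epoch_to_utc(hi)


def decode_time_t(raw: bytes, width: int = 4, signed: bool = True,
                  little_endian: bool = True) -> datetime:
    """Decode one time_t field from a buffer.  The same four bytes read as
    signed or unsigned give dates 136 years apart, so the examiner must
    know which definition the producing program used."""
    code = {4: "i", 8: "q"}[width]
    fmt = ("<" if little_endian else ">") + (code if signed else code.upper())
    (value,) = struct.unpack(fmt, raw[:width])
    return epoch_to_utc(value)


def parse_adjtime(text: str) -> dict:
    """Parse hwclock's adjtime file.  Its three lines are:
         <drift, seconds/day> <last adjustment, epoch secs> <adjust status>
         <last calibration, epoch secs>
         UTC | LOCAL          (how the RTC is kept)"""
    lines = text.strip().splitlines()
    if len(lines) < 3:
        raise ValueError("adjtime needs three lines")
    drift, last_adj, _status = lines[0].split()
    return {
        "drift_seconds_per_day": float(drift),
        "last_adjusted": epoch_to_utc(int(float(last_adj))),
        "last_calibrated": epoch_to_utc(int(float(lines[1].strip()))),
        "rtc_mode": lines[2].strip().upper(),
    }


def expected_rtc_drift(adj: dict, at: datetime) -> float:
    """Seconds the RTC is expected to have drifted by `at`, from the
    recorded daily drift and the time of the last adjustment."""
    days = (at - adj["last_adjusted"]).total_seconds() / 86400
    return adj["drift_seconds_per_day"] * days


def rtc_reading_to_utc(rtc: datetime, adj: dict, local_offset: timedelta) -> datetime:
    """Convert a raw (naive) RTC reading to UTC.  When the RTC is kept in
    local time the zone offset in force on the machine must be removed."""
    as_utc = rtc.replace(tzinfo=timezone.utc)
    return as_utc - local_offset if adj["rtc_mode"] == "LOCAL" else as_utc


# Constructed sample: 1267401600 is 2010-03-01 00:00:00 UTC.
SAMPLE_ADJTIME = "1.234567 1267401600 0.000000\n1267401600\nUTC\n"

if __name__ == "__main__":
    print(time_t32_range())                                   # 1901 .. 2038
    print(decode_time_t(b"\x00\x00\x00\x80"))                # signed: 1901
    print(decode_time_t(b"\x00\x00\x00\x80", signed=False))  # unsigned: 2038
    adj = parse_adjtime(SAMPLE_ADJTIME)
    print(adj["rtc_mode"], expected_rtc_drift(adj, epoch_to_utc(1267401600 + 10 * 86400)))
```

The drift estimate is only as good as the last calibration: a machine that was set from an external source long ago, or whose adjtime was never updated, gives a number that should be treated as an upper bound on what to allow for when reconciling RTC-derived stamps with network time.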
/ FEATURE
DIGITAL STEGANOGRAPHY
AN INTRODUCTION TO THE PRACTICE OF DIGITAL INFORMATION HIDING
/ ENTRY

Throughout history man has sought ways to communicate secretly. One of the earliest recorded methods for doing this was the use of wax tablets by the ancient Greeks.

In 480BC, Demaratus used wax tablets in an attempt to warn King Leonidas of Sparta that King Xerxes I planned to lead his army into Greece prior to the historic Battle of Thermopylae. Because the danger of being discovered was great, Demaratus hid his warning by scraping the wax off the tablets and scribing his message directly onto the wood. Then he recoated the tablets with wax and sent the tablets via messenger to Leonidas. Interestingly, when the tablets were delivered, no one could figure out why they had received wax tablets with nothing written on them. According to The Histories written by Herodotus, widely acclaimed as the Father of History, Queen Gorgo, Leonidas’ wife, is purported to have said, “If they would scrape the wax off the tablet, they would be sure to find the writing upon the wood.” Thus, the warning was delivered, but the Spartans got massacred at Thermopylae in one of history’s greatest last stands as depicted in the movie “300” starring Gerard Butler.

Demaratus’ use of wax tablets is one of the earliest and most widely referenced uses of information hiding, a practice that has become known as steganography.

/ What is Steganography?
Steganography is derived from the Greek words “steganos”, which means “covered” or “protected”, and “graphein”, which means “writing.” When the two words are combined, the result is literally “covered writing” or “protected writing.” Essentially, steganography is a means of communicating secretly, or covertly. Over the years the art of Information Hiding has presented itself in many ways, for example:

• The Chinese hid secret messages on slips of paper and baked them in moon cakes
• Mary, Queen of Scots, hid encrypted information in the bunghole of beer barrels
• Gaspar Schott hid information in musical symbols used to write sheet music
• George Washington used invisible ink to communicate secretly
• Microdots, the size of a period, were used in World War II to conceal information [1]

For a comprehensive history of secret communication from Ancient Times to the present, the interested reader should read The Code Breakers by David Kahn [2].

In the Internet era, steganography has evolved into a digital form of information hiding. Accordingly, when talking or
BOOK REVIEWS
I found the book to be an interesting read, although it is
unlikely to be something you may read cover to cover. It’s
more likely that you will focus on certain chapters, and that is
probably why you would buy the book. To be honest, in parts
the book tries too hard to be everything to everyone, and
whilst it’s useful to have a lot of information in a single book,
sometimes to only have a few paragraphs on a topic isn’t
enough, and perhaps it would have been better served trying
to focus on a few areas rather than trying to do it all. Also, if
like me you are based in the UK, this book is very US focussed
and so you should consider that before you buy it.
IRQ
Angus Marshall interrupts your train of thought with some general musings on security, forensics and the world around us

On the 1st of March this year it seems that a batch of Sony Playstation 3 consoles took it upon themselves to decide that it was the 29th of February. Not a huge problem, you might say – after all, it’s only a games console. It’s not as if planes were dropping out of the sky, nuclear reactors going into meltdown or inter-continental ballistic missiles deciding to launch themselves, is it? Well, no. In this case it wasn’t a huge problem for society, but it could have been.

For the owners of those consoles, the potential impact if the problem hadn’t sorted itself out the following day could have been quite significant. Many of them had spent a lot of time and money playing online games and acquiring virtual assets – all of which disappeared during the date problem. There was the potential for a real financial loss due to loss of intangible property. If more systems had been affected or the problem hadn’t cured itself, Sony could have been facing a class-action lawsuit.

That, however, is the least of my worries. The bug that caused this is typical of the sort of thing we worried about in the late 1990s when the dreaded “millennium bug” had the doom and gloom merchants predicting TEOTWAWKI. I, myself, spent many months in training centres around the UK delivering courses on how to adapt software to get round the problem. The government spent millions on the Y2k taskforce and, on 1st January 2000 – pretty much nothing of interest happened at all. Maybe it was because of all the effort put into it, or maybe we misunderstood how date-dependent systems were using data.

One critical thing that has been forgotten in the intervening years though is the Y2k compliance guarantee that all software and hardware vendors were supposed to provide. Paraphrasing, it stated that products would “work correctly in the year 2000 and all future dates”. Leaving aside the issues that Unix system 32 bit clocks will roll over in 2038, the compliance guarantee is an interesting statement – and one that seems to have completely disappeared from products since the year 2000.

Does it matter? Why am I making such a fuss about it?

Well – back in the dim and distant past, when I taught people how to program, I used to include coverage of algorithms and how to implement them, including things like all the rules for converting from seconds, since some arbitrary point in time into human-understandable date and time formats. Since then, of course, dinosaurs no longer roam the earth and programming has moved on to a model where most code is dependent on objects/modules/units/libraries provided by some third party. The “skill” now lies mainly in figuring out which bits of other people’s code to reuse in order to achieve the right results – but this means that the programmer can never be entirely sure that the underlying code is actually doing the right thing the right way all the time.

Can you imagine what would happen if someone was asked to investigate an attempted intrusion into a network and found that their tools started reporting that the events in question happened variously on 1st March 2010, 29th February 2010, and 33rd Octember 1877? The only option would be to assume that all the tools were faulty until proven otherwise and fall back on old-fashioned methods using low level tools and interpretation of hex dumps – if the skills to do this still exist. Worse yet, it would have to be assumed that the tools had always been faulty and that could open the floodgates to appeals and accusations of wrongful conviction galore.

In forensic work, where someone may end up in gaol and on a register of offenders as a result of evidence produced by software, knowing that the software consistently produces correct results seems a pretty fundamental requirement – but if we don’t know how the software is doing what it does, or that it is doing it consistently, can we, as responsible professionals, really rely on the results?

We need to make sure that our tools are doing not just the right things, but ideally doing them in the right way – and that they will continue doing just that for as long as we need them to. We cannot continue to rely on commercial offerings in the hope that the vendors are doing the right thing. We need more than guarantees. We need proof and we need it now. /

/ Author Bio
Angus Marshall is an independent digital forensics practitioner, author and researcher, currently working on the ‘fitness for purpose’ challenge. In a past life he was an academic course leader in Digital Forensics & Forensic Computing and still retains strong links with academia, professional bodies and regulators. He can be contacted through his company, n-gate ltd. (http://www.n-gate.net).
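The seconds-to-calendar conversion the column refers to, written out in full as an added example (not the column's or any vendor's code) so that it can be checked the way the column asks tools to be checked: against an independent reference and across the leap-year boundaries that date bugs tend to cluster on. The civil_from_days routine is the 400-year-era method for the proleptic Gregorian calendar; the deliberately wrong naive_is_leap and the sample values are included only to show what a validation run has to catch. All sample inputs are constructed.

```python
"""Added example (not from the column): seconds-since-epoch to calendar
date, with a validation run against the standard library."""
from datetime import date, datetime, timedelta, timezone


def is_leap(year: int) -> bool:
    """Gregorian rule: every 4th year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def naive_is_leap(year: int) -> bool:
    """The shortcut that is wrong for 1900 and 2100; kept only as the kind
    of rule a validation run must catch."""
    return year % 4 == 0


def leap_rule_mismatches(first: int, last: int) -> list:
    """Years in [first, last] where the shortcut disagrees with the rule."""
    return [y for y in range(first, last + 1) if is_leap(y) != naive_is_leap(y)]


def civil_from_days(days: int) -> tuple:
    """Days since 1970-01-01 to (year, month, day), valid for negative
    inputs.  Works in 400-year eras (146097 days) with a March-based year
    so that the leap day is the last day of the year."""
    z = days + 719468                   # shift the epoch to 0000-03-01
    era = z // 146097                   # Python // floors, so negatives work
    doe = z - era * 146097              # day of era, 0..146096
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)   # day of March-based year
    mp = (5 * doy + 2) // 153           # month index, March = 0
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    return year, month, day


def seconds_to_civil(seconds: int) -> tuple:
    """Seconds since the Unix epoch to (Y, M, D, h, m, s) in UTC."""
    days, rem = divmod(seconds, 86400)  # floor divmod keeps rem in 0..86399
    y, mo, d = civil_from_days(days)
    h, rem = divmod(rem, 3600)
    mi, s = divmod(rem, 60)
    return y, mo, d, h, mi, s


def validate_against_reference(samples: list) -> list:
    """Return the inputs on which our conversion disagrees with datetime;
    an empty list is the evidence for those inputs."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    bad = []
    for secs in samples:
        r = epoch + timedelta(seconds=secs)
        if seconds_to_civil(secs) != (r.year, r.month, r.day, r.hour, r.minute, r.second):
            bad.append(secs)
    return bad


def sweep_days(first_day: int, last_day: int) -> int:
    """Count days in [first_day, last_day] where civil_from_days disagrees
    with datetime.date; covers every leap-year edge in the range."""
    base = date(1970, 1, 1)
    mismatches = 0
    for n in range(first_day, last_day + 1):
        d = base + timedelta(days=n)
        if civil_from_days(n) != (d.year, d.month, d.day):
            mismatches += 1
    return mismatches


# Constructed known points: 32-bit limits, the second before the epoch,
# the epoch, 2000-02-29 and 2010-03-01 (the date in the column).
SAMPLES = [-2147483648, -1, 0, 951782400, 1267401600, 2147483647]

if __name__ == "__main__":
    print(seconds_to_civil(2147483647))          # (2038, 1, 19, 3, 14, 7)
    print(leap_rule_mismatches(1900, 2100))      # [1900, 2100]
    print(validate_against_reference(SAMPLES), sweep_days(-80000, 80000))
```

The sweep is the part worth keeping in a tool's test suite: spot checks on a handful of dates pass for the naive leap rule too, and only a range that crosses 1900 or 2100 shows the difference.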