Hakin9 EXTRA Forensic 03 2011 Teasers


PRACTICAL PROTECTION IT SECURITY MAGAZINE

Forensics

Dear Readers,

This issue is devoted to forensics. To follow up the last issue, in which we discussed ID thefts, we decided to focus on forensics. There are several interesting articles: Mobile Digital Forensics by Rebecca Wynn, Are we ready for Digital Evidence? by Rich Hoggan, Forensic Improvisation by Israel Torres, Best Practices in InfoSec Forensics by Gary Miliefsky and much more. Hopefully, you will find this information interesting and useful.

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

Enjoy your reading!
Karolina Lesińska

team
Editor in Chief: Ewa Dudzic ewa.dudzic@software.com.pl
Managing Editor: Karolina Lesińska karolina.lesinska@hakin9.org
Editorial Advisory Board and Top Betatesters: Rebecca Wynn, Matt Jonkman, Bob Folden, Donald Iverson, Steve Lape, Michael Munt, Simon Carollo, Shyaam Sundhar, Graham Hili, Shayne Cardwell
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca andrzej.kuca@hakin9.org
Marketing Director: Karolina Lesińska karolina.lesinska@hakin9.org
Subscription: en@hakin9.org
Publisher: Software Press Sp. z o.o. SK, ul. Bokserska 1, 02-682 Warszawa
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by The editors use automatic system Mathematical formulas created by Design Science MathType™.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

CONTENTS

06 Basic Forensics Analysis
by Marc-Andre Meloche
Digital Forensics is mostly like the movies, the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes. New crime vectors are now implicating the use of computers mostly. It is important now to include computers as a main possible tool for suspects.

12 Mobile Digital Forensics – Cover Your ASSets (CYA)
by Rebecca Wynn
Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. Use this article as your starting point. It is broken up into sections so the reader can easily review sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use.

20 To Get Round To The Heart Of Fortress
by Yury Chemerkin
Cybercrime is becoming a growing threat to society. The thefts of information, crashing a website or manipulating online payment traffic are also increasing. It is interesting mainly to authorities and financial institutions. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools, but they are accessible to every organization.

38 Are We Ready For Digital Evidence?
by Rich Hoggan
Are we ready for digital evidence? It's a question that we need to ask more often as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis. Yet that said, we still live in a world where we think the computer and what we do on it, or any digital device for that matter, is irrelevant to something like a criminal case. Similarly, an example of such a case has come about: the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but where the computer's average use such as searching the internet and uploading to social networking is seen as being malicious.

42 Forensic Improvisation
by Israel Torres
Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset. Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready to burn LiveCD/DVD/USB forensic toolsets that suit the job nicely but that would require training, planning and knowing you'd need them at a moment's notice. Such ready to run toolsets come in all flavors from free to commercial and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines).

46 Ask The Social-Engineer: Neuro-Linguistic Hacking – The New Age of Social Engineering
by Christopher Hadnagy
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history till today, social engineering has been used. The interesting part about social engineering is that the methods used have not changed much. Sure there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.

50 Best Practices in InfoSec Forensics – Proactively preparing for and executing network forensic analysis
by Gary S. Miliefsky
This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics. To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences.

FORENSICS

Basic Forensics Analysis

Digital Forensics is mostly like the movies, the main aspect is to gather evidence or digital footprints which will help you understand any digital crimes that might have occurred inside your organization. This is used in most cases related to computer crimes.

What you will learn…
• You will be able to perform basic forensics manipulation on computers with the common open-source forensics tools.
• You will be able to create bit-copy images of hard drives or other media for forensics analysis.
• You will be able to navigate and understand how Autopsy works. This is a powerful tool that will help you obtain the information you need to help you build forensics cases.

What you should know…
• Basic understanding of drive locations in Linux and mount points.
• Ability to navigate inside a Linux file system and be able to install software.
• Have a very meticulous mindset for detail while performing the evidence search; sometimes small details could be missed.

New crime vectors are now implicating the use of computers mostly. It is important now to include computers as a main possible tool for suspects. Let me present you the scenario. You work in the financial sector, and one of the employees has been transferring credit card information to his computer at home. As a security analyst you will have to gather evidence to find out who this employee was and how he transferred the credit cards. (We will not talk about the incident management process; this is a technical how-to.)

Figure 1. Write blocker from Tableau (http://www.tableau.com/index.php?pageid=products&category=forensic_bridges)
Figure 2. Basic IDE/SATA USB converter from Vantec (http://www.vantecusa.com/)

FORENSICS

Mobile Digital Forensics – Cover Your ASSets (CYA)

"You and only you are responsible for 'Covering Your ASSets'." – Rebecca Wynn

What you will learn…
• What information can be obtained from a cell phone
• MOBILedit! Forensic Software
• How to Cover Your ASSets (CYA)
• Security Checklists

What you should know…
• Basic cell phone skills

Contrary to what we wish, mobile digital forensics is made easy because we as individuals like to think that no one is eavesdropping, shoulder surfing, watching us type in our passwords, taking out our SIM card and copying it while we are with the boss/in the bathroom/heating up lunch, etc. No one else will do it for you. This article's goal is to help you see that it is your responsibility and yours alone to Cover Your ASSets. Use this article as your starting point. It is broken up into sections so the reader can easily review sections that are pertinent to him/her. I have only mentioned a few tools but have referenced the NIST publications that list dozens of tools and detailed information regarding their use.

Cell Phone – What Information Can Be Obtained?

Contacts:
• Name fields: first, last, middle, prefix, suffix, nickname, joint name
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, pager, video, VoIP, push-to-talk
• Postal addresses
• Web pages and e-mail addresses
• Company, department, job title
• Text notes
• Private info: birthday, spouse, children
• Custom field labels
• Multiple fields of the same type
• Last modification date & time

Event Logs:
• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log

Caller Groups:
• List of caller groups & belonging contacts

Speed Dials:
• List of assigned speed dials

Notes:
• General Packet Radio Service (GPRS) was the first data service for GSM cellular carriers. GPRS added a packet capability to GSM, which uses dedicated, circuit-switched channels for voice conversations.
• Wi-Fi is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards.
• Global System for Mobile Communications (GSM), originally Groupe Special Mobile, is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe technologies for second generation (or 2G) digital cellular networks.

FORENSICS

To Get Round To The Heart Of Fortress

Cybercrime is becoming a growing threat to society. The thefts of information, crashing a website or manipulating online payment traffic are also increasing. It is interesting mainly to authorities and financial institutions. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools, but they are accessible to every organization.

What you will learn…
• General forensic classification
• Classic and non-classic mobile forensics

What you should know…
• Basic knowledge about forensics

The current century can be described as the application of digital technology that enhances traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other ways of life has improved the efficiency of these entities. On the other hand, the computer as a criminal tool has enhanced criminals' own activity. In particular, the surge of technical adeptness in the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone being caught. These crimes are rather classic crimes. To catch criminals involved with digital crime, investigators must employ consistent and well-defined forensic procedures where possible.

A malicious insider is an employee (current or former), contractor, or business partner who had, has or is going to have authorized access to an organization's network, system, or data and uses it in a manner that negatively affects confidentiality, integrity, or availability. Threats of this kind range from the malicious employee (if he has, and has to have, the technical expertise to implant malware (a logic bomb, …) in the critical system) onwards. Employees also represent another significant insider threat vector through inadvertent actions, which can occur because individuals have accumulated more privileges than they need for their current job functions or because individuals may just be careless about usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user. Anyone writing off the insider threat as a low-cost risk ought to realize the seriousness of the problem.

The common security vulnerability that increases the risk of insider threats is inadequate auditing and analytics:
• Sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, and today's highly distributed and complex IT environments generate massive volumes of logging data. This helps immensely in forensic investigations, but the sheer volume of data is very difficult to manage. Most current approaches to addressing insider threats are reactive, not predictive. Many organizations may still identify at-risk insiders and then implement more detailed logging on those individuals in response, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that can provide more analytic and predictive capabilities that, if not able to prevent insider attacks,
• Delicate balance of risk versus productivity. IT managers need to balance the risk of employees' need for additional access against the lost productivity that would result if access was not granted to certain users.

To Get Round To The Heart Of Fortress

push technology adds a unique dimension to forensic examination. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time. Without warning, applications such as the email client, wireless calendar, instant messaging, and any number of third party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult, potentially overwriting previously „deleted” data. In order to preserve the unit, turn the radio off. Make note that completely powering off the RIM will wipe data from the SRAM. Logs stored there, which may be of interest, will not survive a full power-down.

If the RIM is password protected, get the password. The password itself is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available.

In fact, a RIM device does not need a cradle or desktop connection to be useful. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally. The more time a mobile device spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person.

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009 and currently works as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry Infrastructure and the effects of the trust bot-net & forensic techniques on human privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549

FORENSICS

Are We Ready For Digital Evidence?

Are we ready for digital evidence? It's a question that we need to ask more often as crimes will inevitably include forensic evidence gathered from a computer or other digital device on a more consistent basis. Yet that said, we still live in a world where we think the computer and what we do on it – or any digital device for that matter – is irrelevant to something like a criminal case. Similarly, an example of such a case has come about – the Casey Anthony murder trial that took place here in the States just recently. It's not a case where cyber security is or was a concern, but where the computer's average use such as searching the internet and uploading to social networking is seen as being malicious.

What you will learn…
• Forensic recovery of an image file's meta-data and web browser's history
• Programming our own tools
• Discussing the impact of digital evidence

What you should know…
• Basic understanding of digital forensics and techniques
• Basic understanding of web programming using HTML and PHP

Similarly, photos were posted to multiple social networking sites while the suspect's daughter was still considered missing. It was during a forensic investigation of the family's computers that said evidence was found demonstrating searches were made on the internet in relation to the case. Ultimately though, the forensic evidence wasn't enough to get a conviction from the jury. What's interesting is the fact that it isn't a cyber incident in that it's a case that involves a person's social networking life and their history of internet search terminology – everyday activity for computers, digital cameras, even our cell phones. As a result we will be going through the motions of viewing an image file's meta-data with forensic tools and even making our own tool using HTML and PHP. Similarly, we will be going through the motions of viewing and analyzing the browser's history. Lastly, we will be attempting to answer the question of whether or not we are ready for digital evidence and its impact on our lives. I have attempted to create a balance between asking the tough questions as well as understanding the technical aspects of digital forensics in this article. But before we get into the core of this article, we first have to understand a little bit of the case's background.

Figure 1. EXIF data of an image

FORENSICS

Forensic Improvisation

Forensic Improvisation is the concept of capturing important intelligence using the available tools at hand and not necessarily the desired toolset.

What you will learn…
• You will learn how to improvise your use of digital forensics

What you should know…
• You should know your environment as well as basic shell programming

Think of it as guerrilla forensics without the idea of warfare. There is a myriad of ready to burn LiveCD/DVD/USB forensic toolsets that suit the job nicely but that would require training, planning and knowing you'd need them at a moment's notice. Such ready to run toolsets come in all flavors from free to commercial and all handle various techniques to get all kinds of information from all kinds of places inside all kinds of machines and all kinds of operating systems (including virtual machines). Using tools someone has already written for you is certainly nice, but if you can't modify them to suit your immediate needs then this is where improvisation takes place. Understanding how things work is always best, and the best tool is the one you write yourself. The focus of this article is using the command line (terminal, bash) tools found on a standard Mac OS X 10.7 (Lion) operating system, including a few additional optional downloads (or really rather what most geeks would have already installed anyway). It certainly isn't the time to shy away from the terminal – that's where all the sexy is (not the clicky-eye-candy you may be used to).

The challenge: So we've been presented with 10 binary files (test0.bin – test9.bin). Since they are all

Figure 1. Testbench listing
Figure 2. TermHere

FORENSICS

Neuro-Linguistic Hacking: The New Age of Social Engineering

Social engineering is nothing new. From some of the oldest stories recorded in mankind's history till today, social engineering has been used. Sure there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.

The interesting part about social engineering is that the methods used have not changed much. What makes a person tick? In the last 70-100 years there have been massive leaps in understanding the human psyche. Dr. Paul Ekman took understanding microexpressions to a new science. Bandler and Grinder took understanding neurolinguistic programming to a whole new plane. Then many experts who spent decades studying influence, persuasion and manipulation began to work hard to understand what makes a person act a certain way.

As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole. We have interviewed radio hosts, law enforcement, psychologists, NLP gurus, dating experts and others to try and understand what each of those fields has to offer a social engineer. After studying a lot of the practices and what makes them successful we have blended a few together and are going to start a new study called Neuro-Linguistic Hacking (NLH).

What is NLH
NLH is a combination of the use of key parts of neurolinguistic programming, the functionality of microexpressions, body language and gestures, blending it all together to understand how to hack the human infrastructure. Let's take a closer look at each to see how it applies.

Neuro-Linguistic Programming (NLP)
NLP is a controversial approach to psychotherapy and organizational change based on a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences underlying them, and a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior.

Neuro
This points to our nervous system, through which we process our five senses:
• Visual
• Auditory
• Kinesthetic
• Smell
• Taste

Linguistic
This points to how we use language and other nonverbal communication systems through which our neural representations are coded, ordered and given meaning. This can include things like:
• Pictures
• Sounds
• Feelings
• Tastes
• Smells
• Words

Programming
This is our ability to discover and utilize the programs that we run in our neurological systems to achieve our


FORENSICS

Best Practices in InfoSec Forensics
Proactively preparing for and executing network forensic analysis

This article is meant to give you a quick overview of the best practices for Information Security (INFOSEC) forensics.

What you will learn…
• Forensic Basics
• Network Forensics
• Computer Forensics

What you should know…
• Using Syslog, Traps and Network Taps
• Deploying Network Attached Storage
• Duplicating A Hard Drive

To get started, let's first define this subject and then dig into the tools used in this field of computer and criminal justice sciences:

What is INFOSEC Forensics?
INFOSEC Forensics relates to digital forensics and legal evidence; most usually, after a breach, computer forensics are performed by a network security professional – this is reactive. In addition there is Network Forensics, which is the monitoring and analysis of computer network traffic for the purposes of information gathering or intrusion detection – this is proactive, always looking for anomalies. These can range from hacker attacks to employees leaking data and internal information to a competitor, or a malicious insider on your network. The best practices, of course, are to be as proactive as possible and plan for both scenarios – one is to gather and store traffic; the other is to have RAID, Hard Drive Mirroring, Continuous Data Protection (CDP) and, at minimum, daily backups of all important company information from all network touch points, so you don't have to reactively go chase down a lost or stolen laptop to analyze a hard drive, because you have the latest, closest copy of the data set stored

Figure 1. Network Forensics

Social-Engineer.Com
Security Through Education

SE Videos
Social Engineering Tool Kit: The Web's First Social Engineering Framework
SE Resources
Free Monthly SE Newsletter
Free Monthly SE Podcast

www.Social-Engineer.Com
Now offering professional Social Engineering Services. Contact us today to learn more: info@social-engineer.com
