DigitalForensics 11 Data Theft


ISSUE 11
MAY 2012

DATA THEFT
Jonathan Grier explains how to carry out an investigation, when no artefacts exist, using his stochastic forensics approach

Issue 11 / £14.99 TR Media

/ REGULARS: robservations, 360, news, irq & more…
/ FROM THE LAB: Image Metadata for Effective Data Mining
/ INTRODUCING: Cyber Warfare & Covert Channels
/ Book Reviews INCLUDING The Basics of Digital Forensics
/ EDITORIAL

EDITORIAL

A recent news article about flying cars set me to thinking about the current limitations/boundaries or lack of boundaries in digital forensics. Traditionally forensics was about finding evidential artefacts that can be used to help law enforcement prosecute offenders or by defence lawyers to prove the innocence of their client. These days it is much more and includes investigating cause and effect as the many uses of technology continue to expand.

In the mad rush to use technology as an enabler, the first casualties are often security and safety. Naturally this comes from the desire to make things happen; security and safety are often seen as blockers to this ideal and often add a level of cost and complexity that is considered a stifling of innovation and progress. I do not subscribe to such short-termism. All too often the blinkered cut costs to speed up development or production only to find that they have to pay a greater amount subsequently. Then there is the developer who just wants to make it work, no matter what the cost.

Take the ubiquitous motor vehicle; this has become ever more complex as more technology is added to improve on braking, steering, engine management and such like. Add to this mix the SatNav, Bluetooth, WiFi and communications both Car-to-Car (V2V) and Car to Infrastructure (V2X) and you have a heady environment rich in potential with regard to digital information.

Next we move on to our humble dwellings, once the mud huts protecting us from the wind and rain; now they are awash with technology rich in information and set to become even richer. The so-called “Smart” houses of the not too distant future will provide a wealth of information for investigations. When considering a timeline investigation we already use CCTV and alarm systems for artefacts; now consider if you can tell when lights were turned on and off, does the pattern and time fit with the investigation?

It is in this vein that we continue to look for interesting and informative articles on the expanding and challenging world that we call Digital Forensics. Following the more focussed issue 10 on mobile phones, issue 11 has an interesting mix covering a number of disciplines and activities; Chinese Cell Phones, Stochastic Forensics, WPS, Botnets, Password Cracking and Covert Channels is a heady mix and once again shows the broad nature and diversity of the digital forensics profession.

I hope you enjoy the latest issue of Digital Forensics Magazine and remember we are always happy to hear from you via 360 or if you want to “Get Involved” you can follow the various links from the website or contact us at editorial@digitalforensicsmagazine.com

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board: Roy Isbell, Alastair Clement, Scott C Zimmerman, Rob Lee, Angus Marshall & Sean Morrissey
Acquisitions: Roy Isbell, Sean Morrissey, Rob Lee & Scott Zimmerman
Editorial: Roy Isbell
News Desk: Matthew Isbell
Sales & Marketing: Andrew Nicholson
Production and Design: Matt Dettmar (www.freelancemagazinedesign.co.uk)
Contributing Authors: Angus Marshall, Brian Cusack, Rob Harriman, Rob Lee, Scott C. Zimmerman, Sean Morrissey, Glen Edwards, Jonathan Grier, Andy Swift, Kevin North, Ollie Whitehouse, Matthew Isbell, Jim Wingate & Juneown Park
Technical Reviewers: Dr. Tim Watson, Scott C. Zimmerman, Sean Morrissey, Rob Lee & Angus Marshall

CONTACT DIGITAL FORENSICS MAGAZINE

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@digitalforensicsmagazine.com. Alternatively you could telephone us on: Phone: +44 (0) 844 5 717 318

News
If you have an interesting news item that you’d like us to cover, please contact us on: news@digitalforensicsmagazine.com

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@digitalforensicsmagazine.com.

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@digitalforensicsmagazine.com.

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@digitalforensicsmagazine.com.

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.

/ CONTENTS

CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 11

REGULARS
/ NEWS 06
/ ROBSERVATIONS 14
/ 360° 26
/ LEGAL EDITORIAL 29
/ APPLE AUTOPSY 45
/ COMPETITION 56
/ BOOK REVIEWS 80
/ IRQ 82

FEATURES
/ Let Me In 09
Glen Edwards’ guide for how to avoid an investigation being delayed or, at worst, stopped
/ Stochastic Forensics 16
How to prove or disprove that data has been stolen
/ WPS Insecurities AND False Prophets 22
In this article, Andy Swift looks at the WPS facility and analyses the vulnerability it presents
/ Meet the DF Professionals 36
An interview with Chip Off researcher, Jim Swauger
/ Chinese Cell Phone AND Digital Forensics 40
A look at the increase of mobile phones in China
/ Imaging and Write Blocking on a Mac 46
How first responders and examiners should handle the imaging of both old and new Macs
/ BotNets 57
Brian Cusack and Junewon Park investigate the enemy
/ Covert Channels 62
Matthew Isbell takes a look at covert channels
/ CYBER CHAMPIONS 71
Educating youngsters about the digital world

LEGAL
/ China’s Evidentiary Requirements 30
A look at the legal system in the People’s Republic of China

FROM THE LAB
/ Image Forensics 51
Ollie Whitehouse explains how to deal with large quantities of forensically acquired image data

/ NEWS

NEWS

EnCase Version 7 released with extra features

Since the last issue of Digital Forensics Magazine, the leading software solution for Digital Forensic Investigations, EnCase, has been upgraded to version 7.

Guidance Software, the company behind EnCase, has explained that the latest version of EnCase Enterprise is designed to help with the growing computer investigation needs of commercial enterprises and government organisations for governance, risk and compliance.

EnCase version 7 also comes packed with integrated smartphone support, a revamped user experience and brand new, powerful template-driven processing. Dubbed the most powerful and easiest to use version of EnCase, the software debuted at the 2012 RSA conference.

Victor Limongelli, president of Guidance Software, explained that, “EnCase Enterprise has long had a dominant market position with Fortune 100 firms, but recently we’ve seen a boom in demand – new EnCase Enterprise customers tripled in 2011 – which tells us that the addressable market for remote forensics is growing beyond just the world’s top companies. EnCase Enterprise version 7 is aimed at simplifying enterprise investigations through automation and enhanced functionality, allowing the examiner to complete remote forensics in a timely and effective manner.”

The key features of version 7 include:

• Comprehensive Device Support – in addition to the robust file system support that EnCase Enterprise is known for, version 7 delivers integrated support for Apple, Blackberry, Android, Windows Mobile and other smartphone and tablet devices.
• Expanded Encryption Support – The software provides additional support for file- and disk-based encryption, as well as all new integrated Passware support to quickly identify files locked by passwords and to decrypt TrueCrypt files.
• Enhanced User Experience – The EnCase Enterprise user interface has been redesigned to have the same simplicity as using a web browser, with the ability to quickly zoom in on data of interest in an all new system and volatile data viewer.
• Fast, Powerful Performance – New caching capabilities make opening and browsing case data faster and more efficient.
• Support for Governance, Risk and Compliance (GRC) Products – EnCase Enterprise supports compliance concerns by allowing activity to be stored in Windows event log files to trigger auditing functions in SIEM tools. The software provides comprehensive logging of operations and allows Active Directory integration for user authentication.

Russia to hold ISPs responsible for illegal file sharing

Illegal file sharing is still a growing issue in the realm of Cyber Crime. While previous attempts to target individual file-sharers have failed, authorities and copyright holders have been forced to lay the blame elsewhere.

The battle against illegal file sharing is continuing globally and it has become routine to witness Internet Service Providers (ISPs) being drawn into the debate and treated as the sole reason for the existing problems.

One nation that has been described by many as a haven for cybercrime and illegal file sharing is Russia. However, it may seem that this is all about to change. Recent reports from Russia explain that authorities are soon to put more pressure onto Internet Service Providers whose networks are being used to conduct copyright offences and share illegal material.

Although the networks provided by ISPs give the users access to a wealth of legal material and services, it was never going to be long before these networks were used for malicious and nefarious purposes. There is no evidence to suggest that the ISPs advertise the availability of the illegal material, and indeed no suggestion is being made, but there are current claims stating that the ISPs use the existence of such illegal networks as a ‘plus point’ when marketing their various products.

The Interior Ministry’s cyber crime department has stated that, in advance of any action against ISPs, nationwide checks are being carried out into the use of the local networks, with results being released in May.

A statement from three ISPs who spoke to Vedomosti.ru describes how none of them are aware of any investigations currently underway. Anyone who is prosecuted for direct copyright infringement in Russia can face a sentence of up to 6 years imprisonment.

This method of blaming and encouraging ISPs to spy on their users has been seen elsewhere in the world recently with the failed attempt to bring SOPA, the Stop Online Piracy Act, into legislation in the US.

It would seem that the idea of making ISPs and websites responsible for their users’ actions is becoming very popular in political circles and we may see more similar action being taken around the world in the coming year.

SOPA failed to be enacted in the USA after it was voted a breach of an individual’s privacy and was seen by many as a deceptive way for governments to spy on their citizens.

/ NEWS ROUND-UP

FIRST ACCREDITED COURSE IN THE UNITED STATES

Marshall University (MU), in West Virginia, has become the first University to receive accreditation for its Digital Forensic program in the United States. The award, presented to the University by the Forensic Science Education Programs Accreditation Commission, was announced on April 2nd at a press conference. Dr Terry Fenger, director of the Forensic Science Center at MU, explained how the center does more than just train graduate students in Forensic Science, but also trains law enforcement professionals and assists the police across the whole nation. The Center is located in the South Side of the city and offers a “multi-faceted program” including education in forensic science, training for professionals and advanced scientific analysis. In an industry that is still very young, this accreditation shows a step forward in the development of standards to judge the effectiveness of courses and certifications within the United States.

STUDENTS HELP SOLVE CYBERCRIME CASE

A group of Eastern European cybercriminals has been brought to justice with the aid of a Computer Forensics professor and a group of his students. Gary Warner, Professor at the University of Alabama in the United States, played a key role in what is now known as Operation Trident Breach, after pinpointing a Trojan that was being used to collect banking data from small and medium sized American companies. The data was then used to steal money that was transferred to “money mules” based in the US before being transferred to the main perpetrators. The scheme allowed the group of hackers to collect more than $70million before the FBI, in cooperation with other international agencies, finally located and prosecuted the individuals responsible. The FBI has acknowledged that Social Media was highly effective in helping to capture some of the Money Mules.

NEW HMRC CYBERCRIME TEAM TO TACKLE TAX FRAUD

Her Majesty’s Revenue and Customs (HMRC) in the UK has recently revealed new plans to create a team of forensic and security professionals that will proactively tackle tax fraud being carried out by organised groups of criminals. The National Cyber Security Program will fund the team, enabling the recruitment of experts, analysts and investigators who will protect the UK Exchequer from increasingly sophisticated methods aimed at its repayment systems. HMRC is also planning to deploy new technologies that will provide investigators with real-time intelligence of criminal activities. The team will play a key role in the defence of the UK economy where cyber criminals are constantly finding new and more sophisticated methods of obtaining data that would otherwise be unavailable to them. The UK Government continues to regard Cyber Security as a top priority and has recently put another £100,000 towards the budget for cyber security, on top of the £650million that has already been allocated to fight against cyber-attacks up until 2014.

/ FEATURE

LET ME IN
An outline of how incident responders can get into a locked system
by Glenn Edwards
/ ADVANCED

In the field of Incident Response (IR), time is of the essence and a locked system may cause an investigation to become delayed, or even worse, over. For the purpose of this paper, a locked system should be considered either a live or a dead system that requires authentication at the Operating System (OS) level. Over the years there have been a few tricks to get around this type of restraint; however, some methods are not maintained by the community, do not work because of system updates, or the responder is simply not aware of them.

The intent of this article is to inform the IR community of current techniques available to overcome these types of situations while also providing a brief technical overview of what each technique involves. Although this paper includes techniques that will also work on Macintosh and Linux platforms, the primary focus of this paper will be unlocking a Windows system. Windows is still the most dominant platform on the market and is what an incident responder is most likely to encounter.

/ Considerations
In order for the techniques outlined in this paper to work successfully, there are some considerations to be made and requirements to be met; these are:

1. Since some of the following techniques involve resetting a user’s password, any files the user had encrypted with the Windows Encrypting File System (EFS) will be lost. This should only be a concern if the original credentials/private EFS key(s) were not exported beforehand or if the technique used does not make a permanent system change.
2. Will you have physical access to the system?
3. Can you reboot the system?
4. Does the target system have Full Disk Encryption (FDE)?

For the second part of this paper, dealing with a live system, there are other limitations that need to be considered aside from the list stated above; these include:

5. Lack of a FireWire port on the target system;
6. Whether or not an expansion slot (PCIe, ExpressCard etc.) is accessible on the system (as an alternative for a missing FireWire port);
7. Whether or not the 1394 stack is disabled on the target system;
8. How much Random Access Memory (RAM) it has;
9. What OS and patch level the target system has.

/ Unlocking a Dead System
The system is not running, so why would you need to unlock it? We as incident responders cannot always fully prepare for an engagement, and sometimes we do not even have all of the necessary details. With that being the case, what if you need to boot up the target hard drive during or after an investigation? An example use case would be if you are investigating a check fraud case and you need to open the commercial application on the system that contains evidence in a proprietary format. You could boot it up using “LiveView” or put it in a spare desktop, but what happens if you are prompted with the Windows logon screen? Do you have credentials?

/ Kon-Boot
If you are able to reboot the target system and consideration #1 is not of concern, then Kon-Boot[1] should be the first tool you turn to. Kon-Boot is a tool that can be loaded onto a floppy disk, USB stick, or CD/DVD, and when the target system is physically booted from it, it will allow you to bypass the authentication at the OS level. While it was originally a project created for Linux systems, it has evolved to work on both 32 bit and 64 bit versions of Windows as well.

When the target system is booted from Kon-Boot, it first enters a pre-boot environment that then loads itself into memory and proceeds to hook into the BIOS. Here, it modifies the Windows kernel to not require a password at the Windows logon screen. Since this is all done in memory and prior to the OS loading, this technique does not alter the file system of the target system. If your patching is successful, you should be presented with a screen similar to Figure 1.

Figure 1. Kon-Boot boot-up screen



/ FEATURE

/ PASSWORDS
One of the ultimate decisions you need to make is whether or not you need the user’s password. To help in your decision tree, here are some key examples of when and why it is a good idea to do so:

• The target system has EFS
• The user’s password is used or believed to be used on other systems/accounts
• The user’s password is used or believed to be used for their hard drive, BIOS or FDE password
• The user’s password is used to encrypt other files such as ZIP/RAR/7zip archives, PGP/TrueCrypt containers or password safes like KeePass
• In order to correlate with other logs and prove the user’s credentials were the ones used to log into somewhere else (bank, email, ssh, ftp etc.)

/ Sticky Keys
Have you ever accidentally hit the Shift key 5 times and turned on the Sticky Keys feature?

Figure 2. Sticky Keys pop-up

Sticky Keys is an accessibility feature within Windows meant to aid users who are unable to hold down two or more keys at a time. This feature is enabled by default on Windows installations and is therefore highly reliable as another option.

By switching the Sticky Keys application with a command prompt on the system, we can take advantage of this feature and reset a local user’s password or create a new local user. There are two different ways this can be accomplished: via a Windows installation disk, or from a Linux Live CD/USB. If you choose to use a Windows installation disk:

1. Go to recovery console > command prompt
2. Create a copy of the Sticky Keys application
   > copy c:\Windows\system32\sethc.exe c:\Windows\system32\sethc.bak
3. Replace the Sticky Keys application with a copy of command prompt*
   > copy /y c:\Windows\system32\cmd.exe c:\Windows\system32\sethc.exe
   * If you are getting an ‘Access Denied’ error you need to change this file’s ownership and permissions
4. Restart the system and press the Shift key 5 times
5. A command prompt should now pop up and allow us to add a new user or reset an existing user’s password:
   • List the local users
     > net user
   • Reset an existing account’s password
     > net user <username> <new password>
   • Create a new account
     > net user /add <username> <password>
     > net localgroup administrators <username> /add
6. If this is not being done on a cloned copy/virtual image of the system then remember to revert the Sticky Keys application
   > copy c:\Windows\system32\sethc.bak c:\Windows\system32\sethc.exe

Figure 3. Sticky Keys replaced with Command Prompt

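From the examiner's side, the swap above leaves two artefacts on disk: sethc.exe becomes byte-identical to cmd.exe, and step 2 leaves sethc.bak behind. The check below is an added example, not code from the article; it assumes a System32 directory from a read-only mounted image and builds a constructed tree with placeholder file contents to run against.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sticky_keys(system32: Path) -> List[str]:
    """Inspect a Windows System32 directory (normally from a read-only mounted image)
    for the artefacts the sethc.exe swap leaves behind.
    Returns a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    sethc = system32 / "sethc.exe"
    cmd = system32 / "cmd.exe"
    if not sethc.is_file():
        findings.append("sethc.exe is missing from System32")
        return findings
    # Step 3 copies cmd.exe over sethc.exe, so the two files become byte-identical.
    if cmd.is_file() and sha256_file(sethc) == sha256_file(cmd):
        findings.append("sethc.exe is byte-identical to cmd.exe: Sticky Keys has been replaced")
    # Step 2 leaves a copy of the original binary behind unless step 6 was carried out.
    if (system32 / "sethc.bak").is_file():
        findings.append("sethc.bak present: backup copy left by the swap procedure")
    return findings


def demo(swapped: bool) -> List[str]:
    """Build a constructed System32 tree in a temporary directory and run the check.
    The file contents are placeholders, not real Windows binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "Windows" / "System32"
        system32.mkdir(parents=True)
        cmd_bytes = b"MZ-constructed-cmd.exe-placeholder"
        sethc_bytes = b"MZ-constructed-sethc.exe-placeholder"
        (system32 / "cmd.exe").write_bytes(cmd_bytes)
        if swapped:
            (system32 / "sethc.bak").write_bytes(sethc_bytes)  # step 2: copy
            (system32 / "sethc.exe").write_bytes(cmd_bytes)    # step 3: copy /y
        else:
            (system32 / "sethc.exe").write_bytes(sethc_bytes)
        return check_sticky_keys(system32)


if __name__ == "__main__":
    for finding in demo(swapped=True) or ["no Sticky Keys artefacts found"]:
        print(finding)
```

On a real image, compare the sethc.exe hash against a known-good copy from the same Windows build as well, since an attacker who also removed sethc.bak leaves only the identical-hash artefact.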


Figure 4. Ophcrack successfully cracking Windows hashes

/ Ophcrack
Ophcrack[2] is a free open source program that cracks both LAN Manager (LM) and NT LAN Manager (NTLM) hashed Windows passwords by using rainbow tables. A rainbow table is a pre-computed table consisting of all possible combinations from a predefined character set which utilizes a time-memory tradeoff for reversing hashing functions, such as LM and NTLM. There are still many environments where the weak LM hashing function is in use for backwards compatibility and because of this, Ophcrack may be a great solution for you to use if you are able to reboot the system and need to obtain a user’s password.

Ophcrack can be downloaded as a full installation as well as in the form of a LiveCD; the latter will suffice for the purposes we are focusing on. The LiveCD comes in two versions, XP and Vista/7, and both already contain some basic rainbow tables (other tables[3] are available for download). When you boot the target system from the Ophcrack LiveCD, Ophcrack will load the hashes from the SAM file located on the Windows partition and attempt to crack them. If successful, you will be presented with a screen similar to Figure 4.

Notice that the hashes for both of the users are the same, which means once you crack one, you crack both. If these hashes were utilizing a ‘salt’, both hashes would differ even though their passwords are identical, making it harder and more time consuming to crack identical passwords.

/ BackTrack
BackTrack[4] is a Linux-based penetration testing distribution which can be installed on your system or booted from a Live CD/USB. BackTrack has been around for years and is popular among security professionals because it incorporates several useful tools into a single distribution. A common way for an incident responder to utilize BackTrack is to crack the target system’s password hashes by booting the target system into BackTrack and using bkhive, samdump2 and John the Ripper (JTR) in the following way:

1. Mount the target system’s Windows partition (read-only)
   $ mkdir /mnt/<dir>
   $ mount -t <type> /dev/<partition> /mnt/<dir> -o ro
2. Extract the boot key from the system hive
   $ bkhive /mnt/<dir>/WINDOWS/system32/config/system ~/key.txt
3. Dump the hashes from the SAM hive
   $ samdump2 /mnt/<dir>/WINDOWS/system32/config/SAM ~/key.txt > ~/sam.txt
4. Change into JTR’s directory
   $ cd /pentest/password/john
5. Run JTR against the file containing the password hashes and if successful your output will be similar to:
   $ john ~/sam.txt
   Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
   T123 (admin:2)
   T123 (cert:2)
   MYSECRE (admin:1)
   MYSECRE (cert:1)
   …snipped…

/ Unlocking a Live System
There may come a time when you are presented with a locked system and are unable to shut it down because the volatile data is imperative to your investigation, it has Full Disk Encryption (FDE), or maybe it is a critical server. Whatever the reason may be, what would you do?

Most modern techniques for unlocking a live system rely on the IEEE 1394, or FireWire, interface. FireWire is a serial bus interface that allows for fast data transfer. The reason it is able to achieve this, and why we care about it for Incident Response, is because FireWire provides the ability to read/write directly to a system’s memory through Direct Memory Access (DMA). By doing so, we are able to bypass the system’s Central Processing Unit (CPU) and OS to circumvent any restrictions which would otherwise prohibit such ability.

/ CONSIDERATIONS
Having the ability and knowledge to unlock a live system may make you feel like a magician, but there are some considerations that need to be addressed prior to your investigation.

• When you first attempt to unlock a live system with Inception you should use the “-n” or no-write option. By doing so you will perform a dry run and see if you find the correct signature/offset to unlock the system without writing anything back to the target system.
• While similar methods have been around for years, the legality of actually performing incident response by utilizing FireWire’s DMA has not really been tested. The best thing to always follow is the practice of being ‘forensically sound’ and having someone else be able to reproduce the results you were able to find – which becomes questionable with this method.

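Returning to the password hashes: the Ophcrack screen above shows two accounts with identical hashes, and the John the Ripper output shows LM being cracked half by half (admin:1 and admin:2). The following is an added example, not code from the article: a pure-Python NT hash (MD4 of the UTF-16LE password), the LM pre-processing that produces halves such as MYSECRE and T123 (the DES step is omitted), a grouping of accounts that share an unsalted hash, and a salted PBKDF2 hash for contrast. The account names and passwords are constructed.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled by OpenSSL 3,
    so the digest is implemented here rather than imported."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                           # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """LM pre-processing only: upper-case, truncate to 14 bytes, NUL-pad, split in two.
    Each 7-byte half then keys a DES encryption of the constant "KGS!@#$%" (omitted here).
    The halves are independent, which is why a cracker reports them separately."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def shared_password_groups(nt_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose NT hashes are equal: with no salt, equal hash means equal password."""
    groups: Dict[str, List[str]] = {}
    for user, digest in nt_hashes.items():
        groups.setdefault(digest, []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Contrast case: a salted, iterated hash (PBKDF2-HMAC-SHA256). Two accounts with the
    same password get different digests, so one cracked hash says nothing about the other."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()


if __name__ == "__main__":
    # Constructed accounts: admin and cert share a password, as the article's Figure 4 shows.
    accounts = {"admin": "MySecret123", "cert": "MySecret123", "backup": "Winter2012"}
    nt = {user: nt_hash(pw) for user, pw in accounts.items()}
    for user, digest in nt.items():
        print(f"{user:8s} NT={digest} LM halves={lm_halves(accounts[user])}")
    print("accounts sharing a password:", shared_password_groups(nt))
    print("salted, same password twice:", salted_hash("MySecret123")[1], salted_hash("MySecret123")[1])
```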


/ FEATURE

/ Inception
While the concept of using FireWire to bypass the Windows Lock Screen has been discussed and presented since 2004, a recent release of a tool called Inception[5] (formerly known as FTWAutopwn[6]) provides a more stable and reliable means than previous tools, such as Winlockpwn. This is because it incorporates a new open source library called libforensic1394[7] which uses the new Juju FireWire stack and allows you to present a Serial Bus Protocol 2 (SBP-2) unit directory with original FireWire bus information from your machine to the target system.

Inception is actively maintained, which means its author is constantly adding new features, bug fixes, and more reliable unlocking techniques. This tool works great for Windows XP SP0-3 and Windows 7 x86 SP0-1; however, it may be hit or miss if you are trying it on Windows x64 systems at the time of writing this. This is because the method it uses relies on the signature it is patching being at a specific offset, and on 64 bit systems the offset address is less stable and more likely to change. If the signatures and offsets within the configuration file are not working for your scenario and you have some disassembly knowledge, you can load the specific msv1_0.dll version into a disassembler and determine the signature/offset combination that you need to add to Inception.

In Windows, the Dynamic Link Library (DLL) msv1_0.dll (located in %SYSTEMROOT%\System32\) is the Microsoft Authentication Package that is responsible for validating a user’s password. Within this DLL is a function called MsvpPasswordValidate that is responsible for performing a comparison between an entered password and the correct password. Inception patches this comparison to say that the correct password was entered regardless of what, or whether anything, was entered at all. Since this is all done in memory, the patching is not persistent and restarting the system will restore its normal authentication. In order to use Inception there are some files/packages which need to be downloaded and installed on your system, but to make things easier I wrote a simple bash script that can be found in Appendix I.

Once you have your system properly configured and DMA access to your target system, choose which target you want to unlock and if you are successful you will see a screen similar to Figure 5.

Figure 5. Windows 7 x86 SP1 unlocked from FTWAutopwn

/ Extend your arsenal
libforensic1394 also provides the ability to dump the memory of a live system.

Besides being able to unlock a live system on the fly, the libforensic1394 library also provides a means for live memory dumping. While there is not a formal script yet written for the public, the author of the library presented some insight into how to do this in his paper[11]. The only requirement missing is a little knowledge of Python and a target system to perform this on.

/ Automation
Instead of remembering what commands need to be entered, what files need to be downloaded and what packages are required, why not leverage the simplicity of Bash scripting and automate the process.

I wrote a setup script[8] for use with BackTrack v5; for use with other distributions some slight modifications might be required. Additionally, it was written for use with a non-persistent system (Live CD/USB) as well as a system with a persistent configuration. If you are going to run this script on a non-persistent system, Internet access is required unless the files/packages required are downloaded beforehand and stored on some other removable media, which would then have to be configured in the script as well.

/ Conclusion
The goal of this article was to inform you, the incident responder, of ways to unlock both a live and a dead system so that if you find yourself in either scenario, you will have the knowledge and ability to continue your investigation. It is equally important to know all of the available techniques that can be used in case one does not work or is not feasible due to other limitations. /

/ Author Bio
Glenn P. Edwards Jr. is a Senior Consultant with Foundstone’s Incident Response practice where he specializes in Incident Response, Digital Forensics and Malware Analysis. Glenn holds an M.S. degree in Digital Forensics from the University of Central Florida as well as a B.S. degree in Information Security and Privacy from High Point University.

/ ROBSERVATIONS

ROBSERVATIONS
Is Anti-Virus really dead?
by Rob Lee

A year ago, I decided to find out if anti-virus really is dead by creating a realistic attack scenario based upon the experiences of a group of instructors at SANS and some independent experts, who also reviewed and advised on the attack “script”. We created an incredibly rich and realistic scenario across multiple Windows-based systems in an enterprise environment. This scenario will be used for some examples in the new courseware that I am planning.

The purpose is to give students real file-system and memory images that they can examine in class to detect, identify, and forensicate APT-based activities across these systems. The aim is to give students who attend the course “real world” data to analyze. The goal is to create attack data to use in our courses at SANS so that our students could have a direct feel for what it is like to investigate advanced adversaries.

This past week, we ran through the exercise. I had a team of attackers mimic the actions of an advanced adversary similar to the APT. Having seen APT tactics first hand, I scripted the exercise but also wanted to create a realistic environment that would mimic many organizations’ home enterprise networks. Over the week, I learned some very valuable lessons by being able to observe the attack team first-hand. More in future articles, but the first question I had on my list was: “Is AV really dead?”

/ So, Is AV Really Dead?
Over the years, I knew that it can be circumvented, but it was not until I helped plan out and execute this exercise that I was exposed to the truth first hand. In many incidents over the years (including many APT ones), we and other IR teams have found that AV detected signs of intrusions, but they were often ignored. I expected at least some of those signs to exist this past week while running through the exercises we were creating. I had hoped differently, but after a week of exploiting a network using the same APT techniques that we have seen our adversaries use, I think it paints a very dark picture for how useful AV is in stopping advanced and capable adversaries. This isn’t an anti-AV or HIDS write-up, but something to give you to think about when it comes to what we are blindly looking for. I would never recommend someone go without it, but it is clear that in order to find and defend against advanced adversaries we need to do more than rely on AV.

To be honest, I actually had some hope for some of the enterprise level AV and HIDS products (in this case, McAfee Endpoint Protection) to catch some of the more basic techniques we used (as I wanted the artifact to be discovered by attendees), but AV proved easy to circumvent by my team. While I’m sure many of these products stop low-hanging fruit attacks, we found that we basically did whatever we wanted without our enterprise managed host-based AV and security suite sending up a flare.

/ What? Nothing?
What is bundled into this suite? Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management (McAfee Endpoint Protection). I also separately purchased their desktop host intrusion prevention piece, built that into McAfee EPO and deployed that across my environment as well.

The point is not to embarrass anyone; that isn’t the intent of the exercise. However, trying to create a realistic environment with enterprise tools deployed is. As a result, we knew we had to include real world implementations of some of the best tools money can buy. In the end, this isn’t about trying to shame anyone. It is about reporting, “What happened?” and “What did we notice?”

To help understand how this might have happened, many have asked for the details of the network and the attack.

/ The Windows Based Enterprise Network
• Full auditing turned on per recommended guidelines
• Users are restricted to only being a user
• Windows DC set up and configuration didn’t tighten down the network more than what is expected in real enterprise networks
• Systems installed and have real software on them that is used (Office, Adobe, Skype, Email, Dropbox, Firefox, Chrome)
• Fully patched (patches are automatically installed)
• Enterprise Incident Response agents (F-Response Enterprise)
• Enterprise AV and On-Scan capability (McAfee Endpoint Protection — Advanced Suite)
• Firewall only allowed inbound 25 and outbound 25, 80, 443.
• The “APT actors” have hit 4 of the systems in this enterprise network (Win2008R2 Domain Controller, Win7 64-bit, Win7 32-bit, WinXP).
• Users have been “using” this network for over a year prior to the attack. That way, it looks and feels real. These users have set up social media, email, Skype, etc. Each character user has a ‘backstory’ and a reason to be there working.



/ Bad habits we included and commonly see in most enterprise networks:
• Local Admin User (SRL-Helpdesk) found on each system with the same password
• A regular user with local admin rights on an XP machine.

/ Malware Used (non-public):
• C2 Beacon — Port 80 C2 channel encoded in XMLRPC traffic. Meterpreter backend. Malware detected by Microsoft Security Essentials due to payload, but not by McAfee’s products (I know -- odd!). The beacon would beacon every X seconds over port 80.
• C2 Channel — Custom Meterpreter-backed executable. Will connect out over port 80. It doesn’t have persistence or a beacon interval. Must be started to connect.

Figure 1. Spearphishing Attack Super Timeline

/ Malware Used (Public)
The evasion technique is pretty simple: wrap the executable into a python script (you can also use perl and Ruby), then insert it into a good executable or export to a new one.

• Poison Ivy — Straight export to Python Array. Pretty sad that it worked actually. This is where I had hoped to create some alerts that I would have had to suppress.
• Psexec — Not malware
• Radmin — No encoding needed. Is this backdoor OK?
• mimikatz — No encoding. Again, another location hoping to suppress some alerts so we could find them in the “system forensics” piece of the exercise.

/ APT Attack Phases
This exercise and challenge will be used to show real adversary traces in network captures, host systems, memory, hibernation/pagefiles etc. And through the week, none of the defences we had put in place mattered whatsoever. It was quite simple to evade any detection. Our APT “team” consisted of John Strand and Tim Tomes.

• Phase 1 — Spearphishing attack (with signed Java Applet attack — public) and malware C2 beacon installation (custom malware — encapsulated port 80 http traffic and POISON IVY)
• Phase 2 — Lateral movement to other systems, malware utilities download, install additional beacons, and obtain domain admin credentials
• Phase 3 — Search for intellectual property, profile network, dump email, dump enterprise hashes
• Phase 4 — Collect data to exfiltrate and copy to staging system. Rar up data using complex passphrase
• Phase 5 — Exfiltrate rar files from staging server, perform cleanup on staging server

In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images with Restore Points (XP) and VSS (Win7 and Win2008) for the machines.

/ Conclusion
We used a combination of custom crafted malware and well-known malware such as Poison Ivy, metasploit, and more. We used simple AV evasion to get around it and we NEVER turned it off.

RESULT = NOT A PEEP from AV!

Yes, it was installed correctly, as it did detect the un-armoured metasploit payload quickly and killed it (a test to make sure it DID in fact work, as I became worried it really didn’t work or was set up wrong). I would gladly let anyone from McAfee look at our setup to make sure we didn’t make a mistake, but I followed their guide to the letter and used recommended settings when installing the product. I also have found a lot of clients with incorrectly installed Enterprise products, so it is clearly possible I munged something up during the install. If we are wrong, then we are wrong and we can go back and run through it again after we apply their suggestions, as we have it snapshotted inside an ESX server. I was actually anticipating it would find at least ONE thing we did. Nothing was found.

If anyone needs just a little proof that you are using AV products to mainly defend against low skilled attackers, then there it is. I asked that the attack team use skills learned in most Penetration Testing courses. They didn’t use anything really advanced, which is one of the reasons many argue that even the “Advanced Persistence Threat” isn’t really that advanced. We also made many mistakes during the attack; however, even then nothing was found and nothing was automatically blocked. If this were a real compromise, we could have been on this network for months or years prior to anyone finding us. Just like in the real world. /



/ LEAD FEATURE

INVESTIGATING
DATA THEFT WITH
STOCHASTIC FORENSICS
A new approach to forensics lets you reconstruct activity, even if it leaves no artifacts.
By Jonathan Grier

/ ADVANCED

“You must find out if Roger walked off with our data.” This mandate, handed to me by my (very nervous) client, was all I had to work with as I walked into my office Monday morning. My client, a large company headquartered in Manhattan, was very concerned about Roger (not his real name), a high level employee who had recently been forced to leave the company. Days after Roger’s ousting, rumors began to circulate that, before leaving, he walked off with data which was potentially very, very damaging to them; damaging enough to put them into a fit of panic. My task was to find out if these rumors were true.

Insider data theft is much harder to forensically investigate than external penetrations. External penetrations leave the digital equivalent of broken windows, which all good forensics experts know how to identify. Insider data theft, however, often leaves no traces: the insider is authorized to use the data, routinely using it every day. Whether they’re stealing it or just using it to do their job, their access is, from the computer’s perspective, technically indistinguishable. Copying a file is a routine operation, forensically similar to simply reading it. Indeed, as I did my background research for this case, I saw that all experts had agreed: copying files on a standard Windows system leaves no artifacts [REF: Carvey]. I was faced with one question: Is forensics possible when no artifacts are left behind?

/ No Artifacts, Yes Forensics?!
Conventional wisdom tells us the thought of forensics without artifacts is absurd. Forensics works by reconstructing data from artifacts, and, if we have no artifacts, we have no forensics. However, faced with my client’s growing panic, I had no choice but to challenge this conventional wisdom. In doing so, I developed a method I call Stochastic Forensics, which let me crack this case.

A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way. Think of the molecules in a gas: we can’t predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas’s overall behavior. Physics underwent such a paradigm shift in the late 1800s, moving from the traditional Newtonian view of fully determined particles to a new paradigm, pioneered by Ludwig Boltzmann, of unpredictable individual particles from which predictable properties nonetheless emerge. Could digital forensics be in need of such a paradigm shift as well?

As these thoughts turned in my head, I thought of using access timestamps. Operating systems store the time of each file’s last access, updating it every time the file is opened. The timestamp is simply a date and time: it doesn’t tell you who opened it, why, or how. Individual timestamps consequently tell us very little; but perhaps, when taken as a whole and analyzed statistically, they may have quite a bit to tell us.

Figure 1. Project Aurora



/ Solve an Easier Problem
The mathematician George Polya used to advise: “When faced with a problem you can’t solve, there is an easier problem which you can: find it.” Taking Polya’s advice, I decided to first explore a simpler scenario:

Imagine watching someone using a computer. Over their shoulder, you can see they’re using a particular folder, but you can’t see what they’re doing with it. Now, they leave the room, and, as a forensic examiner, you’re asked to determine if they copied it or simply used it routinely. Where do you begin?

Look at the Project Aurora folder in Figure 1. Let’s imagine that the person you watched was an engineer, using this folder to do his work. He opened the top folder (Project Aurora) at 9:13AM, immediately opened the Engineering subfolder, then its Tests subfolder, and then finally opened the Vibration.xls spreadsheet. After looking at the spreadsheet for a few minutes, he opened the McarthySmith Word document at 9:17AM. Since this file was on Word’s list of recent files, he didn’t need to open any folders to get to it. Finally, after spending a few minutes looking at the Word document, he opened the Blueprint.dwg CAD file at 9:21. If you plotted the access timestamps of all those files and folders, you’d see what looks like a random pattern.

Now imagine that instead of doing all that, he instead copied the Project Aurora folder to a thumb drive. What pattern would you see? At 9:13, when he started the copy, Windows would open the Project Aurora folder to enumerate its contents. It would first find the Engineering subfolder, and so it would open that as well. Windows would proceed to drill down through the Engineering folder’s contents, opening and copying each file it finds. After spending a few seconds copying those files, Windows would return to the next subfolder of Project Aurora, and descend through it likewise. If you plotted those access timestamps, you’d see a very distinctive pattern, showing each folder and file being opened one after the next, in order, with no pauses in between.

This is an amazing point! While no single timestamp tells us anything of value, when we look at many of them, patterns emerge which identify copying. In fact, there are four such emergent properties. Routine access is selective: some files are opened and others ignored, whereas copying typically copies an entire folder, including all its contents. Routine access is temporally irregular, with activity occurring in spurts and breaks, whereas copying proceeds continuously until complete. Routine access is randomly ordered, whereas copying follows a strict recursive descent. Finally, routine access may open a file without opening its parent folder, whereas copying will always open a parent and then its children.

Copying vs. Routine Access Table

/ Works In Theory, Fails in Practice
Excited with this theoretical breakthrough, I dashed off to my lab to do some experiments. Surprisingly, none of these emergent properties of copying showed up! Remembering Yogi Berra’s quip “In theory there’s no difference between theory and practice. In practice, there is,” I set out to determine why copying didn’t behave as I expected.




After research and reverse engineering, I hit a breakthrough: copying a file in Windows doesn’t update its access timestamp at all! Unlike Unix platforms, where the copy command works in userspace by opening a file, reading its data, and writing it to a new one, Windows provides a CopyFile() system primitive. The CopyFile() primitive doesn’t involve a user level read, and hence doesn’t update the timestamp at all. Was all lost? Was my method just another nice theory of no practical value, at least as far as Windows is concerned?

Fortunately, more digging managed to save the day. Although Windows doesn’t update a file’s timestamp when copying it, it does update a folder’s timestamp. CopyFile() can only be used to copy a single file at a time. To copy an entire folder, the copy command must open the folder, enumerate its contents, and copy each one individually. Enumerating a folder’s contents is done via a standard read. I reran my experiments, this time only plotting folders’ timestamps and not files. Voila! The emergent patterns appeared precisely.

/ Experimenting with timestamps is tricky!
Modern operating systems are tuned for speed, using several tricks to speed up timestamp updates. For instance, they can cache a timestamp update in memory, writing it to disk later. If you examine the live system, it might report the value in memory, but if you pull the plug and image the disk, you’ll get the older timestamp. Experimenters should always do a full operating system shutdown and then pull timestamps directly from the disk. Also, systems vary in their timestamp precision: some systems may only be accurate to within 1 hour!

Figure 2. Histograms



/ Saved by Stochastic Forensics
So far, I was tackling an easy problem, where I had the luxury of examining the computer immediately after the alleged copying may have occurred. Now it was time to tackle the hard problem, where weeks and months had passed since the time of copying. Timestamps are notoriously ephemeral: only the single most recent access time is preserved. The data in my case was used heavily every day, and I could be sure that it had been accessed hundreds of times since the alleged copying. Each subsequent access would overwrite the previous timestamps. Would any patterns of timestamps still remain?

Putting on my thinking cap, I made two observations. First, when a timestamp is overwritten, it’s not changed arbitrarily. Barring system malfunction or tampering, a timestamp’s value can only increase, never decrease. If a file is opened on July 3rd, it will never have a timestamp less than July 3rd, no matter how many times it’s subsequently opened. The second observation I made is that activity on a file system is not distributed uniformly. A few files get most of the activity, while most files are hardly touched. Farmer and Venema, in their landmark book Forensic Discovery [REF: Farmer], report that the vast majority of files on a typical server haven’t been opened even once in the last year. This pattern, with a few items getting lots of activity and most items getting very little, is surprisingly ubiquitous: researchers have found it in wealth distribution, word usage, and book sales [REF: Newman]. It’s known as a heavy tailed distribution.

Using these two observations, let’s imagine examining the engineer’s computer once again. This time, however, a month has elapsed since they copied the Project Aurora folder. We’ll find that all of the copied subfolders have timestamps greater than or equal to the time of copying; none have a timestamp less than the time of copying. Moreover, if the folder in question is large, we’ll find a lot of subfolders that haven’t been opened at all since the time of copying. These subfolders will have timestamps equal to the time of copying.

That is, copying a large folder creates what I call a cutoff cluster: a point in time which no subfolder has an access timestamp less than (hence a cutoff), and many subfolders have an access timestamp equal to (hence a cluster). To test this, I returned to my lab and built a simulator of a filesystem. I ran it for 300 simulated days, opening files and folders randomly according to the heavy tailed pattern reported by Farmer, Venema, and others [REF: Vogels; REF: Mitzenmacher]. At the end of 300 days, I plotted a histogram of the access timestamps, and saw the exact heavy tailed shape predicted (see Figure 2). I then ran the simulator again, this time instructing it to copy the folder on day 200. After that, the simulator continued opening files for another 100 days. When I plotted the results, I saw a beautiful cutoff cluster on the date of copying, sticking out like a sore thumb.

I then plotted my client’s actual data, taken from several different folders. Most of the folders showed a standard heavy tailed distribution. My mouth dropped, however, when I plotted one particular folder and saw a giant cutoff cluster. This folder was the very one that Roger was suspected of stealing. Only one other folder showed a cutoff cluster on a different date: this subsequently turned out to be due to authorized copying.

/ Think Like Sherlock, Not Aristotle
It would have been a grave mistake for me to have wrapped things up at that point and exclaimed “Roger did it!” The cutoff cluster was startling, especially considering that the other folders didn’t have any. But it was by no means proof that Roger stole the data. Perhaps it wasn’t even caused by copying, but by backup software or even grep -r.

/ Identifying Cutoff Clusters
Standard tools like Sleuth Kit and EnCase can extract a list of access timestamps, but eyeballing that list won’t catch a cutoff cluster. Instead, I train examiners to use a method I call “Filter & Plot.”

Step 1
Select several parent folders you wish to examine. You should include several control folders in addition to the folders you suspect may have been copied. For each parent folder, create a list of the access timestamps of all its child folders and files.

Step 2
Split each of these lists into two sublists, one of folders and one of files. For reasons explained in the article, timestamps of folders and files need to be analyzed separately. This is especially important on Windows.

Step 3
Remove entries from each list that a typical copy operation might skip. This includes hidden and system files, files whose names begin with a dot character, NTFS alternate data streams, and files that the copying user didn’t have privileges to open. Be creative here, because every case requires different filtering.

Step 4
For each list, plot an access timestamp histogram. The x axis should show dates, and the y axis should show the number of files or folders with access timestamps on that date.

Step 5
Typical folders will have a standard heavy tailed shape. However, if you find a folder with a large spike at one point, with minimal values prior to the spike, you’ve found a cutoff cluster! Finding a cutoff cluster doesn’t prove data exfiltration, of course. You now need to look for other possible causes, compare the plots of control folders, and most of all, zero in your investigation on the date of the cluster.
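The Filter & Plot steps worked through in code, as an added example (not the author’s simulator or tooling): it builds a small heavy-tailed access simulation like the 300-day run described in the article, applies the Step 2 and 3 filters to constructed directory entries, draws the Step 4 histogram as text, and applies the Step 5 cutoff-cluster test to a control folder and to a folder copied on day 200. The entry fields, folder count, Zipf exponent and the 25% cluster threshold are assumptions of this example.

```python
"""Filter & Plot over a simulated file system. Added example, not the
author's simulator: entries, folder counts and thresholds are constructed."""
import random
from collections import Counter

# Constructed directory entries for a "Project Aurora"-style parent folder.
# "atime" is a day number rather than a real timestamp; ":" in a name marks
# an NTFS alternate data stream, which a copy operation typically skips.
SAMPLE_ENTRIES = [
    {"name": "Engineering", "is_dir": True, "hidden": False, "readable": True, "atime": 200},
    {"name": "Tests", "is_dir": True, "hidden": False, "readable": True, "atime": 200},
    {"name": "Vibration.xls", "is_dir": False, "hidden": False, "readable": True, "atime": 201},
    {"name": "Thumbs.db", "is_dir": False, "hidden": True, "readable": True, "atime": 3},
    {"name": ".svn", "is_dir": True, "hidden": False, "readable": True, "atime": 7},
    {"name": "Blueprint.dwg:Zone.Identifier", "is_dir": False, "hidden": False, "readable": True, "atime": 9},
    {"name": "Payroll", "is_dir": True, "hidden": False, "readable": False, "atime": 12},
]


def filter_entries(entries, folders_only):
    """Steps 2 and 3: keep one kind (folders or files) and drop what a typical
    copy would skip: hidden entries, dot-names, alternate data streams and
    entries the copying user could not open. Returns the access days."""
    days = []
    for e in entries:
        if e["is_dir"] != folders_only:
            continue
        if e["hidden"] or e["name"].startswith(".") or ":" in e["name"] or not e["readable"]:
            continue
        days.append(e["atime"])
    return days


def simulate_last_access(n_folders=500, n_days=300, copy_day=None,
                         accesses_per_day=20, zipf_s=1.2, warmup_days=30, seed=7):
    """Last-access day of each subfolder after n_days of routine use.
    Folder popularity is Zipf-like (a few folders get most of the opens), the
    heavy tail the article cites from Farmer and Venema. A recursive copy on
    copy_day opens every folder, so every last-access day jumps to copy_day;
    later routine opens can only move a day forward, never back."""
    rng = random.Random(seed)
    weights = [rank ** -zipf_s for rank in range(1, n_folders + 1)]
    # Constructed creation days spread over the warm-up period, so folders
    # that are never opened afterwards do not all share one birthday.
    last = [rng.randint(1, warmup_days) for _ in range(n_folders)]
    for day in range(warmup_days + 1, n_days + 1):
        if day == copy_day:
            last = [day] * n_folders
        for idx in rng.choices(range(n_folders), weights=weights, k=accesses_per_day):
            last[idx] = day
    return last


def plot_histogram(days, bin_days=10, width=40):
    """Step 4 as text: one row per bin of days, bar length scaled to the peak."""
    hist = Counter(d // bin_days * bin_days for d in days)
    peak = max(hist.values())
    rows = []
    for start in sorted(hist):
        bar = "#" * max(1, round(hist[start] * width / peak))
        rows.append(f"day {start:4d}-{start + bin_days - 1:<4d} {hist[start]:5d} {bar}")
    return rows


def find_cutoff_cluster(days, min_fraction=0.25):
    """Step 5: report the earliest access day (the cutoff) when it also holds
    at least min_fraction of all entries (the cluster); otherwise None."""
    if not days:
        return None
    hist = Counter(days)
    cutoff = min(hist)
    return cutoff if hist[cutoff] >= min_fraction * len(days) else None


if __name__ == "__main__":
    control = simulate_last_access()              # routine use only
    suspect = simulate_last_access(copy_day=200)  # recursive copy on day 200
    for label, run in (("control folder", control), ("suspect folder", suspect)):
        print(f"== {label}: cutoff cluster at day {find_cutoff_cluster(run)}")
        print("\n".join(plot_histogram(run)))
```

In the control run the earliest day holds only a handful of never-reopened folders, so no cluster is reported; in the copied run every folder was reset to day 200 and roughly half are never opened again in the following 100 days, which is the spike Step 5 looks for.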




/ Q&A
Does a cutoff cluster prove that someone stole data?
No. Before drawing any conclusions, you should:
1. Check other folders to see if they also have cutoff clusters. If they don’t, the cutoff cluster demands investigation.
2. Experiment with system software in use on the computer, like backup software, antivirus, search and indexing. Likewise, check if recursive Unix tools like grep are in use. Determine if these might be the cause.
3. Most importantly, thoroughly investigate the time of the cluster. Something very unusual happened then, and it’s your job to find out what.

I brainstormed other possible causes besides copying. Testing their backup software and antivirus, I found that running them didn’t update access timestamps. Neither did their search system. Grep would have, but there was no system with it installed, and no techies in the office who would know how to use it. Moreover, the cutoff cluster was very unusual, occurring in only one other large folder known to have been copied legitimately. Eventually I became confident that the cluster was indeed caused by copying. But who did it? And why?

It’s for times like this that I have a sign in my office: “Think like Sherlock Holmes, not Aristotle.” Digital forensics investigators are, after all is said and done, investigators, and it’s investigation that’s called for. The cutoff cluster gave me a precise point in time. I investigated that time, using both digital means and good ol’ fashioned legwork. Who was in the building then? What were they doing? One clue led to another, and, like an old suit, once I had grabbed hold of one thread, many others soon unraveled.

/ Forensics is... useless
Pablo Picasso once remarked: “Computers are useless. They can only give you answers.” As I continued investigating, I eventually assembled strong evidence pointing to Roger. Yet I knew that answers alone wouldn’t help my client. Although I had been hired to investigate data theft, what my client really needed was to neutralize it. And it’s here where a good attorney (which my client thankfully had) becomes an invaluable partner.

My client’s attorney confronted Roger. He presented Roger small bits of specific evidence about his activities, demonstrating our ability to reconstruct them forensically. Yet he made sure to not reveal everything, keeping Roger in the dark about how much we knew. Avoiding an outright confrontation, he simply made sure Roger was scared and confused. With Roger worried, the attorney made it clear that if the data disappeared, Roger would be okay, but if it ever surfaced, they’d come after him with everything they have. With that job done, my client and Roger were able to settle their grievances, and the stolen data was never heard from again. /

/ Forensics as a Deterrent
While we normally think of using forensics after the fact, I’ve had good results using it as a deterrent. When your employees know you can detect data theft, you can deter would-be thieves from even trying. A good deterrent requires teamwork between forensics professionals and human resources, legal, and managerial staff. Employees must be aware of the detection capability, and investigators must be alerted to the first signs of trouble. Surprisingly, it’s often the most effective way to solve tough security challenges.

REFERENCES
Carvey, Harlan. Windows Forensic Analysis DVD Toolkit. 2nd ed. Syngress Publishing; 2009. Carvey writes explicitly: “I’ve received a number of questions... asking about data exfiltration... there are no apparent artifacts of this process... Artifacts of a copy operation... are not recorded in the Registry, or within the file system, as far as I and others have been able to determine.”
Farmer, Dan; Venema, Wietse. Forensic Discovery. Addison Wesley Professional; 2004.
Mitzenmacher, Michael. A Brief History of Generative Models for Power Law and Lognormal Distributions. Internet Mathematics, Vol. 1, No. 2 (2004), pp. 226-251.
Newman, M. E. J. Power laws, Pareto distributions and Zipf’s law. Contemporary Physics, Vol. 46, Iss. 5, 2007. This is the best detailed introduction to heavy tailed distributions I know of.
Vogels, Werner. File system usage in Windows NT 4.0. In SOSP ’99: Proceedings of the seventeenth ACM symposium on Operating systems principles. New York, NY, USA: ACM; 1999.

/ Author Bio
Jonathan Grier has been an independent security consultant for over a decade. He has conducted forensic investigations, performed security audits, trained programmers in secure application development, and advised clients on data security. Jonathan has consulted for clients in health care, telecommunications, construction, and professional services, and taught classes sponsored by the US Department of Defense Cyber Crime Center. He has forensically investigated employee dishonesty, network break-ins, data theft and industrial espionage. An active researcher, Jonathan has developed new methods used in forensics and application security. The FBI, Microsoft Press, the Journal of Digital Investigation, Symantec, and the US Department of Defense have all featured his work. Jonathan can be reached at jdgrier@grierforensics.com.



/ FEATURE

WPS INSECURITIES
& FALSE PROPHETS
There has been a lot of conversation throughout the start of this year among the security community about what WPS is and how it has provided hackers worldwide with a simple and effective way to gain access to previously “secure” WiFi networks. Firstly we will be taking a closer look at the WPS technology itself, the protocols that make it up and what its fundamental issues mean for individuals and organisations alike. For those who are unfamiliar with WPS we begin with a brief introduction to the technology itself…
By Andy Swift

/ ADVANCED

WiFi Protected Set-up or WPS, as it is more commonly known, is a standard that was created in 2007 by the WiFi alliance. Their goal was simple: to provide secure and easy step-by-step router configuration for the average home user.

WiFi enabled routers are now of course rolled out by most ISPs as part of a standard Internet package; their popularity has effectively skyrocketed over the last few years to a point where WiFi enabled routers are now considered to be commonplace in the majority of households.

Unfortunately, beyond a basic understanding of such technology, the majority of home users are blissfully unaware (through no fault of their own) of the inner workings of a WiFi router, let alone how to configure it correctly and securely.

On many household routers the WPS feature leaves the factory enabled by default; it should be noted that to qualify for certification under the WiFi alliance, which in itself has become a major selling point for home WiFi routers, the feature must be present and enabled by default. It’s likely then that most home users will see WPS as an easy way to set their routers up in a secure fashion and also, in many cases, as a convenient way to quickly and securely add devices to their networks, usually via the touch of a button located on the front of the router.

It is interesting to read the original WPS specification from the WiFi alliance and to note in particular that security was never really the main goal of the project; what appears to have taken its place is a notable emphasis on providing a clean and user friendly experience for configuring a router.

Figure 1. Protocol Exchange

Figure 2. Protocol Exchange Key



/ WPS is a Good Idea!
So far, WPS would seem to be a great idea: an easy and effective way to configure and add devices to your home network that even the technically challenged would find a somewhat trivial task. However, one should note that when a system is created to simplify a complex task, "simple" is more often than not neither best practice nor secure.
Roll forward to December 2011 and a critical flaw was published regarding the way users authenticate to a WPS enabled WiFi router. The flaw was identified and reported by Stefan Viehböck, who noted that when using the WPS service a user only needs to enter the 8 digit PIN associated with the device (which is typically printed on the side of the router) to add devices to their network.
As many readers will already have noted, the implementation of this technology is somewhat baffling. For example, why are we encrypting everything on the network using proven and effective technologies such as WPA or WPA2 with (presumably) super secure pre-shared keys, when the network can in actual fact be accessed, and devices added, using a simple 8 digit PIN code?

/ WPS data
If you have a WPS router nearby you can indeed "sniff" the traffic using Wireshark and observe traffic patterns similar to those in the figure. If you don't have a WPS enabled router (that is yours!) nearby to play with, there is a handy example file on the Wireshark wiki that you can download and open:
http://wiki.wireshark.org/SampleCaptures

/ Getting Down to the Maths
For those readers interested in the maths, an 8 digit PIN code in this case can be represented by 10^7 or, to put it bluntly, 10,000,000 possible digit combinations; the security conscious, currently thinking that 8 digits could be cracked in a bearable amount of time given enough processing power, are in for a further treat.
As some of the better mathematicians among us may have spotted, there are 10^7 possibilities and not the 10^8 you might well expect given 8 digits. This is because the last of the 8 digits is not a random digit at all but a checksum digit used for checking the correctness of the 7 previous digits. That makes it the easiest digit to "predict": it is a function of the other seven, so an attacker brute forcing the PIN does not guess it but simply computes the correct checksum for each candidate, and can therefore assume it to be correct 100% of the time.

/ That's Bad & It Does Get Worse
Worrying though this is, Viehböck went further in his investigation, informing us that the registrar (as shown in Figure 1) actually submits the 8 digit PIN in two separate segments of 4 digits.
This of course means that there are only 10,000 possibilities for the first segment and, because one digit of the second segment is the checksum, only 1,000 for the second. The two halves are checked independently, so the totals add rather than multiply, giving a grand total of only 11,000 combinations to try in order to crack the PIN code.
So why was this simple error ever made and accepted by so many reputable manufacturers? Also, why are only 4 digits checked at any one time? The answer becomes apparent when observing the protocol in use in Figure 1. The key to understanding the protocol in Figure 1 is shown in Figure 2.
As we can see, at no point in the entire exchange is the complete 8 digit PIN checked. Starting at M4, the first half of the PIN is checked; if this fails at any stage because the PIN is incorrect, an EAP-NACK message is sent back to the client.
Theoretically, then, one would simply have to look out for the emergence of the EAP-NACK message and note where it occurs in the sequence to work out whether the first half of the PIN has been guessed successfully.

/ Practical Brute Forcing
Of course, various tools have predictably surfaced over the last few months to exploit this issue (such as Reaver, developed by Tactical Network Solutions in Maryland) that make short work of the WPS vulnerability by attempting every combination of the PIN in a brute force style attack, and most PINs can and undoubtedly will be cracked in around 2 to 4 hours using this rather crude but effective method.
Many suggestions have also been made by the security community that offline cracking may also be possible; by this I am talking about the practice of capturing wireless communications (in this case a WPS handshake) and recovering the PIN digits via brute force techniques offline, away from the original site. This method, while theoretically possible, could potentially be no more than a waste of time. To explain further, an attacker would have to wait for a legitimate WPS exchange to occur, and typically these are rare: by design, users of the "push button to connect" style feature that is WPS will only ever use it once and perhaps not again for any number of months, if at all.
In short, then, brute forcing the PIN code in a crude online way is by far the less time consuming method, and indeed the most efficient, and could take as little as a few minutes to gain access to a "secure" network; so, how hard can it be?
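The search-space arithmetic and the split M4/M6 check described above, modelled in Python as an added example; this is not code from the article and not Reaver's code. The checksum weights (3,1,3,1,3,1,3) are those of the Wi-Fi Simple Configuration PIN algorithm. The simulated access point, the cost of one second per protocol run and the lockout figures (60 seconds after every 10 failures) are assumptions made for this example, and the lockout estimate goes one step beyond the text to show what that fix actually buys.

```python
"""Why a WPS PIN costs at most 11,000 online guesses rather than 10,000,000.

Added illustration, not code from the article and not Reaver's code. The
checksum weights are those of the Wi-Fi Simple Configuration PIN algorithm;
the simulated access point, the per-run cost and the lockout parameters are
assumptions made for this example.
"""
from typing import Optional

CHECKSUM_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first7: int) -> int:
    """Return the 8th PIN digit implied by the first seven (0 <= first7 < 10**7)."""
    accum = 0
    for i, weight in enumerate(CHECKSUM_WEIGHTS):
        accum += weight * ((first7 // 10 ** (6 - i)) % 10)
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedAP:
    """Stand-in for the access point side of the exchange in Figure 1 (constructed, not a real AP).

    Like the real protocol it checks the first half of the PIN at M4 and the
    second half at M6, independently, answering EAP-NACK on a mismatch.
    """

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("simulated AP needs a PIN with a valid checksum")
        self.pin = pin
        self.runs = 0  # complete protocol runs, i.e. online guesses the AP has answered

    def try_pin(self, half1: str, half2: str) -> str:
        """One protocol run: the verdict the attacker sees."""
        self.runs += 1
        if half1 != self.pin[:4]:
            return "EAP-NACK after M4"   # first half wrong
        if half2 != self.pin[4:]:
            return "EAP-NACK after M6"   # first half right, second half wrong
        return "M7"                      # both halves accepted


def split_brute_force(ap: SimulatedAP) -> Optional[str]:
    """Recover the PIN by walking the two halves separately, as Reaver-style tools do."""
    half1 = None
    # Phase 1: at most 10,000 runs. Only the M4 verdict matters here, so the
    # second half sent along with each guess is a placeholder.
    for first in range(10_000):
        cand = f"{first:04d}"
        verdict = ap.try_pin(cand, "0000")
        if verdict == "M7":
            return cand + "0000"
        if verdict == "EAP-NACK after M6":
            half1 = cand
            break
    if half1 is None:
        return None
    # Phase 2: three free digits plus the computed checksum, at most 1,000 runs.
    for tail in range(1_000):
        cand2 = f"{tail:03d}{wps_checksum(int(half1) * 1_000 + tail)}"
        if ap.try_pin(half1, cand2) == "M7":
            return half1 + cand2
    return None


def naive_attempts(pin: str) -> int:
    """Guesses needed if the whole PIN were checked at once and all 10**7 valid PINs tried in order."""
    return int(pin[:7]) + 1


def estimate_seconds(runs: int, seconds_per_run: float = 1.0,
                     lockout_after: Optional[int] = None,
                     lockout_seconds: float = 60.0) -> float:
    """Wall-clock estimate for `runs` guesses against an AP that optionally locks WPS
    for lockout_seconds after every lockout_after failed runs. All figures are assumed."""
    total = runs * seconds_per_run
    if lockout_after:
        failed_runs = runs - 1                  # only the final run succeeds
        total += (failed_runs // lockout_after) * lockout_seconds
    return total


if __name__ == "__main__":
    for pin in ("12345670", "99999995"):
        ap = SimulatedAP(pin)
        found = split_brute_force(ap)
        print(f"{pin}: recovered {found} in {ap.runs} runs "
              f"(a whole-PIN check would need up to {naive_attempts(pin)}); "
              f"~{estimate_seconds(ap.runs):.0f}s, or ~{estimate_seconds(ap.runs, lockout_after=10):.0f}s "
              f"with a 60s lockout every 10 failures")
```

Run it as a script to see the two cases side by side: 12345670 (a valid PIN, since the checksum of 1234567 is 0) falls in 1,803 runs, and the worst case 99999995 in exactly 11,000, against the 10,000,000 a whole-PIN check would allow. The lockout estimate shows why the fix only delays the attack: a 60 second lockout every 10 failures turns roughly three hours into roughly a day, which is still well within an attacker's patience.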



/ FEATURE

This question can probably be answered with a brief tutorial:

1. Get yourself a copy of Backtrack, freely available from http://www.backtrack-linux.org/
2. Get yourself a WPS enabled WiFi router. I have used a Linksys WR54GS for this feature, but for a larger list of vulnerable routers check the following publicly maintained document: https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c#gid=0
3. Once you're all set up, boot up Backtrack and create a monitoring interface on your wireless card by using the following command:

# airmon-ng start wlan0

Of course, replace wlan0 with your wireless card name. You can verify this has worked by typing ifconfig and checking that you have a monitor mode interface called mon0 or similar.

4. Now that we have a monitoring interface with which to monitor wireless network traffic, we should be ready to run the following command and start the brute forcing process, where the "-b 00:01:02:03:04:05" part is to be replaced with the MAC address of your target wireless router:

# reaver -i mon0 -b 00:01:02:03:04:05

Once this process is started it is simply a matter of time; it could be minutes or hours before the correct PIN code is guessed in full.

So, what does this all mean to the unsuspecting home user? Put simply, any vaguely "secure" WiFi network (and by that I mean WPA or even WPA2) that has been configured with (or comes with) WPS will have unknowingly had the aforementioned secure encryption protocols rendered irrelevant, as the network can now be accessed by breaking a simple 8 digit PIN number.

/ EAP-NACK Response
So what's an EAP-NACK response? Put simply, in WPS terms it is the response packet sent back to any client that is requesting to join the network with an incorrect PIN code. After receiving this packet the client then has to start the communication sequence again.
The big issue is that EAP-NACK responses can be sent at two points within the standard communication sequence: firstly just after the M4 packet and secondly after the M6 packet. Armed with this information the following conclusions can be drawn:
If the attacker receives an EAP-NACK message after sending the M4 packet, it becomes obvious that the 1st half of the PIN was incorrect and the next guess should be sent.
If the attacker receives an EAP-NACK message after sending the M6 packet, then the 2nd half of the PIN can be seen as incorrect.

The key factor in all of this would appear to come down to one thing: simplification for the everyday user. And what's more, this is by no means the first (or, I dare say, the last) time this type of error will be made.
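The same M4/M6 EAP-NACK behaviour is also what an investigator or network defender can look for in a capture, since a brute force produces a long run of NACKs after M4 from one station, followed by NACKs after M6 once the first half of the PIN has been found. The following detection logic is an added example and is not code from the article. The capture lines are constructed: the router MAC is the one used in the reaver command above, the other MAC addresses are made up, and the "time,src,dst,msg" layout, the 60 second window and the threshold of three NACKs are assumptions for this example.

```python
"""Spotting a WPS PIN brute force from the EAP-NACK pattern.

Added illustration, not code from the article. SAMPLE_LOG is a constructed
text export (time in seconds, source MAC, destination MAC, WPS message) of
the kind one could produce from a Wireshark capture; the field layout and
the thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, str]

AP = "00:01:02:03:04:05"          # target router, as in the reaver command in the tutorial
ATTACKER = "aa:bb:cc:00:00:01"    # constructed attacker MAC
CLIENT = "11:22:33:44:55:66"      # constructed legitimate client that mistyped its PIN once

# Constructed capture: four first-half guesses rejected after M4, then the
# first half is accepted (M5 arrives) and two second-half guesses are rejected
# after M6. The legitimate client gets a single NACK much later.
SAMPLE_LOG = f"""\
0.0,{ATTACKER},{AP},M4
0.2,{AP},{ATTACKER},EAP-NACK
1.0,{ATTACKER},{AP},M4
1.2,{AP},{ATTACKER},EAP-NACK
2.0,{ATTACKER},{AP},M4
2.2,{AP},{ATTACKER},EAP-NACK
3.0,{ATTACKER},{AP},M4
3.2,{AP},{ATTACKER},EAP-NACK
4.0,{ATTACKER},{AP},M4
4.2,{AP},{ATTACKER},M5
4.4,{ATTACKER},{AP},M6
4.6,{AP},{ATTACKER},EAP-NACK
5.0,{ATTACKER},{AP},M4
5.2,{AP},{ATTACKER},M5
5.4,{ATTACKER},{AP},M6
5.6,{AP},{ATTACKER},EAP-NACK
120.0,{CLIENT},{AP},M4
120.2,{AP},{CLIENT},EAP-NACK
"""


def parse_log(text: str) -> List[Event]:
    """Parse 'time,src,dst,msg' lines into events."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        t, src, dst, msg = line.split(",")
        events.append((float(t), src, dst, msg))
    return events


def classify_nacks(events: List[Event]) -> Dict[str, List[Tuple[float, str]]]:
    """Attribute every EAP-NACK to the message its recipient sent last (M4 or M6)."""
    last_sent: Dict[str, str] = {}
    nacks: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for t, src, dst, msg in events:
        if msg == "EAP-NACK":
            nacks[dst].append((t, last_sent.get(dst, "?")))
        else:
            last_sent[src] = msg
    return nacks


def find_brute_force(events: List[Event], window: float = 60.0, threshold: int = 3) -> Dict[str, dict]:
    """Flag stations with more than `threshold` NACKs inside any `window`-second span.

    For each flagged station also report when its NACKs moved from M4 to M6,
    i.e. the moment the first half of the PIN was recovered.
    """
    findings: Dict[str, dict] = {}
    for sta, hits in classify_nacks(events).items():
        recent: deque = deque()
        peak = 0
        for t, _stage in hits:
            recent.append(t)
            while t - recent[0] > window:      # slide the window forward
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            first_half_at = next((t for t, stage in hits if stage == "M6"), None)
            findings[sta] = {
                "nacks": len(hits),
                "peak_in_window": peak,
                "first_half_recovered_at": first_half_at,
            }
    return findings


if __name__ == "__main__":
    for sta, info in find_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"{sta}: {info['nacks']} NACKs, {info['peak_in_window']} within 60s; "
              f"first half recovered at t={info['first_half_recovered_at']}s")
```

Against the constructed capture only the attacker is flagged, with the first half of the PIN dated to the first NACK that follows an M6 (t=4.6). The legitimate client's single mistyped PIN stays below the threshold, which is the distinction a lockout on the router should also be drawing.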
prophet in many respects, some may be tempted to argue
/ How Can We Fix It?
The flaws uncovered in the WPS protocol are quite illogical and there are a number of suggested fixes, some of which are entirely trivial; here are a few simple suggestions to get started:

• It has already been mentioned that at no point is the entire 8 digit PIN checked. If this were implemented after the M4 packet or thereabouts, the number of possible combinations for the PIN would increase dramatically (from 11,000 back to 10,000,000) and the attack would become far more time consuming.
• A sensible lockout should be implemented (it should be noted this has been introduced in a number of routers, but by no means the majority) where the attacker is locked out after 'x' attempts. Once again this will greatly delay (but not nullify) the attack.
• Disable WPS altogether. Abandoning this technology is a shame; after all, let's not forget the WiFi alliance set out with the best of intentions. However, good ideas do not always result in good implementations, as is the case here.

/ Conclusion
As the world we live in becomes more complex, and specialist technologies work their way into everyday life (WiFi, RFID banking cards, satellites etc.), there is a need for these technologies to become accessible and usable to all. Unfortunately there is one key word missing here, and that is "understood". As long as this key word is missing from the equation, technologies like WPS, or similar in principle to WPS, will crop up from time to time in an attempt to make our lives easier without helping us understand how they work or how they should be configured. A key fact to keep in mind is that when making complex things easier to use there will always be an element of risk involved, be it from the user or, as in this case, from the technology itself.
It would therefore seem that WPS is something of a false prophet in many respects. Some may be tempted to argue that users would in some ways be better off learning how to secure their WiFi networks for themselves, but understanding these technologies and how to configure them correctly takes time and considerable effort for a complete novice. Perhaps the core fact here is that technologies such as WPA/WPA2 are complex for a reason: they are hard to break, unlike a simple 8 digit PIN code. /

/ Author Bio
Having studied Forensic Computing at De Montfort University and undertaken subsequent training with the Tiger/Check schemes, Andy is currently working as a Penetration Tester with Convergent Network Solutions in London, providing security consultancy to a variety of high profile clients and specialising in Network Security, Website Applications and Social Engineering.



/ LETTERS

360°
Your chance to have your say…

Here at Digital Forensics Magazine we welcome feedback and are using email and social media to allow you to let us know your thoughts, along with providing interesting news stories or links to technical articles that will be useful to investigators. The following is just some of the activity from the social media facilities. Send your letters and feedback to:
360@digitalforensicsmagazine.com

/ LinkedIn, Twitter & DFM Blog
The membership of our LinkedIn group and the followers of @DFMag on Twitter continue to grow, as do the discussions and problem solving that are going on there. We are encouraging the posting of jobs and would like members to make use of the promotions facility.

Letters & Emails

Hi DFM, I'm just writing to enquire about CPE points for (ISC)2. On the 2nd February I renewed my annual subscription to DFM and included my CISSP number. I know it may take a few weeks for the points to show up, but I would have thought that they should have been there by now.
Craig Jones

Hello Craig, thanks for your email. When we received your note we realised that this was not the first time this subject had been raised and thought it was about time that we explained the process that we are required to run and what is required of those who are applying for the CPE points as a result of subscribing to Digital Forensics Magazine.
Digital Forensics Magazine is listed as an “(ISC)2 CPE Submitter” and as part of the submitter agreement we are required to submit the following so that the subscriber can be allocated their CPE points:

• (ISC)2 Member Identification Number
• Last Name
• First Name
• Number of CPE points claimed.

(ISC)2 CPE Points
Since the original agreement (ISC)2 have placed additional requirements on Digital Forensics Magazine and on those of its subscribers who wish to claim their CPE points.
(ISC)2 now requires its members to validate their learning experience in order for them to be awarded five (5) CPE hours for subscribing to (ISC)2-approved magazines such as Digital Forensics Magazine. Validation can be conducted either by providing a short quiz on the topics covered by the magazine or by the member writing a brief summary of not more than 150 words.
If the member takes and passes a quiz, we at Digital Forensics Magazine will submit five (5) CPE hours to (ISC)2 on the member's behalf. However, if the member writes the brief summary, he/she has to upload it to the (ISC)2 website and claim the CPE hours. Like any other CPE hours, members will be required to provide the necessary documentation or information regarding this particular CPE claim when audited.
In order to support this we will be creating a download section in the members only area of the website. There we will place the latest information from (ISC)2 along with notes on the process and the questionnaires that will be created for each issue.
I hope that this has clarified the situation not only for Craig but for all of you who are members of (ISC)2 and subscribe to Digital Forensics Magazine. We would encourage anyone who has any questions regarding the process to get in contact via 360 so that we can ensure the information we are providing is meeting the needs of subscribers.

If you think you can contribute in any way to the magazine or to any of the discussions taking place via social media, please make sure that you join the groups and follow us as appropriate.

Understanding the digital picture

Cell site analysis, Computer forensics, Audio visual, Questioned documents, Mobile phone forensics

MP3 players, mobile phones, laptops, Blackberries, SatNavs, printers, CCTV, digital cameras and more. These are the tools of a modern society, painting a digital picture of our everyday lives in images, emails and text. What can they tell us about someone's behaviour and movements? How can we combine and present this evidence to support reliable verdicts in criminal and civil proceedings?

As part of the UK's largest independent provider of forensics services, our digital and document investigators take a holistic approach that draws on a whole range of innovative and traditional methods to reveal high quality digital and documentary evidence that will stand up in court. Using the latest forensic techniques, we will work closely with you to establish the facts, applying years of forensics experience and understanding to uncover and follow all potential lines of inquiry.

For the complete picture visit www.digital.lgcforensics.com
LGC Forensics
Tel: +44 (0)844 2641 999
Email: d&df@lgcforensics.com
PLEASE QUOTE REF: DFM0410 IN ANY CONTACT

© LGC Limited, 2010. All rights reserved. 2456/OR/0210

/ LEGAL EDITORIAL

LEGAL EDITORIAL
Apple’s trademark kerfuffle with Proview intensifies…
by Scott C Zimmerman

In the previous issue of this illustrious magazine, the Legal News section included a titbit about a Chinese company called Proview International that was pursuing litigation against Apple Computer for alleged trademark infringement. At the time it seemed like an unusual twist on the sort of intellectual property suits taking place elsewhere in industry, but the story has become rather more complicated since then. To refresh the reader's memory:
“…Proview International sold what they described as the “global trademark” for IPAD to Apple in 2006. However, for reasons not entirely clear, the firm has claimed that the “global” portion of that description does not actually include China.”
More information has come to light recently, though one may argue for or against it providing much additional clarity. Part of the issue stems from the naming disparity between two countries: mainland China is properly called “the People's Republic of China”, or PRC. Taiwan, on the other hand, is properly called “the Republic of China”, or ROC. We shall not be discussing the friction this nomenclature continues to cause between the two countries, but it is a salient point for one specific reason: Proview International has offices in both China and Taiwan. Apparently the primary issue is that the Taiwan branch of Proview sold the “worldwide rights” to the IPAD trademark to Apple, and the China office of Proview is arguing that the Taiwan branch did not have the right to do so. As a result, Proview-China has claimed that the agreement inked between Apple and Proview-Taiwan is neither valid nor enforceable in China.
In their recent complaints, Proview-China has claimed that they own the rights to the product name “IPAD”, since they had created a product with that name in the year 2000. They further claimed that Apple should be barred from selling the new iPad 3s in China until the trademark issues were resolved. Naturally this set a rather contentious tone for future talks: Apple is keen to sell a great many iPad 3s in China, and a blanket restriction on them doing so would put a noticeable crimp in their China operations. In this observer's opinion, it appears that Proview-China believes they have Apple over the proverbial barrel and will be able to extract money from them as a result.
I was careful in the last sentence to use ‘extract’ rather than ‘extort’, but one might make a case either way. It seems a bit telling that Proview-China waited until the imminent release of the iPad 3 to make this particular set of statements. The Shenzhen (Guangdong Province) branch of Proview sent an open letter to a variety of resellers, encouraging them to stop selling Apple products. Specifically, the letter said “Anybody who continues to [sell Apple kit] will be seen as intentionally infringing rights and the company will adopt the most severe measures by taking legal action”. Well, there you go.
The situation is unlikely to improve in the near future. In February 2012, Proview-China and Proview-Taiwan filed a joint suit in Santa Clara, California against Apple, this time alleging that Apple had created a shadow company simply and solely for the purpose of buying the IPAD trademark. This alleged company was called “IP Application Development”: by naming the company thus, it appears the goal was to present an easily explainable reason why another firm would want to buy the rights to the name of a long-defunct product. The Proviews, however, allege that the purported buyers did so “with the intent to defraud and induce the plaintiffs to enter into the agreement”. This appears to mean “If we had known Apple were behind it, we would have held out for more money”.
While I am completely in favour of trademark owners legitimately defending their intellectual property, the Proview-China litigation efforts seem to be only a cash grab by a company in grave health.
I hope you enjoy the Legal Section and I would love to hear your thoughts and comments via 360. /



/ LEGAL FEATURE

CHINA'S LAWS
An overview of China’s evidentiary requirements.
by Scott Zimmerman

/ INTERMEDIATE

Astute readers of DFM may already have noticed the overall global feel to issue 11; this is no accident. While we have covered UK and US law in past issues of the magazine, the fact remains that, not surprisingly, the laws in those two countries are rather more similar than they are different. The two systems' shared heritage is the basis for the similarities, rather like the similarities between domesticated dogs and wolves. However, the time has come to look at a legal system that is not deeply rooted in English Common Law: we're going to take a look at evidentiary requirements under the legal system in the People's Republic of China, or PRC.

/ CIVIL PROCEDURE LAW IN THE PEOPLE'S REPUBLIC OF CHINA
Since this publication is devoted to coverage of digital forensics, one of the chief areas of concern vis-à-vis law is the rules that govern the acquisition, handling, admission, and verification of evidence. In the PRC, the matter of evidence is described in a document titled “General Principles of the Civil Law of the People's Republic of China”; it is available in full at http://shhsfy.gov.cn, which is the web site of the Shanghai International Platform for Maritime Legal Information. (The articles quoted below are those of the chapter on evidence in the PRC's Civil Procedure Law.) Oddly enough the entire document is only twenty-four pages long, fairly short for a description of a system of civil procedure; however, we will be focusing only on Chapter 6 – Evidence. The document is broken down into individual articles that describe particular concepts. The numbering system isn't tied to the chapter boundaries, so Chapter 6 does not start on e.g. Article 60.

Article 63 Evidence shall be classified as follows:

1. documentary evidence;
2. physical evidence;
3. audio and visual material;
4. testimony of witnesses;
5. statements of involving parties;
6. conclusions of expert witnesses; and
7. transcripts of inspection and examination.

Any of the above-mentioned evidence must be verified before it can be taken as a basis for finding a fact.

It is clear that the list is designed to include all manner of evidence, from the traditional eyewitness report to business records to items seized or recovered at a crime scene. Unlike the UK and US counterparts, there is no specific calling out of computer evidence. However, one might make the case that such evidence could fall into one or more categories, such as “documentary evidence” for a recovered financial spreadsheet or “conclusions of expert witnesses” where a forensic examiner documented his or her process for recovering deleted files and the results thereof. In this way, the categories can cover a broad range of topics without going into excessive detail.

Article 64 A party shall have the responsibility to provide evidence in support of its own propositions. For the evidence that cannot be obtained by any parties or their litigation representatives because of some realistic reasons or for the evidence that the people's court considers necessary for adjudicating the case, the people's court shall investigate and collect such evidence.

As in other legal systems, those wishing to bring a particular case must have evidence to hand to bolster the claim(s) that they wish to make. The second part of the article seems to indicate that if a party cannot bring evidence due to a “realistic” reason, the government, i.e. the People's Court, reserves the option to perform its own investigation and gather the evidence it feels is necessary to be able to make an informed and correct decision. An example of this might be an individual who does not wish to deliver any sort of testimony or other sort of information as part of the proceedings. In this case, the government may be able to compel the individual to provide a statement, to hand over evidence, or to perform some other action which will permit the work of the Court to proceed unimpeded.
If Article 64 were not plain enough, Article 65 makes the point very clearly indeed:

Article 65 The people's court shall have the authority to obtain evidence from any relevant units or individuals, and such units or individuals may not refuse to provide evidence. The people's court shall verify and determine the validity of documentary evidence provided by relevant units or individuals.

The second portion of Article 65 is quite interesting: if the Court takes the matter upon itself to collect and make use of documentary evidence, the Court itself will be responsible for verifying the validity – here, meaning the usefulness and relevance to the court proceedings – of such evidence. One can also reasonably expect that the validation will extend to establishing and verifying the provenance of such items as well.



It is important to note that only documentary evidence is addressed in Article 65. If the reader refers to Article 63, he will be reminded that there are several other types of evidence that are not included, e.g. physical evidence. It is in these cases that the individuals, be they police officers, expert witnesses, or transcribers, are responsible for attesting to the veracity and relevance of the evidence they provide. Only when the Court gathers its own evidence will it be responsible for the validation.

Article 66 Evidence shall be presented in the court and cross-examined by parties, however, evidence that involves state secrets, trade secrets, or individual privacy shall not be presented in an open court session.

This line item is similar to those in the statutes of the US and the UK. Cross-examination and questioning is permitted and generally expected of and from both sides. Matters that may be considered classified (e.g. Top Secret) in a particular jurisdiction may be handled somewhat differently. An example here would be holding the court's proceedings in a secured area that is accredited for the storage of such information, while ensuring the individuals involved are cleared to view such information; this will prevent the need to reveal state secrets in court.
The “trade secrets” clause is interesting, since there are currently so many intellectual property-related actions underway around the world. From the wording one may infer that the trade secrets would not be exposed in open court unless the detail of such information formed the basis of the case at hand; and then, the inclusion of such information would likely be kept to the minimum required to establish, refute, and/or evaluate the validity of the claims being brought.
We shall skip Article 67, which indicates that documents that are notarized according to the correct procedure will be accepted by the court, and will instead move to Article 68.



Article 68 Any document submitted as evidence shall be the original one. Physical evidence shall also be original. If it is truly difficult to present the original document or physical evidence, then duplications, photographs, copies, or extracts of the original evidence may be admitted.

Any digital forensics examiners in the audience may be scratching their heads at the first sentence in this article. Fear not; please do continue to parse the item and pay particular attention to the “truly difficult” clause. In the realm of computer forensics, an examiner may make a very compelling case that presenting the original evidence would be “truly difficult”, and the bar would then have been met for the submission of duplicates, photos, or other copies. Incidentally, this item bears a striking resemblance to Rule 1003 (Admissibility of Duplicates) of the US Federal Rules of Evidence.
However, Article 68 goes on to state the following:

If a document in a foreign language is submitted as evidence, a Chinese translation shall be appended.

This may prove to be a rather weighty requirement. So much of the content of a given document, e.g. a contract, may depend on particularly nuanced words, and such detail may be quite literally lost in translation. However, the wording of this item seems to leave the door open for expert witnesses on both sides to examine the originals as well as the translations, and then come to an agreement on content. It is possibly a bit telling that the global nature of incidents and investigations is more apparent in China than it is in either the UK or the US: neither of the Anglocentric statutes calls out translations as explicitly as the PRC statutes do.
The next few rules are straightforward and will not benefit significantly from additional exposition, so let us move on to Article 73.

Article 73 When inspecting or examining physical evidence on site, the inspector must show his credentials issued by a people's court. The inspector and examiner shall prepare a written record for the circumstances and results of the inspection or examination. The inspector, examiner, the party concerned and the invited participants shall affix their signatures or seals to the record.

Article 73 seems to indicate that search and seizure of physical items at a “site”, presumably a crime scene, must be conducted by a qualified individual who has already been accredited by the Chinese government. This is in noticeable contrast to the US and UK rules of evidence, which state that evidence must be handled appropriately, must be documented, and so forth, but do not state that the individual handling the evidence must be authorized by the government to do so. One might reasonably infer that this is a cultural difference, or one might also infer that the PRC statute [as written] assumes the individual collecting the evidence would be a police officer or similar.
Those reading this article may have noticed the conspicuous lack of a certain topic thus far: the handling of evidence itself, and by extension the protection of the integrity of said evidence. Fortunately there is one more item for us to cover.

Article 74 Under circumstances where there is a likelihood that evidence may be destroyed, lost or too difficult to obtain later on, any litigation participants may apply to the people's court for the preservation of the evidence. The people's court may also take initiative to preserve such evidence.

It will probably be clear to many readers that this article is very light on details. There are no prescriptive directions, only a very broad and descriptive bit of guidance. However, even this rather vague wording can be applied effectively to the process of digital forensics.
Many, if not all, of the evidentiary requirements developed under English Common Law systems deal more precisely with the collection, handling, and maintenance of evidence to ensure its integrity is unimpeachable. The reason for this is obvious: if the evidence cannot be shown to be exactly as it was when it was collected, and if it cannot be shown to have been collected properly, then the evidence, no matter how useful it potentially might be to a case, will be of greatly diminished import during court proceedings. Worse still, the evidence may not be admissible at all in such an event. The PRC statute we see here basically says that if there is a good chance the evidence could be damaged, lost, or stolen between collection and trial, it can be handed over to the People's Court for safekeeping. In other words, both parties can transfer their evidence to the court, and the court will assume responsibility for maintaining the integrity of the evidence. In a computer forensics case, the court would need to ensure that the hard drives and other media were stored appropriately, that they were not used or powered up, etc. The court also reserves the option, as it might do during a high-profile case, to order the evidence transferred from both parties into the Court's care.

/ CONCLUSION
Readers who recall the descriptions of the US and UK evidentiary rules in previous DFM issues will likely be somewhat surprised by the approach taken by the PRC. It is important to note that the statute covered here was ratified on 01 January 1987; ages ago in the technology world. Your author spoke at a digital evidence conference in 2009, and there was a group from the PRC in attendance. If memory serves, there was an effort underway at the time to translate a much newer version of China's rules of evidence into English, but it is not clear whether this was ever published. If and when it becomes available, you may be able to read about it here. /

/ Author Bio
Scott C. Zimmerman, CISSP has been an Information Security consultant, presenter, and trusted advisor since 1995. He has been researching legal issues in computer forensics part-time for nearly ten years, and is working to bridge the gap between law and technology in this area.



VENDOR INDEPENDENCE: the difference
ASSESSMENT | GUIDANCE | MANAGEMENT
CALL +44 (0)1274 736223 TODAY
www.ecsc.co.uk


/ LEGAL NEWS ALERT

Apple settles with iPhone 4 customers over antenna issues
When the iPhone 4 was released, quite a few customers noticed immediately that call quality and functionality depended greatly on how the user gripped the device. Holding the phone one way resulted in normal service; holding it a different way resulted in poor performance. This behaviour was traced to the layout of the internal antennas installed in the iPhone: when the user held the case a certain way, the internal antennas could come into contact with one another – i.e. become “bridged” – which greatly reduced the wireless performance.
Apple’s first response to the slew of customer calls was to say, essentially, “You’re holding it wrong”. As one might expect, this was not the answer the callers wanted to hear, and Apple took an unusually strong public relations hit. To make up for the incorrect answer to the questions, Apple agreed to provide iPhone 4 owners with gratis protective Bumper cases; these cases would prevent the user from accidentally bridging the antennas.
Now Apple have agreed to another form of recompense: users who did not accept the Bumper case will be eligible for a $15US settlement as a result of a class action suit brought against the firm. Users who wish to become part of the settlement group can go to https://www.iphone4settlement.com for more information. Please note that Apple does not operate the web site, though it does contain some links to Apple offerings (e.g. technical support). Conversely, users who would prefer to receive the Bumper case may still do so.

/ Yahoo! Sues Facebook for copyright infringement
In March of 2012, Yahoo! brought a copyright infringement suit against Facebook, alleging that operators of the social networking site had committed ten different infractions in the area of “methods and systems for advertising on the Web”. The suit was filed in the Federal court in San Jose, California (near Silicon Valley). According to the allegations, Facebook had not been receiving good financial results from their advertising efforts; the suit further alleges that Facebook appropriated Yahoo! advertising methods without licence or recompense, and that they [Facebook] are now making money through advertising by improperly using Yahoo!’s intellectual property.

/ Warner Brothers vs Hotfile vs the Electronic Frontier Foundation
In 2011, Warner Brothers Entertainment sued Anton Titov, owner and operator of the file-sharing site called Hotfile, for copyright infringement for making Warner Brothers material available for download; the entertainment firm insisted that all copyrighted material be removed from Hotfile’s systems. Mr. Titov then countersued Warner Brothers for requesting takedown of materials for which Warner Brothers did not own the copyright. Under the Digital Millennium Copyright Act (DMCA), copyright holders may only request that actions be taken against their own property; in other words, for example, Sony Music would not be permitted to request action regarding the property of the Miramax movie studio since they (Sony) do not hold copyright on that material.
The Electronic Frontier Foundation (EFF) filed an “amicus curiae” brief with the United States District Court in Miami, Florida to lend its support to Mr. Titov. An amicus curiae, or simply amicus brief, as they are often called, allows a party not actively involved in a given legal action to express its opinion and to provide support to the party with which it is in agreement. Amicus curiae is generally translated as “friend of the court”; one might liken the idea to that of a character witness.
In their brief, the EFF stated that they objected to the process that Warner Brothers used to identify alleged copyright infringement. They indicated that Warner Brothers used a completely automated process that checked only the file names when attempting to identify the content; the EFF points out that the process apparently had no human oversight, and as a result the findings were wildly inaccurate. In the words of the EFF: “Warner claims that these were simple “mistakes,” and that it cannot be held accountable for its misrepresentations because, in essence, its system design does not allow for a deliberate lie. Warner gets it exactly backwards: the problem is that it does not appear that its system could have provided a sufficient basis for Warner to form the requisite good faith belief.”

/ MEET THE PROFESSIONALS

MEET THE DF PROFESSIONALS
Jim Swauger
Interviewer: Roy Isbell

I was intrigued by the article submission we received regarding Chip Off Forensics and wanted to find out more about the person who was actively doing this work. So I decided to interview the author and to find out some more about Jim Swauger and his work.

/ Interviewee Bio
Jim currently lives in Lebanon, Ohio, a small, historic town central to the metropolises of Columbus, Cincinnati and Dayton, Ohio, with his wife and son. He is an avid sports fan and outdoorsman, and enjoys cheering his alma mater, the University of Cincinnati Bearcats, at both football and basketball games. Cooking and reading are a personal retreat, which is unfortunately declining as the world of digital forensics continues to creep into that time!

/ Professional Background
Jim started in the digital forensics field back in 1997 working for the Ohio Attorney General’s office with the Ohio Bureau of Criminal Investigation Computer Crimes Unit. While there, he assisted local, state, and federal law enforcement agencies with the investigation and prosecution of felony cases involving advanced technologies. After 8+ years of public sector work, he spent 3 years as the lead technical security investigator for a top-10 U.S. financial institution. Deciding to embrace his entrepreneurial side, Jim began his current position full-time as a partner with Binary Intelligence, LLC. To quote Jim: “The sum of my experience to date has allowed me to gain a great deal of experience and knowledge in both the public and private sectors, which has been vital in my current role”. With Binary Intelligence, Jim provides both consultation and expert witness services related to digital forensics, high-tech investigations and electronic discovery. He has worked with a diverse client base that includes individuals, attorneys, HR professionals and Fortune 500 companies.
Over the course of his career Jim has acquired several certifications including Computer Forensics Certified Examiner (CFCE); CISSP; Digital Forensics Certified Practitioner (DFCP); EnCase Certified Examiner (EnCE). Jim is also a licensed professional investigator in the State of Ohio.

What got you into the world of Digital Forensics?
I grew up in the 80s during the personal computer renaissance age and, thanks to a Commodore 64, really developed a strong interest in computer technology. That interest, coupled with the fact that I come from a family of law enforcement officers, led me to seek a career involving both the justice system and computers. Shortly after graduating from college, the Ohio Attorney General established one of the first U.S. state computer crime units. Although computer forensic degrees did not yet exist back then, I was fortunate to have the right mix of education, aptitude and luck of being in the “right place at the right time” which allowed me to start my career in digital forensics as an original hire to this new unit. Since then, my interest and excitement for the profession has only grown stronger as technology evolves.

What is the size of your company and what aspects of digital forensics are you investigating?
We are currently very small with two partners and three associates who contribute to our cases. Although we have been in business since 2000, most of our growth has occurred during the last three years as we have seen a significant increase in requests involving cellular phones and other mobile devices. So far this year, we are seeing a pretty even split between computers and mobile devices/cellular phones. We work all types of cases including civil and criminal engagements, employment investigations and private or domestic matters.

How did you get into the field of Chip Off Forensics?
Several years of frustration, disappointment and aggravation of not being able to extract deleted data from many cell phone models started me down the chip-off path. I was exasperated with commercial tools, flasher boxes and service software utilities; in most cases the recovered data was very limited and, even when successful, I found the methods to be convoluted and inconsistent. In 2009 while working a civil case I became particularly disturbed after I accidentally “bricked” a client phone as I was trying to download the flash data with a service utility. That situation motivated me to really begin thinking about chip-offs as a potential panacea that might allow for the consistent extraction of almost any device. I started researching tools and techniques but really couldn’t find any material of note regarding chip-offs. Things did not progress much past the initial exploration stage until several months later when I received a call from a prosecutor who needed to extract text messages from a physically broken cell phone. The phone could not be repaired and, given the importance of the data,

I did not want to simply give up. So, I decided to go ahead and purchase some basic tools and experiment on a bunch of like-model phones purchased from eBay. Even though I never got a perfect full read of all of the flash memory from that particular phone, I was able to read a large percentage of the data and recover hundreds of text messages that were critical to the case. My work on that case is what really convinced me that chip-offs were something I wanted to become more aggressively involved in.

How did you research Chip Off Forensics and what problems did you encounter?
Initially, I set up a makeshift basement lab and spent many nights removing chips and trying to read them using a universal programmer. I had some basic electronic skills and was comfortable with a soldering iron but it didn’t take long to figure out that cleanly pulling BGA chips was going to take more expensive equipment, plenty of patience and lots of practice. Many of the first chips I worked on were damaged during removal; some had obvious damage such as the pads coming off the chips whereas others appeared fine but had internal problems. I also found out that the chips needed to be re-balled before the programmer could make a reliable connection.
Re-balling was something that I struggled with for some time until I eventually met and started working with a rework technician. Things really began to take off once I had access to the proper equipment and a skilled technician to partner with. Together we spent many days over many months testing various techniques to reliably remove and clean the chips. We are still constantly refining techniques, and I consider every case an opportunity to further research analysis methods. Right now we are focusing our testing on different Blackberry models and are really encouraged by the amount of deleted data we are recovering.

How widespread do you think this aspect of Digital Forensics is globally?
Currently, I think it is rather limited. If you search the Internet you’ll find that there are only a handful of commercial labs that actually advertise chip-off services. I know there are a few government and law enforcement labs that perform chip-offs but they are generally not widely publicized. However, I do believe that the level of awareness about chip-offs and their potential is increasing.

What do you see as the future for this work/research?
I see lots of opportunity for training and tools. In addition to the actual chip extraction process, there is a definite need for resources to support the actual data analysis. I think we will see training focusing on how flash memory works, particulars of various device file systems and interpretation of the many operating system and application data structures. I also think forensic tool vendors will increase R&D in the area of flash memory analysis so, whether the data is acquired by chip-off or other means, investigators will have access to more examination tools.

What do you see as some of the challenges facing digital forensics in the future?
Generally speaking, for all types of devices and storage media, I anticipate increased use of effective encryption and data sanitization technologies. I also think more and more stored data will be pushed out into the cloud where it can be difficult to obtain access to.

How do you think we can overcome some of these challenges?
Hopefully some of the more brilliant researchers will be able to continue to identify implementation weaknesses that will overcome some of the encryption challenges. I’m not sure what the answer is in regards to getting access to data stored in the cloud, but it seems providers are increasingly reluctant to produce data. Perhaps not so much in response to law enforcement but, in the civil arena, we have found that many providers refuse to produce records when served with a civil court order. I suspect this issue will need to be resolved with litigation or legislation.

Do you think that Chip Off Forensics will become mainstream or remain a specialist field?
A little of both. I believe that as word spreads about successful chip-off cases and, as we run into more devices using flash memory, more forensic investigators will recognize that chip-offs are a feasible option when other methods fall short. In this regard I see the practice becoming mainstream with investigators increasingly seeking out the assistance of chip-off specialists to help extract the raw data. I do not see a rush of labs looking to bring chip-off capabilities in-house; at least not in the near future. Given the small percentage of cases where a chip-off is warranted, many labs would not process enough devices to get a reasonable return on investment. I believe we will eventually see several specialized government and commercial labs performing the basic chip-off extraction services in which they handle the chip removal, read the chip and then provide the raw data back to the submitting agency for analysis. /

My thanks to Jim for his time. If you would like to find out more about Chip-Off Forensics you can go to the website at http://www.binaryintel.com

/ FEATURE

CHINESE CELL PHONES & DIGITAL FORENSICS
In this article, we explain why investigators need to understand the macro trends in the cell phone industry driving the incorporation of more Chinese chipsets in phones and the challenges that they present to examiners. We also lift the lid on Tarantula, a new analysis system developed to analyze problematic Chinese “white box” cell phones and, increasingly, the legitimate branded phones based on Chinese chipsets.
by Kevin J North

/ INTERMEDIATE

Hercules had to defeat a hydra as one of his 12 labours. It was a monster with 9 heads, and if Hercules smashed one head, two more would take its place. For mobile forensic investigators, Hercules’ hydra takes the form of Chinese cell phones. More specifically, knock-off phones, known internationally as “white-box” or “clone-phones” and as “Shanzhai” (pirated goods) in China, have taken world markets by storm. In 2011, over 800 million cellular mobile devices in close to 40,000 models were manufactured in China. Approximately half of those were exported to world markets, comprising more than 30% of the global cell phone market.

/ Simple Beginnings
Chinese cell phones came into existence as a result of China’s unparalleled manufacturing base, fuelled by abundant, low-cost labour, a flood of international investment, a robust supply chain, and the world’s largest market. In southern China, manufacturing plants dominate the landscape and the city of Shenzhen is the epicentre of the cell phone industry. More specifically, Shenzhen’s North Huangqiang Street is China’s major hub for mobile phone commerce.
In the early 2000s, a Taiwanese integrated circuit (IC) manufacturer, MediaTek, launched an innovative business

strategy in China, offering hardware packages called “systems on a chip” (SoC) for wireless communication devices. This development opened the door for small, entrepreneurial teams with as few as 4 people to design, and contract-manufacture, cell phones.
Entrepreneurs, both legitimate and illegitimate, leveraged these hardware packages and the manufacturing environment to rapidly produce even relatively small runs of phone designs. Hundreds of small companies known as independent design houses (IDH) in Shenzhen alone churn out white box phones with a dazzling array of features: many useful, some highly creative, and others entirely fake. The fastest producers can get from idea to market in less than 30 days, compared to months or years for larger international cell phone companies. With near unlimited demand domestically and a foreign market hungry to participate in the digital revolution but often unable to buy expensive branded phones, China has become a world leader in mobile phone production, rivalling even their more established western counterparts.
While not produced with quality in mind, white box technology is attaining a level of complexity that is nearly state of the art. Knock-off makers follow industry trends to take advantage of the accomplishments of legitimate technology developers. White-box devices have advanced rapidly from simple feature phones to include the same high-end features found on popular international brands, and now smart phones.
High-end clones can be visually nearly indistinguishable from the legitimate phones that they mimic, including popular iPhone and Blackberry handset models. In many cases the knock-offs use components from the same sub-suppliers as the legitimate manufacturer. White box phones often adopt famous brands that have nothing to do with the cell phone industry, like Adidas or Marlboro, and manufacturers are opportunistic, building a phone around available parts until they run out, then moving on to the next opportunity. The transient and shadowy nature of the industry frustrates any standardization of hardware or software found in these phones.
While IDHs customize the phones they develop, the core features such as screen resolution, Bluetooth, media capability or network support are determined by the specifications of the SoC (chipset) they decide to use. For roughly ten years, the hardware packages from the top Chinese chipset manufacturers were closed platforms, offering only feature phone capability. In mid 2011, however, a major shift occurred with the introduction of Chinese chipsets supporting Android. The driving force of white box innovation is really in the hands of the SoC manufacturers, and they are meeting market demands with cutting-edge chipsets able to run smart phone operating systems, albeit at a higher price than the ultra low cost feature phones that still flood the market.

In some cases, white box phone manufacturers like Tianyu or Oppo have become so sophisticated and so well established as producers that they eventually “go legit” with their own brands. More mainstream brands like HuaWei, ZTE, TCL and Lenovo are some of the largest brands using Chinese chipsets in their phones, selling their phones through China’s three largest carriers.

/ Inside the Chinese Chip Market
Approximately 800 million Chinese-chipped cell phones entered the global market in 2011, making up nearly 35% of devices worldwide. Given the rapid increase in prevalence, popularity and sophistication of these devices, it is important to know who makes the chipsets that allow them to operate. As the industry leaders, the companies below will shape the future of white-box mobile devices.

Top White-box Chip Makers:
• MediaTek (MTK): (Approximate Market Share 60%) MediaTek develops chips for everything from GPS systems to HDTVs. MediaTek is the world’s second largest producer of semiconductors to the cell phone industry, after Qualcomm.
• Spreadtrum: (Approximate Market Share 30%) As the second largest white-box chipset manufacturer, Spreadtrum has its sights set on MediaTek and has doubled its market share over the past decade.
• Infineon Technologies: (Approximate Market Share 5%) A spin-off of Siemens AG in 1999, Infineon made its name by providing semiconductors to the automotive, industrial and multimarket sectors before entering the cell phone industry.
• M-star Semi Conductor: (Approximate Market Share 5%) Split from System General Technology in 2002, MStar specializes in mixed-mode integrated circuit technologies. MStar is known in China as “Little-M”, contrasting the firm with “Big-M” – MediaTek.

/ Barriers to Analysis
The non-standard nature of Chinese phones makes them vexing to mobile forensics examiners. They are often built on unique or modified operating systems with modifications that may only exist in a certain production run of a handset model. Until recently all white box phones were embedded platforms, not open source, and many contain distinct file system structures. Another hindrance to forensic analysis is the absence of standards for hardware such as data cables. Even though the cables that come with these phones may look the same as the cables that come with Android or iPhone handsets, the wiring is often different. This is sometimes a deliberate strategy by manufacturers to maximize accessory sales. Unfortunately it also impedes the task of the digital forensics investigator, as it can be difficult to establish compatibility between these phones and forensic analysis tools.
While standard logical cell phone tools use synchronization to extract data, white box manufacturers typically block synchronization features. Even when the hardware is compatible, phone manufacturers may disallow synchronization through the software as a means of simplifying the devices. (The transfer of media files is typically supported, however.)
The barriers to analysis of white box phones come down to one core issue: the absence of industry standards. Unfortunately, hundreds of millions of cell phones are circulating in worldwide markets that are so cheap they are nearly disposable, that accommodate multiple SIM chips, function across national borders, and are inherently difficult to analyze, making them perfect for criminal activity and a huge challenge for investigators.

/ A Global Issue
Further compounding the threat, these phones are quickly internationalized, moving from China to Southeast Asia, the Middle East, Africa and beyond. They may be flashed and re-flashed with new software, exacerbating the problem of tracking the devices with issues like non-unique IMEI numbers and IMEI numbers that do not relate to manufacturing origin or phone model. Certain countries like the United Kingdom prohibit by law the changing of IMEI numbers, a practice that is commonplace with white box phones.
If you think the adoption of smart phones will make the Chinese phone problem go away, think again. Market research firm Strategy Analytics reports that while the US is still the largest smartphone market overall, China overtook the US as the largest market for smartphones retailing below $170 (the fastest growing segment of the market). Major Chinese chipset manufacturers MediaTek, Infineon, Spreadtrum, and MStar are racing to develop chipsets to serve this market, and Chinese phone manufacturers like Huawei, ZTE, TCL, and Lenovo are designing smart phones. Even non-Chinese brands like Motorola and Alcatel are incorporating Chinese chipsets in some of their less expensive smartphones, and in India, Spice Mobile and Micromax are designing smart phones around low-cost Chinese chipsets. Strategy Analytics predicts that the sales of lower cost smart phones will triple from 191 million phones in 2012 to 551 million phones in 2016, with 75% being exported to emerging markets. So whether they are in feature phones or smart phones, Chinese chip based phones are here to stay.

/ It’s Not About Phones; It’s About Chipsets
Fortunately, even in the face of all these hindrances to analysis, there is a light at the end of the tunnel for mobile forensic professionals. Even with tens of thousands of handset models on the market, over 90% of the chipsets at the heart of these devices are designed and built primarily by four firms: Spreadtrum, Infineon, MStar and MediaTek (MTK). The concentration of manufacturers enables forensics technology

developers to focus their efforts on tools that can physically analyze the chipsets on which the phones are designed.
International mobile forensic companies are working on technologies to address the growing problem of phones based on Chinese chipsets. At the forefront of this effort is EDEC Digital Forensics with Tarantula, currently the only forensic tool that can extract and decode data from all 4 major Chinese chipset manufacturers (comprising about 90% of all phones that include Chinese chipsets). In addition to decoding data such as phone book contacts, call logs, and SMS messages, Tarantula acquires deleted data, PIN lock codes and IMEIs (both current and historical, if present) from most chipsets.
In demonstrations to the state police forces in Australia, Jason Hanel, Owner of Task Intelligence, a security and investigation firm located near Canberra, Australia, invited them to bring their own Chinese phones. In all cases, Tarantula has succeeded in getting data. Phones purchased whilst in Singapore and Indonesia were also tested with good results. In addition, Cellebrite’s UFED CHINEX is a connectivity kit for its UFED Physical Analyzer. Chinex is capable of physical extraction of critical data from a subset of phones based on MediaTek chips. Micro Systemation’s XRY system is capable of logical data extraction from a subset of several hundred Chinese phones. Oxygen Forensics recently updated their proprietary Oxygen Forensic Suite 2012 to support MediaTek phones, and Logicube has announced that it has a licensing agreement with EDEC allowing it to integrate Tarantula into its own CellXtract product, allowing it to do physical analysis on Chinese phones.

/ Industry Cooperation
While there may be competition between the leading developers of digital forensics tools, there is also a good deal of cooperation and collaboration. As much as executives want their products to outsell the competition, they recognize the need to provide effective tools to as many law enforcement agencies as possible. This was evidenced in March of this year, when EDEC and Logicube announced that they were partnering to combine Tarantula software with CellXtract hardware. The finished product is slated to debut at this year’s Techno Security & Digital Investigations and Mobile Forensics Conferences in Myrtle Beach, South Carolina, USA.
In a release regarding the partnership, Logicube Executive Vice President and COO Farid Emrani stated, “Our digital forensics customers are encountering large quantities of these types of phones, creating an urgent requirement to extract and analyze data and evidence from them. Integrating Tarantula with Logicube’s data extraction device, CellXtract, provides added functionality that will give law enforcement, military and government agencies an unparalleled solution to address the thousands and thousands of phones, including legitimate brands and white box, manufactured with Chinese chipsets.”

/ Looking Forward
There is no doubt that cell phones based on Chinese chipsets will continue to present a challenge to investigators for the foreseeable future. MediaTek, Spreadtrum and other IC manufacturers are not only vying for position in the Chinese market, they are also making headway in the global market by signing deals with the world’s top cell phone manufacturers. Feature phone chipsets that have been utilized by Chinese IDHs for years, such as Mediatek’s MT6226 or MT6253, are showing up in low cost handsets from international firms like Motorola and Alcatel.
With the core strength of cell phone hardware manufacturing achieved, Chinese chipset manufacturers are now expanding their reach to include a wider range of mobile device types. MediaTek’s smartphone chipset, MT6573, and Spreadtrum’s SC8810 are capable of supporting Android tablets, a device category previously dominated by Western IC firms. Both companies are working to create chipsets that support Japanese and Korean networks, another category previously served by international players. The landscape of mobile devices is shifting as Chinese chipset manufacturers evolve at unprecedented speed.
To be prepared for all potential scenarios, forensics investigators need to ensure that they are trained in the latest acquisition methods for the latest devices. By the same token, forensics tool developers will need to remain vigilant and cooperate with one another to remain at the forefront of Chinese chip technology.
While there are many factors that make analysis of Chinese built devices exceedingly difficult, the silver lining is that there is a whole industry rising to these challenges. The best way forensic investigators can prepare for the future is to pay careful attention to industry trends and seek out the appropriate educational programs to ensure that they are well versed in this emerging field. The bottom line is that Chinese technology is here to stay, so we might as well adapt to it. /

/ Author Bio
Kevin J. North is an American freelance journalist who specializes in the fields of finance and technology. He is a graduate of Monmouth University in West Long Branch, New Jersey, with a Bachelors Degree in Public Relations and Journalism. Currently, Mr. North resides in Santa Barbara, California, where he writes and edits articles related to digital forensics, automotive safety technology and financial advice for investors. In addition to his work as a journalist, Mr. North serves as a consultant to the health and wellness, web design, entertainment, and data acquisition industries.
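The “A Global Issue” section above notes that white box handsets frequently carry non-unique IMEIs, or IMEIs that do not map to any manufacturer or model. Before an examiner spends time on a TAC lookup, two cheap checks tell whether a recovered IMEI is even well formed: the 15th digit must be the Luhn check digit over the first 14, and a batch of values from different handsets should not repeat. The script below, an added example that is not code from the article or from any of the tools it names, does both and pulls out the 8-digit TAC that the GSMA allocation data is keyed on. The sample IMEI values are constructed for the demonstration.

```python
"""Plausibility triage for IMEIs recovered from handsets.

Added example; not code from the article or from any tool it names.
Sample IMEI values below are constructed for the demonstration.
"""
from collections import Counter


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    An IMEI's 15th digit is the Luhn check digit over its first 14 digits,
    so the payload passed here is the 14-digit TAC + serial.
    """
    total = 0
    # Walk right to left; double every second digit starting with the
    # rightmost payload digit, and fold two-digit products (e.g. 14 -> 5).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(value: str) -> dict:
    """Normalise one IMEI string and report whether it is well formed.

    Returns a dict with keys: imei (digits only), valid, tac, serial, reason.
    The TAC (first 8 digits) is what an examiner would look up against the
    GSMA allocation data to tie the handset to a manufacturer and model.
    """
    digits = "".join(ch for ch in value if ch.isdigit())
    result = {"imei": digits, "valid": False, "tac": None,
              "serial": None, "reason": None}
    if len(digits) != 15:
        result["reason"] = f"expected 15 digits, got {len(digits)}"
        return result
    expected = luhn_check_digit(digits[:14])
    if int(digits[14]) != expected:
        result["reason"] = f"check digit {digits[14]} != expected {expected}"
        return result
    # A run of identical digits (e.g. all zeros) passes Luhn but is a
    # placeholder, not a real allocation; flag it rather than trust it.
    if len(set(digits)) == 1:
        result["reason"] = "repeated-digit placeholder IMEI"
        return result
    result.update(valid=True, tac=digits[:8], serial=digits[8:14])
    return result


def triage_imeis(values: list[str]) -> list[dict]:
    """Parse a batch of IMEIs and mark well-formed values that repeat.

    Duplicate IMEIs across distinct handsets are the non-unique IMEI
    problem the article describes: they cannot tell the devices apart
    and should be reported as such rather than used as identifiers.
    """
    parsed = [parse_imei(v) for v in values]
    seen = Counter(p["imei"] for p in parsed if p["valid"])
    for p in parsed:
        p["duplicate"] = p["valid"] and seen[p["imei"]] > 1
    return parsed


# Constructed sample: one well-formed IMEI (hyphenated as some tools
# print it), the same IMEI reported by a second handset, an all-zero
# placeholder, a value with a corrupted check digit, and a truncated value.
SAMPLE_IMEIS = [
    "49-015420-323751-8",
    "490154203237518",
    "000000000000000",
    "490154203237519",
    "4901542032375",
]

if __name__ == "__main__":
    for row in triage_imeis(SAMPLE_IMEIS):
        status = "OK" if row["valid"] else f"REJECT ({row['reason']})"
        dup = " DUPLICATE" if row["duplicate"] else ""
        print(f"{row['imei']:>15}  {status}{dup}  TAC={row['tac']}")
```

A passing check only means the value is syntactically plausible; a cloned handset can carry a perfectly valid IMEI copied from a genuine device, which is why the duplicate flag and the subsequent TAC lookup matter more than the check digit on its own.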

/ APPLE AUTOPSY

APPLE AUTOPSY
The State of Apple
by Sean Morrissey

Things have seemed to change under the stewardship of Mr. Tim Cook, Chief Executive Officer of Apple. Unlike his predecessor, Mr. Cook seems to be willing to negotiate a solution to the patent wars with its supplier/competitor Samsung. However, will this change the stance between Apple and Google? Steve Jobs wanted to go all out and wage “Thermo Nuclear” war on Google. So, how does one hurt Google? You hit them where it hurts: revenue.
In the patent suit against Google brought by Oracle, it emerged that Google made four times more revenue from iOS devices than from its own Android OS. Since the inception of the 2G iPhone in 2007, iOS has carried Google Maps and Google’s search engine. Apple did purchase two mapping companies, and now with iOS 5 came ‘Siri’. So if Apple decided at one point to drop Google Maps and searching, how does that factor in to Google’s bottom line? Google has always been an advertising company, with Android being just another vehicle to generate more revenue; then add to this mix the patent wars. Interestingly enough, it seems to want to settle with Samsung, but there is no mention of this in reference to Motorola. So, will Tim Cook placate and settle with Samsung, which is important to Apple’s supply chain, or continue to do battle? I think he will deal.
Tim Cook was the one that created the Apple supply chain engine, one like no other company. He needs Samsung more than patents. Google? Now that may be a bigger fish to fry. Manufacturers have been uneasy since the acquisition of Motorola, even with the mighty hand of Google attempting to put those worries to rest.
If Google starts to label Motorola phones as Google phones, that will be an interesting move, and what will Samsung, LG, HTC, and others do? Look to Microsoft? Even though Samsung has publicly stated that it is not interested in purchasing the ailing RIM, would they look at it when that day comes? Palm is also out there now in the open source world. Grab that and do it right, unlike the miserable way HP attempted to use that OS? At the end of the day, there are options for those outside of Google. Apple could pull the plug, and what will Google do then? Time will tell and we will all see the outcome of what Steve Jobs intended. To that end, and to add more fuel to the fire, Apple released another amazing product.
The new iPad, Apple’s third generation iPad, comes with the stunning Retina display, which is really amazing. You’ve noticed it on the iPhones, but on an iPad it is truly marvellous. This generation iPad includes the upgraded A5X chipset. Unlike the A5 from previous versions, this version is on graphic steroids. The iPads have a commanding lead in the tablet market.
There have been some gains from those like the Amazon Fire, which is a departure from the traditional Android. If you didn’t know any better, you wouldn’t know it was Android. Also add a price of $199 and you’ve created a tablet that has gained traction in the market place. Apple has seen this coming and there have been rumours that they are “testing” a 7-inch mini iPad, not to compete with Amazon but to add to its domination of the tablet market.
A new iPad alone is not enough for Apple; now it appears to be looking at how to change one more industry, the television. Will it be something that, once it is released, causes the market to take a pause? Steve Jobs revolutionized 4 industries, why not add one more? /


/ FEATURE

IMAGING AND WRITE


BLOCKING ON A MAC
Whether it is an older Mac (Power PC) or a newer Mac (Intel),
all can be imaged in the same manner as PCs. The only difference
is how first responders and examiners handle these devices…
by Sean Morrissey
/ ADVANCED

Today we have Mac Pros, MacBook Pros, iMacs, and MacBook Airs; all of which have differing levels of complexity. The device that has caused a degree of consternation to a number of forensic analysts when it first came out was the MacBook Air. A departure from the standard platter hard drive to a flash memory drive provides challenges unlike other Mac devices; the MacBook Air also has the ability to add a USB drive.
The first MacBook Air had a 1.8 inch 4200 rpm hard drive with a ZIF connector, allowing us to use the same adapter as we used for iPods; it was therefore easy to remove and image these older MacBook Air devices. The newer MacBook Air has a solid-state drive with a “mini PCIe” connector; this connector is often mistaken for the “micro PCIe” connector.
So, how does one image these devices? There are numerous tools and methods available. Encase Portable and MacQuisition are viable paid-for alternatives for imaging the MacBook Air; however I like free tools for imaging, and there are many tools that can image any Mac for free, including Windows FE with Access Data’s FTK Imager Lite.

/ Imaging the MacBook Air
Connect an Apple SuperDrive and one 500GB external USB hard drive to your device; in our demonstration we are using a 13” MacBook Air (256GB SSD).

1. Boot the Mac and hold down the “option” key. The Mac Boot screen then appears;
2. Select the Windows CDROM and press “Enter”; this will begin the boot process with WinFE;
3. Once the boot process is completed the Boot Process Complete screen is seen;
4. Once a successful boot is achieved, check to ensure that you can see the disks. To do this, from the command prompt type “DISKPART” then “Enter”, then type “list volume”. You should see the EFI Partition along with the external hard drive. Next we have to make the external drive writeable;
5. From the command prompt type “select volume 2”; make sure it’s your external hard drive;
6. Type “ATTRIBUTES DISK CLEAR READONLY” and hit Enter;
7. Type “ASSIGN LETTER=Z”;
8. Type “Exit”. You are now ready to start imaging the drive. To do this we bring up FTK Imager Lite; from the command prompt:
9. Type “cd \”;
10. Type “cd TOOLS”;
11. Type “FTK Imager Lite”; this will then bring up the familiar interface of FTK Imager;
12. From the File menu, select “Create Image”;
13. The next menu will ask Physical, Logical, etc. Select “Physical” and hit Next;
14. Here you will see the SSD, as seen in the next figure, as physical drive “0”;
15. Select Finish;
16. From the next menu select “Add” then “Next”;
17. Since this is an NTFS formatted drive we can keep this as a single (unsegmented) dd, therefore select RAW (dd) in the next menu, then press “Next”.
Figure: MacBook Air Flash Drive

Figure: DISKPART List



18. The next screen will ask for case specific information. Fill out the appropriate areas;
19. You now need to point FTK to your destination drive. Remember we gave the external drive the drive letter “Z”, so in the destination Path type “Z:\”;
20. Under “image name” give your image a name, for example “MacBook Air”;
21. Also in the Segment size, delete the default 1500 and enter “0”. This will keep the dd image as a single, unsegmented file;
22. Press “Finish”; FTK Imager will then start the imaging process;
23. Once completed, exit out of FTK Imager and WinFE.

/ Linux Boot Disk – Raptor
There is a more conventional way to image these new solid state drives for the MacBook Air than using WinFE+FTK: the old standby Linux distros, like Forward Discovery’s Raptor for example. Most people in the Mac imaging community have known about Raptor, but when the first MacBook Airs came off the line there wasn’t a procedure or an adapter for this new “Cat” drive. I had to quickly devise a method of imaging these because one came into the lab where I was working at the time. At that time, WinFE+FTK Imager and Encase Portable were the only viable options.
Raptor however can now identify and image the newer MacBook Air devices, so you don’t have to open up the Mac and take out the SSD to image. There aren’t any known adapters at present, however there is a solution for those that want to do it that way, which we will discuss later in this article.
So if you want to image a MacBook Air with a Linux boot disk such as Raptor, it is now an alternative solution. Raptor is a boot disk that I’ve used since its release; developed by Forward Discovery, it is freely available and you can burn a disk from the ISO distributed from their website, http://forwarddiscovery.com/. After discussing the imaging of a MacBook Air with Ryan Johnson of Forward Discovery, he was happy to make himself available to demonstrate how to create a bootable USB drive.
Before you start you will need a 4 GB USB drive as a minimum. Using a Windows machine, go to http://www.linuxliveusb.com/ and download the live USB utility. You can then create a bootable USB with the Raptor ISO as seen in the following steps:

1. Step 1, point to the USB device that you are going to use;
2. Step 2, leave the default setting;
3. Skip step 3;
4. Step 4, if you need to reformat the drive, select Format the key in FAT 32;
5. Step 5, click on the thunderbolt and the app will create the bootable USB for you.

Once you have created your bootable USB drive you can proceed to image your MacBook Air. Using either the DVD or USB, Raptor will work fine. If you’re using the DVD, I suggest getting an “Apple SuperDrive”. The newer MacBook Air has Thunderbolt, USB and 2 USB ports. The older MacBook Air had only one USB port, requiring the use of a USB hub. Connect the SuperDrive to one USB port and the external destination drive to the other; this is the same configuration as discussed earlier. Now, again thanks to Ryan at Forward Discovery, there is a trick to using Raptor and booting.
Turn on the MacBook Air while holding down the “alt/option” button; the MacBook Air Option Start screen will appear. Using either the USB or DVD option, select “Windows” from the DVD or USB icon in the boot option screen. Next is the little trick: from the boot option screen in Raptor select “Boot Raptor”. On the bottom of the screen there is a command line that you need to edit with the following, “nomodeset”; this should be inserted prior to the double hyphens. See Figure 14 for an example.
Raptor will then boot, and from the main screen of Raptor select “Raptor Tools”.
The interface for imaging is simple and easy to use. Prior to imaging you will require a wiped and formatted disk to write the image to; you can use Raptor to do both, and my volume of choice is HFS+. There is no need to segment the image as is needed for other volumes such as FAT 32. As I tend to examine Mac devices with a Mac, using HFS+ is preferable. Once you have a formatted disk, go to the “Image” tab and follow these steps:
Figure: Linux Live USB Creator


Figure: Raptor Installer Boot Menu

Figure: Select Raptor Tools

1. First select the volume you wish to image and make sure you image the whole disk by selecting the device which includes “/dev/sda”.
2. Then select what type of image you are going to use: E01, dmg or dd (dd and dmg are exactly the same, I just don’t have to rename the image from .dd to .dmg when using a Mac), and change the 2000 in the Segment field to 0; you don’t want a segmented .dmg on a Mac. The segmentation is necessary when imaging to a volume such as FAT.
3. So, after selecting, in this case, a “.dmg”, I then select the volume where I will image to. You also have an option to verify the image, which I recommend should be done as well.
4. Lastly give the image a filename and hit start. Once completed, you should lock and mount the image on a Mac and begin your examination. Nearly all forensic analysis on a Mac can be done completely without the use of any automated tools.

As stated previously there isn’t a known adapter for the SSD of a MacBook Air, however there is a hardware alternative to solve this problem for those that do want to disassemble the MacBook Air and image the SSD traditionally. Other World Computing has an enclosure that has the adapter built into it. The enclosure isn’t cheap, but it does the job and can be found at: http://eshop.macsales.com/item/Other%20World%20Computing/SSDAPEPMQ/
The enclosure has eSATA, FireWire 800/400 and USB 2.0/1.1 connectors. A combination of the enclosure and traditional write blockers will do the job. We will be discussing “Write blockers” later in this article.

/ Imaging All The Other Macs
There are several ways to image the raw disk of a Mac, such as the “Target FireWire/Thunderbolt Disk Mode” that has been available on Macs for many years, effectively turning the Mac into a big FireWire disk drive. To place a Mac into FireWire Disk mode, boot the machine and hold down the “T” button. A FireWire or Thunderbolt symbol will be seen on screen if successful. To image the disk there are many tools and command line methods available.
The command line options are binaries such as DCFLDD and DC3DD, freely available from SourceForge. The tools are variants of the standard “dd” command. The following are the download locations of these command line utilities:

1. dcfldd – http://sourceforge.net/projects/dcfldd/
2. dc3dd – http://sourceforge.net/projects/dc3dd/

Note: make sure that your destination disk is formatted HFS. This will be important so that there won’t be a need to split the image.

To image the device, open a terminal from the destination Mac:

1. Run the command df -h
2. This will show all the mounted disks, which shows disk0 (your hard drive) as the hard drive on a Mac. When you plug in another disk it will have a device name with a corresponding number such as disk1.
3. Attach your external disk that you intend to image to the Mac and execute df -h a second time. You will then see “/dev/disk1”.
4. Therefore any subsequent device such as your evidence drive would be “/dev/disk2”.

Prior to any imaging, disk arbitration needs to be dealt with. The “diskarbitration” daemon is what needs to be shut off to stop the auto mounting of volumes on a Mac. This is very important if you don’t have access to a write blocker. A
Figure: Imaging with Raptor Toolbox



free tool called Disk Arbitrator is a utility that will disable diskarbitration and allow the forensic examiner to mount volumes read only or read/write. The download for this free utility is at:

https://github.com/aburgh/Disk-Arbitrator

1. Start the Disk Arbitrator application;
2. Make sure that you have activated the application by checking the “Activated” box towards the bottom;
3. Test the write blocking by adding a flash drive to the imaging Mac; Disk Arbitrator should see it, however it will be greyed out or “Not Mounted”. Once tested make sure you detach the flash drive;
4. Place the Target Mac into FireWire Target Disk mode by starting up the Mac and holding down the “T” button;
5. Using a FireWire cable, attach the Target Mac to the Imaging Mac;
6. In Disk Arbitrator highlight the disk in reference to your target device. The example in Figure 19 shows Disk 1 as the evidence disk. Hit Mount from the menu bar;
7. After selecting “Mount” another dialog box appears. Make sure that “read-only” is selected; the Path can be anything, but use “/Volumes”, then select ‘Mount’.

Using the “dc3dd” binary from the command line, open the terminal application and type the following:

dc3dd if=/dev/rdisk2 conv=sync,noerror bs=512k hash=md5,sha1 progress=on of=/device/image.dd

The critical items of the command line are “if” (INPUT FILE) and “of” (OUTPUT FILE). The output file is the path to where the image will be written.
Your “if=/dev/rdisk2” means you will image the “rdisk”, the complete raw disk of your evidence drive. As one can see, there isn’t a split command. This will create one dd file that can then be forensically analysed on a Mac by simply renaming the extension. This will be discussed later.
Note: Remember to disable “diskarbitration” from the top menu bar as seen below, and then quit the application as well.
Lastly there are options for removing the hard drive from Mac devices. If you are interested in this, iFixit and other websites have great walkthroughs on taking Macs apart and getting to the hard drives. Imaging with commercially available write blockers and free tools, such as FTK Imager from Access Data, are Windows alternatives to imaging Macs.
Finally, we have to deal with “File Vault”. File Vault is a user level encryption that can be employed on any Mac. There are tools and techniques for cracking the “Keychain” on a Mac, which will allow you to find the password for the user volume. Depending on the version of OS X you can sometimes get lucky and find the password in plain text in the sleep image. By simply doing a “grep” search for either “password” or “long password” you can find the password.

Figure: Tableau FireWire WriteBlocker

The Mac operating system “Lion” provides full disk encryption, however there are ways to deal with this as well. With full disk encryption, one needs to image the RAM, which until recently was next to impossible. A free utility, “Goldfish”, allows the imaging of RAM over a FireWire connection. The utility is free to Law Enforcement at http://cci.ucd.ie/goldfish.

/ Write Blockers
There aren’t any specific “writeblockers” for the Mac. If you remove the hard drive from any Mac, including the MacBook Air, all can be attached to conventional writeblockers manufactured by various vendors, except for one writeblocker, which can be used while a Mac is in FireWire target disk mode. The FireWire write blocker is manufactured by Tableau. The Forensic FireWire Bridge T-9 is a write blocker that can be utilized during imaging using FireWire Target Disk Mode.
All the others created by CRU Dataport, Tableau, ICS, and others use conventional adapters and writeblockers for the rest of the Mac line, if the drives are removed from the system.
Imaging Macs isn’t a daunting task; a hard drive on a Mac isn’t any more special than those found in Windows, and the Mac allows for easy free imaging using the FireWire/Thunderbolt disk mode. This overcomes the fear of tearing into a Mac in order to remove the hard drive for imaging. This mode, as discussed earlier, can also overcome the problems encountered with the MacBook Air. There are many ways to image Macs; some are paid for but most are free. Some require pushing a few buttons, some are command line, but both are effective and have been used for years. /

/ AUTHOR BIO
Sean Morrissey is presently employed by Paradigm Solutions and assigned as a Computer/Mobile Forensic Analyst in the Department of State Computer Investigations and Forensics Division. Sean was an Instructor of Forensics at the Defense Cyber Crime Center, a former Law Enforcement Officer and U.S. Army Officer. He also authored Mac OS X, iPod and iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis.
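As an added illustration of the Target Disk Mode acquisition described in this article, the script below is example code written for this page; it is not a tool from the author, from Digital Forensics Magazine or from the dc3dd project. It wraps the dc3dd command line quoted in the article with the checks an examiner makes around it: it maps a disk identifier as reported by df -h to the raw /dev/rdiskN node and rejects anything else, refuses to run while any volume on that disk is mounted read-write (the auto-mount that Disk Arbitrator exists to prevent; a read-only mount is allowed, matching the article's step 7), builds the command as an argument list so nothing is re-interpreted by a shell, and recomputes the MD5 and SHA-1 of the finished image so they can be compared with the digests dc3dd reports. The dc3dd option spelling is taken from the article; the mount(8) lines used in its test are constructed.

```python
"""Wrapper around the dc3dd acquisition described in the article.

Added example, not the author's or dc3dd's own code. The dc3dd options
(conv=, bs=, hash=md5,sha1, progress=on) are spelled as in the article.
"""
import hashlib
import re
import shlex
import subprocess
import sys

DISK_RE = re.compile(r"^disk(\d+)$")


def raw_device(disk):
    """Map a disk identifier as shown by df -h ("disk2") to the raw node
    dc3dd should read ("/dev/rdisk2"). Anything else is rejected so that a
    typo such as "/dev/disk2" or "rdisk2" cannot silently pick the wrong input."""
    m = DISK_RE.match(disk)
    if not m:
        raise ValueError("expected a disk identifier like disk2, got %r" % disk)
    return "/dev/rdisk" + m.group(1)


def writable_mounts(mount_output, disk):
    """Mount points on `disk` that are NOT read-only, parsed from the text
    of mount(8), e.g. "/dev/disk2s2 on /Volumes/Evidence (hfs, local, read-only)".
    A read-only mount (what Disk Arbitrator gives you) is fine to image
    behind; a read-write auto-mount of the evidence disk is not."""
    prefix = "/dev/" + disk
    found = []
    for line in mount_output.splitlines():
        dev, sep, rest = line.partition(" on ")
        # match the whole disk or any of its slices (disk2, disk2s1, ...), not disk20
        if not sep or not (dev == prefix or dev.startswith(prefix + "s")):
            continue
        point, _, opts = rest.partition(" (")
        options = [o.strip() for o in opts.rstrip(")").split(",")]
        if "read-only" not in options:
            found.append(point)
    return found


def dc3dd_command(disk, image_path, block_size="512k"):
    """The article's dc3dd command line as an argv list: raw device in,
    one unsegmented image out, MD5 and SHA-1 computed during the copy."""
    return [
        "dc3dd",
        "if=" + raw_device(disk),
        "conv=sync,noerror",
        "bs=" + block_size,
        "hash=md5,sha1",
        "progress=on",
        "of=" + image_path,
    ]


def digests(chunks):
    """MD5 and SHA-1 hex digests over an iterable of byte chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in chunks:
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, reported_md5, reported_sha1, chunk=1 << 20):
    """Re-hash the finished image and compare with the digests dc3dd
    printed; True only if both match (hex case ignored)."""
    with open(image_path, "rb") as fh:
        md5, sha1 = digests(iter(lambda: fh.read(chunk), b""))
    return md5 == reported_md5.lower() and sha1 == reported_sha1.lower()


def acquire(disk, image_path, mount_output=None):
    """Refuse to image a disk with read-write mounts, then run dc3dd."""
    if mount_output is None:
        mount_output = subprocess.run(
            ["mount"], capture_output=True, text=True, check=True
        ).stdout
    writable = writable_mounts(mount_output, disk)
    if writable:
        raise RuntimeError(
            "%s is mounted read-write at %s; fix that before imaging" % (disk, writable)
        )
    cmd = dc3dd_command(disk, image_path)
    print("running:", " ".join(shlex.quote(c) for c in cmd))
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acquire_mac.py diskN /Volumes/Dest/image.dd")
    acquire(sys.argv[1], sys.argv[2])
```

After dc3dd finishes, pass the digests it printed to verify_image() against the file it wrote; a mismatch means the image should not be relied on, whatever the tool's own progress output said.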

/ FROM THE LAB

IMAGE FORENSICS
The challenge when dealing with large quantities of forensically acquired
data, of quickly identifying relationships whilst augmenting with open and
closed source intelligence sources is daunting. This is particularly true if
your goal is to abstract the data to allow forensics investigators to work with
the information rather than learning specific forensic tools or data formats.
by Ollie Whitehouse

/ ADVANCED

In this article we’re going to walk through how Recx solved the problem of allowing intuitive data access, visualization and relationship identification, specifically in the case of photographic image forensics. The article will first review the metadata embedded within an image, before looking at how to extract and finally visualize and link the data with other sources.

/ Digital Image Metadata
The subject of digital image forensics and its associated metadata is a well-documented area of study. Articles that cover this subject include ‘Digital Still Camera Forensics’ [1] by Kevin Cohen (2007), for example, which deals with forensic acquisition from cameras and the post analysis of the acquired data. In summary, when dealing with digital pictures there is a potential wealth of embedded information, depending on the device or software used to produce the image. Image metadata is typically stored in three common formats:

• Exchangeable Information File [2] (EXIF) format
• IPTC Information Interchange Model [3] (IIM)
• Extensible Metadata Platform (XMP) [4]

For camera originating images the most common format is EXIF, although at times you may see others. Common forensic tooling such as Encase, iLook and viaForensics allow access to the image metadata, although typically only in text form.
It’s important to point out that whilst there are standard EXIF metadata tags that are extremely useful, the EXIF standard also documents the concept of maker notes [5]. Maker notes allow hardware and software vendors to add custom metadata to images inside of the EXIF construct. In the case of photographs, these additional tags can sometimes contain information valuable to the forensic investigation. For example, some vendors embed the device serial number as a maker note. Typically, serial numbers are most often seen on high-end devices and to date never seen on mobile phones.
The integrity of the metadata should also be considered. EXIF provides no mechanism for either integrity validation or general tamper resistance. While there have been designs [6] for systems to reduce the likelihood of image modification, and commercial products such as Kodak Picture Authentication [7] and Image Authentication System (Nikon), the implementations don’t always stand up to scrutiny. Elcomsoft, for example, managed to successfully bypass Nikon’s Image Authentication System [8] in April 2011. As a result, it’s important to keep in mind that anti-forensics as a field of study continues to progress; and as it does, there is potential for misuse of image metadata by the more technically savvy.
The quantity of useful information available within EXIF and the other similar standards is vast. To a forensic investigator there is useful information embedded within images that may be beneficial to an ongoing investigation, such as:

• Make and model of the device that took the photograph.
• Time and date the image was captured.
• Device software version, which can indicate the mobile device firmware version.
• GPS co-ordinates of the photograph (geo tagging); altitude, direction and speed can also sometimes be included.
• GPS time the photograph was taken.
• Any software used for post modification.
• Device serial number (mobile devices don’t include this to date).

There is obviously considerable benefit from the extraction and analysis of this metadata during an investigation. Being in a position to leverage this information to identify or group photographs based on time, date, location, device type or a specific device has obvious investigatory uses. Numerous examples of software exist within the open source community which can be used to retrieve metadata. A good example of a mature open source extractor is Exiv2 [9]. Exiv2 is capable of handling all three of the common formats (EXIF, IPTC and XMP), is cross platform, easy to use and has good support for custom maker notes.

/ Extracting the Metadata
Off the shelf forensic software packages can already extract some image metadata. However, being able to inspect the data with minimal abstraction is often useful; this is especially true if you want to integrate this data into a data mining solution.
For example, if we take an image from the Internet and retrieve, using Exiv2 [9], all of the EXIF, IPTC and XMP metadata, we can extract the following:


Exif.Image.Make Ascii 6 Apple
Exif.Image.Model Ascii 7 iPhone
Exif.Image.Orientation Short 1 top, left
Exif.Image.XResolution Rational 1 72
Exif.Image.YResolution Rational 1 72
Exif.Image.ResolutionUnit Short 1 inch
Exif.Image.DateTime Ascii 20 2009:08:03 16:06:13
Exif.Image.ExifTag Long 1 171
Exif.Photo.FNumber Rational 1 F2.8
Exif.Photo.ExifVersion Undefined 4 2.21
Exif.Photo.DateTimeOriginal Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeDigitized Ascii 20 2009:08:03 16:06:13
Exif.Photo.FlashpixVersion Undefined 4 1.00
Exif.Photo.ColorSpace Short 1 sRGB
Exif.Photo.PixelXDimension Long 1 1200
Exif.Photo.PixelYDimension Long 1 1600
Exif.Image.GPSTag Long 1 321
Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'
Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3

Iptc.Envelope.CharacterSet String 3 <%G
Iptc.Application2.RecordVersion Short 1 2
Iptc.Application2.Copyright String 20 ® Jeremy Quinn 2009
Iptc.Application2.City String 6 London
Iptc.Application2.CountryName String 7 Britain
Iptc.Application2.Caption String 23 Gosh! I’m late for tea!
Iptc.Application2.Keywords String 9 Afternoon
Iptc.Application2.Keywords String 12 Architecture
Iptc.Application2.Keywords String 7 Big Ben
Iptc.Application2.Keywords String 7 Britain
Iptc.Application2.Keywords String 7 British
Iptc.Application2.Keywords String 8 Building
Iptc.Application2.Keywords String 4 City
Iptc.Application2.Keywords String 6 Clouds
Iptc.Application2.Keywords String 7 Culture
Iptc.Application2.Keywords String 10 Government
Iptc.Application2.Keywords String 8 Historic
Iptc.Application2.Keywords String 9 Landscape
Iptc.Application2.Keywords String 10 Landscapes
Iptc.Application2.Keywords String 6 London
Iptc.Application2.Keywords String 7 Outdoor
Iptc.Application2.Keywords String 8 Outdoors
Iptc.Application2.Keywords String 9 Political
Iptc.Application2.Keywords String 5 Signs
Iptc.Application2.Keywords String 3 Sky
Iptc.Application2.Keywords String 19 St. Stephen’s Tower
Iptc.Application2.Keywords String 10 Still life
Iptc.Application2.Keywords String 6 Street
Iptc.Application2.Keywords String 7 Symbols
Iptc.Application2.Keywords String 25 Palace of Westminster
Iptc.Application2.Keywords String 7 Tourism
Iptc.Application2.Keywords String 14 Transportation
Iptc.Application2.Keywords String 6 Travel
Iptc.Application2.Keywords String 12 Tube Station
Iptc.Application2.Keywords String 11 Underground
Iptc.Application2.Keywords String 15 Vanishing Point
Iptc.Application2.Keywords String 11 Westminster
Iptc.Application2.Keywords String 16 Westminster Tube
Iptc.Application2.CountryCode String 2 gb

Within the extracted data, there are three distinct image time stamps:

Exif.Image.DateTime Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeOriginal Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeDigitized Ascii 20 2009:08:03 16:06:13

And one GPS based time stamp:

Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3

We also see the GPS co-ordinates that the image was taken at:

Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'

Although the extracted information is useful, it raises the question of how best to use that data to maximize its value.

/ Reverse Geocoding
Converting captured GPS data into longitude and latitude can be useful if you’re interested in reverse geocoding. Reverse geocoding simply refers to the process of converting longitude and latitude into a place with varying degrees of resolution. The common resolutions used in reverse geocoding include:

• Specific address
• Road
• Town or city
• County or state
• Country

The GPSLatitude and GPSLongitude fields embedded within an image have ranges of accuracy based on the satellite signal coverage at the time of capture. Typically, each field can contain up to three elements that define the location resolution of the coordinates; they are either:

• Degrees
• Degrees and minutes
• Degrees, minutes and seconds

From our example metadata above we have degrees and minutes. To convert the GPSLatitude or GPSLongitude fields to Google Maps friendly co-ordinates we do the following:

• degrees + (minutes / 60)

Then, if the Latitude or Longitude reference fields are South or West, we multiply the result from the previous calculation by -1 to make it a negative value. If we had degrees, minutes and seconds in our extracted GPS coordinates we’d do the following to calculate the longitude or latitude:

• degrees + (minutes / 60) + (seconds / 3600)
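The conversion just described, applied to Exiv2’s text output, as an added example written for this page (it is not code from the article, from Recx or from the Exiv2 project). The sample lines are a constructed subset of the listing above, in the “key type count value” layout shown there. The parser keeps repeated keys such as Iptc.Application2.Keywords as lists; the coordinate conversion accepts all three GPS resolutions (degrees; degrees and minutes; degrees, minutes and seconds) and applies the South/West sign rule; and the three EXIF timestamps the text singles out are parsed so they can be compared with each other rather than read by eye.

```python
"""Parse Exiv2 text output and convert its GPS tags to map coordinates.

Added example, not from the article or Exiv2. The sample lines below are a
constructed subset of the listing in the article.
"""
import re
from datetime import datetime

# Constructed sample in the "key type count value" layout Exiv2 prints.
SAMPLE = """\
Exif.Image.Make Ascii 6 Apple
Exif.Image.Model Ascii 7 iPhone
Exif.Image.DateTime Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeOriginal Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeDigitized Ascii 20 2009:08:03 16:06:13
Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'
Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3
Iptc.Application2.Keywords String 7 Big Ben
Iptc.Application2.Keywords String 6 London
"""

TAG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")  # key type count value
DMS_RE = re.compile(
    r"^(-?\d+(?:\.\d+)?)\s*deg"      # degrees
    r"(?:\s+(\d+(?:\.\d+)?)['’])?"   # optional minutes (typeset ’ accepted too)
    r"(?:\s+(\d+(?:\.\d+)?)\")?$"    # optional seconds
)

TIMESTAMP_KEYS = (
    "Exif.Image.DateTime",           # file change date/time
    "Exif.Photo.DateTimeOriginal",   # when the picture was taken
    "Exif.Photo.DateTimeDigitized",  # when it was stored as digital data
)


def parse_exiv2(text):
    """Map each key to the list of its values; keys such as
    Iptc.Application2.Keywords legitimately repeat."""
    tags = {}
    for line in text.splitlines():
        m = TAG_RE.match(line.rstrip())
        if m:
            tags.setdefault(m.group(1), []).append(m.group(4))
    return tags


def dms_to_decimal(value, ref):
    """Convert "51deg 30.06000'" (or degrees only, or deg/min/sec) plus the
    hemisphere reference to signed decimal degrees:
    deg + min/60 + sec/3600, negated for South or West."""
    m = DMS_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised GPS value %r" % value)
    degrees = float(m.group(1))
    minutes = float(m.group(2) or 0)
    seconds = float(m.group(3) or 0)
    decimal = degrees + minutes / 60 + seconds / 3600
    if ref.strip()[:1].upper() in ("S", "W"):
        decimal = -decimal
    return decimal


def gps_coordinates(tags):
    """(latitude, longitude) from the four GPSInfo tags, or None if absent."""
    try:
        lat = dms_to_decimal(tags["Exif.GPSInfo.GPSLatitude"][0],
                             tags["Exif.GPSInfo.GPSLatitudeRef"][0])
        lon = dms_to_decimal(tags["Exif.GPSInfo.GPSLongitude"][0],
                             tags["Exif.GPSInfo.GPSLongitudeRef"][0])
    except KeyError:
        return None
    return lat, lon


def maps_url(lat, lon, places=4):
    """The Google Maps URL form given in the article."""
    return "http://maps.google.com/?q=%.*f,%.*f" % (places, lat, places, lon)


def timestamps(tags):
    """The three EXIF timestamps as datetimes, keyed by tag name."""
    found = {}
    for key in TIMESTAMP_KEYS:
        if key in tags:
            found[key] = datetime.strptime(tags[key][0], "%Y:%m:%d %H:%M:%S")
    return found


def timestamps_agree(tags):
    """True when all present timestamps are identical; a DateTime later than
    DateTimeOriginal is the usual sign that the file was re-saved or edited."""
    return len(set(timestamps(tags).values())) <= 1


if __name__ == "__main__":
    tags = parse_exiv2(SAMPLE)
    print("device:", tags["Exif.Image.Make"][0], tags["Exif.Image.Model"][0])
    print("timestamps agree:", timestamps_agree(tags))
    coords = gps_coordinates(tags)
    if coords:
        print(maps_url(*coords))
```

To use it on real output, pipe exiv2 -pa image.jpg into parse_exiv2(); keeping four decimal places in maps_url() is enough to match the resolution of the minutes field in the listing.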


The West / South multiplication follows if required. So if we take our example:

Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'

We do the required calculations:

• Latitude = (51 + (30.06000 / 60)) = 51.501
• Longitude = ((0 + (7.48000 / 60)) * -1) = -0.124

We can then plug this into the parameters of a Google Maps URL, which has the format http://maps.google.com/?q=Latitude,Longitude; in our example this becomes http://maps.google.com/?q=51.501,-0.124.
If you don’t want to do this calculation by hand then there are a number of tools available as part of the Google Earth supplemental open source project called Google Earth Hotkey [10].
To turn these map co-ordinates into a location or address there are a number of public services like openstreetmap.org that can be used to convert the data into a consumable address in XML format:

<reversegeocode timestamp="Mon, 30 Jan 12 05:39:47 -0500" attribution="Data Copyright OpenStreetMap Contributors, Some Rights Reserved. CC-BY-SA 2.0." querystring="format=xml&lat=51.5015&lon=-0.124&zoom=18&addressdetails=1">
  <result place_id="2136837319" osm_type="node" osm_id="469762514" lat="51.5015818" lon="-0.1240972">Westminster Millenium Pier, Victoria Embankment, Whitehall, City of Westminster, Greater London, London, England, SW1A 2LW, United Kingdom</result>
  <addressparts>
    <bus_stop>Westminster Millenium Pier</bus_stop>
    <road>Victoria Embankment</road>
    <suburb>Whitehall</suburb>
    <city>City of Westminster</city>
    <county>Greater London</county>
    <state_district>London</state_district>
    <state>England</state>
    <postcode>SW1A 2LW</postcode>
    <country>United Kingdom</country>
    <country_code>gb</country_code>
  </addressparts>
</reversegeocode>

Extracting and converting the GPS information is useful, but on its own is just another source of information. This begs the question: how do we take this data, visualize it and identify relationships with other sources?

/ Visualization and Relationship Identification
The concept of visualizing relationships within an investigation is by no means new. Well-established products like I2’s Analyst Notebook [11] and emerging products such as Paterva’s CaseFile [12] already provide the means to graph interconnects between distinct objects through manual data input. However, the application of visualization and relationship identification solutions directly to forensic data mining is only now emerging. The volume of data associated with an investigation has created a requirement to utilize automated solutions, particularly as multi-case investigations are becoming more common.
When looking at extensible visualization, relationship identification and data mining engines there are three key technologies on the market today:

• I2’s range of products [13]
• Palantir [14]
• Paterva’s Maltego [15]

When deciding which product to build upon we wanted a low cost barrier of entry. While I2’s and Palantir’s solutions have gained significant traction within central governments around the world, and in the case of I2 law enforcement, they are also a substantial investment when working with smaller point specific problems. This, combined with the fact that we had experience of Maltego and its existing open source intelligence plug-ins, resulted in us selecting it as the product to initially build our solution upon.
When developing for Maltego you have to first choose which model you’re going to adopt for your extension (transform). The available options are:

• Public (cloud) server based
• Private server based
• Private database based
• Local client based

Sending forensically acquired data off-site across the Internet is unlikely to be acceptable, so that ruled out the public server based solution. A private server or database server would have likely been overkill at this initial stage. As a result, a local plug-in to the analyst workstation was selected as the best method, at least for the initial release.
The interface between Maltego and its external transforms is XML based and well documented. When embarking on such a custom Maltego transform it is wise to spend time during the initial design stages answering:

53

DF11_51-54_Image Forensics.indd 53 25/04/2012 13:40


/ FROM THE LAB

• Which new Maltego entities will need to be defined?
• Which existing Maltego entities can be leveraged?
• What will the relationships between entities look like?
• What will the relationships between entities and other transforms be?

As a result of answering these questions we defined a number of new entities:

• Local folder entity: used to represent a local file path on the workstation.
• Interim image entity: shows which files in the specified file path either contain EXIF data or were taken in the specified location.
• Time and/or date entity: represents any time and date EXIF data.

We also utilised a number of pre-defined Maltego entities so that the user can use existing transforms to create these entity types, or to allow further data extraction or mining. The existing Maltego entities we used were:

• Device: extracted mobile device make, model and serial number (if available).
• Image: the image, including thumbnail.
• GPS co-ordinates: extracted co-ordinates.
• Phrase: used for the software details contained in the EXIF data.

Using the existing entities for the data we extract, where appropriate, allows relationships to be created with entities produced by other transforms, such as Internet based image GPS data mining, whilst allowing other transforms to take the data and further extend or mine it as appropriate.

/ Putting It All Together
With the Recx image forensic transforms installed and a small set of sample data we are then able to do the following:

1. Specify a local file path and extract only the images from that path which have GPS EXIF data present.
2. From the set of image entities extract:
   a. GPS co-ordinates.
   b. Capturing device make and model.
   c. Time and date properties.
3. Resolve, using the GPS co-ordinates, the broad location where the images were taken.

We can quickly see the following based on the available data from the test images when visualised:

• They were taken on the same date.
• They were taken in the same location.
• They were taken with the same make and model of device.
• They were taken on the same day over a period of 32 minutes.

/ Conclusions and Closing Thoughts
In this article we have discussed the point specific problem of photograph image metadata forensics: the information available, how to extract it, and the benefits of visualisation, relationship identification and data mining. We believe this type of solution has significant implications for the world of digital forensics. So much so that we have taken it a step further and integrated the same concepts with an existing desktop forensics solution, which we will hopefully discuss in a future issue. /

/ Author Bio
Ollie Whitehouse is one of the co-owners of Recx and actively works in the field of consulting, research and development. He has extensive experience in both software security and consulting and applied computer security research. Over the past eleven years he has worked for @stake, Symantec and Research In Motion (BlackBerry) in a variety of roles including technical director and manager of a pan European security research and assessment team.

Recx Ltd was formed in 2009 by a group of skilled British nationals who together have a combined experience of over fifty years in the field of systems and network attack, defence, exploitation and applied security research. Recx's pedigree comes from its employees, who have worked for organisations such as DERA, QinetiQ, DSTL, @stake, Symantec, Logica and Research In Motion (BlackBerry) in the fields of information and software security research, assessment and consultancy. Instead of claiming to solve all of the world's information security problems with its software, Recx focuses on specific real-world problems.

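As an added worked example (this is not code from the Recx transforms or from the article), the following Python script carries out in miniature the three steps listed under "Putting It All Together": it converts EXIF GPS rationals to decimal degrees, parses the reverse geocoding XML reply quoted earlier in the article (the OpenStreetMap Nominatim response format; the reply is embedded with its ampersands escaped so that it is well-formed XML), and groups a constructed set of three image records to derive the same-device, same-location and time-span observations. The image records, their co-ordinates and timestamps are invented test data, and the 150 m "same location" radius is an assumption.

```python
"""Added example: EXIF GPS conversion, reverse geocode parsing and grouping
of image metadata. Not part of the Recx Maltego transforms."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime

# The reverse geocode reply quoted in the article (OpenStreetMap Nominatim
# XML), re-embedded here with '&' escaped so that it parses as XML.
REVERSE_GEOCODE_XML = """<reversegeocode timestamp="Mon, 30 Jan 12 05:39:47 -0500"
  attribution="Data Copyright OpenStreetMap Contributors, Some Rights Reserved. CC-BY-SA 2.0."
  querystring="format=xml&amp;lat=51.5015&amp;lon=-0.124&amp;zoom=18&amp;addressdetails=1">
  <result place_id="2136837319" osm_type="node" osm_id="469762514"
    lat="51.5015818" lon="-0.1240972">Westminster Millenium Pier, Victoria Embankment,
    Whitehall, City of Westminster, Greater London, London, England, SW1A 2LW, United Kingdom</result>
  <addressparts>
    <bus_stop>Westminster Millenium Pier</bus_stop>
    <road>Victoria Embankment</road>
    <suburb>Whitehall</suburb>
    <city>City of Westminster</city>
    <county>Greater London</county>
    <state_district>London</state_district>
    <state>England</state>
    <postcode>SW1A 2LW</postcode>
    <country>United Kingdom</country>
    <country_code>gb</country_code>
  </addressparts>
</reversegeocode>"""

# Constructed image records standing in for the EXIF fields the transforms
# extract (make/model, DateTimeOriginal, GPS). Invented test data.
SAMPLE_IMAGES = [
    {"file": "IMG_0101.jpg", "make": "Apple", "model": "iPhone 4",
     "datetime": "2012:01:30 10:00:12", "lat": 51.50158, "lon": -0.12410},
    {"file": "IMG_0102.jpg", "make": "Apple", "model": "iPhone 4",
     "datetime": "2012:01:30 10:14:40", "lat": 51.50149, "lon": -0.12372},
    {"file": "IMG_0103.jpg", "make": "Apple", "model": "iPhone 4",
     "datetime": "2012:01:30 10:32:12", "lat": 51.50171, "lon": -0.12455},
]
EXIF_DATETIME = "%Y:%m:%d %H:%M:%S"   # EXIF DateTimeOriginal layout


def dms_to_decimal(dms, ref):
    """EXIF GPSLatitude/GPSLongitude hold three rationals (deg, min, sec) as
    (numerator, denominator) pairs; GPSLatitudeRef/GPSLongitudeRef give the
    hemisphere. Returns signed decimal degrees."""
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if ref.upper() in ("S", "W") else value


def reverse_geocode_query(lat, lon, zoom=18, places=4):
    """Query string in the form the article's request used. Rounding to a few
    decimal places (roughly 10 m at four places) is enough for the 'broad
    location' step and sends less precision off the workstation."""
    return "format=xml&lat=%.*f&lon=%.*f&zoom=%d&addressdetails=1" % (
        places, lat, places, lon, zoom)


def parse_reverse_geocode(xml_text):
    """Pull lat/lon, the display name and the address parts out of the reply."""
    root = ET.fromstring(xml_text)
    result = root.find("result")
    parts = {child.tag: (child.text or "").strip()
             for child in root.find("addressparts")}
    return {
        "lat": float(result.get("lat")),
        "lon": float(result.get("lon")),
        "display_name": " ".join(result.text.split()),
        "address": parts,
    }


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def summarise(images, radius_m=150.0):
    """The relationships the visualisation exposes: one device, one day, one
    place (all within radius_m of the first image) and the time span."""
    devices = {(img["make"], img["model"]) for img in images}
    times = sorted(datetime.strptime(img["datetime"], EXIF_DATETIME) for img in images)
    lat0, lon0 = images[0]["lat"], images[0]["lon"]
    max_dist = max(haversine_m(lat0, lon0, img["lat"], img["lon"]) for img in images)
    return {
        "same_device": len(devices) == 1,
        "same_day": len({t.date() for t in times}) == 1,
        "span_minutes": int((times[-1] - times[0]).total_seconds() // 60),
        "same_location": max_dist <= radius_m,
        "max_distance_m": round(max_dist, 1),
    }


if __name__ == "__main__":
    place = parse_reverse_geocode(REVERSE_GEOCODE_XML)
    print(reverse_geocode_query(place["lat"], place["lon"]))
    print(place["address"]["postcode"], "-", place["display_name"])
    print(summarise(SAMPLE_IMAGES))
```

The same objection the article raises against a public (cloud) transform server applies to step 3: sending each image's co-ordinates to a public reverse geocoder discloses where evidential photographs were taken. Running a local copy of the geocoding service, or resolving only the rounded co-ordinate, keeps that data on the analyst workstation.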


COMPETITION
/ This issue we have A TARANTULA CHINESE CELL PHONE ANALYSIS KIT TO GIVE AWAY, COURTESY OF EDEC

/ Question
In his article, "Visualising Photographic Image Metadata for Effective Data Mining", Ollie Whitehouse explains that image metadata can be stored in three formats, EXIF, IIM and XMP. What does the acronym XMP stand for?

A. EXTENSIBLE METADATA PLATFORM
B. EXTENDABLE METADATA PLATFORM
C. EXTENDABLE METADATA PROCESSES

/ To Enter
To enter the competition all you need to do is send an email to: competition@digitalforensicsmagazine.com, writing ISSUE11COMP in the subject line, and include your name, address and phone number with your entry.

TERMS AND CONDITIONS
This competition is open to anyone aged 18 or over, except for employees of TR Media Ltd and their immediate families. Only one entry is permitted per person. Entries can be submitted by email only to competition@digitalforensicsmagazine.com. TR Media shall not be responsible for technical errors in telecommunication networks, Internet access or otherwise, preventing entry to this competition. Closing date for all entries is on 1 June 2012 at 9.30am GMT. Any entries received after that time will not be included. The correct winning entry, chosen at random by the DFM team, will be notified by email on 01/07/2012. The winners may also be announced in Issue 11 of the magazine and on the Digital Forensics Magazine website. Submitting your entry constitutes your consent for us to use your name for editorial or publicity purposes, should you be one of the winners. TR Media Ltd reserves the right to change or withdraw the competition and/or prize at any time. By entering the competition, entrants are deemed to have accepted these terms and conditions.


/ FEATURE

TRAP YOUR OWN BOTNETS


Techniques for forensic examination of BotNets
by Brian Cusack & Junewon Park

/ ADVANCED

The economic driver for BotNet propagation is simple. Someone (the master or herder) sets up a network of control over many computers (bots) and steals their computing and communication resources. The stolen property is then sold on to willing buyers who make a living from spamming, theft of personal identities, extortion, DDoS attacks and so on. It is a simple economic formula that delivers high financial gains and the motivation to continue the development of anti-forensic techniques to avoid detection. We reasoned that it would not be hard to find examples of BotNets in action and, more from boredom than from a serious research perspective, we placed a honeypot outside the Lab firewall and took a look at the free space of the web (WWW). After 11 days the honeypot reported more than 140,000 exploitation attempts, the repelling of 3,227 attacks, 1,466 malware samples and 110 unique binaries. Not a bad effort for an average day's work.

It was interesting. If the open web is polluted with such a vast array of malware at any given instant, what are the implications for the unwary? How can serious investigations be attempted? What tools would be helpful for forensic examination? It would seem the bait of easy economic gains is fuelling a demise that has the potential to impair open communications and network systems. The intelligence of bots and their continually changing adaptation mechanisms suggest that they will not just go away. The threat requires a response and for our part we decided to investigate further. The first step was to analyse the huge dump of malware and to categorise it. All of this occurred outside the firewall, as we did not want trouble, and we outsourced the analysis to external service suppliers. Once categorised, we selected a number of binaries, brought them inside the firewall and allowed them to attack one of our own machines in order to learn the malware behaviours (see Figure 1).

Figure 1. System Architecture for our Bot Investigation

/ CATCH YOUR OWN BINARIES
The analysis reports showed that 96% of the malware was either Conficker.B or Conficker.C. Our honeypot was hosted on a virtual server and connected to the external service supplier for the analysis. Virtualisation software provided the most efficient and flexible method to catch a BotNet. If a researcher only used physical computers and did their own analysis then the costs would increase significantly. Costs are not just financial but also include efficiency and risk management; by using a hybrid of physical, virtual and outsourced services we optimised accuracy, efficiency and the budget bottom line. Table 1 lists the full scope of the software and services we used.

The honeypot was hosted virtually on VMware and the analysis services were outsourced to Anubis and CWSandbox. After virus scanning, the binaries were further analysed using unpacking, string extraction and reverse engineering techniques, compiling the static evidence, and then run in a dynamic simulation on a secure machine.

Type                          Name                            Purpose
Malware collection            Dionaea                         A low interaction honeypot that collects a copy of the malware exploiting the vulnerabilities it exposes
Virtualisation                VMware Workstation, VirtualBox  Tools for virtualising the computer system
Forensic image                Helix Pro                       A forensic tool specified for incident response
Memory analysis               Volatility Framework            A forensic tool that can extract various types of information from a memory image
Initial virus scan            VirusTotal                      A public service that analyses suspicious files and URLs
Initial sandbox analysis      Anubis, CWSandbox               Public services that analyse the behaviour of Windows PE executables with a special focus on malware
Packer detectors              PEiD v0.94                      A tool that detects packers, cryptors and compilers for Windows PE executables
String extractor              BinText v3.03                   A tool that finds ASCII, Unicode and resource strings in a file
Disassemblers and debuggers   IDA Pro, OllyDbg                Tools for reverse engineering
Table 1. Software and services used in our Bot investigation


We found that the purpose and the behaviour of the BotNets could be established from the reports provided by the outsourced service providers. For each process, the malicious code's activity is described under file, registry and network activities. Figure 2 shows the result of the IRCBot analysis. The process that is responsible for the malicious activities is visible and, in this case, the submitted binary performs its malicious activities by creating a Windows batch file named a.bat in the Windows root folder, followed by a suspicious process that runs a series of command line instructions. For instance, Process #2 (ID: 24), Process #3 (ID: 1572), Process #5 (ID: 816) and Process #6 (ID: 1964) execute the following instructions:

C:\> cmd /c net stop "SharedAccess"
C:\> a.bat
C:\> cmd /c net stop "Security Center"
C:\> cmd /c net start "SharedAccess"

The first instruction disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service. The third stops the Windows Security Center service, which manages the computer's security settings such as Windows Update, Windows Firewall and the installed anti-virus software package. Later, a suspicious process runs an instruction to change Registry values with regedit.exe in silent mode to complete the intended purpose.

Figure 2. The analysis summary of the IRC Bot

In the file activities section, the results showed evidence of the malicious code in the infected system. The a.bat file was created by Process #1 (ID: 632). At the same time, this process copied itself to the Windows System folder (C:\WINDOWS\system) under the name 'servicer.exe'. Next, the batch file created a Registry file named 1.reg in the administrator's temporary folder (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\); this Registry file was loaded by the same process. After executing the batch file and updating the Registry, the batch and Registry files were deleted to hide their activities; in addition to the deletion of the created files, the originally infected file was also deleted by the process which launched the copied file. Table 2 shows the summary of the file activities of IRCBot on the infected machine.

Table 2. IRCBot Activity Summary

/ The Functionality of Honeypots
Honeypots are a construct that presents a target of value to attract malicious attack. They may be virtual or real, and internal or external to a network. They work by attracting the participation of a suspect and then recording the behaviours of the suspect. The record is a full 360 degree appraisal of the actions and no aspect is left undocumented. The suspect may be a live hacker, a bot or any other automated malware. The honeypot acts like a collector unit for any unauthorised activity. Honeypots may be classified by deployment and by the level of intended interaction. A production honeypot, for example, is usually inside a business with the intent of increasing the level of security and is generally designed for a low level of interaction. A research honeypot is usually outside the firewall and set to gather information on the motivations and tactics of attackers. The output is further analysis and the dissemination of reports on new attack signatures. They may be high or low in terms of interaction. Useful honeypots, which often include external analysis services, can be downloaded for implementation. For example, http://www.honeynet.org; http://anubis.iseclab.org; and others that can be found by a simple web search.

In the report, Registry activities of malicious binaries are classified in five sub-categories: Open keys, Set values, Query values, Delete values and Enum values. Set values are the most important because those values are created or modified. The impact of the code changing the Registry is to disable the security services of the operating system and to register a malicious service to start at boot time. The IRCBot processes prevent the Windows Security Center and Update services from starting automatically. In addition, the attacker changed the TCP/IP service parameter for a reason which is not evident from this analysis report.

In the network section, the report showed that the network communication is through an IRC channel. Process #8 (ID: 252) communicated with 60.10.179.100:8681 (the IP address of a remote host). The process used "SP2-501" as its user name and "USA|XP|SP3|446911" as its nickname. From the keywords in the communication messages, the researcher can infer that this binary has the capability for DDoS attack. The BotNet that this bot belongs to has at least two Command & Control (C&C) servers: 58.240.104.57 is for update and 60.10.179.100 for distribution.
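To make the file, Registry and network observations above something an analyst can re-run, here is an added example, not code from the authors or from Anubis/CWSandbox: a small Python triage script over a constructed activity listing that mimics the behaviour the report described (the line format "section; key=value; ..." is this example's own, not any sandbox's output). It flags the stopped security services, the self-copy into the Windows System folder, the silent regedit import, services disabled in the Registry, the deletion of files the sample itself created, and the IRC connection, and it decodes the nickname on the assumption that USA|XP|SP3|446911 follows the common country|OS|service pack|bot id convention, which is an analyst's hypothesis rather than something the report states. The service names wscsvc and wuauserv and the Start=4 (disabled) values are assumed for the Registry entries, since the article does not give them.

```python
"""Added example: triage of a sandbox-style activity listing for the IRCBot
indicators described in the article. The listing format is invented."""
import re

# Constructed excerpt modelled on the reported IRCBot behaviour. One event
# per line: section; key=value; ... (not a real Anubis/CWSandbox layout).
SAMPLE_REPORT = r"""
process; pid=632; ppid=0; cmd=C:\sample.exe
file; pid=632; op=create; path=C:\WINDOWS\a.bat
file; pid=632; op=copy; path=C:\WINDOWS\system\servicer.exe
process; pid=24; ppid=632; cmd=cmd /c net stop "SharedAccess"
process; pid=1572; ppid=632; cmd=a.bat
file; pid=1572; op=create; path=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
process; pid=816; ppid=1572; cmd=cmd /c net stop "Security Center"
process; pid=1100; ppid=1572; cmd=regedit.exe /s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
registry; pid=1100; op=set; key=HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start; data=4
registry; pid=1100; op=set; key=HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start; data=4
process; pid=1964; ppid=1572; cmd=cmd /c net start "SharedAccess"
file; pid=1572; op=delete; path=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
file; pid=1572; op=delete; path=C:\WINDOWS\a.bat
file; pid=1572; op=delete; path=C:\sample.exe
network; pid=252; proto=tcp; dst=60.10.179.100:8681; data=NICK USA|XP|SP3|446911
network; pid=252; proto=tcp; dst=60.10.179.100:8681; data=USER SP2-501 0 0 :SP2-501
"""

# Services whose stopping is a defence-evasion indicator on Windows XP:
# SharedAccess (ICF/ICS firewall), the Security Center and Automatic Updates.
SECURITY_SERVICES = {"sharedaccess", "security center", "wscsvc", "wuauserv"}
IRC_VERBS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\s")
NET_STOP = re.compile(r'net\s+stop\s+"?([^"]+?)"?\s*$', re.I)
SILENT_REGEDIT = re.compile(r"^regedit(\.exe)?\s+/s\s+(\S+)", re.I)


def parse_report(text):
    """Turn the listing into a list of event dicts, one per line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, *fields = line.split("; ")
        event = {"section": section}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def decode_irc_nick(nick):
    """Nicks of the USA|XP|SP3|446911 form are commonly country|OS|service
    pack|bot id. Treat the labels as a hypothesis to confirm, not a fact."""
    return dict(zip(("country", "os", "service_pack", "bot_id"), nick.split("|")))


def triage(events):
    """Walk the events once and collect the indicators worth reporting."""
    tracked = set()      # paths the sample created, plus its own image
    findings = {"services_stopped": [], "self_copy": [], "silent_reg_import": [],
                "services_disabled": [], "cleanup": [], "c2": [], "irc_identity": {}}
    for ev in events:
        if ev["section"] == "process":
            if ev.get("ppid") == "0":
                tracked.add(ev["cmd"].lower())          # the submitted binary
            m = NET_STOP.search(ev["cmd"])
            if m and m.group(1).lower() in SECURITY_SERVICES:
                findings["services_stopped"].append(m.group(1))
            m = SILENT_REGEDIT.match(ev["cmd"])
            if m:
                findings["silent_reg_import"].append(m.group(2))
        elif ev["section"] == "file":
            path = ev["path"]
            if ev["op"] in ("create", "copy"):
                tracked.add(path.lower())
                if ev["op"] == "copy" and path.lower().startswith(r"c:\windows\system"):
                    findings["self_copy"].append(path)
            elif ev["op"] == "delete" and path.lower() in tracked:
                findings["cleanup"].append(path)     # anti-forensic tidy-up
        elif ev["section"] == "registry":
            key = ev["key"]
            # Services\<name>\Start = 4 means SERVICE_DISABLED
            if ev["op"] == "set" and key.lower().endswith(r"\start") and ev["data"] == "4":
                findings["services_disabled"].append(key.split("\\")[-2])
        elif ev["section"] == "network":
            if IRC_VERBS.match(ev["data"]):
                host, port = ev["dst"].rsplit(":", 1)
                if (host, int(port)) not in findings["c2"]:
                    findings["c2"].append((host, int(port)))
                if ev["data"].startswith("NICK "):
                    findings["irc_identity"] = decode_irc_nick(ev["data"][5:].strip())
    return findings


if __name__ == "__main__":
    for name, hits in triage(parse_report(SAMPLE_REPORT)).items():
        print("%-18s %s" % (name, hits))
```

The rules are deliberately narrow: they encode exactly the behaviours the report exposed, so a second sample that disables a different service or uses a non-IRC channel will pass through silently. Widen the service list and the protocol verbs as further reports are read, and keep the nickname decoding labelled as an inference until a captured command confirms it.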

/ WHAT TO LOOK FOR
Knowing what to look for is the most difficult problem once the service provider has delivered the report. There is also the question of where the extracted evidence sits in the life cycle of a BotNet. The creation of a BotNet starts from using already known vulnerabilities on a victim system (including social engineering attacks). During the initial infection phase, the attacker scans a target subnet for any known vulnerabilities and infects victim machines through different exploitation methods. The spreading mechanism of a BotNet includes several infection strategies already used in worms, viruses and social engineering.

After the initial infection comes the secondary injection phase: the infected hosts execute a script known as shellcode; this shellcode fetches the image of the actual bot binary from a specific location using either File Transfer Protocol (FTP), HTTP or Peer to Peer (P2P) (see Figure 3) and installs it on the target machine. Once the bot program is installed, the victim computer turns into a 'zombie' and runs the malicious code. The bot application starts automatically each time the zombie is rebooted.

Figure 3. BotNet architectures

The BotNet architecture is defined by its protocol and modes of operation. BotNets which have already launched attacks continuously maintain the connection with their bot masters and are commanded to update their binary code. The main purpose of this process is to evade detection techniques or to add new functionality to installed bots. In certain cases, the bots can move to a different C&C server. It is useful for bot masters to keep their BotNet alive so that it can be updated. Bot masters also try to keep their BotNets invisible and portable by using Dynamic Domain Name System (DDNS), a resolution service that facilitates frequent updates and changes in server locations. In cases where the authorities disrupt a C&C server at a certain IP address, the bot master can instantly set up another C&C server with the same name at a different IP address.

There are two features to be observed in any BotNet investigation: the network feature and the software feature. In terms of the network feature, it is worthwhile looking at the difference between bot clients running on an infected system and the previous generation of malicious code such as viruses or worms. Bot clients can use the functionality of other malicious code to propagate themselves, in order to hide from detection and to attack the target. The primary difference between bot clients and viruses or worms is that bot clients are able to take action autonomously and execute the given commands in a coordinated manner. Bot clients have the ability to perform their actions when the attackers are not logged into the target machine. Further, the bots communicate with each other to achieve the same goal. To accomplish this they use the C&C channel to construct a typical BotNet, which consists of one or more bot servers and thousands of bot clients. For this reason, a BotNet can be classified by its C&C.

The software features of the bots show that they are modular, adaptive and targetable. The BotNet is a collection of various malicious codes. During the evolution of a BotNet it is armed with modularity and extendibility. Modularity means that when a typical BotNet is formed, each module is employed to serve a specific purpose; e.g. one module exploits some kind of vulnerability in the target and then another module stops the antivirus software which is supposed to protect the targeted system. After securing the bot client, a third module looks for new vulnerable systems.

/ Botnet Propagation Methods
The propagation method employed by botnet masters has moved from a "push" based model, where the bots are commissioned to remotely intrude into a system through security flaws, to a "pull" based model, where the unwitting host performs an action like a download or a mouse click. One of the propagation techniques in this new model is the use of various social engineering techniques. For example, attackers gather visitors to a website with phishing methods and lead the visitors to accidentally download the malware. Another technique involves the exploitation of various browser vulnerabilities. In this case, visitors automatically download malware and run it without their knowledge. These techniques are called 'drive-by downloads'. Using these techniques, the number of victims can be increased easily and without any barriers, because conventional protection mechanisms cannot prevent infection.

In any botnet investigation, the evolution of the botnet malware propagation method towards the pull based model makes it difficult for investigators to reconstruct the initial phase of a botnet attack. When investigating a botnet that uses a traditional method such as the push based model, investigators might reveal the fingerprints of the infection by finding the vulnerabilities of the system. However, to find the initial phase of an attack in pull based botnets, investigators must consider the various possibilities of how the botnet malware was distributed.


Modular bots can easily adopt different functionalities to exploit the host system. When a bot discovers a new vulnerability on a victim system, it can automatically install a specific module which can attack that vulnerable point. This means that defeating one component of a BotNet is not enough to ensure that the entire system is cleaned up. The bots also utilise a number of techniques to increase their continuity and stability depending on the situation of the specific system targeted. With targeting capability, bot attackers can customise their attacks to the client market. The targeting capability of BotNets is adaptive as well: the bot client can check the newly infected host for applications so that it knows how to make use of the newly infected system. The creation of BotNets is comprised of five steps: initial infection, secondary infection, connection, malicious command and control, and update and maintenance. After propagation, a new bot establishes a command and control (C&C) channel to communicate with the control server. This communication means the bot has joined the BotNet. Once this happens, the specific bot becomes a member of a bot master's zombie army. The attacker disseminates commands through the C&C channel, and the bot receives and executes those commands. In this phase, bots remotely controlled by a bot master can conduct various malicious activities such as exploiting other machines, commencing DDoS attacks and so on.

/ GIVING IT A GO
We are not suggesting in this article that you let malicious binaries loose on your home or work network just to observe the behaviour. It is prudent to take your first steps outside your firewall and to outsource the risks associated with analysis to an external service provider. The starting point of a good investigation is to be able to read the service provider's report in sufficient detail that an overall picture of the BotNet activity is apparent, and then to be able to focus on particular events. The intrusion vector can be identified and the evidence ordered around the reconstruction of the activities conducted after infection. The information extracted from the memory image can show how the Registry values were changed to disable the firewall and Security Center services and so on. The limitation is that the information will not show how those activities happened and what is to happen in the future. Static code analysis can verify up to that limit, and unpacking tools can be used to work out how the binary is constructed. At this point considerable knowledge should have been gained and, if the competency and skills exist, dynamic testing of the binary can proceed in order to understand its future behaviours.

Our half-hearted exploration leaves a number of questions unanswered and open for further investigation. Further work is required to better understand BotNet hierarchies and also the impact of BotNets on mobile devices. We were able to identify two IP addresses that were being used for the C&C servers but could not detect whether these IPs had been spoofed. The propagation methods were clear and the sequence of events defined. Further refinement may include geographic units and organisational units (for example to identify bank fraud or Stuxnet type unit targeting). Through the investigation of an infected host it is possible to reconstruct a BotNet incident. Even though the information extracted from the memory image is not sufficient on its own, it shows evidence of the malicious BotNet process on that machine. The BotNet binary extracted from the memory image is a critical clue that the investigator is able to map onto existing knowledge. The analysis procedure used static, live and existing data, and it focused on the preservation of the integrity of digital evidence with the intent of increasing repeatability. Most analysis activities were conducted in a controlled environment and suggested that a standardised procedure can be developed. Regardless of the professional possibilities for sorting out BotNet forensic practices, it is not hard to begin a low risk investigation and to learn the fundamental steps for knowing the attacker. /

/ Expert tip
Sandboxes are a safe way to process captured binaries. These services are run by service suppliers who can manage the executable risk. Antivirus scanning is a quick and easy way to classify unknown files, and many antivirus vendors offer scanning services to the public, for example http://www.virustotal.com. In computer security, a sandbox is a security service that is used to execute unverified or untrusted program code. For malware analysis the supplier executes the malware in a monitored environment and performs behaviour analysis without infection risk. Three suppliers of this service are http://anubis.iseclab.org; http://www.norman.com; and http://www.sunbeltsecurity.com.

/ Author Bio
Dr Brian Cusack comes from a background of academic research in IS Security and IT Forensics. He currently leads the AUT University Digital Forensic Research Laboratories and chaired the ISO study group that inquired into corporate Digital Forensic readiness.

Junewon Park has a Master of Forensic IT Honours degree and is a Researcher at the AUT Digital Forensics Laboratories, Auckland, New Zealand. His research interests include malware, networks, IT security systems, and forensic tools and techniques. He is employed as an IT security consultant and also undertakes commercial digital forensic services for investigators and data recovery for clients.


/ FEATURE

COVERT CHANNELS IN
NETWORK PROTOCOLS
This is the first in a series of articles that look at the use of covert storage channels
within six specific network protocols and fields and evaluate their effectiveness.
by Matthew Isbell
/ ADVANCED

In a world where new technologies are released daily, the potential for the technology to be used for malicious ends or conflict is in a constant state of growth. In such a situation, communications links are a necessity for battle damage assessment, command and control, information extraction and situation reports. This communication will have to use the networked technologies that are being used to attack and are also being attacked as a result of conflict, partly because of the wide existence of network protocols and partly because it is relatively simple to implement a covert channel within them. Hence, the communications must be covert in nature, allowing for maximum discretion while also transmitting as much information as possible.

Covert channels are best described using the prisoner problem, as explained by Radhakrishnan and Shanmugasundaram (2002). The analogy describes two inmates, Alice and Bob, who wish to communicate in order to plan their escape, but all communication between them is monitored by Wendy, the warden, who will put them in solitary confinement should she suspect the slightest hint of secret communication. The problem is solved using steganographic techniques, in which the information is hidden within a benign medium, thus allowing the communication to take place without arousing the warden's suspicion. In the same way, if we view Alice and Bob as two systems on a network that should not be communicating and Wendy as a third system or the system administrator, then covert channels provide the communications channel.

This article looks at the implementation and assessment of different covert channels according to three attributes: bandwidth/capacity, stealth and reliability. Stealth refers to whether a third party can view the transmissions and to what extent they can decipher the message. Reliability refers to packet loss and ordering of the transmission; e.g. if a transmission comes through as it was sent, with minimal packet loss, then it is said to be reliable.

/ Covert Channels
Secure computer systems use both mandatory and discretionary access controls (Kemmerer, 1991) to restrict the flow of data and information to legitimate channels only. Kemmerer further notes, however, that the potential for exploitation of storage locations and timing processes to create covert channels was increasing as security protocols became more robust.
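The storage channel class Kemmerer describes can be shown end to end in a few lines. The following Python is an added example, not code from the article or from its cited authors: it hides a message in the 16-bit IP Identification field of IPv4 headers built in memory (nothing is sent on the wire), and the receiver recovers it. The design spends the high byte of the field on a sequence number so that reordering and loss, the reliability attributes defined above, can be detected and corrected; this halves the capacity to 8 bits per packet. The addresses used are invented.

```python
"""Added example: a covert storage channel in the IPv4 Identification field,
built on in-memory headers. Not code from the article."""
import random
import socket
import struct

PAYLOAD_BITS_PER_PACKET = 8   # low byte of the ID carries data, high byte a sequence number


def ip_checksum(header):
    """RFC 791 one's-complement sum over 16-bit words. Over a header that
    already carries a correct checksum the result is zero."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident, src, dst, ttl=64, proto=6):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, so the
    carrier looks ordinary apart from the chosen Identification value."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                 # DF set, fragment offset 0
    total_length = 40                   # header plus a bare TCP header as carrier
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def read_ident(header):
    """Receiver side: reject damaged headers, then return the ID field."""
    if len(header) < 20 or ip_checksum(header[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return struct.unpack("!H", header[4:6])[0]


def encode(message, src="10.0.0.5", dst="10.0.0.9"):
    """One packet per message byte: ID = (sequence << 8) | byte."""
    if len(message) > 256:
        raise ValueError("8-bit sequence number: at most 256 bytes per run")
    return [build_ipv4_header((seq << 8) | byte, src, dst)
            for seq, byte in enumerate(message)]


def decode(headers):
    """Reassemble from whatever arrived, in any order. Returns the message
    with '?' for lost positions and the list of missing sequence numbers.
    A loss at the very end is invisible: nothing arrives to mark it."""
    slots = {}
    for h in headers:
        ident = read_ident(h)
        slots[ident >> 8] = ident & 0xFF
    if not slots:
        return b"", []
    last = max(slots)
    missing = [s for s in range(last + 1) if s not in slots]
    recovered = bytes(slots.get(s, ord("?")) for s in range(last + 1))
    return recovered, missing


def demo():
    """Reorder the packets and drop sequence 5 to exercise the reliability handling."""
    packets = encode(b"meet at dawn")
    random.Random(7).shuffle(packets)
    packets = [p for p in packets if (read_ident(p) >> 8) != 5]
    return decode(packets)


if __name__ == "__main__":
    text, lost = demo()
    print(text, "missing:", lost, "capacity:", PAYLOAD_BITS_PER_PACKET, "bits/packet")
```

On the stealth attribute this encoding scores poorly by design: a run of packets whose Identification values climb by exactly 0x0100 with a printable low byte is easy to pick out against a host's normal ID generation. Masking the field with a keystream shared by both ends, or restricting the values to those the host would plausibly emit, trades some capacity for stealth; the sequence-number scheme is what buys reliability.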


Tumoian and Anikeev (2005) explain that the first step when unauthorised access is gained is to obtain information from the compromised system. However, in order to maintain secrecy of the data exfiltration, mainly using malware, covert channels are implemented. They describe covert channels in general terms as "transferring data in unused fields of network protocols".

Covert channels are a means of communication between two processes that are not permitted to communicate, but do so, a few bits at a time, by affecting shared resources. This is very similar to the definition given by Son et al. (2000), who describe a covert channel as a mechanism that "allows indirect transfer of information from a subject at a higher access class to a subject at a lower access class", using the Bell-LaPadula access model to illustrate the differences between the access levels and subjects and objects. Melliar-Smith and Moser (1991) provide further evidence for this statement by explaining how, even though technology is successful at preventing "direct unauthorised communications in multilevel secure computer systems," it is not as effective at protecting those types of systems against covert channel attacks. Both authors also explain that knowledge of a covert channel is not sufficient protection against it and that the use of these channels must be prevented, including any potential channels that we are not aware of.

This is different from information hiding, where two parties are allowed to communicate but the content is censored or restricted, and so, using 'piggybacking' techniques, information is sent invisibly across the legitimate channel.

Zander, Armitage and Branch compare covert channels in network protocols to data hiding techniques in a different way. They explain that covert channels are very similar to data hiding techniques in textual, audio or visual media. Steganography requires content as a cover while covert channels require some network protocol as a carrier. Thus they are not as different as previously described.

Writing in 1999, Millen did not see covert channels as a major threat as they required 'Trojan Horses' to implement them and were difficult to implement. This situation has changed greatly in the last decade with new technologies and the use of application levels to transmit data covertly. However, Millen's closing statement is an answer from Bob Morris to the question of whether covert channels are a threat, to which Morris answers simply, "Yes."

In terms of what protocols can be used as covert channels, Giani, Berk and Cybenko (2006) describe the following as useful protocols: HTTP, FTP, SSH and email. Zander, Armitage and Branch (2007) provide more specific examples of covert channels such as unused header bits, header extensions and padding, IP Identification and Fragment Offset, the TCP initial sequence number field, checksum fields, modulating the IP Time to Live field, modulating address fields and packet lengths, modulating timestamp fields, packet rate/timing, message sequence timing, packet loss, frame collisions, ad-hoc routing protocols, wireless LAN, HTTP, DNS and payload tunnelling.

All research that discusses covert channels divides them into two distinct classes: covert timing channels and covert storage channels.

/ SYSTEMS & TOOLS
System configuration and software to be used in the testing and analysis stage:

• Processor: AMD Athlon™ 64-bit Processor 3500+
• RAM: 4 GiB
• Operating System: Ubuntu 11.04 (Natty Narwhal)
• Kernel: Linux 2.6.38-11-generic-pae
• GNOME 2.32.1

The following software and tools will be used. All tools are either built in to the Linux distribution used or downloaded and installed using the Ubuntu Software Centre utility.

• Wireshark
• Packit
• PackETH
• MD5 Hash Utility
• TCP Relay


/ Timing Channels
Eggers and Mallet (1988) provide one of the earliest descriptions of a covert timing channel and state that it is "a covert channel in which one process signals another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process." By altering a specific time-reliant module/process, such as CPU time, we can transmit information by creating a pattern of sorts. Giani, Berk and Cybenko (2006) explain that timing channels are examples of "a subtle mechanism that uses only normal traffic." They compare timing channels to communication methods such as Morse code, which uses timed beeps or timed signals to transmit a message.

/ Storage Channels
Storage channels are described by many as channels that involve the writing of a storage location by a process, which is then directly read by another process. Typically, the bandwidth will be limited by the finite resource shared by two subjects at different security levels. Storage channels are the most common type of covert channel as they are the easiest to implement and do not require any complex algorithms or programming.

Beyond storage and timing channels, there are various sub-classes of covert channels that can be organised according to the mechanisms and protocols used to transmit information, such as TCP/IP, ARP and UDP channels. Covert channels using network protocols are the most common type of covert channel in use.

/ Analysis of Covert Channels
Prior to 1991, most covert channel analysis centred around code inspection or "inspection of the high level specification" (Kemmerer, 1991). More often than not, information flow analysis was involved, which could be very time consuming and difficult to follow.

Kemmerer (1991) also provides one of the most in-depth and consistent methods of analysing covert channels by using flow trees. The advantage of flow trees is that the diagrammatical form provides a comprehensive list of scenarios that can be automatically created.

One form of detecting covert channels could be to use Event Pattern Analysis as proposed by Perrochon et al. (2000), in which software is used to monitor the security infrastructure of an organisation, highlighting when irregular activities occur that do not fit in with a baseline pattern. Software like this has already been developed and will soon become a valuable part of security infrastructure.

Moskowitz and Kang (1994) explain, however, that regardless of the analysis and prevention techniques used on covert channels, they will never be totally eliminated in many practical high-assurance systems.

Covert channels are analysed according to a specific set of properties and how well they can satisfy those properties. Ray and Mishra (2008) describe these properties as stealthiness, lightweight, confidentiality & integrity, and reliability/ordering. Stealthiness relates to how easy/difficult it is to detect the use of a covert channel. Lightweight is a measure of how resource intensive a channel is and whether it requires the use of a variety of resources, or just one. Confidentiality describes how easy it is for someone to eavesdrop on the conversation. Ideally only the intended recipient should be able to view the exchanged information and should also be able to detect any tampering. This is usually achieved by making the occurrence/statistical property of the covert channel as close to the statistical property of the legitimate channel as possible. Reliability is a measure of data loss and whether the information can still be read/obtained despite any data loss.

Giani, Berk and Cybenko explained that the 'covertness' of a covert channel is proportional to the capacity of the channel less the transmission rate:

Covertness ∝ (Capacity of the medium − Transmission Rate)

Various forms of covert channels have been identified and the aim of this article is to assess and evaluate a select group of these channels.

Figure 1. IPv4 Datagram
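The timing channel described above, encoded as inter-packet gaps and then checked with the kind of baseline comparison the Event Pattern Analysis paragraph points at, as an added example in Python (not code from the article or its authors). The 50 ms/200 ms gap values, the jitter and the exponential model of 'legitimate' traffic are assumptions chosen for illustration; all timestamps are constructed in memory rather than captured from a network.

```python
"""Covert timing channel over inter-packet gaps, with a simple detection statistic.

Added example, not from the original article. Gap values, jitter and the
'legitimate traffic' model are assumptions; the timestamps are constructed in
memory rather than captured.
"""
import random
from collections import Counter

ZERO_GAP = 0.05   # assumed: a 50 ms gap after a packet signals a 0 bit
ONE_GAP = 0.20    # assumed: a 200 ms gap signals a 1 bit
THRESHOLD = (ZERO_GAP + ONE_GAP) / 2   # receiver's decision boundary


def encode_timing(message: bytes, jitter: float = 0.01, seed: int = 1) -> list:
    """Return send timestamps; the gap after packet i carries bit i (MSB first).
    Jitter models the sender's own scheduling noise and must stay well inside
    THRESHOLD - ZERO_GAP for the receiver to decode without error."""
    rng = random.Random(seed)
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    timestamps = [0.0]
    for bit in bits:
        gap = ONE_GAP if bit else ZERO_GAP
        timestamps.append(timestamps[-1] + gap + rng.uniform(-jitter, jitter))
    return timestamps


def decode_timing(timestamps: list) -> bytes:
    """Threshold each inter-arrival gap back to a bit and repack whole bytes."""
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    bits = [1 if gap > THRESHOLD else 0 for gap in gaps]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def legitimate_timestamps(n: int, mean_gap: float = 0.1, seed: int = 2) -> list:
    """Constructed baseline: n packets whose gaps are exponentially distributed,
    a crude stand-in for ordinary application traffic."""
    rng = random.Random(seed)
    timestamps = [0.0]
    for _ in range(n):
        timestamps.append(timestamps[-1] + rng.expovariate(1.0 / mean_gap))
    return timestamps


def top_two_bin_share(timestamps: list, bin_width: float = 0.04) -> float:
    """Detection statistic: quantise the gaps and report the share of traffic in
    the two most common bins. A two-symbol timing channel concentrates almost all
    of its gaps in two bins; exponentially spread gaps do not."""
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    if not gaps:
        return 0.0
    bins = Counter(round(gap / bin_width) for gap in gaps)
    return sum(count for _, count in bins.most_common(2)) / len(gaps)


if __name__ == "__main__":
    covert = encode_timing(b"Hi, Bob")
    print(decode_timing(covert))
    print("covert share:", round(top_two_bin_share(covert), 2))
    print("baseline share:", round(top_two_bin_share(legitimate_timestamps(400)), 2))
```

The decoder's threshold sits midway between the two gap values, so any jitter (including the network's own) smaller than 75 ms is absorbed; the detector, by contrast, knows nothing about the encoding and only notices that the traffic's inter-arrival distribution has collapsed onto two values, which is exactly the statistical property a stealthy channel would need to blur.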



/ Covert Channel List
The following describes the covert storage channels picked to implement and analyse, and also explains how each of the covert channels works.

/ Noisy Channel in the IP Protocol / Time to Live Field
This covert channel was identified by Qu, Su and Feng using the Time to Live (TTL) field of the IPv4 header. The basic idea is to encode the information into the TTL field, allowing the sender to pass data between hosts in packets that would appear to be initial connection requests or intermediate steps. The TTL field is an indication of the maximum number of nodes that a packet can cross before reaching the destination; it is nominally expressed in seconds, but in practice every router decrements it by one, so it behaves as a hop count. The field consists of 8 bits, and so the maximum number of nodes can be calculated as 255. The real advantage of using this field is that the number constantly changes due to changes in network status and routing information, so a varying value is not in itself suspicious; the corresponding drawback, and what makes the channel 'noisy', is that each router on the path also decrements the value the receiver sees, so the encoding must tolerate that. Another advantage of using this channel type is that it will not be affected by the change to IPv6, since the IPv6 header has a corresponding field called 'Hop Limit'. The IPv4 datagram is shown below (Figure 1) to demonstrate where the data will be entered.

/ Basic Channel Using the IPv4 Identification Field
As seen in the IPv4 datagram, 16 bits are reserved for the Identification field of the IPv4 header. This field is used to "uniquely identify an IP datagram within a flow of datagrams sharing the same source and destination four-tuple." In other words, the field is used to identify datagrams within a set containing the same values in the Source Address and Destination Address fields. The value is generated by the sending host, as a counter or at random depending on the stack, but it can hold an arbitrary value without causing any disruption to the flow of traffic. Therefore, it provides an opportunity for covert communication, but would require the message to be encrypted, as otherwise the message would be transmitted as plain text and could easily be detected by packet sniffers.

/ ICMP Echo Request
"The Internet Control Message Protocol (ICMP) is a network-layer protocol used for generating informational, error and test messages related to IP-based communication." It is an essential utility that is used both for diagnosing problems in the network and for general IP-networking facilities. As ICMP echo requests are fairly common on any network, they provide a perfect opportunity for covert communication. Various channels have been presented in ICMP echo requests, but for this implementation we shall be using the sequence number field to implement a basic storage channel. The message shall be encrypted for added security.

/ TCP ACK Field
CLACK is a specific type of covert channel proposed in research by Luo, Chan and Chang, which utilises the ACK field of the TCP header (Figure 2) and is based on a persistent flow of TCP data, meaning that direct encoding is not viable, as the ACK has to continue its primary function. The focus of the research is, therefore, a mechanism they call 'partial ACK encoding', i.e. encoding messages into pre-existing packets. In order to simplify the method performed by the researchers, Packit will be used to encode the message into the ACK field of a stream of packets, which are then injected onto the network. This channel will not, therefore, be exactly as described in the research, but should produce similar results.

Figure 2. TCP Header

/ UDP Storage Channel (Experimental)
After performing a baseline analysis it was observed that certain protocols were more abundant than others. One of these was the User Datagram Protocol (UDP). Currently, there is little experimental and statistical data on the use of UDP as a covert channel, although it has been suggested as a potential channel by several researchers. The UDP header (Figure 3) offers three distinct fields that could be used to transmit information: the source port, the length and the checksum. UDP itself carries some disadvantages: it offers no retransmission, so a datagram lost in transit is simply gone rather than resent; however, it may still provide a viable channel. For this channel, the source port field will be used as the covert carrier field.

Figure 3. UDP Header
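An added example (not the article's own code) of the storage channels listed on this page: the sender packs two message bytes into each packet's 16-bit Identification field, the receiver reads them back, and a detector applies the check the text alludes to, namely that unencrypted text in a header field stands out to a sniffer. The addresses, the message and the random-ID baseline are constructed; headers are built with struct and never transmitted. The same header builder takes the TTL as a parameter, and the 16-bit UDP source port and ICMP sequence number fields can be driven in exactly the same way, so only the Identification field is shown.

```python
"""Storage channel in the IPv4 Identification field: encoder, decoder and a detector.

Added example, not the article's code. Addresses, message and the random-ID
baseline are constructed; headers are built in memory and never sent.
"""
import random
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns the checksum field value."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum and DF set (no fragmentation)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                      # DF=1, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, ident & 0xFFFF, flags_frag,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def encode_in_id(message: bytes, src: str, dst: str) -> list:
    """Two message bytes per packet in the 16-bit Identification field.
    Odd-length messages are NUL-padded; a message ending in NUL is truncated on decode."""
    if len(message) % 2:
        message += b"\x00"
    return [build_ipv4_header(src, dst, struct.unpack("!H", message[i:i + 2])[0])
            for i in range(0, len(message), 2)]


def decode_from_id(headers: list) -> bytes:
    """Receiver side: bytes 4-5 of each header are the Identification field."""
    return b"".join(h[4:6] for h in headers).rstrip(b"\x00")


def random_id_headers(n: int, src: str, dst: str, seed: int = 3) -> list:
    """Constructed baseline: a flow whose IDs look like a randomising stack's."""
    rng = random.Random(seed)
    return [build_ipv4_header(src, dst, rng.getrandbits(16)) for _ in range(n)]


def printable_ratio(headers: list) -> float:
    """Detector: fraction of Identification-field bytes in printable ASCII (0x20-0x7E).
    Random IDs give about 95/256 (~0.37); an unencrypted text message gives ~1.0."""
    id_bytes = b"".join(h[4:6] for h in headers)
    if not id_bytes:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in id_bytes) / len(id_bytes)


if __name__ == "__main__":
    src, dst = "10.0.0.5", "203.0.113.9"
    covert = encode_in_id(b"payroll.xlsx sha1=3f9a", src, dst)
    print(decode_from_id(covert))
    print("covert:", round(printable_ratio(covert), 2),
          "baseline:", round(printable_ratio(random_id_headers(200, src, dst)), 2))
```

Encrypting the message, as the text recommends, defeats this particular check by pushing the printable ratio back towards the random baseline; it does nothing against a detector that instead notices the IDs of a flow no longer advance the way the sender's stack normally advances them, which is the behavioural comparison a baseline capture with Wireshark is for.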


/ TCP ACK Field
The point to note for the TCP ACK field is that, in order to see the correct ACK number, the 'Relative sequence numbers and window scaling' option must be unchecked in the TCP preferences of Wireshark; otherwise Wireshark displays ACK numbers relative to the start of the conversation rather than the raw 32-bit value that carries the message.

/ TCP Sequence Number (Experimental)
As TCP is one of the most commonly occurring protocols on most networks, it would seem to be the best carrier of covert information. One form of covert channel within the TCP header (Figure 2) has already been discussed on the previous page (TCP ACK Field). For a second covert channel in the TCP header, it has been proposed that the sequence number be used. Being a 32-bit field, it offers considerable space per packet for information, very much like the ACK number field, which is the same length. The valuable feature of using the sequence number is that the packet can be crafted to resemble a SYN packet, which is always the first packet in the TCP handshake, and so would appear benign to most network sniffers and intrusion detection systems. Again, to be able to see the information in Wireshark, the TCP preferences must be set so that 'relative sequence numbers' are unchecked.

In the next article in this series we will take a look at the testing of the various covert channels and measure their effectiveness. /

REFERENCES
Radhakrishnan, R., Shanmugasundaram, K. & Memon, N., 2002. Data Masking: A Secure-Covert Channel Paradigm. In Workshop on Multimedia Signal Processing, 2002. IEEE.
Kemmerer, R.A., 1991. Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels. Transactions on Software Engineering, 17(11), pp.1166-85.
Tumoian, E. & Anikeev, M., 2005. Network Based Detection of Passive Covert Channels in TCP/IP. In Conference on Local Computer Networks 30th Anniversary, 2005. IEEE.
Son, S.H., Mukkamala, R. & David, R., 2000. Integrating Security and Real-Time Requirements Using Covert Channel Capacity. Transactions on Knowledge and Data Engineering, 12(6), pp.865-79.
Melliar-Smith, P.M. & Moser, L.E., 1991. Protection Against Covert Storage and Timing Channels. In Computer Security Foundations Workshop IV. Franconia, NH, 1991. IEEE.
Zander, S., Branch, P. & Armitage, G., 2007. Error Probability Analysis of IP Time To Live Covert Channels. In International Symposium on Communications and Information Technologies, 2007. IEEE.
Millen, J., 1999. 20 Years of Covert Channel Modelling and Analysis. In IEEE Symposium on Security and Privacy, 1999. IEEE.
Giani, A., Berk, V.H. & Cybenko, G.V., 2006. Data Exfiltration and Covert Channels. In Proceedings of the SPIE Sensors, and Command, Control, Communications, and Intelligence Technologies for Homeland Security and Homeland Defense V, 2006.
Luo, X., Chan, E.W.W. & Chang, R.K.C., 2008. TCP Covert Timing Channels: Design and Detection. In International Conference on Dependable Systems & Networks. Alaska, 2008.

/ Author Bio
Responsible for developing and delivery of the IAS technical portfolio, Matthew is a fully trained and experienced crime scene investigator. He holds a Bachelor's degree in Forensic Science (University of Lincoln) and a Master's degree in Forensic Computing (De Montfort University).



/ NEXT ISSUE

COMING SOON…
A roundup of features and articles for Issue 12…

Continuing our aim of bringing you new and interesting articles from the world of Digital Forensics, Issue 12 is shaping up to be another good mix of research and practical advice. Here is just a taste of some of the articles being looked at for the next issue of Digital Forensics Magazine.

/ Security analysis and data recovery in DPAPI


In this article Julie Wunder analyses the operation of DPAPI,
looking at the undocumented structures and encryption
algorithms of DPAPI, with a view to understand and describe
the internal functioning of the system.

/ What’s so ethical about hacking?


In this article David Hewitt takes a look at the definition
‘ethical hacking’ and discusses whether it is appropriate or
confusing. David also gives an overview of the history of pen
testing/hacking and what it’s place is in today’s industry.

/ Database Specific Forensics


In this article David Litchfield looks at the collection, collation and analysis of evidence from a compromised Oracle database server, showing how the what, how and why of a breach can be established, and how the time and cost of a breach investigation can both be dramatically reduced using a particular framework and tool.

/ Ontology Aided Searching for Automated Evidence Retrieval
Graeme Horseman takes a look at the proposal for the use
of web crawling and ontological structures to automatically
generate knowledge of a suspected offence that can query
binary data stored within suspected files and decide which
data is evidential.

/ Mobile Malware
Jamie Blasco takes a look at how malware on smartphones is used by criminals to make money; they steal information, contact details, emails, personal data or even financial information; they hijack browser sessions, interfering with online banking transactions and circumventing one time password (OTP) security procedures.

NEXT ISSUE PUBLISHED AUGUST 2012
Note: DFMag may change the planned content of future issues without notice.

/ Intellectual Property Theft


David Nides shares his list of potential IP theft methods, which he felt might be useful to the wider digital forensics community.

PLUS
All of our usual features: Apple Autopsy, 360, IRQ,
Robservations and Legal news & alerts.



/ COURSE WRITE-UP

DOCUMENT FORENSICS – A STUDENT VIEW
Documents are the life-blood of business, regardless of what your case might be; I defy you to
find a computer that doesn’t contain a document. There is, though, a dearth of material available
on this level of analysis – but one need not fret any longer – the Document Analysis course from
De Montfort University will allow you to grpl with sprms within OLE2 files with no fear of failure!
In this short article we cover a few of the starting details that you’ll come across in the course,
but, consider it but a taster from a student perspective. To master this subject is a long journey;
of which this course is not only a first step, but also a constant companion on the journey of one
who is holding a map…

Word processing is the function that took the computer from the specialist business tool to the mainstream. Prior to that it was a tool that, with a great deal of success, replaced mathematical tools, calculators and log tables; after that it found its way into all aspects of business, academia and art. With such success came the opportunity to use it for nefarious purposes.

Documents underpin our society; they enshrine our records, our plans and our contracts. George Orwell pointed this out in "1984" with the Ministry of Truth; "our control over documents and how what they say allows us to rewrite history and the future".

It turns out however that this isn't entirely true; documents created on computers themselves contain a history, and, like a historian, we can piece together the truth of history, what actually happened, if we just dig under the surface.

For a long time, there was little (nothing!) available in the way of training on the subject of document forensics; it was a black art at best. Microsoft didn't publish the details of the Word document formats and what did exist was not comprehensible by any normal human reader as it was so laden with acronyms and specific technical terms that it sounded more like a foreign language than anything else. We are now, however, blessed; this translation work has been carried out for us, and is available (at a more than reasonable price!) through the "Binary Analysis of Microsoft Office Documents" course in the Cyber Security Centre of De Montfort University, Leicester.

This master's degree course, taught by Professors Sammes and Jenkinson (formerly of Cranfield, and of a certain degree of notoriety in the field in general) is focused on the most common, but hardest to decipher, OLE2 container for Microsoft Office documents. In this case a document is anything produced by the Office suite, so Excel, Word, PowerPoint etc., from Word Version 6.0 onwards (although the latest versions support the newer XML formats, many are still producing OLE2 for compatibility across IT environments). The OLE2 file format is, essentially, a file system in its own right, with multiple FATs and internal "files" that contain the content, format and metadata. Being a filesystem, we see the traditional things that we love in forensics: slack space and deleted "files". Once the structure has been decomposed, the process of decoding the data begins, and that includes the author details, dates and times, versions of operating system and software and much more. The course, as is characteristic of Professors Sammes and Jenkinson, is delivered with humour, panache and, possibly of most value, with a real world experience and relevance that clearly makes this a course by practitioners for practitioners.

The whole course (four days of lectures and practicals with an exam on the fifth day) is accompanied by a colour copy of all slides, examples and supporting documentation. In this course it was bound as a book; future courses are likely to have it ring bound, and you are allowed to refer to it in the exam. The days are long, even for those who are familiar with the "week full" style of distance learning, running from 9am till 6pm with occasional coffee and lunch breaks, and there is a lot of information that you need to absorb in that time. Coursework to complete the course as a module towards an MSc is also available, although you can just take it as a short course should you need the knowledge but not the degree. The overall facilities are excellent; De Montfort has equipped both the student lab and the research and casework facilities to a very high standard, and the remainder of the University is equally impressive, with catering and student support facilities to rival any other institution. /
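To make the "file system in its own right" point concrete, here is an added Python walker for the OLE2 (Compound File Binary) structure; it is not course material. It parses the header, reads the FAT sectors named by the DIFAT, follows sector chains, lists the 128-byte directory entries, and reports sectors the FAT marks free but which still contain data, which is where deleted stream content survives. The sample compound file, including its stream names, the freed-but-unwiped sector and the assumption that a deleted entry keeps its name with object type 0, is constructed in memory.

```python
"""Minimal OLE2 / Compound File Binary (CFB) walker: header, FAT, directory, orphaned sectors.

Added example, not course material. The sample file is constructed in memory
(one FAT sector, one directory sector, one live stream, one freed-but-unwiped
sector) so the parser runs offline; the stream names and contents are invented.
"""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
SECTOR = 512


def parse_header(data: bytes) -> dict:
    """Fields from the 512-byte header needed to reach the FAT and the directory."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    _minor, major, _byte_order, sector_shift, _mini_shift = struct.unpack_from("<HHHHH", data, 24)
    (_num_dir, num_fat, first_dir, _txn, _mini_cutoff,
     _first_minifat, _num_minifat, _first_difat, num_difat) = struct.unpack_from("<9I", data, 40)
    difat = struct.unpack_from("<109I", data, 76)     # first 109 FAT sector numbers live in the header
    return {"major": major, "sector_size": 1 << sector_shift, "first_dir": first_dir,
            "fat_sectors": list(difat[:num_fat]), "num_difat": num_difat}


def sector(data: bytes, hdr: dict, n: int) -> bytes:
    """Sector n starts after the header: offset (n + 1) * sector_size."""
    size = hdr["sector_size"]
    return data[(n + 1) * size:(n + 2) * size]


def read_fat(data: bytes, hdr: dict) -> list:
    """Concatenate the FAT sectors named in the header DIFAT (no DIFAT chain handled here)."""
    fat = []
    for sid in hdr["fat_sectors"]:
        sec = sector(data, hdr, sid)
        fat.extend(struct.unpack("<%dI" % (len(sec) // 4), sec))
    return fat


def chain(fat: list, start: int) -> list:
    """Follow a FAT chain, stopping on a special value, an out-of-range entry or a loop."""
    seen, out, cur = set(), [], start
    while cur <= MAXREGSECT and cur < len(fat) and cur not in seen:
        seen.add(cur)
        out.append(cur)
        cur = fat[cur]
    return out


def read_stream(data: bytes, hdr: dict, fat: list, start: int, size: int) -> bytes:
    return b"".join(sector(data, hdr, s) for s in chain(fat, start))[:size]


def parse_directory(data: bytes, hdr: dict, fat: list) -> list:
    """128-byte directory entries; object type 0 with a name left behind is a freed entry."""
    raw = b"".join(sector(data, hdr, s) for s in chain(fat, hdr["first_dir"]))
    entries = []
    for off in range(0, len(raw), 128):
        entry = raw[off:off + 128]
        name_len, obj_type = struct.unpack_from("<HB", entry, 64)
        start, size = struct.unpack_from("<IQ", entry, 116)
        name = entry[:name_len - 2].decode("utf-16-le", "replace") if name_len >= 2 else ""
        entries.append({"id": off // 128, "name": name, "type": obj_type, "start": start, "size": size})
    return entries


def orphaned_sectors(data: bytes, hdr: dict, fat: list) -> list:
    """Sectors the FAT marks FREESECT that still hold non-zero bytes: unallocated space
    where deleted stream content can survive."""
    size = hdr["sector_size"]
    count = (len(data) - size) // size
    return [n for n in range(count) if n < len(fat) and fat[n] == FREESECT and any(sector(data, hdr, n))]


def _dir_entry(name: str, obj_type: int, child: int = NOSTREAM, start: int = ENDOFCHAIN, size: int = 0) -> bytes:
    raw_name = name.encode("utf-16-le") + b"\x00\x00"
    return (raw_name.ljust(64, b"\x00") + struct.pack("<HBB", len(raw_name), obj_type, 1)
            + struct.pack("<III", NOSTREAM, NOSTREAM, child) + bytes(36) + struct.pack("<IQ", start, size))


def build_sample_file() -> bytes:
    """Constructed v3 compound file: sector 0 FAT, 1 directory, 2 live stream, 3 freed but unwiped."""
    body = b"Hello from the WordDocument stream."
    draft = b"DRAFT: figures not yet final"
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN, FREESECT] + [FREESECT] * 124
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("WordDocument", 2, start=2, size=len(body))
                 + _dir_entry("SecretDraft", 0, start=3, size=len(draft))   # type 0: freed, name not wiped
                 + bytes(128))
    header = (MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    return (header + struct.pack("<128I", *fat) + directory.ljust(SECTOR, b"\x00")
            + body.ljust(SECTOR, b"\x00") + draft.ljust(SECTOR,  b"\x00"))


if __name__ == "__main__":
    data = build_sample_file()
    hdr = parse_header(data)
    fat = read_fat(data, hdr)
    for e in parse_directory(data, hdr, fat):
        print(e["id"], repr(e["name"]), "type", e["type"], "start", e["start"], "size", e["size"])
    print("orphaned sectors:", orphaned_sectors(data, hdr, fat))
```

Pointed at a real .doc, the same walker needs two additions before it is trustworthy: FAT sectors beyond the 109 the header can name are reached through the DIFAT chain, and streams smaller than the mini-stream cutoff live in the mini FAT rather than the main one; both are omitted here to keep the structure visible.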





/ FEATURE

CYBER CHAMPIONS – MAKING A DIFFERENCE ACROSS GENERATIONS
'If we are to truly maximise the potential of the digital economy and the benefits it can bring to all sections of society, we must ensure that children and young people are confident and empowered to access, use and create digital media'
by Anu Khurmi
/ ENTRY

In an increasingly digitalised world it is crucial to ensure best practice in online safety awareness is promoted early in younger generations. The Cyber agenda is dramatically changing our world today and for all time as social media tools such as webcams and smartphones become increasingly pervasive and invasive in our everyday lives.

It is imperative therefore that our children grow up understanding how to exploit social media tools and tap into the power of the digital world without compromising their personal exposure, security and well being. Speaking at a recent Cyber Champions recognition event, City of London Police Commissioner Adrian Leppard observed, "The challenge with Cyber is that young people are already ahead of the game. We need to do all we can while they are still young to ensure they are able to look out for themselves and be safe in the online world." So who better to promote this message to future generations than the digitally savvy young professionals of today who are volunteering their time as Cyber Champions.

Cyber Champions is an exciting Corporate Social Responsibility (CSR) initiative mobilising young professional volunteers from across the industry to deliver online safety awareness workshops to schools and youth organisations in their local communities. Since launching at the House of Commons in June last year, Cyber Champions have visited schools and delivered e-safety awareness workshops to over 2,500 students across the UK and the numbers are continuing to grow.

The key messaging in the hour-long workshop is based on best practice and collateral from relevant sources including CEOP and Get Safe Online, and the lesson plan is highly interactive. Feedback from pupils and teachers alike has been overwhelmingly positive. Cyber Champions Giselle Frederick, of Credit Suisse, and Sophie Bialaszewski, from Templar Executives, speak enthusiastically about their experiences with schools in Tower Hamlets. Giselle explains, 'Working with young people and helping show them how technology works is close to my heart so the moment I heard about the Cyber Champions initiative I was keen to join. We have had tremendous feedback from teachers and students.' Jean Claude, Head of ICT at George Green School, endorsed this. "Teachers telling pupils about the issues is good, but when professionals like Giselle and Sophie come in and give the same messages that makes a fantastic impact," he said.

NEW TECHNOLOGIES ARE CENTRAL TO MODERN LIFE AND PROVIDE A POWERFUL SUPPORT FOR LEARNING, BUT THEY CAN ALSO PRESENT A RISK FOR YOUNG PEOPLE IF THEY ARE NOT TAUGHT HOW TO USE THEM SAFELY

As well as having a unique ability to communicate and connect with the younger generation, Cyber Champions are also great business and IT role models. Stakeholders including organisations such as Child Exploitation & Online Protection (CEOP), City of London Police, Beat Bullying, and Get Safe Online are unanimous in their praise of the young professionals who volunteer their time and take part. Chairman of the Parliamentary Internet, Communications and Technology Forum (PICTFOR), Alun Michael MP, highlights the initiative as "a superb example of the importance of older children acting as role models for the next younger generation". Nick Gargan, CEO of the National Policing Improvement Agency, states, "It is absolutely right that we and the Association of Chief Police Officers should be supporting this initiative. The focus on schools is particularly appropriate and the engagement with young professionals is beneficial to us all including the police who are facing new and different challenges created by the explosion of social media."


In turn, participating in Cyber Champions is an excellent way for young professionals to raise their profile, expand their network and enhance their interpersonal skills. There is also the opportunity to be mentored and supported by Cyber Guardians, senior leaders in industry or subject matter experts in security. Andrew Fitzmaurice, Founder and CEO of security firm Templar Executives, is passionate about the importance of those from business and in positions of expertise mentoring young professionals and becoming Cyber Guardians: "It is our role to ensure the digital footprint of young people is a positive one and that they are aware of not only the great power of technology, but also how to use it safely."

Being a Cyber Champion is incredibly rewarding. The children want to learn online safety, and they need to learn; it is absolutely vital, and teaching it helps both them and the Cyber Champion to grow stronger as a person. Many volunteers agree that being part of Cyber Champions is an extraordinary experience: not only do they personally take on board the lessons taught and improve their own public speaking, but it introduces them to people from all walks of life they wouldn't ordinarily meet. As young IT professionals they find it rewarding to be able to share experiences in online safety and safe browsing practices. Jack Mayor, entrepreneurship student at Lancaster University, commented that 'collaborating with other like-minded young professionals for Cyber Champions is incredibly empowering and contributes to the protection of children online, a very worthwhile cause'. Jayesh Bhadresha and Elliot Greene, IT interns at IBM, agreed, "Cyber Champions is one of the most fulfilling activities that we have been involved in. Your time and effort has a direct impact on the future and safety of the next generation, being able to see such a visible difference is one of the most rewarding facets of being a Cyber Champion".

The initiative is continuing to attract support from parliamentarians, public and private sector organisations, universities and schools. Jacqueline de Rojas, Vice President of McAfee International, says, "The internet opens our children to new opportunities and risks. We are really pleased to be part of this fantastic programme that is harnessing the power of volunteers to help children and young people get safe online." Stephen Kingan, Managing Director of Nexor, whose young professionals have been mentoring in local schools in Nottingham, explains, 'Whilst it is critical to educate kids to make sure they are safe online, it is also important for graduates to work in the community and develop themselves; becoming Cyber Champions gives them this opportunity.' De Montfort, Lancaster and Royal Holloway are some of the first UK universities to sign up as Campus Cyber Champions.

Cyber Champions is run on an entirely voluntary basis and its success has everything to do with the enthusiasm, calibre and commitment of the professionals and organisations involved. A growing number of major employers and SMEs value it as part of both their Corporate Social Responsibility and their Professional Development programmes, and the initiative has captured the hearts and minds of all those who participate. EURIM Vice Chair Anu Khurmi sums up, "The momentum and positive impact created by Cyber Champions in such a short timescale has been phenomenal, but it's just the start and there is so much more to do. Teaching children best practice in e-safety early is also about skilling up the future workforce and creating empowered users in the online world".

The team is calling for organisations and professionals to get involved through volunteering or sponsorship. If you or your organisation are inspired by this initiative and want to make a difference as a Cyber Champion or a Cyber Guardian, contact us now at cyberchampions@ypnglobal.com /



Digital
ForensicS
/ magazine

BACK ISSUES
Issue 7 (May 2011)
/ Genetic Algorithms & Digital Forensics
/ File Integrity Monitoring
/ Imaging 1000 Drives
/ Cell Site Analysis
/ Imaging a MacBook Air
/ Detecting Commercial Grade Spyware
/ Advanced Cyber Probes
/ CelleBrite Physical Analyser V2.0

Issue 8 (August 2011)
/ Latent Semantic Indexing
/ Hacking the Cloud
/ Biometrics & Forensics
/ e-Discovery and the Mac
/ Video & Image Forensics
/ Criminal Profiling
/ File Integrity
/ DF in Sri Lanka
/ Exploring the e-Discovery Process
/ X-Ways Forensics

Issue 9 (November 2011)
/ Big Brother Forensics
/ Hunting Malware with a (Wire)shark
/ Social Network Monitoring
/ Geo Tagging the Mac
/ Cryptanalysis Using Distributed Systems
/ Digital Archiving and Data Recovery
/ Deep Packet Inspection
/ X-Ways Forensics, part 2

Issue 10 (February 2012)
/ Cracking Android Patterns, Pins & Passwords
/ Mobile Phone Forensic Challenges
/ Traceback
/ iPhone 4S & iOS 5
/ Forensic Analysis on a Windows Mobile
/ The Exabyte Challenge
/ Legal Hurdles in Mobile Device Forensics

ORDER ONLINE
www.digitalforensicsmagazine.com



/ FEATURE

STEGANOGRAPHY
SECURITY CONTROLS
New NIST controls address covert information exfiltration and malware infiltration.
by James E. Wingate

/ INTERMEDIATE

The latest revision to the master catalogue of security controls for US federal government agencies, released by the National Institute of Standards and Technology (NIST) on February 28, 2012, includes, for the first time, explicit references to steganography.
NIST Special Publication 800-53 (SP800-53), Revision 4 (Initial Public Draft) [1] includes control enhancements for two security controls and supplemental guidance in another security control that reference use of steganography to infiltrate malicious code or exfiltrate sensitive information in the Security Control Catalogue at Appendix F.
Release of this revision marks the second “Red Letter” day for raising awareness and perception of the threat from use of digital steganography for nefarious purposes.
The first was April 17, 2006 when the National Science and Technology Council released the Federal Plan for Cyber Security and Information Assurance Research and Development. The Plan is notable for being the first unclassified US federal government document that explicitly stated that steganography posed a threat that had been “documented in numerous intelligence reports.” [2]
Beyond addressing the emerging threat of digital steganography, this revision to the master security control catalogue represents the continuing evolution and refinement of a converged federal information security framework by making the following major changes:

• New security controls and control enhancements;
• Clarification of security control requirements and specification language;
• New tailoring guidance including the introduction of overlays;
• Additional supplemental guidance for security controls and enhancements;
• New privacy controls and implementation guidance;
• Updated security control baselines;
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.

To put the new steganography controls in proper context as an aid to understanding, it will be helpful to have a bigger picture of the general structure of the security controls.

/ Background
Revision 4 of SP800-53 is the result of a year-long project to update the security controls catalogue along with the guidance for choosing security controls for federal agencies and the information systems they own and operate to perform their mission.
The project was conducted in cooperation and collaboration with the Department of Defense, the Department of Homeland Security, the Intelligence Community led by the Office of the Director for National Intelligence (ODNI), and the Committee on National Security Systems (CNSS) under the Joint Task Force Transformation Initiative (JTFTI), which was established in 2006.
The JTFTI Interagency Working Group was established in April 2009 with the objective of creating a unified information security framework for use throughout the federal government. Historically, there have been multiple policies, publications, and processes for risk management and systems security for national security systems and non-national security systems. Naturally, this resulted in much duplication of effort and sub-optimal security across the many and varied agencies of the federal government.

/ QUOTE
“The potential for trusted US Government and contractor insiders using their authorized access to personnel, facilities, information, equipment, networks or information systems in order to cause great harm is becoming an increasingly serious threat to national security [3].”
LTG Ronald L. Burgess, Director, DIA

/ Security Control Structure
Security controls listed in SP 800-53 are organized into 18 families, each with a two-character identifier. The security control identifiers and family names are listed in Table 1.
Individual controls within the families are numbered sequentially beginning with 1. For example, the third control in the Configuration Management family would be identified as CM-3.
Without delving too deeply into the nuances of the security control structure, suffice it to say that each control contains:



ID  Family                                  ID  Family
AC  Access Control                          MP  Media Protection
AT  Awareness & Training                    PE  Physical & Environmental Protection
AU  Audit & Accountability                  PL  Planning
CA  Security Assessment & Authorization     PS  Personnel Security
CM  Configuration Management                RA  Risk Assessment
CP  Contingency Planning                    SA  System & Services Acquisition
IA  Identification & Authentication         SC  System & Communications Protection
IR  Incident Response                       SI  System & Information Integrity
MA  Maintenance                             PM  Program Management

Table 1. Security Control Identifiers and Family Names

• A Control section that describes specific security-related activities to be carried out by organizations or information systems.
• A Supplemental Guidance section that provides additional information related to a specific security control; and
• A Control Enhancements section that provides statements of security capability to add functionality/specificity to a control and/or to increase the strength of a control
  – This section may also contain a Supplemental Guidance section

/ The Steganography Controls
The Security Control Catalogue in Revision 4 to NIST SP800-53 references steganography in three separate security controls as follows:

• SC – System and Communications Protection
  – SC-7: Boundary Protection
• SI – System and Information Integrity
  – SI-3: Malicious Code Protection
  – SI-4: Information System Monitoring

These controls are graphically illustrated in Figure 1.

/ Steganography Control Details
To ensure accuracy, much of the information below is taken directly from SP800-53.

SC-7 Boundary Protection
This control specifies the information system does the following:

• Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
• Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organization security architecture

The specific reference to steganography is contained in the Supplemental Guidance to Control Enhancement #10:

(10) Boundary Protection/Unauthorized Exfiltration
The organization prevents the unauthorized exfiltration of information across managed interfaces.
The Supplemental Guidance provides the following examples of safeguards implemented by organizations to prevent unauthorized exfiltration of information:

• Strict adherence to protocol formats
• Monitoring for beaconing from information systems
• Monitoring for steganography
• Disconnecting external network interfaces except when explicitly needed
• Disassembling and reassembling packet headers
• Employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations

SI-3 Malicious Code Protection
This control specifies the organization does the following:

A. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computer devices on the network to detect and eradicate malicious code:
  • Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
  • Inserted through the exploitation of information system vulnerabilities
B. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;




Figure 1. Steganography Controls in NIST SP800-53 Revision 4

C. Configures malicious code protection mechanisms to:
  • Perform periodic scans of the information system at a frequency defined by the organization and real-time scans of files from external sources at endpoints and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organization security policy; and
  • Block malicious code, quarantine malicious code, or send alerts to an administrator in response to malicious code detections; and
D. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The specific reference to steganography is in the Supplemental Guidance, which states the following types of malicious code can be hidden in files using steganography:

• Viruses
• Worms
• Trojan horses
• Spyware

SI-4 Information System Monitoring
This control specifies the organization does the following:

A. Monitors the information system to detect attacks and indicators of potential attacks in accordance with the monitoring objectives defined by the organization;
B. Identifies unauthorized use of the information system;
C. Deploys monitoring devices strategically within the information system to collect organization-determined essential information, and at ad hoc locations within the system to track specific types of transactions of interest to the organization;

/ Q&A
Does inclusion of the steganography controls in the security control catalogue mean that every agency must deploy a solution to detect steganography?
Yes. SI-3 is required to be implemented for all three control baselines: low impact, moderate impact, and high impact systems. However, the control enhancements for SC-7 and SI-4 aren’t required to be implemented for any of the control baselines.



D. Heightens the level of information system monitoring whenever there is an indication of increased risk to an organization’s operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
E. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

The specific reference to steganography is in the Supplemental Guidance to Control Enhancement #18:

(18) Information System Monitoring | Analyze Traffic/Covert Exfiltration
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at other organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.
The Supplemental Guidance states that steganography is an example of covert means that can be used for the unauthorized exfiltration of organization information.

/ Significance of New Steganography Controls
Including steganography controls in Revision 4 of the security controls catalogue is significant. It means perception of the threat from insider use of steganography to steal sensitive information has finally increased to the point where the authors of SP800-53, senior leaders and working group members of the JTFTI, believed it was appropriate to include controls to detect use of digital steganography.
Given the increased threat perception, it is reasonable to presume the steganography controls will eventually filter down into various cyber security control sets such as those published by the Federal Financial Institutions Examination Council (FFIEC) [4] for protecting financial institution networks and the North American Electric Reliability Corporation (NERC) [5] for providing critical infrastructure protection.

/ Conclusion
Insider use of digital steganography to exfiltrate sensitive or classified information and hacker use of digital steganography to covertly distribute or implant malware capable of covertly exfiltrating information is a growing threat.
One need look no further than the Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, released by the Office of the National Counterintelligence Executive in October 2011 to grasp the magnitude of the threat from “malicious actors, whether they are corrupted insiders or foreign intelligence services, to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.” [6] Digital steganography applications are perfect tools for doing just that.
NIST has addressed this threat by including three controls in the security control catalogue, and government agencies and private sector organizations that fail to implement the controls do so at their peril. /

REFERENCES
1. NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Initial Public Draft, February 2012, http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204
2. Federal Plan for Cyber Security and Information Assurance Research and Development, National Science and Technology Council, Report by the Interagency Working Group on Cyber Security and Information Assurance, April 2006
3. Burgess, Ronald L. Jr., Lieutenant General, USA, Director, Defense Intelligence Agency, Annual Threat Assessment, Statement Before the Senate Armed Services Committee, United States Senate, February 16, 2012, http://www.dia.mil/public-affairs/testimonies/2012-02-16.html
4. Federal Financial Institutions Examination Council Information Security Handbook, July 2006, http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
5. North American Electric Reliability Corporation (NERC) Standards: Reliability Standards, Critical Infrastructure Protection (CIP), http://www.nerc.com/page.php?cid=2%7C20
6. Foreign Spies Stealing US Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, Office of the National Counterintelligence Executive, October 2011, http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

/ Author Bio
James E. Wingate, CISSP-ISSEP, CISM, CHP, CHSS, is Director of the Steganography Analysis and Research Center (SARC) and Vice President of Backbone Security. He is leading efforts to develop state-of-the-art digital steganalysis tools for use by digital forensics examiners and network security personnel in the public and private sectors. He is a member of HTCC and HTCIA and regularly gives presentations on the use of digital steganography to conceal evidence of criminal activity at major conferences across the United States. He retired from the US Air Force after more than 24 years of service as a Communications and Information officer. He holds a B.S. in Computer Science from Louisiana Tech University, Ruston, Louisiana, and an M.S. in Computer Engineering from the University of South Florida, Tampa, Florida.
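As an added example, not code from the article, from NIST or from the author's company, the following Python shows one concrete form of the "monitoring for steganography" safeguard listed under SC-7(10) and the outbound image analysis that SI-4(18) calls for: a chi-square "pairs of values" test that flags 8-bit grayscale image data whose least-significant bits look as though a payload has been written over them. The cover image, payload and embedding routine are constructed inside the block so it runs offline, and the fixed threshold is a simplification of the test, not NIST guidance.

```python
"""Added example, not code from the article, from NIST or from the author's
company: a chi-square "pairs of values" LSB steganalysis check of the kind
that an SC-7(10) "monitoring for steganography" safeguard, or the outbound
traffic analysis in SI-4(18), could apply to image files crossing a managed
interface. Cover image, payload and embedding routine are all constructed
here so the check runs offline on plain 8-bit grayscale pixel lists."""
import random
from typing import List, Sequence

NUM_PAIRS = 128  # 8-bit sample values grouped as (2k, 2k+1), k = 0..127


def pov_chi_square(pixels: Sequence[int]) -> float:
    """Pairs-of-values chi-square statistic (after Westfeld and Pfitzmann).

    Overwriting every LSB with a roughly balanced bit stream makes the
    counts of 2k and 2k+1 converge, so a fully embedded image scores close
    to its degrees of freedom (one per populated pair, about 127), while an
    unmodified image whose histogram keeps its natural asymmetry scores
    far higher.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p & 0xFF] += 1
    chi2 = 0.0
    for k in range(NUM_PAIRS):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:  # an empty pair carries no evidence either way
            chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return chi2


def populated_pairs(pixels: Sequence[int]) -> int:
    """Number of value pairs with at least one sample (usable degrees of freedom)."""
    return len({p & 0xFE for p in pixels})


def looks_lsb_embedded(pixels: Sequence[int], tolerance: float = 2.0) -> bool:
    """Flag an image whose statistic is within `tolerance` times its df.

    A coarse decision rule standing in for a proper p-value: it separates
    the two constructed samples below cleanly, and a real monitoring rule
    would tune the threshold (and the false-positive handling SI-3 D calls
    for) against the organisation's own image corpus.
    """
    df = max(populated_pairs(pixels) - 1, 1)
    return pov_chi_square(pixels) <= tolerance * df


# --- constructed sample material (not real images) -----------------------

def make_cover(width: int = 64, height: int = 64, seed: int = 7) -> List[int]:
    """Constructed 'cover': pseudo-random grayscale samples whose LSB is
    biased toward 0 (about 80/20), standing in for the pair asymmetry that
    real photographs exhibit."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(width * height):
        base = rng.randrange(256) & 0xFE
        pixels.append(base | (1 if rng.random() < 0.2 else 0))
    return pixels


def embed_lsb(cover: Sequence[int], payload: bytes) -> List[int]:
    """Constructed stego sample: sequentially overwrite each pixel's LSB with
    the payload bits, the textbook scheme this test was designed to catch.
    Bits beyond the image size are dropped."""
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))
    out = list(cover)
    for idx, bit in zip(range(len(out)), bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def demo() -> dict:
    """Score a clean cover and the same cover after an encrypted-looking
    (pseudo-random) payload has been embedded into every pixel."""
    cover = make_cover()
    rng = random.Random(99)
    payload = bytes(rng.randrange(256) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    return {
        "cover_chi2": pov_chi_square(cover),
        "stego_chi2": pov_chi_square(stego),
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the constructed samples the clean cover scores in the low thousands and is not flagged, while the fully embedded copy lands near its 127 degrees of freedom and is; partial or non-sequential embedding weakens the signal, which is why a production control pairs this with the traffic-profile checks listed under SC-7(10).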



BOOK REVIEWERS
New initiative for practitioners to review books on digital forensics subjects.

We recently announced a new initiative to improve the book review section and as ever you have responded magnificently to the call. Members of the DFM LinkedIn group, followers of @dfmag on Twitter and readers of the monthly newsletter were all notified of the new initiative and invited, if interested, to contact 360@digitalforensicsmagazine.com providing their CV and photograph.
The aim is to establish a sub-group on LinkedIn for the book reviewers to facilitate discussion on books as well as posting the reviews via the various outlets at our disposal including the Blog, LinkedIn and of course the magazine review section.
The CV is to ensure that the reviewer has the relevant background and experience to review technical details and the photograph is to create a “rogues’ gallery” of our reviewers on the website. We have had requests from some reviewers not to provide photographs and not to be included and we will, of course, respect their wishes.
If you would like to get involved and become a book reviewer, send your CV and photo to 360@digitalforensicsmagazine.com. Use the subject line “Book Reviewer” and make sure you indicate if you are happy to be included in the reviewers’ gallery.
The following are some of those who have already joined:

/ Debbie Garside (UK)
Debbie is currently studying a PhD (ABD) in Human Visual Perception in Cyber Security and is a visiting research fellow for the University of Wales. In addition to her academic work Debbie is an advisor to industry and Government.

/ Jon Fowler (USA)
Jonathan is the Director of Forensics at First Advantage Litigation Consulting in Washington DC. As a practicing forensicator he is also qualified as an expert witness.

/ Jacson RC Silva (Brazil)
Having attained BSc and MSc degrees in computer science, Jacson is a developer of the Linux distribution “Vix”. When he is not developing he is educating others and doing his full time job of network administration.

/ Chara Makri (Greece)
Following an undergraduate degree in computer science, Chara obtained an MSc in Forensic Information Technology. Chara currently works for RIM on the Blackberry Playbook.

Title                                      Author                  ISBN                Publisher
The Basics of Digital Forensics            John Sammons            978-1-59749-661-2   Syngress
Windows Forensic Analysis Toolkit          Harlan Carvey           978-1-59749-727-5   Syngress
Penetration Tester's Open Source Toolkit   Jeremy Faircloth        978-1-59749-627-8   Syngress
Low Tech Hacking                           Jack Wiles et al        978-1-59749-665-0   Syngress
Windows Registry Forensics                 Harlan Carvey           978-1-59749-580-6   Syngress
Digital Forensics with Open Source Tools   Cory Altheide et al     978-1-59749-586-8   Syngress
Industrial Network Security                Eric D Knapp            978-1-59749-645-2   Syngress
Securing The Cloud                         Vic (J.R.) Winkler      978-1-59749-592-9   Syngress
Security Risk Management                   Evan Wheeler            978-1-59749-615-5   Syngress
iPhone & iOS Forensics                     Andrew Hoog et al       978-1-59749-659-9   Syngress
Android Forensics                          Andrew Hoog             978-1-59749-651-3   Syngress
The Basics of Hacking & Pen Testing        Patrick Engebretson     978-1-59749-655-1   Syngress
Coding for Pen Testers                     Jason Andress et al     978-1-59749-729-9   Syngress
Digital Forensics for Legal Professionals  Larry E Daniel et al    978-1-59749-643-8   Syngress
The Basics of Information Security         Jason Andress           978-1-59749-653-7   Syngress
Digital Evidence & Computer Crime          Eoghan Casey            978-0-12-374268-1   Academic Press
Distributed & Cloud Computing              Kai Hwang et al         978-0-12-385880-1   Morgan Kaufmann
Private Cloud Computing                    Stephen R. Smoot et al  978-0-12-384919-9   Morgan Kaufmann
Migrating to the Cloud                     Tom Laszewski           978-1-59749-647-6   Syngress
Moving to the Cloud                        Dinkar Sitaram          978-1-59749-725-1   Syngress

A small example of current titles being reviewed



/ BOOK REVIEWS

BOOK REVIEWS
The Basics of Digital Forensics

Author: John Sammons
Publisher: Syngress
Date of Publication: 9th March 2012
Price: £18.99 (UK), $29.95 (USA)
ISBN: 978-1597496612
Reviewer: Willem Knot
Verdict:

If you’re just starting out in the industry of Digital Forensics, and want a basic overview of the industry, including an introduction to beginner tools and techniques, then this is the perfect book for you.
Sammons starts at the very beginning with a brief introduction to Forensic Science as a whole, before concentrating on an introduction to what is meant by ‘Digital Forensics’. In the introductory chapter, Sammons also brings the reader ‘up to speed’ on Locard’s Principle of Exchange, The Role of the Forensic Examiner and also on various Organisations of note (although this part concentrates mainly on US organisations).
The second chapter in the Beginner’s journey, presented by Sammons, introduces the basics about Bits, Bytes and the various numbering schemes, such as Binary and Hexadecimal. The reader is then taken through the ways in which Data is stored in various environments, finishing with the basics of computer functions.
With the basic introduction to computer science out of the way, Sammons then enters the realm of Labs and Tools, explaining how Labs can be operated and providing an insight into the ways in which forensic tools work. Sammons concentrates mainly on AccessData’s Forensic Toolkit (FTK) and gives a brief mention of Cellebrite’s UFED tool for mobile device analysis.
Throughout the book, Sammons pays good attention to common Forensic practices and the preservation of evidence through an intact chain of custody.
As Sammons approaches the heart of the book, much of the focus falls to analysing Windows artefacts, a move which I consider integral to any beginner’s education with the Microsoft products still dominating the Computer market.
For those of you who are outside of the US, a lot of the legislation mentioned and discussed will be of little to no use and I would advise any reader to be fully aware of this before they focus too heavily on the practices laid out in the specified US legal documents such as the Fourth Amendment.
Rather than focus solely on Forensic Analysis of Windows machines, Sammons does describe how to perform Forensic Analysis of web pages, email systems and also Network Forensics, providing the Beginner with a wide understanding of the Digital Forensic industry.
By far the most interesting chapter, and the one that I believe will be most attractive to beginners, is the chapter on Anti-forensics; demonstrating to the reader the various ways in which people will attempt to hide and/or remove any incriminating evidence on their computer devices.
The Basics Of Digital Forensics is certainly one of the shortest Forensics books I have read, but this certainly does not detract from the quality of the information that Sammons presents to the reader. Each chapter is broken down into easy-to-follow sections, with an overall summary at the chapter conclusion.
Having worked in the Digital Forensics industry, it is rare that a book for beginners piques my interest. However, the style of writing and the delivery of the information within this book provide a valuable resource for beginners and a great refresher for those who are reacquainting themselves with the industry. Syngress has provided another top quality publication that should appear on every practitioner’s bookshelf.

The Basics of Hacking & Penetration Testing

Author: Patrick Engebretson
Publisher: Syngress
Date of Publication: 1st August 2011
Price: £18.99 (UK), $29.95 (USA)
ISBN: 978-1-59749-655-1
Reviewer: Alan Pimloy
Verdict:

Have you ever wondered what hacking and penetration testing is all about, or are you someone who is thinking of digital forensics as a career and want to learn more about hackers and how to test networks? Well, this is an entry level book to get you started.
Patrick Engebretson is a product of Dakota State University and is currently an assistant Professor of Information Assurance. He is not only an avid researcher with many peer reviewed and published articles, he is also a senior penetration tester with a security firm, giving him a depth of knowledge and practical experience to call on when writing such a book.
The opening chapter gets right to the heart of the subject by introducing the reader to penetration testing, Backtrack



Linux and how to create a hacking lab. Using a simple step by step approach the author has provided an easy to follow and simplified introduction, including reducing pen testing to a simple 4 step process.
The following chapters are each dedicated to one of the four steps of the penetration testing process, namely: Reconnaissance, Scanning, Exploitation and Maintaining Access. Each of the chapters is broken down in such a way that it explains in clear terms what is involved, as well as looking at tools and techniques to be considered by the would-be Pen Tester.
Interspersed throughout each chapter you find hidden gems included, often missed in purely technical tomes, such as Social Engineering in the Reconnaissance section and MACOF “Making Chicken Salad out of Chicken Sh*t” in the Exploitation section. The level of technical detail, complete with explanation on the tools and techniques, gives the reader an excellent base knowledge on which to develop their skills.
Each chapter builds on the previous chapter, expanding the understanding and knowledge of the subject, introducing appropriate tools at each stage of the process, and introducing different techniques to try and achieve the aim of each stage. It has to be remembered that this is a book introducing the basics of penetration testing or, as the author calls it, “Zero Entry Hacking”; it does not go into depth on every tool.
Whilst not explicitly stated, the book does assume that the reader has knowledge of computers, networking and the command line interface. This is entirely reasonable as it is unlikely that anyone would be looking into the subject of penetration testing and hacking unless they were already involved in the world of computing and computer security.
As someone who has worked in the computer security industry for the last 20 plus years it is a rare event when a book keeps my interest going from start to finish and leaves me looking for the next book from the author. If you are interested in the tools and techniques of penetration testing but do not know where to start, then this is the book for you.



/ COLUMN

IRQ
Is Anti-Virus really dead?
by Angus Marshall

So, the government has decided that changing the rules on interception of communications data might not be such a bad idea after all, has it? In spite of all the fuss produced when the last government proposed pretty much exactly the same thing! Interesting.
As far as I can see, the two main features of the proposal are a change to authorisation mechanisms, to allow the interception to happen more quickly, and a shift in the responsibility for data capture from law enforcement to communications service providers.
To some extent, I can understand and almost agree with the first reason. Under the RIPA rules, authorisation for interception of data about communications (NOT content) requires sign-off by a senior officer; something that can take a significant amount of time to achieve. Where lives might be at stake, delays in authorisation could be critical.
It might be useful, though, to consider the reasons for the delays rather than introducing shortcuts. It takes time to get authorisation because a) senior officers are pretty busy and can be hard to pin down and b) authorising an intercept can have serious repercussions in the longer term; naturally, anyone asked to make a decision has to be persuaded that it’s necessary and not going to come back to haunt them in the future. As a result, I have a reasonable degree of confidence that most of these intercepts are only approved when a good case has been made. I’m also aware that authority can be (and is) withdrawn if the supporting argument weakens. Under the new proposal, it seems that this element of personal responsibility, which causes a “pause for thought” for each application, may disappear.
More worrying, for me at least, is the proposal that CSPs should be responsible for carrying out the interception and monitoring in real time. Effectively this means that, in order to avoid delays, data capture systems would need to be permanently enabled and details filtered on demand. Where’s the problem?
Simply, there are two inherent problems: scope creep and technical anti-intercept methods.
We’ve seen it time and time again. Once a facility becomes available for one reason, someone realises the other possibilities, and then the system starts to be abused. We’ve already seen this with the RIPA system, with numerous reports of council staff abusing the powers in order to investigate the major crime of putting the bins out for collection on the wrong day.
Furthermore, processes such as this are easily bypassed by the technically savvy. Using encrypted communications, forwards, disposable addresses, VPNs etc., it will still be easy to communicate in a way which really isn’t amenable to any form of interception. Even with the powers proposed, the truly serious threats to national security may still remain un-investigable because the best that can be achieved is the knowledge that someone, somewhere may or may not be communicating in some way with someone who may or may not be of interest. Public concern about less well-regulated interception will lead to an increase in the use of these technologies by innocent, but concerned, users. That will create a new problem: more noise from which the important messages still need to be extracted.
It’s not exactly a new problem. The government should, perhaps, look at what has happened in businesses where employee contracts explicitly permit interception of communications on the business network, without warning. Employees either stop communicating as effectively, or find alternative channels to use (e.g. smartphones), resulting in a new headache for the business: the possibility that business communications are happening by inappropriate channels, leaving them liable but unable to effectively monitor the communications, and with a far less supportive workforce. Nobody likes to feel that they could be under observation any time, all the time. /

/ Author Bio
Angus Marshall is an independent digital forensics practitioner, author and researcher, currently working on the ‘fitness for purpose’ challenge. In a past life he was an academic course leader in Digital Forensics and Forensic Computing and still retains strong links with academia, professional bodies and regulators. He can be contacted through his company, n-gate ltd. (http://www.n-gate.net).
/ EDITORIAL

EDITORIAL

A recent news article about flying cars set me to thinking about the current limitations/boundaries or lack of boundaries in digital forensics. Traditionally forensics was about finding evidential artefacts that can be used to help law enforcement prosecute offenders or by defence lawyers to prove the innocence of their client. These days it is much more and includes investigating cause and effect as the many uses of technology continue to expand.

In the mad rush to use technology as an enabler, the first casualties are often security and safety. Naturally this comes from the desire to make things happen; security and safety are often seen as blockers to this ideal and often add a level of cost and complexity that is considered a stifling of innovation and progress. I do not subscribe to such short-termism. All too often the blinkered cut costs to speed up development or production only to find that they have to pay a greater amount subsequently. Then there is the developer who just wants to make it work, no matter what the cost.

Take the ubiquitous motor vehicle; this has become ever more complex as more technology is added to improve on braking, steering, engine management and such like. Add to this mix the SatNav, Bluetooth, WiFi and communications both Car-to-Car (V2V) and Car to Infrastructure (V2X) and you have a heady environment rich in potential with regard to digital information.

Next we move on to our humble dwellings, once the mud huts protecting us from the wind and rain; now they are awash with technology rich in information and set to become even richer. The so-called “Smart” houses of the not too distant future will provide a wealth of information for investigations. When considering a timeline investigation we already use CCTV and alarm systems for artefacts; now consider if you can tell when lights were turned on and off, does the pattern and time fit with the investigation?

It is in this vein that we continue to look for interesting and informative articles on the expanding and challenging world that we call Digital Forensics. Following the more focussed issue 10 on mobile phones, issue 11 has an interesting mix covering a number of disciplines and activities; Chinese Cell Phones, Stochastic Forensics, WPS, Botnets, Password Cracking and Covert Channels is a heady mix and once again shows the broad nature and diversity of the digital forensics profession.

I hope you enjoy the latest issue of Digital Forensics Magazine and remember we are always happy to hear from you via 360 or, if you want to “Get Involved”, you can follow the various links from the website or contact us at editorial@digitalforensicsmagazine.com

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board
Roy Isbell, Alastair Clement, Scott C Zimmerman, Rob Lee, Angus Marshall & Sean Morrissey

Acquisitions
Roy Isbell, Sean Morrissey, Rob Lee & Scott Zimmerman

Editorial
Roy Isbell

News Desk
Matthew Isbell

Sales & Marketing
Andrew Nicholson

Production and Design
Matt Dettmar (www.freelancemagazinedesign.co.uk)

Contributing Authors
Angus Marshall, Brian Cusack, Rob Harriman, Rob Lee, Scott C. Zimmerman, Sean Morrissey, Glen Edwards, Jonathan Grier, Andy Swift, Kevin North, Ollie Whitehouse, Matthew Isbell, Jim Wingate & Juneown Park

Technical Reviewers
Dr. Tim Watson, Scott C. Zimmerman, Sean Morrissey, Rob Lee & Angus Marshall

CONTACT DIGITAL FORENSICS MAGAZINE

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@digitalforensicsmagazine.com
Alternatively you could telephone us on:
Phone: +44 (0) 844 5 717 318

News
If you have an interesting news item that you’d like us to cover, please contact us on: news@digitalforensicsmagazine.com

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@digitalforensicsmagazine.com.

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@digitalforensicsmagazine.com.

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@digitalforensicsmagazine.com.

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.
/ CONTENTS

CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 11

REGULARS
/ NEWS 06
/ ROBSERVATIONS 14
/ 360° 26
/ LEGAL EDITORIAL 29
/ APPLE AUTOPSY 45
/ COMPETITION 56
/ BOOK REVIEWS 80
/ IRQ 82

FEATURES
/ Let Me In 09
Glen Edwards’ guide for how to avoid an investigation being delayed or, at worst, stopped
/ Stochastic Forensics 16
How to prove or disprove that data has been stolen
/ WPS Insecurities AND False Prophets 22
In this article, Andy Swift looks at the WPS facility and analyses the vulnerability it presents
/ Meet the DF Professionals 36
An interview with Chip Off researcher, Jim Swauger
/ Chinese Cell Phone AND Digital Forensics 40
A look at the increase of mobile phones in China
/ Imaging and Write Blocking on a Mac 46
How first responders and examiners should handle the imaging of both old and new Macs
/ BotNets 57
Brian Cusack and Junewon Park investigate the enemy
/ Covert Channels 62
Matthew Isbell takes a look at covert channels
/ CYBER CHAMPIONS 71
Educating youngsters about the digital world

LEGAL
/ China’s Evidentiary Requirements 30
A look at the legal system in the People’s Republic of China

FROM THE LAB
/ image Forensics 51
Ollie Whitehouse explains how to deal with large quantities of forensically acquired image data
/ NEWS

NEWS

EnCase Version 7 released with extra features

Since the last issue of Digital Forensics Magazine, the leading software solution for Digital Forensic Investigations, EnCase, has been upgraded to version 7. Guidance Software, the company behind EnCase, has explained that the latest version of EnCase Enterprise is designed to help with the growing computer investigation needs of commercial enterprises and government organisations for governance, risk and compliance.

EnCase version 7 also comes packed with integrated smartphone support, a revamped user experience and brand new, powerful template-driven processing. Being dubbed as the most powerful and easiest to use version of EnCase, the software was debuted at the 2012 RSA conference.

Victor Limongelli, president of Guidance Software, explained that, “EnCase Enterprise has long had a dominant market position with Fortune 100 firms, but recently we’ve seen a boom in demand – new EnCase Enterprise customers tripled in 2011 – which tells us that the addressable market for remote forensics is growing beyond just the world’s top companies. EnCase Enterprise version 7 is aimed at simplifying enterprise investigations through automation and enhanced functionality, allowing the examiner to complete remote forensics in a timely and effective manner.”

The key features of version 7 include:

• Comprehensive Device Support – in addition to the robust file system support that EnCase Enterprise is known for, version 7 delivers integrated support for Apple, Blackberry, Android, Windows Mobile and other smartphone and tablet devices.
• Expanded Encryption Support – The software provides additional support for file- and disk-based encryption, as well as all new integrated Passware support to quickly identify files locked by passwords and to decrypt TrueCrypt files.
• Enhanced User Experience – The EnCase Enterprise user interface has been redesigned to have the same simplicity as using a web browser, with the ability to quickly zoom in on data of interest in an all new system and volatile data viewer.
• Fast, Powerful Performance – New caching capabilities make opening and browsing case data faster and more efficient.
• Support for Governance, Risk and Compliance (GRC) Products – EnCase Enterprise supports compliance concerns by allowing activity to be stored in Windows event log files to trigger auditing functions in SIEM tools. The software provides comprehensive logging of operations and allows Active Directory integration for user authentication.

Russia to hold ISPs responsible for illegal file sharing

Illegal file sharing is still a growing issue in the realm of Cyber Crime. While previous attempts to target individual file-sharers have failed, authorities and copyright holders have been forced to lay the blame elsewhere.

The battle against illegal file sharing is continuing globally and it has been seen as routine to witness Internet Service Providers (ISPs) being drawn into the debate and treated as the sole reason for the existing problems.

One nation that has been described by many as a haven for cybercrime and illegal file sharing is Russia. However, it may seem that this is all about to change. Recent reports from Russia explain that authorities are soon to put more pressure onto Internet Service Providers whose networks are being used to conduct copyright offenses and share illegal material.

Although the networks provided by ISPs give the users access to a wealth of legal material and services, it was never going to be long before these networks were used for malicious and nefarious purposes. There is no evidence to suggest that the ISPs advertise the availability of the illegal material, and indeed no suggestion is being made, but there are current claims stating that the ISPs use the existence of such illegal networks as a ‘plus point’ when marketing their various products.

The Interior Ministry’s cyber crime department has stated that, in advance of any action against ISPs, nationwide checks are being carried out into the use of the local networks, with results being released in May.

A statement from three ISPs who spoke to Vedomosti.ru describes how none of them are aware of any investigations currently underway. Anyone who is prosecuted for direct copyright infringement in Russia can face a sentence of up to 6 years imprisonment.

This method of blaming and encouraging ISPs to spy on their users has been seen elsewhere in the world recently with the failed attempt to bring SOPA, the Stop Online Piracy Act, into legislation in the US.

It would seem that the idea of making ISPs and websites responsible for their users’ actions is becoming very popular in political circles and we may see more similar action being taken around the world in the coming year.

SOPA failed to be enacted in the USA after it was voted a breach of an individual’s privacy and was seen by many as a deceptive way for governments to spy on their citizens.

/ NEWS ROUND-UP

FIRST ACCREDITED COURSE IN THE UNITED STATES
Marshall University (MU), in West Virginia, has become the first University to receive accreditation for its Digital Forensic program in the United States. The award, presented to the University by the Forensic Science Education Programs Accreditation Commission, was announced on April 2nd at a press conference. Dr Terry Fenger, director of the Forensic Science Center at MU, explained how the center does more than just train graduate students in Forensic Science, but also trains law enforcement professionals and assists the police across the whole nation. The Center is located in the South Side of the city and offers a “multi-faceted program” including education in forensic science, training for professionals and advanced scientific analysis. In an industry that is still very young, this accreditation shows a step forward in the development of standards to judge the effectiveness of courses and certifications within the United States.

STUDENTS HELP SOLVE CYBERCRIME CASE
A group of Eastern European cybercriminals has been brought to justice with the aid of a Computer Forensics professor and a group of his students. Gary Warner, Professor at the University of Alabama in the United States, played a key role in what is now known as Operation Trident Breach, after pinpointing a Trojan that was being used to collect banking data from small and medium sized American companies. The data was then used to steal money that was transferred to “money mules” based in the US before being transferred to the main perpetrators. The scheme allowed the group of hackers to collect more than $70million before the FBI, in cooperation with other international agencies, finally located and prosecuted the individuals responsible. The FBI has acknowledged that Social Media was highly effective in helping to capture some of the Money Mules.

NEW HMRC CYBERCRIME TEAM TO TACKLE TAX FRAUD
Her Majesty’s Revenue and Customs (HMRC) in the UK has recently revealed new plans to create a team of forensic and security professionals that will proactively tackle tax fraud being carried out by organised groups of criminals. The National Cyber Security Program will fund the team, enabling the recruitment of experts, analysts and investigators who will protect the UK Exchequer from increasingly sophisticated methods aimed at its repayment systems. HMRC is also planning to deploy new technologies that will provide investigators with real-time intelligence of criminal activities. The team will play a key role in the defence of the UK economy where cyber criminals are constantly finding new and more sophisticated methods of obtaining data that would otherwise be unavailable to them. The UK Government continues to regard Cyber Security as a top priority and has recently put another £100,000 towards the budget for cyber security, on top of the £650million that has already been allocated to fight against cyber-attacks up until 2014.
/ FEATURE

LET ME IN
An outline of how incident responders can get into a locked system
by Glenn Edwards
/ ADVANCED

In the field of Incident Response (IR), time is of the essence and a locked system may cause an investigation to become delayed, or even worse, over. For the purpose of this paper, a locked system should be considered either a live or a dead system that requires authentication on the Operating System (OS) level. Over the years there have been a few tricks to get around this type of restraint, however, some methods are not maintained by the community, do not work because of system updates, or the responder is simply not aware of them.

The intent of this article is to inform the IR community of current techniques available to overcome these types of situations while also providing a brief technical overview of what each technique involves. Although this paper includes techniques that will also work on Macintosh and Linux platforms, the primary focus of this paper will be unlocking a Windows system. Windows is still the most dominant platform on the market and is what an incident responder is most likely to encounter.

/ Considerations
In order for the techniques outlined in this paper to successfully work, there are some considerations to be made and requirements to be met, these are:

1. Since some of the following techniques involve resetting a user’s password, any files the user had encrypted with the Windows Encrypting File System (EFS) will be lost. This should only be a concern if the original credentials/private EFS key(s) were not exported prior or if the technique used does not make a permanent system change.
2. Will you have physical access to the system?
3. Can you reboot the system?
4. Does the target system have Full Disk Encryption (FDE)?

For the second part of this paper, dealing with a live system, there are other limitations that need to be considered aside from the list previously stated above, these include:

5. Lack of a FireWire port on the target system;
6. Whether or not an expansion slot (PCIe, ExpressCards etc.) is accessible on the system (as an alternative for a missing FireWire port);
7. Whether or not the 1394 stack is disabled on the target system;
8. How much Random Access Memory (RAM) it has;
9. What OS and patch level the target system has.

/ Unlocking a Dead System
The system is not running so why would you need to unlock it? We as incident responders cannot always fully prepare for an engagement, and sometimes we do not even have all of the necessary details. With that being the case, what if you need to boot up the target hard drive during or after an investigation? An example use case would be if you are investigating a check fraud case and you need to open the commercial application on the system that contains evidence in a proprietary format. You could boot it up using “LiveView” or put it in a spare desktop, but what happens if you are prompted with the Windows logon screen? Do you have credentials?

/ Kon-Boot
If you are able to reboot the target system and consideration #1 is not of concern, then Kon-Boot[1] should be the first tool you turn to. Kon-Boot is a tool that can be loaded onto a floppy disk, USB stick, or CD/DVD, and when the target system is physically booted from it, it will allow you to bypass the authentication at the OS level. While it was originally a project created for Linux systems, it has evolved to work on both 32 bit and 64 bit versions of Windows as well.

When the target system is booted from Kon-Boot, it first enters a pre-boot environment that then loads itself into memory and proceeds to hook into the BIOS. Here, it modifies the Windows kernel to not require a password at the Windows logon screen. Since this is all done in memory and prior to the OS loading, this technique does not alter the file system of the target system. If your patching is successful, you should be presented with a screen similar to Figure 1.

Figure 1. Kon-Boot boot-up screen
/ FEATURE

/ Sticky Keys
Have you ever accidentally hit the Shift key 5 times and turned on the Sticky Keys feature?

Sticky Keys is an accessibility feature within Windows meant to aid users who are unable to hold down two or more keys at a time. This feature is enabled by default on Windows installations and is therefore highly reliable as another option.

By switching the Sticky Keys application with a command prompt on the system, we can take advantage of this feature and reset a local user’s password or create a new local user. There are two different ways this can be accomplished: via a Windows installation disk, or from a Linux Live CD/USB. If you choose to use a Windows installation disk:

1. Go to recovery console > command prompt
2. Create a copy of the Sticky Keys application

   > copy c:\Windows\system32\sethc.exe c:\Windows\system32\sethc.bak

3. Replace the Sticky Keys application with a copy of command prompt*

   > copy /y c:\Windows\system32\cmd.exe c:\Windows\system32\sethc.exe

   * If you are getting an ‘Access Denied’ error you need to change this file’s ownership and permissions

4. Restart the system and press the Shift key 5 times
5. A command prompt should now pop up and allow us to add a new user or reset an existing user’s password:

   • List the local users
   > net user
   • Reset an existing account’s password
   > net user <username> <new password>
   • Create a new account
   > net user /add <username> <password>
   > net localgroup administrators <username> /add

6. If this is not being done on a cloned copy/virtual image of the system then remember to revert the Sticky Keys application

   > copy c:\Windows\system32\sethc.bak c:\Windows\system32\sethc.exe

Figure 2. Sticky Keys pop-up
Figure 3. Sticky Keys replaced with Command Prompt

/ PASSWORDS
One of the ultimate decisions you need to make is whether or not you need the user’s password. To help in your decision tree, here are some key examples of when and why it is a good idea to do so:

• The target system has EFS
• The user’s password is used or believed to be used on other systems/accounts
• The user’s password is used or believed to be used for their hard drive, BIOS or FDE password
• The user’s password is used to encrypt other files such as ZIP/RAR/7zip archives, PGP/TrueCrypt containers or password safes like KeePass
• In order to correlate with other logs and prove the user’s credentials were the ones used to log into somewhere else (bank, email, ssh, ftp etc.)
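The swap above leaves two artefacts on disk that an examiner auditing an image can check for: sethc.exe becoming byte-identical to cmd.exe, and the leftover sethc.bak from step 2. The following is an added example (not code from the article) that performs that check against a System32 directory; the demo builds a constructed stand-in directory with placeholder bytes rather than real PE files, and the known-good hash argument is assumed to come from a reference image of the same Windows build.

```python
"""Added example: audit a System32 directory for the Sticky Keys swap.

Checks, from the steps described in the article:
  * sethc.exe is byte-identical to cmd.exe        -> swapped
  * sethc.bak exists                               -> backup step leftover
  * sethc.exe differs from a known-good hash       -> modified (optional)
The demo directory built by build_demo_system32() is constructed for
illustration; its files are placeholder bytes, not real Windows binaries.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

SETHC = "sethc.exe"
CMD = "cmd.exe"
BACKUP = "sethc.bak"   # name used by the article's step 2


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_sticky_keys(system32: Path,
                      known_good_sha256: Optional[str] = None) -> dict:
    """Inspect a mounted or exported System32 directory for the swap."""
    sethc, cmd, backup = system32 / SETHC, system32 / CMD, system32 / BACKUP
    findings = []
    result = {
        "sethc_present": sethc.exists(),
        "sethc_is_cmd": False,
        "backup_present": backup.exists(),
        "known_good_match": None,
        "findings": findings,
    }
    if not sethc.exists():
        findings.append("sethc.exe missing from System32")
        return result

    sethc_hash = sha256_file(sethc)
    if cmd.exists() and sha256_file(cmd) == sethc_hash:
        result["sethc_is_cmd"] = True
        findings.append("sethc.exe is byte-identical to cmd.exe (Sticky Keys swap)")
    if backup.exists():
        findings.append("sethc.bak present: leftover of the backup step")
    if known_good_sha256 is not None:
        result["known_good_match"] = sethc_hash == known_good_sha256.lower()
        if not result["known_good_match"]:
            findings.append("sethc.exe does not match the known-good hash")
    return result


def build_demo_system32(root: Path, swapped: bool) -> Path:
    """Constructed stand-in for %SYSTEMROOT%\\System32 (placeholder bytes)."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True, exist_ok=True)
    cmd_bytes = b"MZ-constructed-cmd.exe-placeholder"
    sethc_bytes = b"MZ-constructed-sethc.exe-placeholder"
    (system32 / CMD).write_bytes(cmd_bytes)
    if swapped:
        # Mirror the article's steps 2 and 3: keep a .bak, overwrite with cmd.
        (system32 / BACKUP).write_bytes(sethc_bytes)
        (system32 / SETHC).write_bytes(cmd_bytes)
    else:
        (system32 / SETHC).write_bytes(sethc_bytes)
    return system32


def demo():
    """Audit a clean and a swapped constructed directory; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_demo_system32(Path(tmp) / "clean", swapped=False)
        swapped = build_demo_system32(Path(tmp) / "swapped", swapped=True)
        known_good = sha256_file(clean / SETHC)   # reference-image hash (assumed)
        return (audit_sticky_keys(clean, known_good),
                audit_sticky_keys(swapped, known_good))


if __name__ == "__main__":
    for label, report in zip(("clean", "swapped"), demo()):
        print(label, report["findings"] or ["no findings"])
```

On a real image, point audit_sticky_keys at the mounted Windows\System32 directory and supply the reference hash for that Windows build.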
Figure 4. Ophcrack successfully cracking Windows hashes

/ Ophcrack
Ophcrack[2] is a free open source program that cracks both LAN Manager (LM) and NT LAN Manager (NTLM) hashed Windows passwords by using rainbow tables. A rainbow table is a pre-computed table consisting of all possible combinations from a predefined character set which utilizes a time-memory tradeoff for reversing hashing functions, such as LM and NTLM. There are still many environments where the weak LM hashing function is in use for backwards compatibility and because of this, Ophcrack may be a great solution for you to use if you are able to reboot the system and need to obtain a user’s password.

Ophcrack can be downloaded as a full installation as well as in the form of a LiveCD; the latter of which will suffice for the purposes we are focusing on. The LiveCD comes in two versions, XP and Vista/7, and both already contain some basic rainbow tables (other tables[3] are available for download). When you boot the target system from the Ophcrack LiveCD, Ophcrack will load the hashes from the SAM file located on the Windows partition and attempt to crack them. If successful, you will be presented with a screen similar to Figure 4.

Notice that the hashes for both of the users are the same, which means once you crack one, you crack both. If these hashes were utilizing a ‘salt’, both hashes would differ even though their passwords are identical, making it harder and more time consuming to crack identical passwords.

/ BackTrack
BackTrack[4] is a Linux-based penetration testing distribution which can be installed on your system or booted from a Live CD/USB. BackTrack has been around for years and is popular among security professionals because it incorporates several useful tools into a single distribution. A common way for an incident responder to utilize BackTrack is to crack the target system’s password hashes by booting the target system into BackTrack and using bkhive, samdump2 and John the Ripper (JTR) in the following way:

1. Mount the target system’s Windows partition

   $ mkdir /mnt/<dir>
   $ mount -t <type> /dev/<partition> /mnt/<dir> -o ro

2. Copy the system hive

   $ bkhive /mnt/<dir>/WINDOWS/system32/config/system ~/key.txt

3. Dump the hashes from the SAM hive

   $ samdump2 /mnt/<dir>/WINDOWS/system32/config/SAM ~/key.txt > ~/sam.txt

4. Change into JTR’s directory

   $ cd /pentest/password/john

5. Run JTR against the file containing the password hashes and if successful your output will be similar to:

   $ john ~/sam.txt
   Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
   T123 (admin:2)
   T123 (cert:2)
   MYSECRE (admin:1)
   MYSECRE (cert:1)
   …snipped…

/ Unlocking a Live System
There may come a time when you are presented with a locked system and are unable to shut it down because the volatile data is imperative to your investigation, it has Full Disk Encryption (FDE), or maybe it is a critical server. Whatever the reason may be, what would you do?

Most modern techniques for unlocking a live system rely on the IEEE 1394, or FireWire, interface. FireWire is a serial bus interface that allows for fast data transfer. The reason it is able to achieve this, and why we care about it for Incident Response, is because FireWire provides the ability to read/write directly to a system’s memory through Direct Memory Access (DMA). By doing so, we are able to bypass the system’s Central Processing Unit (CPU) and OS to circumvent any restrictions which would otherwise prohibit such ability.

/ CONSIDERATIONS
Having the ability and knowledge to unlock a live system may make you feel like a magician but there are some considerations that need to be addressed prior to your investigation.

• When you first attempt to unlock a live system with Inception you should use the “-n” or no-write option. By doing so you will perform a dry run and see if you find the correct signature/offset to unlock the system without writing anything back to the target system.
• While similar methods have been around for years, the legality of actually performing incident response by utilizing FireWire’s DMA has not really been tested. The best thing to always follow is the practice of being ‘forensically sound’ and having someone else be able to reproduce the results you were able to find – which becomes questionable with this method.
/ FEATURE

/ Inception
While the concept of using FireWire to bypass the Windows Lock Screen has been discussed and presented since 2004, a recent release of a tool called Inception[5] (formerly known as FTWAutopwn[6]) provides a more stable and reliable means than previous tools, such as Winlockpwn. This is because it incorporates a new open source library called libforensic1394[7] which uses the new Juju FireWire stack and allows you to present a Serial Bus Protocol 2 (SBP-2) unit directory with original FireWire bus information from your machine to the target system.

Inception is actively maintained, which means its author is constantly adding new features, bug fixes, and more reliable unlocking techniques. This tool works great for Windows XP SP0-3 and Windows 7 x86 SP0-1, however, it may be hit or miss if you are trying it on Windows x64 systems at the time of writing this. This is because the method it uses relies on the signature it is patching to be at a specific offset, and on 64 bit systems the offset address is less stable and more likely to change. If the signatures and offsets within the configuration file are not working for your scenario and you have some disassembly knowledge, you can load the specific msv1_0.dll version into a disassembler and determine the signature/offset combination that you need to add to Inception.

In Windows, the Dynamic Link Library (DLL) msv1_0.dll (located in %SYSTEMROOT%\System32\) is the Microsoft Authentication Package that is responsible for validating a user’s password. Within this DLL is a function called MsvpPasswordValidate that is responsible for performing a comparison between an entered password and the correct password. Inception patches this comparison to say that the correct password was entered regardless of what, or if anything, was entered at all. Since this is all done in memory, the patching is not persistent and restarting the system will restore its normal authentication. In order to use Inception there are some files/packages which need to be downloaded and installed on your system, but to make things easier I wrote a simple bash script that can be found in Appendix I.

Once you have your system properly configured and DMA access to your target system, choose which target you want to unlock and if you are successful you will see a screen similar to Figure 5.

Figure 5. Windows 7 x86 SP1 unlocked from FTWAutopwn

/ Extend your arsenal
libforensic1394 also provides the ability to dump the memory of a live system. Besides being able to unlock a live system on the fly, the libforensic1394 library also provides a means for live memory dumping. While there is not a formal script yet written for the public, the author of the library presented some insight of how to do this in his paper[11]. The only requirement missing is a little knowledge in python and a target system to perform this on.

/ Automation
Instead of remembering what commands need to be entered, what files need to be downloaded and what packages are required, why not leverage the simplicity of Bash scripting and automate the process.

I wrote a setup script [8] for use with BackTrack v5; for use with other distributions some slight modifications might be required. Additionally, it was written for use with a non-persistent system (Live CD/USB) as well as a system with a persistent configuration. If you are going to run this script on a non-persistent system, Internet access is required unless the files/packages required are downloaded prior and stored on some other removable media, which would then have to be configured in the script as well.

/ Conclusion
The goal of this article was to inform you, the incident responder, of ways to unlock both a live and a dead system so if you find yourself in either scenario, you will have the knowledge and ability to continue your investigation. It is equally important to know all of the available techniques that can be used in case one does not work or is not feasible due to other limitations. /

/ Author Bio
Glenn P. Edwards Jr. is a Senior Consultant with Foundstone’s Incident Response practice where he specializes in Incident Response, Digital Forensics and Malware Analysis. Glenn holds a M.S. degree in Digital Forensics from the University of Central Florida as well as a B.S. degree in Information Security and Privacy from High Point University.
/ ROBSERVATIONS

ROBSERVATIONS
Is Anti-Virus really dead?
by Rob Lee

A year ago, I decided to find out if anti-virus really is dead by creating a realistic attack scenario based upon the experiences of a group of instructors at SANS and some independent experts, who also reviewed and advised on the attack “script”. We created an incredibly rich and realistic scenario across multiple Windows-based systems in an enterprise environment. This scenario will be used for some examples in the new courseware that I am planning.

The purpose is to give students real file-system and memory images that they can examine in class to detect, identify, and forensicate APT-based activities across these systems. The aim is to give students who attend the course “real world” data to analyze. The goal is to create attack data to use in our courses at SANS so that our students could have a direct feel for what it is like to investigate advanced adversaries.

This past week, we ran through the exercise. I had a team of attackers mimic the actions of an advanced adversary similar to the APT. Having seen APT tactics first hand, I scripted the exercise but also wanted to create a realistic environment that would mimic many organizations’ home enterprise networks. Over the week, I learned some very valuable lessons by being able to observe the attack team first-hand. More in future articles, but the first question I had on my list was: “Is AV really dead?”

/ So, Is AV Really Dead?
Over the years, I knew that it can be circumvented, but it was not until I helped plan out and execute this exercise that I was exposed to the truth first hand. In many incidents over the years (including many APT ones), we and other IR teams have found that AV detected signs of intrusions, but they were often ignored. I expected at least some of those signs to exist this past week while running through the exercises we were creating. I had hoped differently, but after a week of exploiting a network using the same APT techniques that we have seen our adversaries use, I think it paints a very dark picture for how useful AV is in stopping advanced and capable adversaries. This isn’t an anti-AV or HIDS write-up, but is meant to give you something to think about when it comes to what we are blindly looking for. I would never recommend someone go without it, but it is clear that in order to find and defend against advanced adversaries we need to do more than rely on AV.

To be honest, I actually had some hope for some of the enterprise level AV and HIDS products (in this case, McAfee Endpoint Protection) to catch some of the more basic techniques we used (as I wanted the artifact to be discovered by attendees), but AV proved easy to circumvent by my team. While I’m sure many of these products stop low-hanging fruit attacks, we found that we basically did whatever we wanted without our enterprise managed host-based AV and security suite sending up a flare.

/ What? Nothing?
What is bundled into this suite? Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management (McAfee Endpoint Protection). I also separately purchased their desktop host intrusion prevention piece, built that into McAfee EPO and deployed that across my environment as well. The point is not to embarrass anyone; that isn’t the intent of the exercise. However, trying to create a realistic environment with enterprise tools deployed is. As a result, we knew we had to include real world implementations of some of the best tools money can buy. In the end, this isn’t about trying to shame anyone. It is about reporting, “What happened?” and “What did we notice?”

To help understand how this might have happened, many have asked for the details of the network and the attack.

/ The Windows Based Enterprise Network
• Full auditing turned on per recommended guidelines
• Users are restricted to only being a user
• Windows DC set up and configuration didn’t tighten down the network more than what is expected in real enterprise networks
• Systems installed and have real software on them that is used (Office, Adobe, Skype, Email, Dropbox, Firefox, Chrome)
• Fully patched (patches are automatically installed)
• Enterprise Incident Response agents (F-Response Enterprise)
• Enterprise AV and On-Scan capability (McAfee Endpoint Protection — Advanced Suite)
• Firewall only allowed inbound 25 and outbound 25, 80, 443.
• The “APT actors” have hit 4 of the systems in this enterprise network (Win2008R2 Domain Controller, Win7 64bit, Win7 32bit, WinXP).
• Users have been “using” this network for over a year prior to the attack. That way, it looks and feels real. These users have set up social media, email, Skype, etc. Each character user has a ‘backstory’ and a reason to be there working.



/ Bad habits we included and commonly see in most enterprise networks:
• Local Admin User (SRL-Helpdesk) found on each system with the same password
• A regular user with local admin rights on an XP machine.

/ Malware Used (non-public):
• C2 Beacon — Port 80 C2 channel encoded in XMLRPC traffic. Meterpreter backend — Malware detected by Microsoft Security Essentials due to payload, but not by McAfee’s products (I know -- odd!). The beacon would beacon every X seconds over port 80.
• C2 Channel — Custom Meterpreter backend based executable. Will connect out over port 80. It doesn’t have persistence or a beacon interval. Must be started to connect.

/ Malware Used (Public)
The evasion technique is pretty simple: wrap the executable into a python script (you can also use perl and Ruby) then insert it into a good executable or export to a new one.
• Poison Ivy — Straight export to Python Array. Pretty sad that it worked actually. This is where I had hoped to create some alerts that I would have had to suppress.
• Psexec — Not malware
• Radmin — No encoding needed. Is this backdoor OK?
• mimikatz — No encoding. Again, another location hoping to suppress some alerts so we could find them in the “system forensics” piece of the exercise.

/ APT Attack Phases
This exercise and challenge will be used to show real adversary traces in network captures, host systems, memory, hibernation/pagefiles etc. And through the week none of the defences we had put in place mattered whatsoever. It was quite simple to evade any detection. Our APT “team” consisted of John Strand and Tim Tomes.
• Phase 1 — Spearphishing attack (with signed Java Applet attack — public) and malware C2 beacon installation (custom malware — encapsulated port 80 http traffic and POISON IVY)
• Phase 2 — Lateral movement to other systems, malware utilities download, install additional beacons, and obtain domain admin credentials
• Phase 3 — Search for intellectual property, profile network, dump email, dump enterprise hashes
• Phase 4 — Collect data to exfiltrate and copy to staging system. Rar up data using complex passphrase
• Phase 5 — Exfiltrate rar files from staging server, perform cleanup on staging server

In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images with Restore Points (XP) and VSS for (Win7 and Win2008) machines.

Figure 1. Spearphishing Attack Super Timeline

/ Conclusion
We used a combination of custom crafted malware and well-known malware such as Poison Ivy, metasploit, and more. We used simple AV evasion to get around it and we NEVER turned it off.

RESULT = NOT A PEEP from AV!

Yes it was installed correctly, as it did detect the unarmoured metasploit payload quickly and killed it (a test to make sure it DID in fact work, as I became worried it really didn’t work or was set up wrong). I would gladly let anyone from McAfee look at our setup to make sure we didn’t make a mistake, but I followed their guide to the letter and used recommended settings when installing the product. I also have found a lot of clients with incorrectly installed Enterprise products, so it is clearly possible I munged something up during the install. If we are wrong, then we are wrong and we can go back and run through it again after we apply their suggestions, as we have it snapshotted inside an ESX server. I was actually anticipating it would find at least ONE thing we did. Nothing was found.

If anyone needs just a little proof that you are using AV products to mainly defend against low skilled attackers, then there it is. I asked that the attack team use skills learned in most Penetration Testing courses. They didn’t use anything really advanced, which is one of the reasons many argue that even the “Advanced Persistent Threat” isn’t really that advanced. We also made many mistakes during the attack; however, even then, nothing was found and nothing was automatically blocked. If this were a real compromise, we could have been on this network for months or years prior to anyone finding us. Just like in the real world. /



/ LEAD FEATURE

INVESTIGATING
DATA THEFT WITH
STOCHASTIC FORENSICS
A new approach to forensics lets you reconstruct activity, even if it leaves no artifacts.
By Jonathan Grier

/ ADVANCED

“You must find out if Roger walked off with our data.” This mandate, handed to me by my (very nervous) client, was all I had to work with as I walked into my office Monday morning. My client, a large company headquartered in Manhattan, was very concerned about Roger (not his real name), a high level employee who had recently been forced to leave the company. Days after Roger’s ousting, rumors began to circulate that, before leaving, he walked off with data which was potentially very, very damaging to them; damaging enough to put them into a fit of panic. My task was to find out if these rumors were true.

Insider data theft is much harder to forensically investigate than external penetrations. External penetrations leave the digital equivalent of broken windows, which all good forensics experts know how to identify. Insider data theft, however, often leaves no traces: the insider is authorized to use the data, routinely using it every day. Whether they’re stealing it or just using it to do their job, their access is, from the computer’s perspective, technically indistinguishable. Copying a file is a routine operation, forensically similar to simply reading it. Indeed, as I did my background research for this case, I saw that all experts had agreed: copying files on a standard Windows system leaves no artifacts [REF: Carvey]. I was faced with one question: Is forensics possible when no artifacts are left behind?

/ No Artifacts, Yes Forensics?..!
Conventional wisdom tells us the thought of forensics without artifacts is absurd. Forensics works by reconstructing data from artifacts, and, if we have no artifacts, we have no forensics. However, faced with my client’s growing panic, I had no choice but to challenge this conventional wisdom. In doing so, I developed a method I call Stochastic Forensics, which let me crack this case.

A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way. Think of the molecules in a gas: we can’t predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas’s overall behavior. Physics underwent such a paradigm shift in the late 1800s, moving from the traditional Newtonian view of fully determined particles to a new paradigm, pioneered by Ludwig Boltzmann, of unpredictable individual particles from which predictable properties nonetheless emerge. Could digital forensics be in need of such a paradigm shift as well?

As these thoughts turned in my head, I thought of using access timestamps. Operating systems store the time of each file’s last access, updating it every time the file is opened. The timestamp is simply a date and time: it doesn’t tell you who opened it, why, or how. Individual timestamps consequently tell us very little; but perhaps, when taken as a whole and analyzed statistically, they may have quite a bit to tell us.

Figure 1. Project Aurora



/ Solve an Easier Problem
The mathematician George Polya used to advise: “When faced with a problem you can’t solve, there is an easier problem which you can: find it.” Taking Polya’s advice, I decided to first explore a simpler scenario:

Imagine watching someone using a computer. Over their shoulder, you can see they’re using a particular folder, but you can’t see what they’re doing with it. Now, they leave the room, and, as a forensic examiner, you’re asked to determine if they copied it or simply used it routinely. Where do you begin?

Look at the Project Aurora folder in Figure 1. Let’s imagine that the person you watched was an engineer, using this folder to do his work. He opened the top folder (Project Aurora) at 9:13AM, immediately opened the Engineering subfolder, then its Tests subfolder, and then finally opened the Vibration.xls spreadsheet. After looking at the spreadsheet for a few minutes, he opened the McarthySmith Word document at 9:17AM. Since this file was on Word’s list of recent files, he didn’t need to open any folders to get to it. Finally, after spending a few minutes looking at the Word document, he opened the Blueprint.dwg CAD file at 9:21. If you plotted the access timestamps of all those files and folders, you’d see what looks like a random pattern.

Now imagine that instead of doing all that, he instead copied the Project Aurora folder to a thumb drive. What pattern would you see? At 9:13, when he started the copy, Windows would open the Project Aurora folder to enumerate its contents. It would first find the Engineering subfolder, and so it would open that as well. Windows would proceed to drill down through the Engineering folder’s contents, opening and copying each file it finds. After spending a few seconds copying those files, Windows would return to the next subfolder of Project Aurora, and descend through it likewise. If you plotted those access timestamps, you’d see a very unique pattern, showing each folder and file being opened one after the next, in order, with no pauses in between.

This is an amazing point! While no single timestamp tells us anything of value, when we look at many of them, patterns emerge which identify copying. In fact, there are four such emergent properties. Routine access is selective: some files are opened and others ignored, whereas copying typically copies an entire folder, including all its contents. Routine access is temporally irregular, with activity occurring in spurts and breaks, whereas copying proceeds continuously until complete. Routine access is randomly ordered, whereas copying follows a strict recursive descent. Finally, routine access may open a file without opening its parent folder, whereas copying will always open a parent and then its children.

/ Works In Theory, Fails in Practice
Excited with this theoretical breakthrough, I dashed off to my lab to do some experiments. Surprisingly, none of these emergent properties of copying showed up! Remembering Yogi Berra’s quip “In theory there’s no difference between theory and practice. In practice, there is,” I set out to determine why copying didn’t behave as I expected.

Copying vs. Routine Access Table



/ Experimenting with timestamps is tricky!
Modern operating systems are tuned for speed, using several tricks to speed up timestamp updates. For instance, they can cache a timestamp update in memory, writing it to disk later. If you examine the live system, it might report the value in memory, but if you pull the plug and image the disk, you’ll get the older timestamp. Experimenters should always do a full operating system shutdown and then pull timestamps directly from the disk. Also, systems vary in their timestamp precision: some systems may only be accurate to within 1 hour!

After research and reverse engineering, I hit a breakthrough: copying a file in Windows doesn’t update its access timestamp at all! Unlike Unix platforms, where the copy command works in userspace by opening a file, reading its data, and writing it to a new one, Windows provides a CopyFile() system primitive. The CopyFile() primitive doesn’t involve a user level read, and hence doesn’t update the timestamp at all. Was all lost? Was my method just another nice theory of no practical value, at least as far as Windows is concerned?

Fortunately, more digging managed to save the day. Although Windows doesn’t update a file’s timestamp when copying it, it does update a folder’s timestamp. CopyFile() can only be used to copy a single file at a time. To copy an entire folder, the copy command must open the folder, enumerate its contents, and copy each one individually. Enumerating a folder’s contents is done via a standard read. I reran my experiments, this time only plotting folders’ timestamps and not files. Voila! The emergent patterns appeared precisely.

Figure 2. Histograms



/ Saved by Stochastic Forensics
So far, I was tackling an easy problem, where I had the luxury of examining the computer immediately after the alleged copying may have occurred. Now it was time to tackle the hard problem, where weeks and months had passed since the time of copying. Timestamps are notoriously ephemeral: only the single most recent access time is preserved. The data in my case was used heavily every day, and I could be sure that it had been accessed hundreds of times since the alleged copying. Each subsequent access would overwrite the previous timestamps. Would any patterns of timestamps still remain?

Putting on my thinking cap, I made two observations. First, when a timestamp is overwritten, it’s not changed arbitrarily. Barring system malfunction or tampering, a timestamp’s value can only increase, never decrease. If a file is opened on July 3rd, it will never have a timestamp less than July 3rd, no matter how many times it’s subsequently opened. The second observation I made is that activity on a file system is not distributed uniformly. A few files get most of the activity, while most files are hardly touched. Farmer and Venema, in their landmark book Forensic Discovery [REF: Farmer], report that the vast majority of files on a typical server haven’t been opened even once in the last year. This pattern, with a few items getting lots of activity and most items getting very little, is surprisingly ubiquitous: researchers have found it in wealth distribution, word usage, and book sales [REF: Newman]. It’s known as a heavy tailed distribution.

Using these two observations, let’s imagine examining the engineer’s computer once again. This time, however, a month has elapsed since they copied the Project Aurora folder. We’ll find that all of the copied subfolders have timestamps greater than or equal to the time of copying; none have a timestamp less than the time of copying. Moreover, if the folder in question is large, we’ll find a lot of subfolders that haven’t been opened at all since the time of copying. These subfolders will have timestamps equal to the time of copying.

That is, copying a large folder creates what I call a cutoff cluster: a point in time which no subfolder has an access timestamp less than (hence a cutoff), and many subfolders have an access timestamp equal to (hence a cluster). To test this, I returned to my lab and built a simulator of a filesystem. I ran it for 300 simulated days, opening files and folders randomly according to the heavy tailed pattern reported by Farmer, Venema, and others [REF: Vogels; REF: Mitzenmacher]. At the end of 300 days, I plotted a histogram of the access timestamps, and saw the exact heavy tailed shape predicted (see Figure 2). I then ran the simulator again, this time instructing it to copy the folder on day 200. After that, the simulator continued opening files for another 100 days. When I plotted the results, I saw a beautiful cutoff cluster on the date of copying, sticking out like a sore thumb.

I then plotted my client’s actual data, taken from several different folders. Most of the folders showed a standard heavy tailed distribution. My mouth dropped, however, when I plotted one particular folder and saw a giant cutoff cluster. This folder was the very one that Roger was suspected of stealing. Only one other folder showed a cutoff cluster on a different date: this subsequently turned out to be due to authorized copying.

/ Think Like Sherlock, Not Aristotle
It would have been a grave mistake for me to have wrapped things up at that point and exclaimed “Roger did it!” The cutoff cluster was startling, especially considering that the other folders didn’t have any. But it was by no means proof that Roger stole the data. Perhaps it wasn’t even caused by copying, but by backup software or even grep -r.

/ Identifying Cutoff Clusters
Standard tools like Sleuth Kit and EnCase can extract a list of access timestamps, but eyeballing that list won’t catch a cutoff cluster. Instead, I train examiners to use a method I call “Filter & Plot.”

Step 1
Select several parent folders you wish to examine. You should include several control folders in addition to the folders you suspect may have been copied. For each parent folder, create a list of the access timestamps of all its child folders and files.

Step 2
Split each of these lists into two sublists, one of folders and one of files. For reasons explained in the article, timestamps of folders and files need to be analyzed separately. This is especially important on Windows.

Step 3
Remove entries from each list that a typical copy operation might skip. This includes hidden and system files, files whose names begin with a dot character, NTFS alternate data streams, and files that the copying user didn’t have privileges to open. Be creative here, because every case requires different filtering.

Step 4
For each list, plot an access timestamp histogram. The x axis should show dates, and the y axis should show the number of files or folders with access timestamps on that date.

Step 5
Typical folders will have a standard heavy tailed shape. However, if you find a folder with a large spike at one point, with minimal values prior to the spike, you’ve found a cutoff cluster! Finding a cutoff cluster doesn’t prove data exfiltration, of course. You now need to look for other possible causes, compare the plots of control folders, and most of all, zero in your investigation on the date of the cluster.

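To make the simulator experiment and the Filter & Plot steps concrete, here is an added Python example (my code, not the article's own simulator or any tool of the author's). It models heavy-tailed routine use of a constructed folder tree, injects one recursive copy on day 200 using the Windows behaviour described above (folder timestamps update, file timestamps do not), then runs Steps 2 to 5 and flags the cutoff cluster. The folder and file counts, the Zipf access weights, the 20%/2% detection thresholds and the dot-named metadata folders that the copy skips are all assumptions.

```python
"""Simulate heavy-tailed file access, inject one recursive copy, then run the
article's Filter & Plot steps to find the cutoff cluster (added example)."""
import random
from collections import Counter

# Constructed tree (assumption): 200 ordinary subfolders of 5 files each, plus
# 10 dot-named metadata folders that routine work never opens and a typical
# copy tool skips. Atimes are whole days; creation atimes lie in the year before day 0.
N_FOLDERS, FILES_PER_FOLDER, N_HIDDEN = 200, 5, 10
ROOT = "Project Aurora"


def is_hidden(path):
    return path.rsplit("/", 1)[-1].startswith(".")


def build_tree(rng):
    """Return ({path: atime}, set of folder paths)."""
    atime, folders = {}, set()
    for i in range(N_FOLDERS):
        folder = f"{ROOT}/sub{i:03d}"
        folders.add(folder)
        atime[folder] = rng.randrange(-365, 0)
        for j in range(FILES_PER_FOLDER):
            atime[f"{folder}/doc{j}.xls"] = rng.randrange(-365, 0)
    for i in range(N_HIDDEN):
        hidden = f"{ROOT}/.meta{i}"
        folders.add(hidden)
        atime[hidden] = rng.randrange(-365, 0)
    return atime, folders


def touch(atime, path, day):
    """An access timestamp only ever moves forward (the article's first observation)."""
    atime[path] = max(atime[path], day)


def routine_day(rng, atime, weights, day, opens=5):
    """Heavy-tailed routine use: folder i is chosen with Zipf weight 1/(i+1), then either
    enumerated (folder atime updates) or one of its files is opened, which only sometimes
    opens the parent (e.g. the file came from a recent-files list)."""
    for _ in range(opens):
        i = rng.choices(range(N_FOLDERS), weights=weights)[0]
        folder = f"{ROOT}/sub{i:03d}"
        if rng.random() < 0.3:
            touch(atime, folder, day)
        else:
            touch(atime, f"{folder}/doc{rng.randrange(FILES_PER_FOLDER)}.xls", day)
            if rng.random() < 0.5:
                touch(atime, folder, day)


def recursive_copy(atime, folders, day):
    """Windows folder copy as the article describes it: enumerating a folder updates its
    atime, CopyFile() leaves file atimes alone, and (assumption) dot-named entries are skipped."""
    for path in folders:
        if not is_hidden(path):
            touch(atime, path, day)


def simulate(seed, days=300, copy_day=None):
    """Run `days` of routine use, copying the whole tree on copy_day if given."""
    rng = random.Random(seed)
    atime, folders = build_tree(rng)
    weights = [1.0 / (i + 1) for i in range(N_FOLDERS)]
    for day in range(days):
        if day == copy_day:
            recursive_copy(atime, folders, day)
        routine_day(rng, atime, weights, day)
    return atime, folders


def filter_and_split(atime, folders):
    """Steps 2 and 3: split folder and file timestamps; drop entries a copy might skip."""
    kept = {p: t for p, t in atime.items() if not is_hidden(p)}
    return ([t for p, t in kept.items() if p in folders],
            [t for p, t in kept.items() if p not in folders])


def cutoff_cluster(timestamps, min_cluster=0.2, max_prior=0.02):
    """Steps 4 and 5: histogram by day; the busiest day is a cutoff cluster when it holds
    at least min_cluster of all entries (the cluster) and at most max_prior of them were
    last accessed before it (the cutoff). Returns (day, count) or None. Thresholds assumed."""
    if not timestamps:
        return None
    hist = Counter(timestamps)
    day, count = max(hist.items(), key=lambda kv: kv[1])
    prior = sum(1 for t in timestamps if t < day)
    n = len(timestamps)
    return (day, count) if count >= min_cluster * n and prior <= max_prior * n else None


def ascii_plot(timestamps, width=50):
    """Text stand-in for the histogram plot of Step 4."""
    hist = Counter(timestamps)
    peak = max(hist.values())
    for day in sorted(hist):
        print(f"day {day:4d} {'#' * (hist[day] * width // peak)}")


if __name__ == "__main__":
    for label, copy_day in (("control folder", None), ("suspect folder", 200)):
        atime, folders = simulate(seed=7, copy_day=copy_day)
        fold_ts, file_ts = filter_and_split(atime, folders)
        print(f"{label}: folders -> {cutoff_cluster(fold_ts)}, files -> {cutoff_cluster(file_ts)}")
        ascii_plot(fold_ts)
```

Run it and the folder histogram of the suspect tree shows the spike on day 200 with nothing before it, while the file histogram and the control tree keep their heavy-tailed shape; skipping the Step 3 filter lets the never-opened dot-folders sit before the cutoff and hide it.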


/ Q&A
Does a cutoff cluster prove that someone stole data?
No. Before drawing any conclusions, you should:
1. Check other folders to see if they also have cutoff clusters. If they don’t, the cutoff cluster demands investigation.
2. Experiment with system software in use on the computer, like backup software, antivirus, search and indexing. Likewise, check if recursive Unix tools like grep are in use. Determine if these might be the cause.
3. Most importantly, thoroughly investigate the time of the cluster. Something very unusual happened then, and it’s your job to find out what.

/ Forensics as a Deterrent
While we normally think of using forensics after the fact, I’ve had good results using it as a deterrent. When your employees know you can detect data theft, you can deter would-be thieves from even trying. A good deterrent requires teamwork between forensics professionals and human resources, legal, and managerial staff. Employees must be aware of the detection capability, and investigators must be alerted to the first signs of trouble. Surprisingly, it’s often the most effective way to solve tough security challenges.

I brainstormed other possible causes besides copying. Testing their backup software and antivirus, I found that running them didn’t update access timestamps. Neither did their search system. Grep would have, but there was no system with it installed, and no techies in the office who would know how to use it. Moreover, the cutoff cluster was very unique, occurring in only one other large folder known to have been copied legitimately. Eventually I became confident that the cluster was indeed caused by copying. But who did it? And why?

It’s for times like this that I have a sign in my office: “Think like Sherlock Holmes, not Aristotle.” Digital forensics investigators are, after all is said and done, investigators, and it’s investigation that’s called for. The cutoff cluster gave me a precise point in time. I investigated that time, using both digital means and good ol’ fashioned legwork. Who was in the building then? What were they doing? One clue led to another, and, like an old suit, once I had grabbed hold of one thread, many others soon unraveled.

/ Forensics is... useless
Pablo Picasso once remarked: “Computers are useless. They can only give you answers.” As I continued investigating, I eventually assembled strong evidence pointing to Roger. Yet I knew that answers alone wouldn’t help my client. Although I had been hired to investigate data theft, what my client really needed was to neutralize it. And it’s here where a good attorney (which my client thankfully had) becomes an invaluable partner.

My client’s attorney confronted Roger. He presented Roger small bits of specific evidence about his activities, demonstrating our ability to reconstruct them forensically. Yet he made sure to not reveal everything, keeping Roger in the dark about how much we knew. Avoiding an outright confrontation, he simply made sure Roger was scared and confused. With Roger worried, the attorney made it clear that if the data disappeared, Roger would be okay, but if it ever surfaced, they’d come after him with everything they have. With that job done, my client and Roger were able to settle their grievances, and the stolen data was never heard from again. /

REFERENCES
Carvey, Harlan. Windows Forensic Analysis DVD Toolkit. 2nd ed. Syngress Publishing; 2009. Carvey writes explicitly “I’ve received a number of questions... asking about data exfiltration... there are no apparent artifacts of this process... Artifacts of a copy operation... are not recorded in the Registry, or within the file system, as far as I and others have been able to determine.”
Farmer, Dan; Venema, Wietse. Forensic Discovery. Addison Wesley Professional; 2004.
Mitzenmacher, Michael. A Brief History of Generative Models for Power Law and Lognormal Distributions. Internet Mathematics, Vol. 1, No. 2 (2004), pp. 226-251.
Newman, M. E. J. Power laws, Pareto distributions and Zipf’s law. Contemporary Physics, Vol. 46, Iss. 5, 2007. This is the best detailed introduction to heavy tailed distributions I know of.
Vogels, Werner. 1999. File system usage in Windows NT 4.0. In SOSP ’99: Proceedings of the seventeenth ACM symposium on Operating systems principles. New York, NY, USA: ACM.

/ Author Bio
Jonathan Grier has been an independent security consultant for over a decade. He has conducted forensic investigations, performed security audits, trained programmers in secure application development, and advised clients on data security. Jonathan has consulted for clients in health care, telecommunications, construction, and professional services, and taught classes sponsored by the US Department of Defense Cyber Crime Center. He has forensically investigated employee dishonesty, network break-ins, data theft and industrial espionage. An active researcher, Jonathan has developed new methods used in forensics and application security. The FBI, Microsoft Press, the Journal of Digital Investigation, Symantec, and the US Department of Defense have all featured his work. Jonathan can be reached at jdgrier@grierforensics.com.

/ FEATURE

WPS INSECURITIES
& FALSE PROPHETS
There has been a lot of conversation throughout the start of this year among the security community about what WPS is and how it has provided hackers world wide with a simple and effective way to gain access to previously “secure” WiFi networks. Firstly we will be taking a closer look at the WPS technology itself, the protocols that make it up and what its fundamental issues mean for individuals and organisations alike. For those who are unfamiliar with WPS we begin with a brief introduction to the technology itself…
By Andy Swift

/ ADVANCED

WiFi Protected Set-up or WPS, as it is more commonly known, is a standard that was created in 2007 by the WiFi alliance. Their goal was simple: to provide secure and easy step-by-step router configuration for the average home user.

WiFi enabled routers are now of course rolled out by most ISPs as part of a standard Internet package; their popularity has effectively skyrocketed over the last few years to a point where WiFi enabled routers are now considered to be common place in the majority of households.

Unfortunately, beyond a basic understanding of such technology, the majority of home users are blissfully unaware (through no fault of their own) as to the inner workings of a WiFi router, let alone how to configure it correctly and securely. On many household routers the WPS feature leaves the factory enabled by default; it should be noted that to qualify for certification under the WiFi alliance, which in itself has become a major selling point for home WiFi routers, the feature must be present and enabled by default. It’s likely then that most home users will see WPS as an easy way to set their routers up in a secure fashion and also in many cases as a convenient way to quickly and securely add devices to their networks, usually via the touch of a button located on the front of the router.

It is interesting to read the original WPS specification from the WiFi alliance and to note in particular that security was never really the main goal of the project; what appears to have taken its place is a notable emphasis on providing a clean and user friendly experience when configuring a router.

Figure 1. Protocol Exchange

Figure 2. Protocol Exchange Key



/ WPS is a Good Idea!
So far, WPS would seem to be a great idea: an easy and effective way to configure and add devices to your home network that even the technically challenged would find a somewhat trivial task. However, one should note that when creating a system to simplify a complex task, more often than not "simple" is rarely the best practice or indeed secure.
Roll forward to December 2011 and a critical flaw was published regarding the way users authenticate to a WPS enabled WiFi router. The flaw was identified and reported by Stefan Viehböck, who noted that when accessing the WPS service a user only needs to enter the 8 digit PIN associated with the device (which is typically printed on the side of the router) to add devices to their network.
As many readers will have noted already, the implementation of this technology is somewhat baffling. For example, why are we encrypting everything on the network using proven and effective encryption technologies such as WPA or WPA2 with (presumably) super secure pre-shared keys when the network can in actual fact be accessed and devices added using a simple 8 digit PIN code?

/ WPS data
If you have a WPS router nearby you can indeed "sniff" the traffic using Wireshark and observe traffic patterns similar to the figure below. If you don't have a WPS enabled router (that is yours!) nearby to play with, there is a handy example file on the Wireshark wiki you can download and open: http://wiki.wireshark.org/SampleCaptures

/ Getting Down to the Maths
For those readers interested in the maths, an 8 digit PIN code in this case can be represented by 10^7 or, to put it bluntly, 10,000,000 possible digit combinations; the security conscious currently thinking 8 digits could be cracked in a bearable amount of time given enough processing power are in for a further treat.
As some of the better mathematicians among us may have spotted, there are 10^7 possibilities and not 10^8 as you might well expect given 8 digits. This is due to the fact that the last digit of the 8 is in actual fact not a random digit at all, but a checksum digit used for checking the correctness of the 7 previous digits, making this the easiest digit to predict as it will either be true or false; in fact, if we consider brute forcing the PIN code we would obviously assume this digit to be true 100% of the time.

/ That's Bad & It Does Get Worse
Worrying though this is, Viehböck went further in his investigation, informing us that the registrar (as shown below) actually submits the 8 digit PIN in two separate segments of 4 digits.
This of course means that now there are only around 10,000 possibilities for the first segment and, because one digit from the second segment is indeed a checksum, it rounds up to a nice total of only 11,000 possible combinations to crack the PIN code.
So why was this simple error ever made and accepted by so many reputable manufacturers? Also, why are only 4 digits checked at any one time? The answer becomes apparent when observing the protocol in use in Figure 1. The key to understanding the protocol in Figure 1 is shown in Figure 2.
As we can see, at no point in the entire exchange is the complete 8 digit PIN checked; in fact, we can see that starting at M4 the first half of the PIN is checked, and if this fails at any stage because the PIN is incorrect an EAP-NACK message is sent back to the client.
Theoretically then, one would simply have to look out for the emergence of the EAP-NACK message and note where it occurs in the sequence to work out whether they have successfully guessed the first half of the PIN.

/ Practical Brute Forcing
Of course, various tools have predictably surfaced over the last few months to exploit this issue (such as Reaver, developed by Tactical Network Solutions in Maryland) that will make short work of the WPS vulnerability by attempting every combination of the PIN in a brute force style attack, and most PINs can and will undoubtedly be cracked in around 2 to 4 hours using this rather crude but effective method.
Many suggestions have also been made by the security community that offline cracking may also be possible; by this of course I am talking about the practice of capturing wireless communications (in this case a WPS handshake) and decrypting the associated digits via brute force techniques offline, away from the original site. This method, while theoretically possible, could potentially be no more than a waste of time. To explain further, an attacker would have to wait for a legitimate WPS communication to occur; typically these are rare and, by design, users of the "push button to connect" style feature that is WPS will only ever use it once and perhaps not again for any number of months, if at all.
In short then, brute forcing the PIN code in a crude online way is indeed by far the less time consuming method, and could take as little as a few minutes to gain access to a "secure" network, and is indeed the most efficient, so: how hard can it be?

/ FEATURE

This question can probably be answered with a brief tutorial:

1. Get yourself a copy of Backtrack, freely available from http://www.backtrack-linux.org/
2. Get yourself a WPS enabled WiFi router. I have used a Linksys WR54GS for this feature, but for a larger list of vulnerable routers check the following publicly maintained document: https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c#gid=0
3. Once you're all set up, boot up Backtrack and create a monitoring interface on your wireless card by using the following command:

# airmon-ng start wlan0

Of course, replace wlan0 with your wireless card name; you can verify this has worked by typing in ifconfig and checking that you have a monitor mode interface called mon0 or similar.

4. Now that we have a monitoring interface to monitor wireless network traffic, we should be ready to run the following command and start the brute forcing process, where the "-b 00:01:02:03:04:05" part is to be replaced with the MAC address of your target wireless router:

# reaver -i mon0 -b 00:01:02:03:04:05

Once this process is started it is simply a matter of time; it could be minutes or hours before the correct PIN code is guessed in full.

So, what does this all mean to the unsuspecting home user? Well, put simply, any vaguely "secure" WiFi network (and by that I mean WPA or even WPA2) that has been configured with (or comes with) WPS will have unknowingly rendered the aforementioned secure encryption protocols irrelevant, as the network can now be accessed by breaking a simple 8 digit PIN number.

/ EAP-NACK Response
So what's an EAP-NACK Response? Put simply, in the terms of WPS it is the response packet sent back to any client that is requesting to join the network with an incorrect PIN code. After receiving this packet the client will then have to start the communication sequence again.
The big issue is that EAP-NACK responses can be sent twice within the standard communication sequence, firstly just after the M4 packet and secondly after the M6 packet, so armed with this information the following conclusions can be drawn:
• If the attacker receives an EAP-NACK message after sending the M4 packet, it becomes obvious that the 1st half of the PIN was incorrect and the next guess should be sent.
• If the attacker receives an EAP-NACK message after sending the M6 packet, then the 2nd half of the PIN can be seen as incorrect.

/ How Can We Fix It?
The flaws uncovered in the WPS protocol are quite illogical and there are a number of suggested fixes, some of which are entirely trivial; here are a few simple suggestions to get started:

• It has already been mentioned that at no point is the entire 8 digit PIN checked; if this was implemented after the M4 packet or thereabouts then the number of possible combinations for the PIN would be increased dramatically and the attack would become far more time consuming.
• A sensible lockout should be implemented (it should be noted this has been introduced in a number of routers but by no means the majority) where the attacker is locked out after 'x' attempts. Once again this will greatly delay (but not nullify) the attack.
• Disable WPS altogether. Abandoning this technology is a shame; after all, let's not forget the WiFi Alliance set out with the best of intentions. However, good ideas do not always result in good implementations, as is the case here.

The key factor in all of this would appear to be down to one thing: simplification for the everyday user. And what's more, this is by no means the first (or, I dare say, the last) time this type of error will be made.

/ Conclusion
As the world we live in becomes more complex, and specialist technologies work their way into everyday life (WiFi, RFID banking cards, satellites etc.), there's a need for the technologies to become accessible and usable to all. Unfortunately there is one key word missing here, and that is "understood"; as long as this key word is missing from the equation, technologies like WPS, or similar in principle to WPS, will always crop up from time to time in an attempt to make our lives easier, but not help us understand how they work or should be configured. A key fact to keep in mind is that when making complex things easier to use, there will always be an element of risk involved, be it from the user or from the technology itself, as in this case.
It would therefore seem that WPS is somewhat of a false prophet in many respects. Some may be tempted to argue that in some ways users would be better off learning how to secure their WiFi networks for themselves, but understanding these technologies and how to configure them correctly takes time and considerable effort for a complete novice. However, perhaps the core fact here is that technologies such as WPA/WPA2 are complex for a reason: they are hard to break, unlike a simple 8 digit PIN code. /

/ Author Bio
Having studied Forensic Computing at DeMontfort University, and undertaken subsequent training with the Tiger/Check schemes, Andy is currently working as a Penetration Tester with Convergent Network Solutions in London, providing security consultancy to a variety of high profile clients and specialising in Network Security, Website Applications and Social Engineering.
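As an added example for the feature above (it is not code from the article, from Stefan Viehböck's advisory or from the Reaver project), the following Python puts numbers on the "Getting Down to the Maths" and "How Can We Fix It?" sections from the access point's side: it implements the checksum rule the WPS specification uses for the eighth PIN digit, records the 10^7 versus 11,000 search spaces the article derives, estimates the wall-clock cost of the online attack with and without the lockout the article recommends, and flags a client producing a burst of EAP-NACK failures in an access-point log. The log format, client addresses, thresholds and timings are constructed assumptions, not any vendor's real output.

```python
"""WPS PIN checksum, effective search space and EAP-NACK failure detection.

Added example for the WPS feature; not code from the article, from
Viehboeck's advisory or from Reaver.  The checksum rule is the one the WPS
specification defines (weights 3,1,3,1,3,1,3 over the first seven digits).
The log lines, client addresses and thresholds are constructed for
illustration and do not model a particular access point.
"""
from collections import defaultdict, deque
import re

# Search spaces the article derives: the eighth digit is a checksum, and the
# registrar judges four digits at M4 and the remaining three (plus checksum)
# at M6, so an attacker never has to search the full 8-digit space.
FULL_PIN_SPACE = 10 ** 7
SPLIT_PIN_SPACE = 10 ** 4 + 10 ** 3


def wps_checksum(body: str) -> int:
    """Checksum digit the WPS spec appends to a 7-digit PIN body."""
    if len(body) != 7 or not body.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(body))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def hours_to_exhaust(attempts: int, seconds_per_attempt: float,
                     lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Worst-case hours for `attempts` guesses against a registrar.

    Without a lockout the cost is linear in the attempt count.  A lockout that
    pauses the registrar for `lockout_seconds` after every `lockout_after`
    failures adds one pause per block of failures, which is why the article
    says a lockout greatly delays but does not nullify the attack.
    """
    seconds = attempts * seconds_per_attempt
    if lockout_after > 0:
        seconds += (attempts // lockout_after) * lockout_seconds
    return seconds / 3600.0


# Constructed syslog-style lines standing in for what an access point might
# record per WPS PIN exchange; M4-NACK and M6-NACK mark the two failure points.
SAMPLE_LOG = """\
t=0   wps client=aa:bb:cc:dd:ee:01 result=M4-NACK
t=1   wps client=aa:bb:cc:dd:ee:01 result=M4-NACK
t=2   wps client=aa:bb:cc:dd:ee:01 result=M4-NACK
t=3   wps client=aa:bb:cc:dd:ee:01 result=M4-NACK
t=4   wps client=aa:bb:cc:dd:ee:01 result=M4-NACK
t=5   wps client=aa:bb:cc:dd:ee:01 result=M6-NACK
t=7   wps client=aa:bb:cc:dd:ee:02 result=M4-NACK
t=900 wps client=aa:bb:cc:dd:ee:02 result=OK
"""

LOG_RE = re.compile(r"t=(\d+)\s+wps client=([0-9a-f:]{17}) result=(\S+)")


def flag_pin_bruteforce(log_text: str, threshold: int = 5, window: int = 60) -> dict:
    """Return {client: time_first_flagged} for clients that accumulate
    `threshold` or more NACKs within any `window` seconds.  A push-button
    user mistypes once or twice; a sustained NACK stream is the online attack."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t, client, result = int(m.group(1)), m.group(2), m.group(3)
        if not result.endswith("NACK"):
            continue
        q = recent[client]
        q.append(t)
        while q and t - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = t
    return flagged


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("split-check worst case:", SPLIT_PIN_SPACE, "vs full:", FULL_PIN_SPACE)
    print("hours, no lockout   :", round(hours_to_exhaust(SPLIT_PIN_SPACE, 1.0), 1))
    print("hours, 3 fails/60 s :", round(hours_to_exhaust(SPLIT_PIN_SPACE, 1.0, 3, 60), 1))
    print("flagged clients:", flag_pin_bruteforce(SAMPLE_LOG))
```

The one-second-per-attempt figure and the three-failures-then-sixty-seconds lockout are illustrative inputs; plug in the timings observed on your own router to see how far a given lockout policy pushes the worst case out, and tune the detector's threshold against how often legitimate push-button setups fail on your network before alerting on it.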


DF11_25_Ad.indd 25 15/04/2012 17:30
/ LETTERS

360°
Your chance to have your say…

Here at Digital Forensics Magazine we welcome feedback and are using email and social media to allow you to let us know your thoughts, along with providing interesting news stories or links to technical articles that will be useful to investigators. The following is just some of the activity from the social media facilities. Send your letters and feedback to: 360@digitalforensicsmagazine.com

/ LinkedIn, Twitter & DFM Blog
The membership of LinkedIn and the followers of @DFMag on Twitter continue to grow, as do the discussions and problem solving that are going on; we are encouraging the posting of jobs and that the members make use of the promotions facility.

Letters & Emails

(ISC)2 CPE Points
Hi DFM, I'm just writing to enquire about CPE points for (ISC)2. On the 2nd February I renewed my annual subscription to DFM and included my CISSP number. I know it may take a few weeks for the points to show up, but I would have thought that they should have been there by now.
Craig Jones

Hello Craig, thanks for your email. When we received your note we realised that this was not the first time this subject had been raised and thought it was about time that we explained the process that we are required to run and what is required of those who are applying for the CPE Points as a result of subscribing to Digital Forensics Magazine.
Digital Forensics Magazine is listed as an "(ISC)2 CPE Submitter" and as part of the submitter agreement we are required to submit the following so that the subscriber can be allocated their CPE points:

• (ISC)2 Member Identification Number
• Last Name
• First Name
• Number of CPE points claimed.

Since the original agreement, (ISC)2 have placed additional requirements on Digital Forensics Magazine and their subscribers who wish to claim their CPE points.
(ISC)2 now requires its members to validate their learning experience in order for them to be awarded five (5) CPE hours for subscribing to (ISC)2-approved magazines such as Digital Forensics Magazine. Validation can be conducted either by providing a short quiz on the topics covered by the magazine or by the member writing a brief summary of not more than 150 words.
If the member takes and passes a quiz, we at Digital Forensics Magazine will submit five (5) CPE hours to (ISC)2 on the member's behalf. However, if the member writes the brief summary, he/she has to upload it to the (ISC)2 website and claim the CPE hours. Like any other CPE hours, members will be required to provide the necessary documentation or information regarding this particular CPE claim when audited.
In order to support this we will be creating a download section in the members only section of the website. There we will be placing the latest information from (ISC)2 along with notes on the process and the questionnaires that will be created for each issue.
I hope that this has clarified the situation not only for Craig but for all of you who are members of (ISC)2 who subscribe to Digital Forensics Magazine. We would encourage anyone who has any questions regarding the process to get in contact via 360 so that we can ensure the information we are providing is meeting the needs of subscribers.

If you think you can contribute in any way to the magazine or to any of the discussions taking place via social media, please make sure that you join the groups and follow us as appropriate.


/ LEGAL EDITORIAL

LEGAL EDITORIAL
Apple's trademark kerfuffle with Proview intensifies…
by Scott C Zimmerman

In the previous issue of this illustrious magazine, the Legal News section included a titbit about a Chinese company called Proview International that was pursuing litigation against Apple Computer for alleged trademark infringement. At the time it seemed like an unusual twist on the sort of intellectual property suits taking place elsewhere in industry, but the story has become rather more complicated since then. To refresh the reader's memory:
"…Proview International sold what they described as the "global trademark" for IPAD to Apple in 2006. However, for reasons not entirely clear, the firm has claimed that the "global" portion of that description does not actually include China."
More information has come to light recently, though one may argue for or against it providing much additional clarity. Part of the issue stems from the naming disparity between two countries: mainland China is properly called "the People's Republic of China", or PRC. Taiwan, on the other hand, is properly called "the Republic of China", or ROC. We shall not be discussing the friction this nomenclature continues to cause between the two countries, but it is a salient point for one specific reason: Proview International has offices in both China and Taiwan. Apparently the primary issue is that the Taiwan branch of Proview sold the "worldwide rights" to the IPAD trademark to Apple, and the China office of Proview is arguing that the Taiwan branch did not have the right to do so. As a result, Proview-China has claimed that the agreement inked between Apple and Proview-Taiwan is neither valid nor enforceable in China.
In their recent complaints, Proview-China has claimed that they own the rights to the product name "IPAD", since they had created a product with that name in the year 2000. They further claimed that Apple should be barred from selling the new iPad 3s in China until the trademark issues were resolved. Naturally this set a rather contentious tone for future talks: Apple is keen to sell a great many iPad 3s in China, and a blanket restriction on them doing so would put a noticeable crimp in their China operations. In this observer's opinion, it appears that Proview-China believes they have Apple over the proverbial barrel and will be able to extract money from them as a result.
I was careful in the last sentence to use 'extract' rather than 'extort', but one might make a case either way. It seems a bit telling that Proview-China waited until the imminent release of the iPad 3 to make this particular set of statements. The Shenzhen (Guangdong Province) branch of Proview sent an open letter to a variety of resellers, encouraging them to stop selling Apple products. Specifically, the letter said "Anybody who continues to [sell Apple kit] will be seen as intentionally infringing rights and the company will adopt the most severe measures by taking legal action". Well, there you go.
The situation is unlikely to improve in the near future. In February 2012, Proview-China and Proview-Taiwan filed a joint suit in Santa Clara, California against Apple, this time alleging that Apple had created a shadow company simply and solely for the purpose of buying the IPAD trademark. This alleged company was called "IP Application Development": by naming the company thus, it appears the goal was to present an easily-explainable reason why another firm would want to buy the rights to the name of a long-defunct product. The Proviews, however, allege that the purported buyers did so "with the intent to defraud and induce the plaintiffs to enter into the agreement". This appears to mean "If we had known Apple were behind it, we would have held out for more money".
While I am completely in favour of trademark owners legitimately defending their intellectual property, the Proview-China litigation efforts seem to be only a cash grab by a company in grave health.
I hope you enjoy the Legal Section and I would love to hear your thoughts and comments via 360. /


/ LEGAL FEATURE

CHINA'S LAWS
An overview of China's evidentiary requirements.
by Scott Zimmerman

/ INTERMEDIATE

Astute readers of DFM may already have noticed the overall global feel to issue 11; this is no accident. While we have covered UK and US law in past issues of the magazine, the fact remains that – not surprisingly – the laws in those two countries are rather more similar than they are different. The two systems' shared heritage is the basis for the similarities, rather like the similarities between domesticated dogs and wolves. However, the time has come to look at a legal system that is not deeply rooted in English Common Law: we're going to take a look at evidentiary requirements under the legal system in the People's Republic of China, or PRC.

/ CIVIL PROCEDURE LAW IN THE PEOPLE'S REPUBLIC OF CHINA
Since this publication is devoted to coverage of digital forensics, one of the chief areas of concern vis-à-vis law is the rules that govern the acquisition, handling, admission, and verification of evidence. In the PRC, the matter of evidence is described in a document titled "General Principles of the Civil Law of the People's Republic of China"; it is available in full at http://shhsfy.gov.cn, which is the web site of the Shanghai International Platform for Maritime Legal Information. Oddly enough, the entire document is only twenty-four pages long – fairly short for a description of a system of civil procedure; however, we will be focusing only on Chapter 6 – Evidence. The Principles document is broken down into individual articles that describe particular concepts. The numbering system isn't tied to the chapter boundaries, so Chapter 6 does not start on e.g. Article 60.

Article 63 Evidence shall be classified as follows:
1. documentary evidence;
2. physical evidence;
3. audio and visual material;
4. testimony of witnesses;
5. statements of involving parties;
6. conclusions of expert witnesses; and
7. transcripts of inspection and examination.
Any of the above-mentioned evidence must be verified before it can be taken as a basis for finding a fact.

It is clear that the list is designed to include all manner of evidence, from the traditional eyewitness report to business records to items seized or recovered at a crime scene. Unlike the UK and US counterparts, there is no specific calling out of computer evidence. However, one might make the case that such evidence could fall into one or more categories, such as "documentary evidence" for a recovered financial spreadsheet or "conclusions of expert witnesses" where a forensic examiner documented his or her process for recovering deleted files and the results thereof. In this way, the categories can cover a broad range of topics without going into excessive detail.

Article 64 A party shall have the responsibility to provide evidence in support of its own propositions. For the evidence that cannot be obtained by any parties or their litigation representatives because of some realistic reasons or for the evidence that the people's court considers necessary for adjudicating the case, the people's court shall investigate and collect such evidence.

As in other legal systems, those wishing to bring a particular case must have evidence to hand to bolster the claim(s) that they wish to make. The second part of the article seems to indicate that if a party cannot bring evidence due to a "realistic" reason, the government, i.e. the People's Court, reserves the option to perform its own investigation and gather the evidence it feels is necessary to be able to make an informed and correct decision. An example of this might be an individual who does not wish to deliver any sort of testimony or other sort of information as part of the proceedings. In this case, the government may be able to compel the individual to provide a statement, to hand over evidence, or to perform some other action which will permit the work of the Court to proceed unimpeded.
If Article 64 were not plain enough, Article 65 makes the point very clearly indeed:

Article 65 The people's court shall have the authority to obtain evidence from any relevant units or individuals, and such units or individuals may not refuse to provide evidence. The people's court shall verify and determine the validity of documentary evidence provided by relevant units or individuals.

The second portion of Article 65 is quite interesting: if the Court takes the matter upon itself to collect and make use of documentary evidence, the Court itself will be responsible for verifying the validity – here, meaning the usefulness and relevance to the court proceedings – of such evidence. One can also reasonably expect that the validation will extend to establishing and verifying the provenance of such items as well.


It is important to note that only documentary evidence is addressed in Article 65. If the reader refers to Article 63, he will be reminded that there are several other types of evidence that are not included, e.g. physical evidence. It is in these cases that the individuals, be they police officers, expert witnesses, or transcribers, are responsible for attesting to the veracity and relevance of the evidence they provide. Only when the Court gathers its own evidence will it be responsible for the validation.

Article 66 Evidence shall be presented in the court and cross-examined by parties, however, evidence that involves state secrets, trade secrets, or individual privacy shall not be presented in an open court session.

This line item is similar to those in the statutes of the US and the UK. Cross-examination and questioning is permitted and generally expected of and from both sides. Matters that may be considered classified (e.g. Top Secret) in a particular jurisdiction may be handled somewhat differently. An example here would be holding the court's proceedings in a secured area that is accredited for the storage of such information, while ensuring the individuals involved are cleared to view such information; this will prevent the need to reveal state secrets in court.
The "trade secrets" clause is interesting, since there are currently so many Intellectual Property-related actions underway around the world. From the wording one may infer that the trade secrets would not be exposed in open court unless the detail of such information formed the basis of the case at hand – and then, the inclusion of such information would likely be kept to the minimum required to establish, refute, and/or evaluate the validity of the claims being brought.
We shall skip Article 67, which indicates that documents that are notarized according to the correct procedure will be accepted by the court, and will instead move to Article 68.


/ LEGAL FEATURE

Article 68 Any document submitted as evidence shall be by extension the protection of the integrity of said evidence.
the original one. Physical evidence shall also be original. Fortunately there is one more item for us to cover.
If it is truly difficult to present the original document or
physical evidence, then duplications, photographs, copies, Article 74 Under circumstances where there is a likely-hood
or extracts of the original evidence may be admitted. that evidence may be destroyed, lost or too difficult to obtain
later on, any litigation participants may apply to the people’s
Any digital forensics examiners in the audience may be court for the preservation of the evidence. The people’s court
scratching their heads at the first sentence in this article. Fear may also take initiative to preserve such evidence.
not – please do continue to parse the item and pay particular
attention to the “truly difficult” clause. In the realm of computer It will probably be clear to many readers that this article is
forensics, an examiner may make a very compelling case that very light on details. There are no prescriptive directions, only
presenting the original evidence would be “truly difficult” and a very broad and descriptive bit of guidance. However, even
the bar would have been met for the submission of duplicates, this rather vague wording can be applied effectively to the
photos, or other copies. Incidentally, this item bears a striking process of digital forensics.
resemblance to Article 1003 of the US Federal Rules of Evidence. Many, if not all, of the evidentiary requirements developed
However, Article 68 goes on to state the following: under English Common Law systems deal more precisely with
the collection, handling, and maintenance of evidence to ensure
If a document in a foreign language is submitted as its integrity is unimpeachable. The reason for this is obvious: if
evidence, a Chinese translation shall be appended. the evidence cannot be shown to be exactly as it was when it
was collected, and if it cannot be shown to be collected properly,
This may prove to be a rather weighty requirement. So then the evidence; no matter how useful it potentially might
much of the content of a given document, e.g. a contract, be to a case, will be of greatly diminished import during court
may depend on particularly nuanced words, and such proceedings. Worse still, the evidence may not be admissible at
detail may be quite literally lost in translation. However, the all in such an event. The PRC statute we see here basically says
wording of this item seems to leave the door open for expert that if there is a good chance the evidence could be damaged,
witnesses on both sides to examine the originals as well as lost, or stolen between collection and trial, it can be handed over
the translations, and then come to an agreement on content. to the People’s Court for safekeeping. In other words, both parties
It is possibly a bit telling that the global nature of incidents can transfer their evidence to the court, and the court will assume
and investigations is more apparent in China than it is in either responsibility for maintaining the integrity of the evidence. In a
the UK or the US: neither of the Anglocentric statutes calls out computer forensics case, the court would need to ensure that the
translations as explicitly as the PRC statutes do. The next few rules are straightforward and will not benefit significantly from additional exposition, so let us move on to Article 73.

Article 73 When inspecting or examining physical evidence on site, the inspector must show his credentials issued by a people’s court. The inspector and examiner shall prepare a written record for the circumstances and results of the inspection or examination. The inspector, examiner, the party concerned and the invited participants shall affix their signatures or seals to the record.

Article 73 seems to indicate that search and seizure of physical items at a “site”, presumably a crime scene, must be conducted by a qualified individual who has already been accredited by the Chinese government. This is in noticeable contrast to the US and UK rules of evidence, which state that evidence must be handled appropriately, must be documented, and so forth, but do not state that the individual handling the evidence must be authorized by the government to do so. One might reasonably infer that this is a cultural difference, or one might also infer that the PRC statute [as written] assumes the individual collecting the evidence would be a police officer or similar.

Those reading this article may have noticed the conspicuous lack of a certain topic thus far; handling of evidence itself, and

hard drives and other media were stored appropriately, that they were not used or powered up, etc. The court also reserves the option, as it might do during a high-profile case, to order the evidence transferred from both parties into the Court’s care.

/ CONCLUSION
Readers who recall the descriptions of the US and UK evidentiary rules in previous DFM issues will likely be somewhat surprised by the approach taken by the PRC. It is important to note that the statute covered here was ratified on 01 January 1987, ages ago in the technology world. Your author spoke at a digital evidence conference in 2009, and there was a group from the PRC in attendance. If memory serves, there was an effort underway at the time to translate a much newer version of China’s rules of evidence into English, but it is not clear whether this was ever published. If and when it becomes available, you may be able to read about it here. /

/ Author Bio
Scott C. Zimmerman, CISSP has been an Information Security consultant, presenter, and trusted advisor since 1995. He has been researching legal issues in computer forensics part-time for nearly ten years, and is working to bridge the gap between law and technology in this area.



/ LEGAL NEWS ALERT

LEGAL NEWS ALERT


Apple settles with iPhone 4 customers over antenna issues
When the iPhone 4 was released, quite a few customers noticed immediately that call quality and functionality depended greatly on how the user gripped the device. Holding the phone one way resulted in normal service; holding it a different way resulted in poor performance. This behaviour was traced to the layout of the internal antennas installed in the iPhone: when the user held the case a certain way, the internal antennas could come into contact with one another – i.e. become “bridged” – which greatly reduced the wireless performance.

Apple’s first response to the slew of customer calls was to say essentially “You’re holding it wrong”. As one might expect, this was not the answer the callers wanted to hear, and Apple took an unusually strong public relations hit. To make up for the incorrect answer to the questions, Apple agreed to provide iPhone 4 owners with gratis protective Bumper cases; these cases would prevent the user from accidentally bridging the antennas.

Now Apple have agreed to another form of recompense: users who did not accept the Bumper case will be eligible for a $15US settlement as a result of a class action suit brought against the firm. Users who wish to become part of the settlement group can go to https://www.iphone4settlement.com for more information. Please note that Apple does not operate the web site, though it does contain some links to Apple offerings (e.g. technical support). Conversely, users who would prefer to receive the Bumper case may still do so.

/ Yahoo! Sues Facebook for copyright infringement
In March of 2012, Yahoo! brought a copyright infringement suit against Facebook, alleging that operators of the social networking site had committed ten different infractions in the area of “methods and systems for advertising on the Web”. The suit was filed in the Federal court in San Jose, California (near Silicon Valley). According to the allegations, Facebook had not been receiving good financial results from their advertising efforts; the suit further alleges that Facebook appropriated Yahoo! advertising methods without licence or recompense, and that they [Facebook] are now making money through advertising by improperly using Yahoo!’s intellectual property.

Warner Brothers vs Hotfile vs the Electronic Frontier Foundation
In 2011, Warner Brothers Entertainment sued Anton Titov, owner and operator of the file-sharing site called Hotfile, for copyright infringement for making Warner Brothers material available for download; the entertainment firm insisted that all copyrighted material be removed from Hotfile’s systems. Mr. Titov then countersued Warner Brothers for requesting takedown of materials for which Warner Brothers did not own the copyright. Under the Digital Millennium Copyright Act (DMCA), copyright holders may only request actions be taken against their own property; in other words, for example, Sony Music would not be permitted to request action regarding the property of the Miramax movie studio since they (Sony) do not hold copyright on that material.

The Electronic Frontier Foundation (EFF) filed an “amicus curiae” brief with the United States District Court in Miami, Florida to lend its support to Mr. Titov. An amicus curiae, or simply amicus brief, as they are often called, allows a party not actively involved in a given legal action to express its opinion and to provide support to the party with which it is in agreement. Amicus curiae is generally translated as “friend of the court”; one might liken the idea to that of a character witness.

In their brief, the EFF stated that they objected to the process that Warner Brothers used to identify alleged copyright infringement. They indicated that Warner Brothers used a completely automated process that checked only the file names when attempting to identify the content; the EFF points out that the process apparently had no human oversight, and as a result the findings were wildly inaccurate. In the words of the EFF: “Warner claims that these were simple “mistakes,” and that it cannot be held accountable for its misrepresentations because, in essence, its system design does not allow for a deliberate lie. Warner gets it exactly backwards: the problem is that it does not appear that its system could have provided a sufficient basis for Warner to form the requisite good faith belief.”



/ MEET THE PROFESSIONALS

MEET THE DF
PROFESSIONALS
Jim Swauger
Interviewer: Roy Isbell

I was intrigued by the article submission we received regarding Chip Off Forensics and wanted to find out more about the person who was actively doing this work. So I decided to interview the author and to find out some more about Jim Swauger and his work.

/ Interviewee Bio
Jim currently lives in Lebanon, Ohio, a small, historic town central to the metropolises of Columbus, Cincinnati and Dayton, Ohio with his wife and son. He is an avid sports fan and outdoorsman, and enjoys cheering his alma mater University of Cincinnati Bearcats at both football and basketball games. Cooking and reading are a personal retreat, which is unfortunately declining as the world of digital forensics continues to creep into that time!

/ Professional Background
Jim started in the digital forensics field back in 1997 working for the Ohio Attorney General’s office with the Ohio Bureau of Criminal Investigation Computer Crimes Unit. While there, he assisted local, state, and federal law enforcement agencies with the investigation and prosecution of felony cases involving advanced technologies. After 8+ years of public sector work, he spent 3 years as the lead technical security investigator for a top-10 U.S. financial institution. Deciding to embrace his entrepreneurial side, Jim began his current position full-time as a partner with Binary Intelligence, LLC. To quote Jim: “The sum of my experience to date has allowed me to gain a great deal of experience and knowledge in both the public and private sectors, which has been vital in my current role”. With Binary Intelligence, Jim provides both consultation and expert witness services related to digital forensics, high-tech investigations and electronic discovery. He has worked with a diverse client base that includes individuals, attorneys, HR professionals and Fortune 500 companies.

Over the course of his career Jim has acquired several certifications including Computer Forensics Certified Examiner (CFCE); CISSP; Digital Forensics Certified Practitioner (DFCP); EnCase Certified Examiner (EnCE). Jim is also a licensed professional investigator in the State of Ohio.

What got you into the world of Digital Forensics?
I grew up in the 80s during the personal computer renaissance age and, thanks to a Commodore 64, really developed a strong interest in computer technology. That interest, coupled with the fact that I come from a family of law enforcement officers, led me to seek a career involving both the justice system and computers. Shortly after graduating from college, the Ohio Attorney General established one of the first U.S. state computer crime units. Although computer forensic degrees did not yet exist back then, I was fortunate to have the right mix of education, aptitude and luck of being in the “right place at the right time” which allowed me to start my career in digital forensics as an original hire to this new unit. Since then, my interest and excitement for the profession has only grown stronger as technology evolves.

What is the size of your company and what aspects of digital forensics are you investigating?
We are currently very small with two partners and three associates who contribute to our cases. Although we have been in business since 2000, most of our growth has occurred during the last three years as we have seen a significant increase in requests involving cellular phones and other mobile devices. So far this year, we are seeing a pretty even split between computers and mobile devices cellular phones. We work all types of cases including civil and criminal engagements, employment investigations and private or domestic matters.

How did you get into the field of Chip Off Forensics?
Several years of frustration, disappointment and aggravation of not being able to extract deleted data from many cell phone models started me down the chip-off path. I was exasperated with commercial tools, flasher boxes and service software utilities; in most cases the recovered data was very limited and, even when successful, I found the methods to be convoluted and inconsistent. In 2009 while working a civil case I became particularly disturbed after I accidentally “bricked” a client phone as I was trying to download the flash data with a service utility. That situation motivated me to really begin thinking about chip-offs as a potential panacea that might allow for the consistent extraction of almost any device. I started researching tools and techniques but really couldn’t find any material of note regarding chip-offs. Things did not progress much past the initial exploration stage until several months later when I received a call from a prosecutor who needed to extract text messages from a physically broken cell phone. The phone could not be repaired and, given the importance of the data,



I did not want to simply give up. So, I decided to go ahead and purchase some basic tools and experiment on a bunch of like-model phones purchased from eBay. Even though I never got a perfect full read of all of the flash memory from that particular phone, I was able to read a large percentage of the data and recover hundreds of text messages that were critical to the case. My work on that case is what really convinced me that chip-offs were something I wanted to become more aggressively involved in.

How did you research Chip Off Forensics and what problems did you encounter?
Initially, I set up a makeshift basement lab and spent many nights removing chips and trying to read them using a universal programmer. I had some basic electronic skills and was comfortable with a soldering iron but it didn’t take long to figure out that cleanly pulling BGA chips was going to take more expensive equipment, plenty of patience and lots of practice. Many of the first chips I worked on were damaged during removal; some had obvious damage such as the pads coming off the chips whereas others appeared fine but had internal problems. I also found out that the chips needed to be re-balled before the programmer could make a reliable connection.

Re-balling was something that I struggled with for some time until I eventually met and started working with a rework technician. Things really began to take off once I had access to the proper equipment and a skilled technician to partner with. Together we spent many days over many months testing various techniques to reliably remove and clean the chips. We are still constantly refining techniques, and I consider every case an opportunity to further research analysis methods. Right now we are focusing our testing on different Blackberry models and are really encouraged by the amount of deleted data we are recovering.

How widespread do you think this aspect of Digital Forensics is globally?
Currently, I think it is rather limited. If you search the Internet you’ll find that there are only a handful of commercial labs that actually advertise chip-off services. I know there are a few government and law enforcement labs that perform chip-offs but they are generally not widely publicized. However, I do believe that the level of awareness about chip-offs and their potential is increasing.

What do you see as the future for this work/research?
I see lots of opportunity for training and tools. In addition to the actual chip extraction process, there is a definite need for resources to support the actual data analysis. I think we will see training focusing on how flash memory works, particulars of various device file systems and interpretation of the many operating system and application data structures. I also think forensic tool vendors will increase R&D in the area of flash memory analysis so, whether the data is acquired by chip-off or other means, investigators will have access to more examination tools.

What do you see as some of the challenges facing digital forensics in the future?
Generally speaking for all types of devices and storage media, I anticipate increased use of effective encryption and data sanitization technologies. I also think more and more stored data will be pushed out into the cloud where it can be difficult to obtain access to.

How do you think we can overcome some of these challenges?
Hopefully some of the more brilliant researchers will be able to continue to identify implementation weaknesses that will overcome some of the encryption challenges. I’m not sure what the answer is in regards to getting access to data stored in the cloud, but it seems providers are increasingly reluctant to produce data. Perhaps not so much in response to law enforcement but, in the civil arena, we have found that many providers refuse to produce records when served with a civil court order. I suspect this issue will need to be resolved with litigation or legislation.

Do you think that Chip Off Forensics will become mainstream or remain a specialist field?
A little of both. I believe that as word spreads about successful chip-off cases and, as we run into more devices using flash memory, more forensic investigators will recognize that chip-offs are a feasible option when other methods fall short. In this regard I see the practice becoming mainstream with investigators increasingly seeking out the assistance of chip-off specialists to help extract the raw data. I do not see a rush of labs looking to bring chip-off capabilities in-house; at least not in the near future. Given the small percentage of cases where a chip-off is warranted, many labs would not process enough devices to get a reasonable return on investment. I believe we will eventually see several specialized government and commercial labs performing the basic chip-off extraction services in which they handle the chip removal, read the chip and then provide the raw data back to the submitting agency for analysis. /

My thanks to Jim for his time. If you would like to find out more about Chip-Off Forensics you can go to the website at http://www.binaryintel.com

/ FEATURE

CHINESE CELL PHONES & DIGITAL FORENSICS
In this article, we explain why investigators need to understand the macro trends in
the cell phone industry driving the incorporation of more Chinese chipsets in phones
and the challenges that they present to examiners. We also lift the lid on Tarantula,
a new analysis system developed to analyze problematic Chinese “white box” cell
phones and, increasingly, the legitimate branded phones based on Chinese chipsets.
by Kevin J North

/ INTERMEDIATE

Hercules had to defeat a hydra as one of his 12 labours. It was a monster with 9 heads, and if Hercules smashed one head, two more would take its place. For mobile forensic investigators, Hercules’ hydra takes the form of Chinese cell phones. More specifically, knock-off phones, known internationally as “white-box” or “clone-phones” and “Shanzhai” (pirated goods) in China, have taken world markets by storm. In 2011, over 800 million cellular mobile devices in close to 40,000 models were manufactured in China. Approximately half of those were exported to world markets, comprising more than 30% of the global cell phone market.

/ Simple Beginnings
Chinese cell phones came into existence as a result of China’s unparalleled manufacturing base fuelled by abundant, low-cost labour, a flood of international investment, a robust supply chain, and the world’s largest market. In southern China, manufacturing plants dominate the landscape and the city of Shenzhen is the epicentre of the cell phone industry. More specifically, Shenzhen’s North Huangqiang Street is China’s major hub for mobile phone commerce.

In the early 2000s, a Taiwanese integrated circuit (IC) manufacturer, MediaTek, launched an innovative business



strategy in China, offering hardware packages called “systems on a chip” (SoC) for wireless communication devices. This development opened the door for small, entrepreneurial teams with as few as 4 people to design and contract-manufacture cell phones.

Entrepreneurs, both legitimate and illegitimate, leveraged these hardware packages and the manufacturing environment to rapidly produce even relatively small runs of phone designs. Hundreds of small companies known as independent design houses (IDH) in Shenzhen alone churn out white box phones with a dazzling array of features; many useful, some highly creative, and others entirely fake. The fastest producers can get from idea to market in less than 30 days compared to months or years for larger international cell phone companies. With near unlimited demand domestically and a foreign market hungry to participate in the digital revolution but often unable to buy expensive branded phones, China has become a world leader in mobile phone production, rivalling even their more established western counterparts.

While not produced with quality in mind, white box technology is attaining a level of complexity that is nearly state of the art. Knock-off makers follow industry trends to take advantage of the accomplishments of legitimate technology developers. White-box devices have advanced rapidly from simple feature phones to include the same high end features found on popular international brands, and now smart phones.

High-end clones can be visually nearly indistinguishable from the legitimate phones that they mimic, including popular iPhone and Blackberry handset models. In many cases the knock-offs use components from the same sub-suppliers as the legitimate manufacturer. White box phones often adopt famous brands that have nothing to do with the cell phone industry like Adidas or Marlboro, and manufacturers are opportunistic, building a phone around available parts until they run out, then moving on to the next opportunity. The transient and shadowy nature of the industry frustrates any standardization for hardware or software found in these phones.

While IDHs customize the phones they develop, the core features such as screen resolution, Bluetooth, media capability or network support are determined by the specifications of the SoC (chipset) they decide to use. For roughly ten years, the hardware packages from the top Chinese chipset manufacturers were closed platforms, offering only feature phone capability. In mid 2011, however, a major shift occurred with the introduction of Chinese chipsets supporting Android. The driving force of white box innovation is really at the hands of the SoC manufacturers, and they are meeting market demands with cutting-edge chip sets able to run smart phone operating systems, albeit at a higher price than the ultra low cost feature phones that still flood the market.



/ FEATURE

In some cases, white box phone manufacturers like Tianyu or Oppo have become so sophisticated and so well established as producers that they eventually “go legit” with their own brands. More mainstream brands like HuaWei, ZTE, TCL and Lenovo are some of the largest brands using Chinese chipsets in their phones, selling their phones through China’s three largest carriers.

/ Barriers to Analysis
The non-standard nature of Chinese phones makes them vexing to mobile forensics examiners. They are often built on unique or modified operating systems with modifications that may only exist in a certain production run of a handset model. Until recently all white box phones were embedded platforms, not open source, and many contain distinct file system structures.

Another hindrance to forensic analysis is the absence of standards for hardware such as data cables. Even though the cables that come with these phones may look the same as the cables that come with Android or iPhone handsets, the wiring is often different. This is sometimes a deliberate strategy by manufacturers to maximize accessory sales. Unfortunately it also impedes the task of the digital forensics investigator, as it can be difficult to establish compatibility between these phones and forensic analysis tools.

While standard logical cell phone tools use synchronization to extract data, white box manufacturers typically block synchronization features. Even when the hardware is compatible, phone manufacturers may disallow synchronization through the software as a means of simplifying the devices. (The transfer of media files is typically supported, however.)

The barriers to analysis of white box phones come down to one core issue: the absence of industry standards. Unfortunately, hundreds of millions of cell phones are circulating in worldwide markets that are so cheap they are nearly disposable, that accommodate multiple SIM chips, function across national borders, and are inherently difficult to analyze, making them perfect for criminal activity and a huge challenge for investigators.

/ A Global Issue
Further compounding the threat, these phones are quickly internationalized, moving from China to Southeast Asia, the Middle East, Africa and beyond. They may be flashed and re-flashed with new software, exacerbating the problem of tracking the devices with issues like non-unique IMEI numbers and IMEI numbers that do not relate to manufacturing origin or phone model. Certain countries like the United Kingdom prohibit by law the changing of IMEI numbers, a practice that is commonplace with white box phones.

If you think the adoption of smart phones will make the Chinese phone problem go away, think again. Market research firm Strategy Analytics reports that while the US is still the largest smartphone market overall, China overtook the US as the largest market for smartphones retailing below $170 (the fastest growing segment of the market). Major Chinese chipset manufacturers MediaTek, Infineon, Spreadtrum, and MStar are racing to develop chipsets to serve this market and Chinese phone manufacturers like Huawei, ZTE, TCL, and Lenovo are designing smart phones. Even non-Chinese brands like Motorola and Alcatel are incorporating Chinese chipsets in some of their less expensive smartphones, and in India, Spice Mobile and Micromax are designing smart phones around low-cost Chinese chipsets. Strategy Analytics predicts that the sales of lower cost smart phones will triple from 191 million phones in 2012 to 551 million phones in 2016, with 75% being exported to emerging markets. So whether they are in feature phones or smart phones, Chinese chip based phones are here to stay.

/ Inside the Chinese Chip Market
Approximately 800 million Chinese chipped cell phones entered the global market in 2011, making up nearly 35% of devices worldwide. Given the rapid increase in prevalence, popularity and sophistication of these devices, it is important to know who makes the chipsets that allow them to operate. As the industry leaders, the companies below will shape the future of white-box mobile devices.

Top White-box Chip Makers:
• MediaTek (MTK): (Approximate Market Share 60%) MediaTek develops chips for everything from GPS systems to HDTVs. MediaTek is the world’s second largest producer of semiconductors to the cell phone industry, after Qualcomm.
• Spreadtrum: (Approximate Market Share 30%) As the second largest white-box chipset manufacturer, Spreadtrum has its sights set on MediaTek and has doubled its market share over the past decade.
• Infineon Technologies: (Approximate Market Share 5%) A spin-off of Siemens AG in 1999, Infineon made its name by providing semiconductors to the automotive, industrial and multimarket sectors before entering the cell phone industry.
• M-star Semi Conductor: (Approximate Market Share 5%) Split from System General Technology in 2002, MStar specializes in mixed-mode integrated circuit technologies. MStar is known in China as “Little-M”, contrasting the firm with “Big-M” – MediaTek.

/ It’s Not About Phones; It’s About Chipsets
Fortunately, even in the face of all these hindrances to analysis, there is a light at the end of the tunnel for mobile forensic professionals. Even with tens of thousands of handset models on the market, over 90% of the chipsets at the heart of these devices are designed and built primarily by four firms: Spreadtrum, Infineon, MStar and MediaTek (MTK). The concentration of manufacturers enables forensics technology



developers to focus their efforts on tools that can physically analyze the chipsets on which the phones are designed.

International mobile forensic companies are working on technologies to address the growing problem of phones based on Chinese chipsets. At the forefront of this effort is EDEC Digital Forensics with Tarantula, currently the only forensic tool that can extract and decode data from all 4 major Chinese chipset manufacturers (comprising about 90% of all phones that include Chinese chipsets). In addition to decoding data such as phone book contacts, call logs, and SMS messages, Tarantula acquires deleted data, PIN lock codes and IMEIs (both current and historical, if present) from most chipsets.

In demonstrations to the state police forces in Australia, Jason Hanel, Owner of Task Intelligence, a security and investigation firm located near Canberra, Australia, invited them to bring their own Chinese phones. In all cases, Tarantula has succeeded in getting data. Phones purchased whilst in Singapore and Indonesia were also tested with good results. In addition, Cellebrite’s UFED CHINEX is a connectivity kit for its UFED Physical Analyzer. Chinex is capable of physical extraction of critical data from a subset of phones based on MediaTek chips. Micro Systemation’s XRY system is capable of logical data extraction from a subset of several hundred Chinese phones. Oxygen Forensics recently updated their proprietary Oxygen Forensic Suite 2012 to support MediaTek phones, and Logicube has announced that it has a licensing agreement with EDEC allowing it to integrate Tarantula into its own CellXtract product, allowing it to do physical analysis on Chinese phones.

/ Industry Cooperation
While there may be competition between the leading developers of digital forensics tools, there is also a good deal of cooperation and collaboration. As much as executives want their products to outsell the competition, they recognize the need to provide effective tools to as many law enforcement agencies as possible. This was evidenced in March of this year when eDEC and Logicube announced that they were partnering to combine Tarantula software with CellXtract hardware. The finished product is slated to debut at this year’s Techno Security & Digital Investigations and Mobile Forensics Conferences in Myrtle Beach, South Carolina, USA.

In a release regarding the partnership, Logicube Executive Vice President and COO Farid Emrani stated, “Our digital forensics customers are encountering large quantities of these types of phones, creating an urgent requirement to extract and analyze data and evidence from them. Integrating Tarantula with Logicube’s data extraction device, CellXtract, provides added functionality that will give law enforcement, military and government agencies an unparalleled solution to address the thousands and thousands of phones, including legitimate brands and white box, manufactured with Chinese chipsets.”

/ Looking Forward
There is no doubt that cell phones based on Chinese chipsets will continue to present a challenge to investigators for the foreseeable future. MediaTek, Spreadtrum and other IC manufacturers are not only vying for position in the Chinese market, they are also making headway in the global market by signing deals with the world’s top cell phone manufacturers. Feature phone chipsets that have been utilized by Chinese IDHs for years, such as Mediatek’s MT6226 or MT6253, are showing up in low cost handsets from international firms like Motorola and Alcatel.

With the core strength of cell phone hardware manufacturing achieved, Chinese chipset manufacturers are now expanding their reach to include a wider range of mobile device types. MediaTek’s smartphone chipset, MT6573, and Spreadtrum’s SC8810 are capable of supporting Android tablets, a device category previously dominated by Western IC firms. Both companies are working to create chipsets that support Japanese and Korean networks, another category previously served by international players. The landscape of mobile devices is shifting as Chinese chipset manufacturers evolve at unprecedented speed.

To be prepared for all potential scenarios, forensics investigators need to ensure that they are trained in the latest acquisition methods for the latest devices. By the same token, forensics tool developers will need to remain vigilant and cooperate with one another to remain at the forefront of Chinese chip technology.

While there are many factors that make analysis of Chinese built devices exceedingly difficult, the silver lining is that there is a whole industry rising to these challenges. The best way forensic investigators can prepare for the future is to pay careful attention to industry trends and seek out the appropriate educational programs to ensure that they are well versed in this emerging field. The bottom line is that Chinese technology is here to stay, so we might as well adapt to it. /

/ Author Bio
Kevin J. North is an American freelance journalist who specializes in the fields of finance and technology. He is a graduate of Monmouth University in West Long Branch, New Jersey, with a Bachelors Degree in Public Relations and Journalism. Currently, Mr. North resides in Santa Barbara, California, where he writes and edits articles related to digital forensics, automotive safety technology and financial advice for investors. In addition to his work as a journalist, Mr. North serves as a consultant to the health and wellness, web design, entertainment, and data acquisition industries.

43

DF11_40-43_Chinese Cell Phones.indd 43 25/04/2012 13:38


DF11_44_Ad.indd 44 22/04/2012 13:32
/ APPLE AUTOPSY

APPLE AUTOPSY
The State of Apple
by Sean Morrissey

Things seem to have changed under the stewardship of Mr. Tim Cook, Chief Executive Officer of Apple. Unlike his predecessor, Mr. Cook seems willing to negotiate a solution to the patent wars with Apple's supplier and competitor Samsung. But will this change the stance between Apple and Google? Steve Jobs wanted to go all-out, "thermonuclear", on Google. So, how does one hurt Google? You hit them where it hurts: revenue.
In the patent suit brought against Google by Oracle it emerged that Google made four times more revenue from iOS devices than from its own Android OS. Since the original (2G) iPhone in 2007, iOS has carried Google Maps and Google's search engine. Apple has since purchased two mapping companies, and iOS 5 brought Siri. So if Apple decided at some point to drop Google Maps and Google search, how would that affect Google's bottom line? Google has always been an advertising company, with Android just another vehicle to generate more revenue; then add the patent wars to the mix. Interestingly, Apple seems to want to settle with Samsung, but there is no mention of this in reference to Motorola. So, will Tim Cook placate and settle with Samsung, which is important to Apple's supply chain, or continue to do battle? I think he will deal.
Tim Cook was the one who created the Apple supply-chain engine, one like no other company's. He needs Samsung more than patents. Google? Now that may be a bigger fish to fry. Manufacturers have been uneasy since the acquisition of Motorola, even with the mighty hand of Google attempting to put those worries to rest.
If Google starts to label Motorola phones as Google phones, that will be an interesting move, and what will Samsung, LG, HTC and others do? Look to Microsoft? Even though Samsung has publicly stated that it is not interested in purchasing the ailing RIM, would it look at it when that day comes? Palm's OS is also out there now in the open-source world. Grab that and do it right, unlike the miserable way HP attempted to use that OS? At the end of the day, there are options for those outside of Google. Apple could pull the plug, and what would Google do then? Time will tell, and we will all see the outcome of what Steve Jobs intended. To that end, and to add more fuel to the fire, Apple released another amazing product.
The new iPad, Apple's third-generation iPad, with the stunning Retina display, which is really amazing. You've noticed it on the iPhones, but on an iPad it is truly marvellous. This generation of iPad includes the upgraded A5X chipset. Unlike the A5 from previous versions, this version is on graphics steroids. The iPads have a commanding lead in the tablet market.
There have been some gains from devices like the Amazon Fire, which is a departure from traditional Android. If you didn't know any better, you wouldn't know it was Android. Add a price of $199 and you've created a tablet that has gained traction in the marketplace. Apple has seen this coming, and there have been rumours that it is "testing" a 7-inch mini iPad, not to compete with Amazon but to add to its domination of the tablet market.
A new iPad is not enough for Apple; now it appears to be looking at how to change one more industry, television. Will it be something that, once released, causes the market to take a pause? Steve Jobs revolutionized four industries, so why not add one more? /


/ FEATURE

IMAGING AND WRITE BLOCKING ON A MAC
Whether it is an older Mac (PowerPC) or a newer Mac (Intel), all can be imaged in the same manner as PCs. The only difference is how first responders and examiners handle these devices…
by Sean Morrissey
/ ADVANCED

Today we have Mac Pros, MacBook Pros, iMacs and MacBook Airs, all of which have differing levels of complexity. The device that caused a degree of consternation to a number of forensic analysts when it first came out was the MacBook Air. Its departure from the standard platter hard drive to a flash memory drive presents challenges unlike other Mac devices; the MacBook Air does, however, have USB, so an external drive can still be attached.
The first MacBook Air had a 1.8-inch 4200 rpm hard drive with a ZIF connector, allowing us to use the same adapter as we used for iPods; it was therefore easy to remove and image the drives of these older MacBook Air devices. The newer MacBook Air has a solid-state drive with a "mini PCIe" connector; this connector is often mistaken for the "micro PCIe" connector.
So, how does one image these devices? There are numerous tools and methods available. EnCase Portable and MacQuisition are viable paid-for alternatives for imaging the MacBook Air; however, I like free tools for imaging, and there are many tools that can image any Mac for free, including Windows FE (WinFE) with AccessData's FTK Imager Lite.

/ Imaging the MacBook Air
Connect an Apple SuperDrive and one 500 GB external USB hard drive to your device; in our demonstration we are using a 13" MacBook Air (256 GB SSD).

1. Boot the Mac and hold down the "option" key until the Mac boot screen appears;
2. Select the Windows CD-ROM and press "Enter"; this will begin the boot process with WinFE;
3. Once the boot process is completed the Boot Process Complete screen is seen;
4. Once a successful boot is achieved, check to ensure that you can see the disks. To do this, from the command prompt type "DISKPART", press Enter, then type "list volume". You should see the EFI partition along with the external hard drive. Next we have to make the external drive writeable;
5. From the command prompt type "select volume 2", and make sure it is your external hard drive ("list disk" and "detail disk" will confirm which disk currently has focus; the "attributes disk" command in the next step acts on that disk, so you must be certain it is the destination drive and not the evidence SSD);
6. Type "ATTRIBUTES DISK CLEAR READONLY" and press Enter;
7. Type "ASSIGN LETTER=Z";
8. Type "Exit". You are now ready to start imaging the drive. To do this we bring up FTK Imager Lite from the command prompt:
9. Type "cd \";
10. Type "cd TOOLS";
11. Type "FTK Imager Lite"; this will bring up the familiar interface of FTK Imager;
12. From the File menu, select "Create Image";
13. The next menu will ask Physical, Logical, etc. Select "Physical" and hit Next;
14. Here you will see the SSD as seen in the next figure, as physical drive "0";
15. Select Finish;
16. From the next menu select "Add" then "Next";
17. Since the destination is an NTFS-formatted drive we can keep this as a single, unsegmented dd image, so select Raw (dd) in the next menu, then press "Next".

MacBook Air Flash Drive

DISKPART List


18. The next screen will ask for case-specific information. Fill out the appropriate areas;
19. You now need to point FTK Imager to your destination drive. Remember we gave the external drive the drive letter "Z", so in the destination path type "Z:\";
20. Under "Image name" give your image a name, for example "MacBook Air";
21. In the Segment size field, delete the default 1500 and enter "0". This keeps the dd image as a single, unsegmented file;
22. Press "Finish"; FTK Imager will then start the imaging process;
23. Once completed, exit FTK Imager and WinFE.

/ Linux Boot Disk – Raptor
There is a more conventional way to image the new solid-state drives of the MacBook Air than WinFE plus FTK Imager: the old standby Linux distributions, such as Forward Discovery's Raptor. Most people in the Mac imaging community have known about Raptor, but when the first MacBook Airs came off the line there wasn't a procedure or an adapter for this new "Cat" drive. I had to quickly devise a method of imaging these because one came into the lab where I was working at the time. At that time, WinFE with FTK Imager and EnCase Portable were the only viable options.
Raptor, however, can now identify and image the newer MacBook Air devices, so you don't have to open up the Mac and take out the SSD to image it. There aren't any known adapters at present; however, there is a solution for those that want to do it that way, which we will discuss later in this article.
So if you want to image a MacBook Air with a Linux boot disk, Raptor is now an alternative solution. Raptor is a boot disk that I have used since its release; developed by Forward Discovery, it is freely available and you can burn a disk from the ISO distributed from their website, http://forwarddiscovery.com/. After discussing the imaging of a MacBook Air with Ryan Johnson of Forward Discovery, he was happy to make himself available to demonstrate how to create a bootable USB drive.
Before you start you will need a 4 GB USB drive as a minimum. Using a Windows machine, go to http://www.linuxliveusb.com/ and download the live USB utility. You can then create a bootable USB drive with the Raptor ISO as seen in the following steps:

1. Step 1, point to the USB device that you are going to use;
2. Step 2, leave the default setting;
3. Skip step 3;
4. Step 4, if you need to reformat the drive, select "Format the key in FAT32";
5. Step 5, click on the lightning-bolt button and the app will create the bootable USB drive for you.

Once you have created your bootable USB drive you can proceed to image your MacBook Air. Either the DVD or the USB version of Raptor will work fine. If you're using the DVD, I suggest getting an Apple SuperDrive. The newer MacBook Air has Thunderbolt and two USB ports; the older MacBook Air had only one USB port, requiring the use of a USB hub. Connect the SuperDrive to one USB port and the external destination drive to the other; this is the same configuration as discussed earlier. Now, again thanks to Ryan at Forward Discovery, there is a trick to booting Raptor.
Turn on the MacBook Air while holding down the "alt/option" key; the MacBook Air boot option screen will appear. Select "Windows" from the DVD or USB icon in the boot option screen. Next is the little trick: from the Raptor boot option screen select "Boot Raptor". At the bottom of the screen there is a kernel command line that you need to edit: insert "nomodeset" before the double hyphens (nomodeset is the kernel parameter that disables kernel mode-setting for the graphics driver). See Figure 14 for an example.
Raptor will then boot, and from the main screen of Raptor select "Raptor Tools".
The interface for imaging is simple and easy to use. Prior to imaging you will need a wiped and formatted disk to write the image to; you can use Raptor to do both, and my volume of choice is HFS+. There is no need to segment the image as there is for volumes such as FAT32, whose 4 GB file-size limit forces a split. As I tend to examine Mac devices with a Mac, using HFS+ is preferable. Once you have a formatted disk, go to the "Image" tab and follow these steps:

Linux Live USB Creator


Raptor Installer Boot Menu

Select Raptor Tools

1. First select the volume you wish to image, and make sure you image the whole disk by selecting the device itself, "/dev/sda", rather than one of its partitions (e.g. "/dev/sda1");
2. Then select what type of image you are going to create: E01, dmg or dd (dd and dmg are exactly the same raw format; I just don't have to rename the image from .dd to .dmg when using a Mac), and change the 2000 in the Segment field to 0, as you don't want a segmented .dmg on a Mac. Segmentation is only necessary when imaging to a volume such as FAT;
3. So, after selecting in this case a ".dmg", I then select the volume I will image to. You also have an option to verify the image, which I recommend should be done as well;
4. Lastly, give the image a filename and hit Start. Once completed, you should lock and mount the image on a Mac and begin your examination. Nearly all forensic analysis on a Mac can be done completely without the use of any automated tools.

As stated previously, there isn't a known adapter for the SSD of a MacBook Air; however, there is a hardware alternative for those that do want to disassemble the MacBook Air and image the SSD traditionally. Other World Computing has an enclosure that has the adapter built into it. The enclosure isn't cheap, but it does the job and can be found at: http://eshop.macsales.com/item/Other%20World%20Computing/SSDAPEPMQ/
The enclosure has eSATA, FireWire 800/400 and USB 2.0/1.1 connectors. A combination of the enclosure and a traditional write blocker will do the job. We will be discussing write blockers later in this article.

/ Imaging All The Other Macs
There are several ways to image the raw disk of a Mac, such as Target Disk Mode (FireWire, and on newer machines Thunderbolt), which has been available on Macs for many years and effectively turns the Mac into a big FireWire disk drive. To place a Mac into Target Disk Mode, boot the machine and hold down the "T" key. A FireWire or Thunderbolt symbol will be seen on screen if successful. To image the disk there are many tools and command-line methods available.
The command-line options are binaries such as dcfldd and dc3dd, freely available from SourceForge. The tools are variants of the standard "dd" command. The following are the download locations of these command-line utilities:

1. dcfldd – http://sourceforge.net/projects/dcfldd/
2. dc3dd – http://sourceforge.net/projects/dc3dd/

Note: make sure that your destination disk is formatted HFS+. This is important so that there won't be a need to split the image (FAT32 cannot hold a single file larger than 4 GB).
To image the device, open a terminal on the destination (imaging) Mac:

1. Run the command "df -h";
2. This will show all the mounted volumes; the Mac's own hard drive appears as disk0 (for example /dev/disk0s2). When you plug in another disk it will get a device name with the next number, such as disk1;
3. Attach the external disk that you intend to image to (the destination drive) to the Mac and execute "df -h" a second time. You will then see "/dev/disk1";
4. Therefore any subsequent device, such as your evidence drive, will be "/dev/disk2". Note that df lists only mounted file systems: once disk arbitration is disabled (next step) the evidence disk will not auto-mount and so will not appear in df, so confirm its device number with "diskutil list", which shows every attached disk whether mounted or not.
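The device-numbering steps above and the dc3dd command the article runs against that device later ("dc3dd if=/dev/rdisk2 conv=sync,noerror bs=512k hash=md5,sha1 progress=on of=..."), as an added Python example; it is not the article's tooling and not a wrapper around dc3dd. It diffs two constructed df -h listings (disk0/disk1 numbering as in the article) to find the newly attached disk, builds the dc3dd command line from the chosen node, and reproduces what conv=sync,noerror and hash=md5,sha1 actually do by imaging an in-memory fake device with one unreadable block, so the effect of those options is visible offline. The df output, the fake device and the /Volumes/IMAGES path are all constructed for this example.

```python
"""Added example for the procedure above; not the article's tooling and not
a wrapper around dc3dd. identify_new_device() diffs two df -h listings the
way the article does by running df -h before and after attaching a disk.
image_device() is a dd-style block copy with the semantics of dc3dd's
conv=sync,noerror and hash=md5,sha1, run against an in-memory fake device
with one unreadable block so the effect of those options is visible offline.
"""
import hashlib
import re

# Constructed df -h output (not from a real system); numbering as in the
# article: disk0 is the imaging Mac's own drive, disk1 the destination.
DF_BEFORE = """\
Filesystem    Size   Used  Avail Capacity  Mounted on
/dev/disk0s2  232Gi  120Gi  112Gi    52%    /
"""
DF_AFTER = DF_BEFORE + "/dev/disk1s2  465Gi   10Gi  455Gi     3%    /Volumes/IMAGES\n"

DISK_RE = re.compile(r"^/dev/disk\d+")   # /dev/disk1s2 -> /dev/disk1


def identify_new_device(before: str, after: str) -> str:
    """Whole-disk node present in `after` but not in `before`.
    Caveat: df lists only *mounted* file systems, so once Disk Arbitrator
    blocks auto-mount the evidence disk will not appear; use diskutil list."""
    def disks(listing: str) -> set:
        found = set()
        for line in listing.splitlines()[1:]:        # skip the header row
            if line.strip():
                m = DISK_RE.match(line.split()[0])
                if m:
                    found.add(m.group(0))
        return found
    new = disks(after) - disks(before)
    if len(new) != 1:
        raise RuntimeError(f"expected exactly one new disk, found {sorted(new)}")
    return new.pop()


class FakeRawDevice:
    """Stand-in for /dev/rdiskN: a byte buffer in which a read starting at
    any of `bad_offsets` fails with EIO (constructed for this example)."""
    def __init__(self, data: bytes, bad_offsets=()):
        self._data = data
        self._bad = set(bad_offsets)

    def size(self) -> int:
        return len(self._data)

    def read_at(self, offset: int, size: int) -> bytes:
        if offset in self._bad:
            raise OSError(5, "Input/output error")
        return self._data[offset:offset + size]


def image_device(dev, bs=512, noerror=True, sync=True):
    """Copy `dev` block by block, mimicking the dd/dc3dd conversion flags.
    noerror: record the read error and carry on instead of aborting.
    sync:    pad a short or unreadable block with NULs up to `bs`, so every
             later byte of the image sits at the same offset as on the disk
             (without it the image silently shrinks and everything shifts).
    As with dd, a device whose size is not a multiple of `bs` gets its last
    block padded too. Hashes are taken over the bytes written, in one pass.
    Returns (image_bytes, {"md5": ..., "sha1": ...}, [bad offsets])."""
    out, bad = bytearray(), []
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    offset = 0
    while offset < dev.size():
        try:
            block = dev.read_at(offset, bs)
        except OSError:
            if not noerror:
                raise
            bad.append(offset)
            block = b""
        if sync and len(block) < bs:
            block = block.ljust(bs, b"\x00")
        out += block
        md5.update(block)
        sha1.update(block)
        offset += bs
    return bytes(out), {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}, bad


def verify_image(image: bytes, hashes: dict) -> bool:
    """Re-hash the stored image and compare with the acquisition hashes."""
    return (hashlib.md5(image).hexdigest() == hashes["md5"]
            and hashlib.sha1(image).hexdigest() == hashes["sha1"])


def dc3dd_command(evidence_disk: str, dest_path: str) -> str:
    """The article's command line, with /dev/diskN switched to the raw
    node /dev/rdiskN (option syntax as printed in the article, dc3dd 6.x)."""
    raw = evidence_disk.replace("/dev/disk", "/dev/rdisk", 1)
    return (f"dc3dd if={raw} conv=sync,noerror bs=512k "
            f"hash=md5,sha1 progress=on of={dest_path}")
```

Run with `identify_new_device(DF_BEFORE, DF_AFTER)` to get `/dev/disk1`, then `image_device(FakeRawDevice(bytes(range(256)) * 8, bad_offsets=[1024]))`: the returned image is still 2048 bytes, with the unreadable block replaced by NULs and its offset reported, and `verify_image()` confirms the stored bytes match the hashes computed during acquisition. Switch `sync=False` to see the image shrink by one block, which is exactly the misalignment that makes every later file-system offset wrong in an analysis tool.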

Imaging with Raptor Toolbox

Prior to any imaging, disk arbitration needs to be dealt with. The disk arbitration daemon (diskarbitrationd) is what has to be stopped from auto-mounting volumes on the Mac; an ordinary read/write mount of a journaled HFS+ volume writes to it (the journal is replayed), so this is very important if you don't have access to a write blocker. A free tool called Disk Arbitrator will disable disk arbitration and allow the forensic examiner to mount volumes read-only or read/write. The download for this free utility is at:

https://github.com/aburgh/Disk-Arbitrator

1. Start the Disk Arbitrator application;
2. Make sure that you have activated the application by checking the "Activated" box towards the bottom;
3. Test the write blocking by adding a flash drive to the imaging Mac; Disk Arbitrator should see it, however it will be greyed out or "Not Mounted". Once tested, make sure you detach the flash drive;
4. Place the target Mac into FireWire Target Disk Mode by starting it up while holding down the "T" key;
5. Using a FireWire cable, attach the target Mac to the imaging Mac;
6. In Disk Arbitrator, highlight the disk that corresponds to your target device. The example in Figure 19 shows Disk 1 as the evidence disk. Hit Mount from the menu bar;
7. After selecting "Mount" another dialog box appears. Make sure that "read-only" is selected; the path can be anything, but use "/Volumes", then select "Mount". (Mounting is only needed if you want to browse the volume; dc3dd reads the raw device node and does not require the volume to be mounted at all.)

Using the "dc3dd" binary from the command line, open the Terminal application and type the following:

dc3dd if=/dev/rdisk2 conv=sync,noerror bs=512k hash=md5,sha1 progress=on of=/device/image.dd

Replace "/device/" with the path of your destination volume (under /Volumes). The critical items of the command line are "if", the INPUT FILE, and "of", the OUTPUT FILE. The output file is the path where the image will be written.
"if=/dev/rdisk2" means you will image the complete raw disk of your evidence drive through its "rdisk" (raw, unbuffered) device node rather than the buffered "disk" node. As one can see, there isn't a split option; this will create one dd file that can then be forensically analysed on a Mac by simply renaming the extension, as discussed later. Note that the option syntax shown is the dd-style syntax of dc3dd 6.x; dc3dd 7.x changed it (for example "hash=md5 hash=sha1" and "bufsz=" in place of "bs="), so check "dc3dd --help" on the version you have installed.
Note: when you are finished, remember to deactivate Disk Arbitrator from the top menu bar, as seen below, and then quit the application as well, so that normal disk arbitration resumes.
Lastly, there are options for removing the hard drive from Mac devices. If you are interested in this, iFixit and other websites have great walkthroughs on taking Macs apart and getting to the hard drives. Imaging with commercially available write blockers and free tools, such as FTK Imager from AccessData, is the Windows alternative for imaging Macs.
Finally, we have to deal with FileVault. The original FileVault is user-level encryption (an encrypted home directory volume) that can be employed on any Mac. There are tools and techniques for cracking the keychain on a Mac, which will allow you to find the password for the user volume. Depending on the version of OS X you can sometimes get lucky and find the password in plain text in the sleep image. By simply doing a "grep" search for either "password" or "long password" you can find the password.

Tableau FireWire WriteBlocker

The Mac operating system "Lion" provides full disk encryption (FileVault 2); however, there are ways to deal with this as well. With full disk encryption one needs to image the RAM, which until recently was next to impossible. A free utility, "Goldfish", allows the imaging of RAM over a FireWire connection. It depends on the target still permitting DMA over FireWire, which newer OS X releases restrict once the screen is locked, so acquire while the machine is unlocked. The utility is free to law enforcement at http://cci.ucd.ie/goldfish.

/ Write Blockers
There aren't any Mac-specific write blockers. If you remove the hard drive from any Mac, including the MacBook Air, it can be attached to conventional write blockers manufactured by various vendors, with one addition: a write blocker that can be used while a Mac is in FireWire Target Disk Mode. This FireWire write blocker is manufactured by Tableau; the Forensic FireWire Bridge T-9 is a write blocker that can be utilized during imaging using FireWire Target Disk Mode.
All the others, made by CRU-DataPort, Tableau, ICS and others, are conventional adapters and write blockers for the rest of the Mac line, used once the drives are removed from the system.
Imaging Macs isn't a daunting task; a hard drive in a Mac isn't any more special than those found in Windows machines, and the Mac allows for easy, free imaging using FireWire/Thunderbolt Target Disk Mode. This overcomes the fear of tearing into a Mac in order to remove the hard drive for imaging. This mode, as discussed earlier, can also overcome the problems encountered with the MacBook Air. There are many ways to image Macs; some are paid for but most are free. Some require pushing a few buttons, some are command line, but both are effective and have been used for years. /

/ AUTHOR BIO
Sean Morrissey is presently employed by Paradigm Solutions and assigned as a Computer/Mobile Forensic Analyst in the Department of State Computer Investigations and Forensics Division. Sean was an Instructor of Forensics at the Defense Cyber Crime Center, a former Law Enforcement Officer and U.S. Army Officer. He also authored Mac OS X, iPod and iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis.


/ FROM THE LAB

IMAGE FORENSICS
The challenge when dealing with large quantities of forensically acquired data, of quickly identifying relationships whilst augmenting with open and closed source intelligence sources, is daunting. This is particularly true if your goal is to abstract the data to allow forensic investigators to work with the information rather than learning specific forensic tools or data formats.
by Ollie Whitehouse

/ ADVANCED

In this article we're going to walk through how Recx solved the problem of allowing intuitive data access, visualization and relationship identification, specifically in the case of photographic image forensics. The article will first review the metadata embedded within an image before looking at how to extract it and, finally, how to visualize and link the data with other sources.

/ Digital Image Metadata
The subject of digital image forensics and its associated metadata is a well-documented area of study. Articles that cover this subject include 'Digital Still Camera Forensics' [1] by Kevin Cohen (2007), which for example deals with forensic acquisition from cameras and the post-analysis of the acquired data.
In summary, when dealing with digital pictures there is a potential wealth of embedded information, depending on the device or software used to produce the image. Image metadata is typically stored in three common formats:

• Exchangeable Image File Format (EXIF) [2]
• IPTC Information Interchange Model (IIM) [3]
• Extensible Metadata Platform (XMP) [4]

For camera-originated images the most common format is EXIF, although at times you may see the others. Common forensic tooling such as EnCase, iLook and viaForensics allows access to the image metadata, although typically only in text form.
It's important to point out that whilst there are standard EXIF metadata tags that are extremely useful, the EXIF standard also documents the concept of maker notes [5]. Maker notes allow hardware and software vendors to add custom metadata to images inside the EXIF structure. In the case of photographs, these additional tags can sometimes contain information valuable to the forensic investigation. For example, some vendors embed the device serial number as a maker note. Typically, serial numbers are most often seen on high-end devices and to date have not been seen on mobile phones.
The integrity of the metadata should also be considered. EXIF provides no mechanism for either integrity validation or general tamper resistance; every field, timestamps and GPS coordinates included, can be edited or stripped with freely available tools. While there have been designs [6] for systems to reduce the likelihood of image modification, and commercial products such as Kodak Picture Authentication [7] and Nikon's Image Authentication System, the implementations don't always stand up to scrutiny. Elcomsoft, for example, managed to bypass Nikon's Image Authentication System [8] in April 2011. As a result, it's important to keep in mind that anti-forensics as a field of study continues to progress, and as it does there is potential for misuse of image metadata by the more technically savvy.
The quantity of useful information available within EXIF and the other similar standards is vast. To a forensic investigator there is useful information embedded within images that may be beneficial to an ongoing investigation, such as:

• Make and model of the device that took the photograph.
• Time and date the image was captured.
• Device software version, which can indicate the mobile device firmware version.
• GPS coordinates of the photograph (geotagging); altitude, direction and speed can also sometimes be included.
• GPS time the photograph was taken.
• Any software used for post-modification.
• Device serial number (mobile devices don't include this to date).

There is obviously considerable benefit from the extraction and analysis of this metadata during an investigation. Being in a position to leverage this information to identify or group photographs based on time, date, location, device type or a specific device has obvious investigatory uses. Numerous examples of software exist within the open source community which can be used to retrieve metadata. A good example of a mature open source extractor is Exiv2 [9]. Exiv2 is capable of handling all three of the common formats (EXIF, IPTC and XMP), is cross-platform, easy to use and has good support for custom maker notes.

/ Extracting the Metadata
Off-the-shelf forensic software packages can already extract some image metadata. However, being able to inspect the data with minimal abstraction is often useful; this is especially true if you want to integrate this data into a data mining solution.
For example, if we take an image from the Internet and retrieve, using Exiv2 [9], all of the EXIF, IPTC and XMP metadata, we can extract the following:


Exif.Image.Make Ascii 6 Apple
Exif.Image.Model Ascii 7 iPhone
Exif.Image.Orientation Short 1 top, left
Exif.Image.XResolution Rational 1 72
Exif.Image.YResolution Rational 1 72
Exif.Image.ResolutionUnit Short 1 inch
Exif.Image.DateTime Ascii 20 2009:08:03 16:06:13
Exif.Image.ExifTag Long 1 171
Exif.Photo.FNumber Rational 1 F2.8
Exif.Photo.ExifVersion Undefined 4 2.21
Exif.Photo.DateTimeOriginal Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeDigitized Ascii 20 2009:08:03 16:06:13
Exif.Photo.FlashpixVersion Undefined 4 1.00
Exif.Photo.ColorSpace Short 1 sRGB
Exif.Photo.PixelXDimension Long 1 1200
Exif.Photo.PixelYDimension Long 1 1600
Exif.Image.GPSTag Long 1 321
Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'
Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3

Iptc.Envelope.CharacterSet String 3 <%G
Iptc.Application2.RecordVersion Short 1 2
Iptc.Application2.Copyright String 20 © Jeremy Quinn 2009
Iptc.Application2.City String 6 London
Iptc.Application2.CountryName String 7 Britain
Iptc.Application2.Caption String 23 Gosh! I'm late for tea!
Iptc.Application2.Keywords String 9 Afternoon
Iptc.Application2.Keywords String 12 Architecture
Iptc.Application2.Keywords String 7 Big Ben
Iptc.Application2.Keywords String 7 Britain
Iptc.Application2.Keywords String 7 British
Iptc.Application2.Keywords String 8 Building
Iptc.Application2.Keywords String 4 City
Iptc.Application2.Keywords String 6 Clouds
Iptc.Application2.Keywords String 7 Culture
Iptc.Application2.Keywords String 10 Government
Iptc.Application2.Keywords String 8 Historic
Iptc.Application2.Keywords String 9 Landscape
Iptc.Application2.Keywords String 10 Landscapes
Iptc.Application2.Keywords String 6 London
Iptc.Application2.Keywords String 7 Outdoor
Iptc.Application2.Keywords String 8 Outdoors
Iptc.Application2.Keywords String 9 Political
Iptc.Application2.Keywords String 5 Signs
Iptc.Application2.Keywords String 3 Sky
Iptc.Application2.Keywords String 19 St. Stephen's Tower
Iptc.Application2.Keywords String 10 Still life
Iptc.Application2.Keywords String 6 Street
Iptc.Application2.Keywords String 7 Symbols
Iptc.Application2.Keywords String 25 Palace of Westminster
Iptc.Application2.Keywords String 7 Tourism
Iptc.Application2.Keywords String 14 Transportation
Iptc.Application2.Keywords String 6 Travel
Iptc.Application2.Keywords String 12 Tube Station
Iptc.Application2.Keywords String 11 Underground
Iptc.Application2.Keywords String 15 Vanishing Point
Iptc.Application2.Keywords String 11 Westminster
Iptc.Application2.Keywords String 16 Westminster Tube
Iptc.Application2.CountryCode String 2 gb

Within the extracted data there are three distinct image timestamps:

Exif.Image.DateTime Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeOriginal Ascii 20 2009:08:03 16:06:13
Exif.Photo.DateTimeDigitized Ascii 20 2009:08:03 16:06:13

and one GPS-based timestamp:

Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3

The three EXIF values are the device's local clock with no time-zone information, whereas GPSTimeStamp is expressed in UTC, so the two legitimately differ by the local UTC offset. DateTime is updated by editing software while DateTimeOriginal and DateTimeDigitized are not, so a DateTime that differs from the other two is a sign that the file has been modified since capture.
We also see the GPS coordinates at which the image was taken:

Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'

Although the extracted information is useful, it raises the question of how best to use that data to maximize its value.

/ Reverse Geocoding
Converting captured GPS data into longitude and latitude can be useful if you're interested in reverse geocoding. Reverse geocoding simply refers to the process of converting longitude and latitude into a place, with varying degrees of resolution. The common resolutions used in reverse geocoding include:

• Specific address
• Road
• Town or city
• County or state
• Country

The GPSLatitude and GPSLongitude fields embedded within an image are each stored as three rational numbers (degrees, minutes and seconds), and the accuracy of the fix itself depends on the satellite signal coverage at the time of capture. Devices differ in how many of the three elements they actually populate, so the printed value effectively comes in one of three forms:

• Degrees
• Degrees and minutes
• Degrees, minutes and seconds

In our example metadata above we have degrees and fractional minutes, with the seconds element zero. To convert the GPSLatitude or GPSLongitude fields to Google Maps friendly coordinates we do the following:

• degrees + (minutes / 60)

Then, if the latitude or longitude reference field is South or West, we multiply the result of the previous calculation by -1 to make it a negative value. If we had degrees, minutes and seconds in our extracted GPS coordinates we'd do the following to calculate the longitude or latitude:

• degrees + (minutes / 60) + (seconds / 3600)
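The conversion rules above (degrees only, degrees and minutes, or degrees, minutes and seconds, negated for South or West), the Google Maps URL the article builds from them next, and the openstreetmap.org reverse-geocode XML it shows after that, as an added Python example that is not part of Recx's tooling or of the article. It reads an exiv2-style text dump (a constructed copy of the GPS lines printed above), converts the coordinates with a hemisphere check and a range check, builds the maps URL, and parses a constructed copy of the reverse-geocode response into address parts at the resolution levels listed above. The RESOLUTION table is an assumption about which Nominatim address fields correspond to each of the article's levels.

```python
"""Added example; not part of the Recx tooling or of the article. Parses
an exiv2-style dump, converts the GPS fields to decimal degrees as the
article describes (degrees only, degrees and minutes, or degrees, minutes
and seconds; South/West negated; range-checked), builds the Google Maps
URL, and parses an openstreetmap.org reverse-geocode response. All inputs
are constructed from values printed on the page, so it runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: the GPS-related lines of the exiv2 dump printed above.
EXIV2_DUMP = """\
Exif.GPSInfo.GPSLatitudeRef Ascii 2 North
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000'
Exif.GPSInfo.GPSLongitudeRef Ascii 2 West
Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000'
Exif.GPSInfo.GPSTimeStamp Rational 3 16:06:00.3
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")   # Key Type Count Value
# exiv2 prints a coordinate as 51deg, 51deg 30.06000' or 51deg 30' 3.600"
COORD_RE = re.compile(r"""^(?P<deg>\d+(?:\.\d+)?)deg
                          (?:\s+(?P<min>\d+(?:\.\d+)?)')?
                          (?:\s+(?P<sec>\d+(?:\.\d+)?)")?$""", re.VERBOSE)


def parse_exiv2(dump: str) -> dict:
    """{key: value} from the dump; for a repeated key (e.g. IPTC Keywords)
    the last value wins."""
    tags = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tags[m.group(1)] = m.group(4).strip()
    return tags


def to_decimal(coord: str, ref: str) -> float:
    """degrees + minutes/60 + seconds/3600, negated for South or West."""
    m = COORD_RE.match(coord.strip())
    if not m:
        raise ValueError(f"unparseable coordinate: {coord!r}")
    value = (float(m.group("deg")) + float(m.group("min") or 0) / 60
             + float(m.group("sec") or 0) / 3600)
    ref = ref.strip().upper()
    if ref in ("S", "SOUTH", "W", "WEST"):
        return -value
    if ref in ("N", "NORTH", "E", "EAST"):
        return value
    raise ValueError(f"unknown hemisphere reference: {ref!r}")


def gps_position(tags: dict):
    """(lat, lon) from the four GPS tags, or None if any is missing. A value
    beyond +/-90 or +/-180 means a corrupt or tampered field, not a place."""
    try:
        lat = to_decimal(tags["Exif.GPSInfo.GPSLatitude"],
                         tags["Exif.GPSInfo.GPSLatitudeRef"])
        lon = to_decimal(tags["Exif.GPSInfo.GPSLongitude"],
                         tags["Exif.GPSInfo.GPSLongitudeRef"])
    except KeyError:
        return None
    if abs(lat) > 90 or abs(lon) > 180:
        raise ValueError(f"coordinate out of range: {lat}, {lon}")
    return lat, lon


def maps_url(lat: float, lon: float) -> str:
    return f"http://maps.google.com/?q={round(lat, 4)},{round(lon, 4)}"


# Constructed copy of the reverse-geocode response shown later in the article.
OSM_XML = """<reversegeocode timestamp="Mon, 30 Jan 12 05:39:47 -0500"
 querystring="format=xml&amp;lat=51.5015&amp;lon=-0.124&amp;zoom=18&amp;addressdetails=1">
<result place_id="2136837319" osm_type="node" osm_id="469762514" lat="51.5015818"
 lon="-0.1240972">Westminster Millenium Pier, Victoria Embankment, Whitehall, City of
 Westminster, Greater London, London, England, SW1A 2LW, United Kingdom</result>
<addressparts><bus_stop>Westminster Millenium Pier</bus_stop><road>Victoria Embankment</road>
<suburb>Whitehall</suburb><city>City of Westminster</city><county>Greater London</county>
<state>England</state><postcode>SW1A 2LW</postcode><country>United Kingdom</country>
<country_code>gb</country_code></addressparts></reversegeocode>
"""

# Assumed mapping of the article's resolution levels onto Nominatim address
# parts; which parts a response carries varies by place, hence the fallbacks.
RESOLUTION = {"address": ("house_number", "bus_stop", "road"), "road": ("road",),
              "town": ("city", "town", "village"), "county": ("county", "state"),
              "country": ("country",)}


def parse_reverse_geocode(xml_text: str) -> dict:
    """lat/lon, display name and the <addressparts> children as a dict."""
    root = ET.fromstring(xml_text)
    result = root.find("result")
    parts = {el.tag: (el.text or "").strip() for el in root.find("addressparts")}
    return {"lat": float(result.get("lat")), "lon": float(result.get("lon")),
            "display_name": " ".join((result.text or "").split()), "address": parts}


def place_at(geo: dict, level: str) -> str:
    """Coarsen the address to one of the article's resolution levels."""
    for field in RESOLUTION[level]:
        if geo["address"].get(field):
            return geo["address"][field]
    return ""
```

`gps_position(parse_exiv2(EXIV2_DUMP))` gives (51.501, -0.12467) and `maps_url()` turns that into `http://maps.google.com/?q=51.501,-0.1247`; `place_at(parse_reverse_geocode(OSM_XML), "town")` returns "City of Westminster". The hemisphere and range checks are there because EXIF carries no integrity protection: a reference letter that is not N/S/E/W, or a latitude over 90 degrees, is far more likely to be a damaged or edited field than a real location, and it is better for the extraction to stop on it than to plot a nonsense point on a map.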


Followed by the West / South multiplication if required. So if Extracting and converting the GPS information is useful, but
we take our example: on its own is just another source of information. This begs the
question, how do we take this data visualize it and identify
Exif.GPSInfo.GPSLatitudeRef Ascii 2 North relationships with other sources?
Exif.GPSInfo.GPSLatitude Rational 3 51deg 30.06000’

Exif.GPSInfo.GPSLongitudeRef Ascii 2 West / Visualization and Relationship Identification


Exif.GPSInfo.GPSLongitude Rational 3 0deg 7.48000’ The concept of visualizing relationships within an
investigation is by no means new. Well-established
We do the required calculations: products like I2’s Analyst Notebook [11] and emerging
products such as Paterva’s CaseFile [12] already provide
• Latitude = (51 + (30.06000 / 60)) = 51.501 the means to graph interconnects between distinct objects
through manual data input. However, the application of visualization and relationship identification solutions directly to forensic data mining is only now emerging. The volume of data associated with an investigation has created a requirement to utilize automated solutions, particularly as multi-case investigations are becoming more common.

When looking at extensible visualization, relationship identification and data mining engines there are three key technologies on the market today:

• I2's range of products [13]
• Palantir [14]
• Paterva's Maltego [15]

When deciding which product to build upon we wanted a low cost barrier of entry. While I2's and Palantir's solutions have gained significant traction within central governments around the world (and, in the case of I2, law enforcement), they are also a substantial investment when working with smaller point specific problems. For this reason, combined with the fact that we had experience of Maltego and its existing open source intelligence plug-ins, we selected it as the product to initially build our solution upon.

When developing for Maltego you have to first choose which model you're going to adopt for your extension (transform). The available options are:

• Public (cloud) server based
• Private server based
• Private database based
• Local client based

Sending forensically acquired data off-site across the Internet is unlikely to be acceptable, so that ruled out the public server based solution. A private server or database server would have likely been overkill at this initial stage. As a result, a local plug-in to the analyst workstation was selected as the best method, at least for the initial release.

The interface between Maltego and its external transforms is XML based and well documented. When embarking on such a custom Maltego transform it is wise to spend time during the initial design stages answering a number of questions about entities and their relationships.

• Longitude = ((0 + (7.48000 / 60)) * -1) = -0.124

We can then plug this into the parameters of a Google Maps URL (which has the format http://maps.google.com/?q=Latitude,Longitude); in our example this becomes http://maps.google.com/?q=51.501,-0.124.

If you don't want to do this calculation by hand then there are a number of tools available as part of the Google Earth supplemental open source project called Google Earth Hotkey [10].

To turn these map co-ordinates into a location or address there are a number of public services like openstreetmap.org that can be used to convert the data into a consumable address in XML format:

<reversegeocode timestamp="Mon, 30 Jan 12 05:39:47 -0500" attribution="Data Copyright OpenStreetMap Contributors, Some Rights Reserved. CC-BY-SA 2.0." querystring="format=xml&lat=51.5015&lon=-0.124&zoom=18&addressdetails=1">
<result place_id="2136837319" osm_type="node" osm_id="469762514" lat="51.5015818" lon="-0.1240972">
Westminster Millenium Pier, Victoria Embankment, Whitehall, City of Westminster, Greater London, London, England, SW1A 2LW, United Kingdom
</result>
<addressparts>
<bus_stop>Westminster Millenium Pier</bus_stop>
<road>Victoria Embankment</road>
<suburb>Whitehall</suburb>
<city>City of Westminster</city>
<county>Greater London</county>
<state_district>London</state_district>
<state>England</state>
<postcode>SW1A 2LW</postcode>
<country>United Kingdom</country>
<country_code>gb</country_code>
</addressparts>
</reversegeocode>
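The co-ordinate conversion, Google Maps URL and reverse-geocode response above, carried through in code as an added example that is not part of the article or of Recx's transforms. The EXIF latitude rationals and the XML sample are constructed from the values quoted in the text, with the ampersands in the querystring attribute escaped as well-formed XML requires.

```python
"""EXIF GPS rationals -> decimal degrees -> maps URL, plus reverse-geocode XML parsing.

Added example, not code from the article or from Recx. Sample values are
constructed from the figures quoted in the article.
"""
import xml.etree.ElementTree as ET
from fractions import Fraction
from typing import Dict, Sequence


def dms_to_decimal(dms: Sequence[Fraction], ref: str) -> float:
    """Convert EXIF (degrees, minutes, seconds) rationals plus the GPSLatitudeRef /
    GPSLongitudeRef letter into signed decimal degrees; S and W are negative."""
    if len(dms) != 3:
        raise ValueError("expected three rationals: degrees, minutes, seconds")
    deg, minutes, seconds = (float(x) for x in dms)
    value = deg + minutes / 60.0 + seconds / 3600.0
    ref = ref.strip().upper()
    if ref in ("S", "W"):
        value = -value
    elif ref not in ("N", "E"):
        raise ValueError(f"unknown reference letter {ref!r}")
    return value


def maps_url(lat: float, lon: float, places: int = 3) -> str:
    """Build the maps.google.com query URL in the form the article uses."""
    return f"http://maps.google.com/?q={lat:.{places}f},{lon:.{places}f}"


def parse_reverse_geocode(xml_text: str) -> Dict[str, str]:
    """Flatten a Nominatim-style <reversegeocode> document into a dict holding the
    result's lat/lon, the display name and every <addressparts> child."""
    root = ET.fromstring(xml_text)
    if root.tag != "reversegeocode":
        raise ValueError(f"unexpected root element <{root.tag}>")
    result = root.find("result")
    parts = root.find("addressparts")
    if result is None or parts is None:
        raise ValueError("missing <result> or <addressparts>")
    out = {"lat": result.get("lat", ""), "lon": result.get("lon", ""),
           "display_name": " ".join((result.text or "").split())}
    for child in parts:
        out[child.tag] = (child.text or "").strip()
    return out


# Constructed EXIF values matching the article: 51 deg 30.06' N and 0 deg 7.48' W.
SAMPLE_LAT = (Fraction(51), Fraction(3006, 100), Fraction(0))
SAMPLE_LON = (Fraction(0), Fraction(748, 100), Fraction(0))

# The article's reverse-geocode response, re-typed with escaped ampersands.
SAMPLE_XML = """<reversegeocode timestamp="Mon, 30 Jan 12 05:39:47 -0500"
 attribution="Data Copyright OpenStreetMap Contributors, Some Rights Reserved. CC-BY-SA 2.0."
 querystring="format=xml&amp;lat=51.5015&amp;lon=-0.124&amp;zoom=18&amp;addressdetails=1">
<result place_id="2136837319" osm_type="node" osm_id="469762514" lat="51.5015818" lon="-0.1240972">
Westminster Millenium Pier, Victoria Embankment, Whitehall, City of Westminster, Greater London, London, England, SW1A 2LW, United Kingdom
</result>
<addressparts>
<bus_stop>Westminster Millenium Pier</bus_stop>
<road>Victoria Embankment</road>
<suburb>Whitehall</suburb>
<city>City of Westminster</city>
<county>Greater London</county>
<state_district>London</state_district>
<state>England</state>
<postcode>SW1A 2LW</postcode>
<country>United Kingdom</country>
<country_code>gb</country_code>
</addressparts>
</reversegeocode>
"""


def locate(lat_dms, lat_ref, lon_dms, lon_ref, geocode_xml) -> Dict[str, object]:
    """Tie the three steps together: decimal co-ordinates, maps URL and the
    address parts an analyst would attach to the image entity."""
    lat = dms_to_decimal(lat_dms, lat_ref)
    lon = dms_to_decimal(lon_dms, lon_ref)
    address = parse_reverse_geocode(geocode_xml)
    return {"lat": lat, "lon": lon, "url": maps_url(lat, lon),
            "postcode": address.get("postcode"), "address": address["display_name"]}


if __name__ == "__main__":
    print(locate(SAMPLE_LAT, "N", SAMPLE_LON, "W", SAMPLE_XML))
```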

53

DF11_51-54_Image Forensics.indd 53 25/04/2012 13:40


/ FROM THE LAB

The questions to answer at that stage are:

• Which new Maltego entities will need to be defined?
• Which existing Maltego entities can be leveraged?
• What will the relationships between entities look like?
• What will the relationships between entities and other transforms be?

As a result of answering these questions we defined a number of new entities:

• Local folder entity: used to represent a local file path on the workstation.
• Interim image entity: to show which files in the specified file path either contain EXIF image data or were taken in the specified location.
• Time and/or date entity: to represent any time and date EXIF data.

We also utilized a number of pre-defined Maltego entities so that the user is able to use existing transforms to create these entity types, or to allow further data extraction or mining. The existing Maltego entities we used were:

• Device: extracted mobile device make, model and serial number (if available).
• Image: the image including thumbnail.
• GPS co-ordinates: extracted co-ordinates.
• Phrase: used for the software details contained in the EXIF data.

Using the existing entities for the data we extract, where appropriate, allows relationships with entities produced by other transforms (such as Internet based image GPS data mining) to be created, whilst allowing other transforms to take the data and further extend or mine it as appropriate.

/ Putting It All Together
With the Recx image forensic transforms installed and a small set of sample data we're then able to do the following:

1. Specify a local file path and extract only images from that path which have GPS EXIF data present.
2. From the set of image entities extract:
   a. GPS co-ordinates.
   b. Capturing device make and model.
   c. Time and date properties.
3. Resolve, using the GPS co-ordinates, the broad location where the images were taken.

We can quickly see the following based on the available data from test images when visualized:

• They were taken on the same date.
• They were taken in the same location.
• They were taken with the same make and model of device.
• They were taken on the same day over a period of 32 minutes.

/ Conclusions and Closing Thoughts
In this article we've discussed the point specific problem of photograph image metadata forensics: the information available, how to extract it and the benefits of visualization, relationship identification and data mining. We believe this type of solution has significant implications for the world of digital forensics. So much so, that we've taken it a step further and integrated the same concepts with an existing desktop forensics solution, which we'll hopefully discuss in a future issue. /

REFERENCES
[1] http://www.ssddfj.org/papers/SSDDFJ_V1_1_Cohen.pdf
[2] http://en.wikipedia.org/wiki/Exchangeable_image_file_format
[3] http://en.wikipedia.org/wiki/IPTC_Information_Interchange_Model
[4] http://en.wikipedia.org/wiki/Extensible_Metadata_Platform
[5] http://wiki.photoolsweb.com/index.php?title=EXIF_Maker_Notes
[6] http://andrew.triumf.ca/andrew/trustcam/
[7] http://www.kodak.com/global/en/digital/acrobat/software/Authentication_whitepaper.PDF
[8] http://blog.crackpassword.com/2011/04/nikon-image-authentication-system-compromised/
[9] http://www.exiv2.org/
[10] http://code.google.com/p/googleearth-autohotkey/
[11] http://www.i2group.com/us/products/analysis-product-line/analysts-notebook
[12] http://maltego.blogspot.com/2011/11/maltego-casefile-beta-released.html
[13] http://www.i2group.com/us/products
[14] http://www.palantirtech.com
[15] http://www.paterva.com/
[16] http://ctas.paterva.com/view/Specification
[17] http://nickfurneaux.blogspot.co.uk/2011/10/evidence-visualisation.html
[18] http://nickfurneaux.blogspot.co.uk/2011/12/forensic-visualization-part-2-court.html
[19] http://nickfurneaux.blogspot.co.uk/2012/02/visualizing-online-investigations-live.html

/ Author Bio
Ollie Whitehouse is one of the co-owners of Recx and actively works in the field of consulting, research and development. He has extensive experience in both software security and consulting and applied computer security research. Over the past eleven years he has worked for @stake, Symantec and Research In Motion (BlackBerry) in a variety of roles including technical director and manager of a pan European security research and assessment team.

Recx Ltd was formed in 2009 by a group of skilled British nationals who together have a combined experience of over fifty years in the field of systems and network attack, defence, exploitation and applied security research. Recx's pedigree comes from its employees who have worked for organisations such as DERA, QinetiQ, DSTL, @stake, Symantec, Logica and Research In Motion (BlackBerry) in the fields of information and software security research, assessment and consultancy. Instead of claiming to solve all of the world's information security problems with its software, Recx instead focuses on specific real-world problems.

COMPETITION
/ This issue we have A TARANTULA CHINESE CELL PHONE
ANALYSIS KIT TO GIVE AWAY, COURTESY OF EDEC

/ Question
In his article, “Visualising Photographic Image Metadata for
Effective Data Mining”, Ollie Whitehouse explains that image
metadata can be stored in three formats, EXIF, IIM and XMP.
What does the acronym XMP stand for?

A. EXTENSIBLE METADATA PLATFORM


B. EXTENDABLE METADATA PLATFORM
C. EXTENDABLE METADATA PROCESSES

/ To Enter
To enter the competition all you need to do is send an
email to: competition@digitalforensicsmagazine.com,
writing ISSUE11COMP in the subject line, include your
name, address and phone number with your entry.

TERMS AND CONDITIONS


This competition is open to anyone aged 18 or over, except for
employees of TR Media Ltd and their immediate families. Only
one entry is permitted per person. Entries can be submitted
by email only to competition@digitalforensicsmagazine.
com. TR Media shall not be responsible for technical errors in
telecommunication networks, Internet access or otherwise,
preventing entry to this competition. Closing date for all entries
is on 1 June 2012 at 9.30am GMT. Any entries received after that
time will not be included. The correct winning entry,
chosen at random by the DFM team, will be notified by email on
01/07/2012. The winners may also be announced in Issue 11 of
the magazine and on the Digital Forensics Magazine website.
Submitting your entry constitutes your consent for us to use
your name for editorial or publicity purposes, should you be
one of the winners. TR Media Ltd reserves the right to change or
withdraw the competition and/or prize at any time. By entering
the competition, entrants are deemed to have accepted these
terms and conditions.



/ FEATURE

TRAP YOUR OWN BOTNETS


Techniques for forensic examination of BotNets
by Brian Cusack & Junewon Park

/ ADVANCED

The economic driver for BotNet propagation is simple. Someone (the master or herder) sets up a network of control over many computers (bots) and steals the computing and communication resources. The stolen property is then sold on to willing buyers who make a living from spamming, theft of personal identities, extortion, DDOS attacks and so on. It is a simple economic formula that delivers high financial gains and the motivation to continue the development of anti-forensic techniques to avoid detection. We reasoned that it would not be hard to find examples of BotNets in action and, more from boredom than a serious research perspective, we placed a honeypot outside the Lab firewall and took a look at the free space of the web (WWW). After 11 days the honeypot reported more than 140,000 exploitation attempts, the repelling of 3,227 attacks, 1,466 malware samples and 110 unique binaries. Not a bad effort for an average day's work.

It was interesting. If the open web is polluted with such a vast array of malware at any given instance, what are the implications for the unwary? How can serious investigations be attempted? What tools would be helpful for forensic examination? It would seem the bait of easy economic gains is fuelling a demise that has the potential to impair open communications and network systems. The intelligence of bots and the continually changing adaptation mechanisms suggest that they will not just go away. The threat requires a response and for our part we decided to investigate further. The first step was to analyse the huge dump of malware and to categorise it. All of this occurred outside the firewall as we did not want trouble, and we outsourced the analysis to external service suppliers. Once categorised, we selected a number of binaries, brought them inside the firewall and allowed them to attack one of our own machines in order to learn the malware behaviours (see Figure 1).

Figure 1. System Architecture for our Bot Investigation

/ CATCH YOUR OWN BINARIES
The analysis reports showed that 96% of the malicious malware was either Conficker.B or Conficker.C. Our honeypot was hosted on a virtual server and connected to the external service supplier for the analysis. Virtualization software provided the most efficient and flexible method to catch a BotNet. If a researcher only used physical computers and did their own analysis then the costs increase significantly. Costs are not just financial but also include efficiencies and risk management; by using a hybrid of physical, virtual and outsourced services we optimised the accuracy, efficiency and the budget bottom line. Table 1 lists the full scope of the software and services we used.

The honeypot was hosted virtually on VMware and the analysis services outsourced to Anubis and CWSandbox. After virus scanning, the binaries were further analysed using unpacking, string extraction and reverse engineering techniques, compiling the static evidence, and run in a dynamic simulation on a secure machine.

Type | Name | Purpose
Malware collection | Dionaea | A low interaction honeypot that collects a copy of the malware exploiting the vulnerabilities exposed.
Virtualization | VMware Workstation, VirtualBox | Tools for virtualizing the computer system.
Forensic image | Helix Pro | A forensic tool specified for incident response.
Memory analysis | Volatility Framework | A forensic tool that can extract various types of information from a memory image.
Initial virus scan | VirusTotal | A public service that analyses suspicious files and URLs.
Initial sandbox analysis | Anubis, CWSandbox | Public services that analyse the behaviour of Windows PE executables with special focus on the analysis of malware.
Packer detectors | PEiD v0.94 | A tool that detects packers, cryptors and compilers for Windows PE executables.
String extractor | BinText v3.03 | A tool that finds ASCII, Unicode and Resource strings in a file.
Disassemblers and debuggers | IDA Pro, OllyDbg | Tools for reverse engineering.
Table 1. System Architecture for our Bot Investigation



/ FEATURE

/ The Functionality of Honeypots
Honeypots are a construct that present a target of value to attract malicious attack. They may be virtual or real and internal or external to a network. They work by attracting the participation of a suspect and then by recording the behaviours of the suspect. The record is a full 360 degree appraisal of the actions and no aspect is left undocumented. The suspect may be a live hacker or a bot or any other automated malware. The honeypot acts like a collector unit for any unauthorised activity. Honeypots may be classified by deployment and by the level of intended activity. A production honeypot, for example, is usually inside a business with the intent of increasing the level of security and generally is designed for a low level of interaction. A research honeypot is usually outside the firewall and set to gather information on the motivations and tactics of attackers. The output is further analysis and the dissemination of reports on new attack signatures. They may be high or low in terms of interaction. Useful honeypots that often include external analysis services can be downloaded for implementation. For example, http://www.honeynet.org; http://anubis.iseclab.org; and others that can be found by a simple web search.

We found that the purpose and the behaviour of the BotNets could be established from the reports provided by the outsourced service providers. For each process the malicious code is described by file, registry, and network activities. Figure 2 shows the result of the IRCBot analysis. The process that is responsible for the malicious activities is visible and in this case the submitted binary performs malicious activities by creating a Windows batch file named a.bat in the Windows root folder, followed by a suspicious process that runs a series of command line instructions. For instance, Process #2 (ID: 24), Process #3 (ID: 1572), Process #5 (ID: 816), and Process #6 (ID: 1964) execute the following instructions:

C:\> cmd /c net stop "SharedAccess"
C:\> a.bat
C:\> cmd /c net stop "Security Center"
C:\> cmd /c net start "SharedAccess"

The first instruction is used for disabling the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service. The third one stops the Windows Security Center service, which manages the computer security settings such as Windows Update, Windows Firewall, and the installed anti-virus software package. Later, a suspicious process runs an instruction to change Registry values by regedit.exe in silent mode to completely achieve the intended purpose.

Figure 2. The analysis summary of the IRC Bot

In the file activities section, the results showed evidence of the malicious code in the infected system. The a.bat file has been created by Process #1 (ID: 632). At the same time, this process copied itself to the Windows System folder (C:\WINDOWS\system) under the name 'servicer.exe'. Next, the created batch file creates a Registry file named 1.reg in the administrator's temporary folder (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\); this Registry file is loaded by the same process. After executing the batch file and updating the Registry, the batch and Registry files are deleted to hide their activities; in addition to the deletion of the created files, the first infected file has also been deleted by the process which launched the copied file. Table 2 shows the summary of file activities of IRCBot on the infected machine.

Table 2. IRCBot Activity Summary

In the report, Registry activities of malicious binaries are classified in five sub-categories: Open keys, Set values, Query values, Delete values, and Enum values. Set values are the most important because those values are created or modified. The impact of code changing the Registry is to disable the security services of the operating system and register a malicious service to start at boot-up time. The IRCBot processes are used to prevent the Windows Security Center and Update services from starting automatically. In addition, the attacker changed the TCP/IP service parameter for a reason which is not evident from this analysis report.
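The file, process, registry and network behaviours described above, turned into a simple indicator scan an analyst could run over a sandbox activity report. This is an added example, not code from the article or the AUT laboratory: the pipe-separated report format is constructed, and process attributions the article does not state (which process created, imported and deleted 1.reg) are assumed.

```python
"""Indicator scan over a sandbox activity report for the IRCBot behaviours above.

Added example, not code from the article or the AUT laboratory. The report
format is constructed; process attributions not quoted in the article are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed report in the style "Process | type | operation | argument".
SAMPLE_REPORT = r"""
Process #1 (ID: 632) | file | create | C:\WINDOWS\a.bat
Process #1 (ID: 632) | file | copy | C:\WINDOWS\system\servicer.exe
Process #2 (ID: 24) | process | exec | cmd /c net stop "SharedAccess"
Process #3 (ID: 1572) | process | exec | a.bat
Process #3 (ID: 1572) | file | create | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
Process #3 (ID: 1572) | process | exec | regedit.exe /s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
Process #5 (ID: 816) | process | exec | cmd /c net stop "Security Center"
Process #6 (ID: 1964) | process | exec | cmd /c net start "SharedAccess"
Process #3 (ID: 1572) | file | delete | C:\WINDOWS\a.bat
Process #3 (ID: 1572) | file | delete | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
Process #8 (ID: 252) | network | connect | 60.10.179.100:8681
"""


@dataclass
class Finding:
    process: str
    category: str
    detail: str


# (category, pattern applied to "<type> <operation> <argument>", description)
INDICATORS: List[Tuple[str, re.Pattern, str]] = [
    ("disable-firewall",
     re.compile(r'^process exec .*\bnet\s+stop\s+"?SharedAccess"?', re.I),
     "stops the Internet Connection Firewall/Sharing (ICF/ICS) service"),
    ("disable-security-center",
     re.compile(r'^process exec .*\bnet\s+stop\s+"?Security Center"?', re.I),
     "stops the Windows Security Center service"),
    ("batch-dropper",
     re.compile(r'^file create [A-Z]:\\WINDOWS\\[^\\]+\.bat$', re.I),
     "batch file dropped in the Windows root folder"),
    ("self-copy",
     re.compile(r'^file copy [A-Z]:\\WINDOWS\\system\\[^\\]+\.exe$', re.I),
     "executable copied into the Windows System folder"),
    ("silent-registry-import",
     re.compile(r'^process exec .*\bregedit(\.exe)?\s+/s\b', re.I),
     "registry file imported silently (regedit /s)"),
    ("outbound-connection",
     re.compile(r'^network connect \d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$'),
     "connects to a remote host, candidate C&C channel"),
]

LINE_RE = re.compile(
    r'^(Process #\d+ \(ID: \d+\))\s*\|\s*(\w+)\s*\|\s*(\w+)\s*\|\s*(.+)$')


def parse_report(text: str) -> List[Tuple[str, str, str, str]]:
    """Split the report into (process, type, operation, argument) rows."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable report line: {line!r}")
        rows.append(match.groups())
    return rows


def scan_report(text: str) -> List[Finding]:
    """Apply the indicators in report order and correlate file deletions with
    earlier creations, the clean-up behaviour described in the article."""
    findings: List[Finding] = []
    created: Dict[str, str] = {}  # lower-cased path -> creating process
    for process, kind, op, arg in parse_report(text):
        event = f"{kind} {op} {arg}"
        for category, pattern, description in INDICATORS:
            if pattern.match(event):
                findings.append(Finding(process, category, f"{description}: {arg}"))
        if kind == "file" and op == "create":
            created[arg.lower()] = process
        elif kind == "file" and op == "delete" and arg.lower() in created:
            findings.append(Finding(process, "anti-forensic-cleanup",
                                    f"deletes {arg} created earlier by {created[arg.lower()]}"))
    return findings


def categories(findings: List[Finding]) -> List[str]:
    """Distinct indicator categories hit, sorted for stable reporting."""
    return sorted({f.category for f in findings})


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"{f.process:<22} {f.category:<25} {f.detail}")
```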
In the network section, the report showed that the network communication is through an IRC channel. Process #8 (ID: 252) communicated with 60.10.179.100:8681 (the IP address of a remote host). The process used "SP2-501" as user name and "USA|XP|SP3|446911" as a nickname. According to the keywords in the communication messages, the researcher can infer that this binary has the capability for DDOS attack. The BotNet that this bot belongs to has at least two Command & Control (C&C) servers: 58.240.104.57 is for update and 60.10.179.100 for distribution.

/ WHAT TO LOOK FOR
Knowing what to look for is the most difficult problem once the service provider has delivered the report. There is also the question of where the evidence extracted sits in the life cycle of a BotNet. The creation of a BotNet starts from using already known vulnerabilities on a victim system (including social engineering attacks). During the initial infection phase, the attacker scans a target subnet for any known vulnerabilities, and infects victim machines through different exploitation methods. The spreading mechanism of a BotNet includes several infection strategies already used in worms, viruses and social engineering.

After initial infection comes the secondary injection phase, in which the infected hosts execute a script known as shellcode; this shellcode fetches the image of the actual bot binary from a specific location using either File Transfer Protocol (FTP), HTTP, or Peer to Peer (P2P) (see Figure 3) and installs itself on the target machine. Once the bot program is installed, the victim computer turns into a 'zombie' and runs the malicious code. The bot application starts automatically each time the zombie is rebooted.

Figure 3. BotNet architectures

/ Botnet Propagation Methods
The propagation method employed by botnet masters has moved from a "push" based model, where the bots are commissioned to remotely intrude on a system through security flaws, to a "pull" based model, where the unwitting host performs an action like a download or a mouse click. One of the propagation techniques in this new model is using various social engineering techniques. For example, attackers gather visitors to a website with phishing methods, and allow the visitors to accidentally download the malware. Another technique involves exploitation of various browser vulnerabilities. In this case, visitors come to automatically download malware and run it without their knowledge. These techniques are called 'drive-by downloads'. Using these techniques, the number of victims can be easily increased without any barriers because conventional protection mechanisms cannot prevent infection.
In any botnet investigation, the evolution of the botnet malware propagation method, like the pull-based model, makes it difficult for the investigators to reconstruct the initial phase of a botnet attack. In the investigation of a botnet using a traditional method such as the push based model, investigators might reveal the fingerprints of the infection by finding vulnerabilities of the system. However, to find the initial phase of an attack in the push based botnets, investigators must consider various possibilities of how the botnet malware was distributed.

The Botnet architecture is defined by its protocol and the modes of operation. The Botnets which have already launched attacks continuously maintain the connection with their bot masters and are commanded to update their binary code. The main purpose of this process is to evade detection techniques or add new functionality to installed bots. In certain cases, the bots can move to a different C&C server. It is useful for bot masters to keep their Botnet alive to be updated. Bot masters also try to keep their Botnets invisible and portable by using Dynamic Domain Name System (DDNS), which is a resolution service that facilitates frequent updates and changes in server locations. In cases where authorities disrupt a C&C server at a certain IP address, the bot master can easily set up another C&C server instantly with the same name at a different IP address.

There are two features to be observed in any BotNet investigation: the network feature and the software feature. In terms of the network feature, it is worthwhile looking at the difference between bot clients running on an infected system and the previous generation of malicious code such as viruses or worms. The bot clients can use the functionality of other malicious codes to propagate themselves in order to hide from detection and to attack the target. The primary difference between the bot clients and viruses or worms is that bot clients are able to take an action autonomously and execute the given commands in a coordinated manner. Bot clients have the ability to perform their actions when attackers are not logged into the target machine. Further, the bot malicious codes communicate with each other to achieve the same goal. To accomplish this they use the C&C channel to construct a typical Botnet, which consists of one or more bot servers and thousands of bot clients. For this reason, a Botnet can be classified by its C&C.

The software features of the bots show that they are modular, adaptive, and targetable. The BotNet is a collection of various malicious codes. During the period of the evolution of a Botnet, it is armed with modularity and extendibility. Modularity means that when a typical Botnet is formed, each module is employed to serve a specific purpose; e.g. one module exploits some kind of vulnerability of the target and then another module would stop the antivirus software which is supposed to protect the targeted system. After securing the bot client, the third module looks for new vulnerable systems.



/ FEATURE

Modular bots can easily adopt different functionalities to exploit the host system. When a bot discovers a new vulnerability on a victim system, it can automatically install a specific module which can easily attack that vulnerable point. It means that defeating one component of a Botnet is not enough to ensure that the entire system is cleaned up. Also the bots utilize a number of techniques to increase their continuity and stability depending on the situation of the specific system targeted. With the targeting capability, bot attackers can customise their attacks to the client market. The targeting capability of Botnets is adaptive as well. The bot client can check the newly infected host for applications so that it knows how to make use of the newly infected system. The creation of Botnets is comprised of five steps: initial infection, secondary infection, connection, malicious command and control, update and maintenance. After propagation, a new bot establishes a command and control (C&C) channel to communicate with the control server. This communication means the bot joins the BotNet. Once it happens, the specific bot becomes a member of a bot master's zombie army. The attacker disseminates commands through the C&C channel, and the bot receives and executes those commands. In this phase, bots, remotely controlled by a bot master, can conduct various malicious activities such as exploiting other machines, commencing DDoS attacks, and so on.

/ GIVING IT A GO
We are not suggesting in this article that you let malicious binaries loose on your home or work network just to observe the behaviour. It is prudent to take your first steps outside your firewall and to outsource the risks associated with analysis to an external service provider. The starting point of a good investigation is to be able to read the service provider report in sufficient detail that an overall picture of the BotNet activity is apparent, and then to be able to focus on particular events. The intrusion vector can be identified and the evidence ordered around the reconstruction of the activities conducted after infection. The information extracted from the memory image can show how the Registry values were changed to disable the firewall and Security Center services and so on. The limitation is that the information would not show how those activities happened and what is to happen in the future. Static code analysis can verify to the limit, and unpacking tools can be used to work out how the binary is constructed. At this point considerable knowledge should have been gained and, if the competency skills exist, a dynamic testing of the binary can proceed in order to understand its future behaviours.

Our half-hearted exploration leaves a number of questions unanswered that are open for further investigation. Further work is required to better understand the BotNet hierarchies and also the impact of BotNets on mobile devices. We were able to identify two IP addresses that were being used for the C&C servers but not detect if these IPs had been spoofed. The propagation methods were clear and the sequence of events defined. Further refinement may include geographic units and organisational units (for example to identify Bank fraud or Stuxnet type unit targeting).

Through the investigation of an infected host it is possible to reconstruct a BotNet incident. Even though the information extracted from the memory image is not sufficient, the information shows evidence of a malicious BotNet process on that machine. The BotNet binary extracted from the memory image is a critical clue that the investigator is able to map onto existing knowledge. The analysis procedure used static, live and existing data and the procedure focused on the preservation of the integrity of digital evidence with the intent of increasing repeatability. Most analysis activities were conducted in a controlled environment and suggested that a standardised procedure can be developed. Regardless of the professional possibilities for sorting out Botnet forensic practices, it is not hard to begin a low risk investigation and to learn the fundamental steps for knowing the attacker. /

/ Expert tip
Sandboxes are a safe way to process captured binaries. These services are run by service suppliers who can manage the executable risk. Antivirus scanning is a quick and easy way to classify unknown files and many antivirus vendors offer the scanning services to the public, for example http://www.virustotal.com. In computer security, a sandbox is a security service that is used to execute unverified or untrusted program code. For malware analysis the supplier executes malware in a monitored environment and performs behaviour analysis without infection risk. Three suppliers of this service are http://anubis.iseclab.org; http://www.norman.com; and http://www.sunbeltsecurity.com.

/ Author Bio
Dr Brian Cusack comes from a background of academic research in IS Security and IT Forensics. He currently leads the AUT University Digital Forensic Research Laboratories and chaired the ISO Study group that inquired into corporate Digital Forensic readiness.

Junewon Park has a Master of Forensic IT Honours degree and is a Researcher at the AUT Digital Forensics Laboratories, Auckland, New Zealand. His research interests include malware, Networks, IT Security systems, and Forensic tools and techniques. He is employed as an IT security consultant and also undertakes commercial digital forensic services for Investigators and data recovery for clients.

/ FEATURE

COVERT CHANNELS IN
NETWORK PROTOCOLS
This is the first in a series of articles that look at the use of covert storage channels
within six specific network protocols and fields and evaluate their effectiveness.
by Matthew Isbell
/ ADVANCED

In a world where new technologies are released daily, the potential for the technology to be used for malicious ends or conflict is in a constant state of growth. During such a situation, communications links are a necessity for battle damage assessment, command and control, information extraction and situation reports. This communication will have to use the networked technologies that are being used to attack and also being attacked, as a result of conflict, partly because of the wide existence of network protocols and partly due to the fact that it is relatively simple to implement a covert channel within them. Hence, the communications must be covert in nature allowing for maximum discretion while also transmitting as much information as possible.

Covert channels are best described using the prisoner problem, as explained by Radhakrishnan and Shanmugasundaram (2002). The analogy describes two inmates, Alice and Bob, who wish to communicate in order to plan their escape, but all communication between them is monitored by Wendy, the warden, who will put them in solitary confinement should she suspect the slightest hint of secret communications. The problem is solved using 'Steganographic' techniques, in which the information is hidden within a benign medium thus allowing for the communications to take place without arousing the warden's suspicion. In the same way, if we view Alice and Bob as two systems on a network that should not be communicating and Wendy as a third system or system administrator, then covert channels provide the communications channel.

This article looks at the implementation and assessment of different covert channels according to three different attributes: bandwidth/capacity, stealth and reliability. Stealth refers to whether a third party can view the transmissions and to what length they can decipher the message. Reliability refers to packet loss and ordering of the transmission; e.g. if a transmission comes through as it is sent, with minimal packet loss, then it is said to be reliable.

/ Covert Channels
Secure computer systems use both mandatory and discretionary access systems (Kemmerer, 1991) to restrict the flow of data and information to only legitimate channels. Kemmerer further notes, however, that the potential for exploitation of storage locations and timing processes to create covert channels was increasing as security protocols became more robust.



Tumoian and Anikeev (2005) explain that the first step when unauthorised access is gained is to obtain information from the compromised system. However, in order to maintain secrecy of the data exfiltration, mainly using malware, covert channels are implemented. They describe covert channels in general terms as "transferring data in unused fields of network protocols".

Covert channels are a means of communication between two processes that are not permitted to communicate, but do so, a few bits at a time, by affecting shared resources. This is very similar to the definition given by Son et al. (2000), who describe a covert channel as a mechanism that "allows indirect transfer of information from a subject at a higher access class to a subject at a lower access class", using the Bell-LaPadula access model to illustrate the differences between the access levels and between subjects and objects. Melliar-Smith and Moser (1991) provide further evidence for this statement by explaining how, even though technology is successful at preventing "direct unauthorised communications in multilevel secure computer systems," it is not as effective at protecting those types of systems against covert channel attacks. Both authors also explain that knowledge of a covert channel is not sufficient protection against it and that the use of these channels must be prevented, including any potential channels that we are not aware of.

This is different from information hiding, where two parties are allowed to communicate but the content is censored or restricted, and so, using 'piggybacking' techniques, information is sent invisibly across the legitimate channel.

Zander, Armitage and Branch compare covert channels in network protocols to data hiding techniques in a different way. They explain that covert channels are very similar to data hiding techniques in textual, audio or visual media: steganography requires content as a cover, while covert channels require some network protocol as a carrier. Thus they are not as different as previously described.

Writing in 1999, Millen did not see covert channels as a major threat, as they required 'Trojan Horses' to implement them and were difficult to implement. This situation has changed greatly in the last decade with new technologies and the use of application-level protocols to transmit data covertly. However, Millen's closing statement is an answer from Bob Morris to the question of whether covert channels are a threat, to which Morris answers simply, "Yes."

In terms of what protocols can be used as covert channels, Giani, Berk and Cybenko (2006) describe the following as useful protocols: HTTP, FTP, SSH and EMAIL. Zander, Armitage and Branch (2007) provide more specific examples of covert channels such as Unused Header Bits, Header Extensions and Padding, IP Identification and Fragment Offset, TCP Initial Sequence Number Field, Checksum Field, Modulating the IP Time to Live Field, Modulating Address Fields and Packet Lengths, Modulating Timestamp Fields, Packet Rate/Timing, Message Sequence Timing, Packet Loss, Frame Collisions, Ad-Hoc Routing Protocols, Wireless LAN, HTTP, DNS and Payload Tunnelling.

All research that discusses covert channels divides them into two distinct classes: covert timing channels and covert storage channels.

/ SYSTEMS & TOOLS
System configuration and software to be used in the testing & analysis stage:

• Processor: AMD Athlon™ 64-bit Processor 3500+
• RAM: 4GiB
• Operating System: Ubuntu 11.04 (Natty Narwhal)
• Kernel: Linux 2.6.38-11-generic-pae
• GNOME 2.32.1

The following software and tools will be used. All tools are either built into the Linux distribution used or downloaded and installed using the Ubuntu Software Centre utility.

• Wireshark
• Packit
• PackETH
• MD5 Hash Utility
• TCP Relay


/ Timing Channels
Eggers and Mallet (1988) provide one of the earliest descriptions of a covert timing channel and state that they are "a covert channel in which one process signals another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process." By altering a specific time-reliant module/process, such as CPU time, we can transmit information by creating a pattern of sorts. Giani, Berk and Cybenko (2006) explain that timing channels are examples of "a subtle mechanism that uses only normal traffic." They compare timing channels to communication methods such as Morse code, which uses timed beeps or timed signals to transmit a message.

/ Storage Channels
Storage channels are described by many as channels that involve the writing of a storage location by one process, which is then directly read by another process. Typically, the bandwidth will be limited by the finite resource shared by two subjects at different security levels. Storage channels are the most common type of covert channel as they are the easiest to implement and do not require any complex algorithms or programming.

Beyond storage and timing channels, there are various sub-classes of covert channels that can be organised according to the mechanisms and protocols used to transmit information, such as TCP/IP, ARP and UDP channels. Covert channels using network protocols are the most common type of covert channel in use.

/ Analysis of Covert Channels
Prior to 1991, most covert channel analysis centred around code inspection or "inspection of the high level specification" (Kemmerer, 1991). More often than not, information flow analysis was involved, which could be very time consuming and difficult to follow.

Kemmerer (1991) also provides one of the most in-depth and consistent methods of analysing covert channels by using flow trees. The advantage of flow trees is that the diagrammatical form provides a comprehensive list of scenarios that can be automatically created.

One form of detecting covert channels could be to use Event Pattern Analysis as proposed by Perrochon et al. (2000), in which software is used to monitor the security infrastructure of an organisation, highlighting when irregular activities occur that do not fit in with a baseline pattern. Software like this has already been developed and will soon become a valuable part of security infrastructure.

Moskowitz and Kang (1994) explain, however, that regardless of the analysis and prevention techniques used on covert channels, they will never be totally eliminated in many practical high-assurance systems.

Covert channels are analysed according to a specific set of properties and how well they can satisfy those properties. Ray and Mishra (2008) describe these properties as stealthiness, lightweight, confidentiality & integrity and reliability/ordering. Stealthiness relates to how easy/difficult it is to detect the use of a covert channel. Lightweight is a measure of how resource intensive a channel is and whether it requires the use of a variety of resources, or just one. Confidentiality describes how easy it is for someone to eavesdrop on the conversation. Ideally only the intended recipient should be able to view the exchanged information and should also be able to detect any tampering. This is usually achieved by making the occurrence/statistical property of the covert channel as close to the statistical property of the legitimate channel as possible. Reliability is a measure of data loss and whether the information can still be read/obtained despite any data loss.

Giani, Berk and Cybenko explained that the 'covertness' of a covert channel is proportional to the capacity of the channel and the transmission rate:

Covertness ∝ (Capacity of the medium − Transmission Rate)

Various forms of covert channels have been identified and the aim of this article is to assess and evaluate a select group of these channels.

Figure 1. IPv4 Datagram



/ Covert Channel List
The following describes the covert storage channels picked to implement and analyse, and also explains how each of the covert channels works.

/ Noisy Channel in the IP Protocol/Time to Live Field
This covert channel was identified by Qu, Su and Feng using the Time to Live (TTL) field of the IPv4 header. The basic idea is to encode the information into the TTL fields, allowing the sender to pass data between hosts in packets that would appear to be initial connection requests or intermediate steps. The TTL field is an indication of the maximum number of nodes that a packet can cross before reaching the destination and is expressed in seconds. The field consists of 8 bits, and so the maximum number of nodes can be calculated as 255. The real advantage of using this field is that the number constantly changes due to changes in network status and routing information. Another advantage of using this channel type is that it will not be affected by the change to IPv6, due to the fact that the IPv6 header has a corresponding field called 'Hop Limit'. The IPv4 datagram is shown in Figure 1 to demonstrate where the data will be entered.

/ Basic Channel Using The IPv4 Identification Field
As seen in the IPv4 datagram, 16 bits are reserved for the identification field of the IPv4 header. This field is used to "uniquely identify an IP datagram within a flow of datagrams sharing the same source and destination four-tuple." In other words, the field is used to identify frames within a set containing the same values in the Source Address field and Destination Address field. This value is usually randomly generated by the source but can hold a non-random value without causing any disruption to the flow of traffic. Therefore, it provides an opportunity for covert communication but would require the message to be encrypted, as otherwise the message would be transmitted as plain text and could be easily detected by packet sniffers.

/ ICMP Echo Request
"The Internet Control Message Protocol (ICMP) is a network-layer protocol used for generating informational, error and test messages related to IP-based communication." It is an essential utility that is used both for diagnosing problems in the network and for general IP-networking facilities. As ICMP echo requests are fairly common on any network, they provide a perfect opportunity for covert communication. Various channels have been presented in ICMP echo requests, but for this implementation we shall be using the sequence number field to implement a basic storage channel. The message shall be encrypted for added security.

/ TCP ACK Field
CLACK is a specific type of covert channel proposed in research by Luo, Chan and Chang, which utilises the ACK field of the TCP protocol (Figure 2) and is based on a persistent flow of TCP data, meaning that direct encoding is not viable, as the ACK has to continue its primary function. The focus of the research is, therefore, based on a mechanism they call 'partial ACK encoding', i.e. encoding messages into pre-existing packets. In order to simplify the method performed by the researchers, Packit will be used to encode the message into the ACK field of a stream of packets, which are then injected onto the network. This channel will not, therefore, be exactly as described in the research but should produce similar results.

/ UDP Storage Channel (Experimental)
After performing a baseline analysis it was observed that certain protocols were more abundant than others. One of these was the User Datagram Protocol (UDP). Currently, there is little experimental and statistical data on the use of the UDP protocol as a covert channel, although it has been suggested as a potential channel by several researchers. The UDP header (Figure 3) offers three distinct fields that could be used to transmit information: the source port field, data length and checksum field. UDP itself does carry some disadvantages, due to the fact that it will drop packets rather than wait for them to be sent; however, it may still provide a viable channel. For this channel, the source port field will be used as the covert carrier field.

Figure 2. TCP Header

Figure 3. UDP Header
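As an added example, not code from the article, the following Python script parses constructed IPv4/ICMP/UDP packets and applies simple per-flow checks for the storage channels described above: a TTL that varies within one flow, Identification or UDP source-port values that decode as printable text, and ICMP echo sequence numbers that do not increment by one. The packets, thresholds and (src, dst) flow keying are assumptions made for the example.

```python
"""Constructed example: per-flow checks for the IPv4 storage channels above.

The packets are built inline so the script runs offline; thresholds and the
(src, dst) flow keying are assumptions made for this example, not the article's.
"""
import struct
from collections import defaultdict


def build_ipv4(src, dst, ident, ttl, proto, payload):
    """Constructed IPv4 packet; the header checksum is left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def icmp_echo(seq, ident=0x1234):
    """Constructed ICMP echo request (type 8) carrying the given sequence number."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"\x00" * 8


def udp(sport, dport=53, data=b"\x00" * 4):
    """Constructed UDP header plus a small payload; checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(pkt):
    """Pull the candidate carrier fields out of one IPv4 packet."""
    ver_ihl, _, _, ident, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "id": ident, "ttl": ttl, "proto": proto}
    body = pkt[ihl:ihl + 8]
    if proto == 1 and len(body) == 8:             # ICMP
        itype, _, _, _, seq = struct.unpack("!BBHHH", body)
        if itype == 8:                             # echo request only
            info["icmp_seq"] = seq
    elif proto == 17 and len(body) == 8:          # UDP
        info["udp_sport"] = struct.unpack("!HHHH", body)[0]
    return info


def printable16(value):
    """True when both bytes of a 16-bit field are printable ASCII."""
    return all(0x20 <= b < 0x7F for b in value.to_bytes(2, "big"))


def analyse(packets, max_ttls=2, text_ratio=0.5):
    """Group packets by (src, dst) and return {flow: [finding, ...]}."""
    flows = defaultdict(list)
    for pkt in packets:
        info = parse(pkt)
        flows[(info["src"], info["dst"])].append(info)
    findings = {}
    for flow, pkts in flows.items():
        notes = []
        # TTL: packets from one host over one route arrive with a stable TTL;
        # a TTL channel shows many distinct values inside the same flow.
        ttls = {p["ttl"] for p in pkts}
        if len(ttls) > max_ttls:
            notes.append(f"ttl: {len(ttls)} distinct values")
        # Identification / UDP source port: a plaintext encoding makes most
        # values printable ASCII, which random generation rarely does (~14%).
        for field in ("id", "udp_sport"):
            vals = [p[field] for p in pkts if field in p]
            if len(vals) >= 4 and sum(map(printable16, vals)) / len(vals) > text_ratio:
                notes.append(f"{field}: looks like text")
        # ICMP echo sequence numbers normally increase by one per request.
        seqs = [p["icmp_seq"] for p in pkts if "icmp_seq" in p]
        if any(b - a != 1 for a, b in zip(seqs, seqs[1:])):
            notes.append("icmp_seq: non-sequential")
        if notes:
            findings[flow] = notes
    return findings


# Constructed traffic: an ordinary ping flow and two flows carrying data.
LEGIT = [build_ipv4("10.0.0.5", "10.0.0.9", ident, 64, 1, icmp_echo(seq))
         for seq, ident in enumerate([0x9C02, 0x1F3A, 0x8E11, 0xB4F0, 0x0A7D, 0xE3C9], 1)]
TTL_CHANNEL = [build_ipv4("10.0.0.7", "10.0.0.9", 0x8000 + i, ttl, 1, icmp_echo(i))
               for i, ttl in enumerate(b"HELLO", 1)]   # TTL spells the message
ID_CHANNEL = [build_ipv4("10.0.0.8", "10.0.0.9", int.from_bytes(ch, "big"), 64, 17,
                         udp(0x8A1C)) for ch in (b"se", b"cr", b"et", b"!!")]

if __name__ == "__main__":
    for flow, notes in analyse(LEGIT + TTL_CHANNEL + ID_CHANNEL).items():
        print(flow, notes)
```

The same checks run unchanged over real captures once the packets are read from a pcap, but an encrypted carrier (as the article proposes for the ID and ICMP channels) defeats the printable-text test, leaving only the TTL and sequence-ordering checks.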


/ TCP ACK Field
The point to note for the TCP ACK Field is that, in order to successfully see the correct ACK number, the 'Relative sequence numbers and window scaling' option must be unchecked in the TCP Preferences menu of Wireshark.

/ TCP Sequence Number (Experimental)
As TCP is one of the most commonly occurring protocols on most networks, it would seem to be the best carrier of covert information. One form of covert channel within the TCP header (Figure 2) has already been discussed in Section 4.4, TCP ACK Field. For a second covert channel in the TCP header, it has been proposed that the sequence number be used. Being a 32-bit field, it offers considerable space per packet for information, very much like the ACK number field, which is the same length. The valuable feature of using the sequence number is that the packet can be crafted to resemble a SYN packet, which is always the first packet in the TCP handshake, and so would appear benign to most network sniffers and intrusion detection systems. Again, to be able to see the information in Wireshark, the TCP preferences must be set so that 'relative sequence numbers' are unchecked.

In the next article in this series we will take a look at the testing of the various covert channels and measure their effectiveness. /

REFERENCES
Radhakrishnan, R., Shanmugasundaram, K. & Memon, N., 2002. Data Masking: A Secure-Covert Channel Paradigm. In Workshop on Multimedia Signal Processing, 2002. IEEE.
Kemmerer, 1991. Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels. Transactions on Software Engineering, 17(11), pp.1166-85.
Tumoian, E. & Anikeev, M., 2005. Network Based Detection of Passive Covert Channels in TCP/IP. In Conference on Local Computer Networks 30th Anniversary, 2005. IEEE.
Son, S.H., Mukkamala, R. & David, R., 2000. Integrating Security and Real-Time Requirements Using Covert Channel Capacity. Transactions on Knowledge and Data Engineering, 12(6), pp.865-79.
Melliar-Smith, P.M. & Moser, L.E., 1991. Protection Against Covert Storage and Timing Channels. In Computer Security Foundations Workshop IV. Franconia, NH, 1991. IEEE.
Zander, S., Branch, P. & Armitage, G., 2007. Error Probability Analysis of IP Time To Live Covert Channels. In International Symposium on Communications and Information Technologies, 2007. IEEE.
Millen, J., 1999. 20 Years of Covert Channel Modelling and Analysis. In IEEE Symposium on Security and Privacy, 1999. IEEE.
Giani, A., Berk, V.H. & Cybenko, G.V., 2006. Data Exfiltration and Covert Channels. In Proceedings of the SPIE Sensors, and Command, Control, Communications, and Intelligence Technologies for Homeland Security and Homeland Defense V, 2006.
Luo, X., Chan, E.W.W. & Chang, R.K.C., 2008. TCP Covert Timing Channels: Design and Detection. In International Conference on Dependable Systems & Networks. Alaska, 2008.

/ Author Bio
Responsible for developing and delivering the IAS technical portfolio, Matthew is a fully trained and experienced crime scene investigator. He holds a Bachelor's degree in Forensic Science (University of Lincoln) and a Master's degree in Forensic Computing (De Montfort University).



/ NEXT ISSUE

COMING SOON…
A roundup of features and articles for Issue 12…

Continuing our aim of bringing you new and interesting articles from the world of Digital Forensics, Issue 12 is shaping up to be another good mix of research and practical advice. Here is just a taste of some of the articles being looked at for the next issue of Digital Forensics Magazine.

/ Security analysis and data recovery in DPAPI


In this article Julie Wunder analyses the operation of DPAPI, looking at the undocumented structures and encryption algorithms of DPAPI, with a view to understanding and describing the internal functioning of the system.

/ What’s so ethical about hacking?


In this article David Hewitt takes a look at the definition of 'ethical hacking' and discusses whether it is appropriate or confusing. David also gives an overview of the history of pen testing/hacking and what its place is in today's industry.

/ Database Specific Forensics


In this article David Litchfield looks at the collection, collation and analysis of evidence from a compromised Oracle database server, showing how the what, how and why of a breach can be established and how the time and cost of a breach investigation can both be dramatically reduced using a particular framework and tool.

/ Ontology Aided Searching for Automated Evidence Retrieval

Graeme Horsman takes a look at the proposal for the use of web crawling and ontological structures to automatically generate knowledge of a suspected offence that can query binary data stored within suspected files and decide which data is evidential.

/ Mobile Malware

Jaime Blasco takes a look at how malware on smartphones is used by criminals to make money; they steal information, contact details, emails, personal data or even financial information; they hijack browser sessions, interfering with online banking transactions and circumventing one time password (OTP) security procedures.

NEXT ISSUE PUBLISHED AUGUST 2012

Note: DFMag may change the planned content of future issues without notice.

/ Intellectual Property Theft


David Nides shares his list of potential IP theft methods, which he felt might be useful to the wider digital forensics community.

PLUS
All of our usual features: Apple Autopsy, 360, IRQ,
Robservations and Legal news & alerts.



/ COURSE WRITE-UP

DOCUMENT FORENSICS
– A STUDENT VIEW
Documents are the life-blood of business, regardless of what your case might be; I defy you to
find a computer that doesn’t contain a document. There is, though, a dearth of material available
on this level of analysis – but one need not fret any longer – the Document Analysis course from
De Montfort University will allow you to grpl with sprms within OLE2 files with no fear of failure!
In this short article we cover a few of the starting details that you’ll come across in the course,
but, consider it but a taster from a student perspective. To master this subject is a long journey;
of which this course is not only a first step, but also a constant companion on the journey of one
who is holding a map…

Word processing is the function that took the computer from the specialist business tool to the mainstream. Prior to that it was a tool that, with a great deal of success, replaced mathematical tools, calculators and log tables; after that it found its way into all aspects of business, academia and art. With such success came the opportunity to use it for nefarious purposes.

Documents underpin our society; they enshrine our records, our plans and our contracts. George Orwell pointed this out in "1984" with the Ministry of Truth; "our control over documents and what they say allows us to rewrite history and the future".

It turns out, however, that this isn't entirely true; documents created on computers themselves contain a history, and, like a historian, we can piece together the truth of history, what actually happened, if we just dig under the surface.

For a long time there was little (nothing!) available in the way of training on the subject of document forensics; it was a black art at best. Microsoft didn't publish the details of the Word document formats, and what did exist was not comprehensible by any normal human reader, as it was so laden with acronyms and specific technical terms that it sounded more like a foreign language than anything else.

We are now, however, blessed; this translation work has been carried out for us, and is available (at a more than reasonable price!) through the "Binary Analysis of Microsoft Office Documents" course in the Cyber Security Centre of De Montfort University, Leicester.

This master's degree course, taught by Professors Sammes and Jenkinson (formerly of Cranfield, and of a certain degree of notoriety in the field in general), is focused on the most common, but hardest to decipher, OLE2 container for Microsoft Office documents. In this case a document is anything produced by the Office suite, so Excel, Word, PowerPoint etc., from Word Version 6.0 onwards (although the latest versions support the newer XML formats, many are still producing OLE2 for compatibility across IT environments). The OLE2 file format is, essentially, a file system in its own right, with multiple FATs and internal "files" that contain the content, format and metadata. Being a filesystem, we see the traditional things that we love in forensics: slack space and deleted "files". Once the structure has been decomposed, the process of decoding the data begins, and that includes the author details, dates and times, versions of operating system and software and much more. The course, as is characteristic of Professors Sammes and Jenkinson, is delivered with humour, panache and, possibly of most value, with a real-world experience and relevance that clearly makes this a course by practitioners for practitioners.

The whole course (four days of lectures and practicals with an exam on the fifth day) is accompanied by a colour copy of all slides, examples and supporting documentation. In this course it was bound as a book; future courses are likely to have it ring bound, and you are allowed to refer to it in the exam. The days are long, even for those who are familiar with the "week full" style of distance learning, running from 9am till 6pm with occasional coffee and lunch breaks, and there is a lot of information that you need to absorb in that time. Coursework to make the course a module towards an MSc is also available, although you can just take it as a short course should you need the knowledge but not the degree. The overall facilities are excellent; De Montfort has equipped both the student lab and the research and casework facilities to a very high standard, and the remainder of the University is equally impressive, with catering and student support facilities to rival any other institution. /





/ FEATURE

CYBER CHAMPIONS –
MAKING A DIFFERENCE
ACROSS GENERATIONS
'If we are to truly maximise the potential of the digital economy and the benefits it can bring to all sections of society, we must ensure that children and young people are confident and empowered to access, use and create digital media'
by Anu Khurmi
/ ENTRY

In an increasingly digitalised world it is crucial to ensure that best practice in online safety awareness is promoted early in younger generations. The Cyber agenda is dramatically changing our world today and for all time, as social media tools such as webcams and smartphones become increasingly pervasive and invasive in our everyday lives.

It is imperative therefore that our children grow up understanding how to exploit social media tools and tap into the power of the digital world without compromising their personal exposure, security and well-being. Speaking at a recent Cyber Champions recognition event, City of London Police Commissioner Adrian Leppard observed, "The challenge with Cyber is that young people are already ahead of the game. We need to do all we can while they are still young to ensure they are able to look out for themselves and be safe in the online world." So who better to promote this message to future generations than the digitally savvy young professionals of today who are volunteering their time as Cyber Champions.

Cyber Champions is an exciting Corporate Social Responsibility (CSR) initiative mobilising young professional volunteers from across the industry to deliver online safety awareness workshops to schools and youth organisations in their local communities. Since launching at the House of Commons in June last year, Cyber Champions have visited schools and delivered e-safety awareness workshops to over 2,500 students across the UK and the numbers are continuing to grow.

The key messaging in the hour-long workshop is based on best practice and collateral from relevant sources including CEOP and Get Safe Online, and the lesson plan is highly interactive. Feedback from pupils and teachers alike has been overwhelmingly positive. Cyber Champions Giselle Frederick of Credit Suisse and Sophie Bialaszewski from Templar Executives speak enthusiastically about their experiences with schools in Tower Hamlets. Giselle explains, 'Working with young people and helping show them how technology works is close to my heart, so the moment I heard about the Cyber Champions initiative I was keen to join. We have had tremendous feedback from teachers and students.' Jean Claude, Head of ICT at George Green School, endorsed this. "Teachers telling pupils about the issues is good, but when professionals like Giselle and Sophie come in and give the same messages that makes a fantastic impact," he said.

NEW TECHNOLOGIES ARE CENTRAL TO MODERN LIFE AND PROVIDE A POWERFUL SUPPORT FOR LEARNING, BUT THEY CAN ALSO PRESENT A RISK FOR YOUNG PEOPLE IF THEY ARE NOT TAUGHT HOW TO USE THEM SAFELY

As well as having a unique ability to communicate and connect with the younger generation, Cyber Champions are also great business and IT role models. Stakeholders including organisations such as Child Exploitation & Online Protection (CEOP), City of London Police, Beat Bullying and Get Safe Online are unanimous in their praise of the young professionals who volunteer their time and take part. Chairman of the Parliamentary Internet, Communications and Technology Forum (PICTFOR), Alun Michael MP, highlights the initiative as "a superb example of the importance of older children acting as role models for the next younger generation". Nick Gargan, CEO of the National Policing Improvement Agency, states, "It is absolutely right that we and the Association of Chief Police Officers should be supporting this initiative. The focus on schools is particularly appropriate and the engagement with young professionals is beneficial to us all, including the police, who are facing new and different challenges created by the explosion of social media."


In turn, participating in Cyber Champions is an excellent way for young professionals to raise their profile, expand their network and enhance their interpersonal skills. There is also the opportunity to be mentored and supported by Cyber Guardians, senior leaders in industry or subject matter experts in security. Andrew Fitzmaurice, Founder and CEO of security firm Templar Executives, is passionate about the importance of those from business and in positions of expertise mentoring young professionals and becoming Cyber Guardians: "It is our role to ensure the digital footprint of young people is a positive one and that they are aware of not only the great power of technology, but also how to use it safely."

Being a Cyber Champion is incredibly rewarding. The children want to learn online safety, and they need to learn it; it is absolutely vital, and teaching it helps both them and the Cyber Champion to grow stronger as a person. Many volunteers agree that being part of Cyber Champions is an extraordinary experience: not only do they personally take on board the lessons taught and improve their own public speaking, but it introduces them to people from all walks of life they wouldn't ordinarily meet. As young IT professionals they find it rewarding to be able to share experiences in online safety and safe browsing practices. Jack Mayor, entrepreneurship student at Lancaster University, commented that 'collaborating with other like-minded young professionals for Cyber Champions is incredibly empowering and contributes to the protection of children online, a very worthwhile cause'. Jayesh Bhadresha and Elliot Greene, IT interns at IBM, agreed, "Cyber Champions is one of the most fulfilling activities that we have been involved in. Your time and effort has a direct impact on the future and safety of the next generation; being able to see such a visible difference is one of the most rewarding facets of being a Cyber Champion".

The initiative is continuing to attract support from parliamentarians, public and private sector organisations, universities and schools. Jacqueline de Rojas, Vice President of McAfee International, says, "The internet opens our children to new opportunities and risks. We are really pleased to be part of this fantastic programme that is harnessing the power of volunteers to help children and young people get safe online." Stephen Kingan, Managing Director of Nexor, whose young professionals have been mentoring in local schools in Nottingham, explains, 'Whilst it is critical to educate kids to make sure they are safe online, it is also important for graduates to work in the community and develop themselves; becoming Cyber Champions gives them this opportunity.' De Montfort, Lancaster and Royal Holloway are some of the first UK universities to sign up as Campus Cyber Champions.

Cyber Champions is run on an entirely voluntary basis and its success has everything to do with the enthusiasm, calibre and commitment of the professionals and organisations involved. A growing number of major employers and SMEs value it as part of both their Corporate Social Responsibility and their Professional Development programmes, and the initiative has captured the hearts and minds of all those who participate. EURIM Vice Chair Anu Khurmi sums up, "The momentum and positive impact created by Cyber Champions in such a short timescale has been phenomenal, but it's just the start and there is so much more to do. Teaching children best practice in e-safety early is also about skilling up the future workforce and creating empowered users in the online world".

The team is calling for organisations and professionals to get involved through volunteering or sponsorship. If you or your organisation are inspired by this initiative and want to make a difference as a Cyber Champion or a Cyber Guardian, contact us now at cyberchampions@ypnglobal.com /

72 Digital / ForensicS

DF11_71-72_Cyber Champions.indd 72 25/04/2012 13:44



BACK ISSUES
[Cover images of Issues 7 to 10. Cover stories: Genetic Algorithms & Digital Forensics (Tim Watson looks at the way that genetic algorithms can be used in forensic tools), Issue 7, May 2011; Latent Semantic Indexing (Dr Michael R Taylor explains why conceptual search is vital in the analysis of large multi lingual data sets), Issue 8, August 2011; Big Brother Forensics (Chad Tilbury takes a look at the rise of Geo Location data and how geo-artifacts can add a crucial dimension to investigations), Issue 9, November 2011; Cracking Android Patterns, PINs & Passwords (how Android implements its lock screens, plus techniques for circumventing and cracking them), Issue 10, February 2012]

Issue 7, May 2011
/ Genetic Algorithms & Digital Forensics
/ File Integrity Monitoring
/ Imaging 1000 Drives
/ Cell Site Analysis
/ Imaging a MacBook Air
/ Detecting Commercial Grade Spyware
/ Advanced Cyber Probes
/ CelleBrite Physical Analyser V2.0

Issue 8, August 2011
/ Latent Semantic Indexing
/ Hacking the Cloud
/ Biometrics & Forensics
/ e-Discovery and the Mac
/ Video & Image Forensics
/ Criminal Profiling
/ File Integrity
/ DF in Sri Lanka
/ Exploring the e-Discovery Process
/ X-Ways Forensics

Issue 9, November 2011
/ Big Brother Forensics
/ Hunting Malware with a (Wire)shark
/ Social Network Monitoring
/ Geo Tagging the Mac
/ Cryptanalysis Using Distributed Systems
/ Digital Archiving and Data Recovery
/ Deep Packet Inspection
/ X-Ways Forensics, part 2

Issue 10, February 2012
/ Cracking Android Patterns, Pins & Passwords
/ Mobile Phone Forensic Challenges
/ Traceback
/ iPhone 4S & iOS 5
/ Forensic Analysis on a Windows Mobile
/ The Exabyte Challenge
/ Legal Hurdles in Mobile Device Forensics

ORDER ONLINE
www.digitalforensicsmagazine.com



/ FEATURE

STEGANOGRAPHY
SECURITY CONTROLS
New NIST controls address covert information exfiltration and malware infiltration.
by James E. Wingate

/ INTERMEDIATE

The latest revision to the master catalogue of security controls for US federal government agencies, released by the National Institute of Standards and Technology (NIST) on February 28, 2012, includes, for the first time, explicit references to steganography.

NIST Special Publication 800-53 (SP800-53), Revision 4 (Initial Public Draft) [1] includes control enhancements for two security controls and supplemental guidance in another security control that reference the use of steganography to infiltrate malicious code or exfiltrate sensitive information. All three sit in the Security Control Catalogue at Appendix F.

Release of this revision marks the second "Red Letter" day for raising awareness and perception of the threat from use of digital steganography for nefarious purposes. The first was April 17, 2006, when the National Science and Technology Council released the Federal Plan for Cyber Security and Information Assurance Research and Development. The Plan is notable for being the first unclassified US federal government document that explicitly stated that steganography posed a threat that had been "documented in numerous intelligence reports." [2]

Beyond addressing the emerging threat of digital steganography, this revision to the master security control catalogue represents the continuing evolution and refinement of a converged federal information security framework by making the following major changes:

• New security controls and control enhancements;
• Clarification of security control requirements and specification language;
• New tailoring guidance including the introduction of overlays;
• Additional supplemental guidance for security controls and enhancements;
• New privacy controls and implementation guidance;
• Updated security control baselines;
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.

/ Background
Revision 4 of SP800-53 is the result of a year-long project to update the security controls catalogue along with the guidance for choosing security controls for federal agencies and the information systems they own and operate to perform their mission.

The project was conducted in cooperation and collaboration with the Department of Defense, the Department of Homeland Security, the Intelligence Community led by the Office of the Director for National Intelligence (ODNI), and the Committee on National Security Systems (CNSS) under the Joint Task Force Transformation Initiative (JTFTI), which was established in 2006.

The JTFTI Interagency Working Group was established in April 2009 with the objective of creating a unified information security framework for use throughout the federal government. Historically, there have been multiple policies, publications, and processes for risk management and systems security for national security systems and non-national security systems. Naturally, this resulted in much duplication of effort and sub-optimal security across the many and varied agencies of the federal government.

/ QUOTE
"The potential for trusted US Government and contractor insiders using their authorized access to personnel, facilities, information, equipment, networks or information systems in order to cause great harm is becoming an increasingly serious threat to national security [3]."
LTG Ronald L. Burgess, Director, DIA

To put the new steganography controls in proper context as an aid to understanding, it will be helpful to have a bigger picture of the general structure of the security controls.

/ Security Control Structure
Security controls listed in SP800-53 are organized into 18 families, each identified by a two-character identifier. The security control identifiers and family names are listed in Table 1.

Individual controls within the families are numbered sequentially beginning with 1. For example, the third control in the Configuration Management family would be identified as CM-3.

Without delving too deeply into the nuances of the security control structure, suffice it to say that each control contains:



ID  Family
AC  Access Control
AT  Awareness & Training
AU  Audit & Accountability
CA  Security Assessment & Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification & Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical & Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System & Services Acquisition
SC  System & Communications Protection
SI  System & Information Integrity
PM  Program Management

Table 1. Security Control Identifiers and Family Names

• A Control section that describes specific security-related activities to be carried out by organizations or information systems;
• A Supplemental Guidance section that provides additional information related to a specific security control; and
• A Control Enhancements section that provides statements of security capability to add functionality/specificity to a control and/or to increase the strength of a control
– This section may also contain a Supplemental Guidance section

/ The Steganography Controls
The Security Control Catalogue in Revision 4 to NIST SP800-53 references steganography in three separate security controls as follows:

• SC – System and Communications Protection
– SC-7: Boundary Protection
• SI – System and Information Integrity
– SI-3: Malicious Code Protection
– SI-4: Information System Monitoring

These controls are graphically illustrated in Figure 1.

/ Steganography Control Details
To ensure accuracy, much of the information below is taken directly from SP800-53.

SC-7 Boundary Protection
This control specifies the information system does the following:

• Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
• Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organization security architecture

The specific reference to steganography is contained in the Supplemental Guidance to Control Enhancement #10:

(10) Boundary Protection/Unauthorized Exfiltration
The organization prevents the unauthorized exfiltration of information across managed interfaces.

The Supplemental Guidance provides the following examples of safeguards implemented by organizations to prevent unauthorized exfiltration of information:

• Strict adherence to protocol formats
• Monitoring for beaconing from information systems
• Monitoring for steganography
• Disconnecting external network interfaces except when explicitly needed
• Disassembling and reassembling packet headers
• Employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations

SI-3 Malicious Code Protection
This control specifies the organization does the following:

A. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computer devices on the network to detect and eradicate malicious code:
• Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
• Inserted through the exploitation of information system vulnerabilities
B. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;



Figure 1. Steganography Controls in NIST SP800-53 Revision 4

C. Configures malicious code protection mechanisms to:
• Perform periodic scans of the information system at a frequency defined by the organization and real-time scans of files from external sources at endpoints and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organization security policy; and
• Block malicious code, quarantine malicious code, or send alerts to an administrator in response to malicious code detections; and
D. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The specific reference to steganography is in the Supplemental Guidance, which states the following types of malicious code can be hidden in files using steganography:

• Viruses
• Worms
• Trojan horses
• Spyware

/ Q&A
Does inclusion of the steganography controls in the security control catalogue mean that every agency must deploy a solution to detect steganography?
Yes. SI-3 is required to be implemented for all three control baselines: low impact, moderate impact, and high impact systems. However, the control enhancements for SC-7 and SI-4 aren't required to be implemented for any of the control baselines.

SI-4 Information System Monitoring
This control specifies the organization does the following:

A. Monitors the information system to detect attacks and indicators of potential attacks in accordance with the monitoring objectives defined by the organization;
B. Identifies unauthorized use of the information system;
C. Deploys monitoring devices strategically within the information system to collect organization-determined essential information, and at ad hoc locations within the system to track specific types of transactions of interest to the organization;



D. Heightens the level of information system monitoring whenever there is an indication of increased risk to an organization's operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
E. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

The specific reference to steganography is in the Supplemental Guidance to Control Enhancement #18:

(18) Information System Monitoring | Analyze Traffic/Covert Exfiltration
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at other organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.

The Supplemental Guidance states that steganography is an example of covert means that can be used for the unauthorized exfiltration of organization information.

/ Significance of New Steganography Controls
Including steganography controls in Revision 4 of the security controls catalogue is significant. It means perception of the threat from insider use of steganography to steal sensitive information has finally increased to the point where the authors of SP800-53, senior leaders and working group members of the JTFTI, believed it was appropriate to include controls to detect use of digital steganography.

Given the increased threat perception, it is reasonable to presume the steganography controls will eventually filter down into various cyber security control sets such as those published by the Federal Financial Institutions Examination Council (FFIEC) [4] for protecting financial institution networks and the North American Electric Reliability Corporation (NERC) [5] for providing critical infrastructure protection.

/ Conclusion
Insider use of digital steganography to exfiltrate sensitive or classified information, and hacker use of digital steganography to covertly distribute or implant malware capable of covertly exfiltrating information, is a growing threat.

One need look no further than the Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, released by the Office of the National Counterintelligence Executive in October 2011, to grasp the magnitude of the threat from "malicious actors, whether they are corrupted insiders or foreign intelligence services, to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect." [6] Digital steganography applications are perfect tools for doing just that.

NIST has addressed this threat by including three controls in the security control catalogue, and government agencies and private sector organizations that fail to implement the controls do so at their peril. /

REFERENCES
1. NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Initial Public Draft, February 2012, http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204
2. Federal Plan for Cyber Security and Information Assurance Research and Development, National Science and Technology Council, Report by the Interagency Working Group on Cyber Security and Information Assurance, April 2006
3. Burgess, Ronald L. Jr., Lieutenant General, USA, Director, Defense Intelligence Agency, Annual Threat Assessment, Statement Before the Senate Armed Services Committee, United States Senate, February 16, 2012, http://www.dia.mil/public-affairs/testimonies/2012-02-16.html
4. Federal Financial Institutions Examination Council Information Security Handbook, July 2006, http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
5. North American Electric Reliability Corporation (NERC) Standards: Reliability Standards, Critical Infrastructure Protection (CIP), http://www.nerc.com/page.php?cid=2%7C20
6. Foreign Spies Stealing US Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, Office of the National Counterintelligence Executive, October 2011, http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

/ Author Bio
James E. Wingate, CISSP-ISSEP, CISM, CHP, CHSS, is Director of the Steganography Analysis and Research Center (SARC) and Vice President of Backbone Security. He is leading efforts to develop state-of-the-art digital steganalysis tools for use by digital forensics examiners and network security personnel in the public and private sectors. He is a member of HTCC and HTCIA and regularly gives presentations on the use of digital steganography to conceal evidence of criminal activity at major conferences across the United States. He retired from the US Air Force after more than 24 years of service as a Communications and Information officer. He holds a B.S. in Computer Science from Louisiana Tech University, Ruston, Louisiana, and an M.S. in Computer Engineering from the University of South Florida, Tampa, Florida.
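The SC-7(10) safeguard "monitoring for steganography" and the SI-4(18) requirement to analyse outbound traffic for covert exfiltration both presuppose that a detector exists, and the article does not say what one looks like in practice. The Python program below is an added example written for this page; it is not code from the article, from NIST or from the author's SARC tools. It embeds a constructed payload into the least significant bits of a constructed 8-bit greyscale cover and then runs a pairs-of-values chi-square test (after Westfeld and Pfitzmann) over both the clean cover and the stego image. The cover, the payload, the seed and every function name are assumptions made for the illustration; an operational control would first have to carve the image out of the outbound traffic that SI-4(18) tells you to analyse.

```python
"""Least-significant-bit embedding and a pairs-of-values steganalysis test.

Added example for this page. Everything here is constructed for the
illustration: the cover 'image' is a flat list of 8-bit pixel values, the
payload is pseudo-random bytes standing in for an encrypted document, and
none of the names come from NIST SP800-53 or from any real product.
"""
from __future__ import annotations

import math
import random


def make_cover(n_pixels: int = 4096) -> list[int]:
    """Constructed cover. Values cycle through 0..255; the LSB of four pixels
    in five is forced to 0 so that, within each pair (2k, 2k+1), the even value
    is far more common than the odd one. Real photographs show a milder
    version of this imbalance (assumption made for the example)."""
    cover = []
    for i in range(n_pixels):
        value = (i * 37) % 256
        if i % 5 != 0:
            value &= ~1
        cover.append(value)
    return cover


def lsb_embed(cover: list[int], payload: bytes) -> list[int]:
    """Sequential LSB replacement: payload bit j (MSB first within each
    byte) overwrites the LSB of pixel j."""
    if len(payload) * 8 > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = list(cover)
    for j in range(len(payload) * 8):
        bit = (payload[j // 8] >> (7 - j % 8)) & 1
        stego[j] = (stego[j] & ~1) | bit
    return stego


def lsb_extract(stego: list[int], n_bytes: int) -> bytes:
    """Inverse of lsb_embed: rebuild n_bytes from the pixel LSBs."""
    out = bytearray()
    for b in range(n_bytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (stego[b * 8 + k] & 1)
        out.append(byte)
    return bytes(out)


def chi_square_pov(pixels: list[int]) -> tuple[float, int, float]:
    """Pairs-of-values test (after Westfeld and Pfitzmann).

    Under the hypothesis 'the LSBs were overwritten with uniform bits' the
    expected count of either value in a pair (2k, 2k+1) is half the pair
    total. Summing (observed - expected)^2 / expected over both cells of
    every non-empty pair gives a chi-square with one degree of freedom per
    pair. A clean cover rejects the hypothesis (p near 0); a fully embedded
    stego image does not, so a HIGH p-value is the alarm.
    Returns (chi2, degrees_of_freedom, p_value)."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2 = 0.0
    dof = 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
            dof += 1
    if dof == 0:
        return chi2, dof, float("nan")
    # Upper tail of the chi-square distribution via the Wilson-Hilferty normal
    # approximation; accurate enough for the ~128 degrees of freedom used here.
    mean = 1.0 - 2.0 / (9.0 * dof)
    sd = math.sqrt(2.0 / (9.0 * dof))
    z = ((chi2 / dof) ** (1.0 / 3.0) - mean) / sd
    p_value = 0.5 * math.erfc(z / math.sqrt(2.0))
    return chi2, dof, p_value


def demo(seed: int = 2012) -> dict:
    """Embed a full-capacity pseudo-random payload and test both images."""
    cover = make_cover()
    rng = random.Random(seed)  # constructed payload, stands in for ciphertext
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    stego = lsb_embed(cover, payload)
    chi_c, dof, p_c = chi_square_pov(cover)
    chi_s, _, p_s = chi_square_pov(stego)
    return {
        "recovered": lsb_extract(stego, len(payload)) == payload,
        "dof": dof,
        "cover": (chi_c, p_c),
        "stego": (chi_s, p_s),
    }


if __name__ == "__main__":
    r = demo()
    print(f"payload recovered intact : {r['recovered']}")
    print(f"clean cover : chi2 = {r['cover'][0]:8.1f}  p = {r['cover'][1]:.3g}  (dof {r['dof']})")
    print(f"stego image : chi2 = {r['stego'][0]:8.1f}  p = {r['stego'][1]:.3g}")
```

Run as written, the clean cover reports a chi-square in the low thousands with a p-value of effectively zero, while the stego image reports a chi-square close to its 128 degrees of freedom and a p-value well above any conventional threshold: with LSB replacement it is the high p-value that is suspicious, because a near-uniform payload equalises the two values of every pair. Two caveats carry over to a real deployment. The test only reacts to sequential LSB replacement that fills most of the cover; a sparse or pseudo-randomly scattered embedding, or LSB matching, leaves the pair counts largely alone. And the constructed cover exaggerates the pair imbalance of a real photograph, so any threshold has to be calibrated against the organisation's own population of clean images before it is wired into an SC-7 or SI-4 monitoring point.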

BOOK REVIEWERS
New initiative for practitioners to review books on digital forensics subjects.

We recently announced a new initiative to improve the book review section and, as ever, you have responded magnificently to the call. Members of the DFM LinkedIn group, followers of @dfmag on Twitter and readers of the monthly newsletter were all notified of the new initiative and, if interested, asked to contact 360@digitalforensicsmagazine.com providing their CV and photograph.

The aim is to establish a sub-group on LinkedIn for the book reviewers to facilitate discussion on books, as well as posting the reviews via the various outlets at our disposal including the Blog, LinkedIn and of course the magazine review section.

The CV is to ensure that the reviewer has the relevant background and experience to review technical details, and the photograph is to create a "rogues' gallery" of our reviewers on the website. We have had requests from some reviewers not to provide photographs and not to be included and we will, of course, respect their wishes.

If you would like to get involved and become a book reviewer, send your CV and photo to 360@digitalforensicsmagazine.com. Use the subject line "Book Reviewer" and make sure you indicate if you are happy to be included in the reviewers' gallery.

The following are some of those who have already joined:

/ Debbie Garside (UK)
Debbie is currently studying for a PhD (ABD) in Human Visual Perception in Cyber Security and is a visiting research fellow for the University of Wales. In addition to her academic work Debbie is an advisor to industry and Government.

/ Jon Fowler (USA)
Jonathan is the Director of Forensics at First Advantage Litigation Consulting in Washington DC. As a practising forensicator he is also qualified as an expert witness.

/ Jacson RC Silva (Brazil)
Having attained BSc and MSc degrees in computer science, Jacson is a developer of the Linux distribution "Vix". When he is not developing he is educating others and doing his full time job of network administration.

/ Chara Makri (Greece)
Following an undergraduate degree in computer science, Chara obtained an MSc in Forensic Information Technology. Chara currently works for RIM on the BlackBerry PlayBook.

Title | Author | ISBN | Publisher
The Basics of Digital Forensics | John Sammons | 978-1-59749-661-2 | Syngress
Windows Forensic Analysis Toolkit | Harlan Carvey | 978-1-59749-727-5 | Syngress
Penetration Testers Open Source Toolkit | Jeremy Faircloth | 978-1-59749-627-8 | Syngress
Low Tech Hacking | Jack Wiles et al | 978-1-59749-665-0 | Syngress
Windows Registry Forensics | Harlan Carvey | 978-1-59749-580-6 | Syngress
Digital Forensics with Open Source Tools | Cory Altheide et al | 978-1-59749-586-8 | Syngress
Industrial Network Security | Eric D Knapp | 978-1-59749-645-2 | Syngress
Securing The Cloud | Vic (J.R.) Winkler | 978-1-59749-592-9 | Syngress
Security Risk Management | Evan Wheeler | 978-1-59749-615-5 | Syngress
iPhone & iOS Forensics | Andrew Hoog et al | 978-1-59749-659-9 | Syngress
Android Forensics | Andrew Hoog | 978-1-59749-651-3 | Syngress
The Basics of Hacking & Pen Testing | Patrick Engebretson | 978-1-59749-655-1 | Syngress
Coding for Pen Testers | Jason Andress et al | 978-1-59749-729-9 | Syngress
Digital Forensics for Legal Professionals | Larry E Daniel et al | 978-1-59749-643-8 | Syngress
The Basics of Information Security | Jason Andress | 978-1-59749-653-7 | Syngress
Digital Evidence & Computer Crime | Eoghan Casey | 978-0-12-374268-1 | Academic Press
Distributed & Cloud Computing | Kai Hwang et al | 978-0-12-385880-1 | Morgan Kaufmann
Private Cloud Computing | Stephen R. Smoot et al | 978-0-12-384919-9 | Morgan Kaufmann
Migrating to the Cloud | Tom Laszewski | 978-1-59749-647-6 | Syngress
Moving to the Cloud | Dinkar Sitaram | 978-1-59749-725-1 | Syngress

A small example of current titles being reviewed



/ BOOK REVIEWS

BOOK REVIEWS
The Basics of Digital Forensics

Author: John Sammons
Publisher: Syngress
Date of Publication: 9th March 2012
Price: £18.99 (UK), $29.95 (USA)
ISBN: 978-1597496612
Reviewer: Willem Knot
Verdict:

If you're just starting out in the industry of Digital Forensics, and want a basic overview of the industry, including an introduction to beginner tools and techniques, then this is the perfect book for you.

Sammons starts at the very beginning with a brief introduction to Forensic Science as a whole, before concentrating on an introduction to what is meant by 'Digital Forensics'. In the introductory chapter, Sammons also brings the reader 'up to speed' on Locard's Principle of Exchange, The Role of the Forensic Examiner and also on various Organisations of note (although this part concentrates mainly on US organisations).

The second chapter in the Beginner's journey, presented by Sammons, introduces the basics about Bits, Bytes and the various numbering schemes, such as Binary and Hexadecimal. The reader is then taken through the ways in which Data is stored in various environments, finishing with the basics of computer functions.

With the basic introduction to computer science out of the way, Sammons then enters the realm of Labs and Tools, explaining how Labs can be operated and providing an insight into the ways in which forensic tools work. Sammons concentrates mainly on AccessData's Forensic Toolkit (FTK) and gives a brief mention of Cellebrite's UFED tool for mobile device analysis.

Throughout the book, Sammons pays good attention to common Forensic practices and the preservation of evidence through an intact chain of custody.

As Sammons approaches the heart of the book, much of the focus falls to analysing Windows artefacts, a move which I consider integral to any beginner's education with the Microsoft products still dominating the Computer market.

For those of you who are outside of the US, a lot of the legislation mentioned and discussed will be of little to no use and I would advise any reader to be fully aware of this before they focus too heavily on the practices laid out in the specified US legal documents such as the Fourth Amendment.

Rather than focus solely on Forensic Analysis of Windows machines, Sammons does describe how to perform Forensic Analysis of web pages, email systems and also Network Forensics, providing the Beginner with a wide understanding of the Digital Forensic industry.

By far the most interesting chapter, and the one that I believe will be most attractive to beginners, is the chapter on Anti-forensics; demonstrating to the reader the various ways in which people will attempt to hide and/or remove any incriminating evidence on their computer devices.

The Basics Of Digital Forensics is certainly one of the shortest Forensics books I have read, but this certainly does not detract from the quality of the information that Sammons presents to the reader. Each chapter is broken down into easy-to-follow sections, with an overall summary at the chapter conclusion.

Having worked in the Digital Forensics industry, it is rare that a book for beginners piques my interest. However, the style of writing and the delivery of the information within this book provide a valuable resource for beginners and a great refresher for those who are reacquainting themselves with the industry. Syngress has provided another top quality publication that should appear on every practitioner's bookshelf.

The Basics of Hacking & Penetration Testing

Author: Patrick Engebretson
Publisher: Syngress
Date of Publication: 1st August 2011
Price: £18.99 (UK), $29.95 (USA)
ISBN: 978-1-59749-655-1
Reviewer: Alan Pimloy
Verdict:

Have you ever wondered what hacking and penetration testing is all about, or are you someone who is thinking of digital forensics as a career and wants to learn more about hackers and how to test networks? Well, this is an entry level book to get you started.

Patrick Engebretson is a product of Dakota State University and is currently an assistant Professor of Information Assurance. He is not only an avid researcher with many peer reviewed and published articles, he is also a senior penetration tester with a security firm, giving him a depth of knowledge and practical experience to call on when writing such a book.

The opening chapter gets right to the heart of the subject by introducing the reader to penetration testing, Backtrack Linux and how to create a hacking lab. Using a simple step by step approach the author has provided an easy to follow and simplified introduction, including reducing pen testing to a simple 4 step process.

The following chapters are each dedicated to one of the four steps of penetration testing, namely Reconnaissance, Scanning, Exploitation and Maintaining Access. Each of the chapters is broken down in such a way that it explains in clear terms what is involved, as well as looking at tools and techniques to be considered by the would-be Pen Tester.

Interspersed throughout each chapter you find hidden gems, often missed in purely technical tomes, such as Social Engineering in the Reconnaissance section and MACOF "Making Chicken Salad out of Chicken Sh*t" in the Exploitation section. The level of technical detail, complete with explanation of the tools and techniques, gives the reader an excellent base knowledge on which to develop their skills.

Each chapter builds on the previous chapter, expanding the understanding and knowledge of the subject, introducing appropriate tools at each stage of the process, and introducing different techniques to try and achieve the aim of each stage. It has to be remembered that this is a book introducing the basics of penetration testing, or as the author calls it "Zero Entry Hacking"; it does not go into depth on every tool.

Whilst not explicitly stated, the book does assume that the reader has knowledge of computers, networking and the command line interface. This is entirely reasonable, as it is unlikely that anyone would be looking into the subject of penetration testing and hacking unless they were already involved in the world of computing and computer security.

As someone who has worked in the computer security industry for the last 20 plus years, it is a rare event when a book keeps my interest going from start to finish and leaves me looking for the next book from the author. If you are interested in the tools and techniques of penetration testing but do not know where to start, then this is the book for you.



/ COLUMN

IRQ
Is Anti-Virus really dead?
by Angus Marshall

So, the government has decided that changing the rules We've seen it time and time again. Once a facility becomes
on interception of communications data might not be available for one reason, someone realises the other possibilities,
such a bad idea after all, has it? In spite of all the fuss and then the system starts to be abused. We’ve already seen
produced when the last government proposed pretty much this with the RIPA system with numerous reports of council staff
exactly the same thing! Interesting. abusing the powers in order to investigate the major crime of
As far as I can see, the two main features of the proposal putting the bins out for collection on the wrong day.
are a change to authorisation mechanisms, to allow the Furthermore, processes such as this are easily bypassed
interception to happen more quickly, and a shift in the by the technically savvy, using encrypted communications,
responsibility for data capture from law enforcement to forwards, disposable addresses, VPNs etc., it will still be
communications service providers. easy to communicate in a way which really isn’t amenable
To some extent, I can understand and almost agree with to any form of interception. Even with the powers proposed,
the first reason. Under the RIPA rules, authorisation for the truly serious threats to national security may still remain
interception of data about communications (NOT content) un-investigable because the best that can be achieved is the
requires sign-off by a senior officer; something that can take a knowledge that someone, somewhere may or may not be
significant amount of time to achieve. Where lives might be at communicating in some way with someone who may or may
stake, delays in authorisation could be critical. not be of interest. Public concern about less well-regulated
interception will lead to an increase in the use of these
technologies by innocent, but concerned, users. That will
DATA CAPTURE SYSTEMS create a new problem; more noise from which the important
WOULD NEED TO BE messages still need to be extracted.
It’s not exactly a new problem. The government should,
PERMANENTLY ENABLED perhaps, look at what has happened in businesses where
employee contracts explicitly permit interception of
It might be useful, though to consider the reasons for the communications on the business network, without warning.
delays rather than introducing shortcuts. It takes time to get Employees either stop communicating as effectively, or find
authorisation because a) senior officers are pretty busy and can alternative channels to use (e.g. smartphones), resulting in a
be hard to pin down and b) authorising an intercept can have new headache for the business; the possibility that business
serious repercussions in the longer term; naturally, anyone asked communications are happening by inappropriate channels,
to make a decision has to be persuaded that it’s necessary and leaving them liable but unable to effectively monitor the
not going to come back to haunt them in the future. As a result, communications and with a far less supportive workforce.
I have a reasonable degree of confidence that most of these Nobody likes to feel that they could be under observation
intercepts are only approved when a good case has been made. any time, all the time. /
I’m also aware that authority can be (and is) withdrawn if the
supporting argument weakens. Under the new proposal, it seems
that this element of personal responsibility, which causes a / Author Bio
“pause for thought” for each application, may disappear. Angus Marshall is an independent digital
More worrying, for me at least, is the proposal that CSPs should forensics practitioner, author and researcher,
currently working on the ‘fitness for purpose’
be responsible for carrying out the interception and monitoring challenge. In a past life he was an academic
in real time. Effectively this means that, in order to avoid delays, course leader in Digital Forensics and Forensic
data capture systems would need to be permanently enabled and Computing and still retains strong links with
academia, professional bodies and regulators.
details filtered on demand. Where’s the problem? He can be contacted through his company,
Simply, there are two inherent problems: scope creep and n-gate ltd. (http://www.n-gate.net).
technical anti-intercept methods.