Tuesday, January 02, 2001
Ronald L. Mendell (ronmen9938@britannica.com) for
SecurityPortal
Computer crime investigators come from differing
backgrounds. In the private sector a wide range of certifications exist: CISSP,
MCSE, Internet Security Specialist, Computer Forensics Specialist, and the like.
Developing a common body of knowledge is often a response to the particular
examination program one wishes to pass through. Yet, professional practice often
dictates the areas of an investigator's expertise. Those with an emphasis on
forensic issues (such as police investigators) may concentrate on techniques
pertaining to "black" or illegal email, illegal pornography, and
common-law crimes committed using a computer. Those with an emphasis on security
issues may deal with technologies related to combating hacking, denial of
service (DoS), intrusion, and business espionage.
What I've tried to do is devise a summary of
basic, practical knowledge, "tricks," if you like, that should
interest all computer crime investigators. While they may not be the final word
in preparing for an examination, these techniques will provide some insight into
the ways and means of computer criminals. I hope to get you into the spirit of
the hunt. Learning to think how a criminal looks at twisting, altering, hiding,
and diverting information will definitely make the game more interesting. This
is a pathfinder, a starting point to discovering other resources.
Part One will cover:
Part Two continues with:
Part Three will discuss:
Part Four concludes with:
Those who grew up in the IT field with
MS-DOS found Unix and scripting not all that cryptic. Knowing command line
instructions gives one a backstage pass to what's happening behind the GUI.
Understanding how to examine a computer using MS-DOS with Windows 95 and 98
gives an investigator a firm foundation for other tricks of the trade. When
users get cute with trying to hide information, MS-DOS can uncover the hidden
structure. So, forget any notion that MS-DOS is dead; it will be a valuable
forensic tool for some time to come.
Before we go into the specifics of DOS tricks,
keep in mind that any time you examine a computer you run the risk of changing
the evidence. These articles will not give you enough knowledge to make you a
certified computer forensics expert. Accordingly, in a sensitive, crucial case a
bitstream backup copy of the hard drive and possibly a memory dump of the RAM
need to be done by a qualified specialist prior to examination. Copies of
floppies need to be done with DOS Diskcopy (version 6.22) with the /v switch turned
on. The rule needs to be "preserve and then examine." Chain of custody
issues also become a problem if the copy is not properly hashed and then
digitally signed.
Users may try to hide files by using extended
ASCII characters in the file name. "Find" searches for
"Joes_2000_files" may not pull up "Joe£_2000_files." The
Alt key depressed while entering the character number on the numeric pad
generates these characters. For example, Alt + 241 is "±." Alt + 156
is "£." Having an ASCII chart is vital to figuring out which key
sequence will produce nonstandard characters not found on the keyboard. Most
MS-DOS manuals and Dan Gookin's DOS Secrets will have the chart. On the Web you
can find a chart at http://www.jimprice.com/ascii-128-255.gif
for the extended set. For a general discussion of ASCII try http://www.jimprice.com/jim-asc.htm.
To locate these files, make sure your "Find" utility has good parsing
capability (finding "Joe" no matter the adjacent characters). Or,
consider searching using a specialized "regular expression" engine
described in http://www.sans.org/infosecFAQ/cracking.htm
(see "Passwords").
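As an added illustration (not from the original article), the following Python snippet runs the searches described above over a constructed directory listing: an exact name match of the kind a plain "Find" does, a tolerant pattern match on the parts of the name the investigator is sure of, and a pass that flags every name containing a character that cannot be typed from the keyboard, reporting the Alt code (code page 437) that produces it. The listing and the helper names are constructed for this example.

```python
import re

# Constructed directory listing. "Joe£_2000_files" replaces the "s" with £ (Alt+156)
# and "Jo±_2000_files" replaces the "e" with ± (Alt+241), as in the article's examples.
LISTING = [
    "Joes_2000_files",
    "Joe£_2000_files",
    "Jo±_2000_files",
    "Joe_2000_files",
    "budget_2000.xls",
]


def exact_match(listing, name):
    """What a plain "Find" by name does: only the exact spelling comes back."""
    return [entry for entry in listing if entry == name]


def tolerant_match(listing, stem, tail):
    """Match the parts of the name the investigator is sure of, allowing one
    arbitrary character (including a non-keyboard one) between them."""
    pattern = re.compile(re.escape(stem) + r".?" + re.escape(tail))
    return [entry for entry in listing if pattern.search(entry)]


def alt_code(char):
    """Return the Alt+NNN code that types this character on the DOS numeric
    keypad (code page 437), or None if it is a plain printable ASCII key."""
    if 32 <= ord(char) < 127:
        return None
    try:
        return char.encode("cp437")[0]
    except UnicodeEncodeError:
        return ord(char)  # not in the DOS character set at all; report the code point


def flag_nonstandard(listing):
    """List every name containing characters that cannot be typed directly,
    together with the Alt codes that produce them."""
    flagged = {}
    for entry in listing:
        codes = [alt_code(c) for c in entry if alt_code(c) is not None]
        if codes:
            flagged[entry] = codes
    return flagged


if __name__ == "__main__":
    print("exact:   ", exact_match(LISTING, "Joes_2000_files"))
    print("tolerant:", tolerant_match(LISTING, "Joe", "_2000_files"))
    for name, codes in flag_nonstandard(LISTING).items():
        print(f"{name!r} uses Alt+{', Alt+'.join(str(c) for c in codes)}")
```

Flagging non-keyboard characters is the more general check: it finds a renamed file even when the investigator does not know which letter was substituted, whereas the tolerant pattern only covers the one position it allows to vary.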
Another way to hide files is by using the DOS
command "Attrib." Attrib +h hides a file from directory listings
produced by the "Dir" command. However, the command dir /a:h will list
all the hidden files in a directory. Remember, the Dir command can be an
effective tool to view what's in a hard drive's file structure even if running
Windows. Just go to the DOS prompt.
DEBUG has a lot of dust on it, something
almost forgotten. Yet it is a tool still found in MS-DOS in Windows 95 and 98.
It lets you view in hexadecimal and ASCII format what's in a file, on a floppy,
or on a hard drive. A poor man's hex editor, it can fill in when a more
sophisticated viewer is not at hand. It is useful for dumps of data and for
writing assembly language programs. (Hex editors are nifty tools to have too.
For more information on keeping one in your toolkit, see the Resources section
below.)
Also, don't forget the Undelete and Unformat
tools available in MS-DOS. They can move the picture of a hard drive one step
back, if needed, in examining a computer, but they do require caution in
execution. Their use may result in unforeseen data loss. They cannot be used
with Windows 98 or NT. Windows 95 can do Undelete with a bit of sleight of
hand, as we shall see later in the Windows section. But if you're checking an
old machine, a dinosaur, running Windows 3.1 or MS-DOS 5.0-6.22, the commands
may come in handy. For syntax specifics see http://www.computerhope.com/undelete.htm
and http://www.computerhope.com/unformat.htm.
And, don't forget there are a lot of dinosaurs out there, so keep those old
MS-DOS reference books.
Unix serves as a wonderful training ground for
computer security specialists. It teaches about access permissions for objects;
learning about those rwx's in directory listings gives one an appreciation for
granular security. It builds on MS-DOS knowledge: hidden files are "dot
files" in Unix. They become visible by the "ls -al" command (very
similar to dir /a:h). Unix expands on MS-DOS' piping and redirection
capabilities. Searching or manipulating files and directories using FIND and
SORT, an investigator, for example, can search a directory for inactive files
(by date) and pipe the results into a report file.
Using Unix's scripting capabilities (similar
to DOS batch files), an investigator may create combinations of commands into
specialized programs to conduct security audits and to do file checking as a
part of an inquiry. The GREP command searches files or directories that contain
a particular character string. This capability provides for granular searching.
For example,
/usr/bin/grep 'ron' trade > ronlist
searches for all occurrences of "ron" in the file "trade" and prints them into
"ronlist."
Unix also has the capability to list processes
actively running on the machine by executing the command ps -ef. Processes may
be terminated using the Kill command. The Top, Head, and Tail commands allow
examination of portions of logs or process lists. Here are some examples of
each:

ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Sep 07 ?        0:04 sched
    root     1     0  0   Sep 07 ?      242:49 /etc/init -
    root     2     0  0   Sep 07 ?        0:39 pageout

ps -ef | head
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Sep 07 ?        0:04 sched
    root     1     0  0   Sep 07 ?      242:49 /etc/init -
    root     2     0  0   Sep 07 ?        0:39 pageout

ps -ef | tail
johnjones 29805 29696  0   Nov 23 pts/26   0:00 -bash
   happy  10732 10731  0                   0:01 <defunct>
    root   3450 12314  0   Nov 22 ?        0:04 /usr/local/sbin/sshd

top
last pid: 11027;  load averages: 4.31, 4.70, 4.99                01:20:40
272 processes: 198 sleeping, 65 zombie, 6 stopped, 3 on cpu
CPU states: 0.5% idle, 15.9% user, 15.3% kernel, 68.3% iowait, 0.0% swap
Memory: 8192M real, 914M free, 876M swap in use, 1172M swap free
  PID USERNAME THR PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
 7596 peter    132   0    0   60M   60M cpu4   378:00  5.45% smd
22049 john     139  10    0   48M   48M cpu8   214:29  3.91% smd
 3130 carl     136  58    0   45M   44M sleep  169:59  2.69% smd
Unix also serves to introduce regular
expressions, a powerful means to search for strings. And, later we'll see that
regular expressions can serve as the basis for cracking passwords. Used in
conjunction with Unix commands and scripts, AWK is a program language especially
suited for regular expression searching. AWK searches for patterns and
manipulates them when needed.
In the statement
awk '$1 < $2 {print $0, $1/$2}' file1 > file2
a file called "file1" with two columns of numbers is read, and a new file called
"file2" is written with columns 1 and 2 as previously, plus a third column which
is the ratio of the numbers in columns 1 and 2. The ">" redirects the output
into "file2," and "file1," named at the end of the command, is the input. (The
"<" inside the quotes is the comparison in the pattern $1 < $2, so only lines
where the first number is smaller than the second are printed.) AWK has the
ability to search for specific transactions in logs and generate reports for
the investigator.
Dougherty, Dale and Arnold Robbins, Sed
& Awk, O'Reilly, 1997.
Gookin, Dan, DOS Secrets, Computer
Publishing Enterprises, 1990.
Lasser, Jon, Think Unix, Que, 2000.
Microsoft, MS-DOS Version 5.0, Microsoft,
1991.
Syngress Editors, Hack Proofing Your
Network: Internet Tradecraft, Syngress, 2000.
Zaenglein, Norbert, Disk Detective,
Paladin Press, 1998.
http://www.jimprice.com/jim-asc.htm
http://www.jimprice.com/ascii-128-255.gif
"Free 'Hex' Editors"
http://www.geocities.com/Athens/6939/HexEds,htm
"Winhex"
http://www.winhex.com/winhex/
"Hextool"
http://www.durward.com/hextool/
Ronald L. Mendell's article on Hex Editors
http://securityportal.com/articles/hexeditors20001208.html
"About DEBUG"
http://www.computerhope.com/rdebug.htm
"A Listing and an Explanation of
Commands"
http://www.computerhope.com/msdos.htm
"The Unix Reference Desk"
http://www.geek-girl.com/unix.html
"Solaris Man Pages"
http://docs.sun.com/
"About AWK"
http://sparky.rice.edu/~hartigan/awk.html
"An AWK Reference"
http://www.gnu.org/manual/gawk/html_mono/gawk.html
© Copyright 1999, 2000 SecurityPortal, Inc.
All rights reserved.
Tuesday, January 16, 2001
Ronald L. Mendell (ronmen9938@britannica.com) for
SecurityPortal
Windows Tricks
In examining a computer using Windows,
important information may be under your very nose. Don't forget to check the
Recycle Bin for deleted files long forgotten by the user. If you have a specific
file name that you are looking for, don't overlook using the Windows Find
utility to search the hard drive. Also, checking for temp files created by the
word processing program may uncover evidence the user thought was safe from
prying eyes just because he never intentionally saved it from RAM to disk. Users
forget that many programs like MS Word automatically save work-in-progress
(WIP) as temp files.
In Windows 3.1, remember that you can use
Undelete and Unformat to recover information. And yes, as indicated before,
these dinosaurs are out there. Expect old versions of word processors too, so
maintaining a library of "obsolete" manuals and software has great
investigative value.
Using Undelete in Windows 95 requires copying
Undelete.exe from DOS to the Command subfolder. Then you have to restart the
computer in DOS. And, you will have to lock and unlock the folder that
contained the deleted file and do the Undelete procedure. Doing this sort of
manipulation is not child's play, so in critical cases make sure full bitstream
backups take place first and use the services of a computer forensics
specialist.
Unerase and Unformat are available through
Norton Utilities. You can use them from the Norton Utilities Emergency/Data
Recovery Disk. Both options are available from the disk's command menu.
Unformat, however, will not work with DOS 5.0 or earlier. When unformatting, pay
attention to the list of files and directories Norton identifies that may be
lost when executing the process.
Browser Fun
Finding cache and "cookie" files
tells where a user has been on the Internet. Whether anyone likes it or not,
these small text files create a "paper trail." They become a silent
electronic witness.
In Win 3.1 you use the File Manager to find
the Netscape folder and then the subfolder marked Cache. The Cache folder
contains the history of where the user's been on the Web including graphics,
URLs, and even email information. Netscape Navigator has the cookies stored in
"cookies.txt" that Notepad reads easily.
In Win 95 Disk Detective recommends
pulling up File Manager from Winfile in Windows Explorer and locating the
respective folder for the browsers used on the computer. (Just enter
"winfile" at the RUN box from the Startup Menu.)
In Win 98 use Windows Explorer to get to
\windows\cookies and \windows\temporary Internet files.
Internet Explorer's History function is
incredibly easy to use and most users aren't even aware that it is tracking
their every move in cyberspace. You can access it in the IE browser whether it
is in the online or offline mode. Just go to the Toolbar in the browser and
click on History, and you get to see the computer's recent URL activity.
NSClean and IEClean are commercial utilities
for Netscape and Internet Explorer that enable one to see and to wipe clean
virtually all historical record in the respective browsers. These are powerful
tools to peek at everything the browser has done. The URL for these tools is:
http://www.nsclean.com/ieclean.html
Passwords
The screensaver password is often the easiest
to defeat. Usually to bypass it in Windows 95 and 98, one simply has to reset
the computer and then immediately right-click on the Desktop. Then go to
Properties and then Screensaver, and change the password before the screensaver
has a chance to cut in again.
The Network Password may be bypassed with
clicking on Cancel in the password box. Windows will let you into the local
machine. However, the personal settings of the user may not be visible on the
Desktop because Windows doesn't know who is coming in.
Industrial Strength Passwords prevent a lot of
security problems for users. Fortunately for computer investigators, most users
do not use them. The striking quality of strong passwords is that they are
statistically random, a product of a Random Password Generator. They are very
difficult to crack. (If you are interested in obtaining a generator, simply
enter "Random Password Generator" as a search on Google, and you'll
get pages full of download sites. Protect Your Privacy on the Internet has a
whole chapter on the subject. You will realize passwords considered strong by
the user are illusions. People do not generate statistically random passwords.)
Password cracking is usually child's play for
investigators armed with cracking tools available off the Internet. But before
you start using a cracker, learn some theory first. An excellent place to do
this is to read "Password Cracking Using Focused Dictionaries" found
at http://www.sans.org/infosecFAQ/cracking.htm.
In this article you will learn how most users make mistakes in selecting
passwords, how the use of regular expressions and a search matrix makes cracking
apparently "strong" passwords simple, and how dictionary attacks work.
Password Recovery is often a matter of some
simple research. Cryptologia, a journal dedicated to cryptography (indexed at http://www.math.utah.edu:8080/ftp/pub/tex/bib/toc/cryptologia.html#)
has articles from time to time on the weaknesses of certain password protections
on various software packages. Assume always that the password protection for
off-the-shelf software will be weak, so crackers learn of the flaws quite
readily. These flaws become public knowledge on the Internet. As a part of the
research for this article, I ran "Password Recovery," "MS Word
Passwords, " "WordPerfect Passwords," and "Windows
Passwords" on Google. Each search produced pages of resources about
recovery utilities or advice on how to do the recoveries.
Resources
Print Sources
Pfaffenberger, Bryan, Protect Your Privacy
on the Internet, John Wiley, 1997.
Rathbone, Andy, Windows 95 for Dummies 2nd
Edition, IDG Books, 1997.
Syngress Editors, Hack Proofing Your
Network: Internet Tradecraft, Syngress, 2000.
Zaenglein, Norbert, Disk Detective,
Paladin Press, 1998.
URLs
Windows
"Microsoft Windows Page"
http://www.microsoft.com/windows/default.asp
Browsers
"CNET Topic: Browsers" (A good
overview of browsers including those that are not IE or Netscape.)
http://www.cnet.com/internet/0-3773.html
http://www.nsclean.com/ieclean.html
Passwords
"Password Cracking Using Focused
Dictionaries" (An interesting article on the philosophy of cracking
passwords.)
http://www.sans.org/infosecFAQ/cracking.htm
"Password Crackers: Downloads"
http://www.hackersclub.com/km/files/password_cracker
"index to Cryptologia"
http://www.math.utah.edu:8080/ftp/pub/tex/bib/toc/cryptologia.html
Computer Crime Investigator's Toolkit: Part III
Tuesday, January 16, 2001
Ronald L. Mendell (ronmen9938@britannica.com) for
SecurityPortal
Perl is a programming language adept at
processing lists and strings. If you want to search log files and output the
information, Perl is a very useful tool. Some computer writers have
characterized the language as the duct tape of computing. The New Hacker's
Dictionary describes it as the "Swiss-Army Chainsaw." Its
compactness, flexibility, and relative ease of use make it attractive to hackers
of all persuasions.
While one doesn't have to be a master
programmer to be a computer crime sleuth, being able to read code helps generate
insight. If you find a Perl script useful for checking the aging of passwords,
for example, understanding how the program works goes a long way toward
implementing the tool properly. And, you learn during the process how to develop
your own tools. Some investigators may prefer C or C++ as a starting point. That
preference has some merit since quite a few computer security tools are
available written in those languages. But the most important skill is to learn a
code and then build on that knowledge. More common ground exists between
languages than you might realize.
The commonalities include:
1. Comments. These lines of code document what is happening in the program. The
compiler does not act on these lines, but they may be the most important lines
of code. They serve as a record of why and how the program works. Perl tells
the compiler that a line is a comment by beginning it with the pound sign, "#."
(# This is an example of a comment line in Perl.) Learning to read comments
tells a computer sleuth what's going on in a program.
2. Conditionals. Acting as decision points in the program, they usually take
the form of the IF, THEN, ELSE statement. In Perl the statement takes the form
of:
if ($a == 21) { print "Happy Birthday Scully!\n" }
else { print "Mulder's been abducted!\n" }
Notice the THEN is implied through using the braces (known as the "block").
The "==" simply means "equal to." The "\n" tells the compiler to start a new
line after the string expression.
3. Variables. "$a" is a variable. It is a place to store a value in memory.
Perl identifies variables by beginning them with "$." $Rons_Paycheck_Amount is
a variable in Perl. Perl declares or assigns variables by a simple statement,
$Rons_Paycheck_Amount = 1000.00. You'll note the difference between the
assignment operator "=" and the numeric comparison operator "==."
4. Loops. When the need arises for the computer to do something repetitive,
loops do the trick. A loop consists of a counter value, which tells a loop
where to start counting from; a conditional statement, which tells the loop
what conditions to terminate under; and an increment, which tells the loop at
what rate to count down or up. A possible Perl loop would be:
$Counter = 19;
# This statement assigns the counter element a starting value of 19. Note most
# Perl statements end with the semicolon ";" unless terminated by a block.
while ($Counter > 0) {
    print "Still processing";
    $Counter -= 1;
}
# The "while" statement gives the terminating condition, when $Counter
# equals zero.
# The phrase "-= 1" is the declining increment reducing the $Counter
# variable by one each cycle of the loop.
print "\n Counter reduced to zero.\n";
# When the loop terminates, the last "print" statement executes.
Other commonalities include functions, which
are subroutines, arrays and other data structures, and variations on
conditionals and loops. But this very basic introduction gives you some starting
points to commence reading Perl code. If you want to see some Perl security
scripts for Unix/Linux, go to http://www.softpanorama.org/Security/perl_sec_scripts.shtml.
Perhaps, with the exception of cryptography,
no other area of computer security is as arcane as networking. Myriad acronyms
dominate networking discussions. Problems often emerge at several levels of
abstraction. Security holes are often subtle, missing the attention of even
experienced analysts. Yet, every computer crime professional must have some
grasp of networking, even though networking may not be the main focus of their
work. Any computer crime may spill over into a network.
A good test of one's network security
knowledge is to read Stephen Northcutt's article, "Intelligence Gathering
Techniques" at http://www.microsoft.com/technet/security/intel.asp.
He covers topics such as host mapping, ICMP echo requests, UDP echo requests,
Broadcast ICMP, detection of scans, netmask-based broadcasts, port scans,
scanning for a particular port, complex scripts, random port scans, FTP bounce,
NetBios traces, stealth attacks, SYN/ACK, and inverse mapping.
If the article is a real head spin for you, it
is time to do some networking study, which is nothing to be ashamed of. Many a
network engineer and architect has reams of books to refer to on their desks;
they are in them all the time just to do their daily jobs. Realizing what you
don't know is a healthy approach in this business. (If you want to see some
Network security tools such as TAMU, COPS, and SATAN, ftp to wuarchive.wustl.edu
and look at /packages/security.)
Possible attacks include:
- Web Spoofing. An attacker's server becomes the de facto ISP to the user's
browser. A user thinks he or she is reaching, say www.microsoft.com, when
actually the user is receiving content from the hacker. An insidious attack
when you consider the user may be supplying confidential data to the spoofed
site.
- Denial of Service. A common attack facing most public or commercial Websites.
The trick lies in the attacker overloading the site's routers or servers with
bogus packets, usually SYNs.
- Sniffers. An attacker builds intelligence against your site by monitoring
your traffic and picking off passwords and user data.
- DNS Spoofing. The hacker compromises the DNS server and changes the IP
address database, redirecting user URL calls to sites of the hacker's choice.
- Mobile Code Attacks. Using Java applets or ActiveX controls, the attacker
plants Trojan horses into your local machine. This malicious code can be
embedded into HTML pages, making it especially vicious. And, external Web pages
aren't the only concern. Any computer crime investigator looking at HTML pages
on a local machine should examine any links using the source code viewer first.
Links can contain booby traps that can plant viruses or Trojan horses on the
investigator's disks or that can delete files on the machine's hard drive.
Always assume any local machine contains booby traps.
- IP Spoofing. An attacker fakes the IP address of a machine the server
recognizes or trusts in order to gain entry. An interesting book describing IP
attacks and the general process of investigating network and Internet attacks
is Takedown by Tsutomu Shimomura with John Markoff, Hyperion, 1996.
When you want to know from which machine an
email originated, specialized search engines on the Web can help. The one
available for the Americas is http://www.arin.net/whois/.
Most people who send and receive email never see the detailed header information
for a piece of electronic mail. Yet, many email services like MS Outlook allow
you to see the full header when you select it under viewer options. The key
phrase to pay attention to is "Received: from."
A sample email header (with alterations for
security reasons) is below:
Received: from hotmail.com (f54.pav1.hotmail.com [64.4.31.54])
    by exchange.anyplace.com with SMTP
    (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
    id XBMVVB8A; Fri, 1 Dec 2000 05:04:58 -0600
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 1 Dec 2000 03:06:19 -0800
Received: from x.x.x.x by pv1fd.pav1.hotmail.msn.com with HTTP;
    Fri, 01 Dec 2000 11:06:19 GMT
X-Originating-IP: [x.x.x.x]
From: "Anyone" <XXXXXX@hotmail.com>
To: ronmen9938@britannica.com
Subject: Test
Date: Fri, 01 Dec 2000 05:06:19 -0600
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F546hm8Ua8d9Ee4zadT0000a828@hotmail.com>
X-OriginalArrivalTime: 01 Dec 2000 11:06:19.0949 (UTC) FILETIME=[BBB795D0:01C05B86]
The first "Received: from" phrase indicates that the last server to
transmit the email was f54.pav1.hotmail.com with IP address 64.4.31.54. That
server received the email from the fictionalized MS Exchange server at
"anyplace.com" using Simple Mail Transfer Protocol (SMTP).
What a search on ARIN produced for IP address 64.4.31.54:
MS Hotmail (NETBLK-HOTMAIL)
1290 Oakmead Pkwy Ste 218
Sunnyvale, CA 94086
US
Netname: HOTMAIL
Netblock: 64.4.0.0 - 64.4.63.255
Coordinator:
Myers, Michael (MM520-ARIN) icon@HOTMAIL.COM
408-222-7330
Domain System inverse mapping provided by:
NS1.HOTMAIL.COM 207.82.250.83
NS3.HOTMAIL.COM 209.185.130.68
Record last updated on 11-Feb-2000.
Database last updated on 30-Nov-2000 19:05:05 EDT.
The next "Received: from" tells you
what server at Hotmail.com received the email from anyplace.com. The next two
lines tell you the IP address of the machine that sent the email to, or
generated the email at, Hotmail.com before it was transmitted to ronmen9938@britannica.com.
In this case that machine's address has been fictionalized to x.x.x.x. But the
real IP address could be run on ARIN for identification. The same goes for the
domain name. The "From" line gives the sender's email address at
Hotmail.com.
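Example code added here, not from the article: a Python script that parses the sample header above with the standard library. Each Received: line reads "from A by B": B is the server that wrote the line when it accepted the message from A, and every relay prepends its own line, so the topmost entry is the final hop and the path is read from the bottom up. The name right after "from" is whatever the sending side announced in its HELO; the name and bracketed address in parentheses are what the receiving server observed for itself, so the bracketed IP is the field worth running through ARIN. Only lines added by servers you trust are reliable; anything below them could have been written by the sender. The message text is the article's own sample, already fictionalized there (XXXXXX, x.x.x.x); the helper names are constructed for this example.

```python
import email
import re

# Constructed sample: the header quoted in the article, laid out as a message
# so the standard library can parse it (sender address and originating IP were
# already fictionalized as XXXXXX and x.x.x.x in the article).
SAMPLE_MESSAGE = """\
Received: from hotmail.com (f54.pav1.hotmail.com [64.4.31.54])
 by exchange.anyplace.com with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
 id XBMVVB8A; Fri, 1 Dec 2000 05:04:58 -0600
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Fri, 1 Dec 2000 03:06:19 -0800
Received: from x.x.x.x by pv1fd.pav1.hotmail.msn.com with HTTP;
 Fri, 01 Dec 2000 11:06:19 GMT
X-Originating-IP: [x.x.x.x]
From: "Anyone" <XXXXXX@hotmail.com>
To: ronmen9938@britannica.com
Subject: Test
Date: Fri, 01 Dec 2000 05:06:19 -0600
Message-ID: <F546hm8Ua8d9Ee4zadT0000a828@hotmail.com>

Test
"""

# "from <claimed> (<observed name> [<ip>]) by <receiver>": the claimed name is
# whatever the sending side announced; the parenthesised part is what the
# receiving server saw for itself.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>.+?)(?:\s+\((?P<observed>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Break one Received: header into claimed sender, observed sender, IP and receiver."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold the continuation lines
    m = HOP_RE.search(flat)
    if m is None:
        return None
    observed = m.group("observed") or ""
    ip = IP_RE.search(observed)
    first = observed.split()[0] if observed else ""
    return {
        "claimed": m.group("claimed"),
        "observed": first if first and not first.startswith("[") else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
    }


def trace_path(raw_message):
    """Return the hops in the order the mail travelled, plus X-Originating-IP."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Every relay prepends its own Received: line, so the header lists the
    # newest hop first; reverse it to read from origin to final delivery.
    hops = [h for h in (parse_received(v) for v in reversed(received)) if h]
    origin = msg.get("X-Originating-IP")
    return hops, origin.strip("[] ") if origin else None


def report(raw_message):
    hops, origin = trace_path(raw_message)
    lines = [f"originating IP header: {origin}"]
    for n, hop in enumerate(hops, 1):
        seen = hop["ip"] or "no address recorded"
        lines.append(f"hop {n}: {hop['by']} accepted from {hop['claimed']} "
                     f"(observed {hop['observed'] or '-'}, {seen})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE))
```

On the sample the first hop (HTTP submission to Hotmail) records no bracketed address at all, which is why the script reports "no address recorded" rather than inventing one; the X-Originating-IP header is the only place that value appears.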
Tracing emails will continue to play an
ever-increasing role in computer crime investigation. To see how it played a
role in a recent Texas homicide case, read "Murder via the Internet"
at http://securityportal.com/topnews/murdervia20000721.html.
Print Sources:
Casey, Eoghan, Digital Evidence and
Computer Crime, Academic Press, 2000.
Hayden, Matt, Networking in 24 Hours,
Sams, 1998.
Hoffman, Paul E., Perl 5 for Dummies,
IDG Books, 1997.
Mendell, Ronald L., Security Management,
June 1999, "Is the Internet Just a Web of Misinformation?"
Raymond, Eric S., The New Hacker's
Dictionary 3rd Edition, MIT Press, 1996.
Sharrar, Kristopher A. and Granado, Jose, Security
Management, March 1997, "Confessions of a Hard Drive."
Shimomura, Tsutomu with John Markoff, Takedown,
Hyperion, 1996.
Syngress Editors, Hack Proofing Your
Network: Internet Tradecraft, Syngress, 2000.
Tiwana, Amrit, Web Security, Digital
Press, 1999.
URLs:
http://www.perl.org
http://www.perl.com/perl/
http://www.softpanorama.org/Security/perl_sec_scripts.shtml
Intrusion Detection Pages
http://www.cerias.purdue.edu/coast/intrusion-detection/welcome.html
Attacks on IP Networks
http://www.docs.uu.se/~carle/datakomm/Notes/Networkin/51_AttacksOnIP.html
Network Intelligence
http://www.microsoft.com/technet/security/intel.asp
Whois Service
Internic and IP Address Searches:
http://rs.internic.net/cgi-bin/whois
Links to several registries
http://networksolutions.com/cgi-bin/whois/whois
American Registry for Internet Numbers (ARIN)
http://www.arin.net/whois
Tracing Email
http://www.usus.org/elements/tracing.htm
Computer Crime Investigator's Toolkit: Part IV
Tuesday, January 23, 2001
Ronald Mendell (ronmen9938@britannica.com) for
SecurityPortal
Slack space occurs on a hard drive or floppy
when a file gets partially overwritten after deletion. The new file does not
completely fill in the space created by the old file's data. So, a slack space
of residual data remains in the area between the end of file (EOF) boundary of
the new file and the end of the cluster. On a given disk, then, large amounts of
"hidden data" exist. These fragments may offer considerable evidence
about what was deleted from the disk.
Bitstream copying will preserve slack space.
Simple copying will not. Once safely backed up, the contents of slack space will
be visible by using software such as Hex editors and the Norton Utilities. Such
examination needs to be done by a qualified computer forensics specialist. If
you need a list of questions to ask an examiner to evaluate his or her
qualifications, try this Web page: http://www.keycomputer.net/equest.htm. A good
article giving an overview of examining a
computer is in the March 1997 issue of Security Management,
"Confessions of a Hard Drive" by Kristopher A. Sharrar and Jose
Granado.
Slack space may reveal
Digital Evidence and Computer Crime
by Eoghan Casey also has a good overview of slack space on hard disks and how
bitstreaming preserves the evidence.
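The following Python model, added here as an example and not taken from the article or from any forensic tool, ties the two points above together. A toy disk with a handful of fixed-size clusters shows why an ordinary file copy stops at EOF and misses the residue of an earlier, deleted file, while a bitstream copy keeps every byte; the image is then hashed with SHA-256 so that a later copy can be checked against it, which is the hashing step the "preserve and then examine" rule in Part One calls for. The cluster size, the file names and their contents are constructed.

```python
import hashlib

CLUSTER = 64  # constructed: a tiny cluster so the residue is easy to see


class ToyDisk:
    """A constructed disk with one cluster per file: enough to show why a
    logical copy misses what a bitstream copy preserves."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.files = {}  # name -> (cluster index, logical length)

    def write(self, name, payload):
        if len(payload) > CLUSTER:
            raise ValueError("toy disk holds one cluster per file")
        idx = self.free.pop(0)
        start = idx * CLUSTER
        # Only the bytes actually written are changed; the rest of the cluster
        # keeps whatever the previous occupant left there.
        self.data[start:start + len(payload)] = payload
        self.files[name] = (idx, len(payload))

    def delete(self, name):
        idx, _ = self.files.pop(name)
        self.free.insert(0, idx)  # the directory entry goes; the data stays put

    def logical_copy(self, name):
        """What an ordinary file copy sees: bytes from the start up to EOF."""
        idx, length = self.files[name]
        return bytes(self.data[idx * CLUSTER: idx * CLUSTER + length])

    def slack(self, name):
        """Bytes between the file's EOF and the end of its cluster."""
        idx, length = self.files[name]
        return bytes(self.data[idx * CLUSTER + length: (idx + 1) * CLUSTER])

    def bitstream_copy(self):
        """Every byte of every cluster, allocated or not."""
        return bytes(self.data)


def image_digest(image):
    """Hash the image so a later copy can be shown to be identical."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image, expected_digest):
    return image_digest(image) == expected_digest


def demo():
    disk = ToyDisk(clusters=4)
    # Constructed scenario: a sensitive note fills a cluster, is deleted, and a
    # shorter file is written into the same cluster afterwards.
    secret = b"CONFIDENTIAL: payroll wired to offshore account 7 on 2000-12-01".ljust(CLUSTER, b"-")
    disk.write("secret.txt", secret)
    disk.delete("secret.txt")
    disk.write("notes.txt", b"grocery list: milk, eggs")
    image = disk.bitstream_copy()
    return {
        "logical": disk.logical_copy("notes.txt"),
        "slack": disk.slack("notes.txt"),
        "image": image,
        "digest": image_digest(image),
    }


if __name__ == "__main__":
    result = demo()
    print("logical copy :", result["logical"])
    print("slack residue:", result["slack"])
    print("image sha256 :", result["digest"])
```

The logical copy of notes.txt contains only the grocery list; the slack of the same cluster still holds the tail of the deleted note, and only the bitstream image carries it. Recording the image digest at acquisition, and re-checking it before each examination, is what lets the chain of custody stand.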
Cryptography is a vast subject, and it can be
as abstract as quantum physics. The average computer sleuth, though, does not
have to know the inner workings of designing cryptographic algorithms. But, he
or she does need to know the difference between simple and complex cryptography.
Simple cryptography is much like the decoder
rings found in cereal boxes when you were a kid. The classic cipher along this
vein is Caesar's Cipher, which rotated the alphabet three letters to the right.
In other words, in the ciphertext the letter H substitutes for the letter E in
the plaintext. A modern version of this substitution cipher is ROT13, where the
shift is thirteen (13) letters.
Another simple technique is to XOR (apply an
exclusive OR to) the plaintext. For a more sophisticated method, using a Vigenere
Square (an alphabet matrix: http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html)
produces a more difficult substitution cipher. Unfortunately,
these methods are way too easy for computers to break and result in very weak
ciphers and encrypted passwords.
The fact that certain letters in English have
a higher frequency than others ("e" being the most common) makes these
ciphers vulnerable. Yet, some software packages continue to use them for
cryptographic protection. Such software may claim to have a secret, proprietary
algorithm for encryption. A computer sleuth can check the strength of a
package's cryptography by having it encrypt some known text. If repetitions in
letter patterns and frequencies are apparent (you can guess where the letters A
or E are), then the encryption is weak. Breaking it using the resources found in
the URLs below should be straightforward.
Strong, complex cryptography, suitable for the
computer age, takes the form of PGP, Triple DES, Blowfish, RSA, Twofish, and
other publicly documented strong algorithms. Tested in the public arena by
experts, they will stand up to cryptanalysis for reasonable periods of time,
provided they are implemented properly. And, they are only as good as the
security precautions used to protect them. If a user is careless about
safeguarding the keys used in the cipher, no matter how good the algorithm, the
message will be compromised. So checking a computer and the floppies nearby for
unencrypted files containing keys is a standard investigative step. If the user
has employed complex cryptography to protect a file or password and you can't
find the keys, bring in a qualified computer forensics expert to develop a
strategy for accessing the data.
Casey, Eoghan, Digital Evidence and
Computer Crime, Academic Press, 2000.
Sharrar, Kristopher A. and Granado, Jose,
Security Management, March 1997, "Confessions of a Hard Drive."
Singh, Simon, The Code Book,
Doubleday, 1999.
Smith, Richard E., Internet Cryptography,
Addison-Wesley, 1997.
Syngress Editors, Hack Proofing Your
Network: Internet Tradecraft, Syngress, 2000.
Tiwana, Amrit, Web Security, Digital
Press, 1999.
"Tutorial"
http://www.spnc.demon.co.uk/ilook/help/tutor_extract.htm
"The Third Step- Preserve the
Electronic Crime Scene" by Michael R. Anderson.
http://www.forensics-intl.com/art7.html
"Forensic Procedures for
Computers"
http://www.cops.org/forensic_examination_procedures.htm
"An Examiner's qualifications"
http://www.keycomputer.net/equest.htm
"The Vigenere Cipher"
http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html
"Index of
/pub/security/cryptography/cryptanalysis" (Has C program, vigsolve.c, for
cracking Vigenere ciphers.)
http://sunsite.bilkent.edu.tr/pub/security/cryptography/cryptanalysis/?S=A
"A course on classic
cryptography," Lesson One covers letter frequencies and distributions in
English.
http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm
"A brief introduction to
cryptology"
http://www.ridex.co.uk/cryptology/#_Toc439908877