Friday, May 23, 2014

SlideShare data and blues

A few days ago I accidentally compared SlideShare report mails and there was something that looked like a pattern. I'm not sure, but maybe it is.
SlideShare is perfect for keeping old materials handy, and maybe useful to someone else too; I put there almost all the presentations and papers I have publicly presented.
They are in various languages, which incidentally provides some additional insight into the statistics. The basic idea is that English text is for anyone, while the local lingo is only useful to the local community.

What caught my eye is a slight increase in access to one presentation dealing with the CyberSecurity product by Guidance Software; there has been increased activity on it in the last few months. Since the presentation is in the local language (heavily loaded with technical English terms) I suppose it is mostly accessed by local people.
What is interesting is that these hits are almost parallel with two other events, a discount on the CyberSecurity product and some cyber attacks on local banks. Interesting to see and think about, but unfortunately there were no official requests for the CyberSecurity product ...

The week after CEIC 2014, the stats changed in a completely different way: on top is EnCase Enterprise Basic File Collection, which jumped by more than 100 hits in a week ... there must be something embarrassing in it to cause such a surge. Again some changes this week too, the week before 27th June 2014:
"Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2" (EnCase CyberSecurity: a tool for proactive control of corporate IT security, part 2): 213 views, making 1007 in total, and "EnCase Enterprise Basic File Collection": 127 views, making 923 in total.

Thursday, May 15, 2014

Some thoughts about mobile forensics tools

Recently I've been talking about mobile forensics with some people from prominent mobile forensic vendors. I was curious to ask why they (and other vendors too) do not use an IP connection to acquire data from smartphones. I had asked this question a few times before but never got any answer. This time the answer was a bit of a surprise, so why not roll out the idea. It was a shocking revelation .. and I'm still not sure whether this was not just a joke answer to my question.

So let me put some theory on paper ...

Mobile forensics is a wild, uncharted area under extreme development: the cycle is fast, possible gains in market share are big, and there are myriad phones, each vastly different as a device.

Since devices started to be real computers pretending to be phones, with a real operating system, huge storage space and memory, things get a different perspective ...

Mobile forensic vendors are traditionally locked into a "do-one-phone-at-a-time" approach, accessing the phone over a serial line, USB, Bluetooth or IR connection. If we compare current mobile forensic tools to general purpose forensic tools there are huge differences: no standard format, the ability to handle only phones, a limited number of device images in one case and only recently some analytics on the extracted data. I don't even like to mention the problems of interoperability among tools.

These are all signs of a young, immature market and a fast development cycle. I suppose the cycle is so fast that it keeps vendors locked in their niche, without much time to look from a wider position.
As soon as mobile networks developed data transfer over TCP/IP, mobile devices got a new access method:
an IP interface over the 3G/2G network or wifi access. Strangely, this very effective door to the phone is not used :)
IP access gives you a practically unlimited number of devices being analyzed from one forensic workstation; the limitation is in licensing and bandwidth.

The first question to answer is whether this approach is forensically acceptable. This is actually a key method in live and network forensics, where live machines are acquired and analyzed in a forensically sound way over IP; for details there are many tools, enterprise-wide forensic tools like EnCase, FTK, F-Secure ... The same goes for some anti-malware tools and the ability to remotely erase a mobile device.
Access methods vary but rely on the same idea.

There is one very interesting quirk also: these tools have support for mobile devices but strangely not over IP. I have not been on the EnCase support site recently, but when I was there last time there was a thread where people asked why there is not yet a servlet for Android or iOS (the servlet is the EnCase forensic agent for remote access).

One possible explanation is in the history of the now defunct product Neutrino, the EnCase mobile phone version. It failed because the vendor was unable to provide the resources to keep up with phone development .. each phone model requires a lot of effort to keep it in the system. What was left is support for smartphones, almost as a hunchback on EnCase today since it does not look fully integrated. This provides a reason for the reluctance in pushing servlet technology to smartphones.

If we forget about existing enterprise forensic tools, what can be used for a proof of concept? There is one old, reliable tool, CFEngine, a very reasonable tool to try. It works on iOS, Android and Windows, so it is a logical test-bed to try, especially since it is event driven.


Monday, May 12, 2014

Long ago I forgot to post to the blog .. topics for seminars, theses and the like ..

For students and others interested, some ideas for seminar papers, theses...
For all topics there is a list of references, literature etc.


Forensic analysis of social networks: Present social networks (Facebook, LinkedIn, etc.), the ways they are used and how these systems work. For such systems explain what can be artifacts and evidence, and which methods and approaches can be applied to find, acquire and analyze that evidence and those artifacts.

Forensic analysis of mobile devices based on the Android operating system: Study and investigate the forensic analysis of mobile devices running the Android operating system. The work should rely on available non-commercial tools, with commercial tools used for control. Establish the reliability of forensic data acquisition from a mobile device and describe the whole procedure on a practical example.

Digital media acquisition procedure: Presentation and analysis of procedures for acquiring digital media in computer forensics.

Simulators of computer networks and systems: Overview and analysis of simulators of computer networks and systems.

A high-level computer forensic language: Develop a specification for a high-level computer forensic language, based on existing tools in Python and other languages.

Application of computer forensics to intelligent home devices: Present computer forensic methods for intelligent home devices, i.e. devices containing computer and other electronic components that are used in the household.

Computer forensic tools in the Python language: Investigate the capabilities of computer forensic tools based on the Python language. In particular, work out tool repositories, finding a tool suitable for a given problem, using the tool on a chosen platform and possible integration or linking with other forensic tools.
  
Implementation of a layer 2 switch in open source: Study and work out the possibilities of implementing a layer 2 switch in open source (open source layer 2 switch) in computer networks.

Forensics of computer and network systems in modern cars: Present the computer and network systems in modern cars. Based on an analysis of available data about the operation of those systems, propose and work out a methodology and procedures for forensics of such computer systems.

Computer forensics and system virtualization: Use of virtualization in computer forensic procedures, and forensics of virtualized systems.

Forensics of active network equipment: Forensic procedures for active network equipment.

Database forensics: Computer forensics of database systems and persistent storage systems.

Household robots and computer forensics: Work out the forensic analysis of household robots such as robot vacuum cleaners, robot cleaners and other similar devices.

Industrial robots and computer forensics: Present and work out computer forensic methods for robotized industrial systems.

Digital video surveillance systems and computer forensic methods: Present the application of computer forensics to digital video surveillance systems.

Maintaining business continuity of IT systems: Present methods of maintaining business continuity for an IT system. Work out methods of collecting and analyzing data without dedicated software tools.

Maintaining business continuity: Treat the business continuity system theoretically, using existing standards and practice from the field of business continuity. As the practical part, develop a web-based system for controlling and carrying out business continuity.

Cyberwarfare attack programs: Presentation of the operation and offensive behaviour of warfare code. Show how the first real warfare attack program, the Stuxnet worm, works, and the ways of defending against and detecting that worm.

Automated trading systems: Describe and analyze systems for automated trading on stock exchanges. In particular, study the security problems of such systems on both the implementation and the algorithmic level.

Overview of digital forensic models: List, present and explain models for performing digital forensics. Propose possible solutions for the backlog problems in forensic laboratories and propose methodological and technical measures that can be applied to reduce the backlog. Assess possible modifications of existing tools and procedures in line with the proposed measures and models.

Crisis networking: Present the construction of a simple wifi network based on off-the-shelf components and open source code that would keep functioning even in case of an outage of the main IP and GSM providers.

Secure erasure of data storage media: Present and work out techniques for securely erasing data from storage media. In particular, work out the cases of new technologies such as SSD.

Use of the Android emulator in digital forensics: Study the possibilities of an emulator, or of using a virtual Android operating system, in forensic procedures. When analyzing mobile and other devices under the Android operating system it is necessary to establish the state of the device, start it again to see the behaviour of applications etc.; for those purposes try out an emulator or virtual Android and study ways of transferring the device image into such a simulated environment. Propose procedures and list advantages and disadvantages.

Possibilities of applying the CFEngine system in computer forensics: Study the possibilities of applying the CFEngine management and security system within live forensic tasks on networked computer systems.

Forensic analysis of metadata in existing document formats: Analyze known document formats for digital images, digital documents, e-mail and other types of digital documents. Based on forensic analysis, work out mechanisms for extracting metadata from documents both at rest and in network transit, and based on those mechanisms present the security risks and the mechanisms for removing those risks. Using available tools, demonstrate the results of the analysis and the discovered risks.

Wednesday, May 7, 2014

EnCase v7, UFED logical extraction data and frustration ...

I'm always frustrated with the state of affairs where you are in huge trouble if you need to incorporate data from one forensic tool into another one. It is a ridiculous situation, but it shows how immature this market is. Lack of standardization, common formats and compatibility is the state of the art :(

Anyhow, to stop trolling about troubles, what can we do? Since there is no one like the DoD in the networking crisis of the 1970s, before the TCP/IP revolution, who can force all vendors to stop doing silly things and start to cooperate, we can try to use the features of existing tools to put a kind of cooperation into action.

Since there is a strong invisible thin line between vendors doing mobile forensics and general forensics, it is very hard to combine results from these two classes of tools.
There are some exceptions like NUIX, but let us stay with older generation tools.

Let's imagine we have a set of UFED logical extractions and a set of PC images in EnCase that we have to look at as one job. UFED things we can combine in UFED, the same for PC images in EnCase, but we can't process PC stuff in UFED, so we have to move to EnCase and try some magic.

The strategy is to move the UFED data into a logical evidence file and somehow turn it into data in EnCase; it will require a lot of scripting to do a fully working importer. The idea is to use the XML file created by UFED to populate a record structure created by hand in EnCase, and then later process the new L01 file as part of the bigger case.
I'll add some examples and steps later, maybe the whole script too.

The UFED logical extraction structure is well known: it is a folder named by phone model and timestamp. In that folder there are subfolders and files with the extracted artifacts. The key file is report.xml, an XML glue file which wraps all of that together.


The file report.xml is the glue that keeps the findings together in the UFED folder.

In EnScript we have various code examples for creating L01 files and for XML parsing, but what we don't have is a mechanism to map UFED data onto the EnCase phone extraction record structure. This is a guessing task, to be done by a custom EnScript.


EnCase view of the UFED data stored in an L01 file.

In EnCase, in the preview pane, the XML structure is easily visible; we can use the Generic XML viewer plugin to see deeper into the XML structure. It is easy to bookmark or preview it.


The structure of the file is visible and very intuitive, but not directly related to the structure in which EnCase presents phones.

If we use Report.htm instead of Report.xml, it actually requires less work, but the data is still not too useful.

It is possible to index the evidence so that search can find relevant data about the phone results. Unfortunately this also does not provide full access to the important information.


We have the same situation with other artifacts; it is slightly better with email addresses and phone numbers, since there is a set of predefined patterns in search.


Search by email pattern and keyword also gives some results, but still not good enough.

We have the same results if we try to work with the UFED report file in XML format, where we have control over which data is selected for the report. XML parsing is well supported, there are EnScript examples of how to parse and bookmark XML, but not much documentation on how and where to store the parsed data if we want to create an L01 file which contains the data extracted by UFED. Code which works in a similar manner exists: the Belkasoft integration modules, the Magnet Forensics tools integration and some others.

One thing which makes all this very unpleasant is the fact that in 7.09.05 (and probably earlier versions too) index search by pattern does not work as intended (there is a support issue raised on this topic about PII information indexing): the index pattern for phone numbers simply does not return phone numbers, and similarly it does not return email addresses. There is almost nothing about these patterns in the documentation; the only explanation with examples which I found was in that support topic.
This actually makes the whole effort senseless, because we don't know what else is not working and why.
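Two steps of the plan above can be prototyped outside EnCase before writing the EnScript: flattening the records that report.xml describes into the kind of one-row-per-artifact structure an importer would populate, and sweeping every extracted value for phone numbers and e-mail addresses as an independent check on what the built-in index patterns return. The script below is an added example, not code from this post, UFED or EnCase. The report.xml it parses is a constructed, simplified stand-in that follows the general modelType/model/field/value layout of a UFED Physical Analyzer report; the namespace URI, ids, names and numbers are made up, and element and attribute names in real exports differ between versions, so the walker must be checked against an actual report.xml before relying on it.

```python
"""Flatten a UFED-style report.xml into plain records and sweep them for
phone numbers and e-mail addresses, independent of any forensic suite.

Added example, not code from the post, UFED or EnCase.  The XML below is a
constructed stand-in; real report.xml layouts vary by version (assumption).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for the report.xml in a UFED extraction folder.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<project name="Report" xmlns="http://example.invalid/ufed-report">
  <metadata section="Extraction Data">
    <item name="DeviceInfoDetectedPhoneModel">Example Phone</item>
  </metadata>
  <decodedData>
    <modelType type="Contact">
      <model type="Contact" id="c1" deleted_state="Intact">
        <field name="Name"><value type="String">Ana Test</value></field>
        <multiModelField name="Entries">
          <model type="PhoneNumber" id="c1p1">
            <field name="Value"><value type="String">+385 91 234 5678</value></field>
          </model>
          <model type="EmailAddress" id="c1e1">
            <field name="Value"><value type="String">ana.test@example.com</value></field>
          </model>
        </multiModelField>
      </model>
    </modelType>
    <modelType type="SMS">
      <model type="SMS" id="s1" deleted_state="Deleted">
        <field name="Body"><value type="String">Call me on 091 876 5432 or mail bob@example.org</value></field>
        <field name="TimeStamp"><value type="TimeStamp">2014-05-01T10:15:00</value></field>
      </model>
    </modelType>
  </decodedData>
</project>
"""

# Deliberately loose patterns: a sweep should over-match and be reviewed,
# not silently drop formats the examiner did not anticipate.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ()./-]{6,}\d(?!\w)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _local(tag):
    """Strip the XML namespace so the walker does not depend on the report's URI."""
    return tag.rsplit("}", 1)[-1]

def _put(rec, key, text):
    """Keep repeated fields (e.g. two phone numbers under Entries) instead of overwriting."""
    rec[key] = text if key not in rec else rec[key] + " | " + text

def _collect_fields(elem, prefix, rec):
    """Recursively collect <field> values; nested models are prefixed by their path."""
    for child in elem:
        tag = _local(child.tag)
        if tag == "field":
            text = " ".join(v.text.strip() for v in child
                            if _local(v.tag) == "value" and v.text)
            _put(rec, prefix + child.get("name", "?"), text)
        elif tag == "multiModelField":
            _collect_fields(child, prefix + child.get("name", "?") + ".", rec)
        elif tag == "model":
            _collect_fields(child, prefix + child.get("type", "?") + ".", rec)

def flatten_models(xml_text):
    """One flat dict per top-level <model>: type, id, deleted_state and every
    field value, with nested paths such as 'Entries.PhoneNumber.Value'."""
    root = ET.fromstring(xml_text)
    records = []
    for model_type in root.iter():
        if _local(model_type.tag) != "modelType":
            continue
        for model in model_type:
            if _local(model.tag) != "model":
                continue
            rec = {"type": model.get("type"), "id": model.get("id"),
                   "deleted_state": model.get("deleted_state", "Unknown")}
            _collect_fields(model, "", rec)
            records.append(rec)
    return records

def sweep_patterns(records):
    """Pattern sweep over every field value.  Returns a set of
    (record id, kind, match) so each hit stays attributable to its source record."""
    hits = set()
    for rec in records:
        for key, val in rec.items():
            if key in ("type", "id", "deleted_state"):
                continue
            for m in EMAIL_RE.findall(val):
                hits.add((rec["id"], "email", m))
            # Blank out e-mails first so digits inside an address are not re-counted.
            for m in PHONE_RE.findall(EMAIL_RE.sub(" ", val)):
                hits.add((rec["id"], "phone", m.strip()))
    return hits

if __name__ == "__main__":
    recs = flatten_models(SAMPLE_REPORT)
    for r in recs:
        print(r)
    for hit in sorted(sweep_patterns(recs)):
        print(hit)
```

To run it on a real extraction, pass the contents of the folder's report.xml to flatten_models instead of SAMPLE_REPORT; the flat dicts it returns are the rows an importer would write, one per artifact, with the deleted_state carried along so deleted items are not quietly merged with intact ones. The ISO timestamp in the sample is there on purpose: it must not come back as a phone number, which is the kind of false hit worth checking whenever a pattern sweep replaces a tool's indexing.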

My unfortunate conclusion is that EnCase in its current state can't be trusted as an integration tool if you want to analyze data from mobiles or something similar together.

Using NUIX

I'm using a test version of NUIX, and must say I'm delighted with it. First impressions are really good; I haven't done a comparison yet, but on the same HW and the same evidence files it looks faster than other tools I've been using. The user interface is consistent and the data presentation simple and understandable, which is a huge advantage. It logs all relevant information into plain text log files, configuration is easy, only Java has its own quirks.

I've managed to crash it a few times, but this is mostly because of my inexperience and wrongly tuned parameters. The ability to handle different evidence formats and results is a great thing, and Ruby as the scripting tool is also great. I hope I'll get much deeper into NUIX.

ORF lectures about anti-forensics

Today we will talk about anti-forensic methods and tools, mostly about methods and ideas, since tools change with time.
I'll stress the difference between offensive and defensive methods, and the simple ideas of how to hide important things among a huge pile of files.
Strong encryption is definitely the best method, since without the key it is impossible to get the data (as long as the key itself is not recoverable from memory or elsewhere on the system); it is more of a defensive method, but effective. For protecting active systems or active data in use, a more offensive approach has to be applied.

One of the most interesting is the site https://www.anti-forensics.com/

My all-time favourite is the article "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" with the video "Defcon 15 - Breaking Forensics Software: Weaknesses in Critical Evidence Collection".

There are also plenty of presentations and new developments. Very inspiring presentations from Takahiro Haruyama: "Malicious File for Exploiting Forensic Software" and "One-Byte Modification for Breaking Memory Forensic Analysis".

The other tools and ideas are very well documented: steganography, encryption, etc.

There is also a rather terminal approach to anti-forensics, and we have to think about it if we are thinking about serious crimes: using brute force, explosives, and attacks to physically destroy media and evidence, both the forensics and the forensics lab ..
As an idea, think about a hard drive which instead of platters has an explosive charge and a primer connected to the power line.. this is also anti-forensic, but a bit out of the box in the digital sense.

When we are talking about anti-forensic and counter-forensic measures, it is important to understand that the context of the situation and the value of the items to be protected are actually the key elements in understanding how these items can be protected and why. The Conficker worm is a very good example.



Thursday, May 1, 2014

ORF lecture about Windows artifacts

The last topic we covered in the ORF curriculum was MS Windows artifacts, talking a lot about how and why things were developed. It was just glancing over a lot of issues:

  • Finding Deleted Data
  • Hibernation Files
  • Examining the Windows Registry
  • Print Spooling Evidence
  • Recycle bin Operation
  • Metadata: What It Is and How It’s Used
  • Thumbnail Images as Evidence 
  • Most Recently Used Lists: How They’re Created and Their Forensic Value 
  • Examining Prefetch and Link Files 
  • Windows log analysis
  • Windows search and indexing engine artifacts


There was talk about how these things evolved and became part of the system, what the driving force behind it was, and how one can think about these resources as a source of data for digital forensics.
In digital forensics within a computer science curriculum it is important to stress what these artifacts are in the global picture of the operating system, and how the development of hardware and software influenced them.
These elements are so often completely ignored in professional digital forensic training or in a pure forensics curriculum; it is one of the reasons why we have so many problems in digital forensics, especially in law-enforcement-related situations.