

Full Disk Encryption – Breaking Hard Disk Encryption

Good article and, more importantly, a great discussion in the comments. The article centres on hard disk encryption, prompted by the (less than remarkable) announcement of ElcomSoft Forensic Disk Decryptor, a tool that decrypts BitLocker, PGP and TrueCrypt volumes once the volume keys have been recovered from a memory dump or hibernation file. The key points from the comments:

“If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.”

“most (if not all) encryption software hashes your password immediately, yielding a hex based result which is still easily searched by looking for strings.”

“You are not missing anything. Its a non issue for most. Just don’t use sleep.”

“OpenBSD’s malloc fills junk bytes into allocated and freed chunks via the J option. By default OpenBSD encrypts the swap (where hibernation state is kept), and has done so for many years.”

“DMA is just one such way of manipulating the memory beneath the CPU level; there is also the Memory Management Unit and the I/O mechanisms that rule the roost via the interrupt mechanisms that run at what you might consider Ring -1. And these are what you might consider the upper layers of this gulf of insecurity. There are other tricks such as the actual CPU microcode or equivalent in all the other state machines.”

“Breaking Hard-Disk Encryption”
Bruce Schneier, 27 December 2012 – last access 24 January 2013 – ( Article )



Reverse Engineering Android Applications

Interesting article by Carl Benedict introducing Android applications, their development and their dissection with a handful of reverse engineering tools. Good focus on the Android permission-based model, how it gates access to resources, and where those controls can be altered.

“Under the Hood: Reversing Android Applications”
Carl Benedict, 20 January 2012
Infosec Institute Resources – last access 23 January 2012 – ( Full Article )


Tools referenced in the article:

apktool – a tool for decoding and rebuilding .apk files (resources and the binary AndroidManifest.xml),

jad – a Java decompiler (Windows only),

JD-Core + JD-GUI – another Java decompiler, supporting newer Java versions and features,

dex2jar – a tool for converting Dalvik .dex files to Java .class files so that a Java decompiler can read them.
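Before feeding a classes.dex to dex2jar it is worth checking that the file is what it claims to be. The header carries an Adler-32 checksum over everything after itself and a SHA-1 over everything after the signature, so a file patched with a hex editor rather than rebuilt will fail both. The parser below is an added example (not from the article or from dex2jar); the field layout follows the published dex format, and the sample file is constructed in memory with an opaque data section standing in for real classes.

```python
"""Parse and verify a Dalvik .dex header (added example, not from the article)."""
import hashlib
import struct
import zlib
from typing import Dict

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The 20 little-endian uint32 fields that follow the signature, in file order.
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")


def parse_dex_header(data: bytes) -> Dict[str, object]:
    """Decode the 112-byte header and recompute its two integrity values over the rest of the file."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a dex file")
    hdr: Dict[str, object] = {"version": data[4:7].decode("ascii")}
    hdr["checksum"] = struct.unpack_from("<I", data, 8)[0]
    hdr["signature"] = data[12:32].hex()
    hdr.update(zip(FIELDS, struct.unpack_from("<20I", data, 32)))
    # adler32 covers everything after the checksum field; SHA-1 everything after the signature.
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    hdr["signature_ok"] = hashlib.sha1(data[32:]).hexdigest() == hdr["signature"]
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    hdr["size_ok"] = hdr["file_size"] == len(data) and hdr["header_size"] == HEADER_SIZE
    return hdr


def build_sample_dex(payload: bytes) -> bytes:
    """Construct a minimal, self-consistent dex: header with valid checksum and signature, then payload."""
    fields = [HEADER_SIZE + len(payload), HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 15 + [len(payload), HEADER_SIZE]
    tail = struct.pack("<20I", *fields) + payload
    sig = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(sig + tail) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + sig + tail


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one byte in place, as a hex-editor patch to a method body would."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    dex = build_sample_dex(b"constructed data section, stands in for code and strings")
    for label, blob in (("original", dex), ("patched", tamper(dex, len(dex) - 1))):
        h = parse_dex_header(blob)
        print(label, h["version"], "checksum_ok", h["checksum_ok"], "signature_ok", h["signature_ok"])
```

Run it against the classes.dex pulled out of an APK with unzip; the section counts and offsets it prints are also the quickest way to see whether an app has been padded with far more classes than its manifest suggests.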


Solid State Disks, Update: Forensic Implications?

Solid state drive adoption in computers, tablets and other devices is presenting new challenges to the computer forensics community. Good article by Mike Sheward explaining in some depth the current forensic concerns with SSDs, including hash results from imaging a drive with FTK Imager behind a write blocker.

“Rock Solid: Will Digital Forensics Crack SSD’s?”
Mike Sheward, 5 January 2012 – last access 23 January 2012 – ( Full Article )

Skype for iPhone and iPod Touch: iOS vulnerability allows compromising the device address book on receiving a chat message, just add JavaScript

An exploit in Skype on an iPhone or iPod touch allows compromise of your device’s address book simply by the attacker sending you a chat message. The underlying bug is a classic injection: the sender’s user name is rendered into the chat view as HTML without escaping, so script embedded in it runs inside the app. When the exploit code in the message runs, the victim’s iPhone automatically makes a new connection to a server, grabs a larger payload, and executes it to upload the iPhone’s entire address book file to the server.

“.. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

.. failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages ..

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole ..”

“Skype for iPhone makes stealing address books a snap”
Dan Goodin, Malware, The Register UK, 20 September 2011 – last access 21 September 2011 – ( Full Article )


Forging memory, a new development in Malware Rootkits

Rootkits typically hide files, registry keys and processes from detection software, and many also modify kernel memory. Anti-rootkit tools therefore inspect memory areas in an attempt to identify such modifications and flag them.

This rootkit goes a step further: it forges the memory that detection tools read back, so the dispatch table hooks it has planted do not show up. The technique itself is not new, but this is the first sample found in the wild using it, and a sign that malware authors are adopting it.

“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”

“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011 – last access 8 June 2011 – ( Full Article )


Going After the Money, Tracing Spammers with an End to End Analysis of the Spam Value Chain

Interesting paper presented at the IEEE Symposium on Security and Privacy 2011 (Oakland, California). The research, by fifteen authors, involved actually purchasing spam-advertised products and, amongst other things, tracing the payments.

” .. The paper performs holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks ..

the so-called “spam value chain” involves; botnets, domain registration, name server provisioning, hosting services, and proxy services ..

spammers must also process orders, which requires “payment processing, merchant bank accounts, customer service, and fulfillment.” ..

95% of spam-advertised pharmaceutical, replica, and software products are monetized using merchant services from just a handful of banks ..

13 banks handling 95% of the 76 orders for which they received transaction information .. just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean ..

all software orders and 85% of pharmaceutical orders used the correct Visa “Merchant Category Code,” which identifies what’s been sold. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods,” ..

orders were fulfilled from 13 suppliers in four countries: the United States–Massachusetts, Utah, and Washington, all for herbal purchases, as well as West Virginia for pharmaceuticals–plus India, China, and New Zealand. Most pharmaceuticals came from India, while most herbal products came from the United States, likely due to weak regulations ..”

“3 Banks Service Majority Of Spam-Driven Sales”
Mathew J. Schwartz, InformationWeek 25 May 2011 – last access 8 June 2011 – ( Full Article )

“Click Trajectories: End-to-End Analysis of the Spam Value Chain”
Kirill Levchenko et al., IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011 – last access 8 June 2011 – ( Full Journal )


Covert hard drive fragmentation – Steganography by Address

Snippets from a recent article in New Scientist:

“.. hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.

– snip –

..possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect

– snip –

Encryption .. shows someone might have something to hide..

– snip –

steganography, hiding data in plain sight.. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.

Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.

Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.

“An investigator can’t tell the cluster fragmentation pattern is intentional – it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.

“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.

Others are impressed with the technique but see limitations.

“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”

– snip –

“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.

“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”


“Covert hard drive fragmentation embeds a spy’s secrets”
Paul Marks, New Scientist, 21 April 2011 – last access 29 April 2011 – ( Full Article )
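The encoding the article describes is simple enough to show end to end. The script below is an added example, not the Islamabad group’s software: a 1 bit is encoded by placing cluster i+1 immediately after cluster i, a 0 bit by leaving a gap, and the receiver recovers the bits from the cover file’s cluster chain (its FAT chain or NTFS data runs). The free-cluster map, the cover file and the message are constructed here; a real implementation would have to drive the file system’s allocator, and, as Khan notes, anything that moves clusters afterwards (a defragmenter, a copy to another disk) destroys the message.

```python
"""Cluster-placement steganography as described in the article (added example, not the researchers' code)."""
from typing import List


def bits_from_bytes(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def _find_free_run(free: List[bool], lo: int, length: int) -> int:
    """First cluster >= lo that starts a run of `length` free clusters."""
    for c in range(lo, len(free) - length + 1):
        if all(free[c:c + length]):
            return c
    raise ValueError("not enough free space to place the chain")


def place_clusters(free: List[bool], message: bytes) -> List[int]:
    """Allocate a cluster chain whose adjacency pattern spells out message (2-byte length prefix first).

    Every run of 1 bits needs one contiguous free run; every 0 bit starts a new run after a gap.
    Chosen clusters are marked used in `free`.  The chain has len(bits) + 1 clusters.
    """
    bits = bits_from_bytes(len(message).to_bytes(2, "big") + message)
    chain: List[int] = []
    i, prev = 0, -2
    while i <= len(bits):
        run = 0                                        # how many 1 bits follow from position i
        while i + run < len(bits) and bits[i + run] == 1:
            run += 1
        c = _find_free_run(free, prev + 2, run + 1)    # prev + 2 forces the gap that encodes the 0
        for k in range(run + 1):
            chain.append(c + k)
            free[c + k] = False
        prev = c + run
        i += run + 1                                   # the 1s plus the 0 (or the end) that closes them
    return chain


def decode_chain(chain: List[int]) -> bytes:
    """Read the message back from a file's cluster chain."""
    bits = [1 if nxt == cur + 1 else 0 for cur, nxt in zip(chain, chain[1:])]
    data = bytes_from_bits(bits)
    return data[2:2 + int.from_bytes(data[:2], "big")]


if __name__ == "__main__":
    free_map = [c % 40 != 0 for c in range(4096)]      # constructed: one cluster in use every 40
    chain = place_clusters(free_map, b"meet at dawn")
    print("chain:", chain[:12], "...")
    print("decoded:", decode_chain(chain))
```

The capacity figure quoted in the article follows directly: one bit per cluster boundary, so a cover file of n clusters carries n-1 bits, and the capacity of a whole drive is bounded by its cluster count rather than its free space.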


Operation Ore suspect Jeremy Clifford awarded damages after 8 years of battle

“.. A man wrongly accused in Britain’s largest ever child pornography investigation has won damages in the High Court after an eight-year legal battle.

Jeremy Clifford, 51, from Watford, was arrested and falsely charged in 2003 as part of Operation Ore. His credit card details had been found among those of thousands of British people on a list maintained by Landslide, a commercial provider of illegal pornography based in the US.

Hertfordshire Constabulary seized a computer that had belonged to Mr Clifford and discovered 10 illegal thumbnail images in its temporary internet files folder.

However, a senior High Court judge found on Friday that the arresting officer had been told by a computer forensics expert that the images were not sufficient evidence to charge.

“The images could have been received unsolicited by and even without the knowledge of the operator of the computer, for example as ‘pop-ups’,” said Mr Justice Mackay.

Despite this, the officer, Detective Constable Brian Hopkins, pressed three charges of possession of indecent images of children. Mr Justice Mackay said he cut a “rather pathetic figure” in the witness box, having initially claimed he could not give evidence because of a psychiatric condition.

– snip –

The finding was based on evidence the court heard from an internal investigation launched after Mr Clifford was formally cleared of all the allegations before trial. It found that Hertfordshire Constabulary’s forensics expert, George Fouhey, had advised against pressing charges ..”

“Judge hits police with massive bill over false Operation Ore charges”
Court correspondent, Policing, The Register UK, 4 April 2011 – last access 5 April 2011 – ( Full Article )


Solid-State Disk Behavior Underlying Digital Forensics

“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.

– snip –

A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.

– snip –

As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:

data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”

“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, 7 March 2011 – last access 1 April 2011 – ( Full Article )

“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)


StarLogger Keylogger Found on New Samsung Laptops

Keylogger software reported by Mohamed Hassan on two new Samsung laptops. Note the second Network World piece below: Samsung disputed the finding, and the detection turned out to be the scanner flagging the Windows “SL” (Slovene) language folder under the path that the StarLogger product uses, a false positive rather than a factory-installed keylogger.

“.. Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.

– snip –

While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed “licensed commercial security software” before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory..

– snip –

A support supervisor then confirmed that Samsung knowingly put this software on the laptop to “monitor the performance of the machine and to find out how it is being used,”


“Samsung installs keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011 – last access 31 March 2011 – ( Full Article )

“Samsung responds to installation of keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011 – last access 31 March 2011 – ( Full Article )

“Samsung Installs Stealthy KeyLogger on Brand-New Laptops”
Fahmida Y. Rashid, eWeek, 30 March 2011 – last access 31 March 2011 – ( Full Article )


Dell takes digital forensics mobile

“.. Dell on Thursday launched another installment of its digital forensics bundle so law enforcement can collect data faster from crime scenes.

The company took its digital forensic bundle—Spektor Forensic Intelligence software from Evidence Talks and rugged hardware—and extended it to mobile devices. The goal: Examine data at a crime scene and collect data on the fly from various storage devices ..”

Larry Dignan, ZD Net, 24 March 2011 – last access 25 March 2011 – ( Full Article )


Reliably Erasing Data From Flash-Based Solid State Drives

Interesting paper by Wei et al.

“.. Sanitizing storage media to reliably destroy data is an essential aspect of overall data security. We have empirically measured the effectiveness of hard drive-centric sanitization techniques on flash-based SSDs. For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time. We found that none of the available software techniques for sanitizing individual files were effective. To remedy this problem, we described and evaluated three simple extensions to an existing FTL that make file sanitization fast and effective. Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations ..”

“Reliably Erasing Data From Flash-Based Solid State Drives”
Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson, USENIX FAST 2011 – last access 16 March 2011 – ( The Paper )

“.. In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques.

Even when the next-generation storage devices show that files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, presented at the Usenix FAST 11 conference in California. In some cases, the SSDs, or solid-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations.

The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change ..”

“Flash drives dangerously hard to purge of sensitive data”
Dan Goodin, The Register UK, 21 February 2011 – last access 16 March 2011 – ( News Article )
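Both SSD items above (Gezelter’s summary of Bell and Boddington, and Wei et al.) come down to two properties of the flash translation layer: writes never go in place, so superseded data lingers in pages the FTL no longer maps, and the drive erases blocks it considers unused on its own schedule, with no host command involved. The toy FTL below is an added example, not code from either paper; geometry, page size and data are constructed, and it skips the relocation of live pages that a real garbage collector also performs. The two demo functions reproduce the two findings: overwriting a file’s LBA leaves the original page intact, and two write-blocked acquisitions of the same deleted data disagree once the drive has had power long enough to pre-clear.

```python
"""Toy flash translation layer (added example, not from the cited papers)."""
import hashlib
from typing import Dict, List, Optional, Tuple

Loc = Tuple[int, int]   # (block, page)


class ToyFTL:
    PAGE = 16   # bytes per page (toy size)

    def __init__(self, blocks: int = 4, pages_per_block: int = 8) -> None:
        self.ppb = pages_per_block
        self.flash: List[List[Optional[bytes]]] = [[None] * pages_per_block for _ in range(blocks)]
        self.l2p: Dict[int, Loc] = {}     # live mapping: LBA -> physical page
        self.stale: Dict[int, Loc] = {}   # trimmed LBAs whose last page has not been erased yet
        self.wp: Loc = (0, 0)             # write pointer: a programmed page is never rewritten

    def _alloc(self) -> Loc:
        b, p = self.wp
        if b >= len(self.flash):
            raise RuntimeError("no erased pages left")
        self.wp = (b, p + 1) if p + 1 < self.ppb else (b + 1, 0)
        return b, p

    def write(self, lba: int, data: bytes) -> None:
        """Host write: remap the LBA to a fresh page; the old page keeps its content."""
        assert len(data) == self.PAGE
        self.stale.pop(lba, None)
        b, p = self._alloc()
        self.flash[b][p] = data
        self.l2p[lba] = (b, p)

    def trim(self, lba: int) -> None:
        """Host declares the LBA unallocated (file deleted, quick format)."""
        if lba in self.l2p:
            self.stale[lba] = self.l2p.pop(lba)

    def read(self, lba: int) -> bytes:
        """Logical view: what a write-blocked imager gets back for this LBA."""
        loc = self.l2p.get(lba) or self.stale.get(lba)
        page = None if loc is None else self.flash[loc[0]][loc[1]]
        return page if page is not None else b"\x00" * self.PAGE

    def gc(self) -> int:
        """Drive-side pre-clearing: erase every programmed block that holds no live page.
        Nothing the host does triggers it; it runs whenever the drive has power."""
        live = set(self.l2p.values())
        erased = 0
        for b, block in enumerate(self.flash):
            if any(pg is not None for pg in block) and not any((b, p) in live for p in range(self.ppb)):
                self.flash[b] = [None] * self.ppb
                erased += 1
        return erased

    def physical_copies(self, data: bytes) -> int:
        """Chip-off view: pages anywhere in flash that still hold this content."""
        return sum(pg == data for block in self.flash for pg in block)

    def image_hash(self, n_lba: int) -> str:
        """Hash of a logical acquisition of LBAs 0..n_lba-1 (what an imager would checksum)."""
        return hashlib.sha256(b"".join(self.read(l) for l in range(n_lba))).hexdigest()


def demo_overwrite_does_not_sanitize() -> Tuple[int, bool]:
    """Wei et al.: overwrite a file's LBA several times; the original page survives."""
    ssd, secret = ToyFTL(), b"TOP-SECRET-0001!"
    ssd.write(3, secret)
    for _ in range(3):                       # three "wipe" passes over the same LBA
        ssd.write(3, b"\x00" * ToyFTL.PAGE)
    return ssd.physical_copies(secret), ssd.read(3) == b"\x00" * ToyFTL.PAGE


def demo_acquisitions_disagree() -> Tuple[bool, bool, bool]:
    """Bell & Boddington: delete everything, image twice with the drive powered in between."""
    ssd = ToyFTL()
    for lba in range(8):
        ssd.write(lba, bytes([0x41 + lba]) * ToyFTL.PAGE)
    for lba in range(8):
        ssd.trim(lba)
    first = ssd.image_hash(8)
    recoverable_before = ssd.read(0) == b"A" * ToyFTL.PAGE
    ssd.gc()                                 # happened by itself while the examiner swapped cables
    second = ssd.image_hash(8)
    return recoverable_before, first == second, ssd.read(0) == b"\x00" * ToyFTL.PAGE


if __name__ == "__main__":
    print("copies left, logical read wiped:", demo_overwrite_does_not_sanitize())
    print("recoverable before gc, hashes match, wiped after gc:", demo_acquisitions_disagree())
```

The practical consequence for both papers is the same: the only view that is authoritative is the one through the controller, and even that is only stable for as long as the drive has no power, which is why Wei et al. ask for sanitize operations that are verifiable and why the write blocker alone no longer guarantees a repeatable hash.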


Stuxnet worm’s true origins ?

Interesting article on the possible origins of Stuxnet…?

“.. The worm, Stuxnet, is a Trojan horse said to have disabled Iran’s nuclear weapons program. The New York Times said late last year, “Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.” The Times updated their take on January 15, 2011 calling Stuxnet, “the most sophisticated cyberweapon ever deployed…experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009 ..

– snip –

No one is looking back to a time in the mid-70s, when an obscure program called Promis first reared its head. Promis, according to sources, is at the root of Stuxnet. Promis was a computer program that promised to help US prosecutors track criminals and legal maneuverings through the system, “Prosecutor’s Management Information System.” The people-tracking software was later marketed by a firm named Inslaw, under the auspices of William Hamilton, a former NSA officer who still markets a version of the product today.

– snip –

By the late 1980s, Promis programs had been sold to Britain, Australia, South Korea and Canada. Allies harmless enough, right? But then up next was the KGB. There are multiple claims as to who sold Promis to the Russians. Several, including a source of mine, said it was newspaper mogul Robert Maxwell in assistance to Israel. Another acquaintance, former double agent David Dastych (Polish intell working for the CIA during the Cold War) said that an American intelligence officer admitted to him, “Yes, we gave Promis to the Russians and Chinese to back door their intell. Worked like a charm.” Both claims may overlap. In fact, the KGB is said to have used Promis for over 15 years. At first, there was nothing to suspect since malicious malware had not really been coined. Few back then understood the power of the computer, and so the Trojan horse entered the realms of international espionage, the microscopic spy ..”

Stuxnet worm’s true origins are exposed
PJ Wilcox, 22 February 2011 – last access 3 March 2011 – ( Full Article )


Further to this article:

“.. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed — mission accomplished. That’s easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems ..

this is a directed attack. It’s completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it’s trying to infect is actually running on that target. And if not, Stuxnet does nothing ..

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It’s way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about — round about 15,000 lines of code. Looks pretty much like old-style assembly language ..

The big digital warhead — we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can’t overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match ..

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure ..

This attack is generic. It doesn’t have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don’t have — as an attacker — you don’t have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That’s the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They’re in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments ..

My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that’s the United States — fortunately, fortunately. Because otherwise, our problems would even be bigger ..”

Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner, TED2011, March 2011 – Full Talk


EnCase EnScript to export MFT slack

Useful EnCase EnScript from Lance Mueller for extracting the contents of MFT record slack.

“.. MFT slack, that is, the data that may exist between the end of a logical MFT record and the end of the physical MFT record. A typical MFT record can be anywhere between 400 to 700 bytes in length, but the MFT allocates 1024 bytes for each record. This can cause data to be left from previous records, the same way data remains in file slack at the end of a cluster.

– snip –

The EnScript will process every MFT found in the case. The EnScript only exports data in the MFT record slack area with an ASCII value between 0x20 (space) and 0x7E (tilde). A folder is created in the case default export folder named “MFT Slack” and a file with a record number is created for every MFT record that contains slack. The reason this method was used, was so if you review the exported data and find something of interest, you can quickly map it back to the exact MFT record where it came from. If a MFT record has no data in slack, then no export file is created for that record. ..”

Lance Mueller, ForensicKB, 21 February 2011 – last access 27 February 2011 – ( Full Article and to download the EnScript )


Time Stamps on NTFS, examination of the MFT

Interesting article on examining NTFS timestamps (and spotting Timestomp-style alteration of FILETIME values) by highlighting the differences between the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes. The article refers to a Perl script previously written by Harlan Carvey to output the results.

“.. Chronological data about the files on a Windows system are stored in something called the Master File Table or $MFT ..

– snip –

there are two places in the MFT that store this chronological data. One is the $Standard_Information ($S_I) attribute, and the other is the $File_Name ($F_N) attribute ..”

Cepogue, The Digital Standard, 23 February 2011 – last access 26 February 2011 – ( Full Article )


Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations

Interesting article by Lance Mueller on file timestamps (NTFS and FAT).

” .. an examiner should be familiar how the time values are stored on NTFS volumes AND the need to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second, when there is any suspicion of tampering .. ”

Lance Mueller, ForensicKB, 21 January 2011 – last access 23 January 2011 – ( Full Article )
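The three MFT items above (slack export, $SI versus $FN comparison, and FILETIME precision) all start from the same parsing work, so here is one added example that covers them; it is not Lance Mueller’s EnScript nor Harlan Carvey’s Perl. It parses a single 1024-byte FILE record, applies the update sequence fixups that a raw read of the $MFT needs before any offset is trustworthy, decodes the $STANDARD_INFORMATION and $FILE_NAME timestamps at the raw 100 ns tick level that the GUI tools round away, flags the two classic tampering tells (whole-second $SI values, and $SI creation earlier than $FN creation), and carves printable bytes from the slack between bytes-in-use and the allocated size with the same 0x20–0x7E filter the EnScript uses. Field offsets follow the documented NTFS on-disk layout; the record itself is constructed in memory with a back-dated $SI so the checks fire.

```python
"""NTFS MFT record triage: fixups, $SI/$FN timestamps, slack carving (added example)."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF
TICKS_PER_SEC = 10_000_000


def filetime(ticks: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; keeps microseconds, drops the last digit."""
    return EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    return (dt - EPOCH) // timedelta(microseconds=1) * 10 + extra_ticks


def apply_fixups(rec: bytearray) -> None:
    """Restore the last two bytes of each 512-byte sector from the update sequence array."""
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    for k in range(1, usa_cnt):
        end = k * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_ofs + 2 * k:usa_ofs + 2 * k + 2]


def parse_record(raw: bytes) -> Dict[str, object]:
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    apply_fixups(rec)
    attr_off = struct.unpack_from("<H", rec, 20)[0]
    used, alloc = struct.unpack_from("<II", rec, 24)
    out: Dict[str, object] = {"used": used, "alloc": alloc, "slack": bytes(rec[used:alloc])}
    pos = attr_off
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END or alen == 0:
            break
        if rec[pos + 8] == 0:                                   # resident attribute
            vlen, voff = struct.unpack_from("<IH", rec, pos + 16)
            val = rec[pos + voff:pos + voff + vlen]
            if atype == SI:
                out["si"] = struct.unpack_from("<4Q", val, 0)    # created, modified, MFT modified, accessed
            elif atype == FN:
                out["fn"] = struct.unpack_from("<4Q", val, 8)    # same four, after the 8-byte parent ref
                out["name"] = val[66:66 + 2 * val[64]].decode("utf-16-le")
        pos += alen
    return out


def printable_slack(slack: bytes) -> bytes:
    """Same filter as the EnScript: keep only bytes 0x20..0x7E."""
    return bytes(b for b in slack if 0x20 <= b <= 0x7E)


def timestamp_flags(rec: Dict[str, object]) -> List[str]:
    si, fn = rec["si"], rec["fn"]
    flags = []
    if all(t % TICKS_PER_SEC == 0 for t in si):   # user-mode stomping tools usually write whole seconds
        flags.append("SI timestamps have zero sub-second component")
    if si[0] < fn[0]:                             # $FN is set at creation and not exposed to those tools
        flags.append("SI created earlier than FN created")
    return flags


def build_sample_record(si_times, fn_times, name: str, leftover: bytes) -> bytes:
    """Constructed record: 48-byte header, USA, $SI, $FN, end marker, then bytes left by a prior occupant."""
    def resident(atype: int, val: bytes) -> bytes:
        total = (24 + len(val) + 7) & ~7          # attribute records are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(val), 24, 0, 0)
        return (hdr + val).ljust(total, b"\0")
    si_val = struct.pack("<4Q", *si_times) + b"\0" * 16
    fn_val = (struct.pack("<Q", 5) + struct.pack("<4Q", *fn_times) + b"\0" * 24
              + bytes([len(name), 1]) + name.encode("utf-16-le"))
    body = resident(SI, si_val) + resident(FN, fn_val) + struct.pack("<I", END)
    used = 56 + len(body)
    rec = bytearray(1024)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1, used, 1024, 0, 3, 0, 7)
    rec[56:used] = body
    rec[used:used + len(leftover)] = leftover
    usn = b"\x01\x00"
    rec[48:50] = usn
    for k, end in enumerate((510, 1022), start=1):   # save sector tails into the USA, stamp the USN over them
        rec[48 + 2 * k:50 + 2 * k] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    fn_c = to_filetime(datetime(2011, 2, 20, 10, 15, 30, 123456, tzinfo=timezone.utc), 7)
    si_c = to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
    r = parse_record(build_sample_record((si_c,) * 4, (fn_c,) * 4, "report.docx",
                                         b"\0\0old:C:\\Temp\\dropper.exe\0\0"))
    print(r["name"], filetime(r["fn"][0]).isoformat(), "sub-second ticks", r["fn"][0] % TICKS_PER_SEC)
    print(timestamp_flags(r), printable_slack(r["slack"]))
```

To run it over a real $MFT, read the file in 1024-byte slices (the record size is in the boot sector; 1024 is the common case) and skip slices that do not start with FILE. Neither heuristic is proof on its own: some legitimate software sets whole-second times, and a file moved between volumes gets a fresh $FN, so treat the flags as a prioritisation aid, as the articles above do.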

Independent Research and Reviews of iPhone Forensic Tools

“.. This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information. For questions about our research or our services, please contact us.

Note: viaForensics is independent and is not compensated in any way by the makers of the software reviewed in this white paper.

1. About this white paper
2. iPhone Forensics Overview and Techniques
3. Cellebrite UFED
5. Oxygen Forensic Suite 2010 PRO
6. Micro Systemation XRY
7. Lantern
8. MacLock Pick
9. Black Bag Technology Mobilyze
10. Zdziarski Technique
11. Paraben Device Seizure
12. Mobile Sync Browser
13. CellDEK
14. EnCase Neutrino
15. iPhone Analyzer
16. Overall Rankings
17. Report Conclusions ..”

Andrew Hoog and Katie Strzempka, viaforensics, November 2010 – last access 26 November 2010 (Full Article )


Forensics: Recovering a 12-year old floppy disk with DD

“.. True story. Earlier this year I was handed a 12-year old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. DD can still image the raw media, skipping unreadable sectors and padding the output file with zeros to keep file structures intact wherever possible.

I booted up a Helix Live CD and ran:
dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync

After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost ..”

9 September 2009 – last access 30 September 2010 – ( Full Article )