Search Brett's Ramblings

http://www.brettshavers.cc/index.php/about

Compiling Identity in Cyber Investigations

Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

The Complete Identity

A physical identity (aka biometric identity) and digital identity comprises the complete identity of a person.  Biometrical features of a person, such as fingerprints and eye color, are bound to the physical identity and typically permanent to the person depending on the feature.  Although eye color can be temporarily changed with color contacts and hair can be temporarily dyed to a different color, the majority of physical features cannot be changed without drastic injury or surgery. 

Internet users create digital trails of use and subsequently (and without intention) create digital personas based on their unique computer use.  The normal, everyday use of the Internet creates a digital identity that is based on Internet surfing habits (the Websites visited), communications made online through forums, chats, e-mails, blog posts and comments, and through the accounts created for online services to include online shopping.

Compiling the digital identity and physical identity may seem like an obvious and easy task, but assembling the identities is not so simple.  In an ideal case, a suspect has a single physical identity and a single digital identity, but in reality, a person may have multiple physical personas tied to a single physical identity and multiple digital personas.  Some personas may be intentional while others unintentional.  For example, a criminal wanting to travel in a name other than his true name may create or purchase a fake driver’s license. As he goes about using the fake or stolen driver’s license, he creates a persona under the false name.  Although this persona is not truly a ‘physical’ identity, as it is not biometrically tied to a physical body, it is part of his physical identity as he uses the false name as if it were his true name. 

One example of a digital identity is the accumulation of normal Internet and computer use.  A person’s computer use is generally a reflection of that person’s personality, desires, and intentions.  The unique activity of one device is typically replicated across devices under that person’s control.  For instance, given a new computer, a user will configure it by personal preference by arranging icons, colors, sounds, and folder structure to save.  When the user has an additional computer, both computers will have a very similar order of computer activity when used over time and will even look the same, such as the placement of desktop icons and wallpaper choice.  Configurations of the computers will likely be similar, if not exact for some items, and Internet use will most certainly mirror each other by bookmarks and frequently visited Websites.  Merely comparing the type of computer use and configuration between two or more devices can give an indication that the same person used all of the devices. 

Adding to the complexity of finding both digital and physical identity of a suspect is that of multiple aspects of both types of identity.  A person leading a double life may have two spouses and two jobs with one being a false identity.  This person is physically tied to both identities, even if the false identity contains no true information.   Leading a double life is an extreme example of a fake physical identity, and examples that are more common include using a fake ID to make consumer purchases, or using fake names to register at hotels.  The depth of a fake physical identity depends upon the person’s intention and resources. Types of physical identifiers are seen in the following figure.

Digital identities, being far easier to create, generally mean that any one person can have multiple, or even hundreds, of fake digital identities.  A harassment suspect may have dozens of online identities that he uses to harass a single victim or victims through repeated e-mails from different e-mail accounts created to appear as different people.  In any investigation, treat each digital identity as its own identity that will be tied to a physical person at some point in the investigation.  Each identity gives information about a person based on the fake identity, whether the only information is the username of an e-mail or a completely falsified social networking account.

An example of having multiple digital identities is that of one fake identity used to create specific online accounts and a different fake identity used to create other specific online accounts.  In this manner, a person is simply trying to distance himself from something (such as registering for a pornographic Website) by using a fake digital identity while using a different fake identity to distance himself from other aspects of his online life.  An investigator who can identify the fake accounts adds to the case by showing the intentionally hidden aspects of a personality, motive, or intention of the real person based on the real person’s actions under the fake digital identities.  A pedophile whose physical identity has no ties to pedophilia may appear innocent until fake digital personas are found and tied to his physical identity.

Of note is that each person has a true physical identity and a true digital identity.  Typically, the true digital identity shows the real information, such as a real name, and is easily tied to the physical person.  However, every identity and persona (real and fake, digital and physical) should be compiled together to show the complete identity of a person.  False information is just as important as the true information to build a complete picture of a suspect.

A great example of tying a physical identity to a false persona is in the Silk Road case where the creator of Silk Road (Ross Ulbricht) used his public e-mail/forum (rThis email address is being protected from spambots. You need JavaScript enabled to view it.) account on the open Internet to market the Silk Road.  One simple post eventually tied his legitimate physical identity to a secret, false, and criminal persona on the Dark Web site, the Silk Road.

Identifying the digital identity becomes easier as Big Data continues to grow exponentially through massive data collection by government and corporations.  Social media sites contribute to identifying digital identities as the connectivity between sites exists through single usernames, using the same e-mail address across online accounts, and algorithms created to ‘find’ friends based on relationships and Internet use.  The digital identity is the sum of all electronic information of a person.  Corporations have been compiling digital identities of consumers in order to focus on advertising efforts.  Investigators should focus on compiling digital identities of suspects to determine motive and opportunity.

Any investigation benefits by compiling the complete identity of suspects.  Whether the identities contain true information about a suspect is not as relevant as tying the identities and personas to a person. Motives and intentions are clearer with a complete picture of a person in both the physical and digital worlds. 

Now that you know the ‘why’, become competent in the ‘how’ in each investigation with thorough research to find the connection between each identity in order to place your suspect at the keyboard.  Digital forensic skills are necessary and important, but solid cases usually need some old fashioned, gumshoe detective work too.

  3532 Hits
  0 Comments

The Secret to Becoming More-Than-Competent in Your Job

The Secret to Becoming More-Than-Competent in Your Job

I was part of an interesting and product online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking, forensics, how to catch hackers, and a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes and nothing of which that has any impact on a criminal using the information to get away with a crime.

The one thing I wanted to stress that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught using the very techniques they know.  Proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable of not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession, books on how not to get caught.   The most diligent criminal can be identified and arrested by simple mistakes made and sometimes by sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime”?  I learned a lot after hundreds of bookings.  I learned so much that when I make it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

The point of all this is that talking to “the other side” is not a terrible idea.  Working on the law enforcement side, I promise that if you have a conversation with a criminal defense expert, you will learn something to help win YOUR case.  If you talk to a hacker, you will learn something to help figure out YOUR cases.  The best part, like I said, nothing you give will make a criminal’s job easier.  In fact, anything you say will only make them worry and make more mistakes.

If you are more-than-competent, you can do your job like a magician.   My first undercover case was buying a gram of meth from a cold phone call of a guy I didn’t even have a name for.  As soon as we met, I recognized the meth dealer as someone I arrested a half dozen times when I was in patrol.   Luckily for me, he didn’t recognize me and believed my UC role.  Arrested, booked, and convicted.  This was a career criminal with dozens of arrests who probably met more cops that I ever did at that time.  Still, he was arrested, by me, because I was more-than-competent in my job.  Digital forensics work is no different.

Talk to everyone and share.  I promise you will get more than you give.  And there is no shame in learning that you don't know it all, because none of us do.

  1960 Hits
  0 Comments

Behind the Keyboard - Enfuse 2016 Presentation download

I had the amazing honor of speaking before a full room at Enfuse this week.  This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well.  Kudos to poolside event coordinator.  Those who know my forensic tool choices also know that I do not use Encase as my primary forensic tool.  However, I have a license for v7 and have used Encase since v4 (with sporadic breaks of use and licensing).

This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard).  I say “snippet” because one hour is not even near enough time to talk about the investigative tips in the books.  I was able to give a few good tips that I hope someone will be able to take the bank and boost case work.   I could spend weeks talking about investigative methods of not only finding suspects that are using computers to facilitate crimes, but also to place them at a specific device with both forensic analysis and traditional investigative techniques.   

After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slidedeck for them and others who may want to see high-level notes from the Powerpoint slides.  However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases.  I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well.   Nonetheless, the meat and potatoes of the presentation is in the below PDF.

  

 

A few toughts on digital forensic skill development and giving away investigative secrets

Forensic examiners/analysts generally follow the same path in skill development, with some exceptions of course.  For most of us, the tools are just plain neat and we initially focus on the tools.  High tech software and using the type of hardware that you cannot find at Frys turns work into play.  We dive into the box, swim around in it for days, weeks, or even months, and then we pull out every artifact we can to write a report of what happened ‘in the box’.  Writing a report usually means pushing the "Create Report" button. I suggest that every examiner go through this stage quickly and move forward.  Get it out of your system as soon as you can. There is more to digital forensics than the toys, I mean, tools.

Digital forensics investigators must investigate, unless your job is solely looking at data because someone else is investigating the case.  This is where leaving the stage of ‘playing with high-tech toys’ turns the new forensic examiner into a real digital forensics crime fighter.  When an examiner can integrate data recovered from ‘the box’ with information collected from ‘outside the box’, using any tool and investigative method available, we have a competent and effective digital forensics investigator, not just a tool user.

I have always believed that a good digital forensics investigator can practically use any software, as long as the software can do the job, without relying on the software to do the complete job.  Pushing a button to find evidence, then pushing another to print a report does not a forensic analysis make.  Just as Picasso could paint a masterpiece only using an old paintbrush and watercolors, a good forensic examiner can make a great case with only using a hex editor and gumshoe detective mindset.  The high-tech tools should be used to make the work easier and faster without becoming a crutch.

And that was the inspiration of why I wrote Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard, boiled down in two simple intentions:

1) To push forensic examiners out of the high-tech toy reliance into becoming a well-rounded, effective, efficient, and competent investigator.

2) As a reminder to the former investigator-turned-forensic-analyst to get back into the investigative mindset.

If you are currently in the ‘gotta-have-the-most-expensive-tools-on-the-planet’ stage while at the same time not working outside the CPU, don’t fret. It happens to most everyone, and not just in the digital forensics field.  When I was a young Marine, I went to the local army surplus store and base PX to buy every cool tool I could think that would help me in the field.  I had so many ‘tools’ that my ALICE pack looked like a Christmas tree dangling a five years' worth of trinkets from New Orleans’ Mardi Gras parades.  After one trip to the field, I realized how much money I wasted on unnecessary gear (if you could actually call some of those things I bought "gear"..) and focused on using only the things that work and making things work for me.  Digital forensics work is no different.  Consider yourself DFIR SEALTeam 6 once you can work a case using ANY computer and ANY tool.

Giving away trade secrets?

There is a long-standing problem in the digital forensics world: Sharing, or rather, lack of sharing.  Yes, experts and practitioners share their work, but many do not.  I completely understand why.  When you share your ideas and research to the public, there is a fear that the bad guys will see it and use it for their benefit.  The fear is that once the methods are known to the criminal world, the methods become ineffective.

In short, that thinking is incorrect.

First off, cybercriminals and criminals, in general, share information with each other.  They share the methods when they work together to commit crimes, they share it online,  and they share it during their stays in the big house.  Still, they get caught.  Still, they make mistakes. Still, the methods work against them.  I have even arrested drug dealers when they had in their possession, books on 'how not to get caught dealing drugs'.  Cybercrime is no different.  An entire website can be written on how to get away with crime on the Internet and read by every cybercriminal, and yet, they can still be identified, found, and arrested.  

Second, lack of sharing only hurts us all. If you were to find a better way to find evidence, but keep it to yourself, the entire community stagnates.  But when shared, we push ourselves ahead in skills.  Do not be afraid that the bad guys will get away with crimes if they know how you catch them.  Just as watching a Youtube video on Marine Corps boot camp does not make boot camp any easier, criminals that know how we place them behind a keyboard does not negate the process that can place a suspect behind a keyboard.  In fact, the more they know, the more chance they will slip up more than once out of sheer fear of how easy it is to put enough investigative resources to find a criminal that cannot be countered with any amount of preparation.  

  2190 Hits
  0 Comments

Reviewing a tech book technically makes you a peer reviewer…

    If you have been in the digital forensics world for more than a day, then you know about peer reviews of analysis reports.  If you have ‘only’ been doing IR work where forensics isn't the main point (as in taking evidence collection all the way to court), then you may not be reading reports of opposing experts.  Anyway, the opposing expert peer review is one of the scariest reviews of all since the reader, which is again, the opposing expert, tries to find holes in your work.  The peer review is so effective to push toward doing a good job that I think it prevents errors by the examiner more than it does help opposing experts find errors of the examiner.  Peer reviews take different shapes depending on where it is being done (review of a book draft, review of a report, etc...) but in general, a peer review is checking the accuracy of the written words.

    Academia has always been under the constant worry of peer reviews.  One professor's journal may be peer reviewed by dozens of other professors in the same field, with the end result being seen by the public, whether good or bad. Peer reviews are scary, not for the sake that you made a mistake, but that maybe you could have missed something important that someone else points out to you.

    If you read a tech book and write a review of it (formally in an essay/journal, or informally on social media), consider yourself a peer reviewer of tech writings.  That which you say, based on what you read, is a peer review of that material.  Think about that for a second.  If you are in the field of the book you are reviewing, you practically are tech reviewing that book for accuracy (so make sure you are correct!).  That is a good thing for you as it boosts your experience in the field.  Always be the expert on the stand who can say, “I’ve read x number of forensic books and have given x number peer reviews on social media, Amazon, essays, etc….”.  If for nothing else, this shows more than that you just read books.  You read for accuracy and give public review of your findings. Nice.

    There is some stress in writing a peer review because you have to be correct in your claims.  Sure, maybe some things in the book could have been done a different way, but was it the wrong way?  The manner in which you come across in a peer review is important too.  Crass and rude really doesn't make you look great on the stand if you slam a book or paper.  You can get the point across just as well by being professional.

    Writing books takes no back seat to peer review stress, especially when it comes to technical books.  Not only does the grammar get combed by reviewers, but the actual technical details get sliced and diced.  Was the information correct? Was it current and up-to-date?  Is there any other information that negates what was written in the book?

    So, to get any positive reviews makes for a good day.  Not for the sake of ego, but for the sake of having done it right so others can benefit from the information.  Writing is certainly not about making money as  much as it is putting yourself out there to share what you have learned at the risk of having your work examined under a microscope by an unhappy camper.

    b2ap3_thumbnail_HBTK.JPGWhich brings me to my latest reviews for Hiding Behind the Keyboard.  This is my third tech book (more to come in both nonfiction and fiction) and with each book, I have always cautiously looked at Amazon book reviews each time.  Not that I have written anything inaccurate, inappropriate, or misleading, but that I just want to have written something useful in a topic that I wish existed when I started out in the digital forensics field.  My best analogy of what it is like to write a book is to walk outside to your mailbox nude and then check Facebook to see what people say about you…then do it again.  At least I don't have a Facebook account...

    So far, the reviews for my latest book show that I did a good job (my gratitude to the reviewers).

And that brings me to another point of this post. 

    One of the social media reviewers is actually in a case study in the book.  Higinio Ochoa read and reviewed my book in a Tweet (as seen below).   

 

    You will have to check the Internet to get Hig’s story, or read it my book…  Suffice to say he was a hacker who was caught, and then ended up as one of the case studies in my book.  Positive reviews from forensic experts are great, but so are reviews from former hackers that can double-validate the work.  Like I said, it takes a lot of guts to write a book and almost as much guts to peer review it in public.  That’s what we are doing when we write a review of a tech book.  We are all peer reviewers.

 

  1491 Hits
  0 Comments

When everyone's talking about it

When everyone's talking about it

The King County Library System asked me to present on cyber safety topics in a very neat program they have (“When everyone’s talking about it..”).  I have been giving two separate, but related presentations and both have been well-received by those who have attended.  Mine is but a small part of the KCLS program.  I have even attended presentations that I had interest  (like the presentation on drones!).  

For the most part, I have skipped over the basics in my presentations. There really isn’t much need to talk about “what is email” or “the Internet is a bunch of computers connected together”.  We all know that kind of information.  Rather, I have been giving practical advice on what to do right now to reduce the risk of having your devices compromised by hackers and reducing the risk of predators accessing your children online.  Every bit of information I talk about is real time applicable, from reducing your digital footprint to surfing the Internet while maintaining your privacy.  I even show how to use the Tor Browser and encrypted email!

In every presentation, I am seeing parents take notes furiously, ask serious questions, and show a genuine interest in online safety for their families and themselves.  For me, this is easy stuff.  I have already raised two kids in the digital age of Facebook and cell phones (hint: they survived, but still not easy).  And I have investigated cybercriminals (hackers, child pornographers, and others who have used technology to commit crimes).  That is the biggest benefit to attendees I try to give.  Cram as much pertinent information from what I know into an afternoon or evening presentation that can be put to use right away.  Free to anyone.

This is one of the few presentations you can step out the door and put the information to use before you get home.

But if you think this is just another Internet safety program, you are mistaken.  I go through how to use social media to help get (or keep) a job, get into (or prevent getting kicked out) of school for families and individuals, and reduce the risk of cyberbullying.  I show how easy it is for anyone to be a victim by clicking the wrong link or opening the wrong email along with ways to identify the dangerous links and emails. The term "Third party provider" takes on a whole new meaning to attendees when they are shown the ways their personally identifiable information (PII) can be stolen when stored on third party service providers such as their health insurance company or a toy company.

Most importantly, I answer tough questions. Although I give some guidance on creating family rules and personal use of technology, I leave it up to the invididual and family to decide what is appropriate. My guidance is to show how to create rules on the foundation of safety. Everything else is up to personal morals and values.

I’d like to credit the King County Library System for adding these presentations to their program this year because cyber safety is probably one of the most important topics today.   Everything comes down to cyber.  Whether it is personal information being leaked or hacked online or a child being lured from home, cyber is serious.  You can use technology safely and still enjoy the benefits but to ignore safety is like betting the farm on the Roulette wheel.  You never know when your number will come up, but when it does, it will hurt and hurt for a long time.

As far as this program (When everyone's talking about it) goes, KCLS nailed it.  I have organized more than a dozen training events and several conferences over the past decade.  I know exactly the effort needed to put something like this together and KCLS did it right.  If you are in King County, Washington, you really should check out the programs.  They do a fantastic job at a price you can't beat anywhere.  

As for me, I only have two more talks left.  All you need to do is show up.  No RSVP.  No charge.  Free parking.

Again, kudos to KCLS for putting this great program together.  Let's do it again next year.

----------------------------------My next talks----------------------------------

Cell Phones in the Family

Woodmont Library

26809 Pacific Hwy S, Des Moines, WA 98198

April 30, 2016      2PM – 3:30PM

 

Cell Phones in the Family

Newport Way Library

14250 SE Newport Way, Bellevue, WA 98006

June 23, 2016       7PM – 8:30PM

  2075 Hits
  3 Comments

I'm just a Tor exit node! I'm just a Tor exit node!

I'm just a Tor exit node!  I'm just a Tor exit node!

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases.  The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address.  In an investigation case of following a suspect to his home, it is easy to physically see the house for which you plan to swear to in an affidavit.  But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home.  Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is so common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than the data flows through it.  I have taught and wrote about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give to how relying on a Tor exit node to accurately reflect the physical address is that using an envelope.  Consider a criminal committing a crime through the mail (mailing drugs or something like that).  Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street.  Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package.  Any investigator charged with tracking criminals online must (not should) be aware of how Tor works.  Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved.  You just can't get around knowing it unless you don't mind kicking down the wrong door one day..

https://www.torproject.org/about/overview.html.en

On side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children.  I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidently, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

 

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT

  2541 Hits
  2 Comments

Barking up the Encryption Tree. You're doing it wrong.

Barking up the Encryption Tree.  You're doing it wrong.

There always comes a time when an obscure, yet important concept, leaves the technical world and enters the main stream.  Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along, but the GFP (general f’ing public) was oblivious.

Encryption is just the most current ‘old’ thing to make the limelight.  Whenever something like this happens, there are ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything.  It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.

b2ap3_thumbnail_bancalifornia.JPG

Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

b2ap3_thumbnail_engima.JPG
Enigma encryption...for sale on Amazon.com

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

b2ap3_thumbnail_veracrypt.JPG
Free encryption software: https://sourceforge.net/projects/veracrypt/

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications.  “Private” does not mean “illegal”.  Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will their only customers.  Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators.  One of the first questions I asked was 'Given authority and ability, what would like to see done in regards to the Internet?".  Most answers were to 'lock it down', 'watch everything', 'control it all', and "give government complete control".  At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person business, including the government.  Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.

b2ap3_thumbnail_envelope.JPGI also do not believe that there is any one 'thing' that can prevent the apprehension of criminals, prevention of terrorist attacks, or investigation of a crime.  If encryption can do all of those, we need better investigative training for our detectives and case officers.
  1794 Hits
  0 Comments

The four corners of the Apple v FBI encryption debacle

The four corners of the Apple v FBI encryption debacle

If only the FBI had picked a case where the issue was clear cut…that would make this encryption issue so much easier.

  1. The FBI doesn’t want Apple to simply “unlock” the phone.

Apple (and just about every other high tech company) has been unlocking devices and allowing access to data for law enforcement for decades.  That’s not the issue here.  The FBI wants the encryption to be broken. They want software to be rewritten or written that compromises security features. That’s a lot different than just unlocking a device.  That request breaks security.  Worse yet, it sets a precedent.  Law enforcement knows about precedent setting laws. Sometimes it is good, but sometimes it is not.

  1. It’s not the end of the world if encryption is broken.

Our lights will still turn on. Cars will still run.  Kids will still be able to go to school.  However, online payment systems will be as protected as a wet paper bag, secure communications will be as secure as Windows 3.1, and anything you send electronically is fair game to hackers (and government).  But don’t worry. If encryption is banned or broken, there will still be those able to use encryption (hint: one is government and the other is not law-abiding citizens).

  1. “Terrorist will Go Dark” is the best marketing ever created by government. 

The only time terrorists are not operating in the dark is when they use social media in the open, print terrorism training manuals (which are then posted online), and killing people in the open.  Plus, they still have to drive, fly, walk, eat, sleep, talk, go to the doctor, read a book, watch TV, and surf the Internet.  Terrorist and criminals have all the faults of ‘regular’ folks like complacency, laziness, incompetence, and bad luck when they plan and commit terrorist acts.  I've published two books on catching criminals (and terrorists) with online and forensic investigations.  You can put both books in the hands of a terrorist and the methods to find and catch them will still work.  "Going dark"? If a criminal or terrorist can do all the things needed to carry out their devious plans in encrypted emails ONLY, their plans are going to stink.  Planning an attack or conspiring to commit a crime requires way more than sending encrypted emails.  Working undercover in criminal organizations did teach me a thing or two in how it really works and how they really think and plan.

  1. You have nothing to hide, so what’s the big deal?

The government claims that since you cannot build a house that is impenetrable, you should not have use of encryption that can’t be broken.  Well..if I could make my home impenetrable, you bet I would. If I could buy a safe that was unbreakable, I would.  They just don’t exist.  It’s not that I have anything illegal to hide in a safe, but I don’t want anyone to steal what I have.  It’s not that I have anything top secret in an email, but I just don’t want strangers reading what I am sending to a friend, or to a business colleague.  The point is NOT having something to hide, but rather, NOT hanging my underwear in the front yard on a clothesline for anyone to see or steal (that is, if they wanted to steal my undies…).

And of course, if Apple loses, or bows down to government pressure, I can think of at least one less customer who will buy a "secure" device from Apple since the definition of "secure" will change to "that which you can't break, but hackers and government can". 

  2165 Hits
  0 Comments

Dude, just write the book.

Dude, just write the book.

I had a discussion with a peer of mine about writing a book, in that my peer has been thinking of writing a book but never gets around to doing it.  After about two years of listening to how he should write his book, my response was “Dude, stop talking about it and write the darn book.”

His book idea is a nonfiction technical book and is about **secret topic** (of course I’m not leaking the topic or title!).  He is an expert, or at least knows a heckuv a lot more about the topic than I do.  I would buy the book tomorrow.  I even said that if he had written this book when he first told me about it, we’d be talking about the next edition and I would have already bought the first edition.  "Dude, you’re two years and two editions behind now!”

Which brings me to my point. Years ago, I said the same thing.  “Hey, I think I could write a book.” I said it a few people and one of the guys told me, “Dude, just write the darn book.” And so I did.  Three times already. Started a fourth. Plans for a fifth.  All from one person telling me to stop talking about it and write the book.  I took the suggestion to heart because he had already published several books himself. Thanks HC.

Fair warning: It’s not easy.

If you can get a contract, you’ll have deadlines to meet, standards to keep up, and demands placed on you by the publisher. Worse yet, if you don’t have a contract and want to self-publish, you have to place those same demands on yourself.

So now you know the secret. Just write the darn thing.

      

  1554 Hits
  0 Comments

Let's not go all Patriot Act on this Apple - FBI encryption thing.

Let's not go all  Patriot Act on this Apple - FBI encryption thing.

I’ve been involved in about a half dozen conversations, three different email threads, and twice as many emails with friends and clients about this Apple – FBI encryption issue.   It seems to be a divided opinion with no compromise, at least as far as I can see.

 

FBI's Fight With Apple Over Encryption May Erode European Trust in US - Newsweek

http://news.google.com Sat, 20 Feb 2016 19:24:00 GMT

NewsweekFBI's Fight With Apple Over Encryption May Erode European Trust in USNewsweekMax Schrems, the Austrian who brought the Safe Harbor case to the European Court of Justice and won, tells Newsweek that the FBI's possible victory over Apple isn't too concerning to Europeans because it is a targeted access to data—not the pre ...and moreᅠ»

Read more ...

Here is my opinion: “Let Apple develop their software as they see fit for business and consumer demand, as long as their actions do not violate law.” 

That means that I am in agreement with Apple choosing to not decrypt a dead terrorist's phone. I am not a pro-terrorist or pro-criminal person. In fact, in my previous law enforcement career, I arrested more criminals personally than the rest of my 100+ officer department did…combined.  Not once did I have to break the law, bend the law, or misinterpret the law to make any of my cases in patrol or as a detective. Not once did I ask for any leniency or looking the other way ‘just this one time’ to make a case or to gather evidence. Not once. Ever.

So for any law enforcement agency asking ‘just this once’ to do something does not mean ‘just this one time’. It means, “just this one time until we ask again.”  Technical issues aside, whether or not Apple can unlock the phone or just doesn’t want to unlock the phone, the bigger question is why should they?  If a landlord refuses to give a key to a residence that SWAT has a search warrant for, SWAT will just boot the door. They can't force the landlord to give up the key.  I know this analogy is weak in the key area since you can't break unbreakable encryption, but the concept holds true. You can't force the landlord to give up the key unless the key is some how evidence.

Yes, yes, yes, I know this is a terrorist case. I’ve been involved in terrorism cases before  and exactly know how important these cases are (as I have also investigated murders..they are also important). I have seen quite enough to know how important it is to catch pedophiles, murderers, and terrorists. None should be on the street.  But that doesn’t mean taking shortcuts, bypassing Constitutional Rights, or asking a corporation to bend the rules a little to make a case.  Investigators can do this in Hollywood films, but not in real life.  

And yes, I have had cases where evidence was so little that probable cause to arrest didn’t exist. But such is life in the USA. Get PC (probable cause) and make the case or go back to square one.

After 9/11 and we panicked as a country to capture every terrorist responsible, the PATRIOT Act was typed, printed, signed, sealed, delivered, and implemented in 60 seconds flat. I was a federal task force officer at the time the PATRIOT when into effect. I have never seen such authority given to federal law enforcement in such short order without hardly a concern by the citizens the PATRIOT Act targeted (as in, it targets everyone's communications).  We do not need to continue along the lines of granting more authority to do what can already be done under the authority that already exists which is restricted to protect individual rights.  I’ve seen it misused before and it ain’t pretty. It's wrong.

As far as encryption goes, when any encryption is broken or perceived to broken, no one should use it. When TrueCrypt was reported to be flawed, it practically died, as it should.  Broken encryption is like a wet paper bag. It looks like it will hold your groceries until you actually put groceries in it.

Former NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable' - Billboard

http://news.google.com Thu, 18 Feb 2016 15:38:22 GMT

The Week MagazineFormer NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable'BillboardTim Cook's opinion that Apple should not develop a way to hack into the encrypted phone belonging to one of the San Bernardino shooters has earned an endorsement from an unlikely source, though it comes with a big "but." Michael Hayden, the former NSAᅠ...Ex-NSA, CIA chief Michael Hayden sides with Apple in FBI iPhone encryption fightThe Week MagazineFormer Director of CIA and N ...

Read more ...

As for me, any software provider (or secure device provider) that tries to sell me encryption that is so good that no one, including the NSA, can get into it, they better mean it. A disclaimer of, “well, sometimes we might let the FBI access our encryption” means that I am going somewhere else. I have nothing to hide, but I also am not going to cut a hole in my bedroom wall for anyone to peer in and look whenever they want.

For those who fall back on the ‘if you have nothing to hide, you have nothing to worry about’, I fully support your beliefs in waiving your protections. After all, I have given Miranda warnings more times that I can remember and I always asked the suspects if they wanted to waive their rights. Most said yes. It’s their right to waive their rights.  But for me, I’m not waiving anything and I’m not in agreement that the choice to waive or exercise my rights can be taken away because a case agent can’t get enough evidence without resorting to bending the rules ‘just this one time’.

I mean, really. Would you buy a safe to hold your most prized and valuable possessions  knowing that a master key exists? That's like trusting the safe in your hotel closet....

  2220 Hits
  0 Comments

Apple. Oranges. And Encryption.

Apple. Oranges. And Encryption.

One of the hottest topics currently is the FBI vs Apple battle over encryption, in that the FBI wants Apple to rewrite their operating system in order for law enforcement to bypass Apple’s encryption.  The arguments on both sides are strong. Law enforcement must have the ability to bypass encryption in the name of national security.  Conversely, consumers (in the USA at least) are afforded protections in the Constitution against unreasonable search and seizure.  The third part of this argument is security and safety of ALL electronic data.  If the legal argument stands that encryption is outlawed, that puts all data at risk of being compromised by criminals, disgruntled employees, and lackadaisical custodians of data.

Apple Fights Order to Unlock San Bernardino Gunman's iPhone - New York Times

http://news.google.com Thu, 18 Feb 2016 02:59:37 GMT

New York TimesApple Fights Order to Unlock San Bernardino Gunman's iPhoneNew York TimesApple executives had hoped to resolve the impasse without having to rewrite their own encryption software. They were frustrated that the Justice Department had aired its demand in public, according to an industry executive with knowledge of the case ...Google's CEO just sided with Apple in the encryption debateThe VergeOn Apple, the FBI, encryption, and why you should be worriedVentureBeatApple, The FBI And iP ...

Read more ...

Encryption does not explicitly have to be banned to outlaw encryption. Once a legal requirement of encryption having backdoors is created, encryption is effectively outlawed.

But I’m not writing about the legalities of encryption, nor the Constitutional protections of being secure in your home and possessions. There are many others debating those issues.  I’m writing about the practical law enforcement investigative efforts with encryption being a small sliver of the topic.  By the way, much of the 'encryption protections' marketed by providers such as Apple is pure marketing...access already exists in many instances.

 

Apple can read your iMessages despite them being encrypted - SC Magazine

http://news.google.com Wed, 27 Jan 2016 16:30:40 GMT

SC MagazineApple can read your iMessages despite them being encryptedSC MagazineDespite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form ...

Read more ...

For example, law enforcement receives an abundance of training on an annual and ongoing basis for an entire career. This training covers everything from blood borne pathogens to the application of deadly force.  Investigators receive so much training in how to conduct investigations that range from a broad overview of criminal investigations to specific courses on blood spatter patterns, that any investigator can probably be considered an expert in their respective fields. I stopped counting my formal training hours after it went well over 2,000 hours.  That’s 2,000 hours of formalized, in the classroom training. I’d guess I have close to 3,000 hours now.  Investigators know how to do an investigation and do not need to bend Constitional Rights to do an investigation. The ends do not justify the means.

So consider the amount of training law enforcement receives. Encryption is one small sliver.  It is so small that investigators don’t even take training in it unless they are dedicated digital forensic analysts.  Encryption is such a small concern in most cases that encrypted files are many times ignored in the investigations simply because there is so much more overwhelming evidence to make the case that fighting with an encrypted file or system isn’t worth the effort without knowing how long it will take to crack it (if ever).

And that is my point, or at least one of my points.

To be fair, I am not discounting the importance that encrypted files and systems can give to an investigation.  But at the same time, I personally know of cases were suspects have purposely created thousands of encrypted files on storage media that contained meaningless data for the sole purpose of making an investigator’s job difficult.

My point is that investigators have such an array of investigative tools that they do not need to dip into areas where a person’s possessions and papers are no longer secure.  Although television’s CSI typically exaggerates the tools and capabilities available, there are some neat things that do some neat stuff that you can’t buy off the shelf at Radio Shack.  To the extent the government wants backdoors in encryption, they may as well as for a masterkey for every safe made...just in case they can't force open a safe. Would you ever purchase a safe knowing that someone (or many people) have a master key to your safe?

In the area of providing backdoors in encrypted devices, I am on the edge of saying that if anything, this leans in the area of laziness.  I have seen only ONE case where the only evidence was on one laptop which was encrypted.  All other evidence was circumstantial and would have made a difficult trial. That laptop, to this day and my knowledge, sits encrypted in evidence after years collecting dust. The suspect walked away, no charges. Highly frustrating.  

But that was the only case that I am personally aware.  I don’t know how many more are similar, but my guess is that the ratio is about the same.  But even if there were dozens of cases, I do not believe that waiving personal protections is worth those cases. In those cases, investigators need to do more work to find evidence NOT stored in the device.  Yes, that means getting out of the office. 

Not that I disagree with the ‘easy way’, but I do believe that some things must be done the ‘hard way’. That is just the way it is.  I started in law enforcement before the Internet took off for the average consumer and I left law enforcement when the Internet became what it is today.  I have seen investigators sit at their computers on a daily basis and leaving the office usually meant grabbing a cup of coffee at Starbucks.  Long term surveillance became a thing of the past for many.  Surveillance sometimes was not even on some investigators’ mind at all!  The entire tradition of being a gumshoe detective has been lost on so many.  About the only thing to get some detectives out of the office was the promise of overtime.

Back to the encryption issue. First, be prepared for analogy after analogy about how we should (and should not) have back doors in encryption.  Remember, any backdoor requirement negates the encryption, as in, it will no longer be encryption when anyone can have the key to access it. Analogies don’t always work well, but they are already being used to argue for (or against) backdoors.  Probably the best analogy in this encryption issue is that the government is simply asking you to give them a key to the backdoor of your home, and they are asking you to trust they will only use it when and if they need it. That completely negates the security of your home. 

Second, be prepared to hear that terrorists will not be found and criminals will go free.  Well, that is true, always has been, and always will be.  The government is restrained by the Constitution.  But even with the restraints, you have no idea of the absolute power a search warrant gives law enforcement until you have held one in your hands, forced your way into a person’s abode, and looked into every nook and cranny with unfettered access. To say law enforcement needs more power than that is to say we don’t need protections against unreasonable searches and seizures.

I have also read comments where people have said, “I have nothing to hide, go ahead and look at what you want.” I totally support that argument. Anyone can waive their individual rights whenever they want. I’ve read Miranda Warnings more times than I can count and asked every person if they wanted to waive their rights. Most did.  I wouldn't.  Speaking of Miranda warnings, when the warnings were required to be given (if the suspect was in custody and being questioned), I can imagine the investigators crying over how cases will never be solved because we are telling criminals to not talk. Well...that didn't pan out.  They still talk and will always talk and always confess.  Some never will, regardless if they are given Miranda warnings, but the point remains that investigators must, and do, work within legal limits.

Where I diverge on a person waiving their rights is where everyone must be forced to waive their rights by having all their electronic devices and data accessible by law enforcement.  Again, once there is cause (probably cause), law enforcement can get pretty much anything they want, from kicking down a door to seizing all the funds in a bank account.  If technology eventually allows access into highly encrypted files, then they can have that too.  You don't have to open your door for the police, but if they have a warrant (or other authority, such as exigent circumstances), they will open the door.

As much as I would hate to see Apple close its doors, I would hope that if they lose the encryption battle, Apple simply shuts down in protest.  Consumers are already suspicious of companies that have covertly cooperated, without warrants, to capture and analyze data, and snoop everyone’s phone calls regardless if any individual was suspected of a crime. It’s not that you don’t have something to hide, you just don’t want someone from the government watching you in your home through a compromised webcam to make sure you aren’t doing something wrong.

The last point to make is that banning encryption is like banning anything. It doesn’t work. Banning something only makes new criminals out of non-criminals, allows criminals the only people to possess the banned things, and creates a black market.  If guns are banned, criminals will still have guns. Citizens who refuse to turn in their guns…they become criminals.  And guns will still be available on the black market. This is the same for encryption.  It will still be available and still used by criminals and terrorists. The only people who won’t use encryption (or who agree to allow backdoors) are those who wouldn’t be using it illegally anyway.

I feel for any investigator fighting an encrypted device for file (been there, done it, still doing it).  But a backdoor will not fix the problem. If Apple folds like a cheap card table and builds a backdoor, guess who won’t be using Apple products…criminals and terrorists… They will find something else, which leaves everyone else using an Apple product to know the security has been compromised.  The problem is not solved, it is multiplied.

I’m not bashing law enforcement, but I am saying to them that rather than trying to make laws and force private companies to do their bidding, get out of the office and work. Follow suspects around. Dig through garbage in trash runs.  Interview witnesses.  Develop informants.  Work undercover. Build cases. You don’t need 100% into everything from your desktop to build a case.

As far as the criminals and terrorists go…it does not matter how much they know about the limitations and extent of authority law enforcement has, because a good investigator can make a good case on any criminal or terrorist. I mean it.  There is not a criminal alive that can remain at large if a good investigator puts a case on him (or her). Encryption? So what.  Find evidence elsewhere, because if the only evidence you have is an encrypted device or file, you really don’t have much of a case. Dig and you will find.

 

  1693 Hits
  2 Comments

Books written by practitioners are many times better than those written by those who 'never done it'

Books written by practitioners are many times better than those written by those who 'never done it'

Many of Syngress published books I’ve read are those written by people simply writing about how they do their job…while they are doing their job.   They are probably not writing while they are physically doing their work, but you know what I mean.

With my first book, Placing the Suspect Behind the Keyboard, I was consulting on a criminal cyber harassment case, two arson cases, and several civil litigation projects. In three of the cases during writing the book, the main goal was identifying users behind the keyboard (in one case, behind a mobile device).  In addition to doing what I knew from my law enforcement detective days, I conferred with experts for tips and tricks on tracking Internet users.  I was writing the book while doing the work.

My current book, Hiding the Behind the Keyboard, was virtually the same, however, this time with a co-author (John Bair). While writing the book, there were multiple interruptions of having to do work in the real-world outside of typing and testing theories. While John was working homicides and examining mobile devices in those cases, I was consulting on employee matters where unidentified employees were creating havoc with their company by being anonymous online. It is one thing to create a perfect scenario to test a theory and quite another to have actual evidence on an active case.  Again, this was another book of authors writing what they do on a daily basis.

I write about this only because I remind myself regularly of college courses I have taken in digital forensics where the required books not only cost an arm and a leg, but were written by academia, not active practitioners.  I’ve even taken a computer forensics course from a community college where the professor had not done one forensic exam…not a single one.  The professor did not even know how to connect a hardware write-blocker to a hard drive. I kid you not.  

I’m not a Syngress employee, but I do like their books. The cost may seem high for some of the books, but it is still about half the price of a college text in the same subject matter.  But the biggest difference is how the books read. I so much prefer reading a book that simply says, “This is how you do it in the real world”. I do not prefer books that speak in terms of an idealized theory.  Reminds me of my Field Training Officers in patrol telling me to forget what I learned at the academy because they were going to teach me what works on the street, in real life.  The best thing I like about the Syngress books is that I can read what the experts are using day-to-day in their own words.

And year after year, I check to see the new titles that come out and hope that Syngress changes their book covers from the previous year.  This year, there are more than a few titles that I have already pre-ordered and will have on hand for the next conference to have signed by the authors.  The cover design change was probably a bit overdue, but glad it has changed.

The discounts are nice too when you have more than a few books you want to buy...

 

 

  1510 Hits
  0 Comments

Bio-hacked humans and digital forensic issues...

Bio-hacked humans and digital forensic issues...

If you thought The Grudge was the scariest thing you’ve seen on screen, you must have not yet watched Showtime’s ‘The Dark Net’.  In short, the series show how humans are procreating less and merging digitally into technology with bio-hacks. That makes for a bad combination on a few different levels.

Without getting into non-techical issues (such as moral, ethical, or legal), I have a technical question: How the heck are we going to going to do a forensic analysis of a bio-hacked…human?

Before the human race ends up looking like robots, we are already in the era of implanting electronic data devices in our bodies.  Check out http://dangerousthings.com to find how you too can jab an injection device into your hand and shoot a RFID under your skin…all by doing it yourself. As for me, I don't think I'll be joining in that movement anytime soon.

RFID (http://en.wikipedia.org/wiki/Radio-frequency_identification) tags store data. Data such as medical, financial, personal, or any type of information can be stored on a RFID tag, although the amount is quite limited currently (2-10 kilobytes?).  That's not much data, but depending on the content, it may be more than enough to cause a war or bankrupt a company.

But even at that low amount of storage, it can raise suspicions in theft of intellectual property, trade secrets, or national security information.  Imagine the use of implanted RFID chips by criminals, terrorists, and corporate spies to exfiltrate and transport sensitive data.  Just when you thought the MicroSD cards presented a threat because of their small sizes, the RFID is even an even bigger problem.  We can find a USB since we can see it. RFID chips implanted under the skin…not so easy.

b2ap3_thumbnail_implant.JPG

Now back to my first question of how we will be doing forensic analysis on a bio-hacked human. When the time arrives where humans are embedded with multiple types of technology and devices, where and how do we start the data acquisition process?   Depending on how much technology is embedded, where it is embedded, and what it is connected to, forensic imaging takes on a whole new world.  

And what if the person (or man-machine cyborg…) doesn’t want to be forensically analyzed? 

b2ap3_thumbnail_robocop.JPG

Maybe for imaging software, we can try Robocopy (looks like the software is already here….).

b2ap3_thumbnail_header.JPGb2ap3_thumbnail_robocopy.JPGhttp://sourceforge.net/projects/robocoprobocopy/

 

 

 

 

 

 

 

 

  2289 Hits
  1 Comment

Tech Talk Can Get You Lost in Lingo

Tech Talk Can Get You Lost in Lingo

    Every career and academic field has its own “lingo” to the extent that a conversation buried deep in lingo sounds like a foreign language. I have experienced military lingo, law enforcement lingo, and technical lingo in my life to the point that I practically dream in acronyms, speak with words not recognized by Webster’s Dictionary, and instantly recognize the glazed-over look when speaking to an non-native lingo listener.

                The reasons for individualized lingo range from the coolness factor such “oh dark thirty”  in order to express time as ‘really damn early’ to efficiency such as using “HMMWV” instead of saying “High Mobility Multi-purpose Wheeled Vehicle”.  Many acronyms are spoken as works when gives an added effect of the listener not having a clue of what you are talking about.  For example, “I’m going to pick up a hum-v” means “I’m going to pick up a high mobility multipurpose wheeled vehicle”. Even in law enforcement, the acronyms can irritate the most patient listener if they are not in the club.

b2ap3_thumbnail_hmmwv.JPG

                There are two situations where lingo can get you killed, or at least make you feel like you are getting killed. One is in court. The other in your writing.

                Getting killed in court by lingo as a witness is painful. In fact, I’ve seen witnesses get physically ill as if the roach coach burrito eaten at lunch has suddenly reached its final destination in all its glory. Getting beat up on the stand by an attorney or judge is so unpleasant, that time actually slows to a stop and you wonder why you even got up that morning. Using lingo on the stand can give you a bad case of ‘why did I say that?” when being cross examined.

                I talk about lingo today, because I recently experienced one of the best cases of using lingo in all the wrong ways in a federal district court.  I gave my testimony first as the defense expert in a class action lawsuit, and spoke as simply as I could to make sure the judge understood what I intended to say. Then the opposing expert was called. One of the attorneys asked her a question, she answered, but her answer was not only complicated, it was complex, full of lingo, and I even felt a sway of arrogance. I barely understood what she said and took notes to make sure I got correct what she said.

b2ap3_thumbnail_courtrooom.JPG

                Then the beating started. The judge asked her to repeat her answer. She did. Then the judge asked her the same question by rephrasing it and asked for a better explaination. The expert answered again but it sounded even more complex. After three more tries with increasing tension and the judge telling the witness that she does not understand the answer, the judge turned to me at the back of the courtroom and said, “Can you tell me what she is trying to say?”

                That is when I knew this cross country trip for court was worth the trip. I translated the opposing expert’s answer, the judge understood it, and the opposing expert said I was correct.  Boom. Lingo killed that day, but luckily it didn’t kill me.

                The other place where lingo can kill is in writing. I’ve written more police reports and affidavits for search warrants than I could ever count and the one thing I learned is to keep lingo out unless it is pertinent, relevant, and understandable. Jurors don’t get lingo and much of what they hear in the movies is incorrect or misused. Judges don’t like it either.  Don’t be the only person in the room that understands what you are saying…

In fiction books where computer technology is a key element or theme, using lingo without explanation is like using a foreign language to frustrate a reader. I say this because I just read an unnamed book that when I read it, I had to really slow down my reading in order to understand what was being described. I don’t like reading slow...which means I won’t finish reading it if I don’t have to.

It is one thing to use a technical term in a sentence, but there comes a point that when the majority of words in a sentence are acronyms and “words” not found in a dictionary, the reader becomes lost and frustrated. That’s not good. It’s not good for reports, testimony, or fiction writing. Nonfiction technical writing is a little different since generally, the reader of a technical writing is a technical person.  For those types of writing, give the definition once and move on since the audience is a technical reader audience. In the other types, even though you give the definition once, the reader/listener is going to forget by the time the uncommon word or acronym is used again. So be sparse in the lingo unless it really matters or that it is used so often, your reader won’t be frustrated trying to figure out what it means.

I’ve given a few talks of putting ‘cybercrime’ into writing for fiction authors who are not computer experts.  Some of the talk is showing what forensics look like (hint: it’s not like what you see in James Bond…) as well as how to use technical terms without turning off the reader or sounding like you don’t know what you are talking about. For me, when I read, I just want to read without having to say to myself, “Excuse me, that’s not how Tor works…”.

Remember, lingo kills.

Tags:
  2725 Hits
  1 Comment

What is this thing "privacy" you speak of?

What is this thing "privacy" you speak of?

 

I luckily missed being born into the Internet generation.  Facebook creeped me out with the amount of information demanded to create an account.  It took me all of 1 minute to create an account, 5 minutes to decide to delete it, and then two hours to figure out how. That was years ago and I still receive email reminders from Facebook to re-join with all my information still in the deleted  account, as if I never deleted it. If you ever wondered what Mark Zuckerberg thought of Facebook users, you may want to take a look...http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5 

Perhaps a decade of working undercover has made me ultra-paranoid on personal information. At the time of doing UC work, I had little concern of sitting in an illegal business, having dinner with an organized crime figure and having one of his goons run me through Google, because there was no Google when I first started. That changed before I left the narc world and an undercover friend of mine was identified with Internet searches (while he was in the midst of a group of bad guys). If I was still doing undercover work, I'd no longer be doing undercover work. Thanks Google...

I can imagine that being born into the Internet age means never knowing what privacy is, nor have any concern about it all. Kids are literally texting in grade school, Facebooking in middle school, and blogging by high school.  Every generation now willfully gives up every aspect of their lives on social media and to buy some gadget online.

So when I see that the majority of people could care less about their most intimate and private details of their lives, it gives me pause. If you don’t think your Internet searches and web browsing is intimate, take a look at your web history and tell me that you don’t have some secrets in what you look at that you wouldn’t want anyone else to know about you. Health, wealth, and interests. How much more intimate can you get?

Despair at the Number of Americans Who Choose Security over Liberty, Privacy - Reason (blog)

http://news.google.com Thu, 31 Dec 2015 17:41:15 GMT

Reason (blog)Despair at the Number of Americans Who Choose Security over Liberty, PrivacyReason (blog)According to a new, frustrating poll, a majority of Americans in both the major parties appears to support warrantless government surveillance of Am ...

Read more ...

 

I’m not sure if people just don’t care the government watches and logs their Internet activity or if they just don’t know that they have a right to be secure in their homes, papers, and possessions. Either way, the result is the same. Privacy no more, and like the arrow flown, you can’t get the data back.

I can say that there are government organizations that actually take issue with privacy, one for example: Public Libraries. I’ve had criminal investigations where I needed information about a library patron for serious felonies. Not only were librarians willing to throw down with me to fight giving it to me, but I was promptly kicked out and told to get a warrant (which I did every time).  The library in the county where I live takes privacy seriously (KCLS). No security cameras anywhere. Not inside the library. Not in the parking lots. Nothing recorded. Patrons can use Tor if they bring it on a CD or flashdrive to plug into public use computers. The WiFi is free, no login required, no tracking of the users. 

For this, I say libraries may be the last bastion of personal privacy protection, but then again, I have no idea how many national security letters have been handed out to librarians

Certainly the day is close where privacy no longer exists in any manner. Already, if you ever applied for a security clearance, foreign governments have your application and probably your fingerprints too.

China says OPM breach was the work of criminal hackers - Engadget

http://news.google.com Thu, 03 Dec 2015 04:59:00 GMT

EngadgetChina says OPM breach was the work of criminal hackersEngadgetChina says the massive security breaches at the US Office of Personnel Management (OPM) that exposed the personal information of more than 21.5 million US government employees, con ...

Read more ...

I can say with experience, the Internet is great for investigators. Finding suspects has never been easier. In fact, finding an entire life history of a suspect takes on a whole new meaning with Facebook and every other type of social networking account.  Heck, they list their associates too. How much easier can it get? Criminals are people too, and they put as much personal information online as everyone else. Take the Dark Web as one example.  The Silk Road creator took massive steps to hide his identity, but an IRS agent identifed him with Google searches...

The Tax Sleuth Who Took Down a Drug Lord - New York Times

http://news.google.com Fri, 25 Dec 2015 17:48:14 GMT

New York TimesThe Tax Sleuth Who Took Down a Drug Lord New York Times It was Mr. Alford's supervisors at the I.R.S. who assigned him in February 2013 to a D.E.A. task force working the Silk Road case. The Strike Force, as it was known, had so far had l ...

Read more ...

My only concern with personal privacy evaporating like dry ice in the summer is that criminals also have an easier time of finding enough personal information to do damage to anyone, whether as ID theft, stalking, or worse.  It's bad enough that there are several levels of government agencies tracking everyone (including you), and that the criminals are using the same methods, but we also have the foreign governments doing it too.

Probably the best thing that can happen to the Internet is that it breaks...but then again, how will students find answers to their homework if they can't access Wikipedia? Can you imagine telling your kids to go to the library? The horror!

  2220 Hits
  0 Comments

The best part of writing a book is finishing the book.

The best part of writing a book is finishing the book.

I choose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book with early reviews, suggestions, recommendations, and co-authoring.  Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:

  2160 Hits
  0 Comments

RegRipper

RegRipper

The short story-if you want RegRipper, get it from GitHub (don't download it from anywhere else)

http://github.com/keydet89

 

What is RegRipper?

RegRipper was created and maintained by Harlan Carvey.  RegRipper, written in Perl, is the fastest, easiest, and best tool for registry analysis in forensics examinations.  RegRipper has been downloaded over 5000 times and used by examiners everywhere.

How can you make it better?

If you want RegRipper to be better, you can help by first sending in registry hives with specific information of what you need RegRipper to do with that hive to Harlan Carvey.  Is it a P2P application of interest?  Or USB devices? Or…?

What is the RegRipper?
RegRipper is *not*…it’s not a Registry Viewer.  An examiner would not open a Registry hive file in RegRipper to “look around”.

Further, RegRipper is NOT intended for use with live hive files.  Hive files need to be extracted from a case (or from a live system using FTK Imager…), or accessible via a tool such as Mount Image Pro or F-Response.

RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API.

How does RegRipper work?
RegRipper uses James McFarlane’s Parse::Win32Registry module to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis.  This tool is specifically intended for Windows 2000, XP, and 2003 hive files (there has been limited testing on Vista/Win2K8 hive files…everything has worked fine so far…).

How do I use RegRipper?
Simply launch rr.exe.  Also, please be sure to read the RegRipper documentation.

Do I have to install anything to use the RegRipper?
Nope, not a thing.  RegRipper ships as an EXE file, able to run on Windows systems.  All you need to do is extract the EXE and DLL in the same directory. The source file (rr.pl) is also included, as are the plugins.

Further, RegRipper doesn’t make any changes to your analysis system…no Registry entries are made, nor are any files installed in odd, out-of-the-way locations.

HC

—————————————————————

RipXP

Installing
RipXP uses all of the same plugins available with RegRipper, so simply extract the files in this archive into the same directory with RegRipper (rr.exe) and rip (rip.exe).

Running
1. Using your tool-of-choice (I use FTK Imager), open the image and extract the hive files you’re interested in from the system32\config directory, as well as from user profile(s), into a directory (ie, D:\cases\case001\xp\config).

2. Using that same tool, within the image navigate to the directory where the Restore Point directories are located (usually C:\System Volume Information\{GUID}\). Extract all of the RP* directories into a directory on your analysis system (ie, D:\cases\case001\xp\restore).

3. To see the options used by RipXP, simply type:
C:\ripXP>ripxp

RipXP allows you to run one plugin across a designated hive file, and all corresponding hive files in the Restore Point directories.

C:\ripXP>ripxp -r d:\case\config\ntuser.dat -d d:\case\restore -p userassist

——————————————————————————

RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

RegRipper consists of two basic tools, both of which provide similar capability. TheRegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of it’s activity in the same directory as the output file, using the same file name but using the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed against to a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of it’s activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts know have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

The use and function of RegRipper is discussed in great detail in the book, Windows Registry Forensics.

How do I..

…install RegRipper?

Go to the download site for RegRipper and get the archive that contains the most recent version of RegRipper (in this case, rrv2.5.zip). Extract the archive into a directory on your system, such as “C:\rr”.

Next get the latest plugin archive, based on the date of the archive, and extract everything in the archive into “C:\rr\plugins”.

That’s it…you’re done. Either launch rr.exe (the GUI) or run rip.exe (CLI) from the command prompt.

…get a list of all plugins?

This is actually pretty straight-forward. To list all of the plugins in the \plugins folder, simply open a command prompt, navigate to the folder where you installed RegRipper, and type:

rip -l

Another way to see what plugins are available is to launch the Plugin Browser (pb.exe), and navigate through the list of plugins, one at a time. In order to get a .csv listing of the available plugins, use this command:

rip -l -c > plugins.csv

You can then open the resulting file in Excel.

In order to get just a listing of plugins available for a particular hive file (in this case, the Software hive), type:

rip -l -c | find ",Software" /i

Does RegRipper do…?

Perhaps one of the biggest misconceptions regarding the RegRipper plugins is whether or not it does specific things; that is, does it check for specific values, parse specific data, or enumerate the contents of specific keys? This isn’t the right question to ask.

From the beginning, RegRipper plugins have been created and updated based on needs. Some needs are relatively easy to meet, due to the availability of data; most Windows systems have a ‘Run’ key. Other plugins have been created/modified due to unique circumstances based on analysis; finding something new or unusual during an examination will very often result in a new plugin, or an update to an existing plugin.

Of those currently writing plugins, it appears that few have encountered systems on which the P2P application Ares has been installed and used. As such, the ares.pl plugin may be somewhat limited and not meet the complete needs of a specific examiner working on a specific case.

In short, the power of RegRipper is in the plugins, and for this to be a truly powerful tool, it depends on examiners sharing their needs and data before hand, rather than asking, “Does it do…?” after the fact.

If you have any suggestions, recommendations, or questions about RegRipper, just ask Harlan.  Don't be afraid. Don't post all over the Internet that RegRipper doesn't do what you thought it would or is defective.  Ask Harlan. http://windowsir.blogspot.com

This email address is being protected from spambots. You need JavaScript enabled to view it.

 

ASEPs

Auto-Start Extensibility Points (ASEPs) checked by RegRipper's plug-ins

Details

Run Keys

Software Hive Run keys

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKLM\Software\ Microsoft\Windows\CurrentVersion\RunServices

• HKLM\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• soft_run plugin

NTUSER.DAT Hive Run keys

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

o Run and Load values

• user_run plugin

System Services

• HKLM\System\CurrentControlSet\Services

o services plugin (list services by last write times)

o svcdll plugin (list services with ServiceDLL values)

o svc plugin to (list services and drivers by last write times)

o svc_plus plugin (short format with warnings for type mismatches)

o svc2 plugin (csv output)

• Legacy registry keys located at HKLM\System\CurrentControlSet\Enum Root

o legacy plugin

Software Registry Hive ASEPs

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

o winlogon plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls and init_dlls plugins

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls plugins

• HKLM\SOFTWARE\Microsoft\SchedulingAgent

o schedagent plugin

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

o shellext plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

o svchost plugin

System Registry Hive ASEPs

• HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

o appcertdlls plugin

• HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

o securityproviders plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

o lsa_packages plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\Session Manager\CWDIllegalInDllSearch

o dllsearch plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\SafeBoot

o safeboot plugin

NTUSER.DAT Registry Hive ASEPs

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon_u plugin

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

o load plugin

• HKCU\Software\Microsoft\Command Processor\Autorun

o cmdproc plugin

UsrClass.dat Registry Hive ASEPs

• HKCU\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell_u plugin

This section presents and discusses a list of artifact categories, as they relate to the RegRipper tools and plugins. As they are defined or described (see below), each of these categories applies specifically to artifacts found within the Windows Registry.

Many of the available Registry artifacts persist beyond file and program deletion, providing indications of system or user activity that occurred in the past.

Many artifacts can and may fall within multiple categories. For example, the File Access category by extension indicates Program Execution.

Multiple categories of artifacts can be used in analysis though the use of an analysis matrix.

Categories are identified within plugins as part of the configuration hash (%config) provided as part of the plugin. The use of categories in this manner does not obviate the use of profiles within RegRipper; instead, it enhances that capability.

Note: This should be considered to be a living document, subject to update and modification.

Category Definitions

What follows are some of the categories that have been identified, along with descriptions of each of the categories.

Where applicable, examples of available RegRipper plugins are provided.

OS Info

Basic OS information, such as version, installation date, install source path, time zone information, etc.

Example plugins: winver.pl, compname.pl

User Account Info

Basic user account information.

Example plugins: samparse.pl, profilelist.pl

Network Configuration

Artifacts associated with the network configuration of the system.

Example plugins: compname.pl, networklist.pl

AutoStart

Registry artifacts associated with the autostart of applications and programs (those programs/applications that are launched with no interaction from the user or system).

This category can overlap with and include some of the same artifacts as those from the Program Execution category.

Example plugins: services.pl, legacy.pl

Program Execution

Artifacts that relate to or indicate that programs were executed.

Example plugins: appcompatcache.pl, direct.pl, sysinternals.pl, muicache.pl, userassist.pl

Installed Programs

Installed Programs artifacts differ from Program Execution artifacts, in that many applications/programs are installed on a Windows system via a setup.exe file, or via an MSI file. As such, the program itself has artifacts in the Software hive, and then user-specific artifacts "live" in the user's NTUSER.DAT hive.

An example of this includes Adobe Reader; the Software hive will contain information about the system-wide application configuration, while the NTUSER.DAT hives will indicate not only which user(s) launched the application, but also maintain an MRU list of files that the user accessed.

Note: A program or application can be installed, but may not have been executed.

Example plugins: apppaths.pl

Storage Information

This category pertains to the usage of or access to storage media, including (but not limited to) USB devices, network shares, "cloud" storage, etc.

Example plugins:

Log Info

This category pertains to artifacts related to the configuration of log files on the system, which can include Windows Event Logs, as well as application specific logs.

Example plugins:

Malware

This category pertains to artifacts that specifically provide indications of malware infection or activity. This category differs from the AutoStart category, in that legitimate applications can make use of AutoStart artifacts. In many instances, the AutoStarts or Program Execution categories can be used to extract general information (i.e., contents of the Run key, etc.) that the analyst can review, plugins in the Malware category can be used to look for specific artifacts related to a variety of specific malware samples, or related to malware families.

Examples of a malware specific artifacts include:

  • Variants of Zeus have been known to add "sdra64.exe" to the UserInit Registry value
  • OSVerion

Example plugins: osversion.pl, zeus.pl

File Access

This category pertains to files that a user has accessed, which is most often through the use of a specific application. As such, artifacts within this category will indicate Program Execution (or usage), but the purpose of this category is to provide indications of files that a user specifically had access to, via downloading, or through creation or modification.

Example plugins: recentdocs.pl, trustrecords.pl

Communications

This category can be a subset of the Installed Programs and Program Execution categories, and is specific to programs/applications intended for off-system communications. While the Program Execution category may be used to look for indications of the use of ftp.exe or chat programs, this category is intended for communication application-specific artifacts.

Example plugins:

Analysis Matrix

The above listed categories can be used in an analysis matrix; several categories of artifacts may be used in specific types of analysis activities.

The following table is a notional analysis matrix, and is intended to serve as a starting point for both discussion and analysis:

  Malware Detection Data Exfil Unauth Use Illicit Images
Program Execution X     X
Malware X     X
File Access   X   X
Storage Info   X   X
Comms X X    

 

Tool Architecture  

RegRipper is actually a suite of tools that all rely on a core set of functionality.

Helper Functions

The main user interface (UI) tools for RegRipper (ie, the RegRipper GUI and the rip CLI tools) provide a number of functions to the plugins. These functions are included in a separate .pl file, and are accessed by the UI code via the require pragma (allows the code to be loaded at run-time). This allows for the following:

  • The one set of code is available to the UI tools in a uniform manner.
  • The helper function code can updated and made available without requiring the tools themselves to be completely recompiled.
  • The code is completely transparent; anyone can open the helper files and see what the code is doing.

Note: In order to make the code portable and usable by the widest range of users, any modules required to use the helper functions (ie, Time::Local) will be compiled into the UI.

Time

This secton is about how time is treated on Windows systems, as well as the various time formats found on Windows systems.

Formats

Time in recorded in a number of formats on Windows systems. Even though MS maintains a page that discusses time formats, there are other formats available, as well.

Unix Time

Unix epoch time - yes, there are time values recorded on Windows systems in the 32-bit Unix epoch time format, which is the number of seconds since midnight UTC, 1 Jan 1970.

This time format has a granularity of 1 second.

This time format is found in Windows XP/2003 Event Log records, as well as some Registry value data.

To convert this time format to something readable, use the built-in gmtime() function.

DOSDateTime

DOSDateTime - Date and time format encoded in two 16-bit values. Used as part of the shell item format specification, described by Joachim Metz. Shell item ID lists appear in the Shell\BagsMRU Registry values, as well as part of the MS-SHLLINK binary format for Windows shortcut files.

This time format has a granularity of 2 seconds.

Python code for translating the DOSDateTime values into something readable can be found as part of the libforensics package.

Perl code (note: requires the Time::Local module to translate to a Unix epoch time):

sub convertDOSDate {
  my $date = shift;
  my $time = shift;
  if ($date == 0x00 || $time == 0x00){
    return 0;
  }
  else {
    my $sec = ($time & 0x1f) * 2;
    $sec = "0".$sec if (length($sec) == 1);
    my $min = ($time & 0x7e0) >> 5;
    $min = "0".$min if (length($min) == 1);
    my $hr  = ($time & 0xF800) >> 11;
    $hr = "0".$hr if (length($hr) == 1);
    my $day = ($date & 0x1f);
    $day = "0".$day if (length($day) == 1);
    my $mon = ($date & 0x1e0) >> 5;
    $mon = "0".$mon if (length($mon) == 1);
    my $yr  = (($date & 0xfe00) >> 9) + 1980;
    return "$yr-$mon-$day $hr:$min:$sec";
#   return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));
  }
}

UUID

UUID - Windows systems maintain volume GUIDs, particularly those associated with volumes beneath the MountedDevices and MountPoints2 keys, in UUIDv1 format. Part of this format specification includes a 60-bit time value, which indicates the number of 100-nanosecond intervals since 15 Oct 1582 (this date is described in the RFC as the date of Gregorian reform to the Christian calendar).

This time format has a granularity of 100 nanoseconds.

Note: This format also includes a "node" value, which for several of the volume GUIDs is a MAC address that was available on the Windows system at the time that the GUID was generated.

FILETIME

FILETIME - A 64-bit time value representing the number of 100-nanosecond intervals since midnight UTC, 1 Jan 1601. Used pervasively throughout Windows systems, and can be found:

  • $STANDARD_INFORMATION and $FILE_NAME attributes within MFT records
  • Registry key properties
  • Registry value data

This time format has a granularity of 100 nanoseconds.

Perl code for translating a FILETIME object into a Unix epoch time (borrowed from Andreas Schuster):

#-------------------------------------------------------------
# getTime()
# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
# to gmtime() or localtime()
#-------------------------------------------------------------
sub getTime($$) {
  my $lo = shift;
  my $hi = shift;
  my $t;

  if ($lo == 0 && $hi == 0) {
    $t = 0;
  } else {
    $lo -= 0xd53e8000;
    $hi -= 0x019db1de;
    $t = int($hi*429.4967296 + $lo/1e7);
  };
  $t = 0 if ($t < 0);
  return $t;
}

SYSTEMTIME

SYSTEMTIME - 128-bit format, and according to MS, "The time is either in coordinated universal time (UTC) or local time, depending on the function that is being called." This time format is used in a number of artifacts on Windows systems, including (but not limited to) in XP Scheduled Task/.job files, as well as in value data beneath the Vista/Win7 NetworkList key (within the Software hive).

It is important to note that this value can be stored in the Registry in either UTC or localtime format. Beneath the NetworkList key, for example, the value is stored in localtime format.

This time format has a granularity of 1 millisecond.

Example Perl code to parse this date format appears as follows:

sub parseDate128 {
  my $date = $_[0];
  my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
                      "Aug","Sep","Oct","Nov","Dec");
  my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
  my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
  $hr = "0".$hr if ($hr < 10);
  $min = "0".$min if ($min < 10);
  $sec = "0".$sec if ($sec < 10);
  my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom."
     ".$hr.":".$min.":".$sec." ".$yr;
  return $str;
}

Strings

Strings - Date and time values may be stored in Registry value data in string format; ie, "2011-06-07" or "1/2/2011". This is often found in Registry values in specific applications.

To convert data stored in this format to a Unix epoch time, parse the strings and use the Time::Local module to convert the information.

File System Tunneling

MS KB172190 describes file system tunneling, which can have a significant impact on your analysis.

Links

MS KB299648: Description of NTFS date and time stamps

MS: File Times

MS KB188768: Working with the FILETIME structure

MS: SYSTEMTIME structure

MS: DosDateTimetoFileTime function

Software Sleuthing: DateTime formats and conversions

Old New Thing Blog: DateTime formats and conversions

Shellbags

MS KB 813711 describes what actions cause data to be added to the Shell Bags values.

The structure of shell items is very important to understand, as these structures are used in multiple locations on Windows systems, not just in the Shell BagMRU subkeys within the Registry. For example, the structures are used in the shell item ID list section in Windows shortcut LNK files, as well as within the LNK streams in .automaticDestinations-ms Jump List files on Windows 7. These structures are also used within the data of values beneath the OpenSavePidlMRU keys within the Windows 7 NTUSER.DAT hives (full path is "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU").

As such, being able to recognize and parse these structures is essential to being able to fully understand the data that you're looking at, and what it's telling you.

GUIDs

The Variable type (type == 0x00) data structures can contain a variety of information, in various formats. One of the data structures, in particular, can be seen (when viewed in hex) to contain "1SPS" in several places. If the data is broken up, using "1SPS" as a separator (ie, via Perl's split() function), the first 16 bytes of each section appears to be a GUID.

One GUID in particular appears as follows:

{B725F130-47EF-101A-A5F1-02608C9EEBAC} - Ref: Schema (Windows)

Apparently, this GUID applies to both desktop and Metro-style (Win8) apps, and is referred to as both a SHCOLUMNID and a PROPERTYKEY structure. The contents of the subsection of data that begins with this GUID can be further parsed using a distinct set of rules.

References

MS: Canonical Names of Control Panel Items

MS: Known Folder GUIDs

MS: KnownFolderID

Links

Joachim Metz's Windows Shell Item format specification paper (PDF)

ShellBagMRU.py, part of Registry Decoder (written by Kevin Moore)

Willi Ballenthin's Windows Shellbag Forensics

Alerts

The purpose of adding alerts (or an alerting function, via alertMsg()) is to provide a facility for identifying items of interest (from previous analyses) within the vast wealth of data available within a Windows system, and in particular the Registry. This allows an analyst to identify "low-hanging fruit" that may be of value to an examination.

This page will serve as a facility for collaboration amongst the admins of this site, to add, revise, and hone the information alerted on within various plugins.

Plugins

Many plugins provide path information that can be searched via grep() for specific indicators of suspicious or malicious activity:

  • appcompatcache.pl
  • userassist.pl
  • service.pl - also, added Beth S.'s checks from svc_plus.pl to the services.pl plugin

Note: To avoid issues with case sensitivity, process the path through the lc() function first, and then grep for the lower-case string of interest.

Paths

Below are some paths to check for:

  • Recycle
  • GlobalRoot
  • System Volume Information
  • App + Data (gets "Application Data", and "AppData")
  • Temp
  • ADSs - split() the path, check the final element for a colon

Example Code:

my @vals = ("Recycle","GLOBALROOT","System Volume Information", "Temp",
  "Application Data","AppData");

foreach my $v (@vals) {
  ::alertMsg("ALERT: ".$v." found in path: ".$_) if (grep(/lc($v)/,lc($_));
}

Example ADS Check:

my @vals = split(/\\/,$_);

my $int = scalar(@vals) - 1;

::alertMsg("ALERT: Possible ADS found: ".$_) if (grep(/:/,$vals[$int]));

Other Checks

 

  • appinitdlls.pl - generate an alert if the value is NOT blank
  • imagefile.pl - generate an alert if a Debugger value is found
  • attachmgr.pl - generate an alert based on MS KB 883260
  • winlogon.pl - generate several alerts; UserInit value with multiple entries, 'TaskMan', 'System, 'load' or 'run' values found, etc.

Checking for Encryption

 

  • MountedDevices key - check value data for "TrueCryptVolume"; access to a TrueCrypt volume often results in a volume GUID within the MountedDevices key that includes "TrueCryptVolumeN" in the data (with N being a volume letter)
  20354 Hits
  3 Comments

Massive Government Surveillance - Not a new thing

I'm close to wrapping up my latest book, Hiding Behind the Keyboard. One of the more interesting things I found while researching the electronic surveillance chapter is a historical note of massive electronic surveillance...way back in the early  1890s

Considering that government surveillance is one of the hottest topics today, no doubt brought into the spotlight by Edward Snowden, I found this one historical bit of surveillance in New York to be a reminder that electronic surveillance has been around much longer than what the average person may know.

Before getting into the New York Police massive surveillance story, you should know that wiretapping has been around as long as communicating electronically has existed.  For example, as soon as the telegraph was used, the telegraph communications were intercepted. During the Civil War, a "wire tapper" was an actual job in the war to intercept telegraphs!  But that's not what I mean in regards to mass goverment surveillance. The New York Police Department's history with wiretaps is what I found to be really interesting, even more interesting than the NSA surveillance disclosures

In short, back in the late 1800s, New York made wiretapping a felony but the NYPD believed they were above this law. They tapped people at whim and without warrants, including tapping Catholic priests.

In fact, NYPD quickly discovered that they could tap into any phone line of the New York Telephone Company, at anytime  to listen to any person on the line. They even tapped into hotels to listen to hotel any guest.

Obviously, this free-wheeling phone tapping ended after the Supreme Court decided that the Fourth Ammendent protected "intangles" such as communications when it was previously believed that only "tangibles" were protected against unreasonable search and seizure. However, the NYPD experience shows that when  given unfettered access to monitoring and surveillance, government can go too far with good or bad intentions.

The solution to prevent going too far is simple. Get a warrant. Smart government employees know that a warrant protects the people and the employee's career. For anyone to say warrants are difficult, impossible, or too burdonsome simply has not written an affidavit for a warrant or just doesn't have the probable cause in the first place (or may be lazy....).  Warrants are easy to write if you have probable cause.  In fact, some warrants don't even need to be written for approval as a recorded phone call to a judge can get you a telephonic warrant approved in less than half an hour or faster.

For those against any government surveillance, such as wiretaps or pen registers, as long as there is a warrant, there really isn't any problem.  The Constitution and state or federal  laws that approve wiretaps require that the searches not be unreasonable or unnecessary (meaning, there must be cause).  Technically, it is almost as easy as flipping a switch, but practically, it takes takes an investigation to develop probable cause that a crime exists in the first place.  No crime = no probable cause = no warrant.

As a disclaimer to my personal experiences, I have initiated and supported dozens of wiretaps, pen registers, trap and traces, hidden cameras, GPS installations, body wires, and bugs during my time in criminal investigations. I've had probable cause every single time, so much so, that PC dripped out of my investigation binders. And with that, I'm not a fan of unfettered, massive government surveillance without cause...

  1986 Hits
  0 Comments

Libraries and the Tor Browser

Libraries and the Tor Browser

A few weeks ago, I was asked by a librarian for my opinion on library patrons using Tor in public libraries. My initial reaction, based upon having done more than a few cybercrime cases, is that Tor in public libraries is a bad idea. How can law enforcement track criminals who use library computers when the Tor browser is being used?  And libraries are government entities! Tax dollars would be spent helping criminals commit crimes on the Internet and remain anonymous. By all means, NO! Don’t do it!

From a law enforcement perspective (which I have not lost since my days in law enforcement), the Tor browser makes cybercrime investigations practically impossible to identify the user for 99% of cyber detectives and this is a major problem for investigators.  The remaining 1% of cyber analyts have access to supercomputers and virtually unlimited budgets that is beyond the scope and reach of the regular police detective.   Since the Tor network is so effective in providing anonymity to Internet users and police are practically powerless against it, why support it since criminals are using it?

About a half second later, my opinion changed.

The public library protects freedoms more than most people will ever know (except for librarians…they know about freedom protections). Sure, police protect freedoms by protecting Constitutions (state and federal versions) but law enforcement has a dilemma. On one hand, they swear to protect freedoms and on the other, the freedoms restrict their ability to protect.  Using the First Amendment as an example;

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Taking the freedom of speech as an example, people have a right to express themselves and that not only includes speaking, but also reading, and communicating (assembly) with other people. Libraries provide access to information and support intellectual freedom.  And of course, people abuse freedoms and commit crimes, such as harassment where free speech goes too far and intrudes on someone else’s rights. Maybe it's easier to protect speech by getting rid of it? Nope. That doesn't work...

Many (all?) public libraries today in the United States provide Internet access with WiFi and public terminals. Complete freedom to browse the Internet and communicate with people around the world certainly meets freedom of speech criteria.  You can’t get much more supportive in providing access to information than that. As a government entity, the public library supports the First Amendment more than any other entitity.

Here comes Tor.

Without getting into too much detail about “Tor” (The Onion Router: http://www.torproject.org), let’s just say that Tor can be looked at simply as an Internet browser that hides the Internet Protocol (IP) address of the computer user. That means that a computer user can be practically anonymous online when using the Tor browser.  The Internet history cannot be tracked, the physical location of the user cannot be tracked, and users can feel secure that they have privacy online without interference from government or other persons.

Internet privacy is important. Not only is government tracking of Internet users invasive, but so is corporate intrusions into personal privacy. Every person has different tastes, likes, interests, and beliefs. The founding principle of privacy is…privacy. Tor provides that privacy when it is used appropriately.

Running the Tor browser is simple enough since it is just an Internet browser (basically anyway). For a library to support Tor use, IT staff just need to download the browser to the public computers and put the icon on the desktop.  That’s all there is to it to give library patrons access to Internet privacy.

During a recent conversation with a librarian, I was told that the library (in the Seattle area), does not monitor, track, record, or even look at patron Internet history and useage. After explaining that the library certainly has the technology to do so, by default in their network system, and that every patron’s Internet history can be viewed, tracked, recorded, logged, and be required to be produced to law enforcement by court order, the conversation changed quite a bit. Obviously, if a crime has been committed and a search warrant is obtained, providing any information to investigate and prosecute criminals is a good thing for society as a whole.  The drawback is Internet history being logged or viewed for all patrons, in any manner, for general purpose or for later historical analysis. That negates privacy and goes against intellectual freedoms for which the public library stands.

With Tor, patrons can generally be assured their Internet use is private (barring screen capture software, keyloggers, compromised systems, etc…). This is a good thing for patrons to have as a choice. Tor is not perfect and has drawbacks to the ‘normal’ Internet browsers, but for the most part, if privacy is a concern, the Tor browser relieves the concerns.

As an investigative point, if a criminal wants to remain anonymous and use Tor to commit crimes, the library probably isn’t the best place to do it. Although most libraries do not have video surveillance cameras, some do.  There are libraries (the East Baton Rouge Parish Library as one example) that hire police officers as security! For a criminal to use a library computer to commit a crime may make it easier to get caught.

Tor relays: it’s Tor, but a little bit different topic. One of the methods that Tor is effective is that when using the Tor browser, computer relays (“Tor relays”) are being used to route the computer user’s traffic around the world.

http://www.torproject.org 

Anyone can volunteer to be a Tor exit relay, where Internet traffic running through the Tor network will ‘exit’ from your system. By being a volunteer, you help world-wide Internet anonymity by providing a Tor exit relay. For the most part, nothing bad happens, but occasionally, the Internet traffic leaving your relay could be criminal in some aspect, such as child pornography. You won’t see it, nor have anything to do with it, but your IP address will be tied to it since your relay is the last relay to receive/send it.

Not that this makes you a criminal, or that you facilitated a crime any more than if you sold a Ford that was used in a bank robbery as a getaway car, but it can happen. Today, law enforcement is more aware that Tor exit relays are not the source of crime, and the person running the relay is not the criminal they are looking for.

https://www.propublica.org/article/library-support-anonymous-internet-browsing-effort-stops-after-dhs-email

So it was strange to find an article where law enforcement pressured a library to not volunteer as a Tor relay. Tor relays exist world-wide. There are literally thousands of relays, everywhere. Shutting down every relay is virtually impossible. So why push libraries to not volunteer when it is the public library standing for the freedoms in the first place?

As a business consideration, my opinion on public libraries being Tor exit routers depends upon the cost required to set up and maintain it since public libraries are funded by the public with taxes. Other than that, if the public supports it and libraries can do it, why not? A public library can do little more for intellectual freedom than not only providing use of the Tor browser, but also operating a Tor relay.

Restricting or eliminating use of the Tor network would be like shutting down Toyota dealerships because the Toyota Camry is used for bank robbery getaway cars.

For the investigators worried about rampant crime in the library because of Tor…you can still catch the cybercriminals.  And for libraries worried that they will facilitate crime, don’t worry about that either. Tor users can’t choose the Tor exit relays.  It won’t be like cybercriminals will be able to pick a library Tor exit relay and commit crimes.  I give an entire chapter on beating Tor in my next book, at least as much as Tor can be beaten.

 

 

 

Tags:
  7102 Hits
  0 Comments

Teaching Digital Forensics at the University of Washington

Teaching Digital Forensics at the University of Washington

Several years ago, I taught at the UW Digital Forensics Continuing Education program before taking a break. Now I'm back at it.  A new course with new material, including mobile device forensics.  A change in the program is that the course is offered online as well (not on demand, as the classroom will be broadcast in real-time).

A continual theme in the program is case development.  From the smallest piece of evidence through gathering more evidence, broad analysis to specific targeting focus, to search warrants, and putting an entire case together; that is the goal of the course.

My primary purpose is teaching how to do an actual digital forensic case as I firmly believe that a certification without competence is not useful in the least bit.

A potpourri of software is used throughout the program to show that there are many ways to get to the answer using different tools.  In fact, the tool is not the focus as much as running a case is.  Using software tools gets the information you need to further your case development through case closure.

Consider registrating for the course, it'll be lots of work, but lots of fun to work cases along the way.

b2ap3_thumbnail_UW.JPGhttp://www.pce.uw.edu/certificates/digital-forensics.html

  2437 Hits
  0 Comments