MS COFEE for live comp. forensics

It is all about the COFEE [1] that will keep you awake, in this case ahead of the game. Microsoft’s COFEE (Computer Online Forensics Evidence Extractor) [1] is out and about, making the rounds on the Internet underground (and overground, on “freedom of speech” sites). This is what happens when you try to keep something secret: everyone wants it.

I understand the motives to keep it hush-hush, but from what I hear the tool set is comprised of basic programs you can find on a Windows OS and at Microsoft online (the old Sysinternals tool set, now part of Microsoft).

Will anti-forensics kick in and destroy your acquisition? Well, to be honest, if the tools are the ones you find on a Windows OS, then any rootkit installed on the machine will feed false data to any tool talking to the OS anyway. Nothing new there! Once again this proves that conventional computer forensics will still be required to corroborate the information.

What about the volatile information captured by this tool set, which is lost after a shutdown? That is why it is called volatile (it lives for a short period), and good luck piecing things together after imaging the drive. It will provide valuable information that you would not otherwise have, but how it will be proven in court is another matter altogether. It would not be a hard subject if everything was handed to you in a silver-platter report every time.

[1] – http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation%2C_Sep_2009

Posted in Digital Forensics, Mobile Phones, PDA Forensics

iPhone: myPhone on lock-down

…and you thought you were the only person to have the privilege of locking your iPhone’s screen. Think again. Once again a stunt and proof of concept demonstrates that high-tech mobile devices can be manipulated and possibly locked down by malicious people, leaving the users at their mercy. In some cases they even try to get you to part with your money. This was demonstrated with the ‘Your iPhone’s been hacked’ stunt as reported [1] by Wired.

It appears that jailbroken iPhones have SSH running with a default root password (if not changed), allowing full remote access to the phone. It is that easy. The users are lucky that the creator didn’t start locking the devices, as we have seen with ransomware (malware that demands a ransom to decrypt data or unlock a PC).

I would not be surprised if Apple tried to use this problem to demonstrate to people that jailbreaking the iPhone means you are taking avoidable risks and that you are not being protected to the fullest.

[1] Wired – Hacker holds Dutch iPhones for EUR5 ransom – http://www.wired.co.uk/news/archive/2009-11/04/hacker-holds-dutch-iphones-for-EUR5-ransom.aspx

Posted in Digital Forensics, Mobile Phones, PDA Forensics

Python 2.6 and 3.0 compatibility

If you will be writing any new programs in the Python programming language, then check Lennart Regebro’s presentation [1] and slides [2] on the compatibility issues between the two versions. It is interesting to see the number of changes they have made to make the language more robust and correct. This does mean that programs written in Python 2.x will, to some extent, be incompatible with Python 3.x, so keep it in mind when deciding which one to pick.

Links Used:
[1] Lennart Regebro’s presentation – http://blip.tv/file/1949281

[2] Lennart Regebro’s slides – http://liwo.polsl.pl/pycon-pl2008/materia142y/python-3-compatibility.pdf


Phone tapping the VoIP way

VoIP stands for Voice over IP (or the Internet). It is a cheap (or free) way of contacting people around the world. The most commonly used online application is Skype. When I came across this article [http://www.theregister.co.uk/2009/08/28/skype_trojan_source_code/] I had to write about it. It is amazing what people come up with and openly [http://www.megapanzer.com/source-code/#skypetrojan] demonstrate: how programs can be created to intercept a normal program’s function. In this case we have the redirection of a voice call, saved to an MP3, encrypted (nifty) and sent over to a server.

Now I wonder how many SMEs make use of VoIP and Skype…

By the bye, I am amazed that we still get charged so much for making international calls in the UK.

Posted in Digital Forensics, Mobile Phones, PDA Forensics

e-Crime Wales Summit 2009

The e-Crime Wales 2009 Summit (http://www.ecrimewales.com/), held at Llandudno, Wales, is over and a number of great speakers attended. Our own Prof. Andrew Blyth presented our findings on the installation of 15 IDS sensors in Welsh SMEs around Wales. Hopefully the attendees (business owners etc.) will have come into contact with a number of security professionals and been brought up to date on how to protect their businesses, or at least on where to go from here.

The few that I did see, at least from the live feed, all pointed out the need to be aware of the security implications of using online resources, and that complacency should not be an option, even though most people choose it. There is always one question that needs to be answered before deciding to go to (or watch the live feed of) one of these events: ‘What information will I walk away with?’ I think that it is a great opportunity to be exposed to the horror stories that the speakers have to offer from their experience; you can always pick up on them and relate to them at some point, or hope not to.

Check out the Twitter feed here [http://twitter.com/ecrimewales] with some questions and answers and a general overview of the speakers’ key points.

A picture of Prof. Andrew Blyth, Ed Gibson & Chris Corcoran http://bit.ly/3drSUL

A great service provided by Spamhaus is the set of advisory lists they publish (i.e., the Spamhaus Block List, Exploits Block List and Policy Block List). Check them out at http://www.spamhaus.org/.

e-Crime Wales also have a blog at http://ecrimewales.posterous.com/

Update (@11:20): We got a mention in the Welsh Daily Post: “E-crime costs Welsh companies hundreds of millions of pounds annually” – Oct 22 2009 – Daily Post – http://www.dailypost.co.uk/business-news/business-news/2009/10/22/e-crime-costs-welsh-companies-hundreds-of-millions-of-pounds-annually-55578-24989506/


AccessData Corp Youtube Channel

It seems that towards the end of the summer the AccessData Training Team started to post videos of how to do certain things with FTK 3 on YouTube ( http://www.youtube.com/profile?user=AccessDataCorp#g/u ).

Of interest:

FTK 3 Computer Forensics: Mac Analysis : http://www.youtube.com/watch?v=P2DCxtMqQyw

Shows the developments in support for Mac OS X files, the HFS+ format and extended attributes (very useful!!! check http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s). It also demonstrates where to find the Mac user’s password shadow file and password hash, and then how to use PRTK to attack the hash value. EXIF data for photos, etc. is supported now too.

FTK 3 Computer Forensics: Field Mode : http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel

Demonstrates on-the-fly analysis without doing the initial lengthy analysis, at least when it is not needed.

Links used:

AccessData YouTube channel – http://www.youtube.com/profile?user=AccessDataCorp#g/u

FTK 3 Computer Forensics: Mac Analysis – http://www.youtube.com/watch?v=P2DCxtMqQyw

FTK 3 Computer Forensics: Field Mode – http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel

FTK 3 Computer Forensics: Mac Analysis: Attributes B-tree @ 4m23s – http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s


Graphviz, Python and Tkinter

When creating a specific program that does one thing, it is sometimes useful to provide a generic solution and build upon those foundations. This is what I present in today’s posting, what I call graphing [1].

Graphviz [2] is a great tool that allows you to create diagrams, flow-charts and almost any type of graph. I won’t go into the details about Graphviz as this is not a tutorial; the site has more details.

What I have done is create a parser that converts a .gv file (e.g., [3, 4]) into a dot layout file (using the dot program), which is then read to create the layout on a Tkinter Canvas in Python. The advantage of this is that you can add your own code and make these items interactive (e.g. respond to the mouse, etc.). You will need to install at least dot, which is part of Graphviz [2].

Dependencies:
Graphviz (dot is needed)
Tkinter part of Python
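An added example of the pipeline the post describes (my own code, not the graphing package from [1]): run dot -Tplain on the .gv source, parse the plain-text layout into node positions and edge splines, and draw them on a Tkinter Canvas so each item id can be bound to mouse events. It targets Python 3; SAMPLE_PLAIN is a constructed fragment in the style of the fsm.gv example, and only layout_with_dot() needs the dot binary installed.

```python
# Added example, not the author's graphing code: dot -Tplain layout parsed onto a Tkinter Canvas.
import shlex
import subprocess

# Constructed sample of 'dot -Tplain' output: two states in the style of the fsm.gv example.
SAMPLE_PLAIN = """\
graph 1 3.0 1.0
node LR_0 0.5 0.5 0.75 0.75 LR_0 solid doublecircle black lightgrey
node LR_2 2.0 0.5 0.75 0.75 LR_2 solid doublecircle black lightgrey
edge LR_0 LR_2 4 0.88 0.5 1.1 0.5 1.4 0.5 1.62 0.5 "SS(B)" 1.25 0.6 solid black
stop
"""

def layout_with_dot(gv_source):  # run the Graphviz dot binary (must be on PATH) on .gv text
    return subprocess.run(["dot", "-Tplain"], input=gv_source, capture_output=True,
                          text=True, check=True).stdout

def parse_plain(plain_text):  # records: graph, node, edge, stop; units are inches, y axis up
    graph = {"scale": 1.0, "width": 0.0, "height": 0.0, "nodes": {}, "edges": []}
    for line in plain_text.splitlines():
        parts = shlex.split(line)  # shlex keeps quoted labels such as "SS(B)" together
        if parts and parts[0] == "graph":
            graph["scale"], graph["width"], graph["height"] = map(float, parts[1:4])
        elif parts and parts[0] == "node":
            x, y, w, h = map(float, parts[2:6])
            graph["nodes"][parts[1]] = {"x": x, "y": y, "w": w, "h": h,
                                        "label": parts[6], "shape": parts[8]}
        elif parts and parts[0] == "edge":
            n = int(parts[3])
            coords = list(map(float, parts[4:4 + 2 * n]))
            rest = parts[4 + 2 * n:]  # [label xl yl] style color: a label is present iff 5 fields remain
            graph["edges"].append({"tail": parts[1], "head": parts[2], "label": rest[0] if len(rest) == 5 else "",
                                   "points": list(zip(coords[::2], coords[1::2]))})
    return graph

def to_canvas(graph, x, y, dpi=72):  # dot: inches, origin bottom-left -> canvas: pixels, origin top-left
    s = graph["scale"] * dpi
    return x * s, (graph["height"] - y) * s

def draw_on_canvas(canvas, graph, dpi=72):  # returns canvas item ids so callers can tag_bind mouse events
    items = {}
    for e in graph["edges"]:
        pts = [c for p in e["points"] for c in to_canvas(graph, *p, dpi=dpi)]
        items[(e["tail"], e["head"])] = canvas.create_line(*pts, smooth=True, arrow="last")
    for name, nd in graph["nodes"].items():
        cx, cy = to_canvas(graph, nd["x"], nd["y"], dpi=dpi)
        rx, ry = nd["w"] * dpi / 2, nd["h"] * dpi / 2
        items[name] = canvas.create_oval(cx - rx, cy - ry, cx + rx, cy + ry, fill="lightgrey")
        canvas.create_text(cx, cy, text=nd["label"])
    return items
```

To use it interactively, create a tkinter.Canvas, call draw_on_canvas(canvas, parse_plain(layout_with_dot(open("fsm.gv").read()))) and bind handlers to the returned item ids with canvas.tag_bind.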

Links Used:
[1] graphing by Konstantinos Xynos (2008) – http://www.comp.glam.ac.uk/staff/kxynos/dot_parser2Tk.zip
[2] Graphviz – http://www.graphviz.org/
[3] Example: Finite Automaton – http://www.graphviz.org/Gallery/directed/fsm.html
[4] Example: Finite Automaton gv file – http://www.graphviz.org/Gallery/directed/fsm.gv.txt


Snort Rules checked by dumbpig

Writing custom Snort rules and want to check whether they are correct? Up to a certain point, at least.
Well, dumbpig [1] by Leon Ward is what you are after. For a good example check out VRT Sourcefire’s blog entry [2].

…while you are at it, have a look at Snoge [3]: “Take your Snort or Sourcefire IPS events and place them onto Google Earth.”

Links Used:

[1] – dumbpig – http://leonward.wordpress.com/dumbpig/

[2] – Syntax Checking your Snort Rules – http://vrt-sourcefire.blogspot.com/2009/08/syntax-checking-your-snort-rules.html

[3] – snoge – http://code.google.com/p/snoge/


Blue Screen your shiny Windows Vista/7 box

An exploit is making the rounds that affects Windows Vista and 7 machines which have SMB (i.e., SAMBA or file sharing) enabled. The researcher, after a small change in the SMB header, has managed to crash the SRV2.SYS driver, which fails to handle malformed SMB headers [1].

"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"

Solution:
As of now: funnily enough, disable file sharing if and when it is not needed, or implement a rule to block the SMB ports.

Links Used:
[1] – Full Disclosure: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. – http://seclists.org/fulldisclosure/2009/Sep/0039.html


Gmail in the UK down?

I was trying to check (i.e. refresh) my UK-based Google mailbox (Gmail/Googlemail in the UK) and all I get is a 502 Server Error. It seems gmail.com generally is not responding, although pings are going through.

Google Error

Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.

UPDATE (1 Sep. 2009 @ 21:41):
Google has us updated here (note IMAP and POP work!!!): http://www.google.com/appsstatus#rm=1&di=1&hl=en
