MOBILE VOL. 1 NO. 1
ANDROID PHONE
SIP CALL FORENSICS
HOW CAN SOFTWARE HELP SMARTPHONE FORENSICS?
SAFETY IS NOT A PRIVILEGE. IT IS A RIGHT. INTERVIEW WITH CHRISTIAAN BEEK
INTEGRATING CYBER FORENSICS IN INCIDENT RESPONSE
SECURITY TESTING TOOL OR CYBER WEAPON
MOBILE PHONE FORENSICS
Issue 1/2012 (1) August www.eForensicsMag.com
Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device-, version- and configuration-specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail. You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

Device Auditing (Scanners vs. Nipper Studio):
- Password Encryption Settings
- Physical Port Audit
- Network Address Translation
- Network Protocols
- Time Synchronization
- Warning Messages (Banners)
- Network Administration Services
- Network Service Analysis
- Password Strength Assessment
- Software Vulnerability Analysis
- Network Filtering (ACL) Audit
- Wireless Networking
* Limitations and constraints will prevent a detailed audit

enquiries@titania.com T: +44 (0)845 652 0621
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.
www.titania.com
TEAM
Editor: Barbara Orchowska barbara.orchowska@software.com.pl
Betatesters/Proofreaders: Glen Victor, Daniel Sligar, Gabriele Biondo, Sailaja Aduri, Roshan Harneker, Olivier Caleff, Vaman Amarjeet, Massa Danilo, Nicolas Villatte, Williams Joshua, Jonathan Ringler, Cindy Brodie, Lance Reck, Steven Doan, Andrew Levandosky.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Mateusz Jagielski mateuszjagielski@gmail.com
DTP: Mateusz Jagielski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic
Publisher: Software Media Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Safety is not a privilege. It is a right.

Dear Readers!

The modern world offers a lot, at times far too much. It is difficult to keep up with change, let alone adapt to it, and the variety of new technologies does not always make the task easier. For a specialist this range of new inventions is a fascinating subject of interest; for a layman it often means a maze of complications. Such a discrepancy in attitudes towards the newest technological achievements may result in different scenarios. On the one hand there appears a group of experts ready to help those in need. On the other hand, this group may take advantage of their superiority and use their knowledge to make profits illegally. Obvious as it seems, such a situation breeds uncertainty among ordinary Internet users about whom to trust online. The sense of safety in such circumstances is therefore very fragile and has little chance of improvement if no measures are taken. Thus it is crucial to promote the proponents of the first of the two scenarios presented above. According to the motto of McAfee, 'Safety is not a privilege. It is a right', so everyone deserves it. This statement sets clear standards to which all users of mobile devices and the Internet should hold. As eForensics Mobile Magazine shares this opinion, we decided to cross-examine Christiaan Beek, Principal Architect on McAfee's Strategic Security team, who talks about his experience in incident response and gives advice to newcomers to the field of digital forensics. Some of you may be skeptical about the practical application of such an idealistic motto, but our authors' texts will definitely shatter your doubts. Jan Kirchhoff, who has been receiving strange calls, presents the investigation he conducted in order to get rid of his silent interlocutors. Larry Smith and Donald Cinco, on the other hand, show what they found when installing a 'social share' application on their company web page.

These two cases reveal gaps which unfair Internet users exploited, hoping that nobody would detect their misdoings. Nevertheless, we would like to avoid the simplistic impression, which could emerge from the description above, that the world we live in stages an unequal fight between constantly clashing powers of good and evil. Therefore the full picture of this month's issue is completed by a witty story by Eric Lakes, who calls his struggle to solve a criminal case... fun. All in all, we all like a good challenge, as the author states. Isn't it a good idea to treat such a duel of experts and delinquents in this way: as a bit of fun serving higher purposes?

Enjoy reading!
Barbara Orchowska & eForensics Team
Thank you all for your great support and invaluable help.
6. INTERVIEW OF THE ISSUE
by Vaman Amarjeet and eForensics Team
Christiaan Beek, the expert of this month's issue, answers questions concerning digital forensic investigation and incident response.

MOBILE FORENSICS

10. ANDROID PHONE: TABLET URL JAVASCRIPT VULNERABILITY
by Larry Smith, Donald Cinco
In this article Larry Smith and Donald Cinco present what they found out after installing a 'social share' widget.

14. SIP CALL FORENSIC ANALYSIS
by Jan Tilo Kirchhoff
It all started during my 2011 summer vacation. One evening my mobile started ringing, but when I finally got to it and accepted the call there was no one on the line... In this article Jan Kirchhoff presents the investigation he conducted in order to detect the source of the mysterious calls.

18. ISSUES IN MOBILE DEVICE FORENSICS
by Eamon Doherty, PhD, SSCP, CCP, CCE
This article discusses examples of the usage of the mobile devices, accessories and tools which one may encounter on a suspect during an investigation.

24. MOBILE PHONE FORENSICS: CHALLENGE OF THE FUTURE
by prof. M. Tahar-Kechadi, dr Lamin Aouad
This article shares some thoughts about the reasons for the rapid development of mobile ecosystems.

30. HOW CAN SOFTWARE HELP SMARTPHONE FORENSICS?
by Alessandro Distefano
The author presents how Software Mobile Forensics can ease several concerns of current Mobile Forensics tasks.

NETWORK FORENSICS

34. AN INTRODUCTION TO NETWORK ANALYSIS
by Scott Taylor
Scott Taylor shows some helpful tricks which may come in handy when a problem with traffic identification or other operational activities occurs.

ANDROID FORENSICS

40. ANDREW HOOG "ANDROID FORENSICS"
by Apurva Rustagi
If you are just beginning your journey into mobile forensics and you have chosen to start it with Android, then this is the perfect book for you. In his review of "Android Forensics", written by Andrew Hoog, Apurva Rustagi writes about the distinctive qualities of this book. He argues that this publication won't disappoint any forensic practitioner, irrespective of their 'stage of initiation'.

DATA FORENSICS

42. CYBER AGENTS: HACKING EXTORTION CASE
by Eric Lakes
In this story Eric Lakes and Sergeant Randy, investigators at Cyber Agents, do their best to prove their client innocent and to outwit his smart wife.

LAW REGULATIONS

48. INTEGRATING CYBER FORENSICS IN INCIDENT RESPONSE
by Mukesh Saini
Clear incident investigation procedures can help to ensure that data collection and data handling are evidentially sound and legally admissible. The article deliberates over the necessity and importance of the DEFR in an organization, whether a private company or a government department.

52. SECURITY TESTING TOOL OR CYBER WEAPON
by Kevin Coleman
In this article Kevin Coleman stresses the burning need to provide a clear distinction between a security testing tool and a cyber weapon. His surprising remarks clearly pertain to the problem of nomenclature in the current regulatory system.
INTERVIEW WITH CHRISTIAAN BEEK by Vaman Amarjeet and eForensics Team
Christiaan Beek, the expert of this month's issue, answers questions concerning digital investigation and incident response. He gives advice to newcomers to the field of digital forensics and finally reveals what keeps him up at night. Do you want to learn more? We cross-examined Christiaan to quench your thirst for knowledge.

Christiaan Beek
As a Principal Architect on the McAfee Strategic Security team (Foundstone), Christiaan is responsible for the Incident Response and Forensics services team in EMEA. He has 12 years of experience in information security performing information security assessments, penetration testing, reverse engineering of malware, risk assessments, and forensics and incident response. He has worked internationally and has industry experience in government, financial services, insurance, healthcare, manufacturing, retail, pharmaceuticals, oil, food services and entertainment. Christiaan has performed numerous forensic investigations of intrusions, theft, child pornography, malware infections and mobile devices. He has also participated as an expert witness for the Dutch Department of Justice in high-profile investigations, leading a team of computer forensics specialists who assisted police with evidence recovery. He has also taught several classes for the Dutch Department of Justice, intelligence agencies and the private sector on digital evidence, incident response, cloud security, cybercrime and basic reverse engineering of malware. He is the developer and lead instructor of the Malware Forensics and Incident Response class, which is taught all around the world, including at the Black Hat events.
Certifications and Training
MCSE, CCNA, CQSS, CCSA, CCSE and SANS training.
Notable Accomplishments
- Speaker at the Black Hat conferences in Barcelona, Las Vegas and Abu Dhabi in 2010/2011.
ANDROID PHONE: TABLET URL JAVASCRIPT VULNERABILITY by Larry Smith, Donald Cinco
While editing our website I installed a widget called "social share" from a popular website. At first the widget seemed harmless, but as I always do I tried using the app with every available device on hand just to make sure it works as it is supposed to.

[This is what the installed widget looks like]

This is a set of widgets that you would install on your web page to access Facebook, Twitter, etc., as you can see from the image above. After installing the code on the website I checked it on the iPhone and PC and everything looked fine. I then tried accessing this app using an Android phone, and after typing the URL of our website that the widget app was loaded on I noticed that it goes to the correct index.html, but only for about 2 or 3 seconds, and then it redirects my browser to a different website.

[Here is an example of one redirect]

Then, as you can see from the picture above, it automatically redirects my Android browser to multiple unwanted web sites. The picture below reveals one of them, and more unwanted web sites followed.
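A check a practitioner would want before embedding third-party widget code is to look for exactly the pattern the authors observed: a user-agent test sitting next to a navigation sink, so that only some devices are sent elsewhere. The following Python is an added example, not code from the article or from the widget the authors installed. Both widget snippets are constructed for the example (the redirect host is invented), and the line-window heuristic is an assumption about how such code is usually laid out.

```python
"""Static check for device-specific redirects in third-party widget code.

Added example, not part of the article. The two widget snippets below are
constructed; the real widget the authors installed is not reproduced on
the page. The check flags JavaScript in which a user-agent test and a
navigation sink occur within a few lines of each other, which is how a
redirect that fires on Android but not on the iPhone or PC is written.
"""
import re

# Tests on the browser identity: navigator.userAgent or a regex like /Android/i.test(...)
UA_SNIFF = re.compile(r"navigator\.userAgent|/(?:Android|iPhone|iPad|Mobile)/i?\.test", re.I)
# Things that navigate the browser: location assignment, replace/assign, meta refresh, window.open
NAV_SINK = re.compile(
    r"\blocation(?:\.href)?\s*=(?!=)|"
    r"location\.(?:replace|assign)\s*\(|"
    r"http-equiv\s*=\s*[\"']refresh|"
    r"window\.open\s*\(",
    re.I,
)
URL_RE = re.compile(r"""https?://([^/\s'"]+)[^\s'"]*""")

# Constructed benign widget: the user agent only changes layout.
BENIGN_WIDGET = """\
var shareUrl = 'https://example-share.invalid/widget?u=' + encodeURIComponent(location.href);
var box = document.getElementById('share');
if (/Mobile/i.test(navigator.userAgent)) { box.className = 'share-compact'; }
box.innerHTML = '<a href="' + shareUrl + '">Share</a>';
"""

# Constructed suspicious widget: Android browsers are sent elsewhere after two seconds.
SUSPICIOUS_WIDGET = """\
(function () {
  var ua = navigator.userAgent;
  if (/Android/i.test(ua)) {
    setTimeout(function () {
      window.location = 'http://redirect-target.invalid/land?r=' + Math.random();
    }, 2000);
  }
})();
"""


def find_conditional_redirects(js, window=6):
    """Return one hit per navigation sink that sits within `window` lines
    after a user-agent test. Each hit records both line numbers (1-based)
    and the host the sink navigates to, if a literal URL is visible."""
    lines = js.splitlines()
    hits, seen = [], set()
    for i, line in enumerate(lines):
        if not UA_SNIFF.search(line):
            continue
        for j in range(i, min(i + window + 1, len(lines))):
            if NAV_SINK.search(lines[j]):
                if j not in seen:          # several UA tests may share one sink
                    seen.add(j)
                    m = URL_RE.search(lines[j])
                    hits.append({"ua_line": i + 1, "sink_line": j + 1,
                                 "host": m.group(1) if m else None})
                break
    return hits


def external_hosts(js, own_host):
    """Every host the script references other than our own site, for review
    against the vendor's documented endpoints."""
    return sorted({h for h in URL_RE.findall(js) if h != own_host})


if __name__ == "__main__":
    for name, js in (("benign", BENIGN_WIDGET), ("suspicious", SUSPICIOUS_WIDGET)):
        print(name, find_conditional_redirects(js), external_hosts(js, "www.example.invalid"))
```

A hit is a lead, not a verdict: legitimate widgets sniff the user agent for layout, which is why the benign snippet produces no hit even though it reads navigator.userAgent, and why the host list is reported separately for a human to compare with what the widget vendor documents. Fetching the page with several User-Agent strings, as the authors effectively did with their iPhone, PC and Android phone, remains the runtime counterpart to this static check.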
SIP CALL FORENSICS: CHASING PHREAKS ON THE INTERNET by Jan Kirchhoff
It all started during my 2011 summer vacation. One evening my mobile started ringing but when I finally got to it and accepted the call there was no one on the line. The same thing happened again in the middle of the night, followed by another call on the next day. The caller id showed that calls were coming from my home phone number. Finally I remembered that I had configured my home PBX to forward calls to a specific SIP account to my mobile. So I got on the internet to check the logs for any strange activities.
The call log showed that the calls had indeed come in through the SIP account in question, but the originating caller ID had been obscured:

20.07.2011;20:35:31;00:00:24;00:00;0,000;0;58;;;43;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
21.07.2011;01:41:13;00:00:24;00:10;0,000;0;58;;;46;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
22.07.2011;15:39:55;00:00:32;00:00;0,000;0;58;;;1;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
I decided to investigate further, but wanted to get rid of the annoying calls at unpredictable times first. I changed the configuration to forward the calls to my voicemail, which would send me an e-mail notification for each new message it had recorded. I also configured the system to create trace files of all SIP transactions. In the following days the calls to my SIP account continued. Each time the call was accepted by the voicemail system, but there was only silence in the recordings. The call was disconnected after the timeout configured in the voicemail system.

So who was calling me? A quick look at one of the SIP INVITE messages at first raised more questions than it answered. The incoming message was directed towards the public IP address of my home PBX:

<22:35:56.111>-RX(942 Bytes)--SIP--IP:68.233.250.164--Dest:5060--Src:5060--INVITE sip:00441913561034@88.73.81.183 SIP/2.0

But the destination number 00441913561034 did not match any of my numbers/accounts. So at the very least there was a configuration problem, since the PBX still routed a call addressed to a number that was not its own. Still, this would have to wait, as I wanted to find out more about what was going on. I tried to call the destination number from my mobile but did not get anywhere. So I continued to analyse the SIP information:

Via: SIP/2.0/UDP 68.233.250.164;branch=z9hG4bKjgV0Myn7VUFW;rport
From: "asterisk" <sip:asterisk@68.233.250.164>;tag=nnGiiC0kgk
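The two clues the trace gives, a Request-URI whose user part is not one of the PBX's own numbers and a From header that names a generic "asterisk" user instead of a calling number, are cheap to check mechanically across a whole trace directory. As an added example (not code from the article), the Python below triages such an INVITE and the PBX call-log records: it parses the request line and headers, reports where the INVITE claims to come from, flags a foreign destination and a missing caller ID, and pulls the incoming calls whose caller ID the PBX printed as "***". The INVITE is reconstructed from the request line, Via and From shown in the article; its To, Call-ID, CSeq and Contact headers, the set of owned numbers and the meaning of the call-log columns are assumptions.

```python
"""Triage of an unsolicited SIP INVITE and of PBX call-log records.

Added example, not part of the article. Request line, Via and From of the
INVITE are the ones shown in the trace; To, Call-ID, CSeq and Contact are
assumed so that the message is complete. The call-log column positions
(called number 10, caller id 11, source 15, direction 20) are assumptions
read off the three records printed in the article.
"""
import re
from datetime import datetime

# Numbers and SIP user names that belong to this PBX (assumed for the example).
OWN_NUMBERS = {"030868765432", "tilo"}

SAMPLE_INVITE = (
    "INVITE sip:00441913561034@88.73.81.183 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 68.233.250.164;branch=z9hG4bKjgV0Myn7VUFW;rport\r\n"
    'From: "asterisk" <sip:asterisk@68.233.250.164>;tag=nnGiiC0kgk\r\n'
    "To: <sip:00441913561034@88.73.81.183>\r\n"        # assumed
    "Call-ID: example-call-id@68.233.250.164\r\n"       # assumed
    "CSeq: 1 INVITE\r\n"                                # assumed
    "Contact: <sip:asterisk@68.233.250.164:5060>\r\n"   # assumed
    "Content-Length: 0\r\n"
    "\r\n"
)

# The three records from the article's call log, one per line.
SAMPLE_CALL_LOG = """\
20.07.2011;20:35:31;00:00:24;00:00;0,000;0;58;;;43;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
21.07.2011;01:41:13;00:00:24;00:10;0,000;0;58;;;46;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
22.07.2011;15:39:55;00:00:32;00:00;0,000;0;58;;;1;030868765432;***;;tilo;Firma Wahl;192.168.88.63 (0A0B0C010203);1;;Geschäft;Telefon;kommend;Eigene
"""

# Optional display name, then user and host of a sip: URI or name-addr.
URI_RE = re.compile(r'(?:"([^"]*)"\s*)?<?sip:([^@>;\s]+)@([^>;\s]+)>?')


def parse_invite(raw):
    """Split a SIP request into request line fields and a header dict.
    Header names are lower-cased; repeated headers (e.g. several Via) are kept in order."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "request_uri": request_uri, "version": version,
            "headers": headers, "body": body}


def sip_user(uri):
    """User part of a sip: URI or name-addr, e.g. 00441913561034 or asterisk."""
    m = URI_RE.search(uri)
    return m.group(2) if m else None


def via_source(via):
    """sent-by host of a Via header: where the sender says the request came from."""
    return via.split(";")[0].split()[-1].split(":")[0]


def triage_invite(raw, own_numbers=OWN_NUMBERS):
    """Flag the two properties the trace shows: a destination that is not ours
    (the PBX should reject it, not route it) and a From with no usable caller id."""
    msg = parse_invite(raw)
    h = msg["headers"]
    target = sip_user(msg["request_uri"])
    from_user = sip_user(h.get("from", [""])[0])
    findings = []
    if target not in own_numbers:
        findings.append("foreign destination")
    if not (from_user or "").isdigit():
        findings.append("no caller id")
    return {"source": via_source(h["via"][0]) if h.get("via") else None,
            "target": target, "from_user": from_user, "findings": findings}


def obscured_incoming_calls(log_text):
    """(timestamp, called number, source) of incoming calls logged with caller id '***'."""
    hits = []
    for line in log_text.splitlines():
        f = line.split(";")
        if len(f) < 21 or f[20] != "kommend" or f[11] != "***":
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%d.%m.%Y %H:%M:%S")
        hits.append((ts, f[10], f[15]))
    return hits


def night_calls(hits, start=22, end=7):
    """The hits that arrived between `start` o'clock and `end` o'clock."""
    return [h for h in hits if h[0].hour >= start or h[0].hour < end]


if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE))
    calls = obscured_incoming_calls(SAMPLE_CALL_LOG)
    print(len(calls), "obscured calls,", len(night_calls(calls)), "at night")
```

The "source" reported is only what the Via header claims; for UDP it is trivially forged, so the address to trust is the one the PBX itself logged on receipt (the IP: field of the trace line), which here happens to agree with Via.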
ISSUES IN MOBILE DEVICE FORENSICS by Dr. Eamon Doherty

This article discusses some of the mobile devices and accessories that one may encounter on a suspect during an investigation. It is important to know about many of the new devices that are wireless and provide storage, or that utilize GPS and mark routes as well as points of interest. This article discusses examples of the usage of these mobile devices and accessories and the tools that one can use to examine them. The article also starts off with some certifications that make one more marketable in this emerging field.

Eighty percent of the people in the world have a cell phone [1]. Many of these devices have cameras and Internet connectivity, and could hold evidence that could help prove someone innocent or guilty of a crime. Some of the evidence gathered to bring down the largest American spy in history, Robert Hanssen, was gathered from a PDA [1]. Tiger Woods' cell phone played a part in revealing that he had contact with at least one other woman [6]. Sexting, cyberbullying and other modern activities are now making it mandatory for investigators to learn about digital forensics on mobile devices. This article discusses using tools such as AccessData's FTK, Guidance Software's EnCase and RecoverMyFiles to recover evidence from a digital camera with a FAT file system. The article also discusses GPS forensics, GPS spoofing, and tools such as Berla's Blackthorn 2 to recover routes, waypoints and phone calls that occurred in a motor vehicle. This article also discusses some of the certifications one should obtain to make oneself more knowledgeable and marketable in this field.
COMBINING CERTIFICATIONS TO MAKE ONESELF MORE MARKETABLE

A digital forensics student told Dr. Doherty and his fellow classmates many years ago that he had a strategy to make himself more marketable to the digital forensics industry. He said that he was getting his EnCase Certified Examiner (EnCE) certification and various hazmat certifications while working as a volunteer fireman. He said that while many people could go to a crime scene and image a computer, collect digital media and accompanying peripheral devices, only a few could do that in an environment where a biological, radiological or chemical attack had occurred. Soon after graduation he obtained a position in digital forensics.

It seems that lawyers are now taking more graduate classes and continuing education in digital forensics to improve their knowledge in this area so that they can better defend clients and spar with digital forensics experts on technical issues. It no longer seems sufficient just to try to find fault in the chain of custody or to make sure that a Faraday bag was used because of possible issues with connectivity, contamination and tampering. Being both a Certified Computer Examiner (CCE) and a lawyer sounds like a great combination for those employed as defense attorneys. It is also good to join organizations such as ASIS International, the American Society of Digital Forensics and eDiscovery, the High Technology Crime Investigation Association (HTCIA) and the International Association of Computer Investigative Specialists (IACIS) to network with people and find out the current news in digital forensics. It is good to ask what types of cases are going on, what types of tools are needed and what types of certifications are needed.
DIGITAL CAMERA SEIZURE AND EXAMINATION
It is important to put a digital camera in a Faraday bag if one seizes it, because many of these devices have infrared or some type of wireless connectivity [1]. A Faraday bag, like Paraben's StrongHold Bag, is a good way to prevent others from connecting to the camera and altering the evidence. Many people carry and use PDAs, iPads and palmtops that are small and could go unnoticed, so it is important to protect against possible tampering by isolating the evidence in such a bag [1]. That is also good to note on the chain of evidence. The camera should also be transported in a cool place so that heat does not damage it. It is also good to protect the digital camera from radio-frequency waves that could damage the media by not putting it near a
Boundless helps integrate and improve organizational ARC (Audit, Risk and Compliance) activities to safeguard reputation and fiduciary integrity.
Expert Training. Entertaining Speaking. Candid Consulting.
For more information call (267) 297-0706. www.boundlessllc.com
MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE by prof. M. Tahar Kechadi, dr L. Aouad
While the processes and procedures are well established in traditional hard-drive-based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. This article shares some thoughts about the reasons for this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

The information and data era is rapidly evolving. As a result, there has been exponential growth in consumer electronics, and especially mobile devices, over the past few years, with ever-increasing trends and forecasts for the coming years. Mobile devices have already overtaken PCs, and mobile data traffic is expected to increase 18-fold over the next five years to approach 11 exabytes per month, according to Cisco Systems [1]. Their computing power, storage and functionality have increased tremendously. Phones have been transformed from simple handheld devices, essentially placing and receiving calls or text messages, into highly capable devices that can do more or less everything a desktop or laptop computer can do, and even more. The large range of Android-based smartphones, iPhones, BlackBerrys and even tablet products are all examples of these mobile devices. Their typical storage capacity today is higher than that of a powerful desktop in the late 1990s, and the vast majority can also take memory cards.
This tremendous computational and storage capacity has turned mobile devices into data repositories capable of computing and storing a large amount of personal, organisational and also sensor information. Indeed, although these devices can be input-limited, they have remarkable context awareness because of all their sensors and connectivity options. Unfortunately, criminals use this technology too. They have not missed the proliferation of mobile systems and its data revolution, and these devices are being used in support of criminal activities. For instance, earlier this year a US officer found out that the suspect he was about to arrest was using his smartphone to listen to the police secure channels streaming via the Internet [2]. All classes of crime can involve some type of digital evidence (a photo, a video, a received or placed call, messages, web pages, etc.). These devices are also commonly used in social networking nowadays, and in carrying out sensitive operations online, including online banking, shopping, electronic reservations, etc. Hacking then becomes a huge problem. In February 2011, hackers were remotely monitoring the calls made and received from about 150,000 infected mobile devices in China [3]. Another example is the Zeus man-in-the-mobile Trojan, discovered in September 2010, which was the first Trojan in the mobile environment to compromise online banking's two-factor authentication mechanism [4] [5]. It is indeed quite easy for cyber criminals to build a Trojan application nowadays [6], because these mobile systems are at an early stage.

Valuable information can then be obtained from a mobile device: text messages, e-mails, communication logs, contacts, multimedia files, geo-location information (GPS and Wi-Fi hotspots), etc. These can help answer crucial questions in cybercrime investigations and solve the related cases. However, a huge number of challenges still face a forensic investigator in obtaining forensically sound evidence from these devices. In this article, we present the process of recovering digital evidence and its challenges, then share some information about current methods and tools, and a few prospects for the future.
Global Information Risk Management Recruitment Information Security & Risk Management | Governance & Compliance Penetration Testing, Forensics & Intrusion Analysis | Technical Security | Business Continuity Management Sales Engineering | Sales & Marketing | Public Sector Security | Executive Management
Network and/or Application Penetration Tester Ref: 14951
Location: UK wide Salary: £25k-£75k base + bonus + package Job Type: Permanent
Multiple opportunities for Penetration Testers. Varying levels of experience will be considered. You will be offered first rate project exposure as well as on-going training, culminating in superb earning potential. Key competencies and experience required: • Use of a variety of network security testing tools and exploits to identify vulnerabilities and recommend corrective action • Manual penetration testing and a deep understanding of IP networking in a security context • Deep knowledge of IP networking protocols • Experience with security testing of Web-based applications • Intimate knowledge of at least one enterprise development framework • Proven ability to explain verbally the output of a penetration test to a non-technical client • Strong inter-personal and communication skills • Report-writing and presentation skills • Must be prepared to travel Desirables: • Code review skills • CHECK, CREST or TIGER qualification • Current UK driving licence Please email your CV to careers@acumin.co.uk quoting the reference above
Web Application Penetration Tester and Security Specialist Ref: RF14803
Location: South East Salary package: £400-£600 per day Job Type: Contract
This blue chip finance organisation is currently developing its internal information security function, and as such has identified a need for a lead security specialist with a particular focus on web application security. Responsibilities • Conduct technical security assessments against strategic initiatives prior to final release in to an operating environment. • Carry out such tests and assessments against internal standards as well as industry standards such as SAS70 and PCI-DSS. • Define and execute penetration tests as part of the review lifecycle for infrastructure, applications, and web applications. • Perform regular vulnerability assessments using scanning tools to ensure the on going security of systems to emerging and known threats. • Provide expertise in to forensics investigations and incident management as required. • Identify and manage required resources, creating reusable documentation, processes, and toolsets. Requirements: • Strong understanding of technical security principles around penetration testing, vulnerability management, and forensics. • Knowledge of current assessment techniques and toolsets such as OWASP guidelines, WebInspect and Fortify. • Prior working experience of industry standards and processes - PCI, ITIL, Prince, COBIT, COSO. • Demonstrable track record of security design, review, and implementation. Please email your CV to careers@acumin.co.uk quoting the reference above
Acumin Consulting Ltd, Suite 22, Beaufort Court, Admirals Way, London E14 9XL
Telephone +44 (0)20 7997 3838 Fax +44 (0)20 7987 8243 Email info@acumin.co.uk
www.acumin.co.uk www.acuminconsulting.com
HOW CAN SOFTWARE HELP SMARTPHONE FORENSICS? by Alessandro Distefano, Freelance Certified Professional Computer Engineer
The smartphone market offers a great variety of manufacturers and models, which forces a strong, unavoidable and unattractive heterogeneity on the hardware tools used to retrieve smartphone contents in a forensically sound way. At the same time, the software support provided by last-generation devices is powerful and far better suited to coping with the complexity of this plethora of devices. For these reasons it is interesting and attractive to think about a new kind of Mobile Forensics that relies only on software tools: Software Mobile Forensics. Software Mobile Forensics can ease several main concerns of current Mobile Forensics tasks (e.g., data acquisition, assessment of forensic properties, data analysis), as this article will explain.

Index Terms: Mobile Devices, Evidence, Forensics, Data Collection, Data Analysis, Anti-Forensics

INTRODUCTION
The last decade has shown how daily life can be disrupted by the emerging technology of smart mobile devices. Such devices, which range from micro-scale to handheld to tablet appliances, follow the distributed and pervasive computing paradigm and build on last-generation computation and network capabilities. In addition to these enablers, smart mobile devices have won mass-market favour because of their ever-lower cost of production. In this scenario, the previous generation of mobile cellular phones has been superseded by a new kind of mobile phone enriched by a plethora of value-added services, both in hardware and in software. These mobile phones are commonly called smartphones. This kind of device has shifted the intelligence of the provided services from the network service provider to the device itself. For this reason, the forensic analysis of these devices has been revolutionized: the most useful and interesting information is no longer stored by the provider (e.g., call records) but must be collected from the devices. At the same time, the ability to isolate and seize each mobile device is very limited, and almost always, in order to apply the common best practice of forensics literally, the device has to be physically violated (e.g., by desoldering memory chips).

OVERVIEW OF SMARTPHONE FORENSICS
At the time of writing, the best common practices in smartphone forensics, published by the National Institute of Standards and Technology (NIST), state that 'To acquire data from a phone, a connection must be established to the device from the forensic workstation.' Following this approach, a lot of commercial (and very expensive) tools have been developed and published over the last ten years; these tools have both software (which drives the data collection and the further analysis of the data) and hardware components (e.g., cables and connectors and a forensic
NETWORK FORENSICS: AN INTRODUCTION TO NETWORK ANALYSIS by Scott Taylor
Various IT professionals have the skillsets to identify system and network traffic patterns using Open Source and commercial tools which analyze packet headers or data streams and provide the user with wonderful results; such tools are commonly referred to as Network Forensic Analysis Tools (NFATs). Hopefully, most IT professionals are familiar with legacy Open Source programs like tcpdump, windump and Wireshark (formerly Ethereal) used for data capture and analysis. I'm sure there are many readers who will recall the good old days too, with the X.25 scope.

BASIC DEFINITIONS
Network forensics: the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

From time to time, I receive inquiries from colleagues and business associates to assist in the identification of traffic for customers, or to troubleshoot internal implementations and other operational activities. These colleagues are security architects, network engineers, or (pre/post) technical sales consultants, and they have extensive experience with the inner workings of routers, switches, firewalls, WAN optimizers and any number of related appliances. They are usually licensed experts in their fields, understanding how to implement complex configurations, analyze logs, perform packet captures, respond to incidents and maintain the operational state of the systems they interact with on a daily basis. Inherently, each subject matter expert possesses an excellent understanding of their own systems, permitting them to isolate and kill rogue network services or system processes. From time to time, they too may need some specialized forensic expertise when troubleshooting implementation or network issues, often due to time constraints related to their daily activities.

Today most network vendors include some implementation of a packet capture tool within their devices, and there are numerous pcap utilities for whatever distribution/OS one runs, so that anyone can get a capture done with a little effort and direction. Surprisingly, there are many who understand how to perform a capture and interpret the TCP/IP and Internet-related protocols, but who either neglect deeper inspection of the information contained in the packets or do not understand how to interpret the information hidden within them. As we
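As an added illustration (not part of Taylor's article), the script below walks a classic pcap file with nothing but the standard library, peels Ethernet, IPv4 and TCP off each record, and then reads the application-layer content the way the "deeper inspection" above asks for. The capture is constructed inline (one HTTP request from 10.0.0.5 to 192.168.1.10 on port 80; addresses, MACs and content are made up) so the example runs offline; in practice you would feed it the file tcpdump or Wireshark wrote.

```python
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # classic pcap written by a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame carrying an HTTP request,
    wrapped in a classic pcap file. Every value here is made up for the example."""
    payload = (b"GET /admin/export?all=1 HTTP/1.1\r\n"
               b"Host: intranet.example\r\n"
               b"User-Agent: curl/7.26\r\n\r\n")
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1344848400, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_pcap_records(data: bytes):
    """Yield (timestamp_sec, linktype, frame_bytes) for each record of a classic pcap file."""
    if data[:4] == PCAP_MAGIC_LE:
        e = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, linktype, data[off:off + incl_len]
        off += incl_len


def dissect_ethernet_ipv4_tcp(frame: bytes):
    """Peel Ethernet -> IPv4 -> TCP; return the flow tuple, flags and raw payload.
    Returns None for anything that is not TCP over IPv4 over Ethernet."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes, honours IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                            # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]                   # trims Ethernet padding on short frames
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4             # TCP header length, honours TCP options
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def parse_http_request(payload: bytes):
    """Pull the request line and headers out of a payload that starts an HTTP request;
    None when the payload is something else (TLS, SSH, a mid-stream segment, ...)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"),
            "target": parts[1].decode("ascii", "replace"),
            "headers": headers}


def analyze(pcap: bytes) -> list:
    """Walk a capture and return, per TCP segment, the flow tuple plus any HTTP request it carries."""
    results = []
    for ts, linktype, frame in iter_pcap_records(pcap):
        if linktype != LINKTYPE_ETHERNET:
            continue
        seg = dissect_ethernet_ipv4_tcp(frame)
        if seg is None:
            continue
        seg["ts"] = ts
        seg["http"] = parse_http_request(seg["payload"])
        results.append(seg)
    return results


if __name__ == "__main__":
    for seg in analyze(build_sample_pcap()):
        print(f'{seg["src"]}:{seg["sport"]} -> {seg["dst"]}:{seg["dport"]} flags=0x{seg["flags"]:02x}')
        if seg["http"]:
            print(f'  {seg["http"]["method"]} {seg["http"]["target"]} Host={seg["http"]["headers"].get("host")}')
```

The point of doing the dissection by hand once is that the header lengths are read from the packet (IHL, TCP data offset) rather than assumed, which is exactly where ad-hoc one-liners over a capture go wrong when options are present; after that the payload is just bytes for the protocol parser of your choice.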
CYBER CRIME LAWYERS
Pannone are one of the first UK firms to recognise the need for specialist cyber crime advice. We can both defend and prosecute matters on behalf of private individuals and corporate bodies. We are able to examine material or secure evidence in situ and will then represent your needs at every step of the way. Our team has a wealth of experience in this growing area and is able to give discreet, specialist advice.
Please contact David Cook on 0161 909 3000 for a discussion in confidence, or email david.cook@pannone.co.uk
www.pannone.com
ANDREW HOOG: "ANDROID FORENSICS" by Apurva Rustagi
If you are just beginning your journey towards mobile forensics and you have chosen to start it with Android, then this is a perfect book for you.
Book info:
Title: Android Forensics, 1st Edition: Investigation, Analysis and Mobile Security for Google Android
Author: Andrew Hoog
Release date: 15 Jun 2011
Imprint: Syngress Media, U.S.
ISBN: 9781597496513

To begin with, Andrew Hoog shares a brief history of Android along with an introduction to commonly used Linux tools. He then moves gradually into the use of Open Source software tools and an Ubuntu VM, as commonly used in digital forensics. This is useful to readers because many of the concepts outlined in the book are explained using these tools. The other important part of the first chapter covers downloading and compiling the Android source code.

The second chapter focuses on Android hardware platforms. While this chapter gives quite a lot of information about a wide array of Android-supported hardware and device types, the most important part is the boot process of Android. Once readers are adequately familiarized with the Android operating system, Hoog makes them comfortable using the Android Software Development Kit and tools like the Android Emulator and Android Debug Bridge.

As Hoog approaches the heart of this book, he details the internal memory architecture and the various file systems used in Android, focusing on YAFFS2. What I appreciate about this book is that, even when Hoog starts deep dives into complex technical topics, his writing style doesn't lose its simplicity. Beginners will still comfortably grasp these complex concepts while reading.

The fifth chapter goes into more detail about the theoretical aspects of mobile security and has less detail about the forensic analysis of Android phones. These concepts are explained with a focus on the Android OS. This chapter will be of specific interest to Android application developers, who should keep security in mind when designing their apps. The chapter also discusses corporate security strategies that IT administrators can use to secure the Android devices of employees under a Bring Your Own Device (BYOD) policy.

Further in the book, Hoog goes on to explain the different types of forensic analysis techniques for Android devices. The reader is first introduced to the concepts of physical and logical analysis and how each can be accomplished on Android devices. Hoog also explains the acquisition and verification techniques that should be followed for each kind of analysis, and evaluates various commercially available software and hardware tools such as viaExtract, Cellebrite, etc. This information is useful for examiners who are looking forward to adding to their arsenal of Android forensics tools.

In the final chapter, Hoog explains various strategies and tools that can be used to analyze Android devices. The analysis of the FAT file system is explained using some commonly used Linux tools. However, the real value of the book is found at the end
CYBER AGENTS: HACKING EXTORTION CASE by Eric Lakes
One often has to wonder about the criminal's mind and how it works. Do they really think their plan is that good? Do they really think it will work and they won't get caught? Yep!!! My name is Randy…I'm a cop (Da Da Da Dant). Well, I used to be. I retired two years ago from a pretty decent sized city in central Kentucky called Lexington. I know, I know, I don't look old enough to be retired, but since you can't see me, you'll have to trust me, I am.

For the past several years I have been working on a contractor basis with my friend and computer genius Eric Lakes in a very exciting field called computer forensics. Eric has been involved in computers for more than 20 years himself, so forensics seemed to be a natural fit for both of us.

While working with Eric, and of course during more than 22 years in law enforcement, Eric and I have come across some very bizarre cases. In all of my years in law enforcement I seldom get shocked anymore by one human's actions against another, but this case shocked me. It reads like a dime-store novel. Details you would have had to make up because no one would ever try this. She did! You know the phrase, "There is no fury like a woman scorned"? Well, this was fury, even though I'm not sure about the scorned part. Who is she, you're asking? Well, the "Perpetrator" in this case, we'll call her Jill, devised a plan so bizarre that you know this case and its details have to be true. Truth, as you know, is in fact stranger than fiction. This case, I'm sad to say, is not fiction! This case was real and very unique from start to finish. It was "fun," not only due to the content of the case, but also because of the immediate challenges that the case presented, and of course we like a good challenge. But it was also very serious.

The Defendant vs. Perpetrator
They are not the same in this case. Normally you would ask, well, isn't the defendant the perpetrator? Not in this case, read on my friend, read on. We were contacted by the defendant's counsel (we'll call the defendant Jack) in April 2006 to review electronic media on two computers: Jack's and that of his now ex-girlfriend, Jill. Both had been charged with serious crimes.

At the beginning of this case, Jack was dating and living with Jill. At that time, they were also working for the same company, but in very different capacities. Jack was involved with the company at an upper level and Jill on a much lesser, worker-bee, level. Eventually an incident occurred at work that did not involve Jack; however, Jill was somehow implicated and separated from the company. She must have taken great offense to this. Jack and Jill had a stormy relationship from the start, one in which it appeared, at least, that Jack was doing all the work and Jill was creating all the "drama" and spending all the money. So, after too many unresolvable incidents between Jack and Jill, Jack finally realized that he was in love with the wrong girl and had to leave. Eventually he moved out and got a place of his own.

The Story
This is where the fun begins. Don't think for a moment that Jill was going to take being broken up with by Jack lightly, especially since she had no job and needed to pay her bills. Even after the break-up, Jill tried to maintain a relationship with Jack and, since he was broken-hearted, I guess he tried too. Of course it didn't last. It was during this time, on one of Jill's "visits" to Jack's new apartment, that Jill came into possession of one of Jack's credit cards, although Jack was not aware of this.
The Only Magazine about Pentesting
200 Pages of the Best Technical Content Every Month
8500 Readers
4 Specialized Issues
From theory to practice, from methodologies and standards to tools and real-life solutions! PenTest gives an excellent opportunity to observe security trends on the market for the readers, and for companies to share their invaluable knowledge. To learn more visit: http://pentestmag.com/. For any questions or inquiries please mail us at: en@pentestmag.com.
INTEGRATING CYBER FORENSICS IN INCIDENT RESPONSE by Commander Mukesh Saini (Retd.)
Over the last few years the International Organization for Standardization (ISO) has been working to define a common procedure for cyber forensics, so that evidence collected in one jurisdiction is acceptable across the world. The work on the standard ISO/IEC 27037 is in its final leg, and it is expected that the standard will be released by October 2012.

The proposed standard hinges on the Digital Evidence First Responder (DEFR), who will be responsible for the identification, collection, preservation and transportation of digital evidence. He will be required to be trained and authorized to undertake all activities related to the cyber evidence from the time the evidence comes to light. This means that he will be part of the Cyber Incident Response Team (CIRT). One of the objectives of the Information Security Incident Management standard ISO/IEC 27035 states: "Clear incident investigation procedures can help to ensure that data collection and handling are evidentially sound and legally admissible. These are important considerations if legal prosecution or disciplinary action might follow. It should be recognized however, that there is a chance that the actions necessary to recover from an information security incident might jeopardize the integrity of any such collected evidence." This article deliberates over the necessity and importance of the DEFR in an organization, whether a private company or a government department.

When a cyber event is escalated into an incident, the incident response team starts its investigation in earnest. At that point no one can prejudge the enormity of the incident. A cyber incident could thus be any of the following:

a) A false alarm;
b) just a techno-mechanical failure;
c) a software glitch;
d) a human (genuine) error;
e) a malware-based attack;
f) an internal employee's attempt to steal information or defraud the organization;
g) a generic hacker attack;
h) a competitor's motivated, specific hack attack;
i) a cyber attack from a non-state actor or another nation state.

Therefore, as the investigation unfolds, the actions an organization has to undertake will have to be proportionate to the level and sophistication of the cyber attack as well as to its financial and other implications. Hence no organization approaches the police at the very outset of an incident; an internal investigation and risk assessment have to be undertaken by management, based on the incident management team's report. However, if during this stage digital evidence is not handled professionally, its probative value and evidentiary weight may be destroyed.
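The ISO/IEC 27035 passage quoted above warns that recovery actions can jeopardize the integrity of collected evidence. As an added example (not from ISO/IEC 27037 or the article; the evidence items, handler names and timestamps are constructed), the script below shows the two controls a DEFR uses to make that jeopardy detectable rather than merely possible: a hash manifest taken at acquisition, and a hash-chained chain-of-custody log in which each entry commits to the one before it, so an altered, reordered or deleted entry breaks every later link.

```python
import hashlib
import json

# Constructed sample evidence items. In practice these are the bytes of a disk
# image, a memory dump or an exported log read from the evidence store; the host
# name, IP address and content below are made up for the example.
SAMPLE_ITEMS = {
    "ws-042_memory.raw": b"\x4d\x5a\x90\x00" + b"\x00" * 60 + b"lsass.exe\x00",
    "ws-042_syslog.txt": b"Aug 13 09:14:02 ws-042 sshd[811]: Accepted password for root from 203.0.113.7 port 51022\n",
}
GENESIS = "0" * 64   # "previous hash" of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(items: dict) -> dict:
    """Hash every item at acquisition time. The manifest travels with the evidence
    and is what a later examiner compares the bench copy against."""
    return {name: sha256_hex(data) for name, data in items.items()}


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def append_entry(log: list, when: str, action: str, handler: str, item: str, item_hash: str) -> dict:
    """Add one link to the chain-of-custody log."""
    body = {
        "prev": log[-1]["entry_hash"] if log else GENESIS,
        "when": when,
        "action": action,       # acquired, sealed, transferred, analysed, ...
        "handler": handler,     # DEFR or examiner identity
        "item": item,
        "item_hash": item_hash, # ties the entry to the manifest value
    }
    entry_hash = _entry_hash(body)
    body["entry_hash"] = entry_hash
    log.append(body)
    return body


def verify_chain(log: list) -> bool:
    """Recompute every entry hash and every link. False if any entry was altered,
    reordered or removed."""
    prev = GENESIS
    for entry in log:
        if entry.get("prev") != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _entry_hash(body) != entry.get("entry_hash"):
            return False
        prev = entry["entry_hash"]
    return True


def verify_items(manifest: dict, items: dict) -> dict:
    """Compare what is on the bench now with what was hashed at acquisition."""
    return {name: name in items and sha256_hex(items[name]) == h for name, h in manifest.items()}


def demo():
    manifest = make_manifest(SAMPLE_ITEMS)
    log = []
    for name, h in manifest.items():
        append_entry(log, "2012-08-13T09:30:00Z", "acquired", "DEFR j.doe", name, h)
    append_entry(log, "2012-08-13T11:05:00Z", "transferred", "DEFR j.doe -> examiner a.roe",
                 "ws-042_memory.raw", manifest["ws-042_memory.raw"])
    chain_ok = verify_chain(log)

    # Failure mode 1: a recovery step rewrote the syslog after it was acquired.
    on_bench = dict(SAMPLE_ITEMS)
    on_bench["ws-042_syslog.txt"] = on_bench["ws-042_syslog.txt"].replace(b"203.0.113.7", b"10.0.0.1")
    item_check = verify_items(manifest, on_bench)

    # Failure mode 2: someone edits the first custody entry after the fact.
    edited = [dict(e) for e in log]
    edited[0]["handler"] = "DEFR someone.else"
    return chain_ok, item_check, verify_chain(edited)


if __name__ == "__main__":
    chain_ok, item_check, edited_ok = demo()
    print("original chain verifies:", chain_ok)
    print("items unchanged since acquisition:", item_check)
    print("edited chain verifies:", edited_ok)
```

The manifest answers "is this still the data the DEFR collected?"; the chained log answers "who had it, when, and has the record of that been tampered with?". Neither replaces signing the log with a key the examiner does not hold, but together they turn the integrity question into one that can be demonstrated to a court rather than asserted.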
SECURITY TESTING TOOL OR CYBER WEAPON by Kevin G. Coleman
Many software and systems testing tools can be considered dual-use technology. While they are used to legitimately test software and systems, they can also be used to attack those same software and systems. Therefore, there is a growing concern about the development and proliferation of what has been referred to as Cyber Arms. In fact, in 2011 China and Russia submitted a recommendation to the United Nations about a Cyber Arms Treaty. This topic is not new to the United Nations; it can be traced back to 2006, when the U.N. General Assembly requested that all countries submit their views on a binding conventional arms trade treaty. Currently, the UN is working on a global treaty that would regulate the international arms trade, covering all conventional weapons, and that would promote transparency and accountability in the arms trade. An international legal definition of conventional arms really does not exist. The closest thing we could find states that conventional arms are all weapons that are not chemical, biological or nuclear in nature. Given that broad definition, cyber weapons would have to fall under the conventional arms heading, even though cyber weapons are not specifically addressed.

There is another big issue with this movement by the UN. There are 231 countries connected to the Internet and only 193 of those countries are members of the United Nations. Could the 38 countries not represented in the UN become sanctuaries for cyber arms dealers? That is a distinct possibility.

Recently the European Union contributed to, and further confused, this already complex issue through its actions to control cyber weapons, which negatively impact security testing tools. The proposal states that the production or sale of devices such as computer programs designed for cyber attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses. If convicted, a cyber attacker would face at least two years in prison, and at least five years under aggravating circumstances (for example the use of a tool specifically designed for large-scale attacks), or for attacks that cause considerable damage (such as disrupting critical infrastructure).

Penetration testing is a technique used to evaluate the security of web sites, computer systems, networks and connected devices by simulating a cyber attack. In the hands of an attacker, the same tooling is an automated cyber attack platform. Now consider system capacity (load) testing tools. They automate the generation of a massive number of transactions, used to assess and verify the capacity of a computer, server, network or entire system. A distributed denial of service (DDoS) attack also generates a massive number of transactions, used to overwhelm the capacity of a computer, server, network or entire system. This legislation forces one to ask: how would software developers and others be able to conduct security and penetration tests, and check the security of their own systems or those of clients, if they are no longer allowed to own such tools? The answer is very ugly: we would have to go back to manual testing methods! I asked one security consultant about this law and his only comment was "This is evil or moronic", and he is far from alone in that opinion.

There is a fairly large and growing global market for these testing tools. A quick search turned up nearly 600 such tools on the market today. Last year one analyst group forecast that the Asia Pacific region would see a compound annual growth rate (CAGR) of 33.6 percent between 2010 and 2014. There are a number of conferences that address this subject matter and have robust vendor shows. The EU actions have many asking whether this growth rate should be considered an indicator of cyber arms proliferation.

Legislation or regulations that outlaw these security testing tools will cause more harm than good. The only difference between a security testing tool and a cyber weapon is the intent of those using it. It would be nearly impossible to regulate intent, but it appears they are going to try. The EU efforts will ultimately result in the bad actors having access to automated attack capabilities (also known as cyber weapons) while system developers are forced to revert to highly costly and less effective manual testing methods. There is a lot at risk from cyber attacks that target our systems. The vast majority of the efforts to date are reactive and arguably not well thought through. To be proactive, we need an effective strategy that addresses the multiple facets of cyber security and defense, and that requires all countries connected to the Internet to cooperate during investigations of cyber attacks.
Author bio
Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at the Internet pioneer Netscape, as well as the lead author of the Cyber Commander's eHandbook. He is a Senior Fellow with the Technolytics Institute, where he provides consulting services on strategic technology and security issues. He has presented/testified at the United Nations as well as before multiple elements of the U.S. Congress, and has briefed and instructed courses for the U.S. military and U.S. intelligence organizations. He writes a weekly blog for AOL Government on the topic of cyber intelligence and on Digital Conflict at Defense Systems, as well as writing for Eye Spy Intelligence magazine in the UK.

Additional Information
http://gov.aol.com/2012/07/09/cyber-intelligence-un-arms-treaty-what-about-cyber-arms/
http://www.infosecisland.com/blogview/20901-EU-Possession-of-Hacking-Tools-to-Become-a-Criminal-Offense.html
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fTEXT%2bIM-PRESS%2b20120326IPR41843%2b0%2bDOC%2bXML%2bV0%2f%2fEN&language=EN
THE UPCOMING ISSUE OF eFORENSICS MOBILE, WILL BE DEVOTED TO...
SIM/USIM Card analysis Tools & Techniques
follow us on: http://eforensicsmag.com/
Now Hiring
Teamwork · Innovation · Quality · Integrity · Passion
Sense of Security
Compliance, Protection and
Sense of Security is an Australian-based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry-leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on teamwork, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.
info@senseofsecurity.com.au
www.senseofsecurity.com.au
Global I.T. Security Training & Consulting

In February 2002, Mile2 was established in response to the critical need for an international team of IT security training experts to mitigate threats to national and corporate security far beyond USA borders in the aftermath of 9/11.

IS YOUR NETWORK SECURE?
A network breach... could cost your job!
www.mile2.com™

mile2 Boot Camps

PENETRATION TESTING (AKA ETHICAL HACKING)
• C)PTE™ Certified Penetration Testing Engineer
• C)PTC™ Certified Penetration Testing Consultant

SECURE CODING TRAINING
• C)SCE™ Certified Secure Coding Engineer

WIRELESS SECURITY TRAINING
• C)WSE™ Certified Wireless Security Engineer
• C)WNA/P™ Certified Wireless Network Associate / Professional

DR&BCP TRAINING
• DR/BCP Disaster Recovery & Business Continuity Planning

VIRTUALIZATION BEST PRACTICES
• C)SVME™ Certified Secure Virtual Machine Engineer

DIGITAL FORENSICS
• C)DFE™ Certified Digital Forensics Examiner

GENERAL SECURITY TRAINING
• CISSP™ CISSP & Exam Prep
• C)ISSO Certified Information Systems Security Officer
• C)SLO Certified Security Leadership Officer
• ISCAP Info. Sys. Certification & Accred. Professional
• SANS GSLC GIAC Sec. Leadership Course
• SANS 440 Top 20 Security Controls
• SANS GCIH GIAC Cert Incident Handler

Other New Courses!!
• ITIL Foundations v.3 & v.4
• CompTIA Security+, Network+
• ISC2 CISSP & CAP

Available Training Formats
1. F2F Classroom Based Training
2. CBT Self Paced CBT
3. LOT Live Online Training
4. KIT Study Kits & Exams
5. LHE Live Hacking Labs (War-Room)

Worldwide Locations

INFORMATION ASSURANCE SERVICES
We practice what we teach.....
Other Mile2 services available Globally:
1. Penetration Testing
2. Vulnerability Assessments
3. Forensics Analysis & Expert Witnesses
4. PCI Compliance
5. Disaster Recovery & Business Continuity

1-800-81-MILE2 / +1-813-920-6799
11928 Sheldon Rd, Tampa, FL 33626

(ISC)² & CISSP are service marks of the IISSCC, Inc. Security+ is a trademark of CompTIA. ITIL is a trademark of OGC. GSLC & GCIH are trademarks of GIAC.
secureninja.com
Forging IT Security Experts
Expert IT Security Training & Services

• Security+ • CISSP® • CEH (Professional Hacking) v7.1 • CAP (Certified Authorization Professional) • CISA • CISM • CCNA Security • CWNA • CWSP • DIACAP • ECSA / LPT Dual Certification • ECSP (Certified Secure Programmer) • EDRP (Disaster Recovery Professional) • CCE (Computer Forensics) • CHFI • ISSEP • Cloud Security • Digital Mobile Forensics • SSCP • Security Awareness Training … And more

Free Hotel Offer on Select Boot Camps. Offer ends on Jan 31, 2012. Call 703-535-8600 and mention code: PentestNinja to secure your special rate.
Welcome Military: Veterans Benefits & GI Bill Post 9/11 Approved. WIA (Workforce Investment Act) Approved.
www.secureninja.com
703 535 8600
Sign Up & Get Free Quiz Engine From cccure.org