Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
SCHOOL OF ENGINEERING NAMES: NELSON J. CHIRWA COURSE: COMPUTER HACKING FORENSICS INVESTIGATION STUDENT NUMBER: 1412398872 BACHELOR OF SCIENCE IN INFORMATION SECURITY AND COMPUTER FORENSICS ASSIGNMENT NUMBER: 1 – 10 LECTURER: MR INNOCENT NSUNGA 1. Investigating Web Attacks It is often the case that web applications face suspicious activities due to various reasons, such as a kid scanning a website using an automated vulnerability scanner or a person trying to fuzz a parameter for SQL Injection, etc. In many such cases, logs on the webserver have to be analyzed to figure out what is going on. If it is a serious case, it may require a forensic investigation. Apart from this, there are other scenarios as well. For an administrator, it is really important to understand how to analyze the logs from a security standpoint. People who are just beginning with hacking/penetration testing must understand why they should not test/scan websites without prior permissions. This article covers the basic concepts of log analysis to provide solutions to the above mentioned scenarios. Setup For demo purposes, I have the following setup. Apache server – Pre installed in Kali Linux This can be started using the following command: service apache2 start MySQL – Pre installed in Kali Linux This can be started using the following command: service mysql start A vulnerable web application built using PHP-MySQL I have developed a vulnerable web application using PHP and hosted it in the above mentioned Apache-MySQL. With the above setup, I have scanned the URL of this vulnerable application using few automated tools (ZAP, w3af) available in Kali Linux. Now let us see various cases in analyzing the logs. Logging in the Apache server It is always recommended to maintain logs on a webserver for various obvious reasons. The default location of Apache server logs on Debian systems is /var/log/apache2/access.log Logging is just a process of storing the logs in the server. We also need to analyze the logs for proper results. In the next section, we will see how we can analyze the Apache server’s access logs to figure out if there are any attacks being attempted on the website. Analyzing the logs Manual inspection In cases of logs with a smaller size, or if we are looking for a specific keyword, then we can spend some time observing the logs manually using things like grep expressions. In the following figure, we are trying to search for all the requests that have the keyword “union” in the URL. From the figure above, we can see the query “union select 1,2,3,4,5” in the URL. It is obvious that someone with the IP address 192.168.56.105 has attempted SQL Injection. Similarly, we can search for specific requests when we have the keywords with us. In the following figure, we are searching for requests that try to read “/etc/passwd”, which is obviously a Local File Inclusion attempt. As shown in the above screenshot, we have many requests trying for LFI, and these are sent from the IP address 127.0.0.1. These requests are generated from an automated tool. In many cases, it is easy to recognize if the logs are sent from an automated scanner. Automated scanners are noisy and they use vendor-specific payloads when testing an application. For example, IBM appscan uses the word “appscan” in many payloads. So, looking at such requests in the logs, we can determine what’s going on. Microsoft Excel is also a great tool to open the log file and analyze the logs. We can open the log file using Excel by specifying “space” as a delimiter. This comes handy when we don’t have a log-parsing tool. Aside from these keywords, it is highly important to have basic knowledge of HTTP status codes during an analysis. Below is the table that shows high-level information about HTTP status codes. Information Successful Redirection Client Error Server Error Web shells Web shells are another problem for websites/servers. Web shells give complete control of the server. In some instances, we can gain access to all the other sites hosted on the same server using web shells. The following screenshot shows the same access.log file opened in Microsoft Excel. I have applied a filter on the column that is specifying the file being accessed by the client. If we clearly observe, there is a file named “b374k.php” being accessed. “b374k” is a popular web shell and hence this file is purely suspicious. Looking at the response code “200”, this line is an indicator that someone has uploaded a web shell and is accessing it from the web server. It doesn’t always need to be the scenario that the web shell being uploaded is given its original name when uploading it onto the server. In many cases, attackers rename them to avoid suspicion. This is where we have to act smart and see if the files being accessed are regular files or if they are looking unusual. We can go further ahead and also see file types and the time stamps if anything looks suspicious. One single quote for the win It is a known fact that SQL Injection is one of the most common vulnerabilities in web applications. Most of the people who get started with web application security start their learning with SQL Injection. Identifying a traditional SQL Injection is as easy as appending a single quote to the URL parameter and breaking the query. Anything that we pass can be logged in the server, and it is possible to trace back. The following screenshot shows the access log entry where a single quote is passed to check for SQL Injection in the parameter “user”.%27 is URL encoded form of a Single Quote. For administration purposes, we can also perform query monitoring to see which queries are executed on the database. If we observe the above figure, it shows the query being executed from the request made in the previous figure, where we are passing a single quote through the parameter “user”. We will discuss more about logging in databases later in this article. Analysis with automated tools When there are huge amount of logs, it is difficult to perform manual inspection. In such scenarios we can go for automated tools along with some manual inspection. Though there are many effective commercial tools, I am introducing a free tool known as Scalp. According to their official link, “Scalp is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET.” It is a Python script, so it requires Python to be installed on our machine. The following figure shows help for the usage of this tool. As we can see in the figure, we need to feed the log file to be analyzed using the flag “–l”.Along with that, we need to provide a filter file using the flag “-f” with which Scalp identifies the possible attacks in the access.log file. We can use a filter from the PHPIDS project to detect any malicious attempts. This file is named as default_filter.xml. 1 <filter> 2 <id>12</id> 3 <rule><![CDATA[(?:etc\/\W*passwd)]]></rule> 4 <description>Detects etc/passwd inclusion attempts</description> 5 <tags> 6 <tag>dt</tag> 7 <tag>id</tag> 8 <tag>lfi</tag> 9 10 11 </tags> <impact>5</impact> </filter> It is using rule sets defined in XML tags to detect various attacks being attempted. The above code snippet is an example to detect a File Inclusion attempt. Similarly, it detects other types of attacks. After downloading this file, place it in the same folder where Scalp is placed. Run the following command to analyze the logs with Scalp. python scalp-0.4.py –l /var/log/apache2/access.log –f filter.xml –o output –html ‘output’ is the directory where the report will be saved. It will automatically be created by Scalp if it doesn’t exist. –html is used to generate a report in HTML format. As we can see in the above figure, Scalp results show that it has analyzed 4001 lines over 4024 and found 296 attack patterns. We can even save the lines that are not analyzed for some reason using the “–except” flag. A report is generated in the output directory after running the above command. We can open it in a browser and look at the results. The following screenshot shows a small part of the output that shows directory traversal attack attempts. Logging in MySQL This section deals with analysis of attacks on databases and possible ways to monitor them. The first step is to see what are the set variables. We can do it using “show variables;” as shown below. The following figure shows the output for the above command. As we can see in the above figure, logging is turned on. By default, this value is OFF. Another important entry here is “log output”, which is saying that we are writing them to a “FILE”. Alternatively, we can use a table also. We can even see “log_slow_queries” is ON. Again, the default value is “OFF”. Query monitoring in MySQL The general query log logs established client connections and statements received from clients. As mentioned earlier, by default these are not enabled since they reduce performance. We can enable them right from the MySQL terminal or we can edit the MySQL configuration file as shown below. I am using VIM editor to open “my.cnf” file which is located under the “/etc/mysql/” directory. If we scroll down, we can see a Logging and Replication section where we can enable logging. These logs are being written to a file called mysql.log file. We can also see the warning that this log type is a performance killer. Usually administrators use this feature for troubleshooting purposes. We can also see the entry “log slow queries” to log queries that take a long duration. Now everything is set. If someone hits the database with a malicious query, we can observe that in these logs as shown below. The above figure shows a query hitting the database named “web service” and trying for authentication bypass using SQL Injection. More logging By default, Apache logs only GET requests. To log POST data, we can use an Apache module called “mod_dumpio”. Alternatively, we can use ‘mod security’ to achieve the same result. 2. INVESTIGATING DOS ATTACKS TYPES OF DOS ATTACKS Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed. Many attacks involve forging of IP sender addresses (IP address spoofing) so that the location of the attacking machines cannot easily be identified and so that the attack cannot be easily defeated using ingress filtering. Distributed DoS A distributed denial-of-service (DDoS) is a cyber-attack where the perpetrator uses more than one, often thousands of, unique IP addresses. The scale of DDoS attacks has continued to rise over recent years, even reaching over 1Tbit/s. Advanced persistent DoS An advanced persistent DoS (APDoS) is more likely to be perpetrated by an advanced persistent threat (APT): actors who are well resourced, exceptionally skilled and have access to substantial commercial grade computer resources and capacity. APDoS attacks represent a clear and emerging threat needing specialised monitoring and incident response services and the defensive capabilities of specialised DDoS mitigation service providers. This type of attack involves massive network layer DDoS attacks through to focused application layer (HTTP) floods, followed by repeated (at varying intervals) SQLI and XSS attacks. Typically, the perpetrators can simultaneously use from 2 to 5 attack vectors involving up to several tens of millions of requests per second, often accompanied by large SYN floods that can not only attack the victim but also any service provider implementing any sort of managed DDoS mitigation capability. These attacks can persist for several weeks- the longest continuous period noted so far lasted 38 days. This APDoS attack involved approximately 50+ petabits (100,000+ terabits) of malicious traffic. Attackers in this scenario may (or often will) tactically switch between several targets to create a diversion to evade defensive DDoS countermeasures but all the while eventually concentrating the main thrust of the attack onto a single victim. In this scenario, threat actors with continuous access to several very powerful network resources are capable of sustaining a prolonged campaign generating enormous levels of un-amplified DDoS traffic. APDoS attacks are characterised by: advanced reconnaissance (pre-attack OSINT and extensive decoyed scanning crafted to evade detection over long periods) tactical execution (attack with a primary and secondary victim but focus is on primary) explicit motivation (a calculated end game/goal target) large computing capacity (access to substantial computer power and network bandwidth resources) simultaneous multi-threaded OSI layer attacks (sophisticated tools operating at layers 3 through 7) persistence over extended periods (utilising all the above into a concerted, well managed attack across a range of targets). Denial-of-service as a service Some vendors provide so-called "booter" or "stresser" services, which have simple web-based front ends, and accept payment over the web. Marketed and promoted as stress-testing tools, they can be used to perform unauthorized denial-of-service attacks, and allow technically unsophisticated attackers access to sophisticated attack tools without the need for the attacker to understand their use. Symptoms The United States Computer Emergency Readiness Team (US-CERT) has identified symptoms of a denial-of-service attack to include: unusually slow network performance (opening files or accessing web sites) unavailability of a particular web site inability to access any web site dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb). Additional symptoms may include: disconnection of a wireless or wired internet connection long-term denial of access to the web or any internet services. If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network infrastructure equipment. Attack techniques A wide array of programs are used to launch DoS-attacks. Attack tools In cases such as MyDoom the tools are embedded in malware, and launch their attacks without the knowledge of the system owner. Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. In other cases a machine may become part of a DDoS attack with the owner's consent, for example, in Operation Payback, organized by the group Anonymous. The LOIC has typically been used in this way. Along with HOIC a wide variety of DDoS tools are available today, including paid and free versions, with different features available. There is an underground market for these in hacker related forums and IRC channels. UK's GCHQ has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER. Application-layer floods Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time. Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidthsaturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via distributed denial-of-service, employing a botnet. Another target of DDoS attacks may be to produce added costs for the application operator, when the latter uses resources based on Cloud Computing. In this case normally application used resources are tied to a needed Quality of Service level (e.g. responses should be less than 200 ms) and this rule is usually linked to automated software (e.g. Amazon CloudWatch to raise more virtual resources from the provider in order to meet the defined QoS levels for the increased requests. The main incentive behind such attacks may be to drive the application owner to raise the elasticity levels in order to handle the increased application traffic, in order to cause financial losses or force them to become less competitive. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs. A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets. A LAND attack is of this type. An attacker with shell-level access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb. A kind of applicationlevel DoS attack is XDoS (or XML DoS) which can be controlled by modern web application firewalls(WAFs). Degradation-of-service attacks "Pulsing" zombies are compromised computers that are directed to launch intermittent and shortlived floodings of victim websites with the intent of merely slowing it rather than crashing it. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie invasions and can disrupt and hamper connection to websites for prolonged periods of time, potentially causing more disruption than concentrated floods. Exposure of degradation-of-service attacks is complicated further by the matter of discerning whether the server is really being attacked or under normal traffic loads. Denial-of-service Level II The goal of DoS L2 (possibly DDoS) attack is to cause a launching of a defense mechanism which blocks the network segment from which the attack originated. In case of distributed attack or IP header modification (that depends on the kind of security behavior) it will fully block the attacked network from the Internet, but without system crash. Distributed DoS attack A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owners' knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-ofservice attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This, after all, will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack. A system may also be compromised with a trojan, allowing the attacker to download a zombie agent, or the trojan may contain one. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web. Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. In some cases a machine may become part of a DDoS attack with the owner's consent, for example, in Operation Payback, organized by the group Anonymous. These attacks can use different types of internet packets such as: TCP, UDP, ICMP etc. These collections of systems compromisers are known as botnets / rootservers. DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification like smurf attacks and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes. Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well-known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion – even against their business rivals. Simple attacks such as SYN floods may appear with a wide range of source IP addresses, giving the appearance of a well distributed DoS. These flood attacks do not require completion of the TCP three way handshake and attempt to exhaust the destination SYN queue or the server bandwidth. Because the source IP addresses can be trivially spoofed, an attack could come from a limited set of sources, or may even originate from a single host. Stack enhancements such as syn cookiesmay be effective mitigation against SYN queue flooding, however complete bandwidth exhaustion may require involvement. If an attacker mounts an attack from a single host it would be classified as a DoS attack. In fact, any attack against availability would be classed as a denial-of-service attack. On the other hand, if an attacker uses many systems to simultaneously launch attacks against a remote host, this would be classified as a DDoS attack. It has been reported that there are new attacks from internet of things which have been involved in denial of service attacks. In one noted attack that was made peaked at around 20,000 requests per second which came from around 900 CCTV cameras. UK's GCHQ has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER. DDoS extortion In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions. Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin. Security experts recommend targeted websites to not pay the ransom. The attackers tend to get into an extended extortion scheme once they recognize that the target is ready to pay. HTTP POST DoS attack First discovered in 2009, the HTTP POST attack sends a complete, legitimate HTTP POST header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/110 seconds). Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, which can take a very long time. The attacker establishes hundreds or even thousands of such connections, until all resources for incoming connections on the server (the victim) are used up, hence making any further (including legitimate) connections impossible until all data has been sent. It is notable that unlike many other (D) DoS attacks, which try to subdue the server by overloading its network or CPU, a HTTP POST attack targets the logical resources of the victim, which means the victim would still have enough network bandwidth and processing power to operate. Further combined with the fact that Apache will, by default, accept requests up to 2GB in size, this attack can be particularly powerful. HTTP POST attacks are difficult to differentiate from legitimate connections, and are therefore able to bypass some protection systems. OWASP, an open source web application security project, has released a testing tool to test the security of servers against this type of attacks. Internet Control Message Protocol (ICMP) flood A smurf attack relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The attacker will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from Unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target, also the -l (size) flag does not allow sent packet size greater than 65500 in Windows). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim. Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system. The Black Nurse attack is an example of an attack taking advantage of the required Destination Port Unreachable ICMP packets. Nuke A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop. A specific example of a nuke attack that gained some prominence is the Win Nuke, which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display a Blue Screen of Death (BSOD). Peer-to-peer attacks Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. With peer-topeer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. Permanent denial-of-service attacks Permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced. The PDoS is a pure hardware targeted attack which can be much faster and requires fewer resources than using a botnet or a root/vserver in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacking communities. PhlashDance is a tool created by Rich Smith (an employee of Hewlett-Packard's Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London. Reflected / spoofed attack A distributed denial-of-service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. (This reflected attack form is sometimes called a "DRDOS") ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack. Amplification Amplification attacks are used to magnify the bandwidth that is sent to a victim. This is typically done through publicly accessible DNS servers that are used to cause congestion on the target system using DNS response traffic. Many services can be exploited to act as reflectors, some harder to block than others. US-CERT have observed that different services implies in different amplification factors, as you can see below: UDP-based Amplification Attacks Protocol Bandwidth Amplification Factor NTP 556.9 CharGen 358.8 DNS up to 179 QOTD 140.3 Quake Network Protocol 63.9 BitTorrent 4.0 - 54.3 SSDP 30.8 Kad 16.3 SNMPv2 6.3 Steam Protocol 5.5 NetBIOS 3.8 DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier. The process typically involves an attacker sending a DNS name look up request to a public DNS server, spoofing the source IP address of the targeted victim. The attacker tries to request as much zone information as possible, thus amplifying the DNS record response that is sent to the targeted victim. Since the size of the request is significantly smaller than the response, the attacker is easily able to increase the amount of traffic directed at the target. [38][39] SNMP and NTP can also be exploited as reflector in an amplification attack. An example of an amplified DDoS attack through NTP is through a command called monlist, which sends the details of the last 600 people who have requested the time from that computer back to the requester. A small request to this time server can be sent using a spoofed source IP address of some victim, which results in 556.9 times the amount of data that was requested back to the victim. This becomes amplified when using botnets that all send requests with the same spoofed IP source, which will send a massive amount of data back to the victim. It is very difficult to defend against these types of attacks because the response data is coming from legitimate servers. These attack requests are also sent through UDP, which does not require a connection to the server. This means that the source IP is not verified when a request is received by the server. In order to bring awareness of these vulnerabilities, campaigns have been started that are dedicated to finding amplification vectors which has led to people fixing their resolvers or having the resolvers shut down completely. R-U-Dead-Yet? (RUDY) RUDY attack targets web applications by starvation of available sessions on the web server. Much like Slowloris, RUDY keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value. Slow Read attack Slow Read attack sends legitimate application layer requests but reads responses very slowly, thus trying to exhaust the server's connection pool. Slow reading is achieved by advertising a very small number for the TCP Receive Window size and at the same time by emptying clients' TCP receive buffer slowly. That naturally ensures a very low data flow rate. Sophisticated low-bandwidth Distributed Denial-of-Service Attack A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases their effectiveness by aiming at a weak point in the victim's system design, i.e., the attacker sends traffic consisting of complicated requests to the system. Essentially, a sophisticated DDoS attack is lower in cost due to its use of less traffic, is smaller in size making it more difficult to identify, and it has the ability to hurt systems which are protected by flow control mechanisms. (S)SYN flood A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets are handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends. Teardrop attacks A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack. (Although in September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", this targeted SMB2which is a higher layer than the TCP packets that teardrop used). One of the fields in an IP header is the “fragment offset” field, indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet. If the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets - resulting in a denial-of-service condition. Telephony denial-of-service (TDoS) Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated while permitting call origins to be misrepresented through caller ID spoofing. According to the US Federal Bureau of Investigation, telephony denial-of-service (TDoS) has appeared as part of various fraudulent schemes: A scammer contacts the victim's banker or broker, impersonating the victim to request a funds transfer. The banker's attempt to contact the victim for verification of the transfer fails as the victim's telephone lines are being flooded with thousands of bogus calls, rendering the victim unreachable. A scammer contacts consumers with a bogus claim to collect an outstanding payday loan for thousands of dollars. When the consumer objects, the scammer retaliates by flooding the victim's employer with thousands of automated calls. In some cases, displayed caller ID is spoofed to impersonate police or law enforcement agencies. A scammer contacts consumers with a bogus debt collection demand and threatens to send police; when the victim balks, the scammer floods local police numbers with calls on which caller ID is spoofed to display the victims number. Police soon arrive at the victim's residence attempting to find the origin of the calls. Telephony denial-of-service can exist even without Internet telephony. In the 2002 New Hampshire Senate election phone jamming scandal, telemarketers were used to flood political opponents with spurious calls to jam phone banks on election day. Widespread publication of a number can also flood it with enough calls to render it unusable, as happened with multiple +1area code-867-5309 subscribers inundated by hundreds of misdialed calls daily in response to the song 867-5309/Jenny. TDoS differs from other telephone harassment (such as prank calls and obscene phone calls) by the number of calls originated; by occupying lines continuously with repeated automated calls, the victim is prevented from making or receiving both routine and emergency telephone calls. Related exploits include SMS flooding attacks and black fax or fax loop transmission. Defense techniques Defensive responses to denial-of-service attacks typically involve the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate. A list of prevention and response tools is provided below: Application front end hardware Application front-end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Application level Key Completion Indicators In order to meet the case of application level DDoS attacks against cloud-based applications, approaches may be based on an application layer analysis, to indicate whether an incoming traffic bulk is legitimate or not and thus enable the triggering of elasticity decisions without the economical implications of a DDoS attack. These approaches mainly rely on an identified path of value inside the application and monitor the macroscopic progress of the requests in this path, towards the final generation of profit, through markers denoted as Key Completion Indicators Blackholing and sinkholing With blackhole routing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP. A DNS sinkhole routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for most severe attacks. IPS based prevention Intrusion prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC based IPS may detect and block denial-of-service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic. DDS based defense More focused on the problem than IPS, a DoS defense system (DDS) can block connectionbased DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as teardrop and ping of death) and rate-based attacks (such as ICMP floods and SYN floods). Firewalls In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic. Additionally, firewalls may be too deep in the network hierarchy, with routers being adversely affected before the traffic gets to the firewall. Routers Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has optional features that can reduce the impact of flooding. Switches Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate DoS attacks through automatic rate filtering and WAN Link failover and balancing. These schemes will work as long as the DoS attacks can be prevented by using them. For example, SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering can work as long as set rate-thresholds have been set correctly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism. Upstream filtering All traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels, digital cross connects, or even direct circuits, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the "cleaning center" or "scrubbing center". Examples of providers of this service: CloudFlare Level 3 Communications Radware Arbor Networks AT&T F5 Networks Incapsula Neustar Inc Akamai Technologies Tata Communications Verisign Verizon Unintentional denial-of-service An Unintentional denial-of-service can occur when a system ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users – potentially hundreds of thousands of people – click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. A VIPDoS is the same, but specifically when the link was posted by a celebrity. When Michael Jackson died in 2009, websites such as Google and Twitter slowed down or even crashed. Many sites' servers thought the requests were from a virus or spyware trying to cause a denial-of-service attack, warning users that their queries looked like "automated requests from a computer virus or spyware application". News sites and link sites – sites whose primary function is to provide links to interesting content elsewhere on the Internet – are most likely to cause this phenomenon. The canonical example is the Slashdot effect when receiving traffic from Slashdot. It is also known as "the Reddit hug of death" and "the Digg effect". Routers have also been known to create unintentional DoS attacks, as both DLink and Netgear routers have overloaded NTP servers by flooding NTP servers without respecting the restrictions of client types or geographical limitations. Similar unintentional denials-of-service can also occur via other media, e.g. when a URL is mentioned on television. If a server is being indexed by Google or another search engine during peak periods of activity, or does not have a lot of available bandwidth while being indexed, it can also experience the effects of a DoS attack. Legal action has been taken in at least one such case. In 2006, Universal Tube & Rollform Equipment Corporation sued YouTube: massive numbers of would-be youtube.com users accidentally typed the tube company's URL, utube.com. As a result, the tube company ended up having to spend large amounts of money on upgrading their bandwidth.[71] The company appears to have taken advantage of the situation, with utube.com now containing ads for advertisement revenue. In March 2014, after Malaysia Airlines Flight 370 went missing, DigitalGlobe launched a crowdsourcing service on which users could help search for the missing jet in satellite images. The response overwhelmed the company's servers. An unintentional denial-of-service may also result from a prescheduled event created by the website itself, as was the case of the Census in Australia in 2016. This could be caused when a server provides some service at a specific time. This might be a university website setting the grades to be available where it will result in many more login requests at that time than any other. Side effects of attacks Backscatter In computer network security, backscatter is a side-effect of a spoofed denial-of-service attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter. If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks. The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims. Legality Many jurisdictions have laws under which denial-of-service attacks are illegal. In the US, denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act with penalties that include years of imprisonment. The Computer Crime and Intellectual Property Section of the US Department of Justice handles cases of (D)DoS. In European countries, committing criminal denial-of-service attacks may, as a minimum, lead to arrest. The United Kingdom is unusual in that it specifically outlawed denial-ofservice attacks and set a maximum penalty of 10 years in prison with the Police and Justice Act 2006, which amended Section 3 of the Computer Misuse Act 1990. On January 7, 2013, Anonymous posted a petition on the whitehouse.gov site asking that DDoS be recognized as a legal form of protest similar to the Occupy protests, the claim being that the similarity in purpose of both are same. 3 INVESTIGATING INTERNET CRIMES Tracing IP addresses Internet Protocol (IP) addresses provide the basis for online communication, allowing devices to interface and communicate with one another as they are connected to the Internet. As was noted in Chapter 3, IP addresses provide investigators a trail to discover and follow, which hopefully leads to the person(s) responsible for some online malfeasance. In Chapter 5 and 6, we discussed different tools that investigators can use to examine various parts of the Internet, including identifying the owners of domains and IP addresses. In this chapter, we are going to discuss tracing an IP address and the investigative advantages of this process. We have covered the tools to help us trace IP addresses in previous chapters, but here we want to walk through the process of identifying the IP to trace and who is behind that address. Online tools for tracing an IP address Tracing IP addresses and domains is a fundamental skill for any Internet investigator. There are many resources available on the Internet to assist in this process. Of primary importance are the entities responsible for the addressing system, namely, the Internet Assigned Number Authority (IANA) and its subordinate bodies the Regional Internet Registries (RIR). In addition to IANA and RIR, there are a multitude of other independent online resources that can assist the investigator in conducting basic IP identification. E-Zine Dedicated CISO job still open to debate E-Zine Insider Edition: Improved threat detection and incident response E-Handbook How to build an incident response toolkit for enterprise security IANA and RIR Starting at the top is IANA. According to their website they are ". . .responsible for the global coordination of the DNS Root, IP addressing and other Internet protocol resources." What this means to the investigator is that they manage and assign the top level domains, that is, .com, org, mil, edu. (see Table 3.6 for additional examples) and coordinate the IP addresses and their allocation to the RIR. IANA established the RIR to allocate IP address in geographical regions. The RIR system evolved over time, eventually dividing the world into the following five regions: 1. African Network Information Centre (AfriNIC) for Africa, http://www.afrinic.net/ 2. American Registry for Internet Numbers (ARIN) for the United States, Canada, several parts of the Caribbean region, and Antarctica, https://www.arin.net/ 3. Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries, http://www.apnic.net/ 4. Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region, http://www.lacnic.net/en/web/lacnic/inicio 5. Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Europe, Russia, http://http://www.ripe.net/ Each site has a search "Who is" function that allows the investigator to identify IP registration information. IANA and the RIR are the official registrars and owners of the domain records and IP addresses. An investigator wishing to verify the owner of an IP can use the RIR to locate the records. Internet commercial and freeware tools There are also many Internet sites to look up IP and Domain registrations. Some provide the basic registration information and other sites combine additional tools that enable the investigator to identify an IP's physical location. DNS Stuff (http://www.dnsstuff.com/tools/tools): This website has been around for a number of years. It offers both free and pay options for assisting in IP addresses identification and other online information. Network-Tools.com (http://network-tools.com): Another website with a simple user interface to assist in IP tracing. CentralOps.net (http://centralops.net/co/): This is another website that assists with your IP tracing. One of its features, Domain Dossier, does multiple lookups on an IP address or domain. In some circumstances, the investigator may look up a domain or and IP address with these commercial tools and find the address concealed by the commercial registrar. In these cases, the investigator may need to go to the commercial registrar's site and use the Who is search located there to determine the domain registration records. Each of the mentioned websites presents the domain registration information in a slightly different manner and may have additional tools useful to the investigator. Experience with each will provide the investigator with a better understanding of each site's features. Geolocation of an IP address Geolocation in general refers to the identification of the real geographical area of an electronic device, such as a cell phone, IP addresses, WiFi, and MAC addresses. Now that being said that does not mean an IP address can be traced directly to a house. Geolocation particularly for IP addresses is not an exact science. Unlike cell phones that can be traced via their GPS coordinates or cell tower triangulation, IP addresses use a common database of address locations maintained by different companies. One of the most commonly used databases is maintained by Maxmind, Inc. which can be found at www.maxmind.com. Maxmind provides a free service to geolocate an IP address to a state or city. Purchasing their services can give the Internet investigator access to a more precise location, up to and including physical addresses. There are other online services that provide geolocation identification of IP addresses such as IP2Location.com. Some investigative tools, such as Vere Software's WebCase, include access to the Maxmind database as a feature of its domain lookup. On Maxmind's website you can use their demo function to identify an IP addresses location. An example of a Maxmind search for the geolocation of IP address 97.74.74.204 is shown in Figure 8.1. Along with identifying the geolocation of the address as Scottsdale, Arizona, website provides the latitude and longitude based on this location and the Internet Service Provider (ISP) hosting the IP address, in this case GoDaddy.com LLC. . Tracking Emails and Investigating Email Crimes 4 Tracing Email and News Postings Before heading down the messaging path and looking for tracks in the sand, let's quickly discuss how these messaging services operate. News groups and email are cousins. Descending from original siblings on pre-Internet Unix systems, they have continued to evolve in parallel, with much sharing of genetic material. Both services have the following attributes: Simple Internet application protocols that use text commands Store-and-forward architecture allowing messages to be shuttled through a series of intermediate systems Message body composed entirely of printable characters (7-bit, not 8-bit) Human-readable message headers indicating the path between sender and receiver You'll need the assistance of systems administrators, perhaps on every system the message transited, and they won't be able to help you unless they have logging information on their messaging hosts. If the originator wants to cover his or her tracks, determining the real sender of either bogus news postings or suspicious email can be challenging. News is probably a bit easier, but email is more common today, so let's start with it. Tracking Email An email program such as Outlook, Notes, or Eudora is considered a client application, which means that it is network-enabled software that is intended to interact with a server. In the case of email, it is normal to interact with two different servers: one for outgoing and one for incoming mail. When you want to read email, your client connects to a mail server using one of three different protocols: Post Office Protocol (POP, not to be confused with Point of Presence) Internet Mail Access Protocol (IMAP) Microsoft's Mail API (MAPI) For the purposes of investigation, the protocol used to gather incoming email from a server is of minimal interest. The most important thing to understand about these different protocols is that their use affects where mail messages are stored (as depicted in Table 2-1). All incoming mail is initially stored on a mail server, sorted by that mail server into individual mailboxes for access by the addressee. POP users have the choice of either downloading a copy of their mail from their server, or downloading it and subsequently allowing it to be automatically deleted. Email that has been read or stored for future use is stored on the computer that is running the email client. IMAP and MAPI users have the option of leaving all their mail on their mail server. There are two major advantages to leaving email stored on the server. First, all of the stored email for an entire organization can be easily backed up from a central location. Second, it provides users the flexibility of accessing their mailboxes from multiple client machines: office, home, through the Web, and so forth. The implications of this to the investigator is that POP mail users always use their local machine for their email archives: copies of outgoing mail, mail stored in folders for future reference, deleted mail that hasn't been purged, all are stored on the individual's workstation. Organizations that provide IMAP or MAPI service, or a proprietary service like Lotus Notes, probably store email on the server, although individual users may or may not have the option of storing their email locally. Table 2-1 Internet Email Protocols Post Office Protocol Relevance to Investigation POP Must access workstation in Service Incoming message store order to trace mail. only Storage of all Open: MAPI messages (optional) Copies of both incoming and outgoing messages may Proprietary: Microsoft MAPI be stored on server or workstation (and Post Office Protocol Relevance to Investigation Service Lotus Web-based: server/workstation backup Notes tapes). http Incoming and outgoing messages are stored on send and receive server, possibly with optional manual download to workstation. Facilitates identity spoofing. Outgoing email uses a completely different protocol called Simple Mail Transfer Protocol (SMTP). Unlike the protocols used to retrieve mail from a post office, SMTP doesn't require any authentication—it is much like tossing a message into a mail slot at the post office. Servers that accept mail and relay it to other mail servers are sometimes called mail transfer agents (MTAs), and they also use SMTP. Your ISP will give you the name of the mail server that you should use for outgoing mail, often something along the lines of smtp.bobsisp.com. The SMTP server that the ISP uses relays messages to their destinations. Either the destination server recognizes a message as being addressed to one of its local users, and places it into the appropriate mailbox for that user, or based on a set of rules, it relays the message on further. SMTP is a very simple protocol. Like many Internet protocols, such as HTTP, it consists of a few simple text-based commands or keywords. One of the first tricks an Internet hacker learns is how to manually send an email message by telneting to port 25, the SMTP port. Not only is it a fun trick to become a human email forwarder, but it also enables you to put any information you want into the headers of the email message you are sending—including fake origination and return addresses. Actually, you needn't do this manually if you want to fake email. When you configure your personal email client, you tell it what return address to put on your outgoing mail. You can always change that configuration, but if you want to send only a single message coming from [email protected], it is much easier to use one of several GUI-based hacker tools that enable you to quickly send a message with your choice of return addresses. SMTP mail has no strong authentication and without using PGP or S/MIME (Secure Multipurpose Internet Mail Extensions) to add a digital signature, the level of trust associated with a mail message is pretty low. The following steps (our input is in boldface) show how incredibly easy it is to fake the return address in an Inter-net mail message: [root@njektd /root]# telnet localhost 25 Trying 127.0.0.1... Connected to njektd.com. Escape character is '^]'. 220 njektd.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 5 Dec 2000 17:37:02 – 0500 helo 250 OK mail from: [email protected] 250 [email protected] Sender ok rcpt to: [email protected] 250 [email protected] Recipient ok data 354 Haha-this is a spoofed mail message! . 250 RAA25927 Message accepted for delivery quit 221 njektd.com closing connection Connection closed by foreign host. The results of this spoofed mail message are shown in Figure 2-4. The test.com domain is just one we made up for demonstration purposes, but the email client reports whatever information it was provided. Figure 2-4 Reading the spoofed mail message As we'll discuss later in this chapter, some identification information is associated with the mail header that is a bit harder to spoof. As recorded in the following mail header, we were indeed logged in as 208.164.95.173: Received: from dhcp-95–173.ins.com ([208.164.95.173]) by dtctxexchims01.ins.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YM4CM2VP; Sun, 10 Dec 2000 08:46:30 -0600 From: [email protected] Date: Sun, 10 Dec 2000 09:46:46 -0500 (EST) Message-Id: [email protected] When relaying a message from another relay host, current versions of SMTP also keep track of the IP address of the system connecting to them, and they add that IP address to the header of the message. If you want to show that a mail message originated from a specific computer, the best way to do so is to investigate the entire path that appears in the extended header information. Although SMTP servers won't perform any authentication when receiving mail from the client, most Internet mail servers are configured to accept mail for relay only when that mail originates from a specific range of IP addresses. If an ISP does not place any limits on which systems can connect to the ISP's mail server, allowing it to be used as a free relay station, it won't take spammers long to find it. To reduce the amount of spam mail that originates with their mail servers, most ISPs allow relay connections only from IP addresses within the range that they assign to their own subscribers. Authentication based just on IP address is very weak, but for the purposes of preventing unauthorized use of SMTP servers, it is adequate. It should come as no surprise that Web-based email is not only available, but is becoming increasingly popular. The Internet browser is rapidly becoming the universal front end. Web- based email enables users to access all of their email—both incoming and saved messages— through a Web browser. Not only does this free the user from installing and configuring an email client on his or her workstation, but it also means that the user can easily access email from any workstation virtually anywhere in the world. Undoubtedly, many people are accessing free Webbased email from work for their personal use. It also shouldn't come as a surprise that free email services are being used by some people to hide their identities. For the novice computer criminal, these services appear to be an easy way to hide their identity, and by adding at least one more server and involving another service provider, it certainly does complicate the association of a mail account with a specific person. The only way to find out who the ISP thinks is using a specific email address is to obtain a subpoena for the account information. If you are working with law enforcement agencies, they can obtain a subpoena to facilitate their investigation, or you can obtain a subpoena from a lawsuit (for more information, see Chapter 12). Fortunately, some providers of free email service are including the originator's IP address in the header information. Previously, you would have to subpoena the email provider and then the originating ISP to determine the originator. We recommend issuing a subpoena for the email logs from the email provider, but at the same time, you can also subpoena the originating ISP. Reading the Mail Trail When you are investigating a case involving email, you have to decipher email headers. If you have never viewed a header before, it might first appear to be gibberish, but once you get the hang of it and understand how SMTP works, it makes sense. The first annoyance you encounter is that most client email programs hide the header information from the user. Depending on the mail client you're using, you may have to do a little bit of digging to get to the header. In most programs, if you click File|Properties, an option to view the header is displayed. If your particular program provides a different way to access header information, consult the Help menu and documentation or try the company's Web site for instructions. Most users don't want to be bothered with deciphering email headers, which encourages the email software vendors to make access to it as obscure as possible. Let's look at Microsoft Outlook Express. It is a popular email program for many reasons, including the fact that it comes free with Internet Explorer and recent versions of Windows. As shown in Figure 2-5, the header information is available in Outlook Express by clicking on File and then Properties, which displays the dialog box that looks like that shown in Figure 2-6. Figure 2-5 Outlook Express File menu Figure 2-6 Outlook Express Message Properties window Figure 2-7 Viewing the message source in Outlook Express The General Tab for the properties in Outlook Express displays some basics about the message such as the subject of the message, the apparent sender, and the date and time sent and received. Click on the Details tab to display the information like that shown in Figure 2-6. By examining the headers of this message, it is clear that both the from address ([email protected]) and the Reply-To address are fake addresses (another_test@test. org). This is a real message that we sent from the Internet, but before sending the message, we first changed the From address to "HTCIA NE Chapter." The From address is completely arbitrary—it contains whatever the sender configures into their email program. The most important tracks are found at the top of the message. In this case, the first line shows the computer that the message was originally sent from. While the name of the PC, "mypc," can easily be spoofed, the IP address that mypc was assigned when we logged on to the ISP is much more difficult to spoof. While it is not impossible to spoof an IP address, we are not aware of a case in which one has been spoofed to counterfeit email. The practical details involved in spoofing an IP address make it virtually impossible in an email transaction, which involves several round trips between the SMTP server and the connecting system. (Do be aware, though, that the actual sender of the message could have cracked the system from which it was sent, and logged on as somebody else.) In this case, the email was sent from a computer in the same domain, monmouth.com, as the SMTP server that relayed the mail, shell.monmouth.com. Do a whois on the IP address and see if you get something that matches the purported domains of both the originating client and the relay server. Then follow up using the Dig w/AXFR advanced query, as shown in Figure 2-8, using NetscanTools. Figure 2-8 Using NetScanTools to investigate an IP address In contrast to Outlook Express, Microsoft Outlook (included with Microsoft Office) places the full email header information in an obscure position. As shown in Figure 2-9, to view the header information, you click on View and then Options. Clicking on Message Header seems to be a more obvious way to access header information—a mistake that we make all the time—but all that does is hide the To, From, and Subject lines from the message itself. It does not show you the detailed header information that you need to track an intruder. By clicking on Options, you access the Message Options window shown in Figure 2-10. Figure 2-9 Outlook View menu Figure 2-10 Viewing a message header in Microsoft Outlook You've probably already noticed "Joe Anonymous" in the Have replies sent to field. We faked this deliberately to illustrate how you cannot believe everything you read. The only way to extract this information from this window is to select it all (hint: try Control-A), copy it, and then paste it into a text document, which we've done in the following: Received: from hoemlsrv.firewall.lucent.com ([192.11.226.161]) by nj7460exch002h.wins.lucent.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id W4VCF23A; Sat, 20 Nov 1999 21:19:10 –0500 Received: from hoemlsrv.firewall.lucent.com (localhost [127.0.0.1]) by hoemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id VAA06660 for <[email protected]>; Sat, 20 Nov 1999 21:19:10 –0500 (EST) Received: from shell.?nmouth.com (shell.?onmouth.com [205.231.236.9]) by hoemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id VAA06652 for <[email protected]>; Sat, 20 Nov 1999 21:19:09 –0500 (EST) Received: from mypc (bg-tc-ppp961.?onmouth.com [209.191.51.149]) by shell.?onmouth.com (8.9.3/8.9.3) with SMTP id VAA01448 for <[email protected]>; Sat, 20 Nov 1999 21:17:06 –0500 (EST) Message-ID: <001401bf33c6$b7f214e0$9533bfd1@mypc> Reply-To: "Joe Anonymous" <[email protected]> From: "Joe Anonymous" <[email protected]> To: <[email protected]> Subject: test from outlook express Date: Sat, 20 Nov 1999 21:18:35 –0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859–1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3155.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 This header is longer than it was in our first example. This time, the message was relayed through four different servers. Each time an SMTP server accepts a message, it places a new Received header at the top of message before forwarding it on to another server or a user mailbox. In the first message, we intentionally sent the message from our ISP account to our ISP account. The second message originated externally and then was relayed through the Lucent firewall and to the mail server used to host our mailbox. But even with the extra headers, it is still apparent that the original message was received from: "mypc," and our address at the time was:?onmouth.com [209.191.51.149]. The lines in the header tell a story about where the email message has been, when it was there, and when it was delivered to its destination. It may be a contrived story, but it is still a story. Virtually any of the headers with the exception of the topmost one could be bogus—it is up to you to verify each one of them and determine the actual history of the message. The last example that we will look at is from Eudora, another popular email client.7 Eudora hides the header information by default, like the rest of the client programs, but as you can see from the Eudora Lite example in Figure 2-11, the full header is only a mouse-click away. A helpful piece of information is X-Sender, which shows the mail server and the account the message was sent from. One of the quirky characteristics of Eudora is that the icon is labeled "Blah, Blah, Blah." Strange label, but it provides the information we need. When you click on the Blah button, your email message changes from that shown in Figure 2-11 to something that looks like that shown in Figure 2-12. Figure 2-11 Viewing the X-Sender header on Eudora Lite Figure 2-12 Viewing mail headers with Eudora When you are conducting an investigation involving email, even if the computer's name is bogus, you have the IP address that the user was assigned. If you trust the ISP, or the company that the address resolves to, you can ask for their assistance in identifying your suspect. They probably won't disclose the information to you immediately, but by noting that IP address, along with the exact date and time that the message was sent, you can ask the ISP to save the logs until you have a chance to get a court order. As long as the logs are still available, the ISP or other organization should be able to identify the user that was assigned that IP address at the time the message was sent. Look at the two headers the arrows are pointing to in Figure 2-13. Compare the domain name in the Received header, "monmouth.com," to the domain in the From header, "test.org." Because they do not match, we can assume that the user configured his or her email incorrectly or that the user is trying to hide his or her identity. A message can be injected anywhere in the chain of Received headers—you can be sure that only the topmost one is accurate. Do an nslookup against each domain—especially the purportedly original domain—and see if they exist. Do a whois against each of those domains to find out who the administrator is and contact that person. Keep in mind that if the administrator is the originator of a phony or illegal message, he or she probably won't be inclined to cooperate. Figure 2-13 Extended email header with discrepancies in originator fields When you are investigating a case on behalf of a victim, but you can't visit the victim or otherwise obtain the original message on your own, it is possible for the victim to email you a copy of it. You must give the victim very specific instructions on the appropriate way to send the mail to you—especially if the victim usually deletes messages right after receiving them. Ask the victim to send the message as an attachment and not to forward the message. Forwarding replaces the suspect's information with your victim's information. You might want to ask your victim not to delete the original message until he or she hears from you. 5. Cell Phone Forensics Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers. The use of phones in crime was widely recognized for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s and late 1990s. A proliferation of phones (particularly smartphones) and other digital devices on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques. Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts. There is growing need for mobile forensics due to several reasons and some of the prominent reasons are: Use of mobile phones to store and transmit personal and corporate information Use of mobile phones in online transactions Law enforcement, criminals and mobile phone devices Mobile device forensics can be particularly challenging on a number of levels: Evidential and technical challenges exist. for example, cell site analysis following from the use of a mobile phone usage coverage, is not an exact science. Consequently, whilst it is possible to determine roughly the cell site zone from which a call was made or received, it is not yet possible to say with any degree of certainty, that a mobile phone call emanated from a specific location e.g. a residential address. To remain competitive, original equipment manufacturers frequently change mobile phone form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. As a result, forensic examiners must use a different forensic process compared to computer forensics. Storage capacity continues to grow thanks to demand for more powerful "minicomputer" type devices. Not only the types of data but also the way mobile devices are used constantly evolve. Hibernation behavior in which processes are suspended when the device is powered off or idle but at the same time, remaining active. As a result of these challenges, a wide variety of tools exist to extract evidence from mobile devices; no one tool or method can acquire all the evidence from all devices. It is therefore recommended that forensic examiners, especially those wishing to qualify as expert witnesses in court, undergo extensive training in order to understand how each tool and method acquires evidence; how it maintains standards for forensic soundness; and how it meets legal requirements such as the Daubert standard or Frye standard. As a field of study forensic examination of mobile devices dates from the late 1990s and early 2000s. The role of mobile phones in crime had long been recognized by law enforcement. With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing) demand for forensic examination grew. Early efforts to examine mobile devices used similar techniques to the first computer forensics investigations: analyzing phone contents directly via the screen and photographing important content. However, this proved to be a time-consuming process, and as the number of mobile devices began to increase, investigators called for more efficient means of extracting data. Enterprising mobile forensic examiners sometimes used cell phone or PDA synchronization software to "back up" device data to a forensic computer for imaging, or sometimes, simply performed computer forensics on the hard drive of a suspect computer where data had been synchronized. However, this type of software could write to the phone as well as reading it, and could not retrieve deleted data. Some forensic examiners found that they could retrieve even deleted data using "flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's memory for debugging or updating. However, flasher boxes are invasive and can change data; can be complicated to use; and, because they are not developed as forensic tools, perform neither hash verifications nor (in most cases) audit trails. For physical forensic examinations, therefore, better alternatives remained necessary. To meet these demands, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyse it separately. Over time these commercial techniques have developed further and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools. Moreover, commercial tools have even automated much of the extraction process, rendering it possible even for minimally trained first responders—who currently are much more likely to encounter suspects with mobile devices in their possession, compared to computers—to perform basic extractions for triage and data preview purposes. Professional applications Mobile device forensics is best known for its application to law enforcement investigations, but it is also useful for military intelligence, corporate investigations, private investigations, criminal and civil defense, and electronic discovery. Types of evidence As mobile device technology advances, the amount and types of data that can be found on a mobile device is constantly increasing. Evidence that can be potentially recovered from a mobile phone may come from several different sources, including handset memory, SIM card, and attached memory cards such as SD cards. Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include wider varieties of information; from web browsing, Wireless network settings, geolocation information (including geotags contained within image metadata), e-mail and other forms of rich internet media, including important data—such as social networking service posts and contacts—now retained on smartphone 'apps'. Internal memory Nowadays mostly flash memory consisting of NAND or NOR types are used for mobile devices. External memory External memory devices are SIM cards, SD cards (commonly found within GPS devices as well as mobile phones), MMC cards, CF cards, and the Memory Stick. Service provider logs Although not technically part of mobile device forensics, the call detail records (and occasionally, text messages) from wireless carriers often serve as "back up" evidence obtained after the mobile phone has been seized. These are useful when the call history and/or text messages have been deleted from the phone, or when location-based services are not turned on. Call detail records and cell site (tower) dumps can show the phone owner's location, and whether they were stationary or moving (i.e., whether the phone's signal bounced off the same side of a single tower, or different sides of multiple towers along a particular path of travel). Carrier data and device data together can be used to corroborate information from other sources, for instance, video surveillance footage or eyewitness accounts; or to determine the general location where a non-geotagged image or video was taken. The European Union requires its member countries to retain certain telecommunications data for use in investigations. This includes data on calls made and retrieved. The location of a mobile phone can be determined and this geographical data must also be retained. In the United States, however, no such requirement exists, and no standards govern how long carriers should retain data or even what they must retain. For example, text messages may be retained only for a week or two, while call logs may be retained anywhere from a few weeks to several months. To reduce the risk of evidence being lost, law enforcement agents must submit a preservation letter to the carrier, which they then must back up with a search warrant. Forensic process Main article: digital forensic process The forensics process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. Generally, the process can be broken down into three main categories: seizure, acquisition, and examination/analysis. Other aspects of the computer forensic process, such as intake, validation, documentation/reporting, and archiving still apply. Seizure Seizing mobile devices is covered by the same legal considerations as other digital media. Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files. In addition, the investigator or first responder would risk user lock activation. However, leaving the phone on carries another risk: the device can still make a network/cellular connection. This may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage (or bag). Even so, there are two disadvantages to this method. First, it renders the device unusable, as its touch screen or keypad cannot be used. Second, a device's search for a network connection will drain its battery more quickly. While devices and their batteries can often be recharged, again, the investigator risks that the phone's user lock will have activated. Therefore, network isolation is advisable either through placing the device in Airplane Mode, or cloning its SIM card (a technique which can also be useful when the device is missing its SIM card entirely). Acquisition iPhone in an RF shield bag RTL Aceso, a mobile device acquisition unit The second step in the forensic process is acquisition, in this case usually referring to retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics). Due to the proprietary nature of mobiles it is often not possible to acquire data with it powered down; most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting it to a recharger and putting it into a faraday cage may not be good practice. The mobile device would recognize the network disconnection and therefore it would change its status information that can trigger the memory manager to write data. Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated. Examination and analysis As an increasing number of mobile devices use high-level file systems, similar to the file systems of computers, methods and tools can be taken over from hard disk forensics or only need slight changes. The FAT file system is generally used on NAND memory. A difference is the block size used, which is larger than 512 bytes for hard disks and depends on the used memory type, e.g., NOR type 64, 128, 256 and NAND memory 16, 128, 256, or 512 kilobyte. Different software tools can extract the data from the memory image. One could use specialized and automated forensic software products or generic file viewers such as any hex editor to search for characteristics of file headers. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of handwork and file system as well as file header knowledge. In contrast, specialized forensic software simplifies the search and extracts the data but may not find everything. Access Data, Sleuthkit, and En Case, to mention only some, are forensic software products to analyze memory images. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. There is currently (February 2010) no software solution to get all evidences from flash memories. Data acquisition types Mobile device data extraction can be classified according to a continuum, along which methods become more technical and “forensically sound,” tools become more expensive, analysis takes longer, examiners need more training, and some methods can even become more invasive.[15] Manual acquisition The examiner utilizes the user interface to investigate the content of the phone's memory. Therefore, the device is used as normal, with the examiner taking pictures of each screen's contents. This method has an advantage in that the operating system makes it unnecessary to use specialized tools or equipment to transform raw data into human interpretable information. In practice this method is applied to cell phones, PDAs and navigation systems.[16] Disadvantages are that only data visible to the operating system can be recovered; that all data are only available in form of pictures; and the process itself is time-consuming. Logical acquisition Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical storage (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the original equipment manufacturer application programming interface for synchronizing the phone's contents with a personal computer. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction. File system acquisition Logical extraction usually does not produce any deleted information, due to it normally being removed from the phone's file system. However, in some cases—particularly with platforms built on SQLite, such as iOS and Android—the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In such cases, if the device allows file system access through its synchronization interface, it is possible to recover deleted information. File system extraction is useful for understanding the file structure, web browsing history, or app usage, as well as providing the examiner with the ability to perform an analysis with traditional computer forensic tools. Physical acquisition Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash memory); therefore, it is the method most similar to the examination of a personal computer. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device original equipment manufacturer needs to secure against arbitrary reading of memory; therefore, a device may be locked to a certain operator. To get around this security, mobile forensics tool vendors often develop their own boot loaders, enabling the forensic tool to access the memory (and often, also to bypass user passcodes or pattern locks). Generally, the physical extraction is split into two steps, the dumping phase and the decoding phase. Brute force acquisition Brute force acquisition can be performed by 3rd party passcode brute force tools that send a series of passcodes / passwords to the mobile device. This is a time consuming method, but effective nonetheless. Brute forcing tools are connected to the device and will physically send codes on ios devices starting from 0000 to 9999 in sequence until the correct code is successfully entered. Once the code entry has been successful, full access to the device is given and data extraction can commence. Tools List of digital forensics tools § Mobile device forensics Early investigations consisted of live manual analysis of mobile devices; with examiners photographing or writing down useful material for use as evidence. Without forensic photography equipment such as Fernico ZRT, EDEC Eclipse, or Project-a-Phone, this had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible. In recent years a number of hardware/software tools have emerged to recover logical and physical evidence from mobile devices. Most tools consist of both hardware and software portions. The hardware includes a number of cables to connect the phone to the acquisition machine; the software exists to extract the evidence and, occasionally even to analyse it. Most recently, mobile device forensic tools have been developed for the field. This is in response both to military units' demand for fast and accurate anti-terrorism intelligence, and to law enforcement demand for forensic previewing capabilities at a crime scene, search warrant execution, or exigent circumstances. Such mobile forensic tools are often ruggedized for harsh environments (e.g. the battlefield) and rough treatment (e.g. being dropped or submerged in water). Generally, because it is impossible for anyone tool to capture all evidence from all mobile devices, mobile forensic professionals recommend that examiners establish entire toolkits consisting of a mix of commercial, open source, broad support, and narrow support forensic tools, together with accessories such as battery chargers, Faraday bags or other signal disruption equipment, and so forth. ome current tools include Cellebrite UFED, Susteen Secure View and Micro Systemation XRY. Some tools have additionally been developed to address increasing criminal usage of phones manufactured with Chinese chipsets, which include MediaTek (MTK), Spreadtrum and MStar. Such tools include Cellebrite's CHINEX, and XRY PinPoint. Open source Most open source mobile forensics tools are platform-specific and geared toward smartphone analysis. Though not originally designed to be a forensics tool, BitPim has been widely used on CDMA phones as well as LG VX4400/VX6000 and many Sanyo Sprint cell phones.[21] Physical tools[edit] Forensic desoldering Commonly referred to as a "Chip-Off" technique within the industry, the last and most intrusive method to get a memory image is to desolder the non-volatile memory chip and connect it to a memory chip reader. This method contains the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering. Before the invention of the BGA technology it was possible to attach probes to the pins of the memory chip and to recover the memory through these probes. The BGA technique bonds the chips directly onto the PCB through molten solder balls, such that it is no longer possible to attach probes. Here you can see that moisture in the circuit board turned to steam when it was subjected to intense heat. This produces the so-called "popcorn effect." Desoldering the chips is done carefully and slowly, so that the heat does not destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven to eliminate remaining water. This prevents the so-called popcorn effect, at which the remaining water would blow the chip package at desoldering. There are mainly three methods to melt the solder: hot air, infrared light, and steam-phasing. The infrared light technology works with a focused infrared light beam onto a specific integrated circuit and is used for small chips. The hot air and steam methods cannot focus as much as the infrared technique. Chip re-balling After desoldering the chip a re-balling process cleans the chip and adds new tin balls to the chip. Re-balling can be done in two different ways. The first is to use a stencil. The stencil is chip-dependent and must fit exactly. Then the tinsolder is put on the stencil. After cooling the tin the stencil is removed and if necessary a second cleaning step is done. The second method is laser re-balling. Here the stencil is programmed into the re-balling unit. A bond head (looks like a tube/needle) is automatically loaded with one tin ball from a solder ball singulation tank. The ball is then heated by a laser, such that the tin-solder ball becomes fluid and flows onto the cleaned chip. Instantly after melting the ball the laser turns off and a new ball falls into the bond head. While reloading the bond head of the re-balling unit changes the position to the next pin. A third method makes the entire re-balling process unnecessary. The chip is connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-shaped springs need to have a ball onto the pin to establish an electric connection, but the pogo pins can be used directly on the pads on the chip without the balls. The advantage of forensic desoldering is that the device does not need to be functional and that a copy without any changes to the original data can be made. The disadvantage is that the reballing devices are expensive, so this process is very costly and there are some risks of total data loss. Hence, forensic desoldering should only be done by experienced laboratories. JTAG Existing standardized interfaces for reading data are built into several mobile devices, e.g., to get position data from GPS equipment (NMEA) or to get deceleration information from airbag units. Not all mobile devices provide such a standardized interface nor does there exist a standard interface for all mobile devices, but all manufacturers have one problem in common. The miniaturizing of device parts opens the question how to automatically test the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan. Despite the standardization there are four tasks before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register one must know which processor and memory circuits are used and how they are connected to the system bus. When not accessible from outside one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal. The JTAG port is not always soldered with connectors, such that it is sometimes necessary to open the device and re-solder the access port. The protocol for reading the memory must be known and finally the correct voltage must be determined to prevent damage to the circuit. The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimized and the memory chip doesn't have to be desoldered. Generating the image can be slow and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port. Command line tools System commands Mobile devices do not provide the possibility to run or boot from a CD, connecting to a network share or another device with clean tools. Therefore, system commands could be the only way to save the volatile memory of a mobile device. With the risk of modified system commands it must be estimated if the volatile memory is really important. A similar problem arises when no network connection is available and no secondary memory can be connected to a mobile device because the volatile memory image must be saved on the internal non-volatile memory, where the user data is stored and most likely deleted important data will be lost. System commands are the cheapest method, but imply some risks of data loss. Every command usage with options and output must be documented. AT commands AT commands are old modem commands, e.g., Hayes command set and Motorola phone AT commands, and can therefore only be used on a device that has modem support. Using these commands one can only obtain information through the operating system, such that no deleted data can be extracted. For external memory and the USB flash drive, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore, USB flash drives with memory protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes, while making a copy. If the USB drive has no protection switch, a blocker can be used to mount the drive in a readonly mode or, in an exceptional case, the memory chip can be desoldered. The SIM and memory cards need a card reader to make the copy. The SIM card is soundly analyzed, such that it is possible to recover (deleted) data like contacts or text messages.[11] The Android operating system includes the dd command. In a blog post on Android forensic techniques, a method to live image an Android device using the dd command is demonstrated. Non-forensic commercial tools Flasher tools A flasher tool is programming hardware and/or software that can be used to program (flash) the device memory, e.g., EEPROM or flash memory. These tools mainly originate from the manufacturer or service centers for debugging, repair, or upgrade services. They can overwrite the non-volatile memory and some, depending on the manufacturer or device, can also read the memory to make a copy, originally intended as a backup. The memory can be protected from reading, e.g., by software command or destruction of fuses in the read circuit. Note, this would not prevent writing or using the memory internally by the CPU. The flasher tools are easy to connect and use, but some can change the data and have other dangerous options or do not make a complete copy. Controversies In general, there exists no standard for what constitutes a supported device in a specific product. This has led to the situation where different vendors define a supported device differently. A situation such as this makes it much harder to compare products based on vendor provided lists of supported devices. For instance, a device where logical extraction using one product only produces a list of calls made by the device may be listed as supported by that vendor while another vendor can produce much more information. Furthermore, different products extract different amounts of information from different devices. This leads to a very complex landscape when trying to overview the products. In general, this leads to a situation where testing a product extensively before purchase is strongly recommended. It is quite common to use at least two products which complement each other. Mobile phone technology is evolving at a rapid pace. Digital forensics relating to mobile devices seems to be at a stand still or evolving slowly. For mobile phone forensics to catch up with release cycles of mobile phones, more comprehensive and in depth framework for evaluating mobile forensic toolkits should be developed and data on appropriate tools and techniques for each type of phone should be made available a timely manner. Anti-forensics is more difficult because of the small size of the devices and the user's restricted data accessibility. Nevertheless, there are developments to secure the memory in hardware with security circuits in the CPU and memory chip, such that the memory chip cannot be read even after desoldering. 6. Router Forensics Reconnaissance is considered the first pre attack phase. The hacker seeks to find out as much information as possible about the victim. The second pre attack phase is scanning and enumeration. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Access can be gained in many different ways. A hacker may exploit a router vulnerability or maybe social engineer the help desk into giving him a phone number for a modem. Access could be gained by finding vulnerability in the web server’s software. Just having the access of an average user account probably won’t give the attacker very much control or access to the network. Therefore, the attacker will attempt to escalate himself to administrator or root privilege. Once escalation of privilege is complete the attacker will work on ways to maintain access to the systems he or she has attacked and compromised. Hackers are much like other criminals in that they would like to make sure and remove all evidence of their activities, which might include using root kits to cover their tracks. This is the moment at which most forensic activities begin. Searching for Evidence You must be knowledgeable of each of the steps of the hacking process and understand the activities and motives of the hacker. You many times will be tasked with using only pieces of information and playing the role of a detective in trying to reassemble the pieces of the puzzle. Information stored within a computer can exist in only one or more predefined areas. Information can be stored as a normal file, deleted file, hidden file, or in the slack or free space. Understanding these areas, how they work, and how they can be manipulated will increase the probability that you will find or discover hidden data. Not all suspects you encounter will be super cyber criminals. Many individuals will not hide files at all; others will attempt simple file hiding techniques. You may discover cases where suspects were overcome with regret, fear, or remorse, and attempted to delete or erase incriminating evidence after the incident. Most average computer users don’t understand that to drop an item in the recycle bin doesn’t mean that it is permanently destroyed. One common hiding technique is to place the information in an obscure location such as C:\winnt\system32\os2\dll. Again, this will usually block the average user from finding the file. The technique is simply that of placing the information in an area of the drive where you would not commonly look. A system search will quickly defeat this futile attempt at data hiding. Just search for specific types of files such as bmp, tif, doc, and xls. Using the search function built into Windows will help quickly find this type of information. If you are examining a Linux computer, use the grep command to search the drive. Another technique is using file attributes to hide the files or folders. On a Macintosh computer, you can hide a file with the ResEdit utility. In the wonderful world of Windows, file attributes can be configured to hide files at the command line with the attrib command. This command is built into the Windows OS. It allows a user to change the properties of a file. Someone could hide a file by issuing attrib +h secret.txt. This command would render the file invisible in the command line environment. This can also be accomplished through the GUI by right-clicking on a file and choosing the hidden type. Would the file then be invisible in the GUI? Well, that depends on the view settings that have been configured. Open a browse window and choose tools/folder options/view/show hidden files; then, make sure Show Hidden Files is selected. This will display all files and folders, even those with the +h attribute set. Another way to get a complete listing of all hidden files is to issue the command attrib /s > attributes.txt from the root directory. The attrib command lists file attributes, the /s function list all files in all the subdirectories, and > redirects the output to a text file. This text file can then be parsed and placed in a spreadsheet for further analysis. Crude attempts such as these can be quickly surmounted. An Overview of Routers Routers are a key piece of networking gear. Let’s know the role and function of a router. What Is a Router? Routers can be hardware or software devices that route data from a local area network to a different network. Routers are responsible for making decisions about which of several paths network (or Internet) traffic will follow. If more than one path is available to transmit data, the router is responsible for determining which path is the best path to route the information. The Function of a Router Routers also act as protocol translators and bind dissimilar networks. Routers limit physical broadcast traffic as they operate at layer 3 of the OSI model. Routers typically use either link state or hop count based routing protocols to determine the best path. The Role of a Router Routers are found at layer three of the OSI model. This is known as the networking layer. The network layer provides routing between networks and defines logical addressing, error handling, congestion control, and packet sequencing. This layer is concerned primarily with how to get packets from network A to network B. This is where IP addresses are defined. These addresses give each device on the network a unique (logical) address. Routers organize these addresses into classes, which are used to determine how to move packets from one network to another. All types of protocols rely on routing to move information from one point to another. This includes IP, Novell’s IPX, and Apple’s DDP. Routing on the Internet typically is performed dynamically; however, setting up static routes is a form of basic routing. Dynamic routing protocols constantly look for the best route to move information from the source to target network. Routing Tables Routers are one of the basic building blocks of networks, as they connect networks together. Routers reside at layer 3 of the OSI model. Each router has two or more interfaces. These interfaces join separate networks together. When a router receives a packet, it examines the IP address and determines to which interface the packet should be forwarded. On a small or uncomplicated network, an administrator may have defined a fixed route that all traffic will follow. More complicated networks typically route packets by observing some form of metric. Routing tables include the following type of information: ■ Bandwidth This is a common metric based on the capacity of a link. If all other metrics were equal, the router would choose the path with the highest bandwidth. ■ Cost The organization may have a dedicated T1 and an ISDN line. If the ISDN line has a higher cost; traffic will be routed through the T1. ■ Delay This is another common metric, as it can build on many factors including router queues, bandwidth, and congestion. ■ Distance This metric is calculated in hops; that is, how many routers away is the destination. ■ Load This metric is a measurement of the load that is being placed on a particular router. It can be calculated by examining the processing time or CPU utilization. ■ Reliability This metric examines arbitrary reliability ratings. Network administrators can assign these numeric values to various links. By applying this metric and consulting the routing table, the routing protocol can make a best path determination. At this point, the packet is forwarded to the next hop as it continues its journey toward the destination. Router Architecture Router architecture is designed so that routers are equipped to perform two main functions: process routable protocols and use routing protocols to determine best path. Let’s start by reviewing routable protocols. The best example of a routed protocol is IP. A very basic definition of IP is that it acts as the postman of the Internet—its job is to organize data into a packet, which is then addressed for delivery. IP must place a target and source address on the packet.This is similar to addressing a package before delivering it to the post office. In the world of IP, the postage is a TTL (Time-to-Live), which keeps packets from traversing the network forever. If the recipient cannot be found, the packet can eventually be discarded. All the computers on the Internet have an IP address. If we revert to our analogy of the postal system, an IP address can be thought of as the combination of a zipcode and street address. The first half of the IP address is used to identify the proper network; the second portion of the IP address identifies the host. Combined, this allows us to communicate with any network and any host in the world that is connected to the Internet. Now let us turn our attention to routing protocols. Routing Protocols Routing protocols fall into two basic categories, static and dynamic. Static, or fixed, routing is simply a table that has been developed by a network administrator mapping one network to another. Static routing works best when a network is small and the traffic is predictable. The big problem with static routing is that it cannot react to network changes. As the network grows, management of these tables can become difficult. Although this makes static routing unsuitable for use on the Internet or large networks, it can be used in special circumstances where normal routing protocols do not function well. Dynamic routing uses metrics to determine what path a router should use to send a packet toward its destination. Dynamic routing protocols include Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and Open Shortest Path First (OSPF). Dynamic routing can be divided into two broad categories: link-state or distance vector dynamic routing protocols, which are discussed in greater detail later in the chapter. RIP RIP is the most common routing protocol that uses a hop count as its primary routing metric. RIP is considered a distance vector protocol. The basic methodology of a distance vector protocol is to make a decision on what is the best route by determining the shortest path. The shortest path is commonly calculated by hops. Distance vector routing is also called routing by rumor. Head of the Class… What Is a Hop Count? A hop count is the number of routers that a packet must pass through to reach it destination. Each time a packet passes through a router, the cost is one hop. So, if the target network you are trying to reach is two routers away, it is also two hops away. The major shortcoming of distance vector protocols is that the path with the lowest number of hops may not be the optimum route. The lower hop count path may have considerably less bandwidth than the higher hop count route. OSPF OSPF is the most common link state routing protocol and many times, it is used as a replacement to RIP. Link state protocols are properly called Dijkstra algorithms, as this is the computational basis of their design. Link state protocols use the Dijkstra algorithm to calculate the best path to a target network. The best path can be determined by one or more metrics such as hops, delay, or bandwidth. Once this path has been determined, the router will inform other routers as to its findings. This is how reliable routing tables are developed and routing tables reach convergence. Link state routing is considered more robust than distance vector routing protocols. One reason is because link state protocols have the ability to perform faster routing table updates. NOTE Convergence is the point at which routing tables have become synchronized. Each time a network is added or dropped, the routing tables must again resynchronize. Routing algorithms differ in the speed at which they can reach convergence. Hacking Routers Full control of a router can often lead to full control of the network. This is why many attackers will target routers and launch attacks against them. These attacks may focus on configuration errors, known vulnerabilities, or even weak passwords. Router Attacks Routers can be attacked by either gaining access to the router and changing the configuration file, launching DoS attacks, flooding the bandwidth, or routing table poisoning. These attacks can be either hit-and-run or persistent. Denial of Service attacks are targeted at routers. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled. Router Attack Topology The router attack topology is the same as all attack topologies. The steps include: 1. Reconnaissance 2. Scanning and enumeration 3. Gaining access 4. Escalation of privilege 5. Maintaining access 6. Covering tracks and placing backdoors Hardening Routers The Router Audit Tool can be used to harden routers. Once downloaded, RAT checks them against the settings defined in the benchmark. Each configuration is examined and given a rated score that provides a raw overall score, a weighted overall score (1-10), and a list of IOS commands that will correct any identified problems. Denial-of-Service Attacks Denial-of-service (DoS) attacks fall into three categories: ■ Destruction. Attacks that destroy the ability of the router to function. ■ Resource consumption. Flooding the router with many open connections simultaneously. ■ Bandwidth consumption. Attacks that attempt to consume the bandwidth capacity of the router’s network. DoS attacks may target a user or an entire organization and can affect the availability of target systems or the entire network. The impact of DoS is the disruption of normal operations and the disruption of normal communications. It’s much easier for an attacker to accomplish this than it is to gain access to the network in most instances. Smurf is an example of a common DoS attack. Smurf exploits the Internet Control Message Protocol (ICMP) protocol by sending a spoofed ping packet addressed to the broadcast address and has the source address listed as the victim. On a multi access network, many systems may possibly reply. The attack results in the victim being flooded in ping responses. Another example of a DoS attack is a SYN flood. A SYN flood disrupts Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. This large number of half-open TCP connections fills the buffer on victim’s system and prevents it from accepting legitimate connections. Systems connected to the Internet that provide services such as HTTP or SMTP are particular vulnerable. DDoS attacks are the second type of DoS attack and are considered multiprotocol attacks. DDoS attacks use ICMP, UDP, and TCP packets. One of the distinct differences between DoS and DDoS is that a DDoS attack consists of two distinct phases. First, during the pre-attack, the hacker must compromise computers scattered across the Internet and load software on these clients to aid in the attack. Targets for such an attack include broadband users, home users, poorly configured networks, colleges and universities. Script kiddies from around the world can spend countless hours scanning for the poorly protected systems. Once this step is completed the second step can commence. The second step is the actual attack. At this point the attacker instructs the masters to communicate to the zombies to launch the attack. ICMP and UDP packets can easily be blocked at the router, but TCP packets are difficult to mitigate. TCP-based DoS attacks comes in two forms: ■ Connection-oriented. These attacks complete the 3-way handshake to establish a connection. Source IP address can be determined here. ■ Connectionless. These packets SYN are difficult t trace because source An example of a DDOS tool is Tribal Flood Network (TFN). TFN was the first publicly available UNIX-based DDoS tool.TFN can launch ICMP, Smurf, UDP, and SYN flood attacks.The master uses UDP port 31335 and TCP port 27665.TFN was followed by more advanced DDoS attacks such as Trinoo. Closely related to TFN, this DDoS allows a user to launch a coordinated UDP flood to the victim’s computer, which gets overloaded with traffic. A typical Trinoo attack team includes just a few servers and a large number of client computers on which the Trinoo daemon is running. Trinoo is easy for an attacker to use and is very powerful in that one computer is instructing many Trinoo servers to launch a DoS attack against a particular computer. Routing Table Poisoning Routers running RIPv1 are particularly vulnerable to routing table poisoning attacks. This type of attack sends fake routing updates or modifies genuine route update packets to other nodes with which the attacker attempts to cause a denial of service. Routing table poisoning may cause a complete denial of service or result in suboptimal routing, or congestion in portions of the network. Hit-and-Run Attacks and Persistent Attacks Attackers can launch one of two types of attacks, either-hit and-run or persistent. A hit-and-run attack is hard to detect and isolate as the attacker injects only one or a few malformed packets. With this approach, the attacker must craft the attacks so that the results have some lasting damaging effect. A persistent attack increases the possibility for identification of the attacker as there is an ongoing stream of packets to analyze. However, this attack lowers the level of complexity needed by the attacker as they can use much less sophisticated attacks. Link state routing protocols such as OSPF are more resilient to routing attacks than RIP. Forensic Analysis of Routing Attacks During a forensic investigation the analyst should examine log files for evidence such as IP address and the protocol. It is a good idea to redirect logs to the syslog server. This can be accomplished as follows: #config terminal Logging 192.168.1.1 Investigating Routers When investigating routers there are a series of built-in commands that can be used for analysis. It is unadvisable to reset the router as this may destroy evidence that was created by the attacker. The following show commands can be used to gather basic information and record hacker activity: ■ Show access list ■ Show clock ■ Show ip route ■ Show startup configuration ■ Show users ■ Show version Chain of Custody The chain of custody is used to prove the integrity of evidence. The chain of custody should be able to answer the following questions: ■ Who collected the evidence? ■ How and where is the evidence stored? ■ Who took possession of the evidence? ■ How was the evidence stored and how was it protected during storage? ■ Who took the evidence out of storage and why? There is no such thing as too much documentation. One good approach is to have two people work on a case. While one person performs the computer analysis, the other documents these actions. At the beginning of an investigation, a forensic analyst should prepare a log to document the systematic process of the investigation. This is required to establish the chain of custody. This chain of custody will document how the evidence is handled, how it is protected, what process is used to verify it remains unchanged, and how it is duplicated. Next, the log must address how the media is examined, what actions are taken, and what tools are used. Automated tools such as EnCase and The Forensic Toolkit compile much of this information for the investigator. Volatility of Evidence When responding to a network attack, obtaining volatile data should be collected as soon as possible. Although all routers are different, you will most likely be working with Cisco products as Cisco has the majority of the market share. Cisco routers store the current configuration in nonvolatile ram (NVRAM). The current configuration is considered volatile data and the data is kept in Random Access Memory (RAM). If the configuration is erased or the router powered down all information is lost. Routers typically are used as a beachhead for an attack. This means the router may play an active part in the intrusion. The attacker uses the router as a jumping off point to other network equipment. When starting an investigation, you should always move from most volatile to least volatile. The first step is to retrieve RAM and NVRAM. To accomplish this, you may use a direct connection to the console port using RJ-45-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter. In instances when a direct connection is not available a remoter session is the next preferred method. Insecure protocols such as FTP should not be used; an encrypted protocol Secure Shell (SSH) is preferred. You should make sure to capture both volatile and nonvolatile configurations for comparison changes and documentation purposes. Cisco routers have multiple modes, so to gain privilege mode the password must be known by the analyst. Case Reports Case reporting is one of the most important aspects of computer forensics. Just as with traditional forensics everything should be documented. Reporting should begin the minute you are assigned to a case. Although it may sometimes seem easier to blindly push forward, the failure to document can result in poorly written reports that will not withstand legal scrutiny. Let’s face it, not all aspects of computer forensics are exciting and fun. Most of us view paperwork as drudgery. It is a somewhat tedious process that requires an eye for detail. Don’t allow yourself this fallacy. In the end, the documentation you keep and the process you follow will either validate or negate the evidence. The report is key in bringing together the three primary pieces of forensics: acquisition, authentication, and analysis. The case report will be the key to determining one of the following actions: ■ Employee remediation ■ Employee termination ■ Civil proceedings ■ Criminal prosecution When the investigation is complete a final written report is prepared. Some of the items found in this report will include: ■ Case Summary ■ Case Audit Files ■ Bookmarks ■ Selected Graphics ■ File Location Path ■ File Location Properties Although this is not an all-inclusive list it should give you some indication of what should be included. Depending on the agency or corporation, the contents of the report will vary. What is consistent is that anyone should be able to use the logs and the report to recreate the steps performed throughout the investigation. This process of duplication should lead to identical results. Incident Response Incident response is the effort of an organization to define and document the nature and scope of a computer security incident. Incident response can be broken into three broad categories that include: ■ Triage. Notification and identification ■ Action/Reaction. Containment, analysis, tracking ■ Follow up. Repair and recovery, prevention Compromises Before a compromise can be determined, investigators must be alerted that something has happened. It is best if the alert function is automated as much as possible. Otherwise, the sheer volume of log information would be overwhelming for an employee. Even with a high level of automation someone must still make a judgment regarding the validity of the alert. Once an attack has been validated it is important to reduce the damage of the attack as quickly as possible and work to restore normal business functions. Summary In this chapter, we reviewed how routers can play an important part in forensics. Readers were introduced to routed protocols such as IP and we discussed how routed protocols work. In many ways, IP acts as a “postman” since its job is to make the best effort at delivery. In a small network or those that seldom change, the route that the IP datagrams take through the network may remain static or unchanged. Larger networks use dynamic routing. Administrators use routing protocols such as RIP for dynamic routing. We also looked at how attackers attack routers and how incident response relates to routers and router compromises. Overview of Routers _ Routers are designed to connect dissimilar protocols. _ Routers deal with routing protocols. _ Common routing protocols include RIP and OSPF. Hacking Routers _ Routers can be attacked by exploiting misconfigurations or vulnerabilities. _ Routers need to have logging enabled so sufficient traffic is captured to aid in forensic investigations. Incident Response _ Monitoring for incidents requires both passive and active tasks. _ Incident response requires development of a policy to determine the proper response. 7. Introduction to Network Forensics and Investigating Logs This chapter focuses on network forensics and investigating logs. It starts by defining network forensics and describing the tasks associated with a forensic investigation. The chapter then covers log files and their use as evidence. The chapter concludes with a discussion about time synchronization. Network Forensics Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks. Capturing network traffic over a network is simple in theory, but relatively complex in practice. This is because of the large amount of data that flows through a network and the complex nature of Internet protocols. Because recording network traffic involves a lot of resources, it is often not possible to record all of the data flowing through the network. An investigator needs to back up these recorded data to free up recording media and to preserve the data for future analysis. Analyzing Network Data The analysis of recorded data is the most critical and most time-consuming task. Although there are many automated analysis tools that an investigator can use for forensic purposes, they are not sufficient, as there is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of a false positive. An investigator needs to perform network forensics to determine the type of an attack over a network and to trace out the culprit. The investigator needs to follow proper investigative procedures so that the evidences recovered during investigation can be produced in a court of law. Network forensics can reveal the following information: • How an intruder entered the network • The path of intrusion • The intrusion techniques an attacker used • Traces and evidence Network forensics investigators cannot do the following: • Solve the case alone • Link a suspect to an attack The Intrusion Process Network intruders can enter a system using the following methods: • Enumeration: Enumeration is the process of gathering information about a network that may help an intruder attack the network. Enumeration is generally carried out over the Internet. The following information is collected during enumeration: • Topology of the network • List of live hosts • Network architecture and types of traffic (for example, TCP, UDP, and IPX) • Potential vulnerabilities in host systems • Vulnerabilities: An attacker identifies potential weaknesses in a system, network, and elements of the network and then tries to take advantage of those vulnerabilities. The intruder can find known vulnerabilities using various scanners. • Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user. • Trojans: Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems. • E-mail infection: The use of e-mail to attack a network is increasing. An attacker can use e-mail spamming and other means to flood a network and cause a denial-of-service attack. • Router attacks: Routers are the main gateways into a network, through which all traffic passes. A router attack can bring down a whole network. • Password cracking: Password cracking is a last resort for any kind of attack. Looking for Evidence An investigator can find evidence from the following: • From the attack computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools. • From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence. • From internetworking devices: Evidence exists in logs and buffers as available. • From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions. End-To-End Forensic Investigation An end-to-end forensic investigation involves following basic procedures from beginning to end. The following are some of the elements of an end-to-end forensic track: • The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked. • Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker. • Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes, permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following: • An investigator or network administrator may mistake normal computer or network activity for attack activity. • There may be gaps in the chain of evidence. • Logs may be ambiguous, incomplete, or missing. • Since the Internet spans the globe, other nations may be involved in the investigation. This can create legal and political issues for the investigation. • Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture. Log Files as Evidence Log files are the primary recorders of a user’s activity on a system and of network activities. An investigator can both recover any services altered and discover the source of illicit activities using logs. Logs provide clues to investigate. The basic problem with logs is that they can be altered easily. An attacker can easily insert false entries into log files. An investigator must be able to prove in court that logging software is correct. Computer records are not normally admissible as evidence; they must meet certain criteria to be admitted at all. The prosecution must present appropriate testimony to show that logs are accurate, reliable, and fully intact. A witness must authenticate computer records presented as evidence. Legality of Using Logs The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind: • Logs must be created reasonably contemporaneously with the event under investigation. • Log files cannot be tampered with. • Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator. • Logs must be kept as a regular business practice. • Random compilations of data are not admissible. • Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization. • If an organization starts keeping regular logs now, it will be able to use the logs as evidence later. • A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced. • A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software • A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence. • If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect. • In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization. • An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order. • The original copies of any log files are preferred. • A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped computers that have USB or SCSI interfaces. Examining Intrusion and Security Events As discussed earlier, the inspection of log files can reveal an intrusion or attack on a system. Therefore, monitoring for intrusion and security breach events is necessary to track down attackers. Examining intrusion and security events includes both passive and active tasks. A detection of an intrusion that occurs after an attack has taken place is called a post-attack detection or passive intrusion detection. In these cases, the inspection of log files is the only medium that can be used to evaluate and rebuild the attack techniques. Passive intrusion detection techniques usually involve a manual review of event logs and application logs. An investigator can inspect and analyze event log data to detect attack patterns. On the other hand, there are many attack attempts that can be detected as soon as the attack takes place. This type of detection is known as active intrusion detection. Using this method, an administrator or investigator follows the footsteps of the attacker and looks for known attack patterns or commands, and blocks the execution of those commands. Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data. There are various types of intrusions, including unauthorized access to files and systems, worms, Trojans, computer viruses, buffer overflow attacks, application redirection, and identity and data spoofing. Intrusion attacks can also appear in the form of denial of service, and DNS, e-mail, content, or data corruption. Intrusions can result in a change of user and file security rights, installation of Trojan files, and improper data access. Administrators use many different intrusion detection techniques, including evaluation of system logs and settings, and deploying firewalls, antivirus software, and specialized intrusion detection systems. Administrators should investigate any unauthorized or malicious entry into a network or host. Using Multiple Logs as Evidence Recording the same information in two different devices makes the evidence stronger. Logs from several devices collectively support each other. Firewall logs, IDS logs, and TCPDump output can contain evidence of an Internet user connecting to a specific server at a given time. Maintaining Credible IIS Log Files Many network administrators have faced serious Web server attacks that have become legal issues. Web attacks are generally traced using IIS logs. Investigators must ask themselves certain questions before presenting IIS logs in court, including: • What would happen if the credibility of the IIS logs was challenged in court? • What if the defense claims the logs are not reliable enough to be admissible as evidence? An investigator must secure the evidence and ensure that it is accurate, authentic, and accessible. In order to prove that the log files are valid, the investigator needs to present them as acceptable and dependable by providing convincing arguments, which makes them valid evidence. Log File Accuracy The accuracy of IIS log files determines their credibility. Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated. Any modification to the logs causes the validity of the entire log file being presented to be suspect. Logging Everything In order to ensure that a log file is accurate, a network administrator must log everything. Certain fields in IIS log files might seem to be less significant, but every field can make a major contribution as evidence. Therefore, network administrators should configure their IIS server logs to record every field available. IIS logs must record information about Web users so that the logs provide clues about whether an attack came from a logged-in user or from another system. Consider a defendant who claims a hacker had attacked his system and installed a back-door proxy server on his computer. The attacker then used the back-door proxy to attack other systems. In such a case, how does an investigator prove that the traffic came from a specific user’s Web browser or that it was a proxied attack from someone else? Extended Logging in IIS Server Limited logging is set globally by default, so any new Web sites created have the same limited logging. An administrator can change the configuration of an IIS server to use extended logging. The following steps explain how to enable extended logging for an IIS Web/FTP server and change the location of log files: 1. Run the Internet Services Manager. 2. Select the properties on the Web/FTP server. 3. Select the Web site or FTP site tab. 4. Check the Enable Logging check box. 5. Select W3C Extended Log File Format from the drop-down list. 6. Go to Properties. 7. Click the Extended Properties tab, and set the following properties accordingly: • Client IP address • User name • Method • URI stem • HTTP status • Win32 status • User agent • Server IP address • Server port 8. Select Daily for New Log Time Period below the general Properties tab. 9. Select Use local time for file naming and overturn. 10. Change the log file directory to the location of logs. 11. Ensure that the NTFS security settings have the following settings: • Administrators - Full Control • System - Full Control Keeping Time With the Windows time service, a network administrator can synchronize IIS servers by connecting them to an external time source. Using a domain makes the time service synchronous to the domain controller. A network administrator can synchronize a standalone server to an external time source by setting certain registry entries: Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ Setting: Type Type: REG_SZ Value: NTP Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ Setting: NtpServer Type: REG_SZ Value: ntp.xsecurity.com Avoiding Missing Logs When an IIS server is offline or powered off, log files are not created. When a log file is missing, it is difficult to know if the server was actually offline or powered off, or if the log file was deleted. To combat this problem, an administrator can schedule a few hits to the server using a scheduling tool. The administrator can keep a log of the outcomes of these hits to determine when the server was active. If the record of hits shows that the server was online and active at the time that log file data is missing, the administrator knows that the missing log file might have been deleted. Log File Authenticity An investigator can prove that log files are authentic if he or she can prove that the files have not been altered since they were originally recorded. IIS log files are simple text files that are easy to alter. The date and time stamps on these files are also easy to modify. Hence, they cannot be considered authentic in their default state. If a server has been compromised, the investigator should move the logs off the server. The logs should be moved to a master server and then moved offline to secondary storage media such as a tape or CDROM. Working with Copies As with all forensic investigation, an investigator should never work with the original files when analysing log files. The investigator should create copies before performing any postprocessing or log file analysis. If the original files are not altered, the investigator can more easily prove that they are authentic and are in their original form. When using log files as evidence in court, an investigator is required to present the original files in their original form. Access Control In order to prove the credibility of logs, an investigator or network administrator needs to ensure that any access to those files is audited. The investigator or administrator can use NTFS permissions to secure and audit the log files. IIS needs to be able to write to log files when the logs are open, but no one else should have access to write to these files. Once a log file is closed, no one should have access to modify the contents of the file. Chain of Custody As with all forensic evidence, the chain of custody must be maintained for log files. As long as the chain of custody is maintained, an investigator can prove that the log file has not been altered or modified since its capture. When an investigator or network administrator moves log files from a server, and after that to an offline device, he or she should keep track of where the log file went and what other devices it passed through. This can be done with either technical or nontechnical methods, such as MD5 authentication. IIS Centralized Binary Logging Centralized binary logging is a process in which many Web sites write binary and unformatted log data to a single log file. An administrator needs to use a parsing tool to view and analyze the data. The files have the extension. ibl, which stands for Internet binary log. It is a server property, so all Web sites on that server write log data to the central log file. It decreases the amount of system resources that are consumed during logging, therefore increasing performance and scalability. The following are the fields that are included in the centralized binary log file format: • Date • Time • Client IP address • User name • Site ID • Server name • Server IP address • Server port • Method • URI stem • URI query • Protocol status • Windows status • Bytes sent • Bytes received • Time taken • Protocol version • Protocol substatus ODBC Logging ODBC logging records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server. The administrator sets up and specifies the database to receive the data and log files. When ODBC logging is enabled, IIS disables the HTTP.sys kernel-mode cache. An administrator must be aware that implementing ODBC logging degrades server performance. Some of the information that is logged includes the IP address of the user, user name, date, time, HTTP status code, bytes received, bytes sent, action carried out, and target file. Tool: IISLogger IISLogger provides additional functionality on top of standard IIS logging. It produces additional log data and sends it using syslog. It even logs data concerning aborted Web requests that were not completely processed by IIS. IISLogger is an ISAPI filter that is packaged as a DLL embedded in the IIS environment. It starts automatically with IIS. When IIS triggers an ISAPI filter notification, IISLogger prepares header information and logs this information to syslog in a certain format. This occurs each time, for every notification IISLogger is configured to handle. The following are some of the features of IISLogger: • It generates additional log information beyond what is provided by IIS. • It recognizes hacker attacks. • It forwards IIS log data to syslog. • It provides a GUI for configuration purposes. Figure 1-1 shows a screenshot from IISLogger. Importance of Audit Logs The following are some of the reasons audit logs are important: • Accountability: Log data identifies the accounts that are associated with certain events. This data highlights where training and disciplinary actions are needed. • Reconstruction: Investigators review log data in order of time to determine what happened before and during an event. • Intrusion detection: Investigators review log data to identify unauthorized or unusual events. These events include failed login attempts, login attempts outside the designated schedules, locked accounts, port sweeps, network activity levels, memory utilization, and key file or data access. • Problem detection: Investigators and network administrators use log data to identify security events and problems that need to be addressed. Syslog Syslog is a combined audit mechanism used by the Linux operating system. It permits both local and remote log collection. Syslog allows system administrators to collect and distribute audit data with a single point of management. Syslog is controlled on a per-machine basis with the file /etc/syslog.conf. This configuration file consists of multiple lines like the following: mail.info /var/log/maillog The format of configuration lines is: facility.level action The Tab key is used to define white space between the selector on the left side of the line and the action on the right side. The facility is the operating system component or application that generates a log message, and the level is the severity of the message that has been generated. The action gives the definition of what is done with the message that matches the facility and level. The system administrator can customize messages based on which part of the system is generating data and the severity of the data using the facility and level combination. The primary advantage of syslog is that all reported messages are collected in a message file. To log all messages to a file, the administrator must replace the selector and action fields with the wildcard (*). Logging priorities can be enabled by configuring /var/log/syslog. All authorized messages can be logged with priorities such as emerg (highest), alert, crit, err, warning, notice, info, or debug (lowest). Events such as bad login attempts and the user’s last login date are also recorded. If an attacker logs into a Linux server as root using the secure shell service and a guessed password, the attacker’s login information is saved in the syslog file. It is possible for an attacker to delete or modify the /var/log/syslog message file, wiping out the evidence. To avoid this problem, an administrator should set up remote logging. Remote Logging Centralized log collection makes simpler both day-to-day maintenance and incident response, as it causes the logs from multiple machines to be collected in one place. There are numerous advantages of a centralized log collection site, such as more effective auditing, secure log storage, easier log backups, and an increased chance for analysis across multiple platforms. Secure and uniform log storage might be helpful in case an attacker is prosecuted based on log evidence. In such cases, thorough documentation of log handling procedures might be required. Log replication may also be used to audit logs. Log replication copies the audit data to multiple remote logging hosts in order to force an attacker to break into all, or most, of the remote-logging hosts in order to wipe out evidence of the original intrusion. Preparing the Server for Remote Logging The central logging server should be set aside to perform only logging tasks. The server should be kept in a secure location behind the firewall. The administrator should make sure that no unnecessary services are running on the server. Also, the administrator should delete any unnecessary user accounts. The logging server should be as stripped down as possible so that the administrator can feel confident that the server is secure. Configuring Remote Logging sThe administrator must run syslogd with the -r option on the server that is to act as the central logging server. This allows the server to receive messages from remote hosts via UDP. There are three files that must be changed: • In the file /etc/rc.d/init.d/syslog, a line reads: SYSLOGD_OPTIONS=“-m 0” The administrator must add the -r flag to the options being passed to syslog: SYSLOGD_OPTIONS=“-m 0 -r” The -r option opens the syslog daemon port 514 and makes syslog listen for incoming log information. • In the file /etc/sysconfig/syslog, there is a line similar to the above line. The administrator needs to add the -r flag to this line also. • The administrator needs to integrate the syslog daemon service into the /etc/services files. Syslog 514/udp The administrator must run the following command after altering the three files: /sbin/service syslog restart A reference should appear in the var/log/messages file indicating that the remote syslog server is running. The syslog server can be added to the /etc/syslogd.conf file in the client, which can preserve an audit trail even if a cracker does an rm -rf. Other servers can be configured to log their messages to the remote server by modifying the action field in the syslog.conf as: Auth.* @myhost Tool: Syslog-ng Syslog-ng is a flexible and scalable audit-processing tool. It offers a centralized and securely stored log for all the devices on a network. The following are some of the features of Syslog-ng: • It guarantees the availability of logs. • It is compatible with a wide variety of platforms. • It is used in heavily firewalled environments. • It offers proven robustness. • It allows a user to manage audit trails flexibly. • It has customizable data mining and analysis capabilities. • It allows a user to filter based on message content. 8. Analysis of Laser and Inkjet Prints Using Spectroscopic Methods for Forensic Identification of Questioned Documents Lukáš Gál, Michaela Belovičová, Michal Oravec, Miroslava Palková, Michal Čeppan Slovak University of Technology in Bratislava, Faculty of Chemical and Food Technology, Institute of Polymer Materials, Department of Graphic Arts Technology and Applied Photochemistry Abstract: The spectral properties in UV-VIS-NIR and IR regions of laser and inkjet prints were studied for the purposes of forensic analysis of documents. The procedures of measurements and processing of spectra of printed documents using fibre optics reflectance spectroscopy in UV-VIS and NIR region, FTIR-ATR with diamond/ZnSe and germanium crystals were optimized. It was found that the shapes of spectra of various black laser jet prints and inkjet prints generally differ in the spectral regions UV-VIS-NIR and IR. However, the resolution of individual spectra, and hence of individual printers, based on the simple visual comparison is not reliable enough. However, using of these spectra for identification of individual printers should be enhanced by computational chemometric methods Keywords: document, spectroscopy, laser, inkjet Introduction In the realm of interesting facts frequently cited, a major legal step with strong implications for Questioned Documents examination was taken in 1562 when the English Parliament decreed forgery as a statutory offense. The damages incurred by forgery were considered so severe that in 1634 it was made a capital offense, which it remained for more than two hundred years. Thus, the crime of forgery was established in the sixteenth century, and in 1684 it was ruled that “comparison of hands is without doubt good evidence in cases of treason” (R v. Hayes, 10 State Tr. 307). The protecting copyright and verifying authenticity is very important in each aspects of our life. The documents like agreements, wills, and ownership of properties, judicial papers, and educational certificates or other commonly used documents in economy and society are used every day. Document is any material that contains printed information conveying some meaning or a message. With the growing of new technologies creation documents increased too. However, the exchange principle, now called Contact Traces, first articulated by Edmond Locard in 1910 give us an advantage in this direction: “One cannot come into contact with an environment without changing it in some way” The graphic documents represent a complex system of underlay and material structure of own graphical information (inks, toners, colours…) and substrate (usually paper) with mutual complex interactions of components, which are represented on document properties. Observation of authenticity and other characteristics of graphical documents are approached to from several directions. A basic process is material analysis of documents, i.e. determination of material characteristics of documents components, underlays and inks and layers structure in the case of multi-layered documents, which can help to investigate and clarify the facts. In practice throughout range of physical and chemical methods is used to the study and analysis of document composition and to state of graphical documents too. Currently used analytical techniques for investigation of inks and writing means pastes (TLC, HPTLC, GC-MS, and HPLC) [2-4] requires pre-treatment of a sample – separation of analysed material from carrier (mostly paper). This approach brings several disadvantages – risk of changes of chemical structure during separation of dyes, poor solubility of some components of writing materials in extraction reagent, irreversible damage of integrity of the studied material. Due to the character of studied objects, the methods, which allow the greatest extend of nondestructive and micro-destructive investigation have special importance, among which molecular spectroscopy methods and other optical methods (colorimetric to objective dye description, photography and micro-photography in different spectral areas, imaging photometry and image analysis) are preferably used [5-9]. Various applications of spectroscopic methods in analysis of inks [5, 8, 10], dating of inks of ball tip pens [11, 12], analysis of paper [11, 12], tonners for copiers and laser printers [13, 14], as well as forensic analysis of other materials [15] were described in the literature. The aim of this work was study of spectral properties of laser and inkjet prints and assessment of possibilities of non-destructive methods of molecular spectroscopy to identify laser toners and inkjet inks. Experimental methods Samples of prints were preparing as follows: A model target which consists of solid surfaces, lines corresponding to the thickness of the font size 8, 10 and 12 points and characters of size 8, 10 and 12 points was designed. Subsequently a set of prints from various types of inkjet and laser printers, using the same type of office paper for all types of printers, with standard print quality settings were prepared. For inkjet prints only the printing in black was selected. For laser printer’s samples with black printing settings were printed and for color laser printers the samples with CMYK printing settings were printed, too… Number of samples analysed: 15 prints of different inks for inkjet prints and 20 prints of different toners for laser prints. Methodology of work and examination methods UV-VIS-NIR spectroscopy The reflectance spectra of inkjet prints in UV-VIS-NIR region area were measured on fibre optic reflectance spectroscopic system Ocean Optics, which consisting of HR 4000 spectrometer, UVVIS-NIR light source DH-2000-BAL and of standard adapter for measurement of reflection spectra with geometry 45/45. For each measurement, the detector was calibrated on the blank paper near to the inked area. In this way, influences of the paper were largely excluded. A measured reflectance spectra R(l) were converted to optical density spectra D(l) (1). D(λ) = log 1/R(λ) (1) Directly obtained spectra contain a lot of points and are noisy and almost unusable without processing. The original spectra were interpolated in the wavelength range 220-1050 nm with the step 2 nm. Then the spectra were smoothed, without significant influence on the shape using Savitzky-Golay type of filter with filtration parameters 15 points and second polynomial order. Finally, the spectra of optical densities were normalized to interval 0-1. This type of shape enhancement is more suitable for analysis. Thus obtained spectra are appropriate for further analysis. FTIR-ATR spectroscopy The reflectance spectra of laser prints in the Infrared region (IR) were measured on Excalibur FTS 3000MX (Digilab, USA) spectrometer with ATR adapter with diamond crystal. The obtained spectra of laser prints were processed and normalized in the same way as in the case of UV-VISNIR spectra of inkjet print above. The reflectance spectra of inkjet prints in IR region are practically useless, because absorption signals of inks penetrated deeply into the paper are overlapped by strong absorption signal of cellulose. Results and discussion Laser prints Spectra are included into individual groups according to the different absorption in the wavelength range 1500-600 cm. FTIR spectra of individual laser prints are generally different. Simple visual distinction is not unambiguous and for assignment of spectra to individual prints will the numerical, chemometric have to be used. FTIR spectra of 2 groups of laser prints IR spectra of diverse laser toners are different in various extents. The differences between the spectra of laser prints of different producers are more significant. Comparison of FTIR spectra of laser prints of different producers Inkjet prints Comparison of normalised optical densities spectra (Figure 6) from 4 different types of prints shows, that the shapes of spectra of inks of Epson printers significantly differ from the shapes of spectra of Canon inks. The differences are most noticeable in the spectral range 600-1050 nm. Based on these differences of shapes the possibility of resolution of individual marks of inks can be presumed. Spectra from 4 different types of prints The spectra of two black inks of Epson used in different types of inkjet printers are on the There is significant bathochromic shift into the near infrared region in the spectrum of ink from the printer Epson PM-D800, so spectra of these two inks can be resolved. Spectra of black inks of different Epson inkjet printers and Spectra of black inks of different Canon inkjet printers. The spectra of two black inks Canon used in different types of Canon inkjet printers are on the. The shapes of the spectra differ mainly in the spectral range 550-1050 nm. So, the resolution of these spectra and hence inks is possible. 9. Investigating Trademark and Copyright Infringement Trademark Investigations Brand owners invest a lot of time and resources in trademarks, and they deserve to have competent assistance to make sure that they aren’t wasting any capital. With the trademark investigation services of Kessler International at your disposal, you’ll be able to determine if someone else already holds the trademark you’re interested in or if it’s been abandoned. Our trademark in-use investigation protocols are also designed to inform you if anyone is profiting from valuable intellectual property without the permission of the owners. Forewarned Is Forearmed Before seriously committing to deploying any trademark, prominent organizations or their attorneys enlist us so that they can discover if the coast is legally clear. It’s far better to allow us to provide you with thorough, reliable info beforehand rather than finding yourself caught up in litigation later on. We’ll let you know: If anyone is currently using a similar mark How long a given mark has been in existence How extensively a trademark has been used The geographical distribution of a trademark Secure Your Rights Whether through ignorance or malice, there are many people and organizations who might unfairly employ the fruits of other people’s labor toward their own ends. We’ll endeavour to prevent this from happening with our intellectual property investigation efforts. If we uncover a case of someone illicitly profiting from the property of you or your clients, we’ll take steps to help you resolve the issue either amicably or through the legal system. About Our Intellectual Property Investigations In order to conduct a trademark investigation, we employ sophisticated tools, like our proprietary Web.Sweep and News.Sweep programs. They enable us to do cost-effective trademark searches across the internet as part of a comprehensive trademark in use investigation. We aren’t restricted to searching only in certain geographical areas or markets; we operate around the world. We supplement these measures with photographic evidence and undercover investigations whenever necessary. After gathering all the information we need, we’ll compile a detailed report of our findings. Our professional researchers and investigators have a wealth of knowledge and experience, so they’re well suited to the task of creating documents that lay out exactly what you wish to ascertain. We pass all our reports along to members of our senior staff, who review them for accuracy before handing them over to our clients. Trusted by Large Enterprises We’ve been consulted by Fortune 500 companies, who appreciate the fact that we can safeguard their brands with a meticulous trademark in use investigation. We’ve been serving our clients, including law firms and corporate counsel, for more than two decades. If you believe that it’s time for a diligent trademark investigation, then Kessler International is here to lend you a hand. Contact us today to learn more about how we can efficiently defend intellectual property rights and prevent poor investments. 1. Case Studies Our client, a proprietor in the wines and spirits industry retained the services of Kessler International to conduct a trademark investigation with respect to an upstart liquor company producing a beverage found to be similarly named, and using a similar logo as that of our client. Kessler conducted research, contacted key individuals, and provided the necessary findings to our client. In turn, it was requested that Kessler provide a supplemental service in light of our investigation’s results. As such, Kessler monitored the growth and expansion of the particular trademarked beverage, and consistently forwarded the results to our client to proceed in a manner they saw fit. Recently, Kessler was retained to conduct a trademark investigation on behalf of a high-end law firm. In this particular case, the law firm had been contacted by a hotel group with a growing concern that a competing entity constructing hotels would feature a currently in-use trademark. Our investigators conducted Internet and social media research to acquire any and all intelligence available on the competitor. An undercover investigator was also sent to the offices of the competitor to confirm or deny their very existence. Upon providing this information to our client, it was requested that Kessler perform an on-site visit to confirm the extent of trademark infringement. Kessler then sent an investigator to visit the construction sites to obtain additional information regarding any and all infringement of our client’s mark. In one location the currently in-use trademark was found represented within a fully-operational hotel, while the second location was found to still be under construction. Our in-depth findings were forwarded to our client. Our written report was further supplemented by top quality photographs of our on-site findings. 2. Trademark & Copyright Infringement Investigation The idea for your new corporate logo is decidedly brilliant. So you pursue the next step and hire an artist, who for a hefty price will immortalize your firm forever. Right? Wrong! Everyday, many companies just like yours make the mistake of committing large amounts of time and money to a trademark only to find out that another firm across the country is using the exact same image to brand their company name. How can you be sure this doesn’t happen to you? Make sure you get trademark clearance from ADSPL. We specialize in the areas of trademark search and trademark investigation. 3. Trademark Investigation – Secure Your Brand Identity What if you don’t? What if you go ahead with the trademark generation without a trademark inuse search or intellectual property investigation, and later find it to be identical to an already existing trademark? The ramifications could be devastating, and may undermine your firm’s financial stability. Not only would you waste large amounts of capital unnecessarily. You’d also be legally liable to pay damages to the original trademark owner, leading to financial losses that could devastate your firm’s capital structure. 4. Trademark In Use Investigations Should it be determined that certain trademarked materials are currently in-use, that does not mean ADSPL’S investigation stops. ADSPL has developed a number of strategies, including undercover product acquisition to verify usage or non-usage of a particular trademarked item. In addition, ADSPL’S established the Trademark Acquisition Division to function as a liaison should you so decide to purchase an existing trademark. A simple phone call to ADSPL and a meeting with a member of our expert trademark investigation research team in our Trademark Acquisition Division will lay the foundation for a complete international market survey of your proposed logo or trademark. We’ll let you know if your trademark is in use, and give you the name and contact information of the trademark owner. We’ve found that just because a trademark is owned doesn’t necessarily mean it’s being used. We’ll help you ascertain the usage or non-usage, and act as a liaison in if you decide to purchase an existing trademark. 5. Our Trademark Investigations are Worldwide In performing trademark investigations, ADSPL is able to determine the first date of a trademark’s use; obtain documents from governmental agencies regarding any and all filings of the trademarked material; in addition to providing information regarding the supply and distribution of a given trademarked product. As ADSPL has operations worldwide, the trademark investigations we conduct are not limited to a specific geographical region. As our fee structure is considered quite competitive, the charges associated with trademark investigations usually remain the same regardless of our client’s location. 6. Protect Your Business from Trademark Infringement According to recent statistics, the epidemic of trademark infringements is growing at an exponential rate. Through advancements in technology and the explosive growth of the Internet, access to your prized intellectual property is exposed, more than ever before, to unscrupulous individuals looking to cash in on your good name and reputation. These infringements, if not detected early, lead to dilution and fair market use of your properties without compensation. Intellectual property and trademark infringement suits can be difficult, exhausting your time and resources. 7. Technology of Trademark Investigations In an effort combat trademark infringement, ADSPL’S researchers and investigators have an array of tools at their disposal to make sure that any property that you decide to trademark is safe from infringement. At ADSPL, we’re also able to conduct full national and international market surveys of your existing trademarks. Our research has no bounds. All markets and industries can be investigated for illegal use of your intellectual property. ADSPL has been consulted by many number of prominent industry leaders to not only confirm if a trademark is available, but that inuse trademarks are being appropriately represented. Each and every of ADSPL trademark investigations are compiled into a report written by a competent team of researchers and investigators with editorial experience. Each report is reviewed by these individuals, and then subsequently reviewed for accuracy by members of the Senior Staff to ensure that our client’s receive only the most accurate results. Let the professional investigators and researchers at ADSPL handle your trademark investigations. We will protect you from infringements, and make sure you’re not found guilty of the same yourself, with efficient and cost effective solutions. When you want total protection for your prized intellectual property, call ADSPL today. 10. Investigating Child Pornography Cases At the Neal Davis Law Firm, we handle a number of child pornography cases, and we’re often asked why it takes so long for the Government to conduct a computer forensic investigation either before or after a suspect’s arrest. We’ve seen a general pattern of investigation in these cases. It begins with law enforcement suspecting someone of possessing child pornography, usually because law enforcement has seen the suspect online upload to or download from a known child porn site. Law enforcement obtains a search warrant, goes to the suspect’s home, and seizes any items—e.g., hard drives, cell phones, or computers—that could store digital media, including child porn. Law enforcement typically tries to interview the suspect and then decides whether to make an arrest. If the suspect is not arrested at that time, and child porn is discovered after forensic evaluation of their digital media, then the suspect will be arrested later, usually within 6 to 12 months. Regardless of whether the suspect is arrested immediately or later, law enforcement submits the items suspected to contain pornography to a computer forensics unit to be analyzed. Because of the backlog of evidence waiting to be analyzed—child porn cases are much more prevalent than the public believes—this process can take several months. We’re currently seeing at least a six-month wait, sometimes up to a year, for forensic analysis to occur. HOW THE GOVERNMENT INVESTIGATES COMPUTER CRIMES Child pornography images and videos have a unique “hash” number assigned to them. This is a computer code that is unique to each image and video, sort of like the “Bates stamp” used to number documents submitted as evidence. The hash codes for images and videos are typically compared to a Government database of known child pornography victims. If the hash numbers match, then the Government can tie a specific pornographic image or video with a known victim. For example, suppose a particular image has a hash number of I23423594985043. The Government runs this number through a database, matches it with a 12-year-old victim named “Alexa” who was photographed in the Ukraine in the mid-1990s, and whom Ukrainian police have already confirmed was a minor at the time. If the hash numbers do not match but it appears there is a child involved, then the Government will turn to the question of whether the suspect actually made the pornography. The Government will look for anything in the image or video— location, prescription bottles, or anything else—that would confirm whether the suspect made the child pornography. IMPORTANCE OF HIRING A COMPUTER CRIME LEGAL DEFENDER It is imperative that a person suspected or charged with child pornography hire the right attorney. All kinds of defensive issues can arise in computer searches, from whether the initial search warrant was legal and based on probable cause, to whether the computer forensics are valid. Contact expert computer crime defense attorneys at the Neal Davis Law Firm. Our Houston criminal defense law firm specializes in charges involving computer crimes, including child pornography and sex offenses. We can get you real help, right away What’s Involved in the Investigation Stage of a Child Pornography Case? If you are innocent, being wrongly accused of possessing, making or distributing indecent images of children can be an extremely traumatic scenario. Whilst child pornography as a sexual offence breaks down into the above three charges, it’s vital that you understand what’s involved during an investigation of this challenging nature. Our unique advice and assistance will allow you to determine the best course of action to take. This insight may lead to an understanding of the impact that these allegations can have on your own life, as well as the people around you. Our experts classify the latter as “collateral damage.” How Long Do Child Pornography Investigation Cases Last? The fight against any allegation should begin as soon as you believe you have been accused of breaking the law by committing a sexual offence. With the possibility of imprisonment, impact on reputation, Sexual Offences Prevention Order and having your name added to the Sexual Offender Register, cases can be both complex and ongoing. In some instances, it may take 18 months for a case to reach a conclusion. This might be a decision to prosecute or no further action (NFA). However, each case will vary depending on a number of factors, including the severity of the allegations made and legal defences. In Your Defence are specialist lawyers, daily advising suspects as to the best option in all the prevailing circumstances. The UK Home Secretary and Conservative politician, Theresa May, has outlined plans to amend existing procedures, so that sexual offence cases are resolved within a shorter timeframe. A sixmonth limit has been suggested by politicians, government agencies and our own lawyers. At present however, the timespan of all individual cases varies across the 43 police forces of England and Wales. Cases are supposed to be resolved with ‘due expedition.’ The latest position adopted by the Home Secretary is that there should be a maximum of six months on bail, but it is unclear as to whether this will include the modern approach of being ‘under investigation’ after an initial ‘voluntary’ interview under caution. Child Pornography - The Investigation Process During the investigation stage, the police should require evidence to back up any claims that you are involved with the possession, making or distribution of indecent images of children. To obtain this, they can apply to a magistrate for a warrant to search premises. This is nearly always granted and you may be awoken with a dawn raid on your home or business address. Whilst executing their search, the police would have the power to seize computers, hard drives, tablets, mobile phones and other devices which they believe may contain evidence of child pornography or extreme pornography. The examination of this equipment can take a long time and the wait for an outcome during this process can be excruciating. Some days, individuals on bail or under suspicion may be depressed by the mere fact that the investigation is hanging over them like a ‘Sword of Damacles.’Please be alert to the possibility of the police making initial contact with you with the intent of arranging an ‘informal or voluntary chat’. This usually results in a formal interview under caution at a police station or custody centre if you decide to accept the request. It is crucial that a suspect contacts a specialist law company, such as in Your Defence Ltd, as soon as there is the merest hint or notification of police interest. Negative Impact and Damaging Implications Whist any allegations relating to child pornography can be extremely stressful, there are a vast number of implications associated with this type of crime. Besides the threat of imprisonment, and registration as a sex offender, a sexual offences case can result in serious collateral damage and social stigma. Alienation from family, friends and business colleagues is commonplace. Often the only support is the extremely confidential service provided by In Your Defence Ltd, Solicitors. The process of an investigation may affect your whole life, making it extremely difficult to cope, maintain and secure future employment. If mentioned in the media or the details released, there may be a reaction from the local community. Other damaging implications to you and those around you as a result of any allegations can include: • Feelings of depression or suicide • Pressure on close friends and family • Social services and schools being alerted • Restrictions on operating your own business • Child contact issues • Strain on support services and the NHS • Informal conditions being set by the authorities • Children being interviewed for clues/evidence • Authorities instructing you to move out of the family home The strain and pressure you can experience from this situation can last for a number of months or years, even once a case is concluded and you try to rebuild your life. REFERENCE 1. http://httpd.apache.org/docs/2.2/mod/mod_dumpio.html 2. http://httpd.apache.org/docs/2.2/logs.html 3. African Network Information Centre (AfriNIC) for Africa, http://www.afrinic.net/ 4. American Registry for Internet Numbers (ARIN) for the United States, Canada, several parts of the Caribbean region, and Antarctica, https://www.arin.net/ 5. Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries, http://www.apnic.net/ 6. Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region, http://www.lacnic.net/en/web/lacnic/inicio 7. Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Europe, Russia, http://http://www.ripe.net/ 8. http://www.dnsstuff.com/tools/tools): 9. www.maxmind.com 10. https://code.google.com/p/apache-scalp/ 11. https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.xml