High-tech sleuthing a geek’s dream for recently retired Victoria detective

Quote

An article from http://www.timescolonist.com/ about Bob Elder, one of the most knowledgeable mobile phone forensic examiners there is.


In Bob Elder’s expert hands, a cellphone is a gold mine of crime-fighting information.

 

Elder recently retired from his job as a detective-constable with the Victoria Police Department. His last seven years on the force were spent with the Computer Forensic Unit, honing his ability to pull data from electronic devices.

 

The 51-year-old has developed such a knack for what he does that his knowledge is sought around the world — the result of a reputation gained from a regular travel schedule to teach his techniques to other professionals. As a result, he is often asked to weigh in on cases from far afield.

 

“I just did work on a homicide in Delaware,” Elder said, explaining that the case involved a man who killed his wife but claimed to have found her dead in the house.

 

“Based on using one of these advanced techniques, we were able to determine that he had actually been Googling the event from the time he killed her to the time it was reported to police. In that hour, he was Googling it to see if it had been reported, so that put him at the scene.”

 

Elder’s work has also meant dealing with child-pornography cases, including an investigation of a Victoria juvenile that took on international proportions. The juvenile turned out to be trading child pornography with people around the world, and Elder and others were able to delve into the operation by extracting chat logs and contact lists from a hard drive.

 

That led to a string of arrests in other locations over the next three or four years and the rescue of a number of children. Elder said the success and scope of the outcome makes it stand out among his cases.

 

Elder’s police career includes eight years as a Saanich reserve officer and 13½ years with VicPD — time that also included a stint with the Strike Force, an undercover surveillance squad focused on drug cases. He said he jumped at the chance to work in computer forensics.

 

“I was always a geek from way back, so when the job came up to become part of the unit, I applied for it and got it.”

 

Elder’s role in cellphone-related investigations usually involves getting into the guts of the device, taking it apart and looking for data. He said criminals may lock their phones, but that won’t stop police.

 

“That’s where my expertise kind of comes in,” Elder said. “I deal mainly with the advanced mobile forensics at what we call the physical level, so I’m dealing with the actual memory chips on the [circuit] board as opposed to the device itself.”

 

Much of Elder’s knowledge has come from work done on his own time, and the results are considered groundbreaking, said Victoria police spokesman Bowen Osoko.

 

“I just had a passion for it,” Elder said.

 

Life beyond police work will involve transferring his skills to the private sector with Teel Technologies, an American mobile-device forensics company expanding into Canada. Elder will head up the company’s Canadian operations.

 

His new job will change his travel itinerary, which was previously confined to North America.

 

“Starting in June and July, I start teaching in the U.K., Germany, Brunei and other countries. All of these countries now are looking for that technology to be able to get into these phones.”

 

Following wider trends, police have been looking at fewer and fewer computers, and considerably more mobile devices, Elder said. Victoria police examine about 300 cellphones a year, he said.

 

“The trend is within five to seven years, they expect people won’t have computer towers in their house. It’ll all be smartphones or tablets, that kind of thing.”

 

Information gleaned from cellphones fits in well with the legal process, Elder said.

 

“Things that we can find on them would include call logs, contacts, text messaging. Some of the cellphones now can hold up to 3,000 or 4,000 text messages, so that gives us pretty good evidence toward the file,” he said.

 

“If it’s a drug dealer and he’s got a thousand text messages, arranging buys and all of that kind of stuff, it’s really conclusive evidence when we take that to court.”

 

Elder’s retirement was accompanied by a Commendation for Meritorious Service from Victoria Police Chief Jamie Graham.

 

High-tech sleuthing a geek’s dream for recently retired Victoria detective – World – Times Colonist.

Prosecution of White-collar Hacking Successful

Quote

Nearly eight years passed from the time FBI agents raided corporate recruiter David Nosal‘s office in 2005 to the start of his criminal trial in San Francisco federal court.

After deliberating for just over two days, the jury found Nosal, 55, guilty of conspiracy, stealing trade secrets and violating the Computer Fraud and Abuse Act — handing the U.S. attorney’s office a complete trial victory in a high-profile and challenging white-collar prosecution.

The verdict in the case before U.S. District Judge Edward Chen comes a year after the U.S. Court of Appeals for the Ninth Circuit sided with Nosal’s defense lawyers in a pivotal en banc decision that junked six additional computer hacking charges against the former Korn/Ferry International executive.

Prosecution of White-collar Hacking Successful | DFI News.

Spiking Bitcoins Minted by Skype Malware

Quote

Image courtesy of Kaspersky Lab.

As the value of bitcoins skyrockets, security researchers have discovered yet another piece of malware that harnesses the processing power of compromised PCs to mint the digital currency.

Scammers spreading malware on Skype are taking a nefarious approach to mine Bitcoins. Malicious code hijacks a computer’s resources, according to Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don’t have to pay the purchase price of the hardware or pay for the electricity to run them.

Spiking Bitcoins Minted by Skype Malware | DFI News.

Apple’s iMessage Encryption Trips Up Surveillance

Quote

Encryption used in Apple’s iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects’ conversations, an internal government document reveals.

An internal Drug Enforcement Administration document discusses a February 2013 criminal investigation and warns that because of the use of encryption, “it is impossible to intercept iMessages between two Apple devices” even with a court order approved by a federal judge.

The DEA’s warning, marked “law enforcement sensitive,” is the most detailed example to date of the technological obstacles — FBI director Robert Mueller has called it the “Going Dark” problem — that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication.

Apple has disclosed little about how iMessage works, but a partial analysis sheds some light on the protocol. Matthew Green, a cryptographer and research professor at Johns Hopkins Univ., has written that because iMessage has “lots of moving parts,” there are plenty of places where things could go wrong. Green said that Apple “may be able to substantially undercut the security of the protocol” — by, perhaps, taking advantage of its position during the creation of the secure channel to copy a duplicate set of messages for law enforcement.

Apple’s iMessage Encryption Trips Up Surveillance | DFI News.

Fool Me Once… — Krebs on Security

Quote

When you’re lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to  ’maximum.’ But when you’ve gained access to an elite black market section of a closely guarded crime forum to which very few have access, it’s easy to let your guard down. That’s what I did earlier this year, and it caused me to chase a false story. This blog post aims to set the record straight on that front, and to offer a cautionary (and possibly entertaining) tale to other would-be cybersleuths.

On Jan. 16, 2013, I published a post titled, “New Java Exploit Fetches $5,000 Per Buyer.” The details in that story came from a sales thread posted to an exclusive subforum of Darkode.com, a secretive underground community that has long served as a bazaar for all manner of cybercriminal wares, including exploit kits, spam services, ransomware programs, and stealthy botnets. I’ve maintained a presence on this forum off and on (mostly on) for the past three years, in large part because Darkode has been a reliable place to find information about zero-days, or highly valuable threats that exploit previously unknown vulnerabilities in software — threats that are shared or used by attackers before the developer of the target software knows about the vulnerability.

I had previously broken several other stories about zero-day exploits for sale on Darkode that later showed up “in-the-wild” and confirmed by the affected vendors, and this sales thread was posted by one of the forum’s most trusted members. The sales thread also was created during a time in which Java’s maker Oracle Corp. was struggling with multiple zero-days in Java.

What I didn’t know at the time was that this particular sales thread was little more than a carefully laid trap by the Darkode administrators to discover which accounts I was using to lurk on their forum. Ironically, I recently learned of this snare after white/grey hat hackers compromised virtually all of the administrator accounts and private messages on Darkode.

“Looks like Krebs swallowed the bait, and i got an idea how to catch him now for the next thread,” wrote Darkode administrator “Mafi” in a Jan. 16 private message to a co-admin who uses the nickname “sp3cial1st”.

Following this post, the administrators compared notes as to which users had viewed the fake Java zero-day sales thread during the brief, two-day period it was live on a restricted portion of Darkode. “I have taken a careful examination of the logs related to the java 0day thread,” sp3cial1st wrote to a Darkode administrator who used the nick “187”.

A side note is probably in order here. This 187 user was apparently quite paranoid; he changed nicknames on the forum like so many pairs of underwear. In this screenshot of a private message between 187 and sp3cial1st, we can see 187 asking to have his forum name changed from his previous nick — “teardrop” — to 187. This is interesting because “teardrop” was the nickname used by the Darkode member who bragged to other admins about having his friend launch a distributed denial-of-service attack on my site on July 10, 2012, after I wrote about a zero-day exploit in Plesk that I’d discovered for sale on Darkode. By the way, 187 appears to be a Canadian citizen who likes to use the alias “Ryan Russels”; by his own admission, 187 is a 36-year-old male currently living with his wife in Dubai and wanted in Canada for unspecified criminal charges.


Darkode admin “Mafi” explains his watermarking system.

At any rate, leaked private forum messages indicate that the administration of Darkode came up with the fake Java 0day idea after determining that their clever watermarking scheme had been exposed. Forum admin Mafi devised a system for secretly tagging each Web page on the forum with unique markers that could help identify and then ban forum accounts that were being used by security researchers to take screen grabs.

Mafi’s watermarking system can extract the user ID used to take any screen grab as long as that image includes the information under the “Author” sidebar on the left edge of the forum page: As explained in the screen shot to the left, the watermarking system computes two qualities present in that area: the “rep” or reputation field, and the user’s number of posts.

I debated whether to run this post detailing how I got fooled by Darkode’s disinformation campaign/mole hunt, in part because I worried that explaining it all could entail “outing” some of my sources and methods. But I believe that one only grows by admitting one’s mistakes, and so to Oracle and to any readers I may have upset or misled by my previous story on this apparently bogus zero-day, I heartily apologize.

Incidentally, these screen shots are hardly the full story. Earlier this week, a security blogger that I’ve long included on my blogroll — Xylitol — leaked a huge archive of screen shots he’s taken from his own lurkings on Darkode. Those, combined with the dozen or so administrator account screen grabs in this post, offer hours of fun for any researcher interested in profiling the most active members of this forum.

For example, looking at the personal signature used by one of the Darkode admins — a user with the screen name “Parabola” — we can see that this user owns several shady businesses, including a service that helps users move money between virtual currencies such as WebMoney and Liberty Reserve. Looking closer at that service, one can discover that the same server also hosts spamming and keylogging services. According to his introductory post to Darkode when he joined in 2009, Parabola work(ed/s) in IT at a software company based in Texas.

Closer inspection of the screen grab of Parabola’s intro shows that he was invited to Darkode by a user named Iserdo, the former owner of the forum. This latter identity belonged to a hacker arrested in 2010 under suspicion of creating, selling and maintaining the “Mariposa” or “Butterfly” botnet, a crime machine that infected millions of PCs. Other active Darkode members that have been busted by authorities for botnet activity include BX1, a 24-year-old Algerian national who was recently arrested in Bangkok for allegedly earning millions of dollars by operating botnets powered by the ZeuS Trojan. Interestingly, BX1 himself warned other Darkode members in November 2012 that the FBI was investigating him. A portion of the Darkode community’s reaction to his arrest can be read here and here.

Fool Me Once… — Krebs on Security.


6 Persistent Challenges with Smartphone Forensics

Quote

Smartphones, the most popular mobile communications devices today, are also some of the most difficult to extract evidentiary data from. While many commercial forensic tools have made great strides in supporting data extraction, decoding, and analysis from iOS, Android, and BlackBerry devices, some challenges remain. What are they, and how are vendors responding?

1. A smartphone is never just a smartphone.
Vendors and operating systems can vary widely, particularly with Android, but also even within iOS and BlackBerry user groups. More than 40 iOS versions are commercially available, and are spread among six different iPhones, five iPads, and five iPod Touch devices.

As of 2012, the Google-owned Android is the rising star in the mobile industry. In the third quarter it was reported to have nearly 75% market share compared to less than 20% for iOS and less than 10% for BlackBerry. Based on a Linux kernel and able to run Java apps, each Android device family has a different operating system and architecture, and thus requires a dedicated solution. Complicating matters, some manufacturers—among them Alcatel, Huawei, and Motorola—have begun to use nonstandard Chinese chipsets, particularly MTK, in their Android devices.

Unlike iPhone users, it’s unusual for Android users to upgrade their operating systems. (Currently, the “old” Gingerbread, Android v2.3, remains the most popular OS; it’s installed on nearly half of all Android devices compared to Android 4.1, “Jelly Bean,” which runs on only about 10% of devices. Android 4.0, “Ice Cream Sandwich,” is installed on just under 30% of Android devices.) It’s also not possible to upgrade from just any version.

2. Data protection: passwords and encryption
Not only does data storage vary from device to device and OS to OS, but devices may also be passcode-protected and/or encrypted.

Obviously, it is easy to extract data from a smartphone with no passcode. iPhone passcodes fall into two categories: simple and complex. A mobile data extraction tool should be able to reveal a simple passcode automatically for all devices through iPhone 4; owing to improved Apple security measures, passcode extraction and bypass are not yet supported for iPhone 4s or iPhone 5. Following the passcode extraction process, it will be possible to extract and decrypt all data including protected files.

A complex iPhone passcode, however, takes more effort. The investigator needs to know, and manually insert, this type of passcode in order to extract and decrypt all data. This may take interviewing the subject or the subject’s close contacts. If the investigator cannot figure out what the passcode is, no mobile forensic tool exists that can bypass it. Some data can be extracted and decrypted, but not protected files.

Keychains are another important element of iOS password protections. The keychain, the vault that stores passwords for any variety of services (social media accounts, WiFi connections, and so forth), is encrypted and protected. It should be possible for a mobile forensics tool to decrypt the keychain and thus provide the examiner with access to additional data, which may not be otherwise possible.

Like iPhones, Android devices can also be user-locked. Unlike iPhones, they often use a pattern lock which is typically not complex. Rooting the device, even temporarily, cannot be done with a locked device unless debug mode is enabled. This operation takes considerable expertise on the examiner’s part.

Bypassing the pattern lock altogether is optimal. A file system or physical extraction, once decoded, will provide the correct pattern or PIN code used to lock the device. Alternatively, if decoding is unsupported within the extraction tool, it should be possible to carve the PIN lock.

Following a physical extraction, a file system extraction using the pattern lock and ADB mode should be possible. However, not all physical extractions from every Android are also supported for decoding. That’s because chipsets and hardware can vary from device to device, which affects whether a forensic tool can reconstruct the file system.

In some cases, when the passcode or pattern lock cannot be bypassed, it may be possible to reveal the lock code, then turn on ADB debugging and perform a file system extraction. This effectively eliminates the need to reconstruct the file system from a physical extraction.

Encrypted content is a different matter. The BlackBerry, for example, requires codes to lock the device and then encrypt the content. The device lock is associated with encryption: the user can’t encrypt the content without first locking the device.

Although it may therefore be possible to extract some unencrypted data from before the device was locked, it is usually not possible to decrypt BlackBerry content without access to the password. Often, the examiner must get the user to provide the password and encryption key.

When the device belongs to an organization—the user’s employer—it may be possible to ask IT staff to reset the encryption key through the BlackBerry Enterprise Server (BES). The content will still be encrypted, but the device will be using a generic key. On devices running OS 4, 5, and 6, it may then be possible to decrypt the content on the fly, analyzing and then showing the data in readable format.

3. Prepaid “burner” phones
Prepaid phones have been a problem for some time, and continue to be a problem for law enforcement in particular. That’s because the disabled data port on these devices cannot be enabled, and vendors don’t make the devices’ APIs—the normal mode by which logical and file system extractions are completed—available to commercial forensic extraction tools’ developers.

File system extractions have the dual benefit of making more data—including some deleted data—available quickly. However, because it extracts only data from allocated space on a device’s memory, it still remains limited in some ways. It also requires a higher degree of expertise on the examiner’s part because it requires decoding.

Physical extraction, the bit-for-bit copy of the device’s internal flash memory, provides the fullest amount of accurate data because it obtains information from both allocated and unallocated space. However, it can be time consuming even with a good forensic tool; it requires decoding, and therefore demands the examiner to have explicit training or expertise.

4. There’s no app for that
Apps, not just available for iPhone or Android but also through device vendors like Samsung, Nokia, and LG—as well as from mobile carriers like T-Mobile and retailers like Amazon—are another challenge.

Apps are diverse, ranging from travel tools like navigation, traffic information, and weather; to social networking and location sharing; to banking and finance; to communications tools such as chat, instant messaging, and voice over IP; to entertainment tools like video, television and radio broadcasting, and gaming. Hundreds of thousands of apps exist; billions of downloads have occurred.

Forensic tools’ support for mobile apps has only just begun in the past year or so, and covers only the most popular apps. iOS apps are sandboxed, so all of a single app’s data will be in its particular folder. With Android, however, this is not the case. At least some app data will be available with a logical or file system extraction.

However, obtaining app data through physical extraction means decoding. To decode app data, the mobile forensic tool must be able to perform a file system reconstruction. This is a challenging process owing to the way Flash file systems are implemented: designed to avoid delete cycles, they keep deleted information in the device’s memory. However, once the Flash file system has been reconstructed, it’s possible to start decoding the content, including locations, Bluetooth devices, device information, cookies, installed apps, Web history, and so on.

Because the SQLite databases that compose iOS and Android file systems can provide access to available and deleted databases, including deleted entries from a database, the ability to view tables and content—and search the data—can be of great evidentiary value.
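As an added example (not from the article, and not Cellebrite's code), the following Python script shows why the logical-versus-physical distinction of sections 3 and 4 matters for SQLite: it builds a constructed messages table, deletes two rows, then compares what a query returns with what still sits in the raw file's freeblocks and unallocated page space, which is what a physical extraction copies. The table, rows and the secure_delete setting are assumptions standing in for a real app database.

```python
"""Recover deleted rows from an app's SQLite database (added example).

Deleted cells survive inside a page's freeblocks and its unallocated gap until
SQLite reuses the space or VACUUM/secure_delete scrubs it, so a logical query
misses them while the raw bytes still carry them.
"""
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample rows (assumption); insertion order decides where freed cells land.
ROWS = [("alice", "meet at the dock at nine"),
        ("carol", "drop the package at unit seven on tuesday"),
        ("bob", "bring the paperwork"),
        ("dave", "burner handset number is 555-0100 (constructed)")]
DELETED_SENDERS = ("carol", "dave")


def build_sample_db(path):
    conn = sqlite3.connect(path)
    # Most app builds leave secure_delete off, so freed cells keep their bytes.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", ROWS)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE sender IN (?, ?)", DELETED_SENDERS)
    conn.commit()
    conn.close()


def logical_rows(path):
    """What a query against the live database reports: deleted rows are gone."""
    conn = sqlite3.connect(path)
    bodies = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return bodies


def _dead_regions(page, hdr):
    """Yield (label, bytes) for the unallocated gap and each freeblock of a b-tree page."""
    flag = page[hdr]
    if flag not in (0x02, 0x05, 0x0A, 0x0D):  # interior/leaf index or table page only
        return
    hdr_len = 12 if flag in (0x02, 0x05) else 8
    first_free, ncell, content = struct.unpack_from(">HHH", page, hdr + 1)
    content = content or 65536
    ptr_end = hdr + hdr_len + 2 * ncell  # end of the cell pointer array
    if content > ptr_end:
        yield "unallocated", page[ptr_end:content]
    off, hops = first_free, 0
    while off and off + 4 <= len(page) and hops < 4096:
        nxt, size = struct.unpack_from(">HH", page, off)  # 4-byte freeblock header
        if size < 4:
            break
        yield "freeblock@%d" % off, page[off + 4:off + size]
        off, hops = nxt, hops + 1


def carve_deleted(path, min_len=6):
    """Scan every page's dead space for printable runs; returns (page, region, text)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0] or 65536
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size:pno * page_size]
        for label, blob in _dead_regions(page, 100 if pno == 1 else 0):
            for m in pattern.finditer(blob):
                hits.append((pno, label, m.group().decode("ascii")))
    return hits


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path)
        return {"live": logical_rows(path), "carved": carve_deleted(path)}


if __name__ == "__main__":
    result = demo()
    print("logical view :", result["live"])
    for pno, region, text in result["carved"]:
        print("page %d %-14s %r" % (pno, region, text))
```

Adjacent TEXT columns run together in a carved record because the serial-type header that separates them is partly overwritten by the freeblock header; a full decoder would parse the surviving record header rather than rely on printable runs.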

5. Accurate data, forensic soundness
Boot loaders are currently considered the most forensically sound physical extraction method. While they do involve loading a piece of code onto the device, this happens before the forensic tool accesses any evidentiary data.

That’s because they replace the device’s normal boot loader: the first set of operations that kicks off the phone’s startup process and hands off to the main controlling program, such as the operating system, which supports the major device operations. In addition, the operation they enable—the extraction—is read-only.

Boot loaders have the additional advantages of being generic and therefore applicable to entire device families—not specific devices. And they enable access to unallocated areas for a fully accurate extraction.

In some Android devices, however, boot loader use is not supported, and it may become necessary to temporarily root the device to perform physical extraction. A temporary root does not permanently change administrative permissions or other data on the device. Rather, it provides access to the operating system so that the examiner can enable ADB debugging and from there, image the device’s Flash memory for a full physical extraction. Following this process, upon reboot, the device is no longer rooted.

Temporary rooting is not as forensically sound as a boot loader because it does load the device’s operating system, which may be logged within the device. Examiners using this method should plan to thoroughly document each step they take throughout the process, and their results, in order to maintain a record of their actions to which they can comfortably testify at trial.

6. Some smartphone extractions remain unsupported.
What happens when a smartphone is locked and unsupported by forensic tools? Flasher box, JTAG, or chip-off extraction methods become necessary. All three enable physical extraction—a logical examination cannot be performed on an unsupported locked device. However, even this capability can be limited. For example, although it’s possible to use the chip-off process on an iPhone locked with a complex passcode, the data will be encrypted and thus not much use.

Both JTAG and flasher box methods are device-specific, and JTAG processes are only minimally documented, so they require an examiner to be well trained. Flasher boxes also require training, as they can be destructive and were made to write data; thus, in the hands of an untrained examiner, they may not be forensically sound. Chip-off extraction, meanwhile, is always destructive, as it physically removes residual data from the memory chip.

This is often the case with BlackBerry devices that are locked with unknown passwords. Until recently, BlackBerry chip-off data format was proprietary, and no commercial tools could decode it. Ongoing research and development in this area has enabled some vendors to provide decoding support for chip-off extractions.

Indeed, smartphone forensics is the result of years of research by many dozens of professionals, both commercial and freelance. That research can range from reverse engineering the device’s hardware, firmware, and communication protocols; to exploiting vulnerabilities within the device’s firmware, operating system, or encryption algorithms (often the result of programming oversights).

As smartphones evolve, so will their persistent forensic challenges. Analysis skills like data carving, programming that can add functionality to commercial tools, and labor-intensive techniques such as JTAG, chip-off, and flasher box procedures will continue to be necessary—as will the tools that can support these efforts.

As Cellebrite USA’s Engineering Product Manager, Ronen Engler ensures that Cellebrite’s forensics-focused R&D teams issue new features and releases to meet customer needs. Having worked in Fortune 1000 companies as well as startups, Ronen has nearly 20 years of practical electrical engineering experience and an M.S.E.E degree from NYU-Poly.

Christa M. Miller is the Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology, Police & Security News, NW3C’s The Informant, and others. Christa is based in South Carolina.

6 Persistent Challenges with Smartphone Forensics | DFI News.
