tag:blogger.com,1999:blog-87959514674357374982024-03-15T09:16:16.911+00:00CSITech - Computer ForensicsNews and opinion about Computer Forensics and CSITech. Authored by Nick FurneauxNick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.comBlogger46125tag:blogger.com,1999:blog-8795951467435737498.post-51434657250820210312013-08-29T12:42:00.000+01:002013-08-29T12:42:01.999+01:00
Extracting recent contacts from OSX Mail<br />
(The original blog post can be found here - <a href="http://www.csitech.co.uk/extracting-recent-contacts-from-osx-mail/">http://www.csitech.co.uk/extracting-recent-contacts-from-osx-mail/</a>) <br />
<br />
Having spent the best part of the last decade working on Live
Forensic techniques I've begun to turn my attention to OSX. I'm an
unashamed MacHead but have not spent much time thinking about ways to
extract data from a live machine.<br />
<br />
Knowing
who a suspect speaks to or emails can be very useful in an
investigation, and so I've started looking at the email system in OSX.
The inbuilt email app, Mail, is very widely used and connects to the OSX
Address Book for the management of contact data. However, tucked away
in a SQLite table is a large list of 'Recent Contacts', which contains
the name and email address of recently contacted people who may or may
not be in your standard contacts.<br />
<br />
You can see this list by opening
OSX Mail and browsing to Window - Previous Recipients. This opens a
box with all the recent contacts, but apart from being able to add the
contact to your main contacts, there is no way to export them.<br />
<br />
I've written a small shell script to extract the name and email from the SQLite table and pop them in a CSV file for you.<br />
<br />
The code is very simple, just 2 lines:-<br />
<br />
<pre>echo 'First Name,Surname,Email Address' > ~/Desktop/recentcontacts.csv</pre>
This simply writes the column headings to a CSV file on your Desktop.<br />
<br />
<pre>sqlite3 -csv ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr 'select ZFIRSTNAME, ZLASTNAME, ZEMAIL from ZABCDMAILRECENT;' >> ~/Desktop/recentcontacts.csv</pre>
<br />
This
opens the MailRecents SQL file and pulls out the first name, last name
and email address, writing them to the CSV file on your Desktop.<br />
<br />
Easy!<br />
<br />
For ease just drop the file somewhere, 'cd' to it and run - ./recentexport.sh<br />
<br />
If it doesn't run you might have a permissions issue so just type - chmod +x recentexport.sh<br />
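As an added example (not the post's script), the same export done from Python, opening the Mail database strictly read-only so that nothing is written beside the evidence file; the table is recreated in a temporary file here so it runs on any OS, and the path, table and column names are the ones the post's script uses.

```python
import csv
import io
import os
import sqlite3
import tempfile
from pathlib import Path

# Path used by the post's script (assumed to exist only on a Mac running Mail).
MAIL_RECENTS = os.path.expanduser(
    "~/Library/Application Support/AddressBook/MailRecents-v4.abcdmr")
QUERY = "SELECT ZFIRSTNAME, ZLASTNAME, ZEMAIL FROM ZABCDMAILRECENT"

def export_recent_contacts(db_path, out):
    """Write the post's header line plus one CSV row per recent contact to the
    text stream `out`; return the number of contacts written."""
    # mode=ro refuses writes and immutable=1 stops SQLite creating a -journal
    # or -wal side file beside the evidence, which matters on a live machine.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        writer = csv.writer(out)
        writer.writerow(["First Name", "Surname", "Email Address"])
        count = 0
        for first, last, email in con.execute(QUERY):
            writer.writerow([first or "", last or "", email or ""])  # NULL -> empty cell
            count += 1
        return count
    finally:
        con.close()

def export_to_string(db_path):
    buf = io.StringIO()
    export_recent_contacts(db_path, buf)
    return buf.getvalue()

def build_sample_db():
    """Constructed stand-in for MailRecents-v4.abcdmr with just the three columns
    the query reads (the real table carries further Core Data columns)."""
    path = os.path.join(tempfile.mkdtemp(), "MailRecents-v4.abcdmr")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ZABCDMAILRECENT (ZFIRSTNAME TEXT, ZLASTNAME TEXT, ZEMAIL TEXT)")
    con.executemany("INSERT INTO ZABCDMAILRECENT VALUES (?, ?, ?)", [
        ("Alice", "Example", "alice@example.com"),
        (None, None, "noreply@example.org"),            # recipient with no name at all
        ("Bob", 'O"Brien, Jr', "bob@example.net"),      # quote and comma must be escaped
    ])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    source = MAIL_RECENTS if os.path.exists(MAIL_RECENTS) else build_sample_db()
    print(export_to_string(source), end="")
```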
<br />
<a data-mce-href="http://www.csitech.co.uk/wp-content/uploads/2013/08/recentexport.sh_.zip" href="http://www.csitech.co.uk/wp-content/uploads/2013/08/recentexport.sh_.zip">You can download the tool here</a>.<br />
<br />
Hope it's useful to you.<br />
Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com3tag:blogger.com,1999:blog-8795951467435737498.post-71568401960776559492013-06-06T10:34:00.002+01:002013-06-06T10:34:46.419+01:00
iPhone Video Metadata - Tool released<br />
Following the research I posted about the available metadata in iPhone video files, my good friend Robin Wood from www.digininja.com has written a tool to extract the data for you.<br />
<br />
You can find the research <a href="http://www.csitech.co.uk/iphone-video-metadata/" target="_blank">here</a> and the tool <a href="http://www.csitech.co.uk/ivmeta-iphone-metadata/">here.</a><br />
<br />
Nick<br />
Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com7tag:blogger.com,1999:blog-8795951467435737498.post-52552135160155686732013-05-29T16:33:00.001+01:002013-05-30T14:10:42.552+01:00
iPhone Video Metadata
<br />
<div class="MsoNormal">
<span lang="EN-US">(This is also available on the CSITech website at <a href="http://www.csitech.co.uk/iphone-video-metadata/" target="_blank">http://www.csitech.co.uk/iphone-video-metadata/</a>)</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGr8R3Ekw1Pckg0ZmuH6imyv0ioc-JzPH4bLZm5rCpSxxb6OhOJlJoC_WZ7oftdajSTaUqtLpqNGm0YuXJ3HZiRxDBpfoxnMFDWzkgp7xPlDmUrttgLsyJROBwy9yTMEvJ-b0SoTsj4PA/s1600/Screen+Shot+2013-05-29+at+12.24.06.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGr8R3Ekw1Pckg0ZmuH6imyv0ioc-JzPH4bLZm5rCpSxxb6OhOJlJoC_WZ7oftdajSTaUqtLpqNGm0YuXJ3HZiRxDBpfoxnMFDWzkgp7xPlDmUrttgLsyJROBwy9yTMEvJ-b0SoTsj4PA/s200/Screen+Shot+2013-05-29+at+12.24.06.png" width="200" /></a></div>
<div class="MsoNormal">
<span lang="EN-US">First question: if you start a
sentence with the word iPhone should you capitalise the ‘I’? Answers on a
postcard please.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">The second question came from a law firm that I often
assist with digital forensics cases:
when an iPhone is used to take a video which is then distributed, does the file
contain any device ID information that can be used to trace it back to the
original phone?</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">The answer, somewhat surprisingly knowing Apple,
appears to be no: I cannot find any reference to the serial number, IMEI or
ICCID within the file, although it is possible that the data is there
but obfuscated in some way.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Whether it is there or not, looking at iPhone movie data
is very interesting. We are all used to
the vast amount of metadata embedded within a photo, but movies are a bit more
of a dark area with not much written about them.
The movies are based around the QuickTime file type, which is well
documented by Apple; the specification can be found here - </span><a href="http://developer.apple.com/library/mac/documentation/quicktime/qtff/qtff.pdf"><span lang="EN-US">http://developer.apple.com/library/mac/documentation/quicktime/qtff/qtff.pdf</span></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">The file type is awash with metadata, some of which is
used by default by the iPhone and much of which is not. Although there does not appear to be anything
to specifically identify the iPhone which shot the video, there are some useful bits
of data which could help. I have focused
on a video shot by an iPhone 5 and then emailed out of the device.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 12.0pt; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US">The QuickTime structure is
based around atoms and keys. Atoms are
small 4-character tags such as ‘prfl’ for profile, ‘tkhd’ for the track header
and many, many more. There are also keys,
which are of specific interest to us as they contain the primary metadata that
we may want. The keys are in the ‘mdta’
atom and take the form of ‘</span><span lang="EN-US" style="font-family: Helvetica; font-size: 11.0pt; mso-bidi-font-family: Helvetica;">com.apple.quicktime.author’,
for example.</span></div>
<div class="MsoNormal">
<span lang="EN-US">At offset 0x04 you come across the ‘ftyp’ atom,
which identifies the type of video to follow.
The iPhone uses QuickTime and so the tag which follows is ‘qt’.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUU4MWPFr97QxOWWX5T8gU72loTFYPBJraT7UWfYWupSEtDJ2OvJuKXyPDa0c1OlMGKveDjEuPOv1_5yYopT1BLw0ZopkRNEufGXgSZnl0axxnfMliEFkF1ecsfkIZOuRkRVInzoaf-8I/s1600/Screen+Shot+2013-05-29+at+11.33.11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUU4MWPFr97QxOWWX5T8gU72loTFYPBJraT7UWfYWupSEtDJ2OvJuKXyPDa0c1OlMGKveDjEuPOv1_5yYopT1BLw0ZopkRNEufGXgSZnl0axxnfMliEFkF1ecsfkIZOuRkRVInzoaf-8I/s400/Screen+Shot+2013-05-29+at+11.33.11.png" width="400" /></a><span lang="EN-US"></span></div>
Next is the ‘mdat’ atom, which I guess stands for
movie data and contains the data related to the movie itself.<br />
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLUpK8DrGcXODBS7Wv5PChRBEGBiV39RLkSnYhU_QJLBukCqJzckOutzbx8DOcr7cU2hM_pShmeTzHAWBX6wx03MaKkXGtROSVBvRWZQWD10SWpYqPLwMRrnV10V5DDdVwVK4F_D9QMds/s1600/Screen+Shot+2013-05-29+at+11.33.27.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLUpK8DrGcXODBS7Wv5PChRBEGBiV39RLkSnYhU_QJLBukCqJzckOutzbx8DOcr7cU2hM_pShmeTzHAWBX6wx03MaKkXGtROSVBvRWZQWD10SWpYqPLwMRrnV10V5DDdVwVK4F_D9QMds/s400/Screen+Shot+2013-05-29+at+11.33.27.png" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Next is the ‘moov’ atom, which partly indicates that
the movie came from a Mac platform, i.e. the iPhone. The ‘moov’ atom has a number of sub-atoms,
which brings us to the area we are interested in.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Once we pass all the obvious movie data we pick up
a ‘keys’ atom, which is then followed by metadata identified by the atom
‘mdta’. The entire section can be seen
in the image below.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij6EEDP1LEoHs-ExC9V9dCZA_LH2R5gomDzEFt9lvEyeNPO4yjzzyzER14jiiOEgth8gyRT9Z5f7znF0QJphU5AfGMDqtKXHXJlVhVrPJDFyfCNb7E9OKXjVlmhDvX1KwSWIjtLcBih3w/s1600/Screen+Shot+2013-05-30+at+11.56.35.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij6EEDP1LEoHs-ExC9V9dCZA_LH2R5gomDzEFt9lvEyeNPO4yjzzyzER14jiiOEgth8gyRT9Z5f7znF0QJphU5AfGMDqtKXHXJlVhVrPJDFyfCNb7E9OKXjVlmhDvX1KwSWIjtLcBih3w/s400/Screen+Shot+2013-05-30+at+11.56.35.png" width="400" /></a></div>
</div>
<div class="MsoNormal">
<br />
There are several interesting tags here.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">©mak«Apple - This identifies that the movie came
from an Apple-manufactured device.
Although this might sound obvious, we might have a series of videos from
a suspect's computer that we think he may have taken. However, if he is an Android and PC user then
this would reduce the likelihood that he created them.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">©swr«6.1.4 - This is rather useful as it tells us
the iOS software version that was installed at the time that the video was
taken. Again, a scenario could be that a
suspect accuses his co-defendant of shooting a video but we note that the
co-defendant's iPhone is running an earlier iOS version.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">©day«2013-05-27T21:38:21+0100 – This provides us
with the time and date that the video was shot.
Helpfully this date does NOT change when the file is moved, emailed or
uploaded. This provides a solid line in
the sand as to when the video was made.
The time is also adjusted from UTC, so we see the real-world time it was
created.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">©xyz«+52.5461-002.6371+115.546
– This tag ‘©xyz’ provides GPS location data provided by the GPS
chip in the phone. Although not
delimited, we can divide it up to provide:-</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">x - +52.5461</span></div>
<div class="MsoNormal">
<span lang="EN-US">y - -002.6371</span></div>
<div class="MsoNormal">
<span lang="EN-US">z - +115.546 – This appears to be the direction
taken from the onboard compass.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">This data depends on Location Services being allowed for the Camera
under the Privacy tab in Settings; if it was not, the ©xyz tag is simply absent,
while the other tags are still written.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">©mod«iPhone 5 - This is great, it doesn’t just tag
the device as an iPhone but as an iPhone 5.
Again this may help us to identify which phone in a case shot a
video. So we know the video was taken by
an Apple iPhone 5 running iOS 6.1.4 on 27/5/13 at 21:38:21 (+0100) at a specific
location. That’s not bad information.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">All the information is then repeated in a second, keyed
metadata atom. Each key is stored with the namespace ‘mdta’ immediately in front of
it, which is why the two appear glued together in a hex view. The keys are:-<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">com.apple.quicktime.make<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">com.apple.quicktime.creationdate<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">com.apple.quicktime.location.ISO6709<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">com.apple.quicktime.software<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">com.apple.quicktime.model<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So can we identify the specific device that shot a
video? Not definitively, no. However, we
may have a case where a number of phones are seized, perhaps a couple of
Androids, an older iPhone and an iPhone 5.
They may all have the same video on their phones showing illegal
activity and be accusing one another of shooting it. In this case we may have sufficient metadata
to pinpoint the culprit, provided the copy examined is the original rather than
one re-encoded by a messaging or upload service.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">When I first started looking at this I assumed that
it was a purely academic exercise, as our normal forensic tools probably report
this data, but it seems not. A quick look
in FTK with my test video only showed the operating system dates (created,
modified etc.) and not the embedded video creation date. There was also no extraction of ANY of the
metadata we have discussed: no model, firmware, GPS data, anything! Obviously you can manually work through the
hex to find the tags, but it could easily be missed if we don’t know it’s there.<o:p></o:p></span></div>
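<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Below is an added example (my own code, not anything from the original post or from Apple) showing how to carve these user-data tags out of raw bytes when a tool has not parsed them, and how to decode the two that have structure: the ©xyz location and the ©day timestamp. It assumes the QuickTime user-data text-item layout (4-byte big-endian atom size, 4-byte type beginning with ©, 2-byte text length, 2-byte language code, then the text); the MOV fragment it runs on is constructed from the values quoted above rather than taken from a real file, so check it against a genuine recording before relying on it.</span></div>

```python
"""Added example (not code from the original post): carve and decode the
QuickTime user-data tags discussed above from a raw byte buffer.

  1. carve ©xyz / ©day / ©swr / ©mod / ©mak atoms out of raw bytes;
  2. split the ©xyz ISO 6709 string into latitude, longitude, altitude;
  3. normalise the ©day timestamp (local time plus UTC offset) to UTC.

Assumed atom layout (QuickTime user-data text item): 4-byte big-endian
size, 4-byte type starting with 0xA9, 2-byte text length, 2-byte language
code, text.  The MOV fragment below is constructed, not from a real file.
"""
import json
import re
import struct
from datetime import datetime, timezone

# ISO 6709: latitude (2 degree digits), longitude (3 degree digits),
# optional altitude, optional CRS identifier, optional trailing "/".
ISO6709_RE = re.compile(
    r"^([+-]\d{2,6}(?:\.\d+)?)"      # 1: latitude
    r"([+-]\d{3,7}(?:\.\d+)?)"       # 2: longitude
    r"([+-]\d+(?:\.\d+)?)?"          # 3: altitude (optional)
    r"(?:CRS[^/]*)?/?$"
)


def _field_to_degrees(field, degree_digits):
    """Convert one ISO 6709 field (DD.d, DDMM.m or DDMMSS.s form) to decimal degrees."""
    sign = -1.0 if field.startswith("-") else 1.0
    whole, _, frac = field[1:].partition(".")
    frac = ("." + frac) if frac else ""
    n = len(whole)
    if n == degree_digits:                       # +52.5461
        value = float(whole + frac)
    elif n == degree_digits + 2:                 # +5232.766  (DDMM.m)
        value = float(whole[:degree_digits]) + float(whole[degree_digits:] + frac) / 60.0
    elif n == degree_digits + 4:                 # +523245.9  (DDMMSS.s)
        deg = float(whole[:degree_digits])
        mins = float(whole[degree_digits:degree_digits + 2])
        secs = float(whole[degree_digits + 2:] + frac)
        value = deg + mins / 60.0 + secs / 3600.0
    else:
        raise ValueError("malformed ISO 6709 field: %r" % field)
    return sign * value


def parse_iso6709(value):
    """Return latitude/longitude in decimal degrees and altitude in metres (or None)."""
    m = ISO6709_RE.match(value.strip())
    if m is None:
        raise ValueError("not an ISO 6709 location: %r" % value)
    return {
        "latitude": _field_to_degrees(m.group(1), 2),
        "longitude": _field_to_degrees(m.group(2), 3),
        "altitude_m": float(m.group(3)) if m.group(3) else None,
    }


def creation_to_utc(stamp):
    """©day is local wall-clock time plus offset, e.g. 2013-05-27T21:38:21+0100."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)


def carve_user_data(buf):
    """Find ©-tagged text atoms anywhere in buf, with basic sanity checks on the sizes."""
    found = {}
    for m in re.finditer(rb"\xa9(xyz|day|swr|mod|mak)", buf):
        start = m.start() - 4                    # the 4-byte atom size precedes the type
        if start >= 0 and len(buf) >= m.end() + 4:
            atom_size = struct.unpack(">I", buf[start:start + 4])[0]
            text_len = struct.unpack(">H", buf[m.end():m.end() + 2])[0]
            # size + type + length + language is 12 bytes; the text must fit in both.
            if atom_size >= text_len + 12 and len(buf) >= start + atom_size:
                text = buf[m.end() + 4:m.end() + 4 + text_len]
                found["©" + m.group(1).decode("ascii")] = text.decode("utf-8", "replace")
    return found


def _text_atom(tag, text, lang=0x15C7):
    """Build one user-data text atom (0x15C7 is 'eng' packed as three 5-bit letters)."""
    payload = struct.pack(">HH", len(text), lang) + text
    return struct.pack(">I", 8 + len(payload)) + b"\xa9" + tag + payload


# Constructed fragment carrying the values quoted in the post; the zero padding
# stands in for the other atoms a real file would contain.
SAMPLE_MOV_FRAGMENT = (
    b"\x00" * 16
    + _text_atom(b"xyz", b"+52.5461-002.6371+115.546/")
    + _text_atom(b"day", b"2013-05-27T21:38:21+0100")
    + _text_atom(b"swr", b"6.1.4")
    + _text_atom(b"mod", b"iPhone 5")
)


def extract(buf):
    """Carve the tags and decode the ones with structure (location and timestamp)."""
    tags = carve_user_data(buf)
    out = dict(tags)
    if "©xyz" in tags:
        out["location"] = parse_iso6709(tags["©xyz"])
    if "©day" in tags:
        out["created_utc"] = creation_to_utc(tags["©day"]).isoformat()
    return out


if __name__ == "__main__":
    print(json.dumps(extract(SAMPLE_MOV_FRAGMENT), indent=2, ensure_ascii=False))
```

<div class="MsoNormal">
<span lang="EN-US">The ISO 6709 parser also accepts the packed DDMM.m and DDMMSS.s forms the standard allows, which goes beyond the single decimal-degrees value on this page, and the altitude comes back in metres as the standard specifies. The carve step is deliberately loose (it scans the whole buffer rather than walking the moov atom tree) because the point is to find the tags even when the container around them is damaged or the tool in front of you ignores them.</span></div>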
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Hope that’s helpful to you.<o:p></o:p></span></div>
<!--EndFragment-->Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com11tag:blogger.com,1999:blog-8795951467435737498.post-32300560509671486212013-04-08T17:05:00.001+01:002013-04-08T17:08:31.642+01:00Maltego Machines and other stuff<span style="font-family: Arial,Helvetica,sans-serif;">Once again it has been several lifetimes of certain moths since I wrote a blog post. I have been trying to write the text for my new web site whilst also writing a book. That's right loyal follower, I am writing a book! The working title is Weaponizing Open Source Intelligence. Obviously for those of you in the UK it will be Weaponising! It should be pretty interesting not only covering advanced Open Source Techniques but how to understand how the data can be 'weaponised' into an attack against you or your organisation. Should be good!</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Anyway, 2 weeks back I taught the first Advanced Open Source Course to international acclaim and applause, well, all the students thought it was epic and enjoyed it. The highlight seemed to be the real-world exercises where you do everything from hunting down bad guys to planning an attack on a company, loads of fun.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">A good chunk of the course is focused on Paterva's tools, CaseFile and primarily Maltego Radium, which, frankly, rocks. If you haven't seen the tool before take a look at Paterva's YouTube channel at <a href="http://www.youtube.com/user/PatervaMaltego" target="_blank">http://www.youtube.com/user/PatervaMaltego</a>. It is essentially a link-analysis (graphing) tool that automates much of the Open Source Intel gathering.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdo19k7SpKeVxGSfREcIMXxnJ_MfBcrPH9QN06RpZ_OBLIIi-SgRrkuHJEPu6sGTZW0FuIUBi-lHmRbQiGbE6YgoLvAsk-qSkp9EaRrOIvAYYI2yltxK4xMEQNaHsE7Sg_PeojgwF8VZ4/s1600/Screen+Shot+2013-04-04+at+13.48.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdo19k7SpKeVxGSfREcIMXxnJ_MfBcrPH9QN06RpZ_OBLIIi-SgRrkuHJEPu6sGTZW0FuIUBi-lHmRbQiGbE6YgoLvAsk-qSkp9EaRrOIvAYYI2yltxK4xMEQNaHsE7Sg_PeojgwF8VZ4/s400/Screen+Shot+2013-04-04+at+13.48.12.png" width="400" /></a></span></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">One of the interesting things about Radium is the ability to write your own Transforms (searches) but also to code up your own Machines to essentially daisy-chain commands together so that they run automatically. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">During the course we had a segment given online by Social Engineering guru Chris Hadnagy, where we discussed identifying key people within an organisation as targets for phishing and the like. It can also be useful to identify people who may know each other, for the same purpose. Obviously we are not teaching this to carry out an actual attack, but rather to identify the vectors that could be used by an attacker against us.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">I thought it would be interesting to create a Radium Machine that would accept a Domain as input, pull back 50 or so documents (the code below asks for up to 100) and then rip the metadata out of them, hopefully giving us real names, email addresses and the like. Then we remove any value that appears only once, working on the principle that we would like to identify people who have authored many documents. I took a good go at writing it and, thanks to Andrew at Paterva, it was tidied up and made to work properly.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">If you have a version of Radium simply click the Machines tab, Manage Machines, New Machine. You can type any old rubbish into the dialogue as it will be overwritten by this code anyway. The code looks like this, simply cut and paste into the code window and press the 'tick' button to compile:-</span><br />
<br />
<pre>
machine(
    "MetadataMachine",
    displayName:"Metadata Machine",
    author:"Nick Furneaux (thanks to Andrew)",
    description: "Finds documents and their metadata for a domain and then deletes any documents where the meta data is not found in more than one document"
    )
{

    start {

        /* Find all documents and then their Metadata */

        // Get Documents
        status("Searching for Documents")
        log("Finding Documents....",showEntities:false)
        run("paterva.v2.DomainToDocument_SE",slider:100)

        // Get Metadata from Documents
        status("Extracting metadata")
        log("Extracting metadata",showEntities:false)
        run("paterva.v2.DocumentToPersonEmail_Meta")

        /* Remove all entities that have less than 2 links incoming to the entity */

        // now we select any people, phrases and email addresses
        type("maltego.Person", scope:"global")
        incoming(lessThan:2)
        delete()

        type("maltego.Phrase", scope:"global")
        incoming(lessThan:2)
        delete()

        type("maltego.EmailAddress", scope:"global")
        incoming(lessThan:2)
        delete()

        /* Remove any remaining documents that no longer have children */

        type("maltego.Document", scope:"global")
        outgoing(0)
        delete()

        /* Ask if you would like more work to be done on any extracted email addresses */

        type("maltego.EmailAddress", scope:"global")
        userFilter(title:"Choose Email Addresses",heading:"Email",description:"Please select the email addresses you want to do more research on.",proceedButtonText:"Next>")
        run("paterva.v2.EmailAddressToPerson_SamePGP")
    }
}
</pre>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">The first command that runs looks at the Domain you have supplied and goes looking for Office or PDF documents posted to that Domain. The slider value caps the number of results the transform returns, here 100.</span></span><br />
<br />
<pre>run("paterva.v2.DomainToDocument_SE",slider:100)</pre>
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Next these documents have their metadata extracted.</span></span><br />
<br />
<pre>run("paterva.v2.DocumentToPersonEmail_Meta")</pre>
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Then we remove any metadata entity (person, phrase or email address) that has fewer than 2 incoming links, i.e. that was found in only one document. The block that follows in the full script then deletes any document left with no children.</span></span><br />
<br />
<pre>// now we select any people, phrases and email addresses
type("maltego.Person", scope:"global")
incoming(lessThan:2)
delete()

type("maltego.Phrase", scope:"global")
incoming(lessThan:2)
delete()

type("maltego.EmailAddress", scope:"global")
incoming(lessThan:2)
delete()</pre>
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Lastly, we display any email addresses and ask if you want more work done. At the moment it just looks at a PGP key server and tries to extract the registered name for that email address, which could be useful. We could do a web search for sites containing that address too.</span></span><br />
<br />
<pre>userFilter(title:"Choose Email Addresses",heading:"Email",description:"Please select the email addresses you want to do more research on.",proceedButtonText:"Next>")
run("paterva.v2.EmailAddressToPerson_SamePGP")</pre>
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">As code goes, this is pretty simple and can help to automate tasks that you run regularly. Interestingly, a Machine can also be set to run on a timer, every minute, hour or whatever interval you like. This could be very useful for monitoring a specific Domain for new activity.</span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">That's all for now. If you want to learn more about the Advanced Open Source Intelligence Course you can download a syllabus here - <a href="http://www.csitech.co.uk/Advanced_OSI_Syllabus.pdf"><span style="font-size: small;">www.csitech.co.uk/Advanced_OSI_Syllabus.pdf</span></a>.</span></span><br />
<br />
<br />Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com4tag:blogger.com,1999:blog-8795951467435737498.post-48801694504719468362012-10-01T14:14:00.000+01:002012-10-02T11:54:48.762+01:00Password extraction funExtraction of passwords, whether remotely or by gaining physical access to a computer, is always an area of interest for my clients. If you can acquire the Windows password this can be very useful: users often consider their OS login to need a very strong password, not realising that the LM/NT hashes behind it are very easy to crack. The average number of passwords used by a person tends not to exceed 3, or derivatives of 3. If you get the Windows password it tends to be the 'strong' one that they use, and so applying it to their PayPal, Gmail etc. you might be successful.<br />
<br />
Generally the way to grab the password is to dump the LM/NT hashes, either by grabbing the SAM or from a RAM dump, and then use rainbow tables (or a dictionary or brute force attack) to recover the plaintext from the hash. This is not terribly hard but requires some knowledge, and there is always the possibility of the crack not coming through for you.<br />
<br />
Somehow I had missed the release of a tool called Mimikatz, written by a chap with an extraordinary ability to find and exploit weaknesses in Microsoft's security (and a penchant for writing everything in French, très bien). If you would like to know how his technique works then please take the time out to read his cracking PowerPoint: <a href="http://blog.gentilkiwi.com/mimikatz" target="_blank">click here (thankfully not in French!)</a>. Thanks to my friend Jon Evans who mentioned it to me last week.<br />
<br />
Mimikatz can achieve a number of things but the most useful to me is its claim to extract <b><i>plain text</i></b> user passwords. Guess what - it works!<br />
<br />
Here's what to do. <br />
<br />
Download <a href="http://blog.gentilkiwi.com/mimikatz" target="_blank">Mimikatz</a><br />
<br />
Run the 32-bit or 64-bit version, matching the Windows build you are on (please don't make me explain how you would know which!!), as administrator and you are presented with a console environment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihY9xZXT57DZDBJEzohyphenhyphenP20MbfUWalVr_hNqg7-rv0fCGis99_zGUheVB4AN_qVRJg0x2Lo7uBNbVDvNWPiI9ibfN9ZwbqLEND3gfL1KELhBVC87oPYVgCNDo8egTKefsGJvhVPmM6VRE/s1600/Screen+Shot+2012-10-01+at+13.51.10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihY9xZXT57DZDBJEzohyphenhyphenP20MbfUWalVr_hNqg7-rv0fCGis99_zGUheVB4AN_qVRJg0x2Lo7uBNbVDvNWPiI9ibfN9ZwbqLEND3gfL1KELhBVC87oPYVgCNDo8egTKefsGJvhVPmM6VRE/s400/Screen+Shot+2012-10-01+at+13.51.10.png" width="400" /></a></div>
<br />
Next, request the debug privilege (SeDebugPrivilege, which is what lets the tool open and read the memory of the LSASS process) with the command:-<br />
<blockquote class="tr_bq">
<code class="plain plain">privilege::debug</code></blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJq4Bb9s0rOic_XkOR3Rz7SiVCd5tlt8pm4-VYEKGNzmgrbOlfMdu8kSLmMGoYXXspmarugvgtfvAP2spIsuZc9BkdfaX_1PjRNTvc7A_gfFylO2l11foFhvWKGQYEpbR07-7ItPMCl8M/s1600/Screen+Shot+2012-10-01+at+13.53.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJq4Bb9s0rOic_XkOR3Rz7SiVCd5tlt8pm4-VYEKGNzmgrbOlfMdu8kSLmMGoYXXspmarugvgtfvAP2spIsuZc9BkdfaX_1PjRNTvc7A_gfFylO2l11foFhvWKGQYEpbR07-7ItPMCl8M/s400/Screen+Shot+2012-10-01+at+13.53.51.png" width="400" /></a></div>
<br />
Next simply dump the credentials of every logged-on session from LSASS by running:-<br />
<blockquote class="tr_bq">
<code class="plain plain">sekurlsa::logonPasswords full</code></blockquote>
Job done!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJwyO9mzPXOlrn4qb2MIFQiC3EYUH_EVCirghmKJ6NyPjdvO-b0MjNMTus-hTknDwW4cwqYMiXA8IFb2BbzWuHJSEkeVTd8lyXhDY2tsZ4yaF0q-fmSfpiyCtCV_C3kdBRo7vnbOOMWo/s1600/Screen+Shot+2012-10-01+at+13.58.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJwyO9mzPXOlrn4qb2MIFQiC3EYUH_EVCirghmKJ6NyPjdvO-b0MjNMTus-hTknDwW4cwqYMiXA8IFb2BbzWuHJSEkeVTd8lyXhDY2tsZ4yaF0q-fmSfpiyCtCV_C3kdBRo7vnbOOMWo/s400/Screen+Shot+2012-10-01+at+13.58.01.png" width="400" /></a></div>
<br />
Username - nickfx<br />
Password - 123<br />
<br />
Easy eh!<br />
<br />
This is an extremely useful addition to any first responder toolkit and I highly recommend having a go for 10 minutes. Two caveats from practice: it needs local administrator rights on a running, unlocked box, because the plaintext comes from credentials that security packages such as WDigest cache inside LSASS rather than from the SAM; and on Windows 8.1/Server 2012 R2 and later (or on older builds with KB2871997 applied and the WDigest UseLogonCredential registry value set to 0) WDigest no longer keeps the plaintext, so you may get only the NTLM hash and be back to cracking. It also leaves traces: opening a handle to lsass.exe is exactly what endpoint monitoring tools, Sysmon Event ID 10 for instance, are tuned to flag.<br />
<br />
<br />
<br />
<br />Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com3tag:blogger.com,1999:blog-8795951467435737498.post-63372935043137291552012-09-24T10:16:00.000+01:002012-09-24T10:16:17.845+01:00Volatility - cmdscan buggy?I tweeted last week that I was impressed with a new command in Volatility called cmdscan. The command is designed to extract command shell history. I had run it on a variety of new and old RAM dumps and appeared to get slightly random results, often interspersed with obviously correct history.<br />
<br />
In my tweet I made the comment that the command was good but a bit buggy. <br />
<br />
An example of my issues is in the image below:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Id8j6Lf1a0hFZnTiLZ0uuk0JDqeBAJ4xFcJc03PTdM1JBppcMrWdZGzGo1a_9wkWfZsvJJseTSFY1N5KP7qVgyGb6vx-ZSbdX760uye7SCuoDy9Z0VDYVj4q7mI6T-kYaEZD6LdpFng/s1600/Screen+Shot+2012-09-21+at+15.17.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Id8j6Lf1a0hFZnTiLZ0uuk0JDqeBAJ4xFcJc03PTdM1JBppcMrWdZGzGo1a_9wkWfZsvJJseTSFY1N5KP7qVgyGb6vx-ZSbdX760uye7SCuoDy9Z0VDYVj4q7mI6T-kYaEZD6LdpFng/s640/Screen+Shot+2012-09-21+at+15.17.03.png" width="489" /></a></div>
<br />
You can see that the upper part of the results seem to display erroneous results whereas the lower portion is very obviously a series of recovered commands. <br />
<br />
To my pleasant surprise Michael Ligh himself dropped me a line asking for more details, which I duly provided, only to discover that I should not have been such an ass but should have checked the code before making the comment. Turns out it is doing exactly what it should. I thank Mike for his gracious response and explanation, which I re-print here:-<br />
<br />
MHL<br />
<br />
<blockquote class="tr_bq">
...so in short, cmdscan is to consoles as psscan is to pslist. In other words, the consoles plugin (not sure if you tried that one) will find active/running console sessions (like pslist will only find active processes) and not only print command history but full input/output buffers. The cmdscan plugin, on the other hand, will scan through memory using pattern matching and try to brute force with sanity checks etc - the advantage being that it can not only find histories from active/running processes but also closed consoles that have been partially deallocated or overwritten (similar to how psscan carves and finds terminated processes). <br /><br />If you take a look at the command history structure: <br /><br />http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/malware/cmdhistory.py#44<br /><br />You'll see there's a CommandBucket member which is an array of pointers (to command structures). The CommandCount member tells you how many pointers in the CommandBucket are valid. However, if the command history structs belong to closed/terminated processes, then we cannot rely on CommandCount. It could be 0 although there are still valid pointers in the CommandBucket array. Or vice versa - it could be 40 although there are only 10 valid pointers in the array - not even continuous, it could be slots 0, 4, 5, 10, 11, 12, 18, etc. <br /><br />So cmdscan ignores the CommandCount member and treats CommandBucket as an array of 50 pointers, because 50 is the max history on most systems. If a pointer points to a valid location (i.e. somewhere allocated and not paged) and looks like it might be at least some unicode characters, then it's printed to the terminal. <br /><br />If you look at your "Screen Shot 2012-09-21 at 15.27.59.png" image, it says CommandCount is 15. You see slots 0-14 are valid but it goes on to print slot 18, 25, 32, 39, and 46 anyway just in case CommandCount isn't accurate. 
The consoles command would trust CommandCount and only print slots 0-14. <br /><br />After looking at the screen shots, I'd say the plugin is working as expected. So if you do get a chance to look over the code, it's pretty well commented and you should be able to figure out why it seemed buggy. </blockquote>
<br />
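To make the distinction concrete, here is an added example (my own, not Volatility's code) that models the two strategies over a constructed 8 KiB "memory dump". The structures are simplified to a CommandCount followed by a 50-slot bucket of 32-bit pointers, and a COMMAND as a 16-bit byte length followed by UTF-16LE text; the real _COMMAND_HISTORY and _COMMAND have more fields, and Volatility's sanity checks are more thorough than the ones here.<br />

```python
"""Added example (my own, not Volatility's code): why cmdscan prints slots
that consoles does not.

COMMAND_HISTORY is modelled as a 32-bit CommandCount followed by a bucket of
50 32-bit pointers; COMMAND as a 16-bit byte length followed by UTF-16LE
text.  The real structures have more fields and Volatility's sanity checks
are more thorough; the 8 KiB "memory dump" below is constructed.
"""

BUCKET_SLOTS = 50        # cmdscan walks all 50 slots, the usual maximum history size
MAX_CMD_BYTES = 2 * 256  # sanity bound on CmdLength used by this demo


def _slot(mem, hist, i):
    """Pointer stored in CommandBucket[i] (the bucket starts 4 bytes after CommandCount)."""
    off = hist + 4 + 4 * i
    return int.from_bytes(mem[off:off + 4], "little")


def _read_command(mem, ptr):
    """Return the command text at ptr, or None if the pointer or struct is implausible."""
    if ptr == 0 or ptr + 2 > len(mem):
        return None                                   # null, or outside the dump
    length = int.from_bytes(mem[ptr:ptr + 2], "little")
    if length == 0 or length % 2 or length > MAX_CMD_BYTES or ptr + 2 + length > len(mem):
        return None                                   # freed/overwritten, or a nonsense length
    try:
        text = mem[ptr + 2:ptr + 2 + length].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None       # "looks like some unicode characters"


def consoles_style(mem, hist):
    """Trust CommandCount, as the consoles plugin does: slots 0..CommandCount-1 only."""
    count = int.from_bytes(mem[hist:hist + 4], "little")
    return [(i, _read_command(mem, _slot(mem, hist, i))) for i in range(min(count, BUCKET_SLOTS))]


def cmdscan_style(mem, hist):
    """Ignore CommandCount, as cmdscan does: try every slot and keep those passing the checks."""
    found = []
    for i in range(BUCKET_SLOTS):
        text = _read_command(mem, _slot(mem, hist, i))
        if text is not None:
            found.append((i, text))
    return found


def build_sample_memory():
    """Constructed dump: CommandCount says 15, but a closed console left valid commands
    behind in slots 18, 25, 32, 39 and 46, plus two dangling pointers in slots 20 and 30."""
    mem = bytearray(8192)
    hist, cursor = 0x100, 0x400
    bucket = [0] * BUCKET_SLOTS

    def place(text):
        nonlocal cursor
        raw = text.encode("utf-16-le")
        mem[cursor:cursor + 2] = len(raw).to_bytes(2, "little")
        mem[cursor + 2:cursor + 2 + len(raw)] = raw
        ptr, cursor = cursor, cursor + 2 + len(raw) + 6   # small gap between allocations
        return ptr

    live = [
        "cd C:\\Users\\nickfx", "dir", "type notes.txt", "ipconfig", "ping 10.0.0.1",
        "netstat -an", "tasklist", "cd Downloads", "dir /a", "copy tool.exe C:\\Temp",
        "cd C:\\Temp", "tool.exe -h", "cls", "whoami", "hostname",
    ]
    stale = {18: "net use Z: \\\\10.0.0.5\\share", 25: "copy Z:\\payroll.xlsx C:\\Temp",
             32: "del C:\\Temp\\tool.exe", 39: "net use Z: /delete", 46: "exit"}
    for i, cmd in enumerate(live):
        bucket[i] = place(cmd)
    for slot, cmd in stale.items():
        bucket[slot] = place(cmd)
    bucket[20] = 0x1FF0        # stale pointer into zeroed (freed) memory: CmdLength 0, rejected
    bucket[30] = 0xDEADBEEF    # stale pointer outside the dump entirely, rejected
    mem[hist:hist + 4] = len(live).to_bytes(4, "little")
    for i, ptr in enumerate(bucket):
        mem[hist + 4 + 4 * i:hist + 8 + 4 * i] = ptr.to_bytes(4, "little")
    return bytes(mem), hist


if __name__ == "__main__":
    mem, hist = build_sample_memory()
    print("consoles-style:", [i for i, _ in consoles_style(mem, hist)])
    print("cmdscan-style: ", [i for i, _ in cmdscan_style(mem, hist)])
```

Run it and the consoles-style walk reports slots 0 to 14, while the cmdscan-style walk additionally reports 18, 25, 32, 39 and 46 and silently drops the two dangling pointers, which is exactly the pattern in the screenshot above.<br />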
Thanks again to MHL and the Volatility team for such a useful toolset. Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com1tag:blogger.com,1999:blog-8795951467435737498.post-46626548220069560822012-09-17T15:08:00.002+01:002012-09-17T15:13:30.453+01:00Advanced Open Source Intelligence Gathering<style>
</style><br />
<div class="MsoNormal">
<span lang="EN-US"> The Internet contains a vast amount of
information about people that may be of interest to us.<span style="mso-spacerun: yes;"> </span>Police and other Agencies may want to
know more about a suspect, a company may want to research the background of a
senior candidate or understand the ‘exposure’ of their company or key
employees.<span style="mso-spacerun: yes;"> </span>Much can be gathered if
you know how to exploit online resources.</span></div>
<div class="MsoNormal">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKP7qi3hZlbuMJdpUQOAEz76QK2Lqtnr9WzAdsx3kG7Ju3rudais-944L60NLMauDH8lMomDwuzvWv0YxMtB4zt-ZUfzHwnNaV7_mMP6qhBMbTLX8hkSzb4AOT4sAe80Bia8q3pVWlLLw/s1600/Screen+Shot+2012-08-29+at+14.23.53.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKP7qi3hZlbuMJdpUQOAEz76QK2Lqtnr9WzAdsx3kG7Ju3rudais-944L60NLMauDH8lMomDwuzvWv0YxMtB4zt-ZUfzHwnNaV7_mMP6qhBMbTLX8hkSzb4AOT4sAe80Bia8q3pVWlLLw/s400/Screen+Shot+2012-08-29+at+14.23.53.png" width="400" /></a><span lang="EN-US"> </span><br />
<span lang="EN-US">This course focuses on the investigator's
ability to gather information on people, groups or companies from the
Internet in a truly advanced manner.<span style="mso-spacerun: yes;"> </span>Rather than just using
‘advanced’ Google searches and other web sites we will be leveraging the tools
available to look ‘under the surface’ of the internet, accessing data gleaned
by understanding the database APIs used by the likes of Twitter, Facebook and
others, ‘dark net’ data collection methods and other areas rarely taught.<span style="mso-spacerun: yes;"> </span></span></div>
<div class="MsoNormal">
<span lang="EN-US">The 4 day course is completely hands-on and
will teach a range of skills, from staying anonymous, bouncing data around the world and setting up false online
identities, to extracting data using APIs, using Paterva's awesome Maltego, and graphing and visualising data both historical and in
real-time.</span></div>
<div class="MsoNormal">
<span lang="EN-US">We have already begun seeding the Internet
with the false identities of subjects that we will be investigating on the
course.<span style="mso-spacerun: yes;"> </span>The final exam will pit
your new skills against the online world as you work to discover all you can
about a person, their friends and what they are planning to do!</span></div>
<div class="MsoNormal">
<span lang="EN-US">Other Open Source courses are available,
but not like this!</span></div>
<div class="MsoNormal">
<span lang="EN-US">The course will include a 6 month license
for Maltego CaseFile, 6 months VPN access, an encrypted hard drive, a large
number of software tools and a course manual.</span></div>
<div class="MsoNormal">
<span lang="EN-US">The 4 day course is £1800 + VAT </span></div>
<div class="MsoNormal">
<span lang="EN-US">Nick Furneaux (me!) teaches Law Enforcement agencies all over the world and this is the first time that corporate students have been accepted.</span></div>
<div class="MsoNormal">
<span lang="EN-US">To inquire further please <a href="http://www.csitech.co.uk/contact.php" target="_blank">contact me here</a> </span></div>
<h3 class="MsoNormal">
<b><span lang="EN-US">Syllabus</span></b></h3>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US">Day
1</span></b></div>
<div class="MsoNormal">
<span lang="EN-US">Understanding the law – what can you do?</span></div>
<div class="MsoNormal">
<span lang="EN-US">Setting up your tool kit</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Encryption
of data</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>To
cache or not to cache</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Benefits
of using Virtual Machines</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Adding
magic to Firefox</span></div>
<div class="MsoNormal">
<span lang="EN-US">Bouncing anonymously round the world –
Proxies and VPNs</span></div>
<div class="MsoNormal">
<span lang="EN-US">Setting up your own false identities</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US">Day
2</span></b></div>
<div class="MsoNormal">
<span lang="EN-US">Maltego Case File usage</span></div>
<div class="MsoNormal">
<span lang="EN-US">Aggressive searching – only search the part
of the web you need to</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Lots
of useful sites to bookmark and try</span></div>
<div class="MsoNormal">
<span lang="EN-US">Searching through maps</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Using
social media to ‘see’ an area</span></div>
<div class="MsoNormal">
<span lang="EN-US">What can a web site tell us?</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Who
owns it and where are they?</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Blowing
a web site apart – mapping a web site in real time</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>What
did it used to say? - Finding deleted data on the Internet</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Finding
hidden links</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>Finding
documents</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"> </span>The
wonder of Metadata!</span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-tab-count: 1;"></span>Maltego V3!</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Google Hacking 101</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Understanding email – identification and
tracking</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Day 3</span></b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Finding forums, blogs, websites, IRC
entries</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;"><span style="mso-tab-count: 1;"> </span>Working
with IRC clients</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; tab-stops: center 225.5pt; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Are you or your organization leaking?</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;"><span style="mso-tab-count: 1;"> </span>Using
your skills to understand your own vulnerabilities</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;"><span style="mso-tab-count: 1;"> </span>Checking
if hackers have released your/corporate information</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Exploiting Social Networking<br style="mso-special-character: line-break;" />
<br style="mso-special-character: line-break;" />
</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Mapping Social
Networking accounts and followers</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Following the
network – don’t forget the family!</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Extracting data
from Twitter via API</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Extracting data from
Facebook via API</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Facebook
‘naughtiness’</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Graphing Twitter data LIVE</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; tab-stops: center 225.5pt; text-autospace: none;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Day 4</span></b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Geo location possibilities (Where are
they, or are they where they say they are?)</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">EXIF data
extraction</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Plane and Ship
mapping</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Enumerating Geo-Coordinates
using API</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none; text-indent: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Finding people using public records</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Being a bit more aggressive to get IPs</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">101 Social Networking – why not just call
and ask what you want to know!</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; mso-pagination: none; text-autospace: none;">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Final exam – Full online search and enumeration of a named subject. Course grade based on details located.
(Open book)</span></div>
<div class="MsoNormal" style="text-indent: 36.0pt;">
<span lang="EN-US" style="mso-ascii-font-family: Cambria; mso-bidi-font-family: Cambria; mso-bidi-font-size: 16.0pt; mso-hansi-font-family: Cambria;">Course certificated and graded.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US">TOTAL
COST - £1850 + VAT</span></b></div>
Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com1tag:blogger.com,1999:blog-8795951467435737498.post-56668899889348762142012-06-20T12:57:00.001+01:002012-06-20T12:57:09.937+01:00Firewire fun with ThunderboltSince 2006, when Adam Boileau released his research on exploiting machines over Firewire, we have had fun unlocking locked computers and imaging their RAM. With the release of Thunderbolt (TB) I wondered whether the same Direct Memory Access (DMA) issues exist with that implementation. Turns out they do. The interesting thing is that allowing DMA is what provides much of the cool functionality TB offers, but it also provides the same physical-access attack vector as Firewire: a device on the bus can read and write system memory directly. As the access is handled at the hardware layer, the OS remains blissfully unaware of what's going on.<br />
<br />
Reading a blog on the subject this week, I saw many comments dismissing it as a lame-duck attack because physical access is needed; however, many in our community know that gaining physical access to a machine is often possible.<br />
<br />
If a computer is powered off then file-level access is simple (absent full-disk encryption), but a Windows or Mac that is booted and password locked has always been a problem; with TB now appearing on all Macs this could be rather a useful technique. It is notable that Lion appears to turn off DMA in certain circumstances, but more work needs to be done to understand this fully.<br />
<br />
Enter '<a href="http://www.breaknenter.org/projects/inception/" target="_blank">Inception</a>', a very nice proof-of-concept tool from the <a href="http://www.breaknenter.org/" target="_blank">Break n Enter</a> blog. Some work has been done in this area and it seems to work pretty well in certain situations. I won't bother re-blogging everything, but I strongly recommend reading the page linked above and also the <a href="http://www.breaknenter.org/2012/02/video-hacking-os-x-filevault2-over-thunderbolt-with-inception/" target="_blank">video</a>, which shows the extraction of RAM and the pwning of the FileVault password (loving the music too). Big shout out to them for the tool and the work.<br />
<br />
I'll try and spend some time on this in the next few weeks and let you know how I get on.<br />
<br />
<br />
<br />
<br />Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-67150673074350669972012-04-29T00:30:00.000+01:002012-04-29T00:30:04.059+01:00Skype IP addresses - in the clear<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX8-U5e_J1kslQPSri39n_0n8673A51Cz_mOWKazhtH6zMibnus4DnyFqnxax6afpoyyX_lHCEG_SgklZTk_EMlK-6zX9nuY_wculzSGAjFxBjZ0MCmsF_M8N4RcNqm36d5PfA3o0QhB8/s1600/skype.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX8-U5e_J1kslQPSri39n_0n8673A51Cz_mOWKazhtH6zMibnus4DnyFqnxax6afpoyyX_lHCEG_SgklZTk_EMlK-6zX9nuY_wculzSGAjFxBjZ0MCmsF_M8N4RcNqm36d5PfA3o0QhB8/s200/skype.jpg" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
The security forums and blogosphere have been buzzing for the past few days with an 'undocumented feature' of Skype, the ability to discover the internal and external IP addresses of any Skype account currently logged in. I don't mean people on your buddy list - I mean ANYONE!<br />
<br />
Knowledge of this is critical if you use Skype in any situation where your location needs to remain secure, or simply if you care about personal privacy.<br />
<br />
I've tested this and it does what it says on the tin. I was able to extract the external and internal IPs of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road. More concerningly, the internal IP combined with the internet-facing address provides the basis for a direct probe, and then attack, of any individual in Skype's global address book.<br />
<br />
The details seem to have come initially from Russian hackers and appeared on PasteBin on April 26th, but there is also a site which will do it all for you. I won't copy the whole thing, as there is a perl script to assist with parsing the logs, but here is the gist:-<br />
<br />
<a href="http://pastebin.com/rBu4jDm8">http://pastebin.com/rBu4jDm8</a><br />
<br />
<blockquote class="tr_bq">
1. Download this patched version of Skype 5.5:<br />http://skype-open-source.blogspot.com/2012/03/skype55-deobfuscated-released.html<br /><br />2. Turn on debug-log file creation by adding a few registry keys.<br />https://github.com/skypeopensource/skypeopensource/wiki/skype-3.x-4.x-5.x-enable-logging<br /><br />3. Start the "add a Skype contact" action,
but do not send the add request; just click on the user to view his vcard (general
info about the user). This will be enough.<br /><br />4. Look in the log for the desired skypename.<br />The record will look like this for the user's real IP: -r195.100.213.25:31101<br />And like this for the user's internal network card IP: -l172.10.5.17<br /><br />21:16:45.818 T # 3668 PresenceManager:
noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23:40013-r195.100.213.25:31101-l172.10.5.17:22960 23d23109 82f328ff<br /><br />5. Look the user up via a whois service.<br />http://nic.ru/whois/?query=195.100.213.25<br /><br />This will help you to get info about the Skype user: city, country, internet provider and internal user IP address. </blockquote>
I don't want to overstate this, but this is a big deal.<br />
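A small parser for the log records described above, written for this page as an added example; it is not part of the original post or of the PasteBin perl script. It pulls the skypename and the -r (external) and -l (internal) endpoints out of each 'noticing' record and, as a check worth doing before you trust the internal address, tests whether that address is actually an RFC 1918 private one. The log lines are constructed to match the shape quoted above, the field meanings are taken from the PasteBin text, the -s token is deliberately not interpreted, and the whois step is left to you.<br />
<br />
```python
import ipaddress
import re

# Constructed sample in the shape of the debug-log record quoted above.
# Line 1 mirrors the PasteBin example; line 2 is an invented variant with
# an RFC 1918 internal address; line 3 is noise the parser must skip.
SAMPLE_LOG = """\
21:16:45.818 T # 3668 PresenceManager: noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23:40013-r195.100.213.25:31101-l172.10.5.17:22960 23d23109 82f328ff
21:17:02.004 T # 3668 PresenceManager: noticing anotheruser 0x0123456789abcdef-s-s65.55.223.23:40013-r203.0.113.9:42011-l192.168.1.23:22960 00000000 ffffffff
21:17:03.100 T # 3668 PresenceManager: unrelated line with no address tokens
"""

# Only the -r (real/external) and -l (local/internal) tokens are documented
# in the PasteBin text; the -s token is skipped over rather than guessed at.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_NOTICING = re.compile(
    r"noticing\s+(\S+)\s+\S*?"
    r"-r(%s):(\d+)"
    r"-l(%s):(\d+)" % (_IPV4, _IPV4)
)


def parse_skype_log(text):
    """Return one dict per 'noticing' record: skypename, external (-r) and
    internal (-l) endpoints, plus whether the internal address really is
    a private (RFC 1918) one, which the log format does not guarantee."""
    records = []
    for line in text.splitlines():
        match = _NOTICING.search(line)
        if match is None:
            continue
        name, ext_ip, ext_port, int_ip, int_port = match.groups()
        internal = ipaddress.ip_address(int_ip)
        records.append({
            "skypename": name,
            "external_ip": ext_ip,
            "external_port": int(ext_port),
            "internal_ip": str(internal),
            "internal_port": int(int_port),
            "internal_is_private": internal.is_private,
        })
    return records


def whois_targets(records):
    """The addresses you would feed to a whois lookup (step 5 above):
    the external ones, de-duplicated, in first-seen order."""
    seen = []
    for rec in records:
        if rec["external_ip"] not in seen:
            seen.append(rec["external_ip"])
    return seen


if __name__ == "__main__":
    parsed = parse_skype_log(SAMPLE_LOG)
    for rec in parsed:
        print(rec)
    print("whois:", whois_targets(parsed))
```
<br />
The quoted example is instructive here: 172.10.5.17 is not inside 172.16.0.0/12, so the 'internal' address in the PasteBin sample is a publicly routable one, which is exactly the kind of thing you want the parser to flag rather than assume.<br />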
<br />
There is also a web site now if you don't want to bother with the log route - <a href="http://skype-ip-finder.tk/">http://skype-ip-finder.tk/</a>: just type in your target's Skype name and bingo, the IPs are even helpfully linked to! If the target is not currently online it does not seem to provide the last known address, only a current one. Please be cautious with this URL: I have not tested it for a browser payload etc. and wouldn't be surprised if something nasty awaits, so using it from a VM would be advisable.<br />
<br />
Also, if you are going to try the patched Skype, be 'super' cautious; some users have reported having their Skype accounts terminated.<br />
<br />
I appreciate that Skype is both free and P2P, meaning that IPs are often visible when in a conversation, file transfer etc., but at least then you are in a conversation with a 'known' person. This technique can be used by, and against, anyone with a Skype account, regardless of whether they are a buddy.<br />
<br />
I hope that Skype take a serious look at this; simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them. I for one really appreciate the Skype service and use it daily; however, I live in nice, reasonably safe England, not one of the many countries where it is used for secure comms, free from government intervention. For them alone, this needs to be solved.<br />
<br />
<br />Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com12tag:blogger.com,1999:blog-8795951467435737498.post-18055374364524951142012-02-15T10:48:00.000+00:002012-02-28T21:38:18.210+00:00Visualizing Online Investigations - LIVE<br />
<br />
This is my 3rd blog post on data visualization; it's becoming a bit of a hobby if I'm honest. It's really good fun! Aside from fun, I am beginning to believe that there is a significant future in enabling investigators and juries alike to ‘see’ data in a way that is meaningful and useful. In my last post I outlined how Facebook chat was graphed for an abuse case, and I had many interesting emails on the subject.<br />
<br />
There is a lot of work to do, but I decided to move on to a more challenging area: visualizing online data in a LIVE setting. It seemed that there were 2 areas worth looking at, Twitter and investigating web sites.<br />
<br />
For both of the examples below I used the free graphing tool <a href="http://www.gephi.org/" target="_blank">Gephi</a> with a variety of plugins. <br />
<br />
<b>Twitter</b><br />
<br />
I'm sure no one reading this needs an explanation of Twitter; however, there are situations where an investigator may want to use Twitter to understand how an event is panning out live. An example would be the police monitoring the ringleaders of a riot, or a journalist looking for the movers and shakers in a developing news event. <br />
<br />
An example of the latter came up when I was playing early on with live mapping of Twitter feeds. I had set a filter to intercept all #syria hashtags during the bombardment of the Syrian city of Homs. As the tweets passed 3000, a pattern began to appear in the spherical graph: a cluster around one tweeter who was being heavily retweeted. Zooming into the graph gave me his username. A bit of research indicated that this guy was in Homs at the time, tweeting what he was seeing in real time. If I were a journalist, I would want to talk to this guy.<br />
<br />
Using Gephi with a plugin written specifically for Twitter data, I started working with different filters and displays. The plugin taps into the global Twitter feed and applies the filter to decide what to capture. Eventually I got it sorted, and I have posted a slightly less serious example on YouTube with ‘appropriate’ music. I was working on it when I heard that Whitney Houston had sadly died. I quickly started a Twitter capture with hashtags associated with the singer and started a video screen capture. It is fascinating to watch the tweets arrive and clusters begin to take shape. Initially the busy tweeters were the news outlets such as CNN, but these were quickly replaced by ‘people’, some of whom were being very heavily retweeted.<br />
<br />
This is definitely a capability that many investigators should examine. Check out the Whitney video or watch it on YouTube - <a href="http://www.youtube.com/watch?v=E70smI9hY_I" target="_blank">http://www.youtube.com/watch?v=E70smI9hY_I</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/E70smI9hY_I/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/E70smI9hY_I?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="320" height="266" src="http://www.youtube.com/v/E70smI9hY_I?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash"></embed></object></div>
<br />
<br />
<br />
<b>Internet Investigations</b><br />
<br />
For any investigator, whether police, corporate investigator, social engineer or journalist, the ability to understand the web presence of their subject can be invaluable: being able to simply browse to the target's web site and see what links exist, what services are in use, who handles their credit cards, whether they use analytics, and so many other aspects.<br />
<br />
Again using Gephi, this time with an HTTP plugin, I set Firefox up to proxy through the plugin and started recording. Using Firefox I then browsed to the web site of OccupyWallSt.org and navigated through its pages. The results can be seen (with appropriate music again!) below or at YouTube - <a href="http://www.youtube.com/watch?v=oXgEEznpyvg" target="_blank">http://www.youtube.com/watch?v=oXgEEznpyvg</a>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/oXgEEznpyvg?feature=player_embedded' frameborder='0'></iframe></div>
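What the proxy recording captures is, at bottom, a list of (page, requested resource) pairs, and the graph is built from them. The following added example, written for this page and not taken from the original post or from the Gephi plugin, aggregates such a list into weighted page-host to resource-host edges, separates third-party hosts (analytics, payment forms, video embeds) from the site's own, and writes the Source,Target,Weight CSV that Gephi's importer accepts. The request list is constructed for illustration, the site under review is the reserved example.org, the other hosts merely stand in for the kinds of services one sees, and the 'same site' test is a crude last-two-labels comparison rather than a public-suffix lookup.<br />
<br />
```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a proxy recording: (page that triggered the
# request, URL requested). Built for this example, not captured from a site.
SAMPLE_REQUESTS = [
    ("http://example.org/", "http://example.org/"),
    ("http://example.org/", "http://example.org/static/site.css"),
    ("http://example.org/", "https://www.google-analytics.com/analytics.js"),
    ("http://example.org/", "https://www.google-analytics.com/collect?v=1"),
    ("http://example.org/", "https://cdn.example.org/logo.png"),
    ("http://example.org/donate.html", "http://example.org/donate.html"),
    ("http://example.org/donate.html", "https://www.google-analytics.com/collect?v=1"),
    ("http://example.org/donate.html", "https://checkout.payments-provider.example/form"),
    ("http://example.org/donate.html", "https://www.youtube.com/embed/abc123"),
]


def registrable_domain(host):
    """Crude 'site' key: the last two DNS labels. Adequate for .org/.com
    hosts; a real tool would consult the public-suffix list (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_host_graph(requests, site_url):
    """Aggregate requests into weighted (page_host, resource_host) edges and
    tally the resource hosts that do not belong to the site under review."""
    site = registrable_domain(urlsplit(site_url).hostname or "")
    edges = Counter()
    for page_url, resource_url in requests:
        page_host = urlsplit(page_url).hostname or ""
        resource_host = urlsplit(resource_url).hostname or ""
        if page_host and resource_host:
            edges[(page_host, resource_host)] += 1
    third_party = Counter()
    for (_, resource_host), weight in edges.items():
        if registrable_domain(resource_host) != site:
            third_party[resource_host] += weight
    return edges, third_party


def to_gephi_csv(edges):
    """Edge list with the Source,Target,Weight header Gephi's CSV importer reads."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Source", "Target", "Weight"])
    for (source, target), weight in sorted(edges.items()):
        writer.writerow([source, target, weight])
    return buf.getvalue()


if __name__ == "__main__":
    edges, third_party = build_host_graph(SAMPLE_REQUESTS, "http://example.org/")
    print(to_gephi_csv(edges))
    for host, hits in third_party.most_common():
        print("third party:", host, hits)
```
<br />
Feeding the real recording through this before it goes into Gephi gives you the counts behind the clusters: the host that beacons on every page (analytics) and the one that appears only on the payment page are both visible in the numbers, not just in the picture.<br />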
<br />
Forensic visualization is probably best used to see data more clearly in results gleaned from a disk or RAM dump etc. However, these live feeds provide a fascinating view of the world and an investigation tool that should not be overlooked.<br />
<br />
<br />Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-73392993250295741182011-12-17T16:08:00.000+00:002011-12-17T16:14:23.905+00:00Forensic visualization Part 2 - Court Case<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<b>Visualization gone serious</b><br />
<br />
I blogged some weeks back on research I was doing around visualization of forensic data, which was well received, with some very interesting comments from readers (both of you!). However, the week after the posting I was asked to be involved in the prosecution of a man accused of various forms of grooming, sexual assault, voyeurism etc. of several teenage girls at his community centre.<br />
<br />
The case has now concluded and the man received 4 years in prison, so a good result; however, I won't name the case as I refer to the victims and they deserve as much anonymity as possible.<br />
<br />
The case revolved around a large amount of Facebook chat between the accused and the girls, and between the girls themselves. Some of the chat was quite damning and, on the face of it, it was clear that he was using emotional blackmail to try to talk the girls, one in particular, out of coming forward with what had been happening.<br />
<br />
His defence regarding the Facebook chats was that the girls had logged in as him and had chats between themselves, implicating him in wrongdoing. <br />
<br />
I was asked to consider the workings of Facebook: could they log in at the same time as him on a different computer, would he have a record on his own machine, and what were the ‘relationships’ between the parties involved.<br />
<br />
The word ‘relationships’ got me thinking: could we visualize the data to ‘see’ the relationships, and would it be easier for a jury to understand and interpret? Now, it is easy to map out Facebook ‘Friends’; the excellent <a href="http://www.lococitato.com/facebookvisualizer/" target="_blank">Facebook Visualizer</a>, as well as the Facebook transform in <a href="http://www.paterva.com/web5/" target="_blank">Maltego</a>, will help with that task, but that doesn't really help us understand the activity that exists between those people. Although I'm not much of a Facebook user, I have loads of buddies on Skype, some of whom I haven't spoken to in years. Just because the accused and Girls A, B and C were on each other's Facebook lists, and the fact that there was some chat, doesn't ‘a relationship make’!<br />
<br />
I used IEF 4 (<a href="http://www.jadsoftware.com/?page_id=1083" target="_blank">Internet Evidence Finder</a>) to carve all the Facebook chats and fragments out of the 4 hard drives; it even did a great job on the accused’s Mac hard drive, and I was left with 4 CSV files with thousands and thousands of chats. Now to make some sense of it.<br />
<br />
I tidied up the CSVs, removing some of the metadata that I didn't need and essentially leaving just the FROM, TO and CHAT columns. Next I imported this data into Maltego as an edge-weighted graph. I expected this to cluster the chats around the person who made them, and it worked better than expected.<br />
<br />
Fig 1 shows the recovered chats on the accused’s computer and who he was talking to. Each orange dot is a person he has chatted with and the surrounding green dots are the individual chats. The primary cluster, centre left, is the accused with all his chats; being his machine, we would expect this to be the largest cluster. As we can see there are many chats to many different people; however, our eye is quickly drawn to the 2nd largest cluster on the centre right. This is the person he talks to more than anyone. Rolling our mouse over the orange dot in the centre of the cluster: surprise, surprise, it is our 13-year-old Girl B. The 3rd largest, at the bottom, is his best friend, but top right is Girl A. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb2WCTqChshxrfqBLdgKV_QgAse17hBzbs0ciuRAuFqfofqQZEXRWW9oT8ahQi32vae9MF_LXBE5A1INclZcdOsU1dpl_zOedekIgii-lDfDifrlym4yCgYbSvFSZhTYNcdvUp3ytDXEA/s1600/Screen+Shot+2011-11-03+at+10.48.30.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb2WCTqChshxrfqBLdgKV_QgAse17hBzbs0ciuRAuFqfofqQZEXRWW9oT8ahQi32vae9MF_LXBE5A1INclZcdOsU1dpl_zOedekIgii-lDfDifrlym4yCgYbSvFSZhTYNcdvUp3ytDXEA/s200/Screen+Shot+2011-11-03+at+10.48.30.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 1</td></tr>
</tbody></table>
<br />
<br />
This graph gives us an excellent tool, aside from just numbers and statistics, as to who was important to him in a Facebook setting. The question of whether this was just a girl or girls with a crush, and one-way traffic, is quashed by this graph: Girl B and Girl A are the 1st and 3rd most frequently communicated-with persons on his extensive Facebook buddy list.<br />
<br />
Encouraged by the success, I did the same process on the machine of Girl B. This time, as there were many different chat partners, I also removed the chats that only existed once or twice (the boy at school saying Hi, a friend inviting her to a party etc.) and which were not repeated with that person. The results in Fig 2 are fascinating:-<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpIqGDpj0bM9aRpDP1RIhkhMfL_0Vs-4ds1KcJFF_mbXN1kx337o6TmeZ8P-NHYwrSfFY77HttDX8iv7QrR7QF0Gc4bQoBzBRPChybRnkalTCdtlkT9GChwKl26clqACTvVGD-ypk-62s/s1600/Screen+Shot+2011-11-03+at+14.09.12.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpIqGDpj0bM9aRpDP1RIhkhMfL_0Vs-4ds1KcJFF_mbXN1kx337o6TmeZ8P-NHYwrSfFY77HttDX8iv7QrR7QF0Gc4bQoBzBRPChybRnkalTCdtlkT9GChwKl26clqACTvVGD-ypk-62s/s200/Screen+Shot+2011-11-03+at+14.09.12.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 2</td></tr>
</tbody></table>
<br />
<br />
The primary cluster is of course Girl B herself, but no prize for guessing which cluster is the accused? You’ve got it, the next biggest cluster, top left; in fact their chats are almost twice as many as with any other person. Remember we are talking about a teenage girl here with lots of people to chat to, and he was chatting with her more than twice as much as her best friends at school.<br />
<br />
I then moved on to looking at the relationships between all those involved. I again used Maltego and imported all the chats from all the machines but removed the actual chat text. This provided a link graph between the girls, the accused and their friends, also showing connections between those friends. I will not present that graph as it includes the names of the persons involved, but it showed the accused front and centre with chat connections to all the girls involved, and showed the connections between those girls and their friends. <br />
<br />
I felt this was very useful to a jury and so included it in my report to the prosecution barrister. It went on to form part of the jury pack so I can say that my graphs have made it to Court. Sadly, I was not called to give evidence on this occasion as the defense agreed all our findings and signed a statement to that effect. Shame really as I was looking forward to presenting this data in open Court and judging the reaction from a jury. Not that I am expecting wild applause and fist pumping whooping but it would be interesting all the same.<br />
<br />
So far I’ve been using Maltego but have been given a heads-up on other free tools that might do the same job. The primary tool is Gephi (thanks @danmcquillan for the tip), a superb, free graphing application for Windows or Mac which supports many different output graphs. So far I'm liking it; it takes a little more work pre-application as you need to define your Nodes and Edges for it to successfully graph the links. I’ve also had problems with the Preview and output elements, which keep crashing. I need to pop a message on the forums really.<br />
<br />
<br />
<b>A Bump on the Node</b><br />
<br />
<br />
Just for your information, the visualization industry seems to be dominated by research groups in universities ‘visualizing’ everything that moves and then posting it on YouTube with no information about how it was done except the message ‘Aren’t we clever!’. <br />
<br />
However, if you want to learn about it you appear to need a brain the size of a planet, a doctorate in statistics and a student card. It is a very difficult area to start learning as a beginner. For example, search Google for - <a href="http://www.google.co.uk/search?q=what+are+edges+and+nodes&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-GB:official&client=firefox-a" target="_blank">What are Nodes and Edges</a>. Go on, try it. The top link is Wikipedia, which presents you with a series of equations that make up graph theory. It's a nightmare.<br />
<br />
Anyway, for those of you out there with a shrivelled 40-something brain like me, a Node is an element such as a person on my graphs and the Edges are the links between them. <br />
<br />
E.g.<br />
<br />
I am Nick Furneaux.<br />
My friends are Ed, Toby and Chris.<br />
I talk to Ed and Toby.<br />
I never talk to Chris.<br />
<br />
The Nodes are:-<br />
<br />
Nick<br />
Ed<br />
Toby<br />
Chris<br />
<br />
The Edges are:-<br />
<br />
Nick - Ed<br />
Nick - Toby<br />
<br />
The graph would show links between me and Ed and Toby but Chris would be an unlinked orphan node floating around the graph on his own. Sorry Chris.<br />
<br />
Clear? Good.<br />
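The same nodes-and-edges idea applied to the FROM/TO chat rows described earlier in this post, as an added Python example (not the author's Maltego workflow): it weights each pair by chat count, drops the one-off conversations, ranks a person's contacts, and writes the node and edge tables for Gephi. The CSV rows are constructed, and the Gephi column names (Id, Label, Source, Target, Weight, Type) are my assumption about its spreadsheet import.

```python
"""Build an edge-weighted chat graph from IEF-style FROM/TO/CHAT rows.

Added example, not the author's code. The CSV layout (FROM, TO, CHAT
columns) and the sample rows are constructed for illustration; real IEF
exports carry more metadata, which the post says was stripped first.
"""
import csv
import io
from collections import Counter

# Constructed sample: a handful of Facebook-style chat fragments.
SAMPLE_CSV = """FROM,TO,CHAT
Nick,Ed,hi
Ed,Nick,hello
Nick,Toby,lunch?
Nick,Ed,tomorrow?
Toby,Nick,sure
Chris,Nick,hey
"""


def load_chats(text):
    """Parse FROM/TO/CHAT rows; returns a list of (sender, recipient, message)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((rec["FROM"].strip(), rec["TO"].strip(), rec["CHAT"]))
    return rows


def build_graph(chats, min_weight=1):
    """Return (nodes, edges).

    nodes: every person seen as sender or recipient, orphans included
           (Chris in the post's lesson: a node with no surviving edge).
    edges: {(a, b): count} with a < b, i.e. undirected, weighted by the
           number of chats between the pair. Pairs with fewer than
           min_weight chats are dropped, which is the post's trick of
           removing one-off 'Hi' conversations before graphing.
    """
    nodes = set()
    weights = Counter()
    for sender, recipient, _ in chats:
        nodes.update((sender, recipient))
        weights[tuple(sorted((sender, recipient)))] += 1
    edges = {pair: n for pair, n in weights.items() if n >= min_weight}
    return nodes, edges


def contacts_by_weight(edges, person):
    """Rank who `person` talks to most: the 'largest cluster' question."""
    counts = Counter()
    for (a, b), n in edges.items():
        if person in (a, b):
            counts[b if a == person else a] += n
    return counts.most_common()


def orphan_nodes(nodes, edges):
    """Nodes left with no edge at all after pruning."""
    linked = {p for pair in edges for p in pair}
    return sorted(nodes - linked)


def to_gephi_csv(nodes, edges):
    """Emit the two tables Gephi wants (assumed column names): nodes as
    Id,Label and edges as Source,Target,Weight,Type. Returned as strings
    so the caller decides where in the case file they are written."""
    node_buf, edge_buf = io.StringIO(), io.StringIO()
    nw = csv.writer(node_buf)
    nw.writerow(["Id", "Label"])
    for n in sorted(nodes):
        nw.writerow([n, n])
    ew = csv.writer(edge_buf)
    ew.writerow(["Source", "Target", "Weight", "Type"])
    for (a, b), w in sorted(edges.items()):
        ew.writerow([a, b, w, "Undirected"])
    return node_buf.getvalue(), edge_buf.getvalue()


if __name__ == "__main__":
    chats = load_chats(SAMPLE_CSV)
    nodes, edges = build_graph(chats, min_weight=2)
    print("Nick's contacts by chat count:", contacts_by_weight(edges, "Nick"))
    print("Orphans after pruning:", orphan_nodes(nodes, edges))
    print(to_gephi_csv(nodes, edges)[1])
```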
<br />
Here endeth the lesson!Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com4tag:blogger.com,1999:blog-8795951467435737498.post-41148320735243198642011-10-26T14:35:00.002+01:002011-10-26T14:37:34.163+01:00Evidence visualisation<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQtQoc1lRxZs6GOYsKIllqSgTYbXDPo9gsYBSTNBkT7lhqpKNChXF4lTaM8YhSAynVnGpoTgS62v1HtFKYEK6hk7smctl24a1hX0jXFUtak6hUlahgD6OyQtMyUbVwKYB1-Jk_7p07yw/s1600/Screen+Shot+2011-10-25+at+14.26.12.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQtQoc1lRxZs6GOYsKIllqSgTYbXDPo9gsYBSTNBkT7lhqpKNChXF4lTaM8YhSAynVnGpoTgS62v1HtFKYEK6hk7smctl24a1hX0jXFUtak6hUlahgD6OyQtMyUbVwKYB1-Jk_7p07yw/s200/Screen+Shot+2011-10-25+at+14.26.12.png" width="200" /></a></div>
I've been doing a load of research on trying to easily visualize digital forensic data, with the hope that patterns, frequencies and clusters would stand out easily. There are already excellent tools that do a great job, primarily for email, such as <a href="http://www.nuix.com/">NUIX</a> and <a href="http://www.vound-software.com/">Intella</a>, but these are pretty expensive beasts. You can also look at software such as i2's Analyst Notebook, but now we are talking stratospheric money, out of my league.<br />
<br />
My mind was focused when a friend at the Met Police introduced me to a new tool called <a href="http://www.afflib.org/">Bulk Extractor</a> from <a href="http://simson.net/page/Main_Page">Simson Garfinkel</a>, which scans across an image and extracts data strings, very quickly, based on a plugin structure. I set out to run Bulk Extractor against a RAM image and had tremendous results. The tool will extract email addresses, URLs, search terms, credit card numbers, telephone numbers and others, and does so with aplomb. The tool generates a list of text files which can be analyzed with the Bulk Extractor Viewer. You can run it against disk images, phone memory dumps and RAM. This is great, but when faced with a list of 10,000+ URLs, where do you start? This is where some visualisation help really comes in.<br />
<br />
After a lot of looking around I came back to a tool I have used many times, <a href="http://www.paterva.com/">Maltego</a>. Maltego is primarily used for the enumeration of Internet data, connecting IPs, WHOIS, email and domain information to enable the mapping of an online infrastructure. It also enables the importing and graphing of text/csv files.<br />
<br />
I ran Bulk Extractor against an old 512 MB RAM dump and amongst other things it extracted URL links between over 3000 IP addresses. Normally I would move on quietly(!); however, I tidied up the columns in Excel and imported them into Maltego, mapping the URL address columns. This is what I saw:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_t7se1MvoNEaXtCqeYYA1sdB9SkEVgrK55TU9PymOhrcR0JRB6EujlLvHNm8NlkXXusGcgnVcBmv1vNGgGuuWzeYFAiqYcQzwuI47v5_ZEz5EcJvIZp-qKVa2OjqUahaiwAikb0HTQqU/s1600/Screen+Shot+2011-10-25+at+13.56.54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_t7se1MvoNEaXtCqeYYA1sdB9SkEVgrK55TU9PymOhrcR0JRB6EujlLvHNm8NlkXXusGcgnVcBmv1vNGgGuuWzeYFAiqYcQzwuI47v5_ZEz5EcJvIZp-qKVa2OjqUahaiwAikb0HTQqU/s400/Screen+Shot+2011-10-25+at+13.56.54.png" width="400" /></a></div>
<br />
Each little cluster represents URLs linking to a central URL in the hub. A quick look shows the most popular URLs at the top with many links. Straight away the list of 3,000 is somewhat more manageable if we are interested in popular links.<br />
<br />
Zooming down we see:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtJtocdQspRJVRWS9IwH-b8Ct2qNo2gDhxZVsVtVthOfu-ndwBRnealsptdIsRhPBbVVeiqR0BOFje5kbVWfjoC8eFyQM5Q1Vp0NBQ2HtMfkANrj8vQw9WgMvxF2ClkI09-dGmXSFvkSI/s1600/Screen+Shot+2011-10-25+at+13.58.42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtJtocdQspRJVRWS9IwH-b8Ct2qNo2gDhxZVsVtVthOfu-ndwBRnealsptdIsRhPBbVVeiqR0BOFje5kbVWfjoC8eFyQM5Q1Vp0NBQ2HtMfkANrj8vQw9WgMvxF2ClkI09-dGmXSFvkSI/s400/Screen+Shot+2011-10-25+at+13.58.42.png" width="400" /></a></div>
<br />
Although a tad tricky to see, there are little links between the nodes, with URL addresses linking to the primary URL. We simply draw around a cluster and then we see:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh65_Na6V2UJY4RjTs1CcLVZutmbm9sTOX7pYxEXMmpSF5PPdot-zdYKtmBT7boRAR4CrLCmCOwfCkgwMxvAAf5TubwdhCUYGHVcS3UsZt8X7Uu4zcl1N7KlN767mPr1CLmFE0DwazFIrY/s1600/Screen+Shot+2011-10-25+at+13.58.07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh65_Na6V2UJY4RjTs1CcLVZutmbm9sTOX7pYxEXMmpSF5PPdot-zdYKtmBT7boRAR4CrLCmCOwfCkgwMxvAAf5TubwdhCUYGHVcS3UsZt8X7Uu4zcl1N7KlN767mPr1CLmFE0DwazFIrY/s400/Screen+Shot+2011-10-25+at+13.58.07.png" width="400" /></a></div>
<br />
Although the URLs linking in are hard to see, believe me they are there, showing all the URLs that link to the central Mozilla.org URL. How cool is that?<br />
<br />
Next I thought IP addresses would be fun, except we had over 10,000 entries from the one RAM dump. However, it mapped very well:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQtQoc1lRxZs6GOYsKIllqSgTYbXDPo9gsYBSTNBkT7lhqpKNChXF4lTaM8YhSAynVnGpoTgS62v1HtFKYEK6hk7smctl24a1hX0jXFUtak6hUlahgD6OyQtMyUbVwKYB1-Jk_7p07yw/s1600/Screen+Shot+2011-10-25+at+14.26.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQtQoc1lRxZs6GOYsKIllqSgTYbXDPo9gsYBSTNBkT7lhqpKNChXF4lTaM8YhSAynVnGpoTgS62v1HtFKYEK6hk7smctl24a1hX0jXFUtak6hUlahgD6OyQtMyUbVwKYB1-Jk_7p07yw/s400/Screen+Shot+2011-10-25+at+14.26.12.png" width="400" /></a></div>
<br />
Again there are some very obvious clusters which may be of interest. Scrolling in we see a very definite structure:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXj9uvF41ITpdYGuJHrsCFLm63lgb8jJKmdyyTzXc0weANzcPpkH2x14nuletfTkPuTNJPpexRpy0qaM36YwZdHNVQwlVbL-8FYyK1qEWaF9Q3vc14c_u30HNaLCnAAHlrs589U-URGaI/s1600/Screen+Shot+2011-10-25+at+14.06.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXj9uvF41ITpdYGuJHrsCFLm63lgb8jJKmdyyTzXc0weANzcPpkH2x14nuletfTkPuTNJPpexRpy0qaM36YwZdHNVQwlVbL-8FYyK1qEWaF9Q3vc14c_u30HNaLCnAAHlrs589U-URGaI/s400/Screen+Shot+2011-10-25+at+14.06.04.png" width="373" /></a></div>
<br />
Scrolling in further we see all the interconnected IPs, with a very interesting structure of clusters grouped together into super-clusters.<br />
<br />
Further again and we see the individual addresses:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW1X_rhqGE2YQrAluRNCnryMQueD-LbQMV7-s0OJTxEkK2mNlVukqQM8UbDJr5NBBylQnx3mDvxWNS4ge_ACX_JO9GHdU2sEfNdbnb2yVKilchcWlS1n55ssgckMrRJ5pRbenrvIBJcdo/s1600/Screen+Shot+2011-10-25+at+14.06.21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW1X_rhqGE2YQrAluRNCnryMQueD-LbQMV7-s0OJTxEkK2mNlVukqQM8UbDJr5NBBylQnx3mDvxWNS4ge_ACX_JO9GHdU2sEfNdbnb2yVKilchcWlS1n55ssgckMrRJ5pRbenrvIBJcdo/s400/Screen+Shot+2011-10-25+at+14.06.21.png" width="400" /></a></div>
<br />
Now we can see each individual connected IP and their port numbers. Now Maltego really comes into its own. We select the centre of the cluster and select the Transform to reverse-lookup the domain and TLD. As if by magic the graph redraws this cluster and we get:-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcbG7c24jnScH_zPNloFmhu5xDnzIR3IZZZhKOPDbKZa0h9QO_nGYgt265p2cln7vtYQ532mHe-vUgsZJ4OOMOKU9pr3MgveL6ZrB_0tzI09nD-4VhFiaaOu-W4sRjSMtHjvwptheWRQ/s1600/Screen+Shot+2011-10-25+at+14.10.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcbG7c24jnScH_zPNloFmhu5xDnzIR3IZZZhKOPDbKZa0h9QO_nGYgt265p2cln7vtYQ532mHe-vUgsZJ4OOMOKU9pr3MgveL6ZrB_0tzI09nD-4VhFiaaOu-W4sRjSMtHjvwptheWRQ/s400/Screen+Shot+2011-10-25+at+14.10.12.png" width="400" /></a></div>
<br />
We now can see that all of these IPs are referencing back to Yahoo.com and it is a very popular cluster in the RAM dump.<br />
<br />
Being able to 'see' data in this way can help the investigator to quickly zone in on the important areas, seeing, if you like, the wood for the trees.<br />
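A text-only version of the hub view above, as an added Python example that is neither the author's nor bulk_extractor's code: it parses a url.txt feature file (assumed layout: '#' header lines, then tab-separated offset, feature, context), ranks hosts by how many extracted URLs point at them, lists the URLs behind one hub, and collapses hosts onto parent domains the way the reverse-lookup Transform did for Yahoo. The records and header lines are constructed.

```python
"""Rank the 'hub' hosts in a bulk_extractor url.txt feature file.

Added example, not the author's or bulk_extractor's code. It assumes the
feature-file layout as I know it: '#' comment/header lines, then one
tab-separated 'offset<TAB>feature<TAB>context' record per line. The
sample records below are constructed, not taken from a real RAM image.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the header and record layout of url.txt.
SAMPLE_URL_TXT = """# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: url
# Filename: ram.dd
1024\thttp://www.mozilla.org/en-US/firefox/central/\t...
2048\thttp://www.mozilla.org/en-US/about/\t...
3072\thttps://login.yahoo.com/config/login\t...
4096\thttp://mail.yahoo.com/\t...
5120-GZIP-32\thttp://www.mozilla.org/en-US/firefox/central/\t...
6144\thttp://ad.example.net/track?id=1\t...
"""


def parse_feature_file(text):
    """Yield (offset, feature) pairs, skipping header comments and
    malformed lines rather than aborting on a multi-million-line file."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        yield parts[0], parts[1]


def host_of(url):
    """Lower-cased host without scheme or port; '' if the URL is unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def rank_hubs(text):
    """Return [(host, hits, distinct_urls)] sorted most-popular first.

    A 'hub' in the post's Maltego graph is a host that many extracted
    URLs point at. Counting both raw hits and distinct URLs separates a
    host that appears in a thousand copies of one page from a host that
    was actually visited widely.
    """
    hits = Counter()
    distinct = defaultdict(set)
    for _, url in parse_feature_file(text):
        h = host_of(url)
        if not h:
            continue
        hits[h] += 1
        distinct[h].add(url)
    return sorted(((h, n, len(distinct[h])) for h, n in hits.items()),
                  key=lambda t: (-t[1], -t[2], t[0]))


def urls_for_host(text, host):
    """The 'draw around a cluster' step: every distinct URL on one hub."""
    return sorted({url for _, url in parse_feature_file(text)
                   if host_of(url) == host})


def group_by_domain(ranked):
    """Collapse hosts onto their parent domain, the reverse-look-up view
    from the post (login.yahoo.com and mail.yahoo.com both -> yahoo.com).
    Uses the last two labels, which is wrong for ccTLDs such as .co.uk;
    a public-suffix list would be needed for those."""
    by_domain = Counter()
    for host, n, _ in ranked:
        labels = host.split(".")
        by_domain[".".join(labels[-2:])] += n
    return by_domain.most_common()


if __name__ == "__main__":
    ranked = rank_hubs(SAMPLE_URL_TXT)
    for host, hits, distinct in ranked:
        print(f"{hits:4d} hits  {distinct:3d} distinct  {host}")
    print("Top hub URLs:", urls_for_host(SAMPLE_URL_TXT, ranked[0][0]))
    print("By domain:", group_by_domain(ranked))
```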
<br />
I'm now doing work on mapping outputs from Volatility and will blog again in a few days.<br />
<br />
Cheers<br />
<br />
Nick FurneauxNick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com2tag:blogger.com,1999:blog-8795951467435737498.post-57673523420424351132011-09-14T10:02:00.000+01:002011-09-14T10:02:03.194+01:00Downloading files on your iPhoneI just cannot believe how long it's been since a blog post; there are just not enough hours in a day. Then, when I do pop a post up, it's nothing to do with forensics, great!<br />
<br />
I wondered if you have ever had the issue of browsing on your iPhone when you find just the file you are looking for, perhaps a tar, zip, dmg or some other file type that the iPhone does not let you download but that you don't want to browse away from and risk losing for good. I've found a simple way to achieve it.<br />
<br />
If you download the Dropbox app it becomes an option to 'Open with' when browsing the web. Simply:-<br />
<br />
1. Browse to the file you want to download<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWvJ4fIE9K6RmrzyfYzyW-wulQVdItf8h9l11qHm_gKAK0quuA0S7-V1JcKZ-YWUbhcVDSanYAE7aj8AG07A3EFSRrYL7YRfLe0UrDUc0onJkSs4ECPG1b-VOJcSaoGZir7Auc9Gz9Aj4/s1600/IMG_0587.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWvJ4fIE9K6RmrzyfYzyW-wulQVdItf8h9l11qHm_gKAK0quuA0S7-V1JcKZ-YWUbhcVDSanYAE7aj8AG07A3EFSRrYL7YRfLe0UrDUc0onJkSs4ECPG1b-VOJcSaoGZir7Auc9Gz9Aj4/s320/IMG_0587.jpg" width="213" /></a><br />
<br />
2. Select Open in Dropbox from the screen and it will copy the file from the site to your Dropbox account, letting you access it from your computer later.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNK1EmCD7Vb2FBNYZ_qv7cO0JRzLnEoxoSCjCwEFHP-KoxASf4AxlC50uzvgUqeKSafqlfRDmZ9g3ALswxW0hXWZdRznPz-G5GW2tA1maJA8YqIh7twvQqqOXArSP0Xw0h35qXeYLlMI0/s1600/IMG_0588.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNK1EmCD7Vb2FBNYZ_qv7cO0JRzLnEoxoSCjCwEFHP-KoxASf4AxlC50uzvgUqeKSafqlfRDmZ9g3ALswxW0hXWZdRznPz-G5GW2tA1maJA8YqIh7twvQqqOXArSP0Xw0h35qXeYLlMI0/s320/IMG_0588.jpg" width="213" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwNTx_e9woPh9ftriDuBj0x_bU9VoCjZeUwwdWQLRv4OcnHhITjm2lfP1G5nt_68ktUS69-z5vlezd86DtxRSwSbVeo-3ftpnRZxjn0DFmqoCKYutxY3XToBfbCv_GkhZaHae_qC2l7AY/s1600/IMG_0590.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwNTx_e9woPh9ftriDuBj0x_bU9VoCjZeUwwdWQLRv4OcnHhITjm2lfP1G5nt_68ktUS69-z5vlezd86DtxRSwSbVeo-3ftpnRZxjn0DFmqoCKYutxY3XToBfbCv_GkhZaHae_qC2l7AY/s320/IMG_0590.jpg" width="213" /></a></div>
It's already proving to be very handy indeed. Give it a go.<br />
<br />
One other small thing, if you hold down shift on your Mac whilst minimising or maximising a window it does it in cool slow-mo! Who knew!Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-63355775726953540712011-03-31T22:23:00.004+01:002011-03-31T22:43:59.135+01:00Intel SSD's have default AES encryption - worried?<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwcNGTwTAdDyKCzb78hQgp7JRzjOuur32hdK2O4NUzlROnLJ4IBL_EIn-b60vd-T_s1c9OubVwVqHZVPQW13k8BlACNeP-6nIoZxCbdlrdLDclnCP1zBOkmNjz3TYg2YuLoeVAxAfx85U/s1600/intel-320-series-ssds%252CD-C-286896-1.jpg"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 200px; height: 128px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwcNGTwTAdDyKCzb78hQgp7JRzjOuur32hdK2O4NUzlROnLJ4IBL_EIn-b60vd-T_s1c9OubVwVqHZVPQW13k8BlACNeP-6nIoZxCbdlrdLDclnCP1zBOkmNjz3TYg2YuLoeVAxAfx85U/s320/intel-320-series-ssds%252CD-C-286896-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5590360379485313298" border="0" /></a><br />Intel have announced their range of new SSDs with a range of security and data stability tools, the 320 range. They include sizes from 40gig to 600gig (if you have the money!) and my experience is that they are crazy fast. Putting your OS on one of these would make a huge difference to the speed of the overall machine.<br /><br />However, Intel state that they come with a default AES 128 full disk encryption system which apparently successfully finds the trade-off between speed and encryption/decryption. The thought of new machines coming already set up with an AES flavour is enough to make the average digital investigator hang up his mouse and go stack shelves in Sainsbury's (small print - other supermarkets also offer shelf stacking opportunities). 
Should we be worried?<br /><br />No.<br /><br />It is true that the disk, out of the box, comes running an AES 128 key providing full disk encryption. However, plug the disk into your machine and it will run with no seeming encryption involved at all. How so? Simply because there is no user key set up by default. To make the encryption 'work' as a security layer the user has to set up an ATA BIOS user password to secure the encryption key. Don't set up a BIOS password, no useful encryption. Excellent!<br /><br />You can check out the security document <a href="http://newsroom.intel.com/.../Intel_SSD_320_Series_Data_Security_Features_Technology_Brief.pdf">here</a>.<br /><br />Knowing bad guys, and most of us have the misfortune of knowing their computers rather well, they are notoriously mistrusting of encryption and it is unlikely that the computer they buy will come with a big sticker saying how vital it is that they set a BIOS password. Indeed, many people, believing that they are experts, will read the drive specs, see AES 128 and believe that they are more secure than NASA. All of which makes me think I should delete this blog post? Ah well, no one reads it!Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com10tag:blogger.com,1999:blog-8795951467435737498.post-48509218274962036692011-03-04T10:11:00.004+00:002011-03-04T10:20:41.763+00:00Exif and GPS data on a MacI was kicking around yesterday looking for a decent Exif viewer for the Mac. I found one or two but they didn't support extraction of GPS data. Turns out my time was wasted, as OSX supports and reports Exif data including GPS location data.<br /><br />Step 1. Open your image in Preview.<br /><br />Step 2. Cmd-i to open the Inspector<br /><br />Step 3. 
Click the 'i' tab and select the Exif or GPS button<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWs2N-v7mW3eq1RdVOdU2w8mcFFB4110t9Mtz9C4OJiQ2oKDY2zANZDPjfotLq4-l78s7CbP5Zpodt9tc96jeiKzUIWnsTbLlQ5t1cVFhfaIY05Fg0b5jZSSWTXsST6FUxwFwyvN5Yv0g/s1600/Screen+shot+2011-03-04+at+10.16.52.png"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 167px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWs2N-v7mW3eq1RdVOdU2w8mcFFB4110t9Mtz9C4OJiQ2oKDY2zANZDPjfotLq4-l78s7CbP5Zpodt9tc96jeiKzUIWnsTbLlQ5t1cVFhfaIY05Fg0b5jZSSWTXsST6FUxwFwyvN5Yv0g/s200/Screen+shot+2011-03-04+at+10.16.52.png" alt="" id="BLOGGER_PHOTO_ID_5580167142289756594" border="0" /></a><br />It even has a 'Locate' button to fire the coordinates up in Google Maps. Simple and brilliant.<br /><br />Although there isn't an export feature, the dialogue does allow you to copy and paste the data out into a text program.<br /><br />Gotta love your Mac!Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-54902988593348247882011-02-16T22:23:00.002+00:002011-02-16T22:34:50.438+00:00Volatility 1.4This is just an initial post about the beta availability of Volatility 1.4. I've been teaching 1.3 as part of my Advanced Live Forensics course for 18 months or so, but it only supports XP SP2 and 3 RAM images. The devs and helpers at <a href="www.volatilesystems.com">www.volatilesystems.com</a> have been toiling over the new 1.4 version for some while and it's great to at last have a play with it.<br /><br />First things first, you can find proper 'how to' resources at <a href="http://code.google.com/p/volatility/">http://code.google.com/p/volatility</a>/ but downloads are currently limited to within svn. If this is new to you it's easy enough. 
If you are using a Mac with Snow Leopard just open a terminal and type 'svn checkout http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1'. This will download the 1.4 version and put the Volatility files in your user root folder.<br /><br />Once downloaded just 'cd Volatility-1.4_rc1'. Anyone used to the old version will see a small difference in the running of the commands. Instead of-<br /><br />python volatility pslist -f [pathtoRAM]<br /><br />..you have quite a different syntax. It breaks down like this-<br /><br />python vol.py [plugin] --profile=[PROFILE] -f [image]<br /><br />vol.py replaces the old volatility framework command<br />plugin is the command such as pslist, psscan2 etc<br />profile is completely new but a vital component of the new framework. All RAM images except those from Windows XP SP2 x86 should have the profile defined with the --profile switch. The BasicUsage document lists them as:-<br /><br />PROFILES<br />--------<br />VistaSP0x86 - A Profile for Windows Vista SP0 x86<br />VistaSP1x86 - A Profile for Windows Vista SP1 x86<br />VistaSP2x86 - A Profile for Windows Vista SP2 x86<br />Win2K8SP1x86 - A Profile for Windows 2008 SP1 x86<br />Win2K8SP2x86 - A Profile for Windows 2008 SP2 x86<br />Win7SP0x86 - A Profile for Windows 7 SP0 x86<br />WinXPSP2x86 - A Profile for Windows XP SP2<br />WinXPSP3x86 - A Profile for windows XP SP3<br /><br />So running a basic pslist against myram.dd imaged from a Windows XP SP3 box would look like this-<br /><br />python vol.py pslist --profile WinXPSP3x86 -f myram.dd<br /><br />In the previous version outputting the results to a file could be achieved by using '>' or '>>' to output to a text file etc such as - <br /><br />python volatility pslist -f myram.dd >> pslist.txt<br /><br />However, in 1.4 we have many more options, by adding - <br /><br />--output= you can specify numerous output types if the module being invoked supports it. 
This includes -<br /><br />--output=text<br />--output=html<br />--output=csv<br /><br />To check what a module/plugin supports just check help - python vol.py pslist --h and look for the output section.<br /><br />You can add - <br /><br />--output-file=myoutputfile.csv to name your output file. So our previous command line could look like this - <br /><br />python vol.py pslist --profile WinXPSP3x86 -f myram.dd --output=text --output-file=myfile.txt<br /><br />That should get you started.<br /><br />There are also some exciting new modules to play with such as bioskbd, a plugin based on <a href="http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more">Andreas Schuster's work</a>. It enables the reading of input text from the BIOS area of memory, which can include the BIOS password or even Full Disk Encryption passwords. Check out the link to Andreas' site for more information. This plug-in has apparently been around for a while but I'd completely missed it. If you do check it out take note that some RAM dumping tools don't image that area of RAM. For example, if you are using Matthieu Suiche's win32dd tool you need to add '-t 1' to grab page zero.<br /><br />Also there are some exciting malware analysis plugins such as svcscan, which can list Windows services from both usermode and kernelmode, and also ldrmodules for detecting unlinked DLLs.<br /><br />Anyway, that's all for now, I'll try and post more in due course once I've had a proper play.<br /><br />NickNick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com1tag:blogger.com,1999:blog-8795951467435737498.post-15359352677471622011-01-20T14:24:00.004+00:002011-01-20T14:38:57.806+00:00Mac Ram DumpsWell it's finally happened, at last a tool to dump RAM from OSX. 
Big thanks to <a href="http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-home">ATC-NY</a> for their Mac Memory Reader which can be downloaded for free <a href="http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader">here</a>.<br /><br />The tool is very easy to use, simply unpack and open a terminal.<br /><br />cd to the folder MacMemoryReader (for newbies, something like - cd /Users/name/Desktop/MacMemoryReader)<br /><br />Run - sudo ./MacMemoryReader filename<br /><br />..where the 'filename' is the path to a connected storage device<br /><br />You will be prompted for your admin password and off it will go.<br /><br />Remember to check that your connected storage has enough space for the entire RAM dump.<br /><br />If you want to feel part of the action you can throw a -g into the command line and it will provide a percentage notifier.<br /><br />The program outputs a Mach-O raw file which should respond well to data carvers and the like. Well, I've only conducted a couple of tests but <a href="http://www.cgsecurity.org/wiki/PhotoRec">Photorec</a> and <a href="http://foremost.sourceforge.net/">Foremost</a> do a cracking job of getting at the files. They both successfully retrieved HTML, jpg, zips and a whole variety of other files including web pages going back 3 months. My 8 Gig of RAM offered up over 38000 files. Many of them were fairly uninteresting txt files so you need to wade through to find the good stuff.<br /><br />If you are trying Foremost just bear in mind the 3Gig limit; perhaps take a look at Scalpel.<br /><br />The next step is to start looking for running process information, fairly critical in basic RAM analysis. 
I'm away teaching next week so will have some evening time to play.<br /><br />I'll try and blog again soonNick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-12031137018373270192010-07-20T14:36:00.003+01:002010-07-20T15:08:59.734+01:00I Won Something!I've never been big on entering competitions, mostly because maths gets in the way. You do a quick calculation on the odds of winning anything of note and realise your time is better spent working to actually earn some money the old-fashioned way.<br /><br />It was rather a surprise to learn that I'd been shortlisted on the <a href="http://forensic4cast.com/2010/07/09/forensic-4cast-awards-results-forensicsummit/">Forensic4Cast awards</a> as Digital Investigator of the Year. It was even more surprising to win it! I would have loved to have been in Washington for the award ceremony but there we go.<br /><br />Anyway, thanks to Forensic4Cast and everyone that voted for me, I'm over the moon, and looking forward to getting the award.<br /><br />Thanks also to my makeup artist, my parents for all their hard work and Yoda for sticking with me throughout my Jedi training. I may cry.Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com1tag:blogger.com,1999:blog-8795951467435737498.post-83880739871194547412010-06-18T18:07:00.002+01:002010-06-18T18:10:51.850+01:00Im Famous, or infamous, or neither.Short blog this time with some shameless electioneering. I've been shortlisted as Digital Forensic Investigator of the Year.<br /><br />Visit <a href="http://forensic4cast.com/2010/06/16/forensic-4cast-awards-2010-voting-is-open/">http://forensic4cast.com/2010/06/16/forensic-4cast-awards-2010-voting-is-open/</a> to vote. 
Doesn't have to be for me of course!Nick Furneauxhttp://www.blogger.com/profile/17224384959913801461noreply@blogger.com0tag:blogger.com,1999:blog-8795951467435737498.post-33042128410031040382010-05-12T15:46:00.007+01:002010-05-12T17:25:54.553+01:00OSX RAM Acquisition<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIEFsd-YwHl719DX6xuXLpWrVdvpTlRsxs-_FLQHNbWsIKSvJZlFV3RZ5QciXCXmFqW3g2IXQfHs4fjRX2f6R_cKCiNnjjLYH300oLK_CAfxjqH0F9P3Y80f0KXlkmV3sqa5JGDn7uNc4/s1600/osxbox"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 200px; height: 192px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIEFsd-YwHl719DX6xuXLpWrVdvpTlRsxs-_FLQHNbWsIKSvJZlFV3RZ5QciXCXmFqW3g2IXQfHs4fjRX2f6R_cKCiNnjjLYH300oLK_CAfxjqH0F9P3Y80f0KXlkmV3sqa5JGDn7uNc4/s200/osxbox" border="0" alt="" id="BLOGGER_PHOTO_ID_5470418312413557106" /></a><br />Acquisition of OS X RAM is a bit of a holy grail of memory analysis, quite simply because no-one has done it, or has admitted to it. It is always good form to realize that whatever we think of as secure has probably been undermined by Dark Forces working from <a href="http://12121.hostinguk.com/peace%20003.htm">bunkers under grassy fields</a>, or desert, or tundra depending on your Government Agency of choice.<br /><br />In Leopard there were some significant weaknesses in OS X RAM, well researched and documented by <a href="http://www.theta44.org/research.html">Dai Zovi</a> (We're not worthy!) who demonstrated in 2009 a number of different attacks on the OS through the poorly implemented memory stack, which enabled heap-allocated memory to be executable, unlike Vista/7 etc - Windows more secure - who knew!!<br /><br />Snow Leopard with its 64-bit architecture has gone a long way to solve that. But with the incredible amount of information available from a Windows RAM dump it would be great to achieve the same from a Mac. 
Work has been done with DMA (Direct Memory Access) via FireWire, which can theoretically work, and some researchers had some success with Leopard, but it's all gone quiet with Snow Leopard. So where does that leave us?<br /><br />Well, unless you are prepared to <a href="http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900">freeze the chips</a> you need to acquire the RAM whilst the machine is live. On a Linux machine you can simply dd /dev/mem and /dev/kmem, but no such luck with OS X.<br /><br />For the time being our best bet is the OS X counterpart of hiberfil.sys. In Windows, hiberfil is a file generated in the root of C: when the PC is put into the hibernate state. The resulting file can be converted into a raw RAM dump using either the tools from <a href="http://www.msuiche.net/">Matthieu Suiche</a> with the Sandman project or the version produced for <a href="https://www.volatilesystems.com/">Volatility</a>. OS X has a similar file called sleepimage. You can see if your Mac has one at the moment by doing the following:-<br /><br />Open Terminal and type:<br /><pre>cd /var/vm
ls</pre><br />If your machine has been hibernated you should see a sleepimage file with a file size that is the same as your RAM.<br /><br />If you come up against a running Mac and will be seizing it then it is possible to force the machine to create the sleepimage file.<br /><br />Suggested 'Forensic' methodology:-<br /><br />Open Terminal and type:<br /><pre>sudo pmset -a hibernatemode 1</pre><br />When you shut the lid it now creates a hibernate file and shuts the machine down rather than putting it into sleep mode. The problem is that it will likely ask for the admin password. You could run <a href="http://subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=200&products_id=195">MacLockpick</a>, which will extract the Keychain and possibly give you the password you need.
<br /><br />Next, you need to set it back:<br /><pre>sudo pmset -a hibernatemode 3</pre><br />Shut the lid, take the machine.<br /><br />Now simply image the drive as normal, extract the sleepimage file and analyze it.<br /><br />If you were doing a live data acquisition or search of the machine it is simply the case of plugging in a USB drive and typing:-<br /><pre>sudo cp /var/vm/sleepimage /Volumes/USBkey</pre>(where USBkey is the name of your drive.)<br /><br />Now the problems:-<br /><br />Changing the hibernatemode makes a technical change to the machine.<br />The technique forces you to shut the machine down, which is no good if you want the RAM live whilst leaving the machine running.<br />There are currently no tools available for the analysis of the sleepimage. The tools we use for Windows RAM analysis such as Volatility, Foremost, <a href="http://www.mandiant.com/products/free_software/memoryze/">Memoryze</a> etc. do not work. Get coding!<br /><br />This post is not desperately useful as it just explains how to get a pseudo-RAM dump out; what you then do with it is up to you. If you figure anything out I'd love to hear about it!

iPad, the non iPhone and non net book (Nick Furneaux, published 2010-04-12T22:09:00.003+01:00, updated 2010-04-12T22:51:16.176+01:00)<br /><br />Well, I'm doing what thousands of bloggers will do in the next few weeks and writing a post about their shiny new iPad whilst writing it on said device. And here it is. An iPad. It's thin, fairly weighty, and I feel like a very small person in a Lilliputian universe typing on an iPhone.<br /><br />The iPad box arrived via DHL from the US the day after release and the family sat down for the social and yet rather sensual task of unwrapping an Apple product.
The top slid off with a satisfying whooshing sound, possibly in my mind, and there it was, covered by the familiar cellophane wrapping: a big iPhone. I unwrapped it and held the big iPhone in my hands. It felt like it wanted to be dropped, slim and too slippy, until I discovered the Apple sign on the back in more grippy material; just a finger on it makes it feel more secure.<br /><br />Plug it into the Mac and turn it on. No iPhone/iPod clone here. Oh yes it is, just bigger icons. Ooh, and look, you can swish your finger from page to page just like... umm, my iPhone. First job, connect wifi: no issues here, straight on. Open Safari, key in news.BBC.co.uk and... Oh my goodness, it looks fantastic. I spent the next half hour just browsing the web, especially news sites. No question, this is the best way to browse the web. It is so natural, so like holding a book; just sit on the sofa and read, sweeping between sites with ease. Sorry, if you wanted to hate the iPad, then never try browsing BBC News or The Times. It is just awesome.<br /><br />Next I downloaded several new apps: the Epicurious recipe app, which is fantastic; the new AccuWeather app, beautiful; Real Racing HD for my son, which is brilliant. I have to apologize, but I just love this device.<br /><br />Now seriously, what "is it"? Is it a net book with no keyboard or a big iPhone? Simply neither. This is a new device, a perfect form factor for reviewing and browsing data. For producing data it is honestly a bit rubbish; the keyboard is OK and I can now type pretty fast, but it's no replacement for a proper keyboard. I think I would happily write a few emails, and if stuck on a plane with no laptop battery life I would write another blog post, but it wouldn't be my first choice. However, the last paragraph was written without editing or deleting mistakes and I think it's all OK.<br /><br />Now what about battery life? Apple say 10 hours.
I first charged this on Thursday of last week in the evening; it got a pretty heavy hammering by the whole family, including games and lots of browsing and Kindle-style book reading. It didn't go back on charge until Sunday evening, which I think is pretty blooming brilliant. It's been off charge all day and in use constantly for the past 3 hours and the battery life still shows 66%. Not bad. The battery got a real hammering at my local Apple store today; none of the guys there had seen an iPad and wanted me to pop in with it. It was interesting to see them having their photos taken with it, star status!<br /><br />The other app I have is Air Sharing, which lets me set the iPad up as a hard drive on my Mac. I can drag and drop files onto the iPad and review them on the go, very easy. I tend to carry a lot of research stuff, PDFs etc., so this will be excellent. The reading size is perfect and with no boot time you can be reading your document in 5 secs.<br /><br />I'm flying to Hong Kong next week and this will be my device of choice on the plane: I can read a book (very clear, actually), watch a film (superb screen quality) and play a few games. What else do you need sat still for 14 hours? Yes, it is just a big iPhone, but the form factor makes it a superb device; not a laptop, not an iPhone, it's an iPad.

Skypeex - additional comments (Nick Furneaux, published 2010-03-11T15:41:00.002+00:00, updated 2010-03-12T15:04:08.990+00:00)<br /><br />I've had some very good feedback about the Skypeex tool and I appreciate all your comments.<br /><br />One or two have not really seen the point of the tool, as there are plenty of Skype log viewers around, such as those from Nirsoft and Skypr. I will repeat what I posted on the LinkedIn discussion board.<br /><br />"the Nirsoft tool, and others, are log viewers and this presupposes that you have access to the disk/logs.
A covert live acquisition will often just take RAM and other volatile data. RAM may be taken before the plug is pulled, only to discover that the disk is Full Disk Encrypted or that the logs are in a TrueCrypt container. The user could even be using 'Portable Apps' Skype on a USB key, which would mean no log files at all on the disk; however, the data could still be in RAM.<br /><br />This little tool is not meant to be a replacement for the excellent chat log viewers out there but provides a way of getting the data from RAM where circumstances dictate."<br /><br />I'm working on an improved version where Strings isn't needed and hope to have that sorted in the next couple of weeks.

Skype Chat Carver from RAM - Skypeex (Nick Furneaux, published 2010-03-09T17:33:00.008+00:00, updated 2010-03-09T18:04:32.995+00:00)<br /><br />Well, I was going to keep testing but it just seems to keep working, so here it is in version 0.5.<br /><br /><a href="http://csitraining.co.uk/skypex.aspx">Download</a><br /><br />I've been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I've been making use of Jeff Bryner's cool little Python script (http://www.jeffbryner.com/code/pdgmail) to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype stuff that might be hanging around in a RAM dump.<br /><br />The only problem was that, although I've done a bit of programming in the past, Python was a long hissy thing you wouldn't want to meet on a dark night.
Having gone through the pain of programming 'Hello, world', simple Pokemon text games for my lad and tedious maths exercises, I've actually managed to produce something meaningful.<br /><br />The idea is to extract Skype chat lines with their associated metadata, which includes timestamps, the Skype names in the conversation, the author etc.<br /><br />The complete Skype line in RAM starts with the magic value 'INTO Messages' followed by the column headers and then the values of the chat line, including the chat body.<br /><br />This is very much work in progress but will simply do the following:-<br /><br />1. Run Strings against your RAM dump<br />2. Run the Skypeex tool against the resulting Strings file<br />3. It will carve out all the Skype chat lines it can see, as well as trying to find and extract all the Skype sessions and 'orphan' chats that have been created.<br /><br />It's interesting to note that the latter process even seems to find the 'spam' message sessions that you sometimes receive.<br /><br />This has been tested on dump files from Windows XP SP2 and SP3 with Skype 3.8 through 4.2.<br />I don't currently have a Windows 7 box up and running; if anyone has one available please let me know.<br /><br />Please do not hesitate to get in touch with ideas and improvements.<br /><br />Usage:<br /><br />There are 2 versions in the zip file.<br /><br />skypeex.py is designed for use under Python 3.1.1 and above<br /><br />skypeex26 is designed for use under Python 2.6<br /><br />Due to changes to several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.<br />For best testing results, have several Skype IM chats with friends and then image your RAM. On a Windows box, use any tool to grab RAM (tested on Win XP SP2/3):<br /><br />I recommend Win32dd (or Win64dd) from Matthieu Suiche - http://windd.msuiche.net/<br /><br />Run strings against the RAM image (e.g.
the Windows version can be found in the Helix distro).<br />Example:<br /><pre>strings c:\ramdump.dd > c:\stringsout.txt</pre><br />On a Linux box do:<br /><pre>strings ramdump.dd > stringsout.txt</pre><br />Script usage -<br />From a command shell:<br /><pre>python skypeex.py</pre>Then, when prompted, simply provide the path to the strings output file.<br /><br />The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl. headers) and a txt file with extracted Skype sessions and carved orphan chats. Please expect many duplicates and some false positives.<br /><br />In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.<br /><br />The primary message content is in the 'body_xml' column.<br /><br />Code:<br /><br />The key elements of the code are:-<br /><pre>if "INTO Messages" in line:
    # keep everything after the last 'VALUES (' : the comma-delimited row
    def extract(text, sub1):
        return text.split(sub1)[-1]
    str2 = extract(line, 'VALUES (')</pre>This searches for the magic value, strips out the rubbish and returns the comma-delimited values we are interested in. These include:-<br /><br />Chatname - the initiator and recipient of the session<br />Timestamp - the time and date the message was sent, in UNIX time<br />Author - the sender of the message<br />From_dispname - the screen name being used by the sender<br />Body_xml - the body of the message; can slip into the chat_msg column<br />GUID - session identifier<br /><br />Next:<br /><pre>if "#" in line and "/$" in line:
    # both markers must be on the same line; write it and the line after it
    outfile.write(line)
    nxt = next(data)
    outfile.write(nxt)</pre>This time we look for the existence of the # and /$ characters in the same line.
This refers to the pattern written to RAM for each Skype session, which looks like this:<br /><pre>#nfurneaux/$bennyboy1982;810b0fd9ef04db08</pre>This shows the 2 persons in the Skype session, with the first name being the initiator of the conversation. I'm still trying to figure out the hex value at the end, but it seems to be a GUID session number; any ideas, let me know.<br /><br />Sometimes we recover session lines like the following:<br /><pre>#bennyboy/$nfurneaux;9fa7c85b71354392Jd1bbennyboy1982Ben Brown
#andyw/$nfurneaux;9fa7c85b71354392Jd1TnfurneauxNick Furneaux</pre>We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line, which often includes actual chat associated with the recovered session. Hence we capture:-<br /><pre>#bennyboy/$nfurneaux;8f915423c984767aJ[VonfurneauxNick Furneaux
ok quite close
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Aug 23
# bennyboy /$nfurneaux;8f915423c984767aJ[VQnfurneauxNick Furneaux
when are you presenting at HTCIA
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown</pre>Interestingly, this conversation is carved in reverse. We can ascertain that bennyboy started the conversation but see the sender in the second part of the session line, followed by the chat.<br /><br />I've never released a tool to the community before so be kind! Let me know how you get on.<br />Nick Furneaux<br /><br /><a href="http://csitraining.co.uk/skypex.aspx">Download</a>

Unfit and unblogged! (Nick Furneaux, published 2010-03-09T17:23:00.002+00:00, updated 2010-03-09T17:29:16.225+00:00)<br /><br />I'm just preparing to release a Skype RAM carver written in Python and I thought that my blog would be the best place to put it.
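As an added example (this is not the Skypeex code from the post above, nor anything from its download), here is a small Python carver that applies the two patterns that post describes to a constructed `strings` listing: it pairs each 'INTO Messages' row's column names with its values, decodes the UNIX timestamp column, and matches '#initiator/$recipient;&lt;16 hex&gt;' session lines together with the line that follows. The sample listing, column list and values are all constructed for the example.

```python
import csv
import re
from datetime import datetime, timezone

# Constructed sample of `strings` output from a RAM dump (not a real capture);
# the column list is shortened to the columns the post names.
SAMPLE_STRINGS = """\
unrelated string
INSERT INTO Messages (chatname, timestamp, author, from_dispname, body_xml, guid) VALUES ('#nfurneaux/$bennyboy1982;810b0fd9ef04db08', 1268150400, 'bennyboy1982', 'Ben Brown', 'ok, quite close', 'abc123')
#bennyboy1982/$nfurneaux;8f915423c984767aJ[VonfurneauxNick Furneaux
when are you presenting at HTCIA
# bennyboy1982 /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
"""

# "#initiator/$recipient;<16 hex digits>", possibly followed by trailing bytes.
SESSION_RE = re.compile(r"#\s*([^/\s]+)\s*/\$([^;\s]+);([0-9a-fA-F]{16})")


def split_sql_row(line):
    """Return (column_names, values) from a carved 'INSERT INTO Messages' line;
    like the post's extract(), the values are what follows the last 'VALUES ('."""
    if "INTO Messages" not in line or "VALUES (" not in line:
        return None
    head, _, tail = line.rpartition("VALUES (")
    start = head.index("(", head.index("INTO Messages")) + 1
    names = [c.strip() for c in head[start:head.rindex(")")].split(",")]
    # SQL quotes strings with single quotes; csv copes with embedded commas.
    values = tail.rstrip().rstrip(")")
    return names, next(csv.reader([values], quotechar="'", skipinitialspace=True))


def unix_to_utc(ts):
    """Decode the 'timestamp' column (seconds since the UNIX epoch) to UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_message(line):
    """Map a carved row onto its column names; skip rows whose value count
    differs from the header (truncated or overwritten in RAM)."""
    parsed = split_sql_row(line)
    if parsed is None or len(parsed[0]) != len(parsed[1]):
        return None
    rec = dict(zip(*parsed))
    if rec.get("timestamp", "").isdigit():
        rec["timestamp_utc"] = unix_to_utc(int(rec["timestamp"]))
    return rec


def parse_session(line):
    """Split a session line into initiator, recipient and hex session id."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {"initiator": m.group(1), "recipient": m.group(2),
            "session_id": m.group(3).lower()}


def carve(strings_text):
    """Walk the listing once; return (messages, sessions), each session keeping
    the line that follows it, which often holds the chat text."""
    messages, sessions = [], []
    lines = strings_text.splitlines()
    for i, line in enumerate(lines):
        rec = parse_message(line)
        if rec is not None:
            messages.append(rec)  # its chatname matches SESSION_RE too, so stop here
            continue
        sess = parse_session(line)
        if sess is not None:
            sess["next_line"] = lines[i + 1] if i + 1 < len(lines) else ""
            sessions.append(sess)
    return messages, sessions
```

Run `carve()` over a real strings listing and sort the messages on `timestamp` for the timeline the post mentions; rows whose value count does not match the header are dropped rather than misaligned.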
However, I just checked it to make sure I remembered how to log in and noticed that my last blog post was in October. This is a coincidence, as October was the last time I went for a run! I was thinking that there was no correlation, but actually moving house, travelling all over the place and a very busy six months of work have contributed to both.<br /><br />Yesterday I went out with my lad and ran for 2.5 miles, including loads of uphill, and was pretty surprised at my retained fitness, which is good; however, my blogging looks in much worse shape.<br /><br />It doesn't help that the eponymous <a href="http://happyasamonkey.wordpress.com/">Happy Monkey</a> is regularly blogging such fabulously funny and insightful ditties that anything I do will be put to shame. However, watch this space for a free, and rather cool, Skype Chat RAM Carver.

(Untitled; Nick Furneaux, published 2009-10-23T14:53:00.001+01:00, updated 2009-10-23T15:09:04.537+01:00)<br /><br />Although I quite like this blogging lark, you will notice from the total lack of activity in recent months that I'm not very good at it. The fact of the matter is that I've been extremely busy, which I guess in the current climate I should be thankful for. Computer Forensics is a good career choice in a recession as, simply put, there are always bad people. In fact there is some evidence that white-collar crime (and today that almost always involves computers) is on the rise as people worry about jobs, mortgages etc., and when an opportunity to pilfer away a quick buck is found, many will succumb.<br /><br />I'm writing this on a train to the Midlands where I'm helping a bank improve its analysis of malware written specifically to target its customers. This too is on the rise, with phishing attacks commonplace.
The problem with malware written specifically for a task is that the AV products often don't have a signature for it, and hence it renders itself fairly invisible even to the 'heuristic' scanners. To counter this it seems that the AV companies are lowering the bar: almost every time I write a script or compile a new piece of code, Kaspersky or AVG or McAfee scream that it's Root Ware, or a Trojan, or something equally nasty.<br /><br />If you download virtually any of the fabulously useful tools from Nirsoft (www.nirsoft.com), such as their password recovery, USB key parser or Wifi tool, then, wham, 'It's a virus!!'. No it's not. The Cain and Abel password recovery tool recently started triggering an alert, Nessus fires an alert... what is going on? It feels at the moment that any software tool not in their database is automatically a Trojan come to steal your car, wallet and way of life.<br /><br />Anyhow, rant aside, there has to be a better way of analysing malware and I think RAM is the answer. Nothing can hide in RAM: processes hidden from the OS can be uncovered in RAM. Many tools use a technique called list walking to discover processes running in live RAM or a RAM dump; however, direct kernel object manipulation (DKOM) can unlink a process from that list, taking it out of the 'flow' and making it essentially invisible to the OS and to list-walking programs. Psscan2 in the Volatility suite overcomes this by scanning the dump file for process objects whether or not they are linked to others. Outputting this view in dot format and opening it in something like Graphviz provides a fantastic, clean view of the running processes and their threads.
Simply invoke by:-<br /><pre>python volatility psscan2 -d -f <pathtodump> > output.dot</pre>Analysing the process start times, threads and parents, exe path and other variables provides a very 'quick win' when searching for malware of any type.<br /><br />This is a manual process and would be tricky to automate, but very worthwhile to do if malware analysis is your business.<br /><br />A few minutes till the train is due in, so will speak later, hopefully sooner!