You are on page 1of 79

INFORMATIONSECURITY

andAntiForensics
Abstract
WherethereisadataleakthereisahelpfulLEOtopickupthe slackandthrowyouinjailforit.Thisguideattemptsto educateyouonsomeofthebestsecuritypracticesandanti forensicstechniquessothatdoesnthappen.Fromnews reporterstopeoplewhowanttodownloadandwatchchild porn;thisguidewillhelpkeepyousafe.

byMISSIONMAN|V2|FINAL

P a g e |1

Dedication
ThisguideisdedicatedtothewonderfulLawEnforcementAgenciesof theworld;iftheydidnttrytofuckusoverallthetime,Iwouldntcare enoughtomakethisguideinthefirstplace.

P a g e |2

Information Security and AntiForensics

Table of Contents
Dedication.....................................................................................................................................................1 Chapter1 _TheCIATriad........................................................................................................................... 5 Chapter2 _Recommendations................................................................................................................. 6 Chapter3 _Encryption............................................................................................................................ 10 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. 3.8. 3.9. EncryptionDealingwithConfidentiality..................................................................................... 11 EncryptingFilesortheHardDrive.............................................................................................. 12 SecurelyExchangingMessagesorData...................................................................................... 15 Steganography............................................................................................................................ 17 AuthenticationFactors ................................................................................................................ 18 PasswordAttacksandAccountRecoveryAttacks...................................................................... 18 CreatingSecurePasswords......................................................................................................... 19 Hashing,HashingCollisions,andBirthdayAttacks..................................................................... 19 ColdBootAttacks........................................................................................................................ 21

Chapter4 _Data......................................................................................................................................22 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 DeletedData............................................................................................................................... 23 DeletingDataSecurely................................................................................................................ 24 FileSlack......................................................................................................................................25 WheretoHideYourData............................................................................................................ 26 WindowsSwapFiles,ReadyBoost,TemporaryInternetFilesandBrowserCache .....................26 TemporaryApplicationFilesandRecentFilesLists.................................................................... 28 Shellbags.....................................................................................................................................32 PrefetchingandTimestamps...................................................................................................... 33 EventLogs...................................................................................................................................34 Printers,PrintJobs,andCopiers................................................................................................. 34 Cameras,Pictures,andMetadata............................................................................................... 36 USBInformation.......................................................................................................................... 37

P a g e |3 4.13 4.14 SSDSolidStateDrives.............................................................................................................. 38 ForensicSoftwareTools.............................................................................................................. 39

Chapter5 _Continuity............................................................................................................................. 40 5.1 5.2 5.3 5.4 SecurityConcernswithBackups................................................................................................. 41 SecurityConcernswithSleepandHibernation........................................................................... 41 EnsuringInformationandServiceContinuity............................................................................. 41 DoSandDDoSattacks................................................................................................................. 42

Chapter6 _SystemHardening................................................................................................................ 45 6.1. 6.2. 6.3. 6.4. 6.5. UninstallUnnecessarySoftware................................................................................................. 46 DisableUnnecessaryServices..................................................................................................... 46 DisableUnnecessaryAccounts................................................................................................... 47 UpdateandPatchWindowsandOtherApplications.................................................................48 PasswordProtection................................................................................................................... 48

Chapter7 _Antivirus,Keyloggers,Firewalls,DLPs,andHIDs ................................................................50 7.1. 7.2. 7.3. 7.4. 7.5. 7.6. Antivirus......................................................................................................................................51 HardwareKeyloggers.................................................................................................................. 51 Firewalls......................................................................................................................................52 DLPs............................................................................................................................................52 HIDSsandNIDs.......................................................................................................................... 53 OtherConsiderations.................................................................................................................. 53

Chapter8 _Networks.............................................................................................................................. 54 8.1. 8.2. 8.3. 8.4. 8.5. 8.6. 8.7. Privatevs.PublicIPAddress....................................................................................................... 55 MACAddress............................................................................................................................... 55 PublicWireless............................................................................................................................ 56 SecurityProtocols....................................................................................................................... 58 ChatSitesHowAttackersAttack ............................................................................................... 59 OtherConsiderations.................................................................................................................. 61 Extra:MACAddressSpoofingandARPAttacksHowtheywork ..............................................62

Chapter9 _WebBrowserSecurity.......................................................................................................... 64 9.1. 9.2. 9.3. 9.4. 9.5. DownloadingandUsingtheTorBrowserBundle....................................................................... 65 ConfiguringWebBrowsersandApplicationstoUseTor ............................................................67 WhatisSandboxingandWhatisJITHardening,andWhyDoICare?........................................68 JavaScript....................................................................................................................................68 CookieProtectionandSessionHijackingAttacks....................................................................... 69

P a g e |4 9.6. 9.7. 9.8. 9.9. 9.10. 9.11. 9.12. 9.13. Chapter10 Chapter11 Caching........................................................................................................................................69 Referers.......................................................................................................................................70 CSRF/CSRFAttacks(XSSAttack).................................................................................................. 71 ProtectBrowserSettings............................................................................................................ 71 DNSLeaks................................................................................................................................71 UserAwareness,AccidentsandSystemUpdates................................................................... 72 Limitations ............................................................................................................................... 73 Extra........................................................................................................................................73 _StandardAcronyms.......................................................................................................... 75 _DownloadLinks................................................................................................................ 76

P a g e |5

Chapter 1_The CIA Triad



In this guide I am going to reference a wellknown security policy that was developed to identify problem areas and the recommended solutions when dealing with information security. This policy is known as the CIA and stands for: Confidentiality, Integrity, and Availability. This triad was developed so peoplewillthinkabouttheseimportantaspectsofsecuritywhenimplementingsecuritycontrols.There should be a balance between these three aspects of security to ensure the proper use and control of yoursecuritysolutions. Confidentialityis,asthewordimplies,havingsomethingbeconfidentialorsecure.Inessence,privacyis security and confidentiality means that third party individuals cannot read information if they do not have access to it. Data to think about keeping confidential is data stored on a computer (temporary data, data saved, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality will be the main focus point of this article as it is most often referred to as the most importantaspectofsecurity. The I in CIA stands for Integrity and is specifically referring to data integrity. Integrity is the act of ensuring that data was not modified or deleted by parties that are not authorized to do so. It also ensures that if the data was changed, that the authorized person can make changes that should not have been made in the first place. Simply, if you send a message to someone, you want to make sure that the person does not receive a message that was altered during transit. Integrity also confirms that you are in fact speaking to who you think you are speaking to (for example: we download an addon from the website, you want to make sure that you are downloading from that website and not an unscrupulousthirdparty). Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not only does data have to be available to you, but it has to be reasonably accessible. There's no point in security controls if you cannot access the data! This component is a concern, but for the average end user, there is not much that can be done to ensure availability when dealing with webpages, or IRC servers or anything else managed by a third party host. For this reason we will not be discussing Availabilityexceptforbackingupyourdatainthisguide.

P a g e |6

Chapter 2_ Recommendations

indows was not built with security in mind, therefor should not be used. Tails is recommended as it is a live DVD or USB that was created to preserve your anonymity and privacy. It allows you to browse the internet anonymously and safely as all applications are preconfigured to run through Tor. Other uses includes encrypting your files, sending and receiving emails and instant messaging, photo editing, document editing and more. Tails also operates completely in RAM so it does not leave a trace on your computer. RAM is Random Access Memory and iswipedwhenthemachineshutsdown.Everythingthatyouwantsavedisdonesoinsecure,encrypted persistent storage. Tails link: Here. A stepbystep for installing Tails can be found here. If you cannot useTailsorbetteryetdonotwanttouseTails,youshouldmakesurethatWindowsissecure. Windows: TruecryptIwoulddownloadTrueCryptandenableFDE(FullDiskEncryption)tomakesurethat allevidenceisencryptedthusallowingyoutoskipChapter4.IfyoudonotwanttoenableFDE,I wouldcreateacontainerandhaveaVirtualMachineinsidethecontainer.Otherwise, EVIDENCECANBEEASILYGATHEREDBYINVESTIGATORS.(Section3.2) TorBrowserBundleThisallowsyoutobrowsetheinternetanonymously.UsingTBBwillalso allowyoutovisit.onionsitesaswellastojointhe.onionIRCserverswithTBBsinstanceorTor. (Section9.1) AntiVirus(AV)andaFirewallThiswillkeepyourcomputerprotectedfromvirusesaswellas remoteintruders(mostallinoneantivirussoftwarehasthesefeatures).(Section7) Ihavedecidedtomovearecommendationfromlateroninthisguidetouphere.Onegood recommendationistocreateanduseastandardaccountwithnoAdministrativeprivileges.This way,ifavirusisexecuted,itonlyhastheprivilegesoftheaccountthatyouarein.Also,Iwould makesureyourusernamedoesnotcontainyourfullnameasmanyapplicationssuchasPidgin cansharethisinformation.Furthermore,makesurethatyoucreateaWindowspasswordthat isdifficulttoguess/attack,asyourcomputercanbeexploredusingthatpassword,overthe network. (Optional)TorChatTCisachatapplicationthatrunsoverTortoprovideananonymouswayto chat.(Section2) (Optional)IRCClientAnIRCclientallowsyoutoenterTorchatroomstotalktomany individualsatonetime.Youwillneedonewithproxysettingssoyoucanruntheclientthrough Tor.MakesuretoNOTuseDCCasitcanexposeyourIPaddress.ThereareseveralIRCservers

P a g e |7 thatrunoverTor(.onionaddresses)thatyoucanuse.Theyarealllogicallyconnected,so connectingtoonewillconnectyoutoall.(Section2) (Optional)GPGforsharingmessagesandfilesbackandforthoveracommonmedium,GPG ensuresconfidentialityandintegrity.(Section3.3) (Optional)TormailemailaddressTormailisanemailservicethatrunsthroughTor,soit providesanonymity.IrecommendusingTormailwithGPGwhencommunicatingviaemail.The linktotormailishttp://tormail.net/.Onceloadedyouwillbepromptedtovisit http://jhiwjjlqpyawmpjx.onion/viator.

Try it out Set up IRC client for Tor 1. DownloadyourIRCclient.Personally,IusePidgin.Thelinkisprovidedforyou: http://pidgin.im/.ThereisaportableversionofPidginavailableifyouplanonusingtheclienton severalmachines(whichisnotrecommendedasthecomputercancontainspyware).Also, Pidginallowsyoutoconnecttoseveralserversatonceinthechanceyougetdisconnectedfrom aserveroranetsplitoccurs. 2. Tocreateanaccount,ClickAccountsfollowedbyManageAccounts.Youcanaddasmany accountsasyouwant;IcreatedafewaccountstoconnecttothedifferentIRCserversforthe reasondescribedabove. 3. SelectAdd.UnderBasic,yoursettingsshouldlooklikethis:ProtocolIRC,Usernameyour username,ServerIRCserver(listedbelow),Localaliasyourusername.Again,youcanuse anyoftheseveralTorIRCserversastheyareallconnected.Alternatively,youcanuseoneof theseveralIRCrelaysinsteadofconnectingtotheTorserversdirectly. 4. UnderAdvanced,yoursettingsshouldlooklikethis:Port6667,Usernameyourusername. InPidgin,ifyoudonotspecifyausernameundertheAdvancedsettings,yourusernamewillbe exposed.Whenyouenterorleavethechatroomtheusernamewillappearbeforethe hostname.Forexample,ifyourIDisTheBestandyourusernameisBob,thenitwillappearas TheBest[Bob@OnionNet]. 5. UnderProxy,yoursettingsshouldlooklikethis:ProxytypeSOCKS5,Host127.0.0.1,Port 9050(TorPort).IfyouareusingPrivoxy,theportwillbe8118. 6. ClickBuddiesandJoinaChattojoinachannel.AddChatwillpermanentlyaddthechannelsto theChatslistsoyoudonthavetorememberthechannelnameeverytime.Rightclickingthe chatunderChatswillgiveyouahostofoptions.IselectedPersistenttoreceivethemessagesin thechatroomeventhoughtheyarenotcurrentlyopen.Youcanuse/listtogetalistofallthe channelsoryoucanuse/join#roomtojoinaspecificroom.#securityand#publicaretwogood channelswhenaskinggeneralquestionsorquestionsrelatedtoprivacyorsecurity. 7. Youcanusethe/msgusernamecommandtosendaprivatemessagetosomeoneorusethe /queryusernamecommandwhichwillopenanewwindowinbothclientsforprivate messaging.IwouldadviselookinguptheIRCclientcommandsforfullfunctionality.Also,even thoughIrecommendeddisablingDCC,theserversdisablethefunctionalityaltogether. 8. Lastly,youshouldknowthatmostifnotallIRCclientscacheyourusernameforfunctionality. Pidgin,takesthisfurtherbycreatinglogsforspecificchannelsandindividualusersthatyouchat withusingprivatemessagingbydefault.UnderPreferences>Logging,youshoulddisableLog allinstantmessagesandLogallchats.

P a g e |8 IRC Servers HereisalistoftheTorIRCservers(notethatallserversarelinked): Mixie:4eiruntyxxbgfv7o.onion(Down) FTW:ftwircdwyhghzw4i.onion Renko:renko743grixe7ob.onion(Down) PB:jkpos24pl2r3urlw.onion(Down) Nissehult:nissehqau52b5kuo.onion

IRC Channels HereisalistofsomeofthepopularTorIRCchannels(orderedbyusercountatthemomentofwriting): #boys! #pedo #cams #mjb #girls Try it out TorChat: 1. DownloadTorChatfromgithubasitisnowtheofficialsourcefortheTorChatproject.Atofthe timewritingthearticle,thedirectlinkishttps://github.com/prof7bit/TorChat.Oncethepageis loaded,clicktheDownloadsbuttonoverontheright.Selectthelatestbuildasdenotedbythe versionnumber.MakesuretodownloadtheWindowsexecutableversionforWindows, Debian/UbuntupackageforDebian/Ubuntu,orthePidginpluginifthatiswhatyouwantto do.IfthebuildisinAlpha,thenitisnotrecommended. 2. Thefilewillbedownloadedasa.zipfile.Oncethefileisfullydownloaded,openthefileand extractthecontentswithyourfavoritearchivefilemanager.Iextractedthefiletothedefault locationinWindowswhichistheDownloadsfolder.Youcanmovethefolderatanytimeas TorChatisportable. 3. OpentheTorChatfolder,expandthebinfolder,andruntorchat.exetostartTorChatforthefirst time.Onceloaded,youwillbeprovidedyourTorChatID(16charactersthatarecomprisedof lettersandnumbers). 4. Toaddacontact,justrightclickinthewhitespaceoftheprogramandclickAddContact Alternatively,youcaneditthebuddylistfileinthebindirectory.Doubleclickingacontactwill initiateachat(rightclickingandselectingChat,willaccomplishthesamething).Youcanalso editanddeleteacontactbyRightClickingtheuserandselectingtheappropriatefunction. Sendingafileisassimpleasdraggingthefileintothechatwindoworrightclickingthe usernameandselectingSendfile(Windowscanonlysendonefileatatimewhereas Debian/Ubuntucansendmanyatonetime). 5. IfyouareupgradingyourversionofTorChatthanmakesuretobackupandcopyover bin\buddylist.txt,bin\Tor\hidden_service\hostname,and bin\Tor\hidden_service\private_key.Ifyoudonotcopyoverthelattertwofiles,youwillbe providedanewTorChatID. #knaben #torchan #public #security #hackbb

P a g e |9 Try it out Installing Tails: 1. DownloadTailsfromtheofficialTailswebsite.YoucaneitherdownloadTailsviathedirectlink ortheTorrent;whichmightbefaster.However,thedirectlinkisrecommendedasis downloadingandverifyingtheTailsSignature.ThelinktotheTailsdownloadpageishere: Here.Underoption2,selectthelatestreleasetostartdownloading.Toverifythedownload, useGPGtoverifytheTailssignaturetoensurethatyourimagehasnotbeenmodifiedinany way 2. Oncedownloadedyouhaveacoupleofoptions:youcanburntheimagetoaDVDoraUSB(the imageistoobigtofitonaCD).IfyouburntheimageonaDVDR,anattackercannotmodifythe contentsasthediskisreadonly.Thisalsomeansthatyoucannotsaveanythingormakeany permanentchangesonthedisk.DVDRWandtheUSBcanbewrittentoandrewrittento, meaningfilesandsettingscanbesavedinpersistentstorage.But,thiscomesatariskasan attackercanmaliciouslymodifyTails 3. InstallinganimagetoaDVDiseasy,allyouneedistherightsoftware.ISOImageBurnerisa goodsoftwareforWindowsthatcandothisforyou.MacsandcomputersrunningUbuntucan burntheimagenatively.OnceyourISOburningprogramisopen,inserttheblankDVDintothe diskdriveandburntheTailsISOimagetotheblankdisk(oraDVDRWdisk) 4. WheninstallingtheTailsISOimageontoaUSB,itisrecommendedthatyoudownloadand installOracleVMVirtualBox,andusethatvirtualizationprogramtobootintoTails.Otherwise, youcannotcreatepersistentstorageforsavingfilesandsettings.Onceyousuccessfullyboot intoTails,youcanusethebuiltinTailsUSBinstallertoinstallTailsontheUSBdevice 5. IdownloadedandinstalledVirtualBoxfromhere.Onceinstalled,startVirtualBoxandClick NewtocreateanewVM.FillouttheNametextbox,selectLinuxfortheType,andselectOther Linuxfortheversion.ProceedpastthenextpageandselectDonotaddavirtualharddriveand clickCreate.AtthetopoftheOracleVMVirtualBoxManagerclickonSettingstomodifythe settingsoftheVMyoujustcreated.SelectStorageandnexttoController:IDEclickonthelittle diskicontoaddaCD/DVDdevice.ClickChoosediskandselecttheTailsISOyoujust downloaded.UnderController:IDEyoushouldseetheimageyoujustselected.Selectedthat imageandcheckLiveCD/DVDoverontherightunderAttributes.ClickOK.StarttheVMto bootintoTails. 6. Atthispointyoushouldbeaskedifyouwouldliketoviewmoreoptions.Iamgoingtokilltwo birdswithonestoneandcoverhowtoinstallTailsonaUSBaswellaswhatIrecommendafter youinstalltheISOontheUSB.SelectYesonthisscreenandcreateanAdministratorpassword onthenextscreen.UnderApplications>Tailsyoucancreateapersistentvolumeaswellasuse theTailsUSBInstaller.Whencreatingapersistentvolume,Iwouldselectalltheapplications youwilluseaswellasifyouaregoingtosaveanymaterials.

P a g e |10

Chapter 3_ Encryption
ncryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can. Using cryptography three purposes are fulfilled: confidentiality, integrity, and nonrepudiation. Encryption has long been used by militaries and governments to facilitate secret communication. It is now commonly used in protecting informationwithinmanykindsofciviliansystems.Also,manycompliancelawsrequireencryptiontobe used in businesses to ensure that confidential client data be secured if the device or data is stolen. In this section I will be talking about using encryption for confidentiality and integrity. Nonrepudiation is used,butisnotnormallyimplementedforourpurposes.

Topics

ThisChapterwillcoverthefollowingtopics: EncryptionDealingwithConfidentiality EncryptingFilesortheHardDrive SecurelyExchangingMessagesorData Steganography AuthenticationFactors PasswordAttacksandAccountRecoveryAttacks CreatingSecurePasswords Hashing,HashingCollisions,andBirthdayAttacks ColdBootAttacks

P a g e |11

3.1.

Encryption Dealing with Confidentiality

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. The earliest forms of encryption where the scytales and the creation of cipher texts. These forms of cryptography would rely on both parties knowing the key used orthecorrectcipherbeforethemessagecouldbedelivered.Here'sanexampleofatypicalcipher,with agridoflettersandtheircorrespondingnumbers:
1 2 3 4 5 1 A F L Q V 2 B G M R W 3 C H N S X 4 D I/J O T Y 5 E K P U Z

If a general wanted to send the message I love ponies he would write the series of corresponding numbers: 42 13 43 15 51 53 43 33 42 51 34. Only the person with this cipher text would be able to reach the message. Now obviously, to make the message more difficult to decipher, the letters inside the table would be arranged differently. Computer encryption uses algorithms to alter plain text information into a form that is unreadable. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations. Todays AES standard is AES 256bitencryptionwhichhas256^2possiblecombinations. As we said before, there are many reasons for encryption. One purpose of encryption is the act of transforming data from a state that is readable to a state that cannot be read by a third party that does nothavepermission.Theresultoftheprocessisencryptedinformation(incryptography,referredtoas ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts informationaswellasdecryptsit. There are two types of encryption that should be used for two different purposes: symmetric (private key encryption) and asymmetric (public key encryption). Symmetric encryption is used the most becauseitisfast,easytouse,andisthemostwidelyneeded.Youwillusethisformofencryptionwhen there is only one password being used (such as TrueCrypt or another simple file encryption utility). Asymmetric encryption on the other hand uses two keys, one to encrypt information and the other to decrypttheinformation.

P a g e |12

SymmetricEncryption

AsymmetricEncryption

3.2.

Encrypting Files or the Hard Drive

You will most commonly want to encrypt files for storage or if you want to upload them to several people securely. There are a couple of programs that support this type of encryption and most of you probably already heard of them. These programs I am referring to are TrueCrypt and WinRAR and they both provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire harddriveortocreateanencryptedcontainer.WinRARontheotherhandisaprogramthatallowsyou to create an encrypted archive. Remember that symmetric file encryption has only one key for the encryptionanddecryptionprocess.Soyouwillneedtosharethekeyifyouplanonsharingthefiles. Note:WinRARcanbecrackedandtheremightexistabackdoortoyourencryptedfiles.Thisprogram is only meant to exchange material in the public without any individual to see what is contained. DO NOTSTORESENSITIVEDATAENCRYPTEDWITHWINRARONYOURCOMPUTER.USETRUECRYPT. BelowisanexampleofaverysimpleencryptionprocessknownastheCaesarsCipher:

P a g e |13 In this example, as with the fundamentals of the Caesar Cipher, all the characters are shifted, usually by 3 characters. If he wanted to say "You will never guess this," for instance, he'd write down "BRXZLOO HYHU JXHVV WKLV" instead. As you can see, the text is also broken up into even groups in order to make the size of each word less obvious. You can change the orders of the letters and change the numberofshiftsperlettertocomplicatetheprocessfortheattackerevenfurther. Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted container. When mounted, it will look as another drive on your computer. TrueCrypt containers are secure but using them still comes with the risks of leaving your recent files lists, thumb files, and other temporary and cache data exposed. It is recommended that you use TrueCrypt and encrypt the entire diskformaximumsecurity.Investigatorscannotdeterminewhetherornotyouhaveahiddenvolumein your TrueCrypt container unless you tell them. You can also use TrueCrypt to encrypt portable drives using the Traveler Disk Setup. For information about using TrueCrypt on SSDs, please reference SSD SolidStateDrives(section4.10). Try it out Create TrueCrypt Container 1. StartTrueCrypt 2. ClickonVolumes(menuitem)inTrueCrypt 3. ClickonCreateNewVolume...(menuitem) 4. SelectCreateanencryptedfilecontainer(radiobutton)andclickNext>(button) 5. SelectHiddenTrueCryptvolume(radiobutton)andclickNext>(button) 6. SelectNormalmode(radiobutton)followedbyNext>(button) 7. ClickSelectFile...(button) 8. InthisstepyouwillspecifythenameandlocationofyourTrueCryptcontainer.Ifyoutrytosave thefileandgetanaccessdeniederror,trycreatingthecontainerinyourDocumentsfolderor elsewhere.ChoosethelocationintheExplorerwindowandspecifytheFilename:(edit)in SpecifyPathandFileName[...].ClickSave(button)intheSpecifyPathandFileNamedialog box 9. ClickNext>(button)followedbyNext>(button)onthenextpage 10. Inthedropdown,IselectedAES(listitem)fortheEncryptionAlgorithm.Thisisthemostsecure andprovides256bitencryptionwhichisa32characterpassword.Youcanreadupontheother encryptionalgorithmsforfurtherexplanation.SHA512(listitem)wasmychoicefortheHash Algorithm.Youcanalsoreadfurtheronthehashingalgorithms.ClickNext>(button) 11. InthisstepyouwanttospecifythesizeoftheTrueCryptcontainer.Mostlikelyyouwillwantto selectGB(radiobutton)tospecifyyouwanttosizetobeinGigabytes.Thisisrecommendedif youaregoingtostorepicturesorvideos.Inthetextbox,enterthetotalsizethatyouwantto containertobeandnotjustthesizeofyourOuterVolume.So,ifyouwantyourOuterVolume tobe50GBandyourInnerVolumetobe25GB,youwillneedtoenter75here.ClickNext 12. EnterandreenteryourpasswordfortheOuterVolumePassword.Thisisthepasswordthat youwillbeabletorevealifyouareforcedtodoso.Youareallowedtoenterapasswordupto 64characters

P a g e |14 13. FortheLargeFilesstep,IselectedYes,soitwouldformatasNTFS;itisuptoyouthough.Click Next>(button) 14. Onceallthesettingsareset,moveyourmousearoundtoaddsecurity.ClickFormat(button)to startformattingthevolume.Dependingonthesizeandyourharddrivespeedandother factors,thisprocesscouldtakeseveralhours.OncecompleteclickNext>(button) 15. YouwillnowcreateyourHiddenVolume,orthevolumethatyoudonotwantotherstofind. SelectNext>(button)tostarttheprocess 16. Iusedthesamesettingsasbefore.ClickNext>(button)untilyouarepromptedtocreatethe HiddenVolumeSize.ThissizeislessthantheOuterVolumeSizeandshouldleaveampleroom soyoucanstoreenoughnonprivatedatainyourOuterVolumewhilstallowingplentyofroom forprivatematerialinthisHiddenVolume.ClickNext>(button) 17. CreateaHiddenVolumePassword.Thispasswordshouldbeassecureasthiscontainerwill holdyourprivatedata.Themaximumpossiblelengthforapasswordinthisstepisalso64 characters.Thisisthepasswordthatyoudonotwanttogiveoutunderanycircumstances.The governmentcannotdetermineifahiddencontainerexiststhereforetheywillnotknowthatthis passwordevenexists.Donotfallvictimtosocialengineeringattackswhereassomeonetricks youintogivingthemthepassword. 18. SelectNext>(button),choosewhetherLargeFilesaregoingtobeusedinthenextwindow,and clickFormat(button)tofinalizetheprocess(again,makesuretomoveyourmousearoundon thatstepforbettersecurity) 19. OpenTrueCryptagainandmounttheOutercontainer.Tostart,IwouldmounttheOuter Containersowecanaddsomedecoydatainthereincaseyouareforcedtogivethepassword. Todothis,justselectthedriveletter,clickSelectFile(button),selecttheTrueCryptfileyou createdinStep8,andpressMount.Simply,youwillentertheOuterVolumepasswordorthe HiddenVolumepassworddependingonwhichvolumeyouwanttomount.Makesurewhen movingdecoydataoverthatitiscompletelylegalandthatitCANNOTbeconfusedfor somethingillegal.Also,makesureitwouldbesomethingyouwouldtrulywanthidden.Porn, databackups,andetc.aregoodideas.Tomovethefilesovertoeitherofthesevolumesyou willsimplyopenWindowsExplorerandnavigatetothedriveletter. Try it out WinRAR: 1. IfyouareintheWinRARprogramwindow,selectthefile(s)andclicktheAddbutton.Thisis denotedasaniconofastackofbookswithbindingaroundthem.Alternatively,youcanright clickthefile(s)intheexplorerwindowandclickAddtoarchive 2. TheArchivenameandparameterspagewillopen.Pleasenotethesizeofthefileyouareabout touploadandthesizelimitthatyouareallowedtouploadoneachsite. 3. IntheSplittovolumes,bytesinputfieldundertheGeneraltab,entertheappropriatesizeof eacharchive.Forexample:Ifyouhaveafilethatis200MB(or204800KB)andthefileupload sizelimitis50MB,fortheSplittovolumes,bytesinputfield,youwillenter50MB.Inthiscase fourfileswillbecreated,each50MBapiece. 4. SelecttheAdvancedtabandhittheSetPasswordbutton.Enterthepasswordinthefirstfield andreenterthepasswordforverification.Rememberthispassword;ifitislostthefileisNOT recoverable.MostpeoplealsoselectEncryptfilenamesforextrasecurity.

P a g e |15 When using TrueCrypt, as presented in the Try it out section, it is a good idea to use a hidden container. Heres why Lets say you have two videos: video A and video B. Video A is of your pet hamsterfrolickingaroundinthefishtankwithyourpreciousnessgoldfishnamedGarry(thefish,notthe hamster). On the other hand, Video B is a recording of your grandmother doing the naughty with the pizza delivery man. Now, I am going to make a sweeping assumption in claiming that you don't mind other people seeing video A, so it is deemed that the video can be "public" or "not hidden." Video B on the other hand is just plain nasty and if the pizza delivery man were 12, and you needed to hide that video at all costs, this video would need to be "private" or "hidden." So, you would stick Video A in the container that you could give the key away to and Video B would go in a container that you would protectatallcosts.IfyouusethekeyforVideoA,youcanseevideoAandsoforth. So, on the same lines, a hidden container (or, a hidden OS), is a hidden, encrypted container that the LEA cannot prove exists. So, you have two keys: a key for the public container and a private container.Youcanunlockoneortheotheratonetime,butnotbothatthesametime.So,youcangive the LEA the key that opens up your public container whilst hiding the key for your private container.TheLEAcannotdetermineifyouhaveaprivate,hiddenOS,oraprivatecontainer.Ifyouuse thekeyforyournonsensitivecontainer,youwillbootintocontainer. In essence (when dealing with hidden OSs), think of two Operating Systems on one computer and you can choose which one to boot into depending on the password. A hidden OS, is hidden and the LEA cannot prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding your other material and use it when you need it. A hidden OS also has all the sensitive data leaks inherent with any OS. So, instead of antiforensic techniques or saying, "opps, I forgot the password", youcanviewallsensitivematerialinthehiddenOSandnotworryaboutanythingsensitivebeingleaked (paging, recent file lists, db files, caching, etc). Remember this: if you are forced to give the encryption key,youcandosowhilstkeepingyourhiddencontainerhiddenwhichisthemainadvantageofahidden container.

3.3.

Securely Exchanging Messages or Data

The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data. But what if you wanted to send a message to somebody? Somehow, you will need to share the key while reducing the risk of anyone being able to intercept the password and use it to decrypt the data. Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of encryption there are two keys used, a public key and a private key. The public key is given to the world and is used to encrypt data whereas the private key is used to decrypt the data and to verify the data being received is legitimate. A popular program to securely share data and messages between two people(usingasymmetricencryption)isPGPorGPG(GPGbeingafreereplacementforPGP).

P a g e |16 Try it out GPG: ForWindows(sincethisisaWindowsguide),IrecommenddownloadingandinstallingGpg4win.Ifyou areusingLinuxyoucansimplyusegpgandstickwithcommandline.Hereisaguidefromtheirwebsite onhowtoinstalltheprogram:http://gpg4win.de/handbuecher/novices_5.html.WhenGpg4winis installed,followthesestepstocreateyourkeypairforencryption/decryption(note:thefollowing instructionsareforcreatingakeysizeof4096whichIrecommend.Youcancreatea2048bitencryption keyusingtheprogramKleopatra): 1. Startthecommandprompt:Start>Run>cmd>OK*WindowsVista/7,typecmdinSearch ProgramsandFeatures.Ablackboxshouldpopup 2. Typeingpggenkey 3. Enter1andpressEnter 4. Thedefaultkeyis2048,Irecommend4096 5. Setthevalueto0here.Ifyousetthekeytoexpire,youwillneedtogothroughthissame processofcreatingandredistributingyourpublickeys.Whenisasksforaconfirmation,entery 6. Yourrealnamewillmostlikelybeyourscreenname.Iwillentermissionmanhere 7. Forthisstep,inputanemailaddress.ForthisIenteredmytormailemailaddress. 8. Enteracommentifyouwish,thisstepisoptional 9. Ifyouwishtochangesomething,nowisthetimetodoit.EverythingiscorrectandIamdoneso Iwillentero 10. Atthispointyoushouldseeapopuppromptingyoutocreateasecretkey.Thisisalsoreferred toasaprivatekey.Makesurewhencreatingthispasswordthatitconformstostrong passwordguidelines 11. Reenterthepasswordtoconfirmyouentereditcorrectly 12. Youwillnowwanttotypealotofrandomdatainatextprogramofyourchoiceormoveyour mousearoundthescreensothekeycanbegenerateduntilthekeygenerationiscomplete 13. Iftherearenoerrors,thenyouhavesuccessfullycreatedyourpublicandprivatekey! 14. Now,togivepeopleyourPublickey(whichtheyusetoencryptdatatheywanttosendtoyou) youwilltypeingpgexportausername>c:\public.key.ForexampleItypedingpgexport amissionman>c:\missionman.key Encrypting and decrypting a message/file: 1. First,findthelocationofyourfileorsaveamessagetoatextdocument 2. Thecommandtoencryptafileisgpgeoutput"outputfile"localuser"yourusername"r "recipient"armorsign"filename".Forexample,ItypedingpgeoutputC:\encrypted.txt localusermissionmanrtestuserarmorsignclear.txt.detachsigwillcreateaseparate signaturefile 3. Todecryptafileyouwillsimplyentergpgdlocaluserusernameooutputfileinput file.Forexample,IenteredgpgdlocalusermissionmanoC:\decrypted.txt C:\encrypted.txt.

P a g e |17

Note:armorspecifiestheoutputiseasilycopiedwhenyoucopythetextversussending thefileandsignattachesadigitalsignaturesothereceiverknowsitiscomingfromyou. Note:Ifyouwantpeopletosendyoumessagesorfiles,youwillgiveoutyourPUBLICkey. NEVERGIVEOUTYOURPRIVATEKEY,EVER!Also,makesurethatnobodystealsyour privatekey;keepitonanencrypteddrive.Youcanexchangepublickeysordataeithervia inafile,orplaintextinaforum.Hereisagoodsitewithsomeofthecommoncommands: http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpgcs.html

HereisanexampleofaGPGencryptedmessage:
-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v2.0.17 (MingW32) mQINBFAisdkBEADQeOmbSJ5acqwBAxAEKicWg50sPSR0oO0roRsrSziDpnJf+nxC Y5uUDPOCs/KDHeSv1XIvK0yv5rpesh7lZeIESpJSyBG9IlEl8vQhmt+Bohy53xWs r5NJIktmeU+whCil8X9SYndc63UrdOoEVlKLApLDrskR91NDbx/YAv/YeNYQO4iB jP38E0bRliO5yxHENZLdP0PAhksBnC/rYXOiilBHqUFMKZJzaH1flTBjpiawojb1 9jOQPcIQ8eNC3EKl0LkaZs9dzlmF69ore8A3swck+bHnII9dhzmJS09iMc1KQDHb xjeF3XzvaQzwq6TtZcRyzEpcHtnIBe2w6LNgSEzuEIPKHVLKqDWfzbuAL6/+DPGf -----END PGP PUBLIC KEY BLOCK-----

Whenyougivesomeonethemessageorkeyorsignatureyouwanttocopyallthetextincluding everythingyouseeintheexampleabove.

3.4.

Steganography

Another good form of encryption is steganography which is the act of hiding data within text, graphic files, or audio files. The purpose of this method is so that nobody will know that there is a private message inside the medium (photo, document, etc.) because it is hidden. Lets say Bob wants to send private messages to Steve over a public forum read by numerous people. Bob grabs a picture, puts a hidden message inside and uploads it to the website. Nobody knows the message is there except for Steve, which is able to save the picture to his computer and read the message hidden inside. Forensic examinerswillneedtobelookingateachindividualfiletodetermineifsteganographywasused.Sofor exampleifyouhave1000pictures,theywillneedtogothrougheachandeveryonetodeterminewhich oneshavesteganographyandwhichonesdonot.

P a g e |18 Using steganography is as easy as downloading the right software from the internet. I started out by downloading one of the more popular freeware tools out now: F5, then moved to a tool called SecurEngine,whichhidestextfileswithinlargertextfiles,andlastlyatoolthathidesfilesinMP3scalled MP3Stego. I also tested one commercial steganography product, Steganos Suite. These tools may contain backdoors as with all encryption programs therefor should not be used with data you are trying tohidefromanypartythatmayholdthedecryptionkey.

3.5.

Authentication Factors

There are three common authentication factors in the security field that people refer to often. This is somethingyouknow,somethingyouhave,andsomethingyouare.Ausernameand passwordfallsinto the something you know category. This is because you know in your mind what your username and password is. Something you have is a physical device such as a smart card or token. Finally, something youarereferstoafingerprint,anirisscan,oranotherphysicalfeature. When setting up TrueCrypt most people only use a password, which is adequate for most scenarios. Another feature of TrueCrypt allows for multifactor authentication, which is as it implies, when the user uses two or more authentication factors. Multifactor authentication relies on both factors when trying to decrypt the file or get into your system and is recommended to provide the best security. The link provided will elaborate more on key files, security tokens, and smart cards when using TrueCrypt: Click here

3.6.

Password Attacks and Account Recovery Attacks


There are several types of password attacks that people perform when trying to decrypt information. These are known as dictionary attacks, brute force attacks, and random guess attacks. Creating complex passwords will help prevent against dictionary attacks. Creating long passwords will help prevent against brute force attacks. And creating passwords that do not include your username or any other identifiable information will help againstrandomguessattacks.Thisiswhyyourpassword should be long, complex, and should not include any identifiableinformation.

Case:TheSarahPalinemailhackoccurred onSeptember16,2008,duringthe2008 UnitedStatespresidentialelection campaignwhentheYahoo!personalemail accountofvicepresidentialcandidate SarahPalinwassubjectedtounauthorized access.Thehacker,DavidKernell,had obtainedaccesstoPalin'saccountby lookingupbiographicaldetailssuchasher highschoolandbirthdateandusing Yahoo!'saccountrecoveryforforgotten passwords.

P a g e |19 Another common attack that people do not usually think of is account recovery attacks. This is when someone is trying to login into your account by attempting to reset your password by using your accountrecoveryquestions.Forthisreasonyoushouldmakesurewhencreatingsecurityquestionsand answersthattheyarenoteasilyguessed(orfound).Agoodrecommendationistomaketheanswersas complicatedasthepasswords,butstillcanbeeasilyremembered.

3.7.

Creating Secure Passwords

The problem with passwords is they are usually too easy to crack or they are too hard for the users to remember. Therefore, both of these problems should be considered when creating a new password. Start by creating a password that is at least 16 characters. Use as many different types of characters as possible, including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous password and never use the same password for more than one account. Dont use passwordstorage tools, whether software or hardware. Make sure that your password does not include anything identifiable such as: names, usernames, pet names, or words in a dictionary. Lastly, make sure that the password is not too hard for you to remember so you dont forget the password or have to write it downorsaveit.Hereisanexampleofasitethatcancreateasecurepassword:clickhere.

3.8.

Hashing, Hashing Collisions, and Birthday Attacks

When people refer to hashing, they are referring to a type of encryption. Hashing is the process of creating an encrypted output that cannot be decrypted (it performs a oneway encryption) and is used to ensure that a message or file was not modified from the original copy. Hashing is also commonly used to help authenticate somebody. For example, many websites store a hashed copy of your password instead of the password in the clear. There are several types of hashing algorithms and the newer versions are better than the outdated versions for security purposes. SHA256 is the newest versionandisrecommendedasofrightnowwhenyouarecheckingfileormessagehashes. Using asymmetric encryption provides integrity as well as the already explained confidentiality. When you successfully decrypt a message that another user sent you, you have verified its integrity. Another way to ensure integrity is to create the hash of a file or a message and allow people to check the hash theygenerateagainstthehashyougavethem.Forexample:letssayBobuploadsafileforSteve.Bob uploads a file and generates a hash (lets say a value of 456) so Steve can make sure that when he downloads the file, it was not changed along the way. After downloading and saving the file, Steve also generates a hash of the saved file. If Steve generates the same hash, the file was not altered. But if Steve generates a different value (lets say 334), than the file has been changed. Personally, I use HashMyFilesbecauseitiseasytouseandisastandaloneprogram.

P a g e |20 Try it out Hashing 1. Downloadingandsavethisfile:http://ocrlwkklxt3ud64u.onion/files/1343933815.txt.Ifthefile opensupinyourbrowser,thensaveeverythingtoatextfileandsaveashash.txt 2. DownloadtheprogramHashMyFilesandstartitwhenthatiscomplete 3. ClickFile>AddFilesandselecthash.txt 4. Recordthehashofthefile(pressF7onyourkeyboard)*IusedMD5forthistest 5. CompareyourhashtothehashIgeneratedbeforeuploadingthefile (83a814a08b5edfa57c003415224f8b46) Another good method of ensuring that a file is actually sent from someone who claims they sent it is if they digitally sign a message using their private key. What you need to know is that you can digitally signamessageorfilewithoutactually sendingthe messageorfile.Thisishelpfulifyouwanttosharea file in which everybody knows what the password is whilst allowing them to confirm that it came from you. Try it out Digital Signatures 1. IamassumingthathavealreadysetupGPGandhavecreatedyourPrivate/Publickeypair 2. Startthecommandprompt:Start>Run>cmd>OK*WindowsVista/7,typecmdinSearch ProgramsandFeatures.Ablackboxshouldpopup 3. Thecommandtocreateadigitalsignatureisgpgoutputoutputfilelocaluserusername detachsigninputfile.Forexample,Itypedingpgoutputfinal.siglocalusermissionman detachsigntest.txt 4. Toverifythedigitalsignature,typegpgverifysignaturefilename.Forexample,Itypedin gpgverifyfinal.sigc:\test.txt While talking about hashing, I should mention Hashing Collisions. Hashing Collisions occur when two distinctly different messages produce the same hash result. Birthday attacks attempt to exploit this vulnerability byrelyingon thelikelihoodofthecollisionsoccurredbetweentherandomattackattempts andthenumberofpermutations.As anexample, considerthe scenarioinwhicha teacherwithaclass of 30 students asks for everybody's birthday, to determine whether any two students have the same birthday. Intuitively, this chance may seem small. If the teacher picked a specific day (say September 16),thenthe chancethatatleastonestudentwasbornonthatspecificdayis1(364/365)^{30},about 7.9%. However, the probability that at least one student has the same birthday as any other student is around70.

P a g e |21

3.9.

Cold Boot Attacks

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keysfromarunningoperatingsystemafterusingacoldreboottorestartthemachine.Theattackrelies on the data remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the seconds to minutes after power has been removed. Basically, when a computer is restarted,theencryptionkeys(passwords)mightstillexistinRAMandmayberecoverabletotheextent thattheycanbeusedtodecryptyourdevice. There are a few ways to mitigate this risk. The best method is to make sure to dismount the drive before ending the program or shutting the computer down. Most software programswillerasethekeyfrommemoryafteryouperform this action. This method is the best way to prevent cold boot attacks. Shutting the computer down cleanly should also ensure that the key is erased from memory. Another mitigation technique is with using a security token or smart card.Thiscanbefooledthoughiftheattackergrabsthekey andhasthetoken/smartcardinhand. Note:Manyforensic investigatorscarryacanof compressedairwiththemto acrimescenetofreezethe RAMstickforfurtheranalysis.

P a g e |22

Chapter 4_ Data

his section will talk about data in general: how it gets stored and what happens when it is deleted. Furthermore, we will take about recent file lists and data caching. Knowing how Windows and other applications handle these files will help eliminate the risks associated with evidence left over after your session. You will learn how to find and remove this data completely and securely from your computer. In some instances, you will also learn how to prevent these risks from happeningaltogether.

Topics

ThisChapterwillcoverthefollowingtopics: DeletedData DeletingDataSecurely FileSlack WindowsSwapFiles,ReadyBoost,TemporaryInternetFilesandBrowserCache TemporaryApplicationFilesandRecentFilesLists EventLogs Printers,PrintJobs,andCopiers Cameras,Pictures,andMetadata USBInformation SSDSolidStateDrive WheretoHideYourData

P a g e |23

4.1

Deleted Data

A common misconception that computer users have is, when you delete a file, it is completely removed from the hard disk. However, you should know that highly sensitive files such as pictures, passwords, chat logs, and so forth still remain on the hard disk. Even after they are deleted from your recycle bin, they are still located on the hard drive and can be retrieved with the right software. Take for example when you use WinRAR to extract the file that someone sent you. The program extracts the data to a temporaryfilebeforeitreachesitsdestinationonyourharddisk;thismayleadtoadataleak.

Note:YoucanchangethelocationwhereWinRARextractsthetemporarydatato.Navigate toOptions>Settings>Paths.YoucanchangethepathunderFolderfortemporaryfiles.

Any time that a file is deleted from a hard drive, it is not erased. What are erased are the bits of information that points to the location of the file on the hard drive. The operating system uses these pointerstobuildthedirectorytreestructure(thefileallocationtable),whichconsistsofthepointersfor everyotherfileontheharddrive.Whenthepointersareerased,thefileessentiallybecomesinvisibleto theoperatingsystem.Thefilestillexists;theoperatingsystemjustdoesn'tknowhowtofindit. Shadow data is the fringe data that remains on the physical track of storage media after it is deleted, sweeped, or scrubbed. A mechanical device called a head is used to write the data, and it is stored electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. However, head alignment is just a little bit different each time an attempt is made to erase data, and data remnants sometimes bleed over the tracks. This is the reason why government agencies require multiple scrubs or burning, because there is noguaranteeofcompleteeliminationoffringe,orshadow,data. Theonlywaythatyoucanpermanentlydeletethisdataistooverrideitwithspecialsoftwareorwaitfor the operating system to overwrite the data. There are files on the hard disk that do not have any pointers in the file allocation table so it will eventually be overridden with something new. Even files that are fragmented or are partially written over are recoverable and can be used against you. Special software will overwrite these files securely and immediately. One such recommended software that securely cleans the white space is CCleaner. As a word of note, people suggest that's simply defragging a hard drive will overwrite these pointers; this is not true. Drives formatted using NTFS are especially not affected using this method. This is because of the way NTFS stores data; it essentially makes defraggingtheharddriveuseless.

P a g e |24 Try it out CCleaner 1. DownloadandinstallCCleanertoyourmachine.MakesurewhenyoudownloadCCleanerfrom theinternet,aswithallprograms,youdownloadfromthemanufacturerswebsiteonly.Thelink hasbeenprovidedforyou:http://www.piriform.com/ccleaner/download/standard 2. OpenCCleanerpressToolsontheleft 3. SelectDriveWiper 4. SelectFreeSpaceOnlyinthedropdownboxnexttoWipe 5. Inthesecuritydropdownbox,Irecommendselectingthecomplexoverwrite 6. ChoosethedriveletteryouwishtocleanandpressedWipe

4.2

Deleting Data Securely

As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To prevent data from being recovered you must secure erase (or shred) the data. What special programs dotosecurelyerasecontentsfromacomputeristheyenumeratethrougheachbitofdataandreplaceit with a random bit. The shredding method I recommend is 7 passes. This process makes the bits unknownasrecoveryofthisdatadifficult,ifnotimpossible.Thiscanbedonewithfileeraserprograms, oritcanbedonetotheentiredrivewithbootablesoftware.DBANisrecommendedifyouaretryingto erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some programs such as Blancco implement HPA/DCO wiping by default, other tools could allow the user to choosewhetherornottowipeHPA/DCOwhileothertoolsarenotabletowipeHPA/DCOatall. HPA stands for Host Protected Area and is a section of the hard drive that is hidden for the operating system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery system for the computer. For this reason, the HPA is not a big concern, but you can securely remove data here nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of todays harddrives.SimilartotheHPA,theDCOscanbesecurelyerasedinsuchthesameway. While recovery of information wiped out in this manner is far more difficult, and in many cases impossible, some recovery techniques exist that specialists can employ to retrieve some of the data. Factorssuchasthesizeoftheharddrive,theaccuracyofthemechanicalsysteminthedrive,thepower with which the information was recorded, and even the length of time the information was left on the drivepriortowipingallwillhaveaneffectontheprobabilitiesforrecovery.

P a g e |25 Another method is to physically destroy the hard drive to a state that is irreparable. The best method for this is to open the hard disk and grind the platters to obliterate all data. Another method for hard drives that use disks is to use an industrial strength magnet to remove the data. Optical disks (CDs, DVDs, etc.) can be shredded if they are not writable. Also, optical disks can be destroyed be cooking them and is the best method for destroying data on optical media. Cooking them however is not recommendedforpracticingoreverydayuseastheyreleaseatoxicfume.

4.3

File Slack

To understand file slack, one first needs to understand how disks are organized at the lowest level. As can be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further subdividedintoasetofsectorsandcollectionofsectorsformtogetherto makea cluster. Ifyouwritea 1 KB file that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space between the logical endoffileandthephysicalendoffileisknownasslackspace. The perhaps somewhat unexpected consequence from this is that the file slack contains whatever data was on the disk before the cluster was allocated, such as data from previously deleted files. Using file slack, it would be possible not only to recover previously discarded (and potentially sensitive information) information, but also to effectively hide data. The ability to hide data arises because the operating system does not modify data within a cluster once it has been allocated. Thismeans that any datathatisstoredintheslackissafe(providedthefilessizedoesnotchange).

P a g e |26

4.4

Where to Hide Your Data


Information HostProtectedAreaisanareaofaharddrivethatisnotnormallyvisibleto anoperatingsystemandisprotectedfromuseractivity.Tohidedatathere, youwillneedtowriteaprogram,orfindaprogram,towriteinformation there. TheMasterBootRecordonlyrequiresasinglesectortherebyleaving62 opensectorsforhidingdata Filesystemsstoredatainblock,whicharemadeofsectors.Ifthetotal numberofsectorsinapartitionisnotamultipleoftheblocksize,therewill besomesectorsattheendofthepartitionthatcannotbeaccessedbythe operatingsystemusinganytypicalmeans. Ifthepartitionsonaharddrivedonotuseupalloftheavailablespace,the remainingareacannotbeaccessedbytheoperatingsystembyconventional means(e.g.,throughWindowsExplorer).Thiswastedspaceiscalledvolume. Itispossibletocreatetwoormorepartitions,putsomedataintothem,and thendeleteoneofthepartitions.Sincedeletingthepartitiondoesnot actuallydeletethedata,thatdataisnowhidden. Thisistheunusedspacebetweentheendoffilemarkerandtheendofthe harddriveclusterinwhichthefileisstored. Anyspaceinapartitionnotcurrentlyallocatedtoaparticularcannotbe accessedbytheoperatingsystem.Untilthatspacehasbeenallocatedtoa file,itcouldcontainhiddendata. Everypartitioncontainsabootsector,evenifthatpartitionisnotbootable. Thebootsectorsinnonbootablepartitionsareavailabletohidedata. Itispossibletomanipulatethefilesystemmetadatathatidentifiesbad blocks(e.g.theFileAllocationTableinaFATfilesystemor$BadClusinNTFS) sothatusableblocksaremarkedasbadandthereforewillnolongerbe accessedbytheoperatingsystem.Suchmetadatawillproduceblocksthat canstorehiddendata.

Location HPA

MBR Partitionslack

Volumeslack

Fileslack Unallocatedspace

BootSectorinnon bootablepartitions Goodblocksmarkedas bad

4.5

Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache

A swap file allows an operating system to use hard disk space to simulate extra memory. When the system runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk tofreeupmemoryforotherprograms.Thenwhenyougobacktotheswappedoutprogram,itchanges places with another program in RAM. This feature ensures that Windows is usable when memory runs out.Eventhoughthisfeatureishelpful,sensitiveinformationmightbecontainedwithintheswapspace thatcouldincriminateyou.

P a g e |27 Letssayyoudownloadsensitivematerialandafteryouweredonewithit,youdeleteitsecurely.Ifyou ran out of memory (RAM) the temporary data might have been saved to swap space thereby rendering your method of removing the file useless. The best way to attack this problem is to disable paging altogether while viewing sensitive information. If you are using applications that use large amounts of memory,youcanturnpagingbackonduringyoursession. Try it out Disable paging 1. OpentheStartMenuandgotoControlPanel 2. ClickontheSystemicon 3. SelecttheAdvancedtab 4. UnderPerformance,clickSettings 5. GotoAdvanced 6. UnderVirtualMemory,clickChange 7. SelectNoPagingFileandthenclickSet 8. ClickOKinallthemenus 9. Restart 10. Toenablepagingagain,simplyselectAutomaticallymanagepagingfilesizeforalldrives ReadyBoostisanothercachingfeatureintroducedinWindowsVistaandwascontinuedwithWindows7. It works by using flash memory, a USB flash drive, SD card, CompactFlash or any kind of portable flash mass storage system as a cache. Data that is written to the removable drive is encrypted using AES 128bitencryptionbeforewrittentothedrive.Thismeansthatanexaminerwhorecoversthedrivewith theReadyBoostinformationwillfinditdifficulttodecipherthisdata. Another way that Windows operates under the surface is when creating temporary internet files. Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is used by Internet Explorer and other web browsers to cache pages and other multimedia content, such as video and audio files, from websites visited by the user. This allows such websites to load more quickly the next time they are visited. Not only web browsers access the directory to read or write, but alsoWindowsExplorerandWindowsDesktopSearch. You can see how this is a problem if you ever want to download (or view) pictures or files that contain sensitive material. Furthermore, other applications might use temporary files when handling content. For example, when I talked about WinRAR earlier, I explained that when you unpack data from an archive, the program creates a temporary file on your file system before it is moved to its destination. The only way around this (excluding internet cache) is to periodically wipe slack data as stated before. Whendealingwithinternetdata,youshouldbeconcernedwithdeletinginternetcacheandcookies.

P a g e |28 Try it out Delete internet cache 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. SelectTorBrowserwill:UsecustomsettingsforhistoryandcheckClearhistorywhen TorBrowsercloses

4.6

Temporary Application Files and Recent Files Lists

Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file is recorded by Windows. This feature was introduced into Windows and other applications to make those applications more user friendly by allowing easy access to those recently used files. Such the same, some applications create cache that is stored on your computer so the application can run faster thenexttimeitisloadedoraspecificprojectisbeingworkedon. Recent file lists and application caching does make the experience more friendly, but it also added security risks. If for example, someone took a video and loaded it into a video editing software. The softwaremighttakepiecesofthevideoandsaveittoyourharddriveforfastaccess.Thesamegoesfor viewing videos/images that are sensitive by nature. Whoever is looking at the recent files list for your computer,willknowwhatthenamesoffilesareaswellaspossiblyknowingthelocationofthosefiles. First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures that are loaded for every file in Windows Explorer as a little preview of sorts. A thumbnail cache is used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of thumbnailsasthesesmallerimagesdonotneedtoberecalculatedeverytimetheuserviewsthefolder. You can see where this is a problem when you open a folder containingsensitivepicturesorvideos.Thumbnailcachesarestored in thumbs.db files and the locations will vary depending on the Operating System. In Windows XP, the thumbs.db files will be Note:JumpListsappearon storedineveryfolder. theStartmenuaswellason theTaskbarwhenyouright clickonanicon.Youcanuse ittoperformspecific Windows 7 and Vista saves all the thumbnails in a central location. actions, butforsecurity The cache is stored at %userprofile%\ AppData \Local \Microsoft purposes,itcanrecordfiles \Windows \Explorer as a number of files with the label thatwererecentlyopened. thumbcache_xxx.db (numbered by size); as well as an index used to find thumbnails in each database. This makes it easier for us to

P a g e |29 locate and remove the caches of these thumbnails. You can use CCleaner to remove the existing cache. Irecommendusingthispagetoenable/disablethumbnailcaching.Clickhere Another feature of Windows and several applications is recent files lists. There are several locations where these lists can appear, yet there are only two ways they are saved: the registry or as a file. Windows XP saves file names in the registry and a centralized location in Windows Explorer whereas Windows 7 introduces yet another list known as a jump list which can also be cleaned by using CCleaner. Try it out Disable jump lists 1. RightclicktheStartMenuandclickProperties 2. ExpandtheStartMenutab 3. UncheckStoreanddisplayrecentlyopeneditemsintheStartmenuandthetaskbar 4. ClickOK CCleaner erases most all (if not all) of the recent file lists for Windows as well as for a few other applications.Listedbelowarecommonlocationswheretheserecentfilelistsandapplicationcachescan befoundat(Iwouldlookintowinapp2.iniformorelocationswhichisanaddonforCCleaner): Registry(allareinHKEY_CURRENT_USER): (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (Windows)Software\Microsoft\MediaPlayer\Player (Windows)Software\Microsoft\InternetExplorer\TypedURLs (MediaPlayerClassic)Software\Gabest\MediaPlayer Classic\RecentFileList (MediaPlayerClassic)Software\Gabest\MediaPlayer Note:Otherapplications Classic\Settings includePrivaZerfor Files: WindowsandBleachbit for Linux. (Recentfilelist)%appdata%\Microsoft\Windows\Recent (Jumplist)C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent\ AutomaticDestinations (TempdataVista/7)C:\Users\<username>\AppData\Local\Temp (TempdataXP)C:\DocumentsandSettings\<username>\LocalSettings\temp

P a g e |30 Try it out Setting up CCleaner 1. DownloadandinstallCCleanertoyourmachine.MakesurewhenyoudownloadCCleanerfrom theinternet,aswithallprograms,youdownloadfromthemanufacturerswebsiteonly.Thelink hasbeenprovidedforyou:http://www.piriform.com/ccleaner/download/standard 2. OncetheprogramisopenclicktheOptionsbuttononthelefthandsideofthewindow 3. Next,clickonSettings 4. MakesurethatSecurefiledeletion(Slower)ischecked,ComplexOverwrite(7passes)is selectedinthedropdownboxandWipeMFTFreeSpaceischecked.VeryComplexOverwrite canbeselectedinsteadofComplexOverwrite.TheComplexOverwriteistheminimumyou shouldchoose 5. ClickCleanerontheleft 6. MakesuretheyalltheitemsarecheckedunderWindowsExplorer Another thing I do is set CCleaner to perform a clean whenever I log into the machine and every hour thereafter. Cleaning your computer automatically will help with managing this program as you will not have to remember to manually run the program every so often. One drawback with this method however is if an application is using temporary data that is erased by CCleaner, the application might performincorrectlyorstopworkingaltogether. Try it out Setting up CCleaner to automatically run (Windows Vista/7) 1. StartCCleanerandselectOptionsontheleft 2. CheckSaveallsettingstoINIfileundertheAdvancedtab 3. OpentheStartMenuandenterTaskSchedulerintothesearchbox 4. ClickontheActionheaderinthemenubarandselectCreateBasicTask 5. Followthestepsofthewizardtocreatethetask.Inthefirstwindow,namethetaskandgiveita descriptiontohelpyourememberwhatitislater 6. Onthenextpage,selecthowoftenyouwantthistorun.IcheckedtheWhenIlogoncheckbox 7. SelecttheoptionlabeledStartaprogramonthenextpage 8. HitBrowseandnavigatetothedirectoryyouinstalledCCleanerto.Add/AUTOtothetextfield labeledAddarguments 9. ClickFinish Finally, for those of you who switched to Windows 8 should know about the app data. Windows 8 for starters has made significant strides over Windows 7 in respects to the interface. They have added the Metro interface which hosts a plethora of apps that can possibly leak important data. Two such apps aretheWindowsPhotosandWindowsVideo.Whenviewingaphotoorvideo,youcanimmediatelysee that the photo or video cap is cached as they are still apparent even after the material is deleted. Obviously,youcanseetheglaringissuewiththiswhenitconcernssecurity.

P a g e |31 I have not too much research on the matter, so I am going to be brief. For starters, all your apps are locatedinyourappdatafolder.Specifically,thefolderpathsareasfollows(perusersettings): Locationofallyourapps:C:\Users\Username\AppData\Local\Packages. WindowsPhotos: C:\Users\Username\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\ LocalState When the app is closed the cached images no longer appear on the Metro interface. Furthermore, the cached images dont appear when you open the app again. I did some more investigating into Windows Photos and notice thatseveralfilesgetincreasinglylargerafterIviewimages intheWindowsPhotosappevenaftertheappisclosed. Specifically,thosefilesarethe: Microsoft.WindowsLive.ModernPhotos.etl, Microsoft.WindowsLive.ModernPhotosLast.etl,and ModernPhoto.edb. Other files exist that show the last 5 images that were cycledthroughontheWindowsPhotosMetroapp. These files are LargeTile1(through 5) and SmallTile1(through 5). The latter files should not be an issue unless they containedsensitiveimages. I cannot read what is actually contained within the files themselves, but I can be reasonably sure that with everything Windows, image previews are being cached and stored to limit I/O usage and speed up theloadingprocess.Sayingthis,itisrecommendedthatyoudeletethesefilessecurelyifyouaccidently orpurposelyopenpicturesusingtheWindowsPicturesapp(anditisgoingtohappen,trustme).To do this you should close the Pictures app (from the gesture on the left side or the task manager) and securelyerasethosefilesusingaprogramofchoice. When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail profile you used when logging into Windows 8, that name will be automatically embedded as metadata in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading anything sensitive. If you use Bing which is the default search provider and included preinstalled as an app, you should know that Bing creates a separate web history of its own and stored the data over the internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS, which is not used on Windows 8 devices moreso is it used with Windows Server 2012 (Windows Server 8). Also, with the advent of Office 2013, the default location that the documents will be saved is Windows Skydrive;so you can see how that might be a security concern if you save something sensitive withoutlooking.ConcerningcontentsavedtoWindowsSkydrive,hereispartofMicrosoftsTOA:

P a g e |32 Youwillnotupload,post,transmit,transfer,distribute,orfacilitatedistributionofany content(includingtext,images,sound,video,data,informationorsoftware)or otherwiseusetheserviceinawaythat: 1. depictsnudityofanysort,includingfullorpartialhumannudity,ornudityin nonhumanformssuchascartoons,fantasyartormanga. 2. incites,advocates,orexpressespornography,obscenity,vulgarity,profanity,hatred, bigotry,racism,orgratuitousviolence. So,theyscanyourdocuments(andpictures)foranythingthatviolatesitsTOA,andiftheyfindanything, you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 account will have to be recreated, your XBOX live and Skydrive account will be disabled as well. They also actively scan for child pornography so make sure you don't accidentally save to a Skydrive account either. This seems like a huge invasion of privacy digging deep within all your documents and pictures (even if it is automatic)andtherepercussionscanbeimmense.

4.7

Shellbags

WhenyouopenafolderinWindowsExplorerandcustomizetheGUIdisplayWindowsusestheShellbag keystostoreuserpreferences.Everythingfromvisiblecolumnstodisplaymode(icons,details,list,etc.) tosortorderaretracked.Ifyouhaveevermadechangestoafolderandreturnedtothatfoldertofind yournewpreferencesintact,thenyouhaveseenShellbagsinaction.InthepaperUsingshellbag informationtoreconstructuseractivities,theauthorswritethat"Shellbaginformationisavailableonly forfoldersthathavebeenopenedandclosedinWindowsExploreratleastonce.Sobasically,ifyou visitthatfolder,ashellbagiscreated. ThankstothewondersofWindowsRegistrylastwritetimestamps,wecanalsoidentifywhenthatfolder wasfirstvisitedorlastupdated(andcorrelatewiththeembeddedfolderMACtimesalsostoredbythe key).Insomecases,historicalfilelistingsareavailable.Thismeansthatevenifyoudismountadrive (letssayyouareonlyusingaTrueCryptcontainer)ordeleteafolder,thefoldersthatyouopenedwill stillberecorded.Normally,thiswouldnotbeanissuebecausejustthefoldernamesarerecordedhere, butifyounameyourfoldertothatofsomethingsensitiveandthenamealludestocriminalactivity,you willbeintrouble.

P a g e |33 Registry Keys Ifyouarecuriousastowhatforensicdatacanbefoundoutbyusingshellbags,agoodprogramtoview alloftheahellbagscanbefoundhere.Youcanalsoremovetheshellbagsthatcontainsensitive informationthatyouwishnotbefound. Todisablethemalltogetheryoucandothis: NavigatehereintheRegistry(ifyoudonotknowwhatyouaredoing,thenIDONOTRECOMMEND THIS):[HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell] LeftclickontheShellkeyandintherightpane,ifyoucanseeBagMRUSizethenthereisnoneedto undertakethisstep.Ifitisn'ttherehowever,rightclickandselectNew>DWORD32bitValueandname itBagMRUSize.Nowsetthisvalueto0inDecimalview. WindowsusesthefollowingRegistrykeystosavethefoldersinformation: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell (OnlyinWindowsVista)

4.8

Prefetching and Timestamps

To start, there is a feature that began with Windows XP that is known as Windows Prefetching. Windows Prefetch files are designed to speed up the application startup process. Prefetch files contain the name of the executable (the program you are running), a Unicode list of DLLs (Dynamic Link Libraries;filesthatsupportstheprograminordertorun)usedbythatexecutable,acountofhowmany times the executable has been run, and a timestamp indicating the last time the program was run. This meansthatifyouaretryingtouseprogramssuchasTrueCryptorsecuredeletionprogramsorotherfile encryption programs, a Prefetch file will be created thus alerting the forensic investigators. This is not usually an issue unless you are trying to counter forensic techniques without letting the investigator know.

P a g e |34 An example where Prefetching is troublesome is when you are trying to change the Windows Timestamps for files. Every time a file is created, accessed, or modified a Timestamp is created. Changing the timestamps are a good idea to throw the investigators off. Also, it is easy to change as there are programs that can do that for you. A popular program is TimeStop; but an investigator can investigate the Prefetch file and determine that the program was run. When this happens they can be reasonably certain that the timestamps were changed maliciously. So, before you download the file I wouldpackthefileusingaprogramsuchasUPX(UltimatePackerforeXecutables).Thiswillchangethe hashofthefilesotheinvestigatordoesnotknowTimeStopwasusedwhenexaminingthePrefetchfiles.

4.9

Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, WindowsrecordstheeventinaneventlogthatyoucanreadbyusingEventViewer.Aninvestigatorcan determine security related information (These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful), application and service information, and more. As security information is not incriminating, investigators can tell when you attempted to log in and out of the computer, which can correspond to suspected times. Also, application data might not be incriminating, but depending on what the applicationactuallylogs,filenamesandotherincriminatingevidencemightberecorded. Try it out Erase event logs 1. OpentheStartMenuandgotoControlPanel 2. ClickonAdministrativeToolsandopenEventViewer 3. ExpandWindowsLogsontheleft 4. RightclickApplication,Security,andSystemandclickClearLog

4.10 Printers, Print Jobs, and Copiers


There are several things that you should be concerned about when printing sensitive documents. Print data might be left on your computer, on the printers hard drive, or through transit. Before you can know where to look, you must first know how Windows prints a document. When you send something to a printer the document is first spooled and two files are created in the %system32%\spool\printers folder.Thesetwofilesaretheshadowfileandaspoolfile.Thefilesarenamedascomplimentarypairs; for example, one job sent to the printer results in the creation of one FP00001.SDH file and one FP00001.SPLfileforthesamejob,whilethenextjobwillcreateFP00002.SDHandFP00002.SPL.

P a g e |35 Theshadowfile(.SHD)cancontaininformationaboutthejobitself,suchasthe printer name,computer name, files accessed to enable printing, user account that created the print job, the selected print processor and format, the application used to print the file, and the name of the printed file (which can betheURLifafileisprintedfromtheweb).AllofthisdatacanbeseeninUnicodeusingahexeditoror forensicsoftware. Spool files (.SPL) on the other hand contain the actual data to be printed. This means that if you print a picture for example, a copy of the picture is created and temporarily stored in the spool folder. Next, the print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is anerrorwhereasthedocumentwaitsinthequeuelist,thesefilescaneasilybereadandthecontentsof thefilerevealed.Itisalsoimportanttonotethatthesetwofilesweredeletedinsecurely,sothereisthe possibilityofrecovery. Since 2002, every copier has the capacity to store copies of the documents that are copied or printed. Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the copier. This means that printed documents and copies might be stored on the printers hard drive, or they might be recoverable if they were already deleted. There is also a security concern whereas printed documents can be tied to specific printers. Lastly, print documents can be captured if you are sending them to a printer that is located over the network. Currently, it is up to the manufacturer to providesecuritywhensendingjobstoaprinter. Try it out Read spool data 1. Iamgoingtoassumethatyoualreadyhaveaprinterinstalledonyourmachine 2. Disconnecttheprinterspowersource.Thiswillallowustoviewthe.SHDfileandthe.SPLfile 3. Sendaprintjobtothatprinterthatyoujustdisconnected 4. OpenWindowsExplorerandintheaddressbar,typein%windir%\System32\spool\PRINTERS 5. YoushouldnoticethetwofilesImentioned:a.SHDfileanda.SPLfile.Ifyouhavemorethan twofiles,thenyoumighthaveadditionalprintjobsinthequeue 6. Selectthefilewiththeextension.SPL,rightclickandselectCopy.Pastethefileinthelocation ofyourchoice. 7. DownloadandinstalltheprogramSPLViewfromthemanufacturerswebsite:clickhere. 8. EitheropenthefilefromwithinSPLView,orifyouassociatethe.SPLextensionwiththe program,youcansimplydoubleclickthefile 9. ToviewSHDfile,IrecommenddownloadingausingSPLViewer:clickhere.Ifthefileislocked, youcanfollowTryitoutremovingservicesinsection5.2,anddisablethePrintSpoolerservice 10. TurntheprinterbackontofinishprintingthedocumentordeletethefileswhenthePrint Spoolerserviceisstopped(Tryitoutremovingservicesinsection5.2)

P a g e |36

4.11 Cameras, Pictures, and Metadata


Metadata may be written into a digital photo file that will identify who owns it, copyright & contact information,whatcameracreatedthefile,alongwithexposureinformationanddescriptiveinformation such as keywords about the photo, making the file searchable on the computer and/or the Internet. Some metadata is written by the camera and some is input by the photographer and/or software after downloadingtoacomputer. EXIFinformation,theExchangeableImageFileformat,describesaformatforablockofdatathatcanbe embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information. In some instances, especially with the use of cameras in cell phones, the location where the picture was taken might also be embedded with the use of geocaching. This information should be removedbeforethephotoissharedwithsomeoneelseorstoredunprotected. ToremoveEXIFinformationfromanimage,orabatchofimages,youwillneedtogetaspecialprogram that strips this data. I recommend the program BatchPurifier that can remove this information from batchoffilesorasinglefile.AgoodprogramtoreadEXIFinformationfromPEG,TIFFandEEIXtemplate files is Opanda IEXIF. If you want to remove metadata from a RAW image, you will need to get a separate program such as Exiv2. Opanda IEXIF cant remove the data, but it can show you what data is containedwithineachpicturethatyoutake(unlessyoupurchasetheprofessionalversion). Youcannotstopcamerasfromrecordingmetadataandembeddingtheminpictures,sotheabovesteps are the only way to ensure the pictures are clean. To further clean the image that you took, you will want to crop and remove identifiable information contained within the actual pictures itself. The best program that can do this is Adobe Photoshop, but a good, free program is Gimp. Identifiable information should include names, faces, logos, labels, prescriptions, anything that includes handwriting,toysspecifictoaparticularregionsorstore,etc. It is also important to know that digital cameras leave a telltale fingerprint buried in the pixels of every imagetheycapture.Nowforensicscientistscanusethisfingerprinttotellwhatcameramodelwasused to take a shot. Furthermore, these scientists can tell the specific camera that took a specific picture if they had the camera in hand. I would either use a separate camera for ontopic material or change the photo by either resizing or rerendering the image after making global changes (blurring, filtering, etc.). Photoshop, Paint.Net, or GIMP are all good program that enable you to edit a photo without making changes to the original. This allows you to go back and make further changes (or undo changes) in the futureifneeded.

P a g e |37 You should also know that pictures are not the only material that can contain sensitive information. Documents can include Microsoft Office documents (Word, Excel, PowerPoint), OpenOffice.org documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG, SVG, AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best to either remove the data from these files before sharing them or it is best not to share them all together. You should know that changing the file extensiondoesnottricktheinvestigators.Theyusefileheaderinformationtogatherpictures/videos. As we are talking about pictures, you should also be concerned what is in the pictures themselves. Law

Case:Duringaninvestigationintoaninternalchildpornring,detectivestrackeddownatoy bunny,seeninaphoto,wasusedtotracethesuspecttoAmsterdam.Investigatorshave discoveredthatthebunnywasacharacterinachildren'sbookpopularintheNetherlands. Thedetectivealsotracedtheboy'sorangesweatertoasmallAmsterdamstorethathadsold only20otherslikeit.Thatledtothecaptureandarrestof43otherindividuals.

Enforcement Agencies have teams of analysts that pick apart background data to determine names, addresses, geographic data, demographics, and etc. As the case provided, detectives were able to determinewherethesuspectlivedbasedonatoybunnyandanorangesweatshirtasseeninoneofthe photos. You should attempt to remove all information that includes names, dates, addresses, paraphernalia or anything in nature that is region specific, or anything else that can be identifiable. Tattoos, and other body parts (not specific to the face) are identifiable too. For example, veins on the penis can be linked to a specific person. Recently, somebody was taking photos of his underage daughter and posting them online. The problem is he posted one with a clear view of a prescription bottleinthebackgroundandgotbusted.Notsmart;dontmakethejobsoftheLEAeasier. When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though some investigators have recently been able to reverse the blurring process and render this useless) and the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes replace the background altogether. If you really want to get involved, you can change physical features such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a photo making it harder for someone to identify you. Also, if done correctly, it will enhance the photo visuallyandthepresentationwillbemuchbetter.

4.12 USB Information


Whenever a device is plugged into the system, information about that device is stored in the registry and the setupapi.log file (Windows XP and earlier). The registry key can be found here:

P a g e |38 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file can be found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about every device that was plugged into your computer via the USB. The setupapi.log file contains information about device changes, driver changes, and major system changes, such as service pack installationsandhotfixinstallations. To delete this registry key and or subkeys you must first rightclick the key and choose permissions. You can then set the everyone group with full permission to the key or subkeys so that they can then be deleted. Im sure it isnt too difficult to whip up a script or piece of software to automate this. Also, if youhavesystemrestoreenabled,theinformationmightbecontainedinthereaswell.Thesetupapi.log file should be securely deleted as you would with anything sensitive. As pointed out to me by a forum thatIfrequent,hereisaprogramthatwilldothisforyou:https://code.google.com/p/usboblivion/.

4.13 SSD Solid State Drives


Unlike HDDs, SSDs have a feature known as a garbage collector wherein cells that are marked to be deletedarepermanentlyerasedinthe background,usuallywithinseveralminutesofbeing deleted.Itis important to know that this process happens on the SSD hardware level, so simply leaving the SSD powered on regardless if it is attached to anything will result in the destruction of the data (also known as selfcorrosion). Even though SSDs implement garbage collecting, encrypting or securely deleting the deviceishard. SSD's use load balancing, which is a feature that evenly balances I/O operations between allocation pools. This means that when you attempt to encrypt or delete a bit of data, it will move past the actual to the next bit. Also, SSDs should not be encrypted using programs that are meant to encrypt HDs because of another feature called "wear leveling". TrueCrypt for example recommends that "TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wearleveling mechanism (and that TrueCrypt is not used to encrypt any portions of such devices or filesystems). You should know however, that was referring to existing data already stored on the hard drive. New data that has not been written to the disk will be secured because it is encrypted before physical storage on the hard drive.Thisstillcanallowfordataleaks,soitisstillnotrecommended. On the SSDs you cannot save to a specific sector on the drive therefor if it theoretically possible that therearemultipleinstancesofthesamedatastoredonthedrive.Letssayforexamplethatyouchange the TrueCrypt volume header; the old header might still be accessible on the drive as you cannot write overitindividually.Anattacker,knowingthisinformationcanattackthecontainerusingtheoldheader information.

P a g e |39

4.14 Forensic Software Tools


CategoryofTools Chatrecoverytools Computeractivitytrackingtools Diskimagingsoftware Emailrecoverytools Filedeletiontools Fileintegritycheckers Forensicworkenvironments Internethistoryviewers Linux/UNIXtools Multipurposetoolsandtoolkits Examples ChatExaminer VisualTimeAnalyser SnapBackDataArrest,SafeBack,Helix EmailExaminer,NetworkandEmailExaminer PDWipe,DariksBootandNuke,Blancco FileMon,FileDateTimeExtractor,Decode ForensicDate/TimeDecoder XWaysForensics CookieDecoder,CookieView,CacheView, FavURLView,NetAnalysis,InternetEvidenceFinder Ltools,Mtools Maresware,LCTechnologiesSoftware,WinHEX SpecialistEdition,ProDiscoverDFT,NTITools, AccessData,FTK,EnCase Partimage @Stake,DecryptionCollectionEnterprise,AIM PasswordDecoder,MicrosoftAccessDatabase PasswordDecoder,CainandAble,Ophcrack OntrackEasyRecovery,ParabenDeviceSeizure 1.0,ForensicSorter,DirectorySnoop RegistryAnalyzer,Regmon,DiamondCS OpenPorts,PortExplorer,Vision,Autoruns, AutostartViewer,Patchit,PyFlag,PascoBelkasoft RemovEx,KaZAlyser,OxygenPhoneManagerfor Nokiaphone,SIMCardSeizure Evidor

Partitionmanagers Passwordrecoverytools

Slackspaceanddatarecoverytools Specializedsoftwareforanalyzingregistries, findingopenports,patchingfilebytes,simplifying logfileanalysis,removingplugins,examining P2Psoftware,andexaminingSIMcardsandvarious brandsofphones Textsearchtools

P a g e |40

Chapter 5_ Continuity

ervice and data continuity is the activity performed by you to ensure that files and services will be available to yourself and others for the applicable lifetime. There are several methods to provide continuedsupportincluding:backingupdata,usingcontrolsandtechniquestorestrictaccess,and implementing controls on servers, networks, and other devices. None of these controls should be skippedastheyareallequallyimportant.Thisstepisoftenoverlookedwhen securingyourinformation butassuresavailabilityismet.

Topics

ThisChapterwillcoverthefollowingtopics: SecurityConcernswithBackups SecurityConcernswithSleepandHibernation EnsuringInformationandServiceContinuity DoSandDDoSattacks

P a g e |41

5.1

Security Concerns with Backups

Tostart,WindowsbackupandrestoreisafeatureofWindowsanddoesexactlyasitimplies;itbacksup your data. Without much explanation, there are three types of Windows backups: full, differential, and incremental.Afullbackupprovidesabackupregardlessofpreviousbackups.ADifferentialbackuponly backsupdatathatwaschangedsincethelastfullbackupandanincrementalbackupbacksupdatathat waschangedfromthelastfullbackup,orthelastincrementalbackup. I know I am stating the obvious, but make sure that you do not backup anything that is confidential. Whether by accident or on purpose, once you backup sensitive data, it does not matter if you remove the file from your computer because a copy is already made. Personally, I keep all my sensitive informationinanencryptedcontainerbyitselfsoIdontconfuseitwithmyotherstuff.AfterImoveall of my sensitive information into a container by itself I have ensured two things, 1) my information is securedand2)nothingisbeingbackedupthatisnotsupposedto.

5.2

Security Concerns with Sleep and Hibernation


There are two other features with Windows that you should know of: sleep and hibernation. If you need to walk away from your laptop for a small or extended period of time but want your Windows session to resume quickly, you will use either of these two features. The difference is that with sleep mode, your computer stores everything in memory and with hibernation mode, everything in RAM is saved to your hard drive. Sleepisforshorttermstorageandhibernationisforlongtermstorage.

Note:Windows8,the latestOperationSystem Microsoftiscomingout withhibernatesthe systemkernel,butdoes notputmemoryin storage

If you use sleep or hibernation, the encryption keys and everything else that is open at that time is saved, allowing a third party to bypass the security measures you have in place. For example, everything that you have opened at this moment, including mounted containers and open documents, will be viewable by forensic investigators. The best mitigation technique is not to use them or to disable both hibernation andsleepaltogether.

5.3

Ensuring Information and Service Continuity

Keepingabackupofallyourprivate/sensitivematerialsisagoodideaforthecontinuityofsuchdata,as long as that data is secure. Securely storing data has been discussed in another section, so I will only make a recommendation. I would create a container with TrueCrypt and store all sensitive data within

P a g e |42 that container before saving the backup somewhere else. Doing this will achieve two goals in the CIA triad,confidentialityandavailability. Therearetwolocationsthatneedtobeconsideredwhenbackingupdata:locallyandremotely.Alocal copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed updata.Butwhatifanaturaldisasterorafireoccursanditdestroysbothyourcomputerandyourlocal backupdevice?Thisiswherearemotebackupsolutioncomesin;itpreventsdatalossinoffchancethat this happens. Common methods of remote backups are remote backup services, tapes, external drives, orhostedservices.Anothercommonmethodisfindingsomeoneelseinanotherlocation(anotherstate preferably)andyoueachkeepabackupforoneanother. Forexample:letssaythatIhaveafriend(okay,Ididsayasanexample)andthatfriendlivesinanother state. One good way that I can back up my data at his place and his at mine, is we setup a VPN to connectournetworkstogether.Thisway,wecansendthefilessecurelyovertheinternetwithoutmuch complication. Make sure however, that you trust the other party as they will have your Public IP Address.Anotherdevice thatallowsforstorageredundancyisa RAIDdevice.RAID (redundantarrayof independent disks) is a storage technology that combines multiple disk drive components into a logical unit. Basically, it is adevicethatiscomprisedofseveraldisksforthepurposethatif Note:NASstandsfor one (or more) drive(s) fail, data is not lost. This can come in the Network AttachedStorage form of a RAID controller (or software controller) on your andisintendedtostore computer,oranetworkdevice(suchasaNASbox). informationoverthe network. There are a few more solutions if you are going to set up a service that you host and are concerned with continuity and service availability. All these methods are assuming that you have multiple servers available and can configure them and the network they reside in. Firstly, you can configure the site for mirroring which is the act is creating an exact copy of one server to another server. Clustering (or failover clustering) is another method of ensuring availability as it is a group of devices that act as a single device. When one device fails in a cluster, another device starts providing the service (a process known as a failover). And finally, you can implement load balancing on your network which distributes the traffic load between several devices in yournetwork.

5.4

DoS and DDoS attacks

DoS (Denial of Service) attacks are the acts of making resources for legitimate users unavailable. DDoS (Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even thousands)ofmachinestodisruptaccesstoresources.Usuallythisisperformedbyfloodingtheservice with ICMP packets forcing the router (or server) to respond to the attackers request (by replying to the

P a g e |43 ICMPpacket).OtherattacksincludingsendingmalformedICMPpackets,floodingthesitewithresource requests,orSYNfloodattacks. Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways:the attacker can send too many packets or they can send malformed packets. For example, Windows has a packet size limit of 65500. So anything received that is higher, might crash the machine or enable the attacker to successfully perform a privilege escalation attack. Flooding the site with requests for resources (videos, pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with Torsites. These attacks are mostly an issue that has to be prevented with hardware controls versus implementations within the website itself. Assuming that you are hosting and managing the website andtheserverthewebsiteresideson,youcanimplementingressfilteringonyournetworktohelpblock some of the attack. The backscatter traceback method is a good strategy for that. Also, I would block ICMP packets on your external interface (WAN interface). You should also make sure that all "unallocated source address'" are blocked. This means that you should block all packets with private IP addressthatarecomingintoyournetwork.YoucannotstopDDoSattacks,onlymitigatetheeffect. Tools for DDoS attacks ToinitiateDDoSattacks,youwillneedtorighttoolsbasedonyourpreferencesandotherfactorssuchas yourplatformofattack.ThefollowingaresamplesofDDoSattacktools: LowOrbitIonCannonLOICattacksaserverbyfloodingtheserverwithTCPorUPDtraffic. Specifically,itmostlyfloodstheserverwithICMPtrafficwhichispingtraffic TrinooTrinooiseasytouseandhastheabilitytocommandandcontrolmanysystemsto launchanattack TribalFloodNetworkTFNcanlaunchICMP,ICMPSmurf,UDP,andSYNFloodattacksagainsta victim.ThistoolwasthefirstpublicallyavailableDDoStool StacheldrahtThistoolfeaturesthatareseeninbothTrinooandTFNandsendscommandsvia ICMPandTCPpacketstocoordinateanattack.AnotherfeatureofStacheldrahtisthatitcan encryptthecommunicationbetweentheclienttothehandlers TFN2KAnupgradetoTFN,thisprogramofferssomemoreadvancedfeaturesincluding spoofingofpacketsandportconfigurationoptions ShaftThisworksmuchthesamewayasTrinooexceptitincludestheabilityfortheclientto configurethesizeofthefloodingpacketsandthedurationoftheattack MStreamThisprogramutilizesspoofedTCPpacketstoattackadesignatedvictim TrinityThisperformsseveralDDoSfunctionsincluding:fraggle,fragment,SYN,RST,ACK,and others

P a g e |44 What do they mean? Letmetakeasecondtodefinesomeoftheattackturnsaspresentedabove: ICMPDOSAn attacker can use either the ICMP "Time exceeded" or "Destination
unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection ICMPpacketmagnificationAn attacker sends forged ICMP packets to bring down a host. As an example (as presented above), Windowshasapacketsizelimitof65500.So

anythingreceivedthatishigherwillbefragmented.Sincethemachinecannotreassemblethe packet,itmightcrashorreboot ICMPSmurfattackAn attacker sends forged ICMP echo packets to vulnerable
networks' broadcast addresses. Doing this will tell all the systems on the network (inside the broadcast domain) to send ICMP echo replies to the victim, consuming the targets available bandwidth

SYNfloodattacksASYNfloodattacktakesadvantageoftheTCPthreewayhandshake.ASYN floodattacksspoofstheIPaddresstherebyforcingtheservertokeepopentheconnectionwhile waitingfortheACKmessage(whichisneversent)fromtheclientandusesresourcesinthe process RSTattacksThisattackworksbyinjectingRSTpacketsintoTCPpacketstrickingtheserverto closetheconnection.RSTattacksareperformedagainstotheruserstryingtouseaparticular resource FraggleattacksFraggleattacksaresimilartoSmurfattacksexceptthatFraggleattacksuses UDPpacketsinsteadofTCPpackets

P a g e |45

Chapter 6_ System Hardening



ystem hardening is the process of securing a system by reducing its surface ofvulnerability (attack surfacewhichisthecomponentsofasystemthatanattackercanusetobreakintothesystem.).A systemhasalargervulnerabilitysurfacethemorethatitdoes;inprincipleasinglefunctionsystem is more secure than a multipurpose one. We will also go over several other risk mitigating methods when dealing with Windows. This will include the removal of unnecessary software, unnecessary usernamesorloginsandthedisablingorremovalofunnecessaryservices.

Topics

ThisChapterwillcoverthefollowingtopics: UninstallUnnecessarySoftware DisableUnnecessaryServices DisableUnnecessaryAccounts UpdateandPatchWindowsandOtherApplications PasswordProtection

P a g e |46

6.1.

Uninstall Unnecessary Software

Thefirststepinhardeningasystemistoremoveunnecessaryprograms.Startbyremovingunnecessary third party programs that are installed on the machine. You also want to look at programs that were installed when downloading or installing other products, whether intentional or not. For example, when you purchase a machine there is a bunch of software that comes preinstalled that you probably never use. I would recommend reviewing everything that is installed and remove all software that you donotneed. Try it out Uninstalling software 1. OpentheStartMenuandgotoControlPanel 2. SelectUninstallaprogramorAdd/RemoveProgram 3. RightclicktheunnecessaryprogramsfromthelistandclickUninstall

6.2.

Disable Unnecessary Services

Onceallofthesoftwarehasbeenuninstalledfromthemachine,youshouldthenstartbydisablingallof the unnecessary services that are running in the background. Each service will provide support for the application that they support; many of them providing functionality for Windows. You should get a listing of all the system services running on the system and evaluate whether each service is needed. Also know that I am more referring to thirdparty services versus Windows services. Make sure to do yourresearchoneachservicebeforedisablinganything. Try it out Removing services 1. OpentheStartMenuandgotoControlPanel 2. SelectAdministrativeToolsandopenServices 3. Reviewandidentifyeachunnecessaryservice 4. RightclicktheunnecessaryserviceandselectDisabledinthedropdownboxnexttoStartup type.StoptheserviceandpressOK

P a g e |47

6.3.
Anaspectthatisoverlookedoftenisdisablingaccountsthatarenotcurrentlybeingused.Youwillneed to determine if you need information from that account (if you remove account data) or to use services that can only be used from within that account. Windows XP has the administrative account enabled with a blank password be default whereas Windows Vista and 7 disable the account by default. Also, a quick word from the real world, make sure when creating a user account to not use anything that can possibly identity you as doing something illegal. A real world example, someone actually created a separateaccountnamechildporn,sohecanhideallhisillegalmaterialsinthataccount.Betteryet,he hid all materials in a folder on his desktop named childporn! (NOT smart) Not only can forensic investigatorsseealltheaccountsthatarecurrentlyonthemachine,buttheycanseepreviouslydeleted accountsaswell. Try it out Removing user accounts 1. OpentheStartMenuandgotoControlPanel 2. ExpandUserAccountsandselecttheaccountyouwishtodelete 3. ClickDeletetheaccount

Disable Unnecessary Accounts

Note:OnegoodrecommendationistocreateanduseastandardaccountwithnoAdministrative privileges.Thisway,ifavirusisexecuted,itonlyhastheprivilegesoftheaccountthatyouarein. Also,Iwouldmakesureyourusernamedoesnotcontainyourfullnameasmanyapplications suchasPidgincansharethisinformation.

P a g e |48

6.4.

Update and Patch Windows and Other Applications

AnotherstepinhardeningthesystemisupdatingtheOperationSystemandallsoftwareinstalledonthe machine. When you patch the system, you are applying security fixes to known vulnerabilities to the software that is running on the system. These vulnerabilities are what remote attackers use to gain accesstothesystem.Withoutpatchingthesystem,youareopeningupyourmachinetoattackbythese malicioushackers.

Note:AprogramthatIwouldrecommendlookingintoisMicrosoftBaselineSecurity Analyzer(MBSA)whichisafreesecurityandvulnerabilityassessment(VA)scantoolto improvesecuritymanagementprocessandassessordeterminesecuritystateinaccordance withMicrosoftsecurityrecommendationsandoffersspecificremediationguidance.

Windows updates should be enabled as they provide many fixes concerning Windows security. Individual software and applications should also be updated as soon as a known stable version of the updateisavailable.Usually,whenvendorsreleaseanupdate,theyarestableunlessstatedotherwise.I recommend the use of a tool that checks the programs installed on the machine and reports the ones that are outofdate. A good program for this purpose is Secunia PSI. This program will constantly check the programs installed on your machine and report which ones are outofdate, which ones are scheduledforanupdate,andwhichonescanbeupdatedmanually.

6.5.

Password Protection

A final practice you should incorporate in system hardening is password protecting your devices. On your computer, you should make sure that all of the user accounts that are enabled are password protected. This is especially true when folder shares are involved. Make sure that the passwords on your machine are all strong so an attacker cannot use that account to gain access to your machine. For example, when you mount a TrueCrypt container, it can be explored though another computer in the network using an account on the local machine if they have the correct permission. This means that even if you have the worlds strongest password for TC, an attacker can still gain access to its contents using your Windows password over the network. Also, by default Windows XP has the administrative account enabled without a password by default. Windows 7 and 8 has this administrative account disabledbydefault.

P a g e |49 Try it out Password protect computer accounts 1. OpentheStartMenuandgotoControlPanel 2. ExpandUserAccountsandselecttheaccountwhichyouwanttocreateapasswordfor 3. ClickChangePassword Try it out Explore your computer from another machine 1. FindyourIPaddressonyourcomputer.Startthecommandprompt:Start>Run>cmd>OK *WindowsVista/7,typecmdinSearchProgramsandFeatures.Ablackboxshouldpopup 2. Typeinipconfigandundertheadapteryouareusing,recordtheIPaddressnexttoIPv4 (example:192.168.1.5)*rarelywillpeopleuseIPv6 3. HopontotheothercomputerandopenupWindowsExplorer 4. Intheaddressare,typein\\followedbyyourcomputersIPaddressfinishedwitha\,your driveletteranda$(usuallyC).Forexample,Itypein\\192.168.1.5\C$ 5. Youwillbepromptedtoentertheusernameandpasswordforyourmachine

Note:WhenyoumountaTrueCryptcontainerinWindows,itcanbeexploredthough anothercomputerinthenetworkusinganaccountinWindowsiftheyhavethecorrect permission.Forthisreason,makesurethatyourWindowspasswordisnoteasilyguessed! YoucantestthisoutbytryingtheTryitoutExploreyourcomputerfromanothermachine andreplacingtheC$withwhatevertheTrueCryptcontaineris.Youcanalsoseeifyour containerismountedviaWindowsSharesandifis,youcanstoptheshare.Also,Iwould changethepermissionsfortheTrueCryptfile.

P a g e |50

Chapter 7_ Antivirus, Keyloggers, Firewalls, DLPs, and HIDs



Malware, short for malicious software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code,scripts,activecontent,andothersoftware.Thisisnotonlyannoying,butifmalwareisrunningon your machine, your security is at risk. Notice that all these solutions can be either hardware or software. Hardware solutions are usually on the perimeter as in the form of an all in one device (SonicWallorFortigateforexample).

Topics

ThisChapterwillcoverthefollowingtopics: Antivirus HardwareKeyloggers Firewalls DLPs HIDSs OtherConsiderations

P a g e |51

7.1.

Antivirus

'Malware'isageneraltermusedtorefertoavarietyofformsofhostile,intrusive,orannoyingsoftware. This software comes in several different flavors, but we will only be talking about Spyware and Trojan Horses.Trojanhorsesareoftendeliveredthroughanemailmessagewhereitmasqueradesasanimage or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities in web browser software such as Microsoft Internet Explorer. Spyware on the other hand covertly monitors your activity on your computer, gathering personal information, such as usernames, passwords,accountnumbers,files,andevendriverslicenseorsocialsecuritynumbers. Antivirus software can protect you from viruses, worms, Trojan horse and other types of malicious programs. More recent versions of antivirus programs can also protect from spyware and potentially unwanted programs such as adware. Having security software gives you control over software you may notwantandprotectsyoufromonline threatsisessentialtostayingsafeontheInternet. Yourantivirus and antispyware software should be configured to update itself, and it should do so every time you connecttotheInternet.

Case:TheComputerandInternetProtocolAddressVerifier(CIPAV)isanillegaldatagathering toolthattheFederalBureauofInvestigation(FBI)usestotrackandgatherlocationdataon suspectsunderelectronicsurveillance.Thesoftwareoperatesonthetargetcomputermuch likeotherformsofillegalspyware,whereasitisunknowntotheoperatorthatthesoftware hasbeeninstalledandismonitoringandreportingontheiractivities. Locationrelatedinformation,suchas:IPaddress,MACaddress,openports,running programs,operatingsystemandinstalledapplicationregistrationandversioninformation, defaultwebbrowser,andlastvisitedURLwascaptured.Oncethatinitialinventoryis conducted,theCIPAVslipsintothebackgroundandsilentlymonitorsalloutbound communication,loggingeveryIPaddresstowhichthecomputerconnects,andtimeanddate stampingeach.

7.2.

Hardware Keyloggers

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users' keystrokes, including sensitive passwords. They can be implemented via BIOSlevel firmware, or alternatively, via a device plugged inline between a computer keyboard and a computer. They log all

P a g e |52 keyboard activity to their internal memory. Hardware keyloggers have an advantage over software keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able tointerceptpasswordsfortheBIOSordiskencryptionsoftware). You might think that physical inspections are one way to defend against hardware keyloggers, but it is not. Nor is using a wireless keyboard, as that sort of keylogger, doesn't necessarily have to be hidden outsideofthekeyboard.Adedicatedattackermayjustaswellplaceanextrachipinsideofthekeyboard or replace it all together by a manipulated keyboard of the same model to record keystrokes without anyobviousvisualcues.So,thebestwaymaytotheusedifferentkeyboardlayoutsbeforeenteringthe password.Furthermore,youcanalsoenterrandomdatawithinthepasswordandgoingbacktoremove themlater.Andfinally,youcanusetokensaswellasapasswordwhenloggingintoyourcomputer.

7.3.

Firewalls

A firewall is usually your computer's first line of defenseit controls who and what can communicate with your computer online. You could think of a firewall as a sort of "policeman" that watches all the data attempting to flow in and out of your computer, allowing communications that it knows are safe and blocking "bad" traffic such as attacks from ever reaching your computer. Configuring your firewall can prevent Spyware or other confidential data from leaving your network entirely. It can also prevent remote attackers from hacking into your computer. Most AIO (allinone) security solutions such as Norton or McAfee or BitDefender have a firewall built in. For a free firewall, Comodo firewall is a good alternative: https://personalfirewall.comodo.com/. Note:InmostLinuxdistros includingRedhat/CentOS/ FedoraLinuxinstallsiptables bydefault.Ithasbecomea standardoptioninall distros.Ifitisnotinstalled, youcanusethecommand yuminstalliptablesorapt getinstalliptablesifyouare usingUbuntu.

7.4.

DLPs

Data leakage prevention solution is a system that is designed to detect potential data breach incidents in timely manner and preventthembymonitoringdatawhileinuse(endpointactions), inmotion (network traffic), and atrest (data storage). Importantly, personal DLP software can protect you from accidently disclosing confidential or sensitive data. Some AIO securitysoftwaredoesthisaswellasfreesoftware.

P a g e |53

7.5.

HIDSs and NIDs

The principle operation of a HIDS (Host Intrusion Detection System) depends on the fact that successful intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming,botnetactivity,spywareusageetc.)theyenvisage. Intheory,acomputeruserhastheabilitytodetectanysuchmodifications,andtheHIDSattemptstodo just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet Explorerleaks,DLLinjections,malwaredrivers,etc.HIDSsareinstalledonyourmachineandabaseline must be performed before HIDSs can detect any anomalies. Many antivirus programs have a basic HIDSbuiltintothesoftwareasanaddedfeature. Network IDSs on the other hand sit on your network to monitor all traffic coming into your network to alert you to any attacks. There are several methods of detecting an attack including anomaly based detection and signature based detection. Also, there is either a passive or active based detection depending on if you want the IDS to actually take action or not. You should know when setting up an IDS, that there will be false positives as it takes a while for the IDS to learn and for you to teach. Also, you will need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in businesses.

7.6.

Other Considerations

Whatyoudownloadcanaffectsecurity.Makesurethatwhatyoudownloadissafe;itshouldgowithout saying, but is good to hear nonetheless. PDF, word documents, executables, broken pictures, and binders are all security issues. Make sure that you protect yourself by downloading alternative PDF viewers (or block your PDF application from connecting to the internet), disable Macros if you use Microsoft Office programs, disable JavaScript in Adobe Acrobat/Reader if you use it, etc. Lastly, make sure that you are updating your web browser, and if you are using the Tor Bundle, you update that as well. These releases are extremely important for security and often include patcheswhat for found vulnerabilities.

P a g e |54

Chapter 8_ Networks

eeping your network secure is a must to ensure to keep intruders out and your information from getting into the wrong hands. Furthermore, it protects you from other people hopping on your network,doingsomethingillegal,andhavingtheevidencepointtoyou.Networksecuritycoversa varietyofcomputernetworks,bothpublicandprivate,andyoushouldconcernyourselfwithboth.This chapter will explain some of the common methods of security and a brief introduction on a few networking terms as well as security concerns when hopping on another persons network. This will includebothhardwareandsoftwaremethodstoensurethissecurity.

Topics

ThisChapterwillcoverthefollowingtopics: Privatevs.PublicIPAddress MACAddress PublicWireless SecurityProtocols ChatSitesHowAttackersAttack OtherConsiderations

P a g e |55

8.1.

Private vs. Public IP Address

AprivateIPaddress(assignedbytheownerswirelessdevice)isassignedperdeviceinthenetworkfrom a DHCP pool. DHCP pulls a list of available IP addresses and assigns it when a device is attached to the network. A certain IP address is not assigned to a specific device (there is no static mapping) therefor people cannot use IP addresses to located your specify device. Static IP addressing can be used, but typicallyisnotusedinahomeenvironment.Whenyouconnecttoawirelessdevice,itispossiblethatit changes each and every time you connect, depending on what else is connected to the network. Also, unlesstheIP addressiscurrentlyleased out,nobodywillbeabletolookinalog(typically)todetermine whatIPaddresswhatconnectedwhen. The other IP address is known as a Public IP address. This type of address is what your ISP (Internet Search Provider) uses to identify you. When you log into a website, this is the IP address that is logged. When you use proxy or VPN services, the Public IP address that is hidden and the VPN/proxy IP address is exposed. If somebody has your IP address, they can get the geographical location of where you live whereas your ISP has your name, telephone number, home address, and whatever else you have given them.Lastly,whenyouareconnectedtoapersondirectly(DCC,videochat,P2P,etc.);theycanalsolog yourPublicIPaddress.

8.2.

MAC Address

ThinkofaMACaddresslikeabankaccountnumber;weareeachgivenabankaccountnumbersowhen we make a purchase, at a grocery store for example, the grocery store knows how to send the payment to your bank and viceversa. Similarly, a MAC address, which is unique to your wireless card, allows the routerto knowwheretosend thedata.Andifyoureallycare, theMACaddressisheldinanARP table, butwewontgetintothat. When you connect to a network, the router logs the computers MAC address and temporary saves the computers IP address. People can also sniff the network to see what you are doing and record your MAC address that way. And yet another way people can get your MAC address is if they use software thatmonitorsthenetworkandrecordsallthedevicesautomatically.Allthesemethodshaveonethisin common(besidestheobvious),theycanonlyrecordtheaddressesthatarebroadcasted,meaningifyou changeyourMACaddress,thesemethodsareuseless.

P a g e |56 People use MAC address changers for many reasons; mostly for getting free WiFi by bypassing MAC address filtering or performing MAC flood attacks. If you connect to a public network, or your neighbors network, I would use a MAC address changer to make it hard to locate you. Earlier, we said that a MAC address is unique to your computer; so if they were to look at all of the devices in your house, they wont find the device with the MAC address that was logged because it has been changed. The easiest way to change the MAC address is to download a program to do it for you; otherwise you can change it in your network settings. Win7 MAC Address Changer Portable is a good program to do thisforyou. Asaquicknote,anotherrecentdiscoverythatcanidentifyindividualcomputersthatcannotbespoofed (as of yet) is with using the computers graphics card. The PUFFIN Project (physically unclonable functions found in standard PC components) has brought forward research suggesting that GPU manufacturing processes leave each product with a unique "fingerprint." The PUFFIN team has created software that can detect these physical differences between GPUs. This is another way that someone can determine whether your device was used in a crime if your GPU fingerprint was obtained. PUFFINsresearchwillrununtil2015.

Note:TochangetheMACaddressinLinux,youcanusethehwethercommand.ifconfig eth0down>ifconfigeth0hwether00:00:00:00:00:00>ifconfigeth0up>ifconfigeth0 |grepHWaddr.Notice,youwilluseacustomMACaddressinsteadof00:00:00:00:00:00 andruneachcommandseparately(asdefinedbythe>character).Also,youwillwantto replaceeth0withtheadapterthatyouareusing.

8.3.

Public Wireless

It is up to you whether or not to stop using the neighbors wireless. But know they can see Tor traffic if they: use a packet sniffer and perform a MiTM attack if their wireless network is not protected, if they were using a network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point). Even though they can see Tor traffic, they cannot see what you are doing inside of Tor and they still will have no clue that it was you. If they could, the purpose of Tor would be defeated. They are other risks with using public networks (or your neighbors network) therefore it is not recommended(unlessyouareabsolutelysurethatyouaresafe). These risks includes attackers remotely logging into your computer via a known backdoor or an exploit. The best known Operating System to attack a machine is Backtrack. BackTrack is a Linuxbased

P a g e |57 penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The methods of attack in BackTrack are against operating systems, applications, phones, networks, internet protocols, websites, and etc. The best part about BackTrack is that it is free! I would start with getting a good firewall and antivirus for your computer. Also, make sure you follow System Hardening (Section 6) section to help correctly configure yourmachine. As always, I would use Tor for all sensitive information in which you do not want anyone to learn your location or monitor your browsing habits. To protect all other sensitive data that does not require such autonymity,IwouldrecommendtheuseofaVPN.AVPNreroutesallcomputertrafficthroughasecure tunneltoatrustedthirdparty(oradesignated network)beforetheinformationreachesitsdestination. This provides security against anyone sniffing your computer traffic as all information is encrypted. Common reasons for a VPN is when: checking emails, checking your bank account, application data security, or transmitting insecure data over a secure data stream. The difference between Tor and a VPNisthatwhenusingTor,nobodyknowswhoyouarewhereasinaVPNsomebodyalwaysdoes.

Network Sniffing Tools Thereareseveralsniffingtoolsavailable.Listedbelowaresomeofthecommontools: WiresharkOneofthemostpopularpacketsniffingprogramsavailableandisasuccessorto Etheralofferingatremendousnumberoffeaturestoassistdissectingandanalyzingtraffic OmnipeekCreatedandmanufacturedbyWildpackets,Omnipeekisacommercialproductthat istheevolutionofEtherpeek DsniffAsuiteoftoolsdesignedtoperformsniffingaswellasothertoolstorevealpasswords. DsniffisdesignedforUNIXandLinuxplatformsanddoesnothaveacompleteequivalentfor Windows CainandAbleandAbleprovidesmuchofthesametoolsasDsniffbutalsoprovidesfeatures suchARPPoisoning(MiTMattackcanbeperformedinsideanetwork),enumerationofWindows systems,andpasswordcracking EtherapeAUNIX/Linuxtoolsthatwasdesignedtoshowtheconnectiongoinginandoutofthe systemgraphically NetwitnessInvestigatorAfreetoolthatallowsausertoperformnetworkanalysistoolsas wellaspacketreassembleanddissection

P a g e |58

8.4.

Security Protocols

Securing your network should be as important as securing your computer. Allowing people access to yournetworkopensyouuptoattackandaspreviouslystated,legalissues,becausethey cangotcaught doingsomethingtheywerentsupposedtoonyournetwork.Ifyouaredoingeverythingsecureonyour network computer but someone gets caught downloading child porn, the government is coming after you. There are several ways to protect your network depending on your equipment and if you use customfirmwareornot.Ifyougetarouter,plugitin,andstartusingit;youareNOTprotected! Thefirstthingthatanybodyneedstodoischangethedefaultpasswordforthedevicesonobodycanlog in and change the security settings. Followed by changing the device password, you should create a wireless password to limit the people who can get on the device in the first place. There are several types of protocols that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and WPA2 are protocols that rely on password authentication to accept users who are trying to connect to your wireless device. MAC Address Filtering on the other hand only allows specific wireless devices accesstothenetworkdependingontheMACaddresses. WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standardssuchasWPAandWPA2.WPAisalsodeprecated makingtherecommendedsecurityprotocol WPA2. WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all devices. MAC address filtering filters wireless devices allowing only those that are allowed into the network. The problem is however, it can be easily defeated if someone changes their MAC address to onethatisallowed. Wireless Hacking Tools IrecommendobtainingacopyofBacktrackastherearemanywirelesshackingtoolsalreadyinstalled. KismetUsingKismetonecanseealltheopenwirelessnetworks,aswellasthoseWireless NetworkswhichdontbroadcasttheirSSIDs.Itsamatterofminutestousethistooland identifynetworksaroundyou NetstumblerNetStumblerisafreewareWiFihackingtoolthatscompatiblewithWindows only.Itcanbeusedtosearchopenwirelessnetworksandestablishunauthorizedconnections withthem MedievalBluetoothScannerThisprogramcananalyzeandscanyourBluetoothnetwork findingBluetoothdevicesthatcanbeattacked(seebluejackingorbluesnarfingorbluebugging) CoreimpactThisitiswidelyconsideredtobethemostpowerfulexploitationtoolavailable. However,CoreImpactisnotcheapandwillsetanybodybackatleast$30,000

P a g e |59 WiresharkWiresharkWiFihackingtoolnotonlyallowshackerstofindoutallavailable wirelessnetworks,butalsokeepstheconnectionactiveandhelpsthehackertosniffthedata flowingthroughthenetwork AirSnortMostWiFihackingtoolsworkonlywhenthereisnoencryptedsecuritysettings. WhileNetStumblrandKismetfailtoworkifthereisawirelessencryptionsecuritybeingused, AirSnortworkstobreakthenetworkkeytogetyouinsidethenetwork CowPattyCowPattyisananotherWiFinetworkhackingtoolthathascrackgotaWPAPSK protectionfeatureandusingthishackerscanevenbreakintomoresecureWiFienvironments ReaverThisprogramtakesadvantageoftheweaknessinherentwithWPS(WiFiProtected Setup)

8.5.

Chat Sites How Attackers Attack

Some people where asking me about the risks involved in Omegle and downloading pictures to your computer.So,briefly,IamgoingtodescribeherewhatItoldthem.Firstlyandmostobviously,Tordoes not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP trafficinwhichvideostreamingoperates.So,ifyouwonderinghowpeopleactuallycapturesthistraffic andobtainsyourIPaddress,thisishow: Capture IP Address from Omegle 1. First,youwillneedtodownloadapacketsniffer.IwouldeitheruseWireshark,Ethereal,or NetWitnessInvestigator.Thefirsttwowillsimplycapturethepacketswhereasthelatterwill capturesthepacketsandhastheabilitytoputthembacktogether.Thisisusefulifyouwantto rebuildthevideothatwasstreaming. 2. StartOmegle(oranalternativechatsite)andgetconnectedtosomebodyontheotherend. CapturingtheIPaddresscanalsobedoneviatext,butforthismethod,youmustuseyour camera. 3. Startthepacketsnifferofchoice;forthisexampleIwillbeusingWireshark. 4. ToselecttheinterfaceyouwillneedtoselectCapturethanInterfaces. 5. Determinetheinterfacethatyouareusing(usuallytheonewiththemostpackets)andpress Starttostartcapturingthepackets. 6. Allyouneedisafewpackets,eventhoughyouwillgetafewhundredtoafewthousand.Once youhaveenoughpacketspressStoptherunninglivecapture.Thisisdenotedbytheforth iconatthetopwiththeXoryoucanselectStopunderCapture.FAILURETOSTOPTHE CAPTUREWILLCRASHYOURMACHINE!THEAMOUNTOFPACKETSYOUCANCAPTUREIS DEPENDENTONTHEAMOUNTOFMEMORYYOURMACHINEHAS! 7. YouareonlyconcernedwithUDPtraffic,sointheFilterfield,enterudp 8. Now,youwillnoticethatthereismoreUDPtrafficfromtwospecificIPaddressesthananything else;theseIPaddresseswillbeyourIPaddressandtheindividualontheotherendofthe webcam.YourIPaddresswilleitherstartwitha192.x.x.xora10.x.x.xorpossiblya172.x.x.x. Mostlikely,a192.x.x.x.Therearerestrictions,soifyouhaveanyquestions,askorrefertoa PrivateIPaddresslist.TheotherIPaddresswillbetheirs. 9. CopytheirIPaddress.Thiscanbedenotedviafouroctetsseparatedbydecimalsorwithdashes.

P a g e |60 Itcanalsocontainwordsorletters.93.53.23.231,pd935323231,or935223 231.abc.dgf.netwillallbethesamething.Ineithercase,youwanttocopyitdownas 93.53.23.231.Noticethatthewordsmightbedifferent;onlyconcernyourselfwiththe numbers. 10. Thatisit;youcanuseareverseIPaddresslookuptofindbasicinformation. That described simply how to capture the IP address via a packet sniffer. When connected, this connection can also be seen in your netstat list; you should not worry yourself about this. The reason being is UDP traffic connects directly to your machine. TCP traffic connects to a third party site such as Omelge. Another method is getting the person to go to a honeypot that captures the users IP address whentheyclickonalinkandnavigatetothatsite.Theyareafewoutthere,anditiseasyforpeopleto bebaitedintonavigatingtothesesites. If you are really interested there are two things that happen when you are connected via webcam. The first thing is the handshake or the initial connection and is facilitated by the chat website (Omegle, ChatRoulette, etc). This connection is the first step that is performed to connect you to the other person whom you are trying to connect with. After this initial process is complete, you are now directly connected to the person you are chatting with. At this point, the stream is no longer being passed throughthechatwebsite.ThewebcamtrafficisUDPtraffic,whichisnotsupportedbyTor. Another popular method of getting IP addresses and other computer information such as usernames, passwords,keystrokes,screenshotsandetc.,ifwiththeuseofspyware.Iamnotgoingtogointodetail about spyware (or a keylogger or malware), but I will go over a popular delivery method. When people send pictures or videos via TorChat or an alternative medium, they can use a binder program to attachapicturefiletoanexecutable.Whenthefileisopened,thepictureappearsasnormalalongwith thespywareinthebackground. To protect yourself when dealing with UDP information (audio or video chat), you can use a UDP proxy, a VPN, or configure a VPN over Tor. I usually just use a VPN that claims to not log any traffic; but who knowsifthatclaimholdsmerit.SimpletextchatusesTCPpacketswhichTorcanprotect.Obviously,do not use shortlinks as they can link to a honeypot or another rouge site. And if you do decided to open linksyouareunsureabout,makesureyoudoviaTorwithJSdisabled.

P a g e |61

8.6.

Other Considerations

Most people have home routers with stock firmware, so most of this does not apply. For those of you interested in having more granular control of your router, you can search the internet for custom firmware;forexample,DDWRTisagoodLinuxbasedfirmware.Also,youcanpurchasemanagedports andwirelessaccesspointsspecificallyforthispurpose.MostcommercialequipmentcanmanagewhatI amabouttotalkabout,buttheyusuallyrunintheseveralthousands,ifnothundredsofthousands. One of the basic hardening techniques for wireless security is the use of VLANs. If the attacker passes your security controls and into your network, VLANs will ensure that they cannot read your network traffic.LetssaysomeportsonswitchAareinVLAN10andotherportsonswitchBcanareinVLAN10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However,thesedevicescanallcommunicatebecausetheyareonthesameVLAN.Youshouldalsoknow thatVLANscanbesetuponthesameswitch. WPS,orWiFiProtectedSetup,isawayforindividualstoeasilyconnectdevicestothewirelessrouter.In this method, the standard requires a PIN to be used during the setup phase. As it is not a technique to add security to the network, you should know that WPS should be disabled at all times. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts. It takes approximately410hourstobreakWPSpins(passwords)withReaver. You should also know about rouge APs; specifically when an attacker impersonates an SSID. Rouge Access Points are a security concern because an attacker can set up a device such as a router or computer to haveasimilarorthesameSSIDas the wirelessAccessPointyou connect to. Unscrupulous parties can connect to this rouge device and all traffic can be logged and MiTM attacks can be performed.Thisthreatisoflowconcernbecauseitisnotverylikelytohappen. One final security configuration I am going to mention is a DMZ. The purpose of a Demilitarized Zone is to add an additional layer of security to your local area network (LAN Private network); an external attackeronlyhasaccesstoequipmentintheDMZ,ratherthantheentirenetwork.Thiswouldbeifyou were setting up anything that you want people from outside your network to have access to whilst protecting your internal network. Examples of such services would be Websites, IRC servers and relay servers.

P a g e |62

8.7.

Extra:

MAC Address Spoofing and ARP Attacks How they work

Two methods I want to talk about are: ARP poisoning and MAC address spoofing. As many of you already know MAC address spoofing is also a way to hide your computer or to get free Internet when places either filter computers by MAC addresses or have a pay tousesystem. A few of you have asked how this works and instead of reinventing the wheel each and every time I decided to create this fundamental, quick howitworks guide. These are a couple of reasons why you should lock down your privatenetworkandneverusepublicnetworks. Whenacomputerdecidesitwantstotalktoanothercomputeronthenetworkithasfourprimaryfields it uses to communicate. In a packet, these fields are: source IP address, destination IP address, source MAC address, and destination MAC address. Again, most of you even know about IP addresses so we wontgetintothatatall.Butwhatmostofyoudontknowisthecomputertransferstrafficbasedonthe computers MAC address (which is a unique identifier for each device) and not the computers IP address. The computer uses the IP address to learn the MAC address but does not actually send data withit.Letmeexplain. Lets say Bob wants to talk the Alisha on the same network (send data). There is a protocol called ARP, whichstandsforAddressResolutionProtocol,thatwillsendarequesttotheswitch(orallofthedevices in the network if youre using a hub) that you are trying to communicate with Alisha. When Alisha responds,shewillsendbacktheMACaddressofhercomputertotheswitch.Theswitch,willthenlearn Alishas MAC address if it doesnt already know and send it back to Bob. Now Bob, having Alishas MAC address, will fill in the destination MAC address (which is Alishas computer) and send data using that information. Heresanexample:BobwantstosendAlishaafileoverthenetwork.BobfirstsendsanARPrequestto the switch (most, if not all, home routers have a switch build in) saying hey, I want to talk to Alisha, here is her IP address. What is her MAC address so I can send the data? The switch looks in the MAC addresstableanddeterminesthatAlishasMACaddressisF026:EA98:EB03:C68E(ifthe MACaddressis not known, it sends the ARP request to ALL of the computers on the network, except for Bobs, until Alisha responds back, Its me!) Once the MAC address is determined, it is sent back to Bob so he can transferthedata. This is where MAC address spoofing comes in, because as you just learned, computers do not transfer datausingtheIPaddress,butinsteadtheMACaddress.SoMACaddressspoofing,trickstheswitchinto thinking your computer (lets say you are Steve), is actually Alishas computer. So now when Bob wants to send data to Alisha, half the packets will go to Alisha and half the packets will go to Steve. For the samereasonthisworks,thepaytousesystemcanbedefeatedaswell.Thispaytousesystemusesthe MACaddressestosenddatatoalreadyauthorizedcomputerswhichinturnistrickedanddataissentto youwithoutcharge.

P a g e |63 ARP poisoning on the other hand when an attacker is able to compromise the ARP table on the other machines and changes the MAC address so that the IP address points to another machine. If the attacker makes the compromised devices IP address point to his own MAC address then he would be able to steal the information, or simply eavesdrop and forward on communications meant for the victim. THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT AGAINSTANYONEELSE.SOPLEASEDON'T! ARP Poisoning Demonstration: 1. OpenCain(youwillneedCainandAbleinstalledonyourmachine) 2. ClicktheSniffertabandturnonthenetworksniffer(thenetworkinterfacebuttonnexttothe foldericononthesecondrow) 3. Thisshouldalreadybeselected,butensurethattheHoststabisselectedatthebottom 4. Atthetop,clickthebluePlusbuttontoscanforMACaddresses.Alternatively,youcanright clickanywhereinthedatagrid(whitebox)andselectScanMACAddresses. 5. OncepopulatedwithdevicesotherthanyourDefaultGateway(usuallyanyIPaddressending withtheoctetof1)oryourcomputer,selecttheAPRtabatthebottom 6. MakesureAPRisselectedoverontheleftandclickanywhereinthetopdatagrid(thetopfield thatisblank).ThePlusbuttonatthetopshouldnolongerbegreyedout. 7. OncetheNewAPRPoisoningRoutingdialogboxappears,youwillselectthecomputersthat youwishtoattack 8. Overontheleft,youwillselectyourDefaultGatewayandoverontherightyouwillselectthe computeryouwishtoattack(thedatagridontherightwillpopulateoncetheGWisselectedon theleft)*DoingthishasthepotentialofcausingaDoSattackwhereasthevictimcannotaccess theinternetoranydatainthenetwork 9. Finally,selectthesessionthatyoujustcreated(underStatus,itwillsayIdle)andclicktheARP Poisoningbuttononthetopthatisnexttothesnifferbuttonyouclickedonearlier.If successful,thestatuswillchangefromIdletoPoisoning 10. Fromhere,youcancapturedatapackets,usernames,passwords,emailaddresses,andetc. 11. TheonlywaytodefeatthisistouseencryptionsuchandclienttohostsVPNs,PKI,orTor 12. Tostoptheattack,youcanclicktheARPPoisoningbuttonandtheSnifferbuttononcemore Again, I should provide the warning that there are other ways they can see your traffic if they: use a packetsnifferandperformaMiTMattackiftheirwirelessnetworkisnotprotected,iftheywereusinga network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point) as mentionedabove.

P a g e |64

Chapter 9_ Web Browser Security



n this section, I will talk about several vulnerabilities, what they accomplish, and the mitigation techniques. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer to websites obtaining your IP address and running malicious scripts when you navigate to their webpage. I will briefly go over some other security considerations, dealing primarily with web browsers.Thissectiondoesnotencompasseverything,sofurtherresearchisnecessarily!

Topics

ThisChapterwillcoverthefollowingtopics: DownloadingandUsingtheTorBrowserBundle WhatisSandboxingandWhatisJITHardening,andWhyDoICare? JavaScript CookieProtectionandSessionHijackingattacks Caching Referers CSRF/CSRFAttacks(XSSAttack) ProtectBrowserSettings DNSLeaks UserAwareness,AccidentsandSystemUpdates ConfiguringWebBrowsersandApplicationstoUseTor

P a g e |65 Lets start by talking about the browser itself. Personally, I use the Tor Bundle with Firefox, as do most. Moreso, using Tails is recommended because of way it was designed; all traffic will run through Tor regardlessofthesourceandifisnotrunningthroughTor,itisdropped.Astudywasdonethoughandit wasconcludedthat GoogleChromeisthemostsecurebrowserlargelybecauseofChromessandboxing and plugin security. Comparatively, Internet Explorer implemented (lacking industry standard) sandboxing and JIT Hardening whereas Firefox falls behind on sandboxing and does not implement JIT hardening.

9.1.

Downloading and Using the Tor Browser Bundle

The Tor Project describes Tor as Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers,instantmessagingclients,remotelogin,andotherapplicationsbasedontheTCPprotocol. I recommend downloading and using the Tor Browser Bundle even though I provided a stepbystep exercise on how to configure your existing browsers to run through Tor (Section 9.11). Many people in the past have used the Tor Button for Firefox which is no longer supported due to its fairly new rapid releasecycle ofFirefox.Also,theuseofawebproxy isnotneededifyouarejustbrowsing theinternet usingthe Tor Browser Bundle. I would recommend using the hardening techniques as described below. YoushouldknowthateventhoughyouareusingTor,youdataiscompromisedattheTorExitNodeif youarebrowsingtheinternet(nononionwebsites).

P a g e |66 Download and Start the Tor Browser Bundle 1. NavigatetotheTorwebsite. 2. UnderTorBrowserBundleforWindows/Mac/Linux,selecttheappropriateversion(32bitvs. 64bit).ForWindows,justselecttheappropriatelanguage. 3. ClickSaveFile 4. Oncethefileisdownloaded,openit.AnexamplefileIjustdownloadedwas,torbrowser 2.2.391_enUS.exe.Yourversionwillprobablybedifferentthanmine. 5. Itisaselfextractingarchive.SelectyourpreferredlocationandpressExtract. 6. NavigatetoandopenthefolderandrunStartTorBrowser. 7. OnceTorestablishesaconnection,aFirefoxbrowserwillopen. 8. YoucannowbrowsetheinternetasyouwouldnormallywithoutyourISPoranotherpartyfrom seeingwhatyouaredoingwithinToritself.Thereareothervulnerabilitiesthatshouldbe addressed,soIrecommendreadingon. Tor Links When you download and use Tor you can go to many .onion sites that are hidden from the clear internet. Using these sites are completely anonymous as nobody knows you specifically are navigating there;notevenyourexitnode.HereisalistofafewTorsites: MainPagehttp:/kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page.Thislinkistothemain HiddenWikithathostslinkstootherhiddenTorwebsites.Viewthissiteforthefulllisting. SilkRoadhttp://silkroadvb5piz3r.onion/.SilkRoadPrivatemarketplacewithescrow(Bitcoin). Youcanpurchaseanythingfromillegalpicturesandvideo,todrugsanddrugparaphernalia,to armsandammunition. HackBBhttp://clsvtzwzdgzkjda7.onion/.Forumsforhacking,carding,cracking,programming, antiforensics,andothertechtopics.Alsoamarketplacewithescrow. TorMailhttp://jhiwjjlqpyawmpjx.onion/.Cansend/receivemailfrominsideandoutsideTor withayou@tormail.netaddress. FreedomHostinghttp://xqz3u5drneuzhaeo.onion/.HostingServicewithPHP/MySQL.Asof 20110604,ithostsabout50%oftheliveOnionWebbyonion. HardCandyhttp://kpvz7ki2v5agwt35.onion/wiki/index.php/Hard_Candy.HiddenWikilinkto sitescontainingmaterialthatisintendedforpeoplewhoareattractedtochildren. LolitaCityhttp://m3hjrfh4hlqc67gb.onion/.DescribedasthebiggestCPsiteintheOnionland. Light,moderatelyfastcollection,witha(ofteninvaluable)tag,searchandcommentsystem.As ofNovember2012ithostsover1000000images. OPVA2(OnionPedoVideoArchive)http://opva2pilsncvtwmh.onion/.Videoarchivewith comments,tagsandsearchsystem.MostlycontainsCP. PedoSupportCommunityhttp://f3wjuyqroxyz2z3w.onion/.Supportandresourcecommunity forpeoplewholovechildren.Thissitedoesnotcontainanypictures/videosofCPandonly allowsforindividualstojoiniftheylovechildrenanddonotseektohurtthem.

P a g e |67

9.2.

Configuring WebBrowsers and Applications to Use Tor

Here, I am going to be talking about using Tor to encrypt HTTP traffic as well as FTP and SSL. To accomplishthiswewillbeusingToraswellasPolipo,awebcachingwebproxy.Basically,wearegoing to send all the traffic to the port that Polipo is listening on and forwarding that traffic through Tor. DoingthiswillencryptallHTTP,FTPandSSLtraffic.ThisisasubstitutetousingtheTorBrowserBundle. As stated above, you should know that even though you are using Tor, you data is compromised at theTorExitNodeifyouarebrowsingtheinternet(nononionwebsites).

The first thing we need to do is download the Vidalia Bundle. This bundle includes Tor, Vidalia, and Polipo. We are going to be configuring Firefox for this article. You should know however that all other browsersandapplicationsthatallowforproxysettingswillusethesameconfigurations.Howeverthere arelimitationswhichwewilldiscussfurtherdown. Starting the services 1. StartPolipo. 2. StartVidalia. 3. OnceyouareconnectedtoTor(ConnectedtotheTornetworkintheVidaliaControlPanel) wewillbeginsettingtheproxysettingsforFirefox. Firefox 1. StartFirefox. 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.). 3. ClickOptionsfollowedbyAdvanced.SelecttheNetworktab. 4. UndertheConnectiongroupselectSettings 5. ChecktheManualproxyconfigurationcheckbox. 6. ForHTTP,SSL,SOCKSandFTPyouwilluse(127.0.0.1withPort8118).

P a g e |68

9.3.

What is Sandboxing and What is JIT Hardening, and Why Do I Care?

Wikipedia defines a sandbox as a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified thirdparties, suppliers, untrusted users and untrusted websites. Basically, think of it as, well a sandbox. If you put a whole bunch of kidsinasandboxandwantthemtostaythere,theycantleave.Sandboxesrestrictsysteminformation, whichisextremelyimportantforourpurposes.Furthermore,asanadditionallayerofsecurity,IuseThe TorBundleinavirtualenvironment(avirtualapplicationbutavirtualmachineisalsorecommended). JIThardeningkeepsthebrowserfromcompilingJavaScriptthatcannotberunontheuserscomputer. Basically, it is code that is compiled (compiling is like writing a book; you write several pages before you bind the book together) onthefly to improve the runtime performance of the JS. Attackers have long relied on JIT techniques to convert JavaScript into malicious machine code that bypasses exploit mitigationssuchasASLR.

9.4.

JavaScript

Javascript is just as it implies; a script that is executed in the browser or where it is run from. JavaScript is a programming language that allows access to system resources of the system running the script. It runs when the webpage is loaded or an event is triggered and is denoted by <script> and </script> alike. These scripts can interface with all aspects of an OS just like programming languages, such as the C language. This means that JScript, when executed, can potentiality damage the system or be used to send information to unauthorized persons. Obviously, this is not allinclusive and further vulnerabilities/exploitscanbemanagedbyusingJavaScript. What should be pulled out of this is Javascript only runs scripts that are on the webpage;it cannot magically get your IP address without it being explicitly written in the script. Thus, enabling JS on sites that are known to be trusted, such as this site, you can be relatively safe in knowing that system information(oryourPublicIPaddress)isnotbeingleaked.But,however,asyoumayhaveguessed,this is assuming that the scripts are not compromised which is a possibility at any time (though unlikely). In anyotherscenario,youshoulddisableJSforthesitecompletely. NoScript is recommended when dealing with JavaScript as it blocked all scripts unless explicitly defined (as per script or site). Make sure when using NoScript, that Disable Scripts Globally is checked, because if it enabled globally, you would defeat the purpose of the addon. By default, it is already turned on. When using The Tor Bundle or the outdated Tor Button, it is also good to know that dangerous JavaScript is already hooked. Javascript is injected into pages to hook the Date object to

P a g e |69 mask your timezone, and to hook the navigator object to mask OS and user agent properties not handled by the standard Firefox user agent override settings. You can also disable JavaScript directly fromthebrowser.

9.5.

Cookie Protection and Session Hijacking Attacks

Wikipedia defines a cookie as a small piece of data sent from a website and stored in a user's web browserwhileauseris browsingawebsite.When theuserbrowsesthesame websiteinthefuture,the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.Whenyoulogintoawebpage,thatsessionisalsostoredonyourcomputerasacookie.More onionwebsitesareusingcookiesforseveralreasons,includingDoSattacksandsessionhijackingattacks. Asessionhijackingattack basicallyallowsathirdpartyattackertoconnectto awebsiteandaccesstheir session.Forexample,whenyoulogintoawebsite,youhavejustcreatedasession.Therearetwomain waysthey performasessionhijacking attack:sessionIDguessingandstolen sessioncookies.Sessionis usually not as big of an issue because of the length of the session ID (mostly). And the other way someone could steal a session cookie, is at the Tor Endpoint when they are performing a MiTM attack. Sadly,MiTMattackscannotbemitigatedandcookiehijackingisarealthreat. Cookies,ingeneralarenotdangerous,howeverallthirdparty cookiesshould beblockedinthe browser settings to stop tracking from a third party. A third party cookie places a cookie from one site for another site. For example, if you visit www.widgets.com and the cookie placed on your computer says www.statsforfree.com,thenthisisathirdpartycookie. Firefox (version 10.0.5) 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. Check,TellwebsitesIdonotwanttobetrackedandeitherTorBrowserwill:neverremember myhistoryORuncheckAcceptthirdpartycookies.Note,thisdoesnotstopalltrackers websitesdoNOThavetoabidebytheTellwebsitesIdonotwanttobetrackedfeatureand thisisnottheonlymethod.

9.6.

Caching

Internetcacheisisacomponentthattransparentlystoresdatasothatfuturerequestsforthatdatacan be served faster. Whenever you go to a website, internet cached is created and saved on your computer for faster viewing. This means that when you go to a picture site, all the pictures that are

P a g e |70 loaded on the screen are saved on your computer for future viewing. Obviously, this is a huge security risk and if someone were to gain access to your system and view the cache, they would know what you havebeenlookingat. As a real quick side note, in the USA at least, it is not illegal to view the images, just download them. Now,ifyouhaveadequateknowledge,theycanclaimthatyouknewthecachedimageswerethereand you kept them there as an attempt to download the images. You can configure the browser settings or have a program erase the cache securely. CCleaner is a good, recommended (and free!) program that doesthat. Firefox (version 10.0.5) 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. SelectTorBrowserwill:UsecustomsettingsforhistoryNote,thisisnottheonlymethod

9.7.

Referers

Wikipedia defines referers as occurs as an HTTP header field identifies, from the point of view of an Internet webpage or resource, the address of the webpage (commonly the Uniform Resource Locator (URL). Basically, when you click on a picture for example (or when a picture loads in a webpage), the website that hosts the information is sent a request that contains the last page you were in. Most recently, on one of the sites that I frequent, there was an attack done whereas somebody performed sessionhijackingattacksusingreferrerinformation This was possible because the session ID was in the URL (again, the address of the webpage) and with the use of referers, when a user loaded a page with live previews (or when a link was pressed), the sessionwasgiventotheattackerwhichallowedthemtodowhatevertheywantedtotheusersaccount. Disablingreferersonthebrowserisrecommended.Thistypeofattackisanotherreasonsomesitesare notrequiringcookies. Disabling referers in the browsers setting or downloading an addon is recommended. RefControl, https://addons.mozilla.org/enUS/firefox/addon/refcontrol/ is a good addon that accomplishes this. Youcanalsodisablereferersinthebrowsersettingsassuch:

P a g e |71 Firefox Intheaddressbar,typeabout:configpressEnter Accepttheprompt Typenetwork.http.sendRefererHeaderintotheFilterfield Doubleclicknetwork.http.sendRefererHeaderunderPreferenceName Inthewhitebox,enter1.Thedefaultvalueistwo Next,typenetwork.http.sendSecureXSiteReferrerintotheFilterfield Doubleclicknetwork.http.sendSecureXSiteReferrerunderPreferenceName.Thevalue shouldchangetoFalse 8. Click"OK"andclosetheabout:configwindow 1. 2. 3. 4. 5. 6. 7.

9.8.

CSRF/CSRF Attacks (XSS Attack)

Wikipedia defines this attack as a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I wont go into much detail about XSS attacks because there are so many. Basically, this is another way that an attacker might be able to gain control of your session. I recommend the addon RequestPolicy: https://addons.mozilla.org/en US/firefox/addon/requestpolicy/

9.9.

Protect Browser Settings

No amount of configurations will help if maleware on your machine is able to change your browser settings. One popular attack is changing the proxy settings of the browser which will transmit anything to a third party location versus through Tor. Another example is if software or maleware changes your search settings. You might unknowing type something in that you did not want searched with a particular search engine. For this, I would recommend BrowserProtect: https://addons.mozilla.org/en US/firefox/addon/browserprotect/ which protects your browsers settings and preference from being changed.

9.10. DNS Leaks


Basically, a DNS leak is when your Public IP is leaked versus it going through Tor. If any traffic leaks, a third party monitoring your connection will be able to log your webtraffic. There is a great howto for Linux found here: https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks. For Windows users, I would block TCP port 53 on your firewall. Note that blocking port 53 will block ALL attemptsfromanywebbrowserwhetherinToror otherwise.Also,IwouldchangeyourDNSsettingsto localhost(takenfromMicrosoftandMintywhite,whateverthatis):

P a g e |72 Vista/7 1. OpenNetworkConnectionsbyclickingtheStartbutton ,clickingControlPanel,clicking NetworkandInternet,clickingNetworkandSharingCenter,andthenclickingManagenetwork connections. 2. Rightclicktheconnectionthatyouwanttochange,andthenclickProperties. Ifyouare promptedforanadministratorpasswordorconfirmation,typethepasswordorprovide confirmation.LocalAreaConnectionisusuallythewiredconnectionandWirelessiswireless. Forotheradapters(dongles,etc.),youwillhavetorightclickthoseorusethesoftwareprovided withthedevice. 3. ClicktheNetworkingtab.UnderThisconnectionusesthefollowingitems,clickeitherInternet ProtocolVersion4(TCP/IPv4). 4. TospecifyDNSserveraddresssettings,dooneofthefollowing: 5. TospecifyaDNSserveraddress,clickUsethefollowingDNSserveraddresses,andthen,inthe PreferredDNSserverandAlternateDNSserverboxes,typetheaddressesoftheprimaryand secondaryDNSservers(127.0.0.1). XP 1. 2. 3. 4. 5. LocateandopenNetworkConnections. DoubleClickyourdefaultNetworkConnectionfromtheavailablelist. ClickProperties. HighlightInternetProtocol(TCP/IP)andclickonPropertiesagain. TospecifyaDNSserveraddress,clickUsethefollowingDNSserveraddresses,andthen,inthe PreferredDNSserverandAlternateDNSserverboxes,typetheaddressesoftheprimaryand secondaryDNSservers(127.0.0.1).

Furthermore,IwouldconfigureyourbrowsertodisableDNSprefetching: Firefox 1. Intheaddressbar,typeabout:configpressEnter. 2. Accepttheprompt. 3. Typenetwork.dns.disablePrefetchintotheFilterfield. 4. Doubleclicknetwork.dns.disablePrefetchunderPreferenceName. 5. Inthewhitebox,enterTrue. 6. Click"OK"andclosetheabout:configwindow.

9.11. User Awareness, Accidents and System Updates


Weareallhumanandthereformakemistakes;itisasimplefactoflife.Onethemostcommonmistake is accidently searching for something in a web browser when it contains sensitive information. Unfortunately, common user errors are not preventable and cannot be completely solved. You can change the search provider to ensure it does not log your IP address in the first place, which should be doneregardless.ForthisIrecommendDuckDuckGo:https://duckduckgo.com/privacy.html.

P a g e |73

9.12. Limitations WhenusingTorpeoplebelievethatalltrafficisencrypted;thisisnotthecase.Itisagoodidea that people know when traffic will be sent in cleartext. As I said before, Tor works with many applications including your instant messaging applications, remote logins and many other applications based on the TCP protocol, but not the UDP protocol. Voice and video traffic are examples of data that will likely be using UDP traffic; this means they are generally not safe to use. This includes programs such as Skype, Google Voice, ChatRoulette, or Omegle. Those
programs/websites(whenusingwebcam)willnotbeencryptedtherefortheyhavenoanonymity.

Eventhough Iwouldnotrecommendit,youcansendalltraffic throughaVPN andrun the VPNthrough Tor. Make sure to configure the VPN to use TCP traffic instead of the default UDP traffic though first. Also know that there will be extreme performance degradation when doing this, so you might not even considerthisfeasible.

9.13. Extra
There are also more advanced features of Polipo that you could look into that offer additional security. Polipo offers the option to censor given HTTP headers in both client requests and server replies. The main application of this feature is to very slightly improve the user's privacy by eliminating cookies and some contentnegotiation headers.This can also be done using the FireFox windows (about:config) by configuring the Header and Referrer information. As a number of HTTP servers and CGI scripts serve incorrect HTTP headers, Polipo uses a lax parser, meaningthatincorrectHTTPheaderswillbeignored(awarningwillbeloggedbydefault).Ifthevariable laxHttpParser is not set (it is set by default), Polipo will use a strict parser, and refuse to serve an instance unless it could parse all the headers. Recently, as per a new vulnerability, you should set network.websocket.enabled to False.

P a g e |74 If you are using Linux you can create rules in the firewall (iptables) to only allow traffic through Tor and block everything else. Doing so ensures that nothing is accidently leaked (traffic wise). When using the Tor Browser Bundle, or a computer that is multipurpose, I would recommend blocking UDP port 53. Port 53 is used for DNS, or Domain Name Service, and will ensure that your computer will not resolve websiteswithoutgoingthroughTor.

P a g e |75

Chapter 10 _ Standard Acronyms



AES: Advanced Encryption Standard ARP: Address Resolution Protocol AV: Antivirus CGI: Common Gateway Interface DBAN: Dariks Boot and Nuke DDoS: Distributed Denial of Service DLL: Dynamic Link Library DMZ: Demilitarized Zone DoS: Denial of Service EXIF: Exchangeable Image File Format FTP: File Transfer Protocol HIDS: Host Intrusion Detection System HTTP: Hypertext Transfer Protocal IP: Internet Protocol ISP: Internet Search Provider JS: JavaScript LAN: Local Area Connection MBR: Master Boot Record MFT: Master File Table NAS: Networkattached Storage P2P: Peer to Peer RAID: Redundant Array of Independent Disks SHA: Secure Hash Algorithm SSD: Solid State Drives TBB: Tor Browser Bundle TCP: Transmission Control Protocol URL: Uniform resource locator VLAN: Virtual Local Area Network WAN: Wide Area Network WPS: WiFi Protected Setup AP: Access Point ASLR: Address Space Layout Randomization BIOS: Basic Input Output System CIA: Confidentiality, Integrity, and Availability DCC: Direct Client to Client DHCP: Dynamic Host Configuration Protocol DLP: Data Leakage Prevention DNS: Domain Name Service DRAM: Dynamic randomaccess memory FDE: Full Disk Encryption GPG: GNU Privacy Guard HPA: Host Protected Area ICMP: Internet Control Message Protocol IRC: Internet Relay Chat JIT Hardening: Just in Time Hardening KB: Kilobyte MAC Address: Media Access Control Address MD: Message Digest MiTM: Man in The Middle NIDS: Network Intrusion Detection System PGP: Pretty Good Privacy RAM: Random Access Memory SRAM: Static randomaccess memory SSL: Secure Socket Layer TC: TorChat/TrueCrypt UDP: User Datagram Protocol USB: Universal Serial Bus VPN: Virtual Private Network WiFi: Wireless Fidelity XSS: Cross Site Scripting

P a g e |76

Chapter 11 _ Download Links


Download Links ListedbelowaretheprogramsthatImentionedthroughoutthisguideandtheassociatedlinks: Truecrypt(Encryption)http://www.truecrypt.org/downloads WinRAR(Encryption)http://www.rarlab.com/download.htm GPG(Encryption)http://gnupg.org/download/index.en.html GPGforWindows(GUI)(Encryption)http://gpg4win.de/index.html TorBrowserBundle(InternetSafety)https://www.torproject.org/download/download easy.html.en TorChat(AnonymousChat)https://github.com/prof7bit/TorChat Pidgin(ChatProgram)http://pidgin.im/ Tormail(AnonymousMail)http://jhiwjjlqpyawmpjx.onion/ Tails(SecureOperatingSystem)https://tails.boum.org/download/index.en.html HashMyFiles(FileHash)http://www.nirsoft.net/utils/hash_my_files.html CCleaner(PrivacyEraser)http://www.piriform.com/ccleaner/download/standard PrivaZer(PrivacyEraser)http://privazer.com/download.php Bleachbit(PrivacyEraser)http://bleachbit.sourceforge.net/download DBAN(SecurePartitionDelete)http://www.dban.org/download Blancco(SecurePartitionDelete)http://www.blancco.com/us/download/ UPX(ExecutablePacker)http://upx.sourceforge.net/ SPLView(SPLFileViewer)http://www.lvbprint.de/html/splviewer1.html SPLViewer(SPLFileViewer) http://www.undocprint.org/_media/formats/winspool/splview.zip BatchPurifier(MetaDataRemover)http://www.digitalconfidence.com/BatchPurifier.html Exiv2(MetaDataViewer)http://www.exiv2.org/download.html OpandaIEXIF(MetaDataViewer)http://www.opanda.com/en/iexif/download.htm Photoshop(PhotoEditor)http://www.photoshop.com/ Paint.Net(PhotoEditor)http://paint.net/ GIMP(PhotoEditor)http://www.gimp.org/downloads/#mirrors USBOblivion(EvidenceRemover)https://code.google.com/p/usboblivion/ ForensicSoftwareTools4.13(DOWNLOADPATHSNOTLISTED) LOIC(DoSAttackTool)http://sourceforge.net/projects/loic/

P a g e |77 TFN(DDoSAttackTool)http://packetstormsecurity.org/distributed/tfn2k.tgz Stacheldraht(DDoSAttackTool)http://packetstormsecurity.org/distributed/stachel.tgz SecuniaPSI(UpdateTool)http://secunia.com/vulnerability_scanning/personal/ SuperAntiSpyware(SpywareRemover)http://superantispyware.com/download.html Comodo(Firewall)https://personalfirewall.comodo.com/ Snort(IDS)http://www.snort.org/start/download BackTrack(PenetrationTestingTool)http://www.backtracklinux.org/downloads/ Wireshark(PacketSniffer)http://www.wireshark.org/download.html Ethereal(PacketSniffer)http://ethereal.com/download.html Omnipeek(PacketSniffer)http://www.wildpackets.com/ Dsniff(NetworkAuditing)http://www.monkey.org/~dugsong/dsniff/ CainandAble(VariousTools)http://www.oxid.it/cain.html Etherape(PacketSniffer)http://etherape.sourceforge.net/ NetwitnessInvestigator(PacketSniffer)http://www.netwitness.com/ Kismet(PacketSniffer)http://kismetwireless.net/download.shtml NetStumbler(PacketSniffer)http://stumbler.net/ MedievalBluetoothScanner(BluetoothScanner)Unknownmanufacturespage CoreImpact(PenetrationTesting)http://www.coresecurity.com/ AirSnort(WirelessHacking)http://sourceforge.net/projects/airsnort/files/ CowPatty(WirelessHacking)http://www.willhackforsushi.com/Cowpatty.html Reaver(WirelessHacking)http://code.google.com/p/reaverwps/

P a g e |78 ThankstoCuriousVendettaandallforreviewingtheguide

You might also like