Showing blog posts from February 2011
I'm happy to announce that this blog is on Criminal Justice Degree Schools' Top 25 Forensics Blogs list. Other blogs listed under the Computer Forensics category are Harlan Carvey's Windows Incident Response blog, Forensics from the Sausage Factory and The Digital Standard; all three are very good blogs that I recommend following if you are in the computer forensics field.
I did a short Q&A with Charles Sipe, Executive Editor of Criminal Justice Degree Schools, in order to get some more information about who they are and what they do.
Q: Who is your target audience?
A: Our target audience are individuals interested in entering or advancing in criminal justice career fields, which includes law enforcement and forensics related careers.
Q: How many and what persons are running the website?
A: We are a small privately held corporation that is growing with a team of 4 people plus contractors. I am the Editor of the site.
Q: Is CriminalJusticeDegreeSchools.com a non-profit organization or company?
A: We are a for-profit company and our site is supported by advertising. It is free to use and there is no registration required.
Q: What is the goal/purpose with the website?
A: Our goal is to help those searching for career information to make informed decisions on fit and options for criminal justice careers and education. We gather information from a variety of sources to make it convenient for our readers to find information in one place. We feature thought leader interviews with law enforcement, paralegals, criminal justice professors, criminal justice association spokespeople and others to provide useful insights to prospective criminal justice students.
For more information, please check out their Forensics Degree and Career Center.
Posted by Erik Hjelmvik on Friday, 25 February 2011 16:56:00 (UTC/GMT)
NetworkMiner for Network Forensics
Creator: Adrian Crenshaw (Irongeek)
Publication Date: December 2008
Featuring: NetworkMiner 0.87
Adrian Crenshaw, a.k.a. Irongeek, is a very active guy in the network security field. He was, not surprisingly, also an early adopter of NetworkMiner. Adrian has put together a great tutorial on NetworkMiner, which is best viewed by visiting the Irongeek webpage.
Hak5 produces some high-quality videos, even though the show hosts (Darren and Shannon) might not always get all the technical details right.
In this episode of Hak5, Mubix joins the show to demo a couple of network forensics tools. Apart from showing how to access reassembled files, credentials and parameters, Mubix also extracts the SA credentials for an SQL database from captured network traffic.
This tutorial unfortunately has no sound, but I still enjoy it. It shows web traffic being sniffed with Wireshark and saved to a pcap file. The pcap is then loaded into NetworkMiner, and various reassembled web pages are displayed. The tutorial also shows how credentials (username and password) can be extracted with NetworkMiner from unencrypted logins to the content management system webSPELL.
Steven shows how he was able to use NetworkMiner to extract his Twitter username and password while changing his account settings. Steven also has another video showing a related security flaw in Twitter.
I alerted firstname.lastname@example.org about this flaw on May 5 2010 and got a swift acknowledgment from Bob Lord. It did, however, take Twitter several months to mitigate the flaw by applying HTTPS when users re-enter their passwords on the website.
In this tutorial Anton talks about OS fingerprinting and shows how to access extracted files, images and extracted login credentials. Anton also provides a nice example of how to use the keyword search functionality in NetworkMiner.
Creating new NetworkMiner videos
To this date there are no video tutorials for NetworkMiner 1.0 published on the Internet. I would be happy to promote such new videos on this blog. It would also be fun to see a video showing how to solve one of the many network forensics challenges available on the Internet, such as the DFRWS 2008 challenge, the Tao Security TCP/IP Weapons School Sample Lab or any of the many puzzles at forensicscontest.com.
PS. You can find even more publicly available pcap files at our list of publicly available PCAP files.
We have released a series of Network Forensics Video Tutorials, which show how NetworkMiner as well as other tools can be used in order to analyze network traffic in PCAP files.
Posted by Erik Hjelmvik on Tuesday, 22 February 2011 17:15:00 (UTC/GMT)
Switching from unencrypted HTTP to encrypted HTTPS is a good move to help the users of a website protect their privacy online. Many webmail providers have therefore started rolling out encrypted services during the past few years. Google announced its optional “always use https” setting back in 2008 and also provided some guidance on why it is important to use HTTPS:
Https keeps your mail encrypted as it travels between your web browser and our servers, so someone sharing your favorite coffee shop's public wifi can't read it.
It took Microsoft Hotmail until November 2010 to announce its optional support for HTTPS encryption, which users could activate by visiting https://account.live.com/ManageSSL.
Adding the option to manually turn on encryption seems to satisfy most people in the security community, probably because it enables us geeks to protect our privacy online through encryption. But the majority of webmail users are not aware of the risk of getting their traffic sniffed and also do not know how to turn the encryption feature on. Encryption must therefore be turned on by default in order to protect the broad mass of webmail users.
An open letter written by some well-known security figures, such as Jacob Appelbaum, Richard Clayton, Roger Dingledine, RSnake, Jeff Moss, Ronald L. Rivest and Bruce Schneier, was sent to Google in June 2009. In the letter the authors requested that Google turn on encryption as part of the default settings:
Rather than forcing users of Gmail, Docs and Calendar to “opt-in” to adequate security, Google should make security and privacy the default.
The letter also mentioned that competing webmail providers had even worse security, since they didn't offer any “opt-in” encryption at all at that time:
Google is not the only Web 2.0 firm which leaves its customers vulnerable to data theft and account hijacking. Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to these attacks. Worst of all – these firms do not offer their customers any form of protection.
Just like most other webmail services, Google's Gmail uses HTTPS to encrypt the username and password during login. But Gmail now also provides encryption by default after the user has logged in. This prevents hackers as well as investigators/analysts from extracting sent emails by sniffing network traffic.
Hackers have, on the other hand, been able to take over other users' logged-in Gmail sessions for some time by sniffing the GX cookie and using it to fool Gmail into believing they are logged into the victim's account. Google has now mitigated this issue by adding encryption and setting the GX cookie to “Secure connections only”, which means it will only be sent in HTTPS sessions.
There is, however, another cookie used by Gmail that is allowed to be sent across an unencrypted HTTP session. This cookie is called “gmailchat” and is typically submitted when visiting http://mail.google.com/mail. This cookie is picked up by NetworkMiner and displayed on both the Credentials tab and the Parameters tab.
The client IP address, login time and Gmail account of a gmailchat cookie can be used as evidence by an analyst to determine which person was using a particular computer at a particular time.
The security of Hotmail is much worse than that of Gmail. With default settings only the login is protected with encryption; everything after that is sent as cleartext HTTP. This makes it possible to extract emails sent with Hotmail just by passively sniffing the network traffic of a logged-in Hotmail user. In our recent “TCP/IP Weapons School” blog post we showed how NetworkMiner displays extracted emails in the Messages tab; this feature works just as well with Hotmail traffic. By loading a pcap with Hotmail web traffic into NetworkMiner you would get something like this:
You can also use the Parameters tab to look for the parameter names “fFrom”, “fTo”, “fSubject” and “fMessageBody” and thereby manually extract who sent and received the email as well as read its subject and message body. These parameters are all sent in an unencrypted HTTP POST to mail.live.com.
So if you're using Hotmail or Windows Live Mail, make sure to visit https://account.live.com/ManageSSL and enable the encryption functionality!
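The two weaknesses discussed above come down to the same thing: data that only has meaning inside an authenticated session (the GX and gmailchat cookies, the Hotmail message fields) being carried by plain HTTP. The script below is an added example, written for this post and not part of NetworkMiner, that audits an HTTP exchange for exactly that: it reports which of the cookie and parameter names named in the post travelled over unencrypted HTTP, and which cookies a response sets without the Secure attribute (the fix Google applied to GX). The request, response, URL paths and cookie values are constructed for illustration; only the cookie and parameter names come from the post.

```python
"""Audit HTTP messages for session data carried over cleartext.

Added example, not code from the blog post or from NetworkMiner.
The sample request/response bytes at the bottom are constructed.
"""
from urllib.parse import parse_qs

# Names the blog post identifies as being sent over plain HTTP:
# Hotmail's message form fields and Gmail's session cookies.
SENSITIVE_PARAMS = {"fFrom", "fTo", "fSubject", "fMessageBody"}
SENSITIVE_COOKIES = {"GX", "gmailchat"}


def split_http_message(raw: bytes):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_cookie_header(value: str) -> dict:
    """Parse a request 'Cookie' header ('a=1; b=2') into {name: value}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def cleartext_findings(raw_request: bytes, scheme: str):
    """Sorted (kind, name) pairs for sensitive cookies and form fields
    that this request carried over plain HTTP. Nothing is reported
    for an HTTPS request, since a sniffer only sees ciphertext there."""
    if scheme != "http":
        return []
    start, headers, body = split_http_message(raw_request)
    found = set()
    for name, value in headers:
        if name == "cookie":
            for cookie_name in parse_cookie_header(value):
                if cookie_name in SENSITIVE_COOKIES:
                    found.add(("cookie", cookie_name))
    if start.startswith("POST "):
        for field in parse_qs(body.decode("iso-8859-1")):
            if field in SENSITIVE_PARAMS:
                found.add(("param", field))
    return sorted(found)


def cookies_missing_secure(raw_response: bytes):
    """Names of cookies set by this response without the Secure attribute,
    i.e. cookies the browser will also send over unencrypted HTTP."""
    _, headers, _ = split_http_message(raw_response)
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        name_value, *attrs = value.split(";")
        cookie_name = name_value.partition("=")[0].strip()
        if not any(a.strip().lower() == "secure" for a in attrs):
            missing.append(cookie_name)
    return missing


# Constructed samples (not real captured traffic; paths and values invented).
GMAIL_GET = (
    b"GET /mail HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"Cookie: gmailchat=alice@example.org/123456; PREF=ID=abc\r\n"
    b"\r\n"
)
HOTMAIL_POST = (
    b"POST /mail/compose-example HTTP/1.1\r\n"
    b"Host: mail.live.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"fFrom=alice%40example.org&fTo=bob%40example.org"
    b"&fSubject=hello&fMessageBody=see+you+at+noon"
)
GMAIL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: GX=DQAA-constructed; Path=/mail; Secure\r\n"
    b"Set-Cookie: gmailchat=alice@example.org/123456; Path=/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("Gmail GET over http :", cleartext_findings(GMAIL_GET, "http"))
    print("Hotmail POST over http:", cleartext_findings(HOTMAIL_POST, "http"))
    print("Cookies without Secure:", cookies_missing_secure(GMAIL_RESPONSE))
```

Running it on the constructed samples reports the gmailchat cookie and all four Hotmail fields as cleartext findings, and flags gmailchat (but not GX) as a cookie set without Secure. Running the same checks against traffic from your own webmail session is a quick way to confirm whether the "always use https" setting is actually in effect.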
Posted by Erik Hjelmvik on Saturday, 12 February 2011 15:01:00 (UTC/GMT)
In IPv4 we call each byte of the IP address an “octet”, since it is of course eight bits long. In the IP address “126.96.36.199” the first octet would be 194, the second 9, etc.
But how are we supposed to refer to the various parts of an IPv6 address? An IPv6 address might look like “2a02:0250:0000:0001:0002:0003:0004:0005”, where the address is made up of eight 16-bit parts separated by colons. But what do we call each such part? Using the word “segment” might cause confusion, since that word has another meaning to network people (think “network segments”). Using the IPv4 word “octet” would also be plain wrong, since we're talking about 16-bit values here, not 8-bit values.
The IETF now seems to have realized that there is currently no standardized name for the eight parts that make up an IPv6 address, and has therefore issued an Internet Draft called “Naming IPv6 address parts”.
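Whatever the eight parts end up being called, it helps to see them as values rather than as text, especially since the common “::” shorthand hides some of them. The snippet below is an added example, not part of the blog post or of any IETF document: it splits an IPv4 address into its four octets and an IPv6 address into its eight 16-bit parts, once via the standard library and once by hand so that the “::” expansion rule is visible. The hand-written version assumes plain hexadecimal notation (no embedded IPv4 suffix such as ::ffff:192.0.2.1).

```python
"""Split IPv4 and IPv6 addresses into their numeric parts.

Added example, not from the blog post. The addresses used in the
__main__ block are the one from the post plus documentation-range samples.
"""
import ipaddress


def octets(addr: str) -> list:
    """IPv4: four 8-bit parts, each 0..255."""
    return [int(b) for b in ipaddress.IPv4Address(addr).packed]


def hextets(addr: str) -> list:
    """IPv6: eight 16-bit parts, each 0..65535, with '::' expanded."""
    exploded = ipaddress.IPv6Address(addr).exploded  # 'xxxx:xxxx:...' x8
    return [int(part, 16) for part in exploded.split(":")]


def hextets_manual(addr: str) -> list:
    """Same result without the library, to show what '::' stands for:
    a single run of zero-valued parts long enough to pad to eight."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once: %r" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        left_parts = left.split(":") if left else []
        right_parts = right.split(":") if right else []
        missing = 8 - len(left_parts) - len(right_parts)
        if missing < 1:
            raise ValueError("'::' must replace at least one part: %r" % addr)
        parts = left_parts + ["0"] * missing + right_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(1 <= len(p) <= 4 for p in parts):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return [int(p, 16) for p in parts]


def compress(parts: list) -> str:
    """Format eight 16-bit parts back into text, with leading zeros dropped
    (the '::' compression itself is left to ipaddress for brevity)."""
    return str(ipaddress.IPv6Address(":".join("%x" % p for p in parts)))


if __name__ == "__main__":
    print(octets("192.0.2.1"))
    full = "2a02:0250:0000:0001:0002:0003:0004:0005"   # address from the post
    print(hextets(full))
    print(hextets_manual("2a02:250::1"))
    print(compress(hextets(full)))
```

The second and third calls make the point of the post concrete: the parts are 16-bit quantities (0x2a02 is 10754), so neither “octet” nor “byte” describes them, and the “::” in a compressed address stands for however many zero parts are needed to reach eight.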
The draft mentions some crazy name alternatives, such as “Chazwazza” and “Colonade”. The best proposal in the IETF draft is, in my opinion, “Chunk”, even though it doesn't give any clue about the bit length.
There are currently two different online polls going on to gather input on what we should name the IPv6 parts: one on the My Etherealmind blog and one on Doodle. I like the Doodle poll better, since it introduces a name that I prefer to use, namely “Hextet”.
Posted by Erik Hjelmvik on Saturday, 05 February 2011 08:05:00 (UTC/GMT)