New Book Investigating Internet Crimes Released

February 15th, 2014
41wMbTIcmVL._SY300_

Investigating Internet Crimes

Investigating Internet Crimes:
An Introduction to Solving Crimes in Cyberspace

You can find the new book by Todd G. Shipley and Art Bowker on Amazon books and you can  also follow the authors on their blog. What’s being said about the book:

Neal Ysart, Director First August Ltd, likes Investigating Internet Crime by Shipley and Bowker

“At last….. Informed, pragmatic guidance from two highly experienced professionals who  have actually spent time on the front line, not just the classroom.  This book is relevant for  practitioners working in both law enforcement and within business – every aspiring cyber  investigator should have a copy.” Neal Ysart, Director First August Ltd, Information and  Corporate Risk Services

Google Analytics Update

August 29th, 2012

Last year I wrote about taking apart a MySpace cookie.  Included in that posting was some discussion on Google analytics tools found within the cookie.  It was interesting and I got some good feedback about the blog entry.  I was contacted by Jim Meyer of the DoD Cyber Crime Center about some further research they had done on the Google analytics within cookies and a presentation they were preparing at the time for the 2012 DoD Cybercrime conference (if you saw the presentation at DoD let me know how it went).

They were able to determine more information about the specific pieces of the Google analytics cookie placed on a user’s computer when they go to a webpage that contains Google Analytics.

The Google Analytics Cookie collects stores and reports certain information about a user’s contact with a webpage that has the embedded Google analytics java code. This includes:

  • Data that can determine if a user is a new or returning user
  • When that user last visited the website
  • How long the user stayed on the website
  • How often the user comes to the site, and
  • Whether the user came directly to the website,
    •  Whether the user was referred to the site via another link
    • Or, whether the user located the site through the use of keywords.

Jim Meyer and his team used Googles open source code page to help define several pieces of the code and what exactly it was doing when downloaded. Here is some of what they were able to determine (The examples are the ones I used in my last posting with a little more explanation about what everything means. I explained how I translated the dates and times in my last posting). For a complete review of their findings contact Jim at the DoD Cyber Crime Center.  

Example

Cookie:            __utma

102911388.576917061.1287093264.1287098574.1287177795.3

__utma This records information about the site visited and is updated each time you visit the site.
102911388 This is a hash of the domain you are coming from
576917061 This is a randomly generated number from the Google cookie server
1287093264 This is the actual time of the first visit to the server
576917061.1287093264 These two together make up the unique ID for Google track users. Reportedly Google not track by person information or specific browser information.
1287098574 This is the time of the previous visit to the server
1287177795 This is the time last visited the server
3 This the number of times the site was been visited

 Example

Cookie:            __utmz

102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) 

__utmz This cookie stores how you got to this site.
102911388  Domain hash
1287093264 Timestamp of when the cookie was last set
1 # of sessions at this time
1 # of different sources visitor has used to get to the site.
utmcsr Last website used to access the current website
=(direct) This means I went direct to the website, “Organic” would be from a google search, “Referring link” may show link coming from Search terms may.
|utmccn=(direct)  Adword campaign words can be found here
|utmcmd=(none) Search terms used to get to site may be in cookie here.

 Example

Cookie:            __utmb

102911388.0.10.1287177795 

__utmb This is the session cookie which is only good for 30 minutes.
102911388 This is a hash of the domain you are coming from
0 Number of pages viewed
10 meaning unknown
1287177795 The last time the page was visited

Remember though all of this can be different if the system deletes the cookies or the user runs an application that cleans the cookies out.  Also, it is all relative and depends on system and user behavior and when and how many times they have visited a particular site.

You can also go to find out more about the description of the cookies http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#cookiesSet

Google Analytics can set four main cookies on the users machine:      

__utma Unique Visitors
__utmb Session Tracking
__utmc Session Tracking
__utmz Traffic Sources

Optional cookies set by Google Analytics:

__utmv Custom Value
__utmx Website Optimizer

Google Analytics creates varying expiration times for its cookies: 

__utma The information on unique user detection expire after 2 years
__utmz The information on tracking expire until 6 months).
__utmv The information on “Custom Tracking” will expire after 2 years
__utmx The information on the “Website Optimizer” will expire after 2 years
  The information about a current visit (visits) will expire after 30 minutes after the last pageview on the domain.

The original code schema written by Urchin was called UTM (Urchin Traffic Monitor) JavaScript code. It was designed to be compatible existing cookie usage and all the UTM cookie names begin with “_utm” to prevent any naming conflicts. 

Tracking the Urchin- from an investigative point of view

Okay so for some additional new stuff on Google analytics when examining the source code of a webpage. What is the Urchin? Google purchased a company called Urchin who had a technology to do traffic analysis. The technology is still referred in the cookies Urchin’s original names.

When examining a live webpage that contains Google analytics code embedded in the website you will come across code that looks similar to this:

<script type=”text/javascript”><!–var gaJsHost = ((”https:” == document.location.protocol) ? “https://ssl.” : “http://www.”);document.write(unescape(”%3Cscript src=’” + gaJsHost + “google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E”));// –></script><script type=”text/javascript”><!–try {

var pageTracker = _gat._getTracker(”UA-9689708-5″);

pageTracker._trackPageview();

} catch(err) {}

// –></script> 

Search the source code for “getTracker” and you will find the following line: var pageTracker = _gat._getTracker(”UA-9689708-5″); which contains the websites assigned Google analytics account number “UA-9689708-5”. So what does this mean and how can it be of value to me when I am investigating a website? Let’s identify what the assigned number means: 

UA Stands for “Urchin Analytics” (the name of the company Google purchased to obtain the technology)
9689708 Google Analytics account number assigned by Google
5 Website profile number

How can I use this Google analytics number in an investigation? First you can go to http://www.ewhois.com/ to run the UA # and identify the company/person assigned the number.

The reponse you will get is something similar to this:

google analytics

Then run the Google Analytics number through Reverseinternet.com:

urchin

This is a little more of investigative use in that it is showing domains that use the same Google analytics Id, the Internet Protocol addresses assigned to the domains and the DNS servers used by the domains.

Using Reverseinternet.com allows you to identify any webpage where this Google Analytics Id has been embedded in the source code.  This can be of investigative value if the target has used the same Id on more than one webpage they control or monitor. Why would this occur? Google allows the user to monitor data from multiple sites from a single control panel.

So how does Google analytics work?

Google is probably a better place to find this out. You can go to http://code.google.com/apis/analytics/docs/concepts/gaConceptsOverview.html for a complete overview of how it works.

In short Google Analytics java code embedded in the webpage you visit collects information from the following sources when you connect to a webpage:

  • The HTTP request of the visitors browser
  • Browser/system information from the visitor
  • And it sends a cookie to the visiting system

All of this gives the webpage owner the ability to track persons going to their webpage. From an investigative point of view there is a certain amount of exposure due to the browser tracking that occurs and the fact that a cookie is placed on your investigative system. But there is the possibility from examining the page source code to tie the website through the Google Analytics Id to other webpages of interest.

A forensic look at the installed IDrive backup service files

August 16th, 2012

I didn’t intend on dissecting files when I started looking at IDrive. My intent was to look at its operation and determine a method of file acquisition as a “Cloud” service. That is still an ongoing project. What I found though is a little disturbing from a user point of view, and fantastic from a forensic point of view. I originally wrote this last year and never got it posted.  When I originally looked at IDrive I found some interesting information. I thought after a year they would have changed their methods of obscuring their client information on the local machine. Alas, no….Here is what I found.

IDrive Background

From their corporate information page IDrive identifies them as a “service” of Pro Softnet Corporation based in Calabasas, California. Pro Softnet has been around since 1995 providing Internet-based solutions. They have several other products including IBackup and RemotePC.

Disturbing Findings or not so disturbing for the Forensic examiner

I downloaded the “Free” version of IDrive’s software.  I wanted to test it and potentially include it in our training as a discussion item on cloud investigation issues. IDrive is unique among the “Online Backup” providers in that they offer “Free” storage of up to 5 GB of data. The other companies in this space seem to only offer a free trial period of their product. IDrive was unique enough that I thought I needed to try it.

This short blog entry is not a review of the entire installation of the software. I did not look in to the registry or examine ever file. I did however find a few things that are worth mentioning for the forensic examiner. I quickly and easily installed their software and easily uploaded some test data into their storage.  I then started to poke around on my machine to identify where IDrive put files.  I did not have to go far. IDrive’s files are found on the local system hard drive under the IDrive folder in the “Program Files” folder.

In the main IDrive folder is the 128 bit “rc4.key” encrypted key file I am sure that is used by the system to communicate with the IDrive server. RC4 is almost 25 years old as an encryption scheme. It however is still in common use today.  I did not examine further its implementation in the communication scheme of the product or try to crack it..

IDrive Temp Folder

In the IDrive “Temp” folder there were two folders with files similarly named. The file “DLLOutput1.txt” contained only an IP address of 206.221.210.66 (and what appears to be a port number of 11663) which belongs to IDrives parent company Pro-Softnet.

The file DLLIntput1.txt similarly contained a small amount of important information. The format was: 

8-16-2012 11-52-21 AM

 We will discuss the username and password translation below.

LDB Folder

In the LDB folder is a file titled “IDriveLDB.IDr”. The file is an SQlite database containing file paths of the data to be backed up.

Log Folder

Under the “Log” folder is another file containing a file named “Realtime Trace.txt”. This file is a log file with connection dates and times.   This file contained the backup up operation to IDrive, which included the IDrive User name, data files names and paths, the start and end time of the backup, the number of files backed up and any excluded files from the backup.

Folder with local computer name

In the folder with the local computers name was found a file titled “Backupfile.txt”. This file contained a list of the files backed up to the IDrive server. In this same folder was another file “BackupSet.txt” that appeared to contain the dates and times of the backups.

IDdrive\”Username”

In the IDrive user folder there is a file called “IDriveE.ini”. The contents are a little lengthier but it is revealing.  At first glance there is the same IP address identified above, the port and much more information. I looked at the lines in the file and realized that some encryption scheme was used. The question is what was it?  Thinking I would not easily find out what the scheme was that was implemented, I used a program to simply try various cyphers common in obfuscation. Without much effort I revealed my passwords and my user name from the text. The obfuscation used by IDrive was a simple 2 position Cesar Cypher.

Text in File Translation
user 2 position Cesar Cypher and is my login user name
User Password=xxxxxxx 2 position Cesar Cypher and is my login password
gpercuuyqtf=xxxxxxxx 2 position Cesar Cypher and is “encpassword=mypassword”
Enc password=xxxxxx 2 position Cesar Cypher and is my encrypted Idrive password but only the first 6 characters of my password
wugtgocknkf=vqffBxgtguqhvyctg0eqo useremailid;todd@veresoftware.com

(Real password has been removed for my security….)

These were not the only lines that used the 2 position Cesar Cypher. In going through the entire file, the lines not in plaintext all used this same cypher to encode their data.

IDriveEUsername_Folder

In reviewing a file named “SerTraceFile.txt” I found a log file with more interesting information about the service and what it collects about my system. The file contained many pieces of information about the IDrive service and the local machine including the local PC name and the NIC card’s MAC address.

Conclusion

WOW….So in looking at IDrive, the “Encrypted” backup service, I found from a forensic point of view, some substantially important failings on the local machine. Well not failings from an investigative point of view, this is actually some great information.  I made no attempt at the writing of this blog entry to use the file information to login from a separate machine. Until Prosoft changes the IDrive local machine files Digital Forensic examiners will have access to some useful information from the IDrive files.

Post script

I am sure this will be changed in a follow-on version by Pro-Soft (at least I hope so), but for the record what I found is limited to my examination of these specific versions on a Windows 7 machine. The IDrive versions I used in this testing were 3.3.4 and3.4.1.

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anit-forensics.com. The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market

 

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing

 

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin

 

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Tor and its use during online investigations

July 18th, 2011

When investigating crimes on the Internet the investigator needs to consider how much information that he presents to servers and webpages that he may be investigating.  Hiding oneself on the Internet used to be the purview of hackers. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. Proxies act as just that a “Proxy” or a go between. It’s a computer that acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “Proxy”.

Another significant tool in the “I need to hide on the Internet” world is the venerable tool “Tor”. Tor (The Onion Router) was developed from a concept originally written about by the U.S. Navy. According to the Tor website,  “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now that it has been in the past. This is due to the increase in most users Internet bandwidth, the constant upgrading and improving of the Tor software and it easy integration into the popular browsers. So how does the investigator implement Tor during his investigations? Well the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses what kind of browser we are using and its version. We can use Tor to prevent a suspect webpage from identifying us.

Let’s take a look at how to install and implement Tor so we can us it during our investigations. Installation for Tor is pretty starting forward now. Go to the Tor project website and download the current “Vidalia” (like the onion) Windows installer. Click on the executable file and the project installs. The trick to using Tor is setting the proxy setting in your browser to use the Tor network. Your browser normally makes a call out through your Internet Service to servers on the Internet. These servers easily identify who you are by your Internet Protocol (IP) address so they can communicate back with you.  This exposure of your IP address is what can tell the bad guy who you are and possible who where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website).

So once Tor is installed your next actions are to set up your browser to use the Tor network as its proxy (proxy being a server acting as your entry point to the Internet and in this hiding your real IP address). Using Windows Internet Explorer version 8 go to Tools|Internet Options|

Changing Internet Explorer Settings

Changing Settings in Internet Explorer

 The select “Connections” and click on “LAN Settings”.

Image 2 -Tor IE LAN settings

IE LAN Settings

 

IE LAN Settings Address and Port IE LAN Settings Address and Port

In the Local Area Network (LAN) Settings box you need to click on the box “Use a Proxy server for your LAN” in the address box add 127.0.0.1 and add in the Port box 8118. Click OK twice to exit and you are now able to use the Tor network.  You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box. This will then return you to your normal web access.

The Tor Project has a page you can go to that will verify that you are using the Tor Network or you can go to one of the websites on the Internet that grabs your IP address like http://whatismyipaddress.com/

In the Windows taskbar a little Onion symbol when opened will show you the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network  and can change the IP address you are coming from by clicking on the “Use new identify” button.

Tor Control Panel

Control Panel

Once connected click on the setting button in the control panel. For our investigative purposes click on “Run as client only”.  This will ensure that other users of the network are not using your system as a relay server on the network (Tor data would actually be passing through your computer). 

Tor Settings Tor Settings

To see the other computers, and their description, on the Tor system click on the “View the Network” button.

We are no ready to go online and start our investigation without being identified.

Things to note here, the online application being used by the tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.

Other things to consider in your Browser set up that need to be turned off.  Turn off running scripts, ActiveX and cookies. Also block pop-ups. But “I can’t access all the good content on the Internet”. Correct you can’t but then the end user can’t identify you either. Each of these features enhance our web surfing experience, but they also require code be downloaded through your browser and run on your machine. This can allow for the code to default to a port it use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want you can always relax the controls and go back and look at the site, but at least you are aware then of the risks and make that decision based on the investigation.

Using WebCase with Tor requires just installing Tor as described above. WebCase collects web –based evidence through Internet Explorer even when piped through the Tor Proxy. The collection times will be extended because of the way Tor functions and has nothing to do with WebCase.

A Cyber-Investigator’s Introduction to IPv6

July 13th, 2011

This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.

There’s no place like home.
There’s no place like 127.0.0.1. (IPv4 version)
There’s no place like ::1. (IPv6 version)

Introduction

The widely used Internet Protocol (Version 4) – IPv4 – was created approximately 30 years ago and it has served us well. But it’s also showing its age. Back in the early 1980s, it was almost impossible to anticipate the growth in the demand for IP addresses. Now we are running out of IPv4 addresses (”IPv4 address exhaustion”). Also various people have been seeing the need for various improvements in the Internet Protocol.

To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.

Most operating systems and systems now include IPv6 support by default. There is also the ability to tunnel IPv6 via IPv4 with Teredo, 6to4, etc. For those whose ISPs don’t provide IPv6 connections, there are services, such as Hurricane Electric Free IPv6 Tunnel Broker1, which allow people to tunnel with IPv4 to get to the service that will give them IPv6 connections.

win7_net_ipv6

Example of IPv6 Support in Windows 7

IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?

IPv6 vs IPv4: A Few Key Points

Without going into much detail, here are some of the key differences between IPv6 and IPv4:

Number of bits and address space.

  • IPv4 has 32 bits, allowing just over 4 billion addresses. Not even enough to give a unique address to each human being on Earth.
  • IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 252 addresses for every star in the known universe. Not likely to run out of of IPv6 addresses.

Address notation.

  • IPv4 usually uses dotted decimal notation. E.g., 192.168.2.12.
  • IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
  • The IPv6 addresses can be compacted. So the above example becomes 2001:4c0::c5ef:0:0231.
  • In a mixed IPv4/IPv6, the IPv6 32 bit address can be incorporated into an IPv4 address. E.g., 2001:04c0::192.168.1.1 or ::126.143.54.107 (Note the switch from colon separators to dotted format.)

IP security (IPsec) is built into IPv6, the ability to cryptographically sign the packets.

There are various IPv6 tools for defense (if we know how to use them).

This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.

Security, Forensics & Investigations Issues for IPv6

As mentioned above, IPv6 has some security features. Also, some IPv6 feature might be helpful in investigations. For example, IPv6 may give the source’s MAC address in some cases. But there are security problems raised by IPv6 and the current networking environments.

The gigantic IPv6 address space means that scanning IPv6 networks with IPv4 methods where we can try each possible IP address is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even an IPv6 subnet could take over 145,000 years. So we need IPv6 methods, such as neighbour discovery, of finding systems at IPv6 addresses.

Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses and many may not properly interpret IPv6 traits. Black listing tools may miss problem addresses because they cannot associate IPv6 with IPv4 or IPv4 within IPv6 notation. It is likely that some of the analysis tools for linking data such as IP address associated with crimes might have problems once IPv6 addresses come into play. What else might trip up with IPv6?

Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore the IPv6 or tunnelling.

Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:

From ipv6@he.net Tue Nov 23 09:51:00 2010
Return-Path:
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with
<…>

Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work but not if your network connection doesn’t support IPv6. Same for traceroute and various other tools. Nslookup, dig, and whois work better. (Example of an IPv6 whois lookup via the ARIN Web site) But they are not enough for our security & forensics toolkit.

The most critical security & investigatory challenge is getting up to speed with IPv6.

Conclusion

IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.

Resources

IETF, RFC 2460 – Internet Protocol, Version 6 (IPv6) Specifications.
The Internet Society. Internet Issue – Ipv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinwebe, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007 [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001)]

Wikipedia entries
Ipv6
IPv4 address exhaustion
List of IPv6 tunnel brokers

Wireshark Wiki. Sample PCAP Captures – Ipv6 and Tunneling.

Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.

Cell phones, the Internet and common evidence issues

July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where there evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded our possible locations for evidence to be found – far beyond the physical crime scene. With this increase means of course more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different then what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. Likewise when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement to ensuring that victims and suspects alike get the due process they deserve.

Smartphones and the Internet: Finding evidence in 2 different places

June 22nd, 2011
How do Internet and mobile phone evidence support each other?

How do Internet and mobile phone evidence support each other?

On Thursday, June 30, we’ll be offering another webinar that is new to our series: Smartphones and the Internet, a discussion about how smart phones are changing the world of online investigations. Instructor Michael Harrington, Director of Training at Teel Technologies and a longtime expert in mobile device forensics, will cover the various apps and tools that tie smart phones to the Internet and the potential for evidence collection on both the phone and the websites tied to the apps.

We asked Mike for some more detail on what he’ll be talking about:

VS: What are the major apps and platforms you’ll be covering in your webinar, and why are they especially relevant?

MH: I’ll mostly be concentrating on iOS and Android and focusing attention on GPS, browser, cloud and social networking applications such as Facebook and Twitter. iOS and especially Android account for the vast majority of the consumer market. Android growth is particularly strong in emerging markets, and has arguably the number one market position.

I’ll be concentrating on social networking applications because research has shown that the vast majority of access to services such as Facebook and Twitter are done on mobile. Facebook in particular is relevant because of the recent controversies of underage access and of course its role in the Arab Spring. Twitter has also made the news with Weinergate, and controversy over ill-thought tweets by such people as Roger Ebert.

The ability to access cloud based services from smart phones (Evernote, logmein and the like) as well as the smartphones capturing of location information not just overtly through GPS applications makes discussion of the platforms relevant.

VS: How do online evidence and mobile evidence work in conjunction? What if one doesn’t match the other?

Online evidence and mobile evidence should be used to validate each other. They should match each other regarding similar data such as IP address. In some instances online evidence may contain more information and vice versa. If they don’t match further investigation and explanation is needed to account for differences.

VS: How deep should investigators dive when collecting evidence from the Internet and from a mobile device? How can they make the decision about how far to go?

I think these questions are tied together inextricably. The decision on how far to dive depends on the severity of the crime. In most instances a simple download of the logical data on the phone will be sufficient to corroborate online evidence or to gather additional evidence to support that gathered online. In some instances it may be necessary to try to recover deleted data off a mobile — this may require specialist equipment and certainly more time and training.

VS: Not all mobile examiners will collect online evidence, and not all online investigators will collect mobile evidence. What’s the best way for them to come together to work out case building?

Since most people on the planet carry mobile phones and the usage of smart phones to access more services is expected to rise by 55% in 2011 it is absolute folly not to look for evidence on mobile devices. I would recommend that a [standard operating procedure] be worked out that if mobile devices are seized, and the particular type of case being worked suggests that a device may be used to access online services where evidence could be collected — or the like is found on mobile devices — that [all] those leads are chased down.

Investigators have to aware of all ways in which criminals and victims access the online world. More and more it’s through their mobile devices.

VS: Anything else webinar attendees should know in advance?

Maybe some stats on the smartphone market. Here is an excerpt from the first chapter of the Android book (Apress, expected pub date December 2011) I’m working on:

The growth of the global smart phone market has been nothing short of explosive. According to the International Data Corporation (IDC), a leader in market research, the world wide smartphone market is expected to grow 55% in 2011, fueled by consumers eager to exchange their feature mobile phones for advanced devices with more features, and most importantly, apps.

The sheer number of devices being shipped is staggering. Again according to the IDC’s Worldwide Quarterly Mobile Phone Tracker there will be a total of 472 million smart phones shipped in 2011 up from 305 in 2010. Furthermore, this is expected to almost double to an unbelievable 982 million by the end of 2015.

The growth rate is over four times the rate of the overall mobile phone market due to the accessibility of devices to a wide range of users, and helped by falling prices, functionality and low cost data plans.

The growth is most pronounced in markets that are emerging and where the adoption of these devices is still in early days – the IDC predicts that the most stunning growth will be in the Asia/Pacific region and in Latin America.

Join us on Thursday, June 30 from 11am-12pm Pacific, and bring any questions you have for Mike!

Image: Johann Larsson via Flickr