So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anit-forensics.com. The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market

 

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing

 

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin

 

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Tags: , , , , , , , , , , , ,
Posted in Uncategorized | No Comments »

Tor and its use during online investigations

July 18th, 2011

When investigating crimes on the Internet the investigator needs to consider how much information that he presents to servers and webpages that he may be investigating.  Hiding oneself on the Internet used to be the purview of hackers. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. Proxies act as just that a “Proxy” or a go between. It’s a computer that acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “Proxy”.

Another significant tool in the “I need to hide on the Internet” world is the venerable tool “Tor”. Tor (The Onion Router) was developed from a concept originally written about by the U.S. Navy. According to the Tor website,  “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now that it has been in the past. This is due to the increase in most users Internet bandwidth, the constant upgrading and improving of the Tor software and it easy integration into the popular browsers. So how does the investigator implement Tor during his investigations? Well the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses what kind of browser we are using and its version. We can use Tor to prevent a suspect webpage from identifying us.

Let’s take a look at how to install and implement Tor so we can us it during our investigations. Installation for Tor is pretty starting forward now. Go to the Tor project website and download the current “Vidalia” (like the onion) Windows installer. Click on the executable file and the project installs. The trick to using Tor is setting the proxy setting in your browser to use the Tor network. Your browser normally makes a call out through your Internet Service to servers on the Internet. These servers easily identify who you are by your Internet Protocol (IP) address so they can communicate back with you.  This exposure of your IP address is what can tell the bad guy who you are and possible who where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website).

So once Tor is installed your next actions are to set up your browser to use the Tor network as its proxy (proxy being a server acting as your entry point to the Internet and in this hiding your real IP address). Using Windows Internet Explorer version 8 go to Tools|Internet Options|

Changing Internet Explorer Settings

Changing Settings in Internet Explorer

 The select “Connections” and click on “LAN Settings”.

Image 2 -Tor IE LAN settings

IE LAN Settings

 

IE LAN Settings Address and Port IE LAN Settings Address and Port

In the Local Area Network (LAN) Settings box you need to click on the box “Use a Proxy server for your LAN” in the address box add 127.0.0.1 and add in the Port box 8118. Click OK twice to exit and you are now able to use the Tor network.  You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box. This will then return you to your normal web access.

The Tor Project has a page you can go to that will verify that you are using the Tor Network or you can go to one of the websites on the Internet that grabs your IP address like http://whatismyipaddress.com/

In the Windows taskbar a little Onion symbol when opened will show you the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network  and can change the IP address you are coming from by clicking on the “Use new identify” button.

Tor Control Panel

Control Panel

Once connected click on the setting button in the control panel. For our investigative purposes click on “Run as client only”.  This will ensure that other users of the network are not using your system as a relay server on the network (Tor data would actually be passing through your computer). 

Tor Settings Tor Settings

To see the other computers, and their description, on the Tor system click on the “View the Network” button.

We are no ready to go online and start our investigation without being identified.

Things to note here, the online application being used by the tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.

Other things to consider in your Browser set up that need to be turned off.  Turn off running scripts, ActiveX and cookies. Also block pop-ups. But “I can’t access all the good content on the Internet”. Correct you can’t but then the end user can’t identify you either. Each of these features enhance our web surfing experience, but they also require code be downloaded through your browser and run on your machine. This can allow for the code to default to a port it use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want you can always relax the controls and go back and look at the site, but at least you are aware then of the risks and make that decision based on the investigation.

Using WebCase with Tor requires just installing Tor as described above. WebCase collects web –based evidence through Internet Explorer even when piped through the Tor Proxy. The collection times will be extended because of the way Tor functions and has nothing to do with WebCase.

Tags: , , , , , , ,
Posted in Investigative Tools | No Comments »

A Cyber-Investigator’s Introduction to IPv6

July 13th, 2011

This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.

There’s no place like home.
There’s no place like 127.0.0.1. (IPv4 version)
There’s no place like ::1. (IPv6 version)

Introduction

The widely used Internet Protocol (Version 4) – IPv4 – was created approximately 30 years ago and it has served us well. But it’s also showing its age. Back in the early 1980s, it was almost impossible to anticipate the growth in the demand for IP addresses. Now we are running out of IPv4 addresses (”IPv4 address exhaustion”). Also various people have been seeing the need for various improvements in the Internet Protocol.

To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.

Most operating systems and systems now include IPv6 support by default. There is also the ability to tunnel IPv6 via IPv4 with Teredo, 6to4, etc. For those whose ISPs don’t provide IPv6 connections, there are services, such as Hurricane Electric Free IPv6 Tunnel Broker1, which allow people to tunnel with IPv4 to get to the service that will give them IPv6 connections.

win7_net_ipv6

Example of IPv6 Support in Windows 7

IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?

IPv6 vs IPv4: A Few Key Points

Without going into much detail, here are some of the key differences between IPv6 and IPv4:

Number of bits and address space.

  • IPv4 has 32 bits, allowing just over 4 billion addresses. Not even enough to give a unique address to each human being on Earth.
  • IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 252 addresses for every star in the known universe. Not likely to run out of of IPv6 addresses.

Address notation.

  • IPv4 usually uses dotted decimal notation. E.g., 192.168.2.12.
  • IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
  • The IPv6 addresses can be compacted. So the above example becomes 2001:4c0::c5ef:0:0231.
  • In a mixed IPv4/IPv6, the IPv6 32 bit address can be incorporated into an IPv4 address. E.g., 2001:04c0::192.168.1.1 or ::126.143.54.107 (Note the switch from colon separators to dotted format.)

IP security (IPsec) is built into IPv6, the ability to cryptographically sign the packets.

There are various IPv6 tools for defense (if we know how to use them).

This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.

Security, Forensics & Investigations Issues for IPv6

As mentioned above, IPv6 has some security features. Also, some IPv6 feature might be helpful in investigations. For example, IPv6 may give the source’s MAC address in some cases. But there are security problems raised by IPv6 and the current networking environments.

The gigantic IPv6 address space means that scanning IPv6 networks with IPv4 methods where we can try each possible IP address is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even an IPv6 subnet could take over 145,000 years. So we need IPv6 methods, such as neighbour discovery, of finding systems at IPv6 addresses.

Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses and many may not properly interpret IPv6 traits. Black listing tools may miss problem addresses because they cannot associate IPv6 with IPv4 or IPv4 within IPv6 notation. It is likely that some of the analysis tools for linking data such as IP address associated with crimes might have problems once IPv6 addresses come into play. What else might trip up with IPv6?

Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore the IPv6 or tunnelling.

Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:

From ipv6@he.net Tue Nov 23 09:51:00 2010
Return-Path:
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with
<…>

Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work but not if your network connection doesn’t support IPv6. Same for traceroute and various other tools. Nslookup, dig, and whois work better. (Example of an IPv6 whois lookup via the ARIN Web site) But they are not enough for our security & forensics toolkit.

The most critical security & investigatory challenge is getting up to speed with IPv6.

Conclusion

IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.

Resources

IETF, RFC 2460 – Internet Protocol, Version 6 (IPv6) Specifications.
The Internet Society. Internet Issue – Ipv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinwebe, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007 [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001)]

Wikipedia entries
Ipv6
IPv4 address exhaustion
List of IPv6 tunnel brokers

Wireshark Wiki. Sample PCAP Captures – Ipv6 and Tunneling.

Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.

Tags: , , , , ,
Posted in Legal & Policy Issues | No Comments »

Cell phones, the Internet and common evidence issues

July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where there evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded our possible locations for evidence to be found – far beyond the physical crime scene. With this increase means of course more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different then what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. Likewise when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement to ensuring that victims and suspects alike get the due process they deserve.

Tags: , , , , , ,
Posted in Investigative Techniques, Legal & Policy Issues | No Comments »

Authenticating the inauthentic

June 28th, 2011
How easy is it to tell if an image was manipulated?

How easy is it to tell if an image was manipulated?

Last week, USAToday.com ran a story about the use of social media to investigate the Vancouver riots:

Vancouver police say they cannot keep up with the unprecedented number of tips and photos of people who torched cars, looted businesses and pounded on officers in a riot following the Canucks loss to Boston in the Stanley Cup finals….

Police use of social media is exploding, and the Vancouver riot illustrates both unique opportunities and challenges for investigators.

Todd was quoted as saying, “Law enforcement has to go where the people are, and the fact is, the people are online. The crime scene has expanded. It’s no longer just the physical world, but it’s that Internet cloud. There’s actionable information out there.”

What if the information is inauthentic?

Another article posted the previous day, however, notes:

Social media have, in some ways, been a blessing for riot investigators, providing evidence that otherwise might never have seen the light of day. But it could also prove to be a curse, with police confirming they’re aware that images could be digitally altered, and social-media experts predicting the “That picture was photoshopped!” defence will be popular.

The article goes on to note that some of the “photoshopping” is obvious; other instances, less so. The onus is on police to sift through the images to determine what is real, and what isn’t:

Constable Jana McGuinness, a Vancouver police spokeswoman, wouldn’t confirm how many doctored images police have received, but said investigators are aware of the possibility of fraud.

“We have experts assisting the investigation that will validate the authenticity of all photographs and images that will be entered as evidence in future court proceedings,” she wrote in a statement.

Photoshopped images are nothing new. More recent cases have been tried in which defendants had photoshopped the faces of children to make them appear to be engaged in sex, or gone even further in manipulating images of women to make them look like young girls.

As the Globe and Mail article notes, image metadata can help investigators authenticate the image, including creation and modification date/time stamps. However, sites like Facebook strip the metadata. Investigators should therefore take pains to document both images and metadata, including their own observations about images’ appearance. As in Vancouver, they should also have access to digital video experts.

What does this mean for actual investigations?

The evidence may not fit the original crime, but in some cases, it can lead to new charges, or lead to civil litigation. Interfering with a police investigation may be one charge leveled against those who actually alter the images (assuming the photo can be traced back to a source). Consider cyber-bullying cases, in which children have created false profiles, complete with fake pictures, to get their peers in trouble.

On the civil side, defamation suits might result from individuals falsely represented as having been involved in a crime or other illicit activity. Corporate espionage, intellectual property violations or even extramarital affairs can be falsified.

The more people become accustomed to using the internet and all it has to offer, the easier it will be for those with the wrong intentions to exploit the various tools. This complicates online investigations, but not insurmountably so.

What wrinkles have you encountered in your online investigations, and how have you dealt with them?

Image: oskarsson photography via Flickr

Tags: , , , , , , , , , , , , ,
Posted in Legal & Policy Issues, Online Investigations in the News | No Comments »

Smartphones and the Internet: Finding evidence in 2 different places

June 22nd, 2011
How do Internet and mobile phone evidence support each other?

How do Internet and mobile phone evidence support each other?

On Thursday, June 30, we’ll be offering another webinar that is new to our series: Smartphones and the Internet, a discussion about how smart phones are changing the world of online investigations. Instructor Michael Harrington, Director of Training at Teel Technologies and a longtime expert in mobile device forensics, will cover the various apps and tools that tie smart phones to the Internet and the potential for evidence collection on both the phone and the websites tied to the apps.

We asked Mike for some more detail on what he’ll be talking about:

VS: What are the major apps and platforms you’ll be covering in your webinar, and why are they especially relevant?

MH: I’ll mostly be concentrating on iOS and Android and focusing attention on GPS, browser, cloud and social networking applications such as Facebook and Twitter. iOS and especially Android account for the vast majority of the consumer market. Android growth is particularly strong in emerging markets, and has arguably the number one market position.

I’ll be concentrating on social networking applications because research has shown that the vast majority of access to services such as Facebook and Twitter are done on mobile. Facebook in particular is relevant because of the recent controversies of underage access and of course its role in the Arab Spring. Twitter has also made the news with Weinergate, and controversy over ill-thought tweets by such people as Roger Ebert.

The ability to access cloud based services from smart phones (Evernote, logmein and the like) as well as the smartphones capturing of location information not just overtly through GPS applications makes discussion of the platforms relevant.

VS: How do online evidence and mobile evidence work in conjunction? What if one doesn’t match the other?

Online evidence and mobile evidence should be used to validate each other. They should match each other regarding similar data such as IP address. In some instances online evidence may contain more information and vice versa. If they don’t match further investigation and explanation is needed to account for differences.

VS: How deep should investigators dive when collecting evidence from the Internet and from a mobile device? How can they make the decision about how far to go?

I think these questions are tied together inextricably. The decision on how far to dive depends on the severity of the crime. In most instances a simple download of the logical data on the phone will be sufficient to corroborate online evidence or to gather additional evidence to support that gathered online. In some instances it may be necessary to try to recover deleted data off a mobile — this may require specialist equipment and certainly more time and training.

VS: Not all mobile examiners will collect online evidence, and not all online investigators will collect mobile evidence. What’s the best way for them to come together to work out case building?

Since most people on the planet carry mobile phones and the usage of smart phones to access more services is expected to rise by 55% in 2011 it is absolute folly not to look for evidence on mobile devices. I would recommend that a [standard operating procedure] be worked out that if mobile devices are seized, and the particular type of case being worked suggests that a device may be used to access online services where evidence could be collected — or the like is found on mobile devices — that [all] those leads are chased down.

Investigators have to aware of all ways in which criminals and victims access the online world. More and more it’s through their mobile devices.

VS: Anything else webinar attendees should know in advance?

Maybe some stats on the smartphone market. Here is an excerpt from the first chapter of the Android book (Apress, expected pub date December 2011) I’m working on:

The growth of the global smart phone market has been nothing short of explosive. According to the International Data Corporation (IDC), a leader in market research, the world wide smartphone market is expected to grow 55% in 2011, fueled by consumers eager to exchange their feature mobile phones for advanced devices with more features, and most importantly, apps.

The sheer number of devices being shipped is staggering. Again according to the IDC’s Worldwide Quarterly Mobile Phone Tracker there will be a total of 472 million smart phones shipped in 2011 up from 305 in 2010. Furthermore, this is expected to almost double to an unbelievable 982 million by the end of 2015.

The growth rate is over four times the rate of the overall mobile phone market due to the accessibility of devices to a wide range of users, and helped by falling prices, functionality and low cost data plans.

The growth is most pronounced in markets that are emerging and where the adoption of these devices is still in early days – the IDC predicts that the most stunning growth will be in the Asia/Pacific region and in Latin America.

Join us on Thursday, June 30 from 11am-12pm Pacific, and bring any questions you have for Mike!

Image: Johann Larsson via Flickr

Tags: , , , , , , , , , , , , ,
Posted in Investigative Techniques, Online Investigations in the News | No Comments »

Examining video file metadata

May 25th, 2011

Digital forensics examiners are very aware of the benefits of identifying metadata in files from word processing documents to image files. The metadata in image files, referred to as Exif (Exchangeable image file format), has been a source of information in forensic examinations for some time. Many files, including video files, have metadata.

If metadata is important in other investigations, can video metadata be a similar potential treasure trove? In our basic course I have extolled the examination of metadata during internet investigations, because in online documents or images, metadata can be incredibly damaging evidence.

For example, recently I was asked to examine a website set up on a “free” domain to find out who the the owner might be. Examination of the website failed to ascertain anything until I downloaded the files embedded in the site. A quick look at the files’ metadata ascertained their author – who was well known to the plaintiff.

Two types of video metadata

So video metadata does exist, and it is important. To deal with video metadata, we have to understand where it comes from. There are two sources, which one article describes as:

a) Operational, automatically gathered video metadata, which is typically a set of information about the content you produce, such as the equipment you used, the software you employed, the date you created your video, GPS coordinates of shooting location, and more.

b) Human-authored video metadata, which can be created to provide more search engine visibility, audience engagement, and better advertising opportunities for online video publishers.

Most of what we are currently dealing with in metadata examination is the “operational” metadata. However, human-authored metadata may become more important.

Interestingly enough, video metadata is getting some heavy discussion from a marketing point of view. Online video providers are looking at the use of video metadata to describe the video better for two reasons: first, better coverage in the search engines, and second, so end users have more descriptive information about the video.

Additionally, video-sharing sites seek to make videos more “social” by enabling users to add metadata to the videos they host. For instance, Metacafe’s Wikicafe section allows all its users to add “human authored” comments to video metadata.

Although few standards currently exist for video metadata, this is changing as video delivery becomes more important. Acceptance of standards such as the Dublin Core Metadata Element Set are becoming common. With standards in the metadata, investigators will have an ability to look for common items of information in the file.

Standard metadata also makes it easier to build tools to extract this data. The continuing conversation, and the acceptance of “human authored” metadata, will undoubtedly provide investigators with additional information regarding videos they find on the internet during investigations.

File formats and what they contain

Search Google for “video metadata forensics”, and you won’t find much of anything useful. It is mentioned in some places that video has metadata, but little describes the metadata in depth. However, search for RIFF (Resource Interchange File Format) and you will find a lot more. Riff, the term similar in usage to Exif data, is the format that describes the usage of metadata in many video and audio files.

Riff data can include:

riff-data

The amount of Riff data available depends on the file format. Riff data is a proprietary format originally developed by Microsoft and IBM for Windows 3.1. The format was released in the 1991 in the Windows Multimedia Programmer’s Reference. Riff was never adopted as a standard and few new video formats have adopted the file format since the 1990’s. Common files formats still in use that use Riff include .wav and .avi. Microsoft has since 2004 been using the ASF format (Advanced Systems Format) since 2004 in its .wma files.

From the Microsoft Advanced Systems Format specifications, we can find that the ASF file can contain potentially valuable information.

asf-file

And,

asf-file-2

Okay….so we have looked at the underlying structure for the metadata present in video. The question now becomes, how do we look at that data? There are a few free tools out there to assist you. Let’s talk about three:

Gspot

Gspot has been the heavy lifter for most investigators looking at metadata in video files. It provides a single screen view of the available data in a video file (of the files it can translate). Most of the data is “operational” data found in the file, but it does provide you with the “human authored” data if it is present. Gspot has an export function to allow the user to save the metadata information for inclusion in a report or to add to WebCase. Gspot’s failing is that it has had no recent updates since 2007.

gspot-interface

The Gspot report looks like this:

gspot-report

MediaInfo

To me, MediaInfo is a newer tool. Its basic view is much simpler than Gspot’s, but it offers several different views of the data that allow you to determine what metadata is present. I personally like the “tree” view as it lays out all of the metadata present in an easy to view screen. The export options for reporting also allow the user to quickly make reports in a text or html format for inclusion in their reports or to add to WebCase. MediaInfo also adds during installation a right click function to Windows Explorer to easily access the tool.

mediainfo-interface

Media Info report (txt, html, or CSV) looks like:

mediainfo-report

Video Inspector

A very basic tool, Video Inspector provides the user with the essential metadata present in the video file. The export function allows for exporting a text document with the metadata it finds, but it is limited. The tool was designed to assist the user in identifying missing codecs required to play the video, so reading all the available metadata is not its main function.

videoinspector

Video Inspector Report looks like:

videoinspector-report

In comparing the tools I used a video that I know had “operational” metadata in it to determine whether each program reported the data. Gspot and MediaInfo both located and reported the data. MediaInfo included the “Master date” which could either be the date the video was “mastered” or possibly the date it was uploaded to the site (I have to do some more research on that date and time stamp).

gspot-metadata

mediainfo-metadata

vi-metadata

So there is some usefulness in reviewing video files for metadata. Something to remember is that some sites may strip the metadata when posted on line. Also, other tools used to download videos from the Internet, like savevid.com, save the video in flash and not the original file format containing the original metadata . Investigators need to find the original video uploaded to get to the metadata.

Additionally, as previously discussed, investigators may encounter challenges in the form of social media. For example: Metacafe’s attempt to add metadata to videos it hosts. Its Wikicafe section allows all its users to add “human authored” comments to video metadata.

If you are more interested in reading about metadata in video files here are some resources:

Riff Info

http://www.digitalpreservation.gov/formats/fdd/fdd000025.shtml

http://en.wikipedia.org/wiki/Resource_Interchange_File_Format

http://www.blitzbasic.com/codearcs/codearcs.php?code=2582

http://code.google.com/speed/webp/docs/riff_container.html

ASF File Format

http://www.digitalpreservation.gov/formats/fdd/fdd000067.shtml

What experiences have you had collecting video file metadata? Comment below!

Todd Shipley is Vere Software’s president and CEO.

Tags: , , , , , , , , , , , ,
Posted in Investigative Techniques | 3 Comments »

Dissecting a MySpace cookie

May 18th, 2011

myspace_logoI previously looked at the MySpace source code and as an aside, I decided to look at the MySpace cookie placed on my computer through Internet Explorer. I need to spend some more time with it, but I found one tidbit of interest. Here are the contents of that cookie:

MSCulture
IP=76.232.69.187&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D&ForcedExpiration=0&timeZone=-7&USRLOC=QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3
VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM
5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25
OYW1lPU5WJkxvY2F0aW9uSWQ9MA
myspace.com/
1600
1450779520
30110255
767532288
30108847*
SessionDDF2
WecgMpqrHOI4tePW304hLLYkIoD8e+hqZQakpBfhu0bf+3YNd9a3gLJAKgrhd57+klMP1U9u
DlEKYfXnDvXE8w==
myspace.com/
1536
2677308160
31578165
1536619600
30108650
*__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
522347392
30255698
765392288
30108847
*
__utmz
102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
428951552
30145363
1564109600
30108650
*__utmb
102911388.0.10.1287177795
myspace.com/
1600
1584863104
30108851
765392288
30108847
*
__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
3491813376
30163644
781442288
30108847
*

Here is an interesting part in Base64:

QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5
TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmT
G9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5W
JkxvY2F0aW9uSWQ9MA

Here is the Base 64 Translation:

USRLOC=AreaCode=775&City=Reno&CountryCode=US&CountryName=United States&DmaCode=811&Latitude=39.5545&Longitude=-119.8062&PostalCode=&RegionName=NV&LocationId=0

The investigator should be aware that the latitude and longitude is generally based on the IP address geolocation. Again this is something you are revealing to the website when you visit it. The website automatically geolocates the IP address for general marketing purposes. As an investigator you need to be aware that you are exposing this information to the websites you surf. I’ll comment more on geolocation in another post.

Not that we all did not know that companies use tracking codes to identify us, but here is the type of information that might be on a suspect’s system if you go looking for it in his cookies. It also shows how much MySpace is tracking about you during an investigation and collecting about you when you go to a suspect’s MySpace page. I found a nice article at http://helpful.knobs-dials.com/index.php/Utma,_utmb,_utmz_cookies describing some of the cookie’s contents of the cookie.

The cookies named __utma through __utmz are part of Google Analytics, originally by the urchin tracking module, also by the newer ga.js. These cookies track usage on sites that use Google Analytics.”

The article goes on to describe the various pieces of the cookie.

__utma tracks each user’s amount of visits, first, last visit.
__utmz tracks where a visitor came from (search engine, search keyword, link)
__utmb and __utmc are used to track when a visit starts and approximately ends (c expires quickly).
__utmv is used for user-custom variables in Analytics
__utmk – digest hashes of utm values
__utmx is used by Website Optimizer, when it is being used

Another good description of the Google Analytic cookies and their contents can be found at MoreVisibility (A marketing website). There are many other sites that collect similar information such as NetcraftAlexa, and WMtips (each of these can be accessed from our free Internet Investigators Toolbar.

The __utma cookie appears to be a string with six fields, delimited by a “.”. The last field is a single integer which records the number of sessions during the cookie lifetime

Here are the various pieces of the cookie with the date and times translated:

Cookie Code Section Date and Time Translation*
myspace.com/
1600
1450779520
30110255
767532288
30108847		 1450779520,30110255
Fri, 22 October 2010 13:23:15 -0800
767532288,30108847
Fri, 15 October 2010 13:23:15 -0800
SessionDDF2
WecgMpqrHOI4tePW304hLLYkIo
D8e+hqZQakpBfhu0bf+3YNd9a3g
LJAKgrhd57+klMP1U9uDlEKYfXn
DvXE8w==
myspace.com/
1536
2677308160
31578165
1536619600
30108650		 2677308160,31578165
Mon, 14 October 2030 13:54:22 -0800
153661960,30108650
Thu, 14 October 2010 13:52:03 -0800
__utma
102911388.576917061.1287093264.
1287098574.1287177795.3
myspace.com/
1600
522347392
30255698
765392288
30108847		 522347392,30255698
Sun, 14 October 2012 13:23:15 -0800
765392288,30108847
Fri, 15 October 2010 13:23:15 -0800
__utmz
102911388.1287093264.1.1.utmcsr=
(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
428951552
30145363
1564109600
30108650		 428951552,30145363
Fri, 15 April 2011 01:54:24 -0800
1564109600,30108650
Thu, 14 October 2010 13:54:24 -0800
__utmb
102911388.0.10.1287177795
myspace.com/
1600
1584863104
30108851
765392288
30108847		 1584863104,30108851
Fri, 15 October 2010 13:53:15 -0800
765392288,30108847
Fri, 15 October 2010 13:23:15 -0800
__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
3491813376
30163644
781442288
30108847		 3491813376,30163644
Thu, 14 July 2011 23:00:00 -0800
781442288,30108847
Fri, 15 October 2010 13:23:16 -0800

*Decoding of the dates and times are thanks to the free “Dcode” tool by Digital Detective.

Todd Shipley is Vere Software’s president and CEO.

Tags: , ,
Posted in Investigative Techniques | No Comments »

Dissecting a MySpace page

May 17th, 2011

myspace-300x81Having not seen this done anywhere else, I decided to look at some basic MySpace pages at random and determine if I could find anything in the source code that might be of any investigative interest.

In general, the source code of a MySpace page has lots of HTML code, but much of it is of no use to the investigator because it does not identify the user or provide investigative leads. There are, however, a couple of interesting things to be found if you look for them.

The actual server location of an image file

Images on a MySpace main page are not embedded in the page. They are linked to a separate web address at www.msplinks.com. Here is a real example randomly gathered from a MySpace page of an image that was on the page:

href=”http://www.msplinks.com/MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2
UuY29tL2luZGV4LmNmbT9mdXNlYWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0y
ODYzNDc4JmFsYnVtSUQ9MjExNDE2NSZpbWFnZUlEPTQ0OTU4MTY2″>

This highlighted portion of the code which is obfuscated and is actually encoded in Base64:

MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2UuY29tL2luZGV4LmNmbT9mdXNl
YWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0yODYzNDc4JmFsYnVtSUQ9MjExNDE
2NSZpbWFnZUlEPTQ0OTU4MTY2

The Base64 translation of this portion of the code is:

01http://viewmorepics.myspace.com/index.cfm?fuseaction=viewImage&friendID=2863478&albumID=2114165&imageID=44958166

The Base64 translated link contains the friendID of the page it is from and what appears to be a uniquely assigned imageID.

The www.msplinks.com address is just a white page when you go there. However, when you look at the source code for this page you see some “old school letters” spelling out myspace.com:

myspace

Embedded video files and their original location

If you right click on an embedded video and select “copy embedded HTML” and paste that into a separate document, you can review the code and find the video location.

Actual example of an embedded video from a random MySpace page:

<imgsrc=”<object width=”640″ height=”390″><param name=”movie” value=”http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=
player_embedded&version=3″></param><param name=”allowFullScreen” value=”true”></param><param name=”allowScriptAccess” value=”always”></param><embed src=”http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=
player_embedded&version=3″ type=”application/x-shockwave-flash” allowfullscreen=”true” allowScriptAccess=”always” width=”640″ height=”390″></embed></object>

The actual page location on YouTube of the embedded video from above example:

http://www.youtube.com/v/Xz2MWedTbP0

Finding the FriendID

I also found the MySpace FriendID in several different locations in the pages source code. A simple search for “FriendID” will find the numerical Friend ID used by MySpace.

Here is a random example of a FriendID found in MySpace source code:

var MySpaceClientContext = {”UserId”:-1,”DisplayFriendId”:281346014,”IsLoggedIn”:false,”FunctionalContext”:
“UserViewProfile”,”UserType”:1};

This is the Myspace ID # that corresponds with the MySpace user name:

DisplayFriendId”:281346014

Add the Friend ID to the MySpace URL and it will take you to that friend’s page.

http://www.myspace.com/281346014

Tracking Code

I also found something of interest to the investigator and a good reason not to use your agency/company computer network to look at a MySpace page. Without much effort I found the code for MixMap. MixMap is tracking code that can be used to identify the IP addresses of anyone viewing a MySpace page. You can register at www.mixmap.com for access to your account and to prepare unique code for insertion on your MySpace page.

In a real example I found the following tracking code located in the MySpace page’s source code:

<a href=”http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v”
target=”_new” title=”MySpace Tracker”>
<img src=”http://www.mixmap.com/661165/no_image_tracker_strict.jpg” border=”0″ height=”1″ width=”1″ style=”visibility:hidden;” alt=”MySpace Tracker” /></a></style></span>

<a href=”http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v” target=”_new” title=”MySpace Tracker”><img src=”http://www.mixmap.com/661165/no_image_tracker_strict.jpg” border=”0″ height=”1″ width=”1″ style=”visibility:hidden;” alt=”MySpace Tracker” /></a></style></span>

This portion of the code is actually encoded in Base64:

MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v

The Base64 translation of this portion of the code is:

01http://www.mixmap.com/

MySpace beacon data

Another thing I found a little disturbing about MySpace was what it is collecting on its pages. I located the following code labeled MySpace.BeaconData, which indicates that MySpace appears to be tracking persons viewing MySpace pages. Not that this is unusual from a marketing point of view. But the investigator should be aware that s/he is being tracked.

In the abbreviated random example below, you can see in the bolded portions the city, state and country I am coming from, as well as my computer’s operating system and the version of Internet Explorer I was using.

MySpace.BeaconData={”dsid”:”2″,”dsv”:”1″,”rd”:”browseusers.myspace.com”,”rqs”:”",”refpg”:
“/Browse/Browse.aspx”,”rpf”:”Browse”,”d”:”www.myspace.com”,”qs”:
“friendID=2863478″,”pf”:”UserViewProfile”,”fa”:”",”pgnm”:
“/Modules/Profiles/Pages/Display/Profile.aspx”,”cip”:”1290290619″,”pc”:”en-US”,”pid”:”405384887825081977″,”pidf”:”0″,”ABtd”:”0″,”t”:
“1287086098069″,”ct”:”1287086098069″,”ci”:”Reno“,”st”:”NV“,”co”:”US“,
“dmac”:”811″,”uff”:”0″,”uatv”:”br=MSIE 8.0&os=Windows NT 6.1“,”sip”:”170659174″,”uid”:”-2″,”pggd”:
“e327762c-2571-4e8f-b47f-d5fb46a670e5″,”prid”:”2863478″,”ili”:”0″,”at”:”1″,”cfv”:”0:0:0″,”cef”:
“0″,”sliu”:”0″,”pref”:”0″,”kvp”:”bt=0

In the following abbreviated random example I used the Tor network to hide myself, and you can still see (in the bolded portions) the city, state and country the Tor exit node was located:

MySpace.BeaconData={”dsid”:”2″,”dsv”:”1″,”rd”:”",”rqs”:”",”refpg”:”",”rpf”:”",”d”:”www.myspace.com”,
“qs”:”friendID=542455573″,”pf”:”UserViewProfile”,”fa”:”",”pgnm”:
“/Modules/Profiles/Pages/Display/Profile.aspx”,”cip”:”3493170727″,”pc”:”en-US”,”pid”:”405384887825081977″,”pidf”:”0″,”ABtd”:”0″,”t”:”1287100961997″,”ct”:
“1287100961997″,”ci”:”Woodstock“,”st”:”IL“,”co”:”US“,”dmac”:”602″,”uff”:
“0″,”uatv”:”br=MSIE 8.0&os=Windows NT
6.1“,”sip”:”170663537″,”uid”:”281346014″,”pggd”:”c1834a83-d897-44a8-adfe-
93e8f959c60e”,”prid”:
“542455573″,”ili”:”0″,”at”:”2″,”cfv”:”0:0:0″,”cef”:”0″,”sliu”:”0″,”pref”:”0″,”

In this example the Tor exit node just happened to be in Illinois. From an investigative standpoint, the investigator should know what s/he is exposing to the target website.

I’ll continue to review pages and comment as I find anything interesting. If anyone else has any good tidbits about MySpace or any other social networking sites let me know in comments.

Todd Shipley is Vere Software’s president and CEO.

Tags: , , , , , ,
Posted in Investigative Techniques | No Comments »

Where’s the WebCase 30-day demo?

April 21st, 2011

3In recent weeks, we’ve gotten a number of questions about why our 30-day demo is no longer available for download, and how investigators can get to know WebCase without it.

To answer the second part first: we found that our customers had a much better experience with WebCase when they used it after a walk-through. That’s why we take you through a one-hour webinar — you can either register for one of our monthly demos, or contact us to set up a time that is convenient for you and your team.

As for the software demo itself, we’ve recently made changes to WebCase that necessitated our retooling the demo. We don’t have a firm launch date, but we’ll let you know when we do.

Meanwhile, please do register for a webinar demo (be sure it’s a WebCase demo, though we’d love to see you for our Online Investigation Series too), and be sure to ask us if you have any further questions for us!

Tags: ,
Posted in Company News, WebCase | No Comments »

« Older Entries