Archive for July, 2011

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

Monday, July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…


Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market


In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing


To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin


Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:



Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:


Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Tor and its use during online investigations

Monday, July 18th, 2011

When investigating crimes on the Internet the investigator needs to consider how much information that he presents to servers and webpages that he may be investigating.  Hiding oneself on the Internet used to be the purview of hackers. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. Proxies act as just that a “Proxy” or a go between. It’s a computer that acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “Proxy”.

Another significant tool in the “I need to hide on the Internet” world is the venerable tool “Tor”. Tor (The Onion Router) was developed from a concept originally written about by the U.S. Navy. According to the Tor website,  “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now that it has been in the past. This is due to the increase in most users Internet bandwidth, the constant upgrading and improving of the Tor software and it easy integration into the popular browsers. So how does the investigator implement Tor during his investigations? Well the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses what kind of browser we are using and its version. We can use Tor to prevent a suspect webpage from identifying us.

Let’s take a look at how to install and implement Tor so we can us it during our investigations. Installation for Tor is pretty starting forward now. Go to the Tor project website and download the current “Vidalia” (like the onion) Windows installer. Click on the executable file and the project installs. The trick to using Tor is setting the proxy setting in your browser to use the Tor network. Your browser normally makes a call out through your Internet Service to servers on the Internet. These servers easily identify who you are by your Internet Protocol (IP) address so they can communicate back with you.  This exposure of your IP address is what can tell the bad guy who you are and possible who where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website).

So once Tor is installed your next actions are to set up your browser to use the Tor network as its proxy (proxy being a server acting as your entry point to the Internet and in this hiding your real IP address). Using Windows Internet Explorer version 8 go to Tools|Internet Options|

Changing Internet Explorer Settings

Changing Settings in Internet Explorer

 The select “Connections” and click on “LAN Settings”.

Image 2 -Tor IE LAN settings

IE LAN Settings


IE LAN Settings Address and Port IE LAN Settings Address and Port

In the Local Area Network (LAN) Settings box you need to click on the box “Use a Proxy server for your LAN” in the address box add and add in the Port box 8118. Click OK twice to exit and you are now able to use the Tor network.  You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box. This will then return you to your normal web access.

The Tor Project has a page you can go to that will verify that you are using the Tor Network or you can go to one of the websites on the Internet that grabs your IP address like

In the Windows taskbar a little Onion symbol when opened will show you the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network  and can change the IP address you are coming from by clicking on the “Use new identify” button.

Tor Control Panel

Control Panel

Once connected click on the setting button in the control panel. For our investigative purposes click on “Run as client only”.  This will ensure that other users of the network are not using your system as a relay server on the network (Tor data would actually be passing through your computer). 

Tor Settings Tor Settings

To see the other computers, and their description, on the Tor system click on the “View the Network” button.

We are no ready to go online and start our investigation without being identified.

Things to note here, the online application being used by the tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.

Other things to consider in your Browser set up that need to be turned off.  Turn off running scripts, ActiveX and cookies. Also block pop-ups. But “I can’t access all the good content on the Internet”. Correct you can’t but then the end user can’t identify you either. Each of these features enhance our web surfing experience, but they also require code be downloaded through your browser and run on your machine. This can allow for the code to default to a port it use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want you can always relax the controls and go back and look at the site, but at least you are aware then of the risks and make that decision based on the investigation.

Using WebCase with Tor requires just installing Tor as described above. WebCase collects web –based evidence through Internet Explorer even when piped through the Tor Proxy. The collection times will be extended because of the way Tor functions and has nothing to do with WebCase.

A Cyber-Investigator’s Introduction to IPv6

Wednesday, July 13th, 2011

This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.

There’s no place like home.
There’s no place like (IPv4 version)
There’s no place like ::1. (IPv6 version)


The widely used Internet Protocol (Version 4) – IPv4 – was created approximately 30 years ago and it has served us well. But it’s also showing its age. Back in the early 1980s, it was almost impossible to anticipate the growth in the demand for IP addresses. Now we are running out of IPv4 addresses (”IPv4 address exhaustion”). Also various people have been seeing the need for various improvements in the Internet Protocol.

To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.

Most operating systems and systems now include IPv6 support by default. There is also the ability to tunnel IPv6 via IPv4 with Teredo, 6to4, etc. For those whose ISPs don’t provide IPv6 connections, there are services, such as Hurricane Electric Free IPv6 Tunnel Broker1, which allow people to tunnel with IPv4 to get to the service that will give them IPv6 connections.


Example of IPv6 Support in Windows 7

IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?

IPv6 vs IPv4: A Few Key Points

Without going into much detail, here are some of the key differences between IPv6 and IPv4:

Number of bits and address space.

  • IPv4 has 32 bits, allowing just over 4 billion addresses. Not even enough to give a unique address to each human being on Earth.
  • IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 252 addresses for every star in the known universe. Not likely to run out of of IPv6 addresses.

Address notation.

  • IPv4 usually uses dotted decimal notation. E.g.,
  • IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
  • The IPv6 addresses can be compacted. So the above example becomes 2001:4c0::c5ef:0:0231.
  • In a mixed IPv4/IPv6, the IPv6 32 bit address can be incorporated into an IPv4 address. E.g., 2001:04c0:: or :: (Note the switch from colon separators to dotted format.)

IP security (IPsec) is built into IPv6, the ability to cryptographically sign the packets.

There are various IPv6 tools for defense (if we know how to use them).

This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.

Security, Forensics & Investigations Issues for IPv6

As mentioned above, IPv6 has some security features. Also, some IPv6 feature might be helpful in investigations. For example, IPv6 may give the source’s MAC address in some cases. But there are security problems raised by IPv6 and the current networking environments.

The gigantic IPv6 address space means that scanning IPv6 networks with IPv4 methods where we can try each possible IP address is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even an IPv6 subnet could take over 145,000 years. So we need IPv6 methods, such as neighbour discovery, of finding systems at IPv6 addresses.

Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses and many may not properly interpret IPv6 traits. Black listing tools may miss problem addresses because they cannot associate IPv6 with IPv4 or IPv4 within IPv6 notation. It is likely that some of the analysis tools for linking data such as IP address associated with crimes might have problems once IPv6 addresses come into play. What else might trip up with IPv6?

Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore the IPv6 or tunnelling.

Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:

From Tue Nov 23 09:51:00 2010
Received: from ( [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with

Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work but not if your network connection doesn’t support IPv6. Same for traceroute and various other tools. Nslookup, dig, and whois work better. (Example of an IPv6 whois lookup via the ARIN Web site) But they are not enough for our security & forensics toolkit.

The most critical security & investigatory challenge is getting up to speed with IPv6.


IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.


IETF, RFC 2460 – Internet Protocol, Version 6 (IPv6) Specifications.
The Internet Society. Internet Issue – Ipv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinwebe, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007 [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001)]

Wikipedia entries
IPv4 address exhaustion
List of IPv6 tunnel brokers

Wireshark Wiki. Sample PCAP Captures – Ipv6 and Tunneling.

Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.

Cell phones, the Internet and common evidence issues

Wednesday, July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where there evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded our possible locations for evidence to be found – far beyond the physical crime scene. With this increase means of course more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different then what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. Likewise when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement to ensuring that victims and suspects alike get the due process they deserve.