Posts Tagged ‘online evidence’

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

Monday, July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anit-forensics.com. The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market

 

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing

 

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin

 

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

How important are date/time stamps to online investigations?

Thursday, February 25th, 2010

Recently I read a listserv posting wherein the poster described his use of the system clock to document the video evidence he was collecting. He described using the computer’s system clock as the source of the verification of the date and time, and recording with the video the system clock to show what the time is when you are recording the video.

Likewise, a WebCase user I spoke with told me that in the past, members of his unit would have to create a folder in which to keep case documents. Again, this used the system’s date/time stamping.

Date/time stamping is one of WebCase’s key features, but these two users bring up an excellent question: what, exactly, is the big deal about date/time stamping? More importantly, how can the defense challenge it in court?

Actually, it’s pretty easy to fudge a computer’s system clock. Not that an ethical investigator ever would, but the defense can introduce reasonable doubt with a simple demonstration. In Windows Vista, all it takes is a right-click on the time in the bottom right-hand corner. Then, select “Adjust Date/Time” and click on “Change date and time…”. System clock changed.

How does using WebCase prove you didn’t do this?

WebCase, when it starts, makes a system call to the National Institute of Science and Technology’s (NIST) atomic clock to obtain the correct time. It then dates and stamps all evidence collected in the current UTC (this stands for Universal Coordinated Time, or what we used to refer to as Greenwich Mean Time) time—not the system clock time.

WebCase automatically verifies the UTC and documents this in the reports users generate. This helps to ensure that any reliance on the system clock is avoided.

On the listserv, the poster went on to describe his collection process using a document program to cut and paste chats into. Again, he used the system date and time as the time stamp for the file.

Not only does WebCase negate the need to use two separate programs—video collection and document—but its date and time stamping, along with its automatic hashing function, guarantees the file integrity of any video recorded.

See it in action: download a free demo!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

A DFI News double feature

Friday, February 5th, 2010

We were pleased and honored in December when Digital Forensics Investigator (DFI) News opted to give two of Todd’s articles top billing on its site.

The articles, a two-part series, addressed whether collection of electronic evidence from the Internet is feasible. Some say no; obviously, we say yes!

In Part I, Todd drew from his 2007 white paper, “Collecting Legally Defensible Online Evidence,” to discuss the need for and development of a standard methodology for Internet evidence collection. In Part II, he addressed the application of that methodology specifically to “cloud” computing.

The cloud does present different challenges to evidence collection than do conventional Internet sources. But that doesn’t mean evidence collection from the cloud is impossible.

Read Part I here and Part II here. And please be sure to come back and tell us what you think. Do you agree? Disagree? Have you encountered the need for Internet evidence collection methodology… or investigative issues specific to the cloud? Comments are open!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

MySpace Investigations Basics: Some Background

Tuesday, November 3rd, 2009

A senior detective in Corona (California), Frank Zellers first realized the power of MySpace evidence during a 2006 homicide investigation. The suspect had a MySpace page, and not only were investigators able to recover current photos and intelligence from the site’s internal messaging system, they were also able to identify his location.

“Under a court order, MySpace provided us with the suspect’s IP address and subscriber ID, which we were then able to tie to his physical address,” says Zellers. “We watched him log in at 1 a.m., and we had him in custody nine hours later.”

That experience led Zellers to create an investigations course around MySpace, one that was designed not for task force members or computer forensic examiners, but for “novice” investigators. “For our basic class, we set up accounts to show the site’s internal functionality,” he says. “We show the students things like determining whether an image was uploaded to the site, or is embedded from another site. That helps them figure out where to serve search warrants.”

The “MySpace Investigations Basics” webinar grew out of that course. Zellers will discuss the site’s functionality, different ways to find different kinds of evidence, and how to save it, along with how advanced searches via Google and Yahoo figure into an investigation.

He’ll also cover how investigation of a MySpace page translates into investigation of other sites. “vBulletin forum software is very prevalent among the more obscure social networks,” he explains, “like the bulletin boards that host communities of online gamers, hard-core rappers, and others.”

That’s because many social networks retain the same general features which MySpace pioneered, including profile pages, comment space for friends, private messaging, and ability to share images and videos.

This varies by site—MySpace is more versatile than Facebook or Twitter—and the way the features are cataloged change, so investigators must take care to keep current with what each site does.

They should also stay up-to-date on site demographics. MySpace, with its longtime reputation for being a teen hangout, remains more popular among young people than Facebook, which is popular among older generations.

More social networks are also moving toward integration. MySpace, for instance, has partnered with Skype, a Voiceover IP application which allows both instant messaging and voice communications between members. A MySpace member can therefore IM a Skype user. (Zellers notes, however, that the chat conversation is archived on the user’s machine rather than on MySpace servers, making it a computer forensic job.)

Just because the MySpace user interface is complicated to adult eyes doesn’t mean plenty of evidence can’t be recovered and used either as intelligence, or to solve crimes—even in unexpected ways, as Zellers’ team discovered. And the continued popularity of social networking sites both new and old means investigators need to have these skills sooner rather than later.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.