Posts Tagged ‘WebCase’

New Book Investigating Internet Crimes Released

Saturday, February 15th, 2014

Investigating Internet Crimes:
An Introduction to Solving Crimes in Cyberspace

You can find the new book by Todd G. Shipley and Art Bowker on Amazon, and you can also follow the authors on their blog. What’s being said about the book:

Neal Ysart, Director, First August Ltd, likes Investigating Internet Crimes by Shipley and Bowker

“At last… Informed, pragmatic guidance from two highly experienced professionals who have actually spent time on the front line, not just the classroom. This book is relevant for practitioners working in both law enforcement and within business – every aspiring cyber investigator should have a copy.” Neal Ysart, Director, First August Ltd, Information and Corporate Risk Services

A forensic look at the installed IDrive backup service files

Thursday, August 16th, 2012

I didn’t intend to dissect files when I started looking at IDrive. My intent was to look at its operation and determine a method of file acquisition as a “Cloud” service. That is still an ongoing project. What I found, though, is a little disturbing from a user point of view and fantastic from a forensic point of view. I originally wrote this last year and never got it posted. When I originally looked at IDrive I found some interesting information. I thought that after a year they would have changed their methods of obscuring client information on the local machine. Alas, no. Here is what I found.

IDrive Background

On its corporate information page, IDrive identifies itself as a “service” of Pro Softnet Corporation, based in Calabasas, California. Pro Softnet has been around since 1995 providing Internet-based solutions. They have several other products, including IBackup and RemotePC.

Disturbing Findings or not so disturbing for the Forensic examiner

I downloaded the “Free” version of IDrive’s software. I wanted to test it and potentially include it in our training as a discussion item on cloud investigation issues. IDrive is unique among the “Online Backup” providers in that it offers “Free” storage of up to 5 GB of data. The other companies in this space seem to offer only a free trial period of their product. IDrive was unique enough that I thought I needed to try it.

This short blog entry is not a review of the entire installation of the software. I did not look into the registry or examine every file. I did, however, find a few things worth mentioning for the forensic examiner. I quickly and easily installed the software and uploaded some test data into their storage. I then started to poke around on my machine to identify where IDrive put its files. I did not have to go far. IDrive’s files are found on the local system hard drive under the IDrive folder in the “Program Files” folder.

In the main IDrive folder is a 128-bit key file, “rc4.key”, which I assume the client uses to communicate with the IDrive server. RC4 is almost 25 years old as an encryption scheme, but it is still in common use today. I did not examine its implementation in the product’s communication scheme any further or try to crack it.

IDrive Temp Folder

In the IDrive “Temp” folder there were two folders with similarly named files. The file “DLLOutput1.txt” contained only an IP address, 206.221.210.66 (and what appears to be a port number, 11663), which belongs to IDrive’s parent company, Pro Softnet.

The file DLLIntput1.txt similarly contained a small amount of important information. The format was:

8-16-2012 11-52-21 AM

We will discuss the username and password translation below.

LDB Folder

In the LDB folder is a file titled “IDriveLDB.IDr”. The file is an SQLite database containing the file paths of the data to be backed up.

Log Folder

Under the “Log” folder is a file named “Realtime Trace.txt”. This is a log file with connection dates and times. It recorded the backup operation to IDrive, including the IDrive user name, the data file names and paths, the start and end time of the backup, the number of files backed up and any files excluded from the backup.

Folder with local computer name

In the folder with the local computer’s name I found a file titled “Backupfile.txt”. This file contained a list of the files backed up to the IDrive server. In the same folder was another file, “BackupSet.txt”, which appeared to contain the dates and times of the backups.

IDrive\“Username”

In the IDrive user folder there is a file called “IDriveE.ini”. The contents are a little lengthier but revealing. At first glance there is the same IP address identified above, the port and much more information. Looking at the lines in the file, I realized that some encryption scheme was used. The question was, what was it? Thinking I would not easily find out which scheme was implemented, I used a program to simply try various ciphers common in obfuscation. Without much effort I revealed my passwords and my user name from the text. The obfuscation used by IDrive was a simple 2-position Caesar cipher.

Text in file / Translation:

  • user: 2-position Caesar cipher; my login user name
  • User Password=xxxxxxx: 2-position Caesar cipher; my login password
  • gpercuuyqtf=xxxxxxxx: 2-position Caesar cipher; “encpassword=mypassword”
  • Enc password=xxxxxx: 2-position Caesar cipher; my encrypted IDrive password, but only the first 6 characters of my password
  • wugtgocknkf=vqffBxgtguqhvyctg0eqo: useremailid;todd@veresoftware.com

(Real password has been removed for my security….)

These were not the only lines that used the 2-position Caesar cipher. Going through the entire file, every line not in plaintext used this same cipher to encode its data.
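To show why a fixed shift like this is obfuscation rather than encryption, here is an added example, written for this page and not taken from the post above or from IDrive/Pro Softnet. It undoes the 2-position shift on the one encoded line the post reproduces, recovers the shift from an expected key name by trying every fixed ASCII shift, and audits a constructed INI-style file for credential keys stored this way, reporting only the length of each value. It assumes the shift was applied to every character’s ASCII code, which is what makes “=” come back as “;” and “B” and “0” come back as “@” and “.” in the post’s decoded email line; the file contents, the stand-in password and the credential markers it looks for are constructed.

```python
# Added example, not code from the original post or from IDrive/Pro Softnet.
# It reverses the fixed 2-position character shift the post found in
# IDriveE.ini and audits an INI-style file for credential keys stored that way.
#
# Assumption (labelled): the shift is applied to every character's ASCII code,
# which is what turns '=' into ';', 'B' into '@' and '0' into '.' in the
# decoded email line the post reproduces. The file content below is constructed.
from typing import Optional

SHIFT = 2  # the "2 position" shift reported in the post

# Constructed INI-style content. The email line is the one encoded line the
# post reproduces; the password line is a constructed stand-in for the
# redacted one; the port line is stored in the clear.
CONSTRUCTED_INI = """\
[IDrive]
port=11663
wugtgocknkf=vqffBxgtguqhvyctg0eqo
gpercuuyqtf=UgetgvRcuu
"""

# Constructed list of substrings that mark a key as credential-like.
CREDENTIAL_MARKERS = ("user", "pass", "email")


def shift_chars(text: str, shift: int) -> str:
    """Shift every character's code point by `shift`, wrapping within 7-bit ASCII."""
    return "".join(chr((ord(c) + shift) % 128) for c in text)


def decode_line(line: str) -> str:
    """Undo the fixed shift. There is no key: decoding is just shifting back."""
    return shift_chars(line, -SHIFT)


def recover_shift(encoded: str, expected_prefix: str) -> Optional[int]:
    """Known-plaintext check: the fixed shift (if any) under which `encoded`
    starts with `expected_prefix`, such as a key name you expect in the file.
    This is the post's "try the common obfuscation ciphers" step made
    exhaustive for fixed ASCII shifts."""
    for s in range(128):
        if shift_chars(encoded, -s).startswith(expected_prefix):
            return s
    return None


def split_kv(line: str) -> Optional[tuple]:
    """Split a key/value line. '=' becomes ';' under the shift, so a decoded
    line is split on ';' when it has no '='."""
    for sep in ("=", ";"):
        if sep in line:
            key, value = line.split(sep, 1)
            return key.strip().lower(), value
    return None


def audit_ini(text: str) -> list:
    """Report every key/value line whose key, either as stored or after undoing
    the shift, looks like a credential. Only the value's length is recorded,
    never the value itself, so the audit output is safe to share."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        for storage, candidate in (("plaintext", line), ("shifted", decode_line(line))):
            kv = split_kv(candidate)
            if kv and any(m in kv[0] for m in CREDENTIAL_MARKERS):
                findings.append({"key": kv[0], "storage": storage, "value_length": len(kv[1])})
                break
    return findings


if __name__ == "__main__":
    for finding in audit_ini(CONSTRUCTED_INI):
        print(finding)
```

Run against the constructed file, the audit flags the email and password lines as credentials recoverable with no key at all, while the clear-text port line passes; that is the finding an examiner (or a vendor reviewing its own client) would want to document.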

IDriveEUsername_Folder

In reviewing a file named “SerTraceFile.txt” I found a log with more interesting information about the service and what it collects about my system. The file contained many pieces of information about the IDrive service and the local machine, including the local PC name and the NIC’s MAC address.

Conclusion

Wow. So, in looking at IDrive, the “Encrypted” backup service, I found, from a forensic point of view, some substantial failings on the local machine. Well, not failings from an investigative point of view; this is actually some great information. While writing this blog entry I made no attempt to use the file information to log in from a separate machine. Until Pro Softnet changes the IDrive local machine files, digital forensic examiners will have access to some useful information from the IDrive files.

Post script

I am sure this will be changed in a follow-on version by Pro Softnet (at least I hope so), but for the record, what I found is limited to my examination of these specific versions on a Windows 7 machine. The IDrive versions I used in this testing were 3.3.4 and 3.4.1.

Simplifying the webmail collection process

Thursday, January 13th, 2011

A recent ComputerWorld article discussed the security problems posed by webmail within organizations. In short, because webmail travels over HTTP rather than SMTP, the organization does not protect against data leakage through it the way it does for its own email system.

The reasons for this are many. In 2008, ComputerWorld ran an article that discussed ways webmail could breach even organizations with strong security. As always, the human factor can be a challenge. Well-meaning employees may use webmail to segregate business from personal email, when they are required not to conduct personal business on company accounts; employees may also use webmail to bypass overly complicated email security procedures.

At that point, even if employees’ personal webmail accounts aren’t being archived per the law, their email may become discoverable in the event of litigation. How to document the emails’ content?

In an October 2009 article for EDEN: The Electronic Data Extraction Network, Jonathan Yeh discussed various ways in which webmail could be captured for archival purposes. Among them:

  • Download the email locally using an email client with a POP or IMAP protocol. It can then be searched just like other digital evidence.
  • If these protocols cannot be used, screenshots, web page capture, or even printing.
  • Obtain data via browser artifacts.

Each of these methods is, however, complicated. Yeh goes into these issues in some detail, ending with the need to document each step of the collection process. While true that the courts accept expert testimony together with downloaded or screenshot data, there is still nothing about these collection methods to prove that the content was not manipulated in any way.

In addition, the procedures Yeh describes, along with some of the issues that the investigator must take into account, are time-consuming. Under such conditions, the margin for human error is greater, and as Yeh concludes, “The reliability of evidence can often only be gauged by the reliability of the methods used to collect it, and proper documentation can be the difference between admissibility and inadmissibility in court.”

WebCase simplifies the “screenshots and web page captures” process and, in doing so, addresses the reliability issue that Yeh brings up. That it is currently the only tool to do so should not be lost on e-discovery experts or other investigators.

Want more information? Schedule your free demo today!

By popular demand: WebCase adds new features

Friday, March 26th, 2010

WebCase users have been asking us for three things:

  • Full page capture
  • HTML, or “source,” code capture
  • 64-bit compatibility

We’re very pleased to have just released these features in WebCase 1.9, which is available now. Current WebCase users will find their efficiency improved via full page and HTML capture functions. Meanwhile, investigators who work exclusively on 64-bit systems can now take advantage of WebCase.

Full page and HTML capture

Full page capture improves efficiency, in part, with automatic scrolling. In previous WebCase versions, investigators had to scroll manually to areas of a page that were not immediately visible on the screen. Lengthy pages such as those seen on MySpace could result in numerous screenshots. Now with one click, WebCase captures an entire web page in a single JPEG graphic file.

WebCase 1.9 also introduces the ability to copy only the web page’s HTML (Hyper Text Markup Language), or underlying “source” code, to an evidence file. Some web pages are difficult to archive properly because of the embedded code, and previous versions of WebCase required several steps to archive the code. The HTML copy function allows just one step to document the source code for later review.

To see these two new features in action, watch our video here!

64-bit compatibility

64-bit systems have the performance to process more demanding applications, such as audio and video encoding, so 64-bit compatibility is important as WebCase users move to the latest in desktop computing technology.

Finally, WebCase 1.9 now also supports Windows 7 along with Vista and XP, and adds Internet Explorer 8 to its list of supported browser versions.

We’re still working on getting the demo version available, but meanwhile, please view the video (and the others we have available) — and please sign up for our next WebCase webinar on April 1st. (No April Fool’s!)

How important are date/time stamps to online investigations?

Thursday, February 25th, 2010

Recently I read a listserv posting in which the poster described using the computer’s system clock to document the video evidence he was collecting: the system clock was his source for verifying the date and time, and he recorded the clock on video to show the time at which the recording was made.

Likewise, a WebCase user I spoke with told me that in the past, members of his unit would have to create a folder in which to keep case documents. Again, this used the system’s date/time stamping.

Date/time stamping is one of WebCase’s key features, but these two users bring up an excellent question: what, exactly, is the big deal about date/time stamping? More importantly, how can the defense challenge it in court?

Actually, it’s pretty easy to fudge a computer’s system clock. Not that an ethical investigator ever would, but the defense can introduce reasonable doubt with a simple demonstration. In Windows Vista, all it takes is a right-click on the time in the bottom right-hand corner. Then, select “Adjust Date/Time” and click on “Change date and time…”. System clock changed.

How does using WebCase prove you didn’t do this?

WebCase, when it starts, makes a call to the National Institute of Standards and Technology’s (NIST) atomic clock to obtain the correct time. It then date- and time-stamps all evidence collected in the current UTC (Coordinated Universal Time, what we used to refer to as Greenwich Mean Time), not the system clock time.

WebCase automatically verifies the UTC and documents this in the reports users generate. This helps to ensure that any reliance on the system clock is avoided.

On the listserv, the poster went on to describe his collection process using a document program to cut and paste chats into. Again, he used the system date and time as the time stamp for the file.

Not only does WebCase negate the need to use two separate programs—video collection and document—but its date and time stamping, along with its automatic hashing function, guarantees the file integrity of any video recorded.
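As an added illustration of the two steps described above, taking the time from a trusted external source instead of the system clock and stamping the evidence in UTC alongside a hash, the following Python builds and parses an SNTP exchange and produces an evidence record. It is not WebCase’s code and does not come from the original post. It assumes the trusted source is reached over SNTP (RFC 4330), with time.nist.gov, a NIST-operated time service, used only as the default host name; the server reply it parses is constructed so the block runs offline, and the live query function is provided but not called.

```python
# Added example, not code from the original post or from Vere Software/WebCase.
# It shows the two steps the post attributes to WebCase: take the time from a
# trusted external source instead of the system clock, and record it in UTC
# together with a hash of the collected evidence.
#
# Assumptions (labelled): the trusted source is reached over SNTP (RFC 4330);
# time.nist.gov is a NIST-operated NTP service, used here only as the default
# host name. The reply bytes below are constructed, so the block runs offline.
import hashlib
import socket
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

NTP_UNIX_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_sntp_request() -> bytes:
    """48-byte client request: leap indicator 0, version 4, mode 3 (client)."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 3
    return bytes(packet)


def parse_sntp_transmit_time(packet: bytes) -> Optional[datetime]:
    """Return the server's transmit timestamp as an aware UTC datetime.
    Returns None when the packet is not a usable server reply: wrong length,
    not mode 4, leap indicator 3 (server clock not synchronised) or stratum 0
    (kiss-o'-death), so a bad reply can never be mistaken for trusted time."""
    if len(packet) < 48:
        return None
    leap = packet[0] >> 6
    mode = packet[0] & 0x07
    stratum = packet[1]
    if mode != 4 or leap == 3 or stratum == 0:
        return None
    seconds, fraction = struct.unpack_from(">II", packet, 40)  # transmit timestamp
    micro = (fraction * 1_000_000) >> 32
    return datetime.fromtimestamp(seconds - NTP_UNIX_OFFSET, tz=timezone.utc).replace(microsecond=micro)


def trusted_utc_now(host: str = "time.nist.gov", timeout: float = 3.0) -> Optional[datetime]:
    """Live SNTP query over UDP/123 (needs network; not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, 123))
        reply, _ = sock.recvfrom(48)
    return parse_sntp_transmit_time(reply)


def stamp_evidence(data: bytes, collected_at: datetime) -> dict:
    """Evidence record: SHA-256 of the bytes plus the trusted collection time in UTC."""
    if collected_at.tzinfo is None or collected_at.utcoffset() != timedelta(0):
        raise ValueError("collected_at must be an aware UTC datetime")
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "collected_utc": collected_at.isoformat()}


def verify_evidence(data: bytes, record: dict) -> bool:
    """Re-hash the bytes and compare with the record (integrity check)."""
    return hashlib.sha256(data).hexdigest() == record["sha256"] and len(data) == record["size"]


def constructed_server_reply(when: datetime) -> bytes:
    """Constructed stand-in for a real server response: mode 4, stratum 1,
    carrying `when` as the transmit timestamp."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 4
    packet[1] = 1
    ntp_seconds = int(when.timestamp()) + NTP_UNIX_OFFSET
    fraction = (when.microsecond << 32) // 1_000_000
    struct.pack_into(">II", packet, 40, ntp_seconds, fraction)
    return bytes(packet)


COLLECTED_AT = datetime(2010, 2, 25, 12, 0, 0, tzinfo=timezone.utc)  # constructed
CONSTRUCTED_REPLY = constructed_server_reply(COLLECTED_AT)


def demo() -> dict:
    """Offline walk-through: parse the constructed reply, refuse to proceed
    without trusted time, then stamp a constructed evidence blob."""
    trusted = parse_sntp_transmit_time(CONSTRUCTED_REPLY)
    if trusted is None:
        raise RuntimeError("no trusted time; refusing to fall back to the system clock")
    return stamp_evidence(b"constructed evidence bytes", trusted)


if __name__ == "__main__":
    print(demo())
```

A reply whose leap indicator is 3 (server not synchronised), whose mode is not 4 or whose stratum is 0 is rejected rather than used, so a failed time query never silently degrades to the system clock, which is the very weakness the post describes.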

See it in action: download a free demo!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Todd on CyberCrime 101: Episode 7

Friday, February 5th, 2010

Last month while Todd was training in New York City, he had a chance to meet Joe Garcia, a computer crimes detective we connected with on Twitter. Joe has a podcast, CyberCrime 101, about all things computer forensics and information security. After reviewing the WebCase demo, he kindly invited Todd on the show to talk.

Their focus: Todd’s background, WebCase, and being president of the International High Tech Crimes Investigators’ Association (HTCIA). Joe voiced his approval for our tutorial screencasts, as well as our webinars and 2-day training; Todd told us that WebCase now offers 64-bit support, and will soon be released in a new version that has more features.

Thanks for having Todd on the show, Joe!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Podcast: Todd talks social media, online investigations

Monday, November 30th, 2009

Canada-based podcasting service provider The Daily Splice recently started its own podcast: Law Enforcement 2.0, in which marketer Mike Waraich interviews individuals who are involved with encouraging police departments to “join the conversation” online.

Social media is, of course, beginning to figure into much more than conversation: it’s playing a role in everything from online crime to police recruiting to intelligence. Because all of this information must be verifiable, police need a standard methodology to collect it.

Which is why Mike invited Todd on the show a few weeks ago. For just about half an hour, the two discussed the following:

Defining online investigation in terms of standard methodology.

Would online investigation be less “scary” if the people conducting it knew they could do it without their veracity being called into question? Standardized process counts for a lot, so being able to date/time stamp, “digitally fingerprint” (hash), and log Internet evidence in the same way other forms of evidence are authenticated can make investigators’ jobs a lot easier.

Social media as a “neighborhood.”

Most everyone under 30 (and many over 30) are, in some ways, members of this online space. Just as in a real-world neighborhood, the number of “residents” = number of potential victims. And crimes are being committed, not just on the Web, but in other areas of the Internet which are their own communities. (Think chat rooms, instant messaging and Usenet.)

Whether law enforcement can coexist with community relations.

As long as law enforcement is an active participant in the online community, it cannot be misconstrued as “Big Brother” watching. Instead, it brings community policing concepts to the Web: like a park in a bad section of town, it will stay “bad” unless law officers go there, partner with people who live there to clean it up.

Reputation management.

What people post on the Web is there forever. Some law enforcement officers need to be made cognizant of this fact. Employers look at people’s social media profiles not just to make hiring decisions, but also to ensure their employees are maintaining the standard expected of them.

Part of maintaining that standard is not to avoid parts of the neighborhood which are not well understood or liked. Investigators who do need to understand that the “conversation” goes on without them. Not to be there for it risks missing valuable intelligence and other information.

In other words, as Todd put it, “You may not want to go into a bad neighborhood because you know bad things can happen, but you still need to be there.”

Understanding the neighborhood.

Just as a good cop takes time to learn the landscape and culture of the neighborhood s/he is responsible for, a good Internet investigator takes time to understand where people are online–and where they are moving, what they are talking about, what they are doing.

With hundreds of social sites, this can be hard to figure out much less monitor. But the more investigators learn, the more they can make online investigation part of their everyday work lives, the more efficient they will become.

The conversation wrapped up, of course, with a short discussion about WebCase and where it fits in all this. Thanks again to Mike for the interest. We hope to be able to participate in future podcasts!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.