National Training III, on Financial Investigation


Transcript National Training III, on Financial Investigation

Cyber criminal and computer forensics
mag. Boštjan Kežmah
Certified Information Systems Auditor
Judicial expert for informatics and software
Judicial appraiser for informatics and software
Hacker's "modus operandi"
Depends on target
- Number of users without specific target
  - Collection of e-mail addresses
  - Collection of passwords
  - Unauthorized access to computer resources
- Single, targeted users
  - Information theft
  - Financial gain
Attacker will choose the weakest link
Massive attacks
Usually based on software tools
- Different types of malware
  - Viruses
    - Distributed with the help of users (e.g. infected USB keys, web pages, e-mail)
  - Worms
    - Distributed because of software flaws (e.g. defects in operating systems such as Windows, defects in user software such as browsers)
  - Trojans
    - Packaged with useful software
    - Pirate (illegal) copies of software
Single targets
Very sophisticated attacks
Collection of information
- Publicly available
  - Web (search engines, social networks)
- Garbage collection (dumpster diving)
- Eavesdropping
  - Following persons in cafes, bars, restaurants
  - Intercepting wireless traffic
- Following
  - Establishing usual routes, timings
Single targets (organisations)
Single organisation attack
- Technical scan of publicly available services
  - Test for security vulnerabilities
- Unauthorized access to wireless networks
  - Setting up evil twin wireless networks
  - Stronger signal than the official network
  - Traffic interception
- Malicious customers
  - Persuading users to use infected USB keys and similar
Single targets (users)
Single user attack
- Implementation of malware
  - Usually custom trojan horse software
- Crafting malicious e-mail
  - With malware attachment
- Spoofing domain names
  - Registering similar domain names to deceive users
- Implementing a malicious, infected website
Massive attacks using BotNets
BotNet
- A number of infected computers
  - Either of trojans, worms, viruses
  - Running the same infection
- Usually BotNets are named after the "owner"
  - Many BotNets with different owners and the same malicious code can exist at the same time
- Under control of the same C&C servers
  - C&C: Command & Control server
The case of massive infection
Mariposa botnet
- Even listed on Wikipedia!
- 8-12 million individual infected computers
- One of the largest known BotNet networks
- Shut down 23rd December 2009
Alleged author from Slovenia (Iserdo)
- Sentenced at first instance in December 2013
Worldwide investigation
- Including FBI, claiming 30 MIO USD damage in the US alone
The tools
Malware
- Malicious code (zombie)
- C&C server
- Additional tools to hide infection
  - Crypters/Packers
    - Encrypt software to hide it from antivirus tools
  - Injection
    - Process injected under another legitimate process
    - E.g. malware running under the name "IExplore" (Internet Explorer browser)
Very hard to trace the source
Hacker only creates malicious code
- Traceable only by financial transactions
  - Selling software
  - Selling upgrades
  - Selling special versions for special purposes
- Financial transactions using "anonymous" channels
  - Western Union
  - New methods: Bitcoin
Bitcoin
Open source P2P protocol
Without a central hub, distributed
List of bitcoin units maintained in a distributed list
Can transfer funds without a financial institution
Increased use
- Even for illegal transfer of funds
Seizure of evidence
Seizure
After identifying possible suspects
- Don't rush seizure!
- Be careful: it's hard to predict in advance what you will find and whether the use of special procedures and resources is necessary
- After seizure phone/internet taps are impossible!
  - Even tapping encrypted communications may be valuable evidence
  - Use communication tapping and pursuit of the suspect to collect evidence
- Gather evidence about wireless networks near the suspect's premises even before seizure!
When you get to the source
Seizure of computer equipment
- Create forensic copy of LIVE equipment
  - Computer memory
    - Entering premises by force
    - Securing equipment
- Back at the lab: create forensic copy of data from data media
- Forensic copy investigation
Keeping equipment alive
Ask a professional what to do:
- Which devices should be kept on-line
- Which devices should be disconnected from the network immediately
Even professionals will sometimes have to rely on a "professional guess"
Keeping equipment alive
If the situation permits:
- Keep screensavers from locking the computer
  - Use a special mouse to simulate moves to prevent the auto-locking timeout
    - Or do it by hand
- Make forensic copies of memory of active devices
  - If it cannot be done on-site
    - Pull out the wall socket
    - Connect UPS
Forensic procedure
Move people away from any computers and power supplies
- Learn from our past mistakes
- Suspects may use
  - Emergency shutdown buttons
  - Extension cords connected to all computers
    - A single cable plug may turn off all equipment
  - Other innovations of suspects
    - Even water may switch off the FID (residual current) switch or the main fuse for the whole premises
Forensic procedure
Photograph and video the scene
Allow printers to finish printing
DO NOT switch on or turn off computers
- When turned on: check the box, not only the monitor
DO NOT open equipment
- Laptops may power up when opened
Forensic procedure
If laptops are completely turned off (not on stand-by!)
- Remove the battery
Unplug devices and the network from computers that are turned off
- May be accessed remotely
- Label all devices and cables for later reconstruction
Forensic procedure
Label and sign all equipment
- Seal equipment
Search the area for papers, diaries, notebooks
- Look for passwords
Make notes of all procedures in relation to computer equipment
Forensic procedure
Operational equipment
- Record (photograph, video) what is on screen
- Do not touch the keyboard or mouse
- Continue under specialist advice
- If no specialist is present, unplug the device (do not use the shutdown procedure!)
  - Memory will be lost! This cannot be undone!
- After switching off power remove other devices and connections
- Take any manuals and other equipment documentation
Transfer of evidence
Handle with care
- Put in upright position
- Avoid serious physical shocks
- Keep away from magnetic sources
  - Loudspeakers, heated seats, police radio
- Beware of static electricity
Hard drives
- Put in anti-static bags
Storage of evidence
Normal room temperature
Avoid extreme humidity
Avoid magnetic influence
- Transformers (is there one in the cellar?), antennas, radio receivers, amplifiers etc.
Aluminium fingerprint powder is harmful to computer equipment
Mobile phones
Mobile devices
- Faraday cage for communications
  - E.g. aluminium foil
    - Connect to the ground if possible
    - Will prevent the phone from communicating with the GSM network
  - Higher energy use!
  - Connect to power supply!
- How about data from environment sensors?
  - Even on-site may be too late
Evidence found on the internet
Make a supervised copy as soon as possible
- Take note of
  - Domain
  - IP address the domain resolves to
  - Use nslookup and whois on the domain: domain owner, administrator
  - Use tracert to the IP if possible
  - Note the IP address owner
- Simply put: you have to record all available information because it can change at any moment!
Evidence found on the internet
Prepare HASH and written report
- Note equipment used and procedure
Use an anonymous system to access internet resources where needed!
- Avoid detection if it could compromise further investigation
Historic evidence
Have a look at the Web archive
- Scans the internet and archives web pages periodically
  - Users cannot influence the scan period
  - Beware: anyone can request data deletion!
- When usable information exists
  - Follow the procedure for evidence found on the internet
Used e.g. in investigation of Forex frauds
Web archive – Wayback Machine
Networks
Detect available wireless networks
- Including signal strength where possible
- To be able to challenge the possibility of outdoor access later in court
Once computer equipment is disconnected
- Power down equipment, follow procedures for computers (volatile data: other equipment can have memory too!)
- Seize all network equipment
  - Routers, switches
Networks
Trace all cables to the source to identify connections
- Document the layout of the network
- Put results in the report
This was essential information in many cases!
Internet service providers (ISP)
Retention directive (EU)
- Court order
When there is no regulation
- Depends on ISP
  - Extent of data in logs
  - Time of storage
Request data as soon as possible!
- Request as much data as possible: if permitted, request a larger time period for the same customer, not just one point in time!
Cloud storage
Gmail
DropBox
Facebook
Cannot make a copy of all data
On request: court order?
Request data as soon as possible
- Usually long retention policies
Communications
How useful are communication taps?
- Most of the data is encrypted anyway
  - https (used for e.g. e-banking)
  - Skype
- Users may use communication anonymization methods/networks
  - VPN networks
  - TOR networks
- Time correlation can be very important and useful evidence
Iserdo case
Communications with buyers and users of the software
- Provided link between suspects
- Provided insight into the internal operation of the software and business
Bundestrojaner
German government malware
- Allowed by court to tap phone calls only
- Analysis revealed support for acquiring images, remote control of computers etc.
- Analysis revealed security vulnerabilities
Legal basis under consideration in Slovenia
- Many open questions
  - E.g. when the police infect your computer, is this still your data?
  - Will the evidence hold in court?
Forensic acquisition
Iserdo case
Evidence from other countries not following professional forensic standards
- Question of validity in court
Considerations
- Seizure documentation
- Forensic documentation
- Protection of evidence when exchanging between institutions/countries
Back in the lab
Never use original media for investigation
- It could get damaged and you could lose all the evidence!
Create forensic copy of data media
- Should the owner be present?
Use forensic equipment
- It can take a very long time to make a copy
Forensic copy
Specialised software or hardware
- Protect data media: static electricity!
Long procedure
- Owner/user present?
- Calculate hash before copying
- Calculate hash after copying
Copy procedure
Does the suspect have the right to attend the copy procedure?
- Any other "strange" requirements
  - Montenegro: 3 witnesses
    - Small room full of witnesses and suspects in jail
    - The procedure takes hours!
Storing forensic copy
Is the complete copy in the case file?
Media for storage
- Corruption of one bit makes the whole copy useless
- Copies on DVDs?
Local legislation (Slovenia: ZVDAGA)?
- Use of accredited software, hardware and internal rules
Questionable forensic copy sample
HASH
Is the basic technology for protecting the integrity of information
Examples
- Fiscal number, social security number
Cryptographic hash function
- More sensitive to changes in information
- MD4, SHA-1, SHA-256, SHA-512
Hash/electronic signature
Contract excerpt, original version:
…
subject of the contract is leasing of a vacant building No. 411, Parc. No. 605/1, owner John Smith, resident Unknown Street 5,
...
A simple hash of the key word "leasing" (sum of the character codes):
l 108, e 101, a 97, s 115, i 105, n 110, g 103 -> 739

Contract excerpt, altered version:
…
subject of the contract is purchase of a vacant building No. 411, Parc. No. 605/1, owner John Smith, resident Unknown Street 5,
...
The same hash of the altered key word "purchase":
p 112, u 117, r 114, c 99, h 104, a 97, s 115, e 101 -> 859
859 (altered) versus 739 (original): the hash values differ, so the change is detected.
Hash security
Free collision
- Looking for any kind of information (any data) with the same hash
- May even be an audio/video file, an image or even a number of bits without a meaning
- Possible with weak hash algorithms
Tied collision
- Looking for a document with specific content with the same hash
- Almost impossible to achieve
HASH
Sample for SHA-512
13ed241e5d2c6ba17b2bd3cdc031b772cc92bfc9ab42123e7f8183e5ee2bc3f0dc75c790e4d1c8d0afe8f4b0cf2dde70eee3e479f90d65e1dda643aad30b8430
- Large hexadecimal number (128 hex digits = 512 bits)
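The hash-before/hash-after copy procedure, the one-bit-corruption point and the contract example above, put together as an added Python example (not part of the training material). The 1 MiB "disk image" is constructed in a temporary directory, the file names are assumptions, and simple_sum_hash is the character-code sum from the contract slides, shown next to SHA-512 so the difference between a weak and a cryptographic hash is visible.

```python
"""Integrity of a forensic copy, and why a cryptographic hash is used (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """SHA-512 of a file, read in chunks so a multi-gigabyte image fits in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha512_text(text):
    """SHA-512 of a short string (for the contract-word comparison)."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def simple_sum_hash(text):
    """The non-cryptographic 'hash' from the contract slides: the sum of the
    character codes. It detects the leasing/purchase change, but any
    rearrangement of the same letters collides with the original."""
    return sum(ord(c) for c in text)


def verified_copy(src, dst):
    """Hash before copying, copy, hash after copying. Both digests belong in
    the written report together with the equipment and procedure used."""
    before = sha512_file(src)
    shutil.copyfile(src, dst)
    after = sha512_file(dst)
    return {"before": before, "after": after, "verified": before == after}


def flip_one_bit(path, offset):
    """Corrupt a single bit at a byte offset, simulating storage media damage."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        value = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([value ^ 0x01]))


def demo():
    """Run the whole procedure on a constructed 1 MiB image."""
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "evidence.img")        # assumed file names
        dst = os.path.join(workdir, "evidence_copy.img")
        with open(src, "wb") as fh:
            fh.write(os.urandom(1 << 20))                  # constructed sample image
        result = verified_copy(src, dst)
        flip_one_bit(dst, offset=12345)                    # one bit of the copy damaged
        result["damaged_copy_still_matches"] = sha512_file(dst) == result["after"]
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("copy verified:", r["verified"],
          "| after one damaged bit the hash still matches:", r["damaged_copy_still_matches"])
    print("sum hash of leasing / purchase / gleasin:",
          simple_sum_hash("leasing"), simple_sum_hash("purchase"), simple_sum_hash("gleasin"))
```

The sum hash gives 739 for "leasing" and 859 for "purchase", exactly as on the slides, but also 739 for "gleasin", which is the free collision the Hash security slide warns about; SHA-512 of the two strings differs completely, and a single flipped bit in the copy makes its digest useless as proof of integrity.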
Forensic investigation
Forensics procedures
Looking for deleted files
- File carving
File content search (documents, e-mail, compressed files, encrypted files)
Looking for usage data
- Last used files
- Time the files were changed
- Statistics
Deleted data
Deleting data does not delete it?
- File system
- Properties of the physical data store
Depending on media and number of rewrites, restore may be possible
For all devices, even mobile phones
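File carving, as named on the Forensics procedures slide, recovers files from the raw bytes of a medium by their header and footer signatures, without any help from the file system; that is why it finds data the file system has already "deleted". The following is an added Python example, not part of the training material: the JPEG/PNG signatures are real, the sample "unallocated space" is constructed, and a JPEG whose end was overwritten shows the incomplete-file case.

```python
"""Carve deleted files out of a raw image by signature (added example)."""
import hashlib

# Header and footer byte signatures (minimal set for the demo).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024  # stop looking for a footer beyond this distance


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Scan raw bytes and return the objects found, sorted by offset.
    No file system metadata is used, so deleted-but-not-overwritten files
    are found as long as their bytes are still on the medium."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end < 0:
                # Header without footer: the tail was overwritten or lies beyond max_size.
                found.append({"type": kind, "offset": start, "size": None, "complete": False})
                pos = start + len(header)
                continue
            end += len(footer)
            blob = data[start:end]
            found.append({
                "type": kind, "offset": start, "size": len(blob), "complete": True,
                "sha256": hashlib.sha256(blob).hexdigest(),  # hash of each object for the report
            })
            pos = end
    return sorted(found, key=lambda item: item["offset"])


def carve_file(path):
    """Run carve() over a forensic image on disk (read fully; fine for demo sizes)."""
    with open(path, "rb") as fh:
        return carve(fh.read())


def build_sample_image():
    """Constructed 'unallocated space': zero filler around a JPEG-shaped blob,
    a PNG-shaped blob and a JPEG whose end was overwritten (no footer)."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated = b"\xff\xd8\xff\xe1" + b"\x03" * 30
    return filler + jpeg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        print(item)
```

On the constructed image the carver reports a complete JPEG at offset 512, a complete PNG at offset 1076 and an incomplete JPEG at offset 1633; the incomplete entry is what a partly rewritten medium looks like, which is the "depending on media and number of rewrites" caveat from the slide.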
Logs
Many operating systems have system logs
- Windows, Linux
- Web servers
Can be disabled by default
Default settings may be too low
- Deleting after 14 days
- Small reserved log space
Backup
Mirroring
- Technique for business continuity
- This is not a backup!
- Mirroring will change/delete data on all locations (computers)
Backup copies
- Depend on the rotation schedule
  - Daily, weekly, monthly
Backup
Can be very important additional or supporting evidence
- Can be checked for changes
  - Compare seized data with backup data
- Can be used to prove the existence of data in the past
- Can be used to prove the time of change
Email
- Can be used as evidence: usually stored for prolonged periods
  - Seize the COMPLETE email, not just the text of the message
- Forging
  - It is very easy to forge electronic mail
- Eavesdropping
  - Messages are not encrypted by default
- Web clients
  - Gmail (Google)
  - Outlook.com (Microsoft)
Exchange of electronic messages
Sender -> ISP mail server -> Domain mail server -> Receiver mail server -> Receiver
Connections not using encryption
Email header sample
Return-Path: <[email protected]>
Received: from out-2.mail.amis.net ([212.18.32.14])
by win3.slohosting.com
with hMailServer ; Tue, 16 Apr 2013 12:32:19 +0200
Received: from in-3.mail.amis.net (in-3.mail.amis.net [IPv6:2001:15c0:ffff:f::22])
by out-2.mail.amis.net (Postfix) with ESMTP id B117C8132F;
Tue, 16 Apr 2013 12:32:13 +0200 (CEST)
Received: from in-3.mail.amis.net (localhost [127.0.0.1])
by in-3.mail.amis.net (Postfix) with ESMTP id 83A2EC94A8;
Tue, 16 Apr 2013 12:32:13 +0200 (CEST)
Received: from in-3.mail.amis.net ([127.0.0.1])
by in-3.mail.amis.net (in-3.mail.amis.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id vtdk4DX4__HF; Tue, 16 Apr 2013 12:32:10 +0200 (CEST)
Received: from smtp1.amis.net (smtp1.amis.net [IPv6:2001:15c0:ffff:f::41])
by in-3.mail.amis.net (Postfix) with ESMTP id CD322C948B;
Tue, 16 Apr 2013 12:32:09 +0200 (CEST)
Received: from uporabni26db9f (cpe-92-37-118-18.dynamic.amis.net [92.37.118.18])
by smtp1.amis.net (Postfix) with SMTP id 67F11C2DDD;
Tue, 16 Apr 2013 12:32:07 +0200 (CEST)
Message-ID: <19B46BFEAF574DD6B7765259A1FF19D3@uporabni26db9f>
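How the relay path is reconstructed from the Received: headers of a message like the sample above, as an added Python example (not part of the training material). The Received lines are the sample from the slide; the Return-Path, Subject and body are constructed placeholders, and the function names are mine. Each relay prepends its own Received: line, so the lowest one is the first hop; only the lines written by relays you trust are reliable, everything below them can be forged, which is the forging point of the Email slide.

```python
"""Reconstruct an e-mail's relay path from its Received: headers (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received chain from the training slide; Return-Path, Subject and body are
# constructed placeholders. Continuation lines are indented as in a real header.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.invalid>
Received: from out-2.mail.amis.net ([212.18.32.14])
    by win3.slohosting.com
    with hMailServer ; Tue, 16 Apr 2013 12:32:19 +0200
Received: from in-3.mail.amis.net (in-3.mail.amis.net [IPv6:2001:15c0:ffff:f::22])
    by out-2.mail.amis.net (Postfix) with ESMTP id B117C8132F;
    Tue, 16 Apr 2013 12:32:13 +0200 (CEST)
Received: from in-3.mail.amis.net (localhost [127.0.0.1])
    by in-3.mail.amis.net (Postfix) with ESMTP id 83A2EC94A8;
    Tue, 16 Apr 2013 12:32:13 +0200 (CEST)
Received: from in-3.mail.amis.net ([127.0.0.1])
    by in-3.mail.amis.net (in-3.mail.amis.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id vtdk4DX4__HF; Tue, 16 Apr 2013 12:32:10 +0200 (CEST)
Received: from smtp1.amis.net (smtp1.amis.net [IPv6:2001:15c0:ffff:f::41])
    by in-3.mail.amis.net (Postfix) with ESMTP id CD322C948B;
    Tue, 16 Apr 2013 12:32:09 +0200 (CEST)
Received: from uporabni26db9f (cpe-92-37-118-18.dynamic.amis.net [92.37.118.18])
    by smtp1.amis.net (Postfix) with SMTP id 67F11C2DDD;
    Tue, 16 Apr 2013 12:32:07 +0200 (CEST)
Message-ID: <19B46BFEAF574DD6B7765259A1FF19D3@uporabni26db9f>
Subject: constructed sample

(constructed body)
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<seen>[^)]*)\))?"     # what the receiving server actually saw
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Split one Received: value into HELO name, observed IP, receiving host, timestamp."""
    flat = " ".join(value.split())
    match = HOP_RE.search(flat)
    if not match:
        return None
    ip_match = IP_RE.search(match.group("seen") or "")
    stamp = flat.rsplit(";", 1)[1] if ";" in flat else ""
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()  # drop comments such as (CEST)
    return {
        "helo": match.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": match.group("by"),
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def relay_path(raw_message):
    """Hops in transmission order: the header lowest in the message is the first hop."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def originating_ip(raw_message):
    """Address of the first hop as recorded by the first relay that accepted the message."""
    path = relay_path(raw_message)
    return path[0]["ip"] if path else None


def timing_anomalies(path):
    """Indices of hops stamped earlier than the hop before them: a sign of a
    forged header or a badly set clock, worth noting in the report."""
    return [i for i in range(1, len(path))
            if path[i]["time"] and path[i - 1]["time"] and path[i]["time"] < path[i - 1]["time"]]


def transit_seconds(path):
    """Seconds between the first and the last timestamp in the path."""
    return (path[-1]["time"] - path[0]["time"]).total_seconds()


if __name__ == "__main__":
    for hop in relay_path(SAMPLE_MESSAGE):
        print(hop["time"], hop["helo"], hop["ip"], "->", hop["by"])
    print("origin:", originating_ip(SAMPLE_MESSAGE))
```

For the sample the path has six hops, starts at 92.37.118.18 (the dynamic customer address from the slide) at 12:32:07 and ends at win3.slohosting.com at 12:32:19, with no timestamp going backwards; that address is then the starting point for the ISP request described on the IP address slides.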
Surfing
Every browser maintains browsing history
- Cache
- Filled-in forms
- Passwords
- Cookies
  - Pieces of data about a user
Some web pages or files may be downloaded automatically!
- Child pornography?
Encryption
Operating systems
- Microsoft BitLocker
Software solutions
- TrueCrypt
All solutions are sensitive to memory attacks: COMPUTER TURNED ON
Hardware solutions
- Portable media
Encrypted files
TrueCrypt
- Popular open-source encryption tool
- Excellent encryption algorithms
  - Impossible to break with reasonable resources in reasonable time
- Statistical tests may show the presence of an encrypted file
- Double encrypted containers exist
  - Encrypted file inside encrypted file
  - Used for plausible deniability
  - Suspect may reveal the first password but not the second
Iserdo case
Reasonable suspicion of the existence of an encrypted file inside an encrypted file
- Password never revealed
Was the encrypted container open at the time of seizure?
- Maybe the password was in computer memory
Without a copy of the memory it is close to impossible to recover the password
Source code
Is software in readable form
- As written by the developer
- Easy to understand for investigators: what are the functions of the malicious code?
Computers can only run "executable code"
- Significantly less readable than source code
Executable code can be made from source code
- It is impossible to recover source code from executable code
Source code
Whoever has the code is able to produce "executable code" and change the behavior of the software
Iserdo case: was the source code in the encrypted container that could not be opened?
IP as evidence
IP Address
Is the number of a computer on a network: the computer's address
- 192.168.1.1
Granted by ICANN
Internal/external address
- Insufficient IP address space
- Even large users have one external IP address
- Do they keep track of the mapping of internal addresses to external addresses?
Dynamic or static?
Business users usually use a static address
- Does not change over time
Individuals usually use a dynamic address
- Can change with each connection
- Can change over time
- Providers have mapping logs
- Providers have a list of IP users
  - Retention policy?
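The mapping-log lookup that the two IP address slides describe, as an added Python example (not part of the training material): a public address seen in a server log is attributed to the subscriber who held it at that moment. The ISP export format, the subscriber identifiers and the addresses (documentation ranges) are constructed; it assumes the export carries UTC offsets. It also handles the shared-address case from the previous slide (one external address for many users, told apart only by port range), and it refuses a timestamp without a time zone, because reading a UTC server log as local time is the easiest way to name the wrong customer.

```python
"""Attribute a public IP address seen in a log to an ISP subscriber (added example)."""
import csv
import io
from datetime import datetime, timezone, timedelta

# Constructed ISP mapping log (CSV). Times carry their UTC offset. Empty port
# columns mean the subscriber had the whole address; a port range means the
# address was shared (NAT) and only the source port tells subscribers apart.
MAPPING_LOG = """\
start,end,public_ip,port_lo,port_hi,subscriber
2013-04-16T08:00:00+02:00,2013-04-16T11:59:59+02:00,198.51.100.18,,,SUB-0417
2013-04-16T12:00:00+02:00,2013-04-16T18:30:00+02:00,198.51.100.18,,,SUB-0932
2013-04-16T00:00:00+02:00,2013-04-17T00:00:00+02:00,203.0.113.5,1024,32767,SUB-1101
2013-04-16T00:00:00+02:00,2013-04-17T00:00:00+02:00,203.0.113.5,32768,65535,SUB-1102
"""


def load_mappings(text):
    """Parse the CSV export into rows with timezone-aware datetimes."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(r["start"]),
            "end": datetime.fromisoformat(r["end"]),
            "ip": r["public_ip"],
            "port_lo": int(r["port_lo"]) if r["port_lo"] else None,
            "port_hi": int(r["port_hi"]) if r["port_hi"] else None,
            "subscriber": r["subscriber"],
        })
    return rows


def parse_event_time(text):
    """Parse a server-log timestamp such as '2013-04-16 10:32:07 UTC'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_local_time(text, offset_hours):
    """Parse 'YYYY-MM-DD HH:MM:SS' as wall-clock time in the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def attribute(ip, when, port=None, mappings=None):
    """Subscribers that held `ip` (and `port`, if given) at `when`.
    `when` must be timezone-aware so that it compares correctly with the
    +02:00 times in the export."""
    if when.tzinfo is None:
        raise ValueError("event time must carry a timezone")
    rows = mappings if mappings is not None else load_mappings(MAPPING_LOG)
    hits = []
    for r in rows:
        if r["ip"] != ip or not (r["start"] <= when <= r["end"]):
            continue
        if (r["port_lo"] is not None and port is not None
                and not (r["port_lo"] <= port <= r["port_hi"])):
            continue
        hits.append(r["subscriber"])
    return hits


if __name__ == "__main__":
    event = parse_event_time("2013-04-16 10:32:07 UTC")   # constructed server-log time
    print("198.51.100.18 at", event, "->", attribute("198.51.100.18", event))
    print("203.0.113.5 without port ->", attribute("203.0.113.5", event))
    print("203.0.113.5 with port 40000 ->", attribute("203.0.113.5", event, port=40000))
```

With the constructed data the UTC event maps to SUB-0932; the same digits read as local time (+02:00) would land in the earlier lease and name SUB-0417, which is why the request to the ISP should state the time zone and, as the slide says, cover a larger time period rather than one point in time. The shared address returns two candidates unless the source port from the server log is available.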
Proxy
Hides the real address of the user
Legal
- Content filters (child protection)
- Cache: improving download speed
Illegal
- Infected computers
- Set up intentionally
TOR
Anonymity network
- Forward-only encryption prohibiting tracing of the source IP
Sensitive to traffic correlation when listening at both ends of the connection (server and client)
Who is the original user of the IP?
(Diagram: a connection relayed through several cities, Ljubljana, Maribor, Niš, Zagreb, Teslić and Skopje, with the hops numbered 1, 2, 3)
The case of e-banking fraud
Suspect extensively used VPN and the TOR network to cover the trails
The only connection left is his ownership of the domain
- Malware is only usable for the owner of the domain
- It would be much easier if internet tapping data existed
DNS spoofing
(Diagram: the user asks "address www.bank.com?"; the DNS server forwards the question to the top DNS server, whose legitimate answer is 1.1.1.1; the attacker answers the same question with 2.2.2.2, leaving the DNS server with "2.2.2.2 ?")
Malware is useless without DNS
BotNets need DNS
- Zombies need to know where to find the C&C server
- Whoever controls the server controls the BotNet
- Useless in the Iserdo case: only selling malware
- Very high value in the latest e-banking case
  - Only one IP was accessing the DNS servers
Practical use
Latest case in Slovenia
- About 2 MIO EUR of damage
- 50 businesses
- Funds withdrawn from electronic bank
Local DNS spoofing used to deny the user access to the electronic bank
Practical use
Latest case in Slovenia
- DNS manipulation used to prevent users from using electronic banking
  - Buying more time to withdraw the money
  - All other internet activities are working
- There was not a single user who would immediately call the bank or notify his computer support
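The local DNS manipulation in the case above can be done in more than one way; as an added Python example (not part of the training material) here is a check for one of them, assuming the victim's hosts file was used. The bank's host names, the authoritative addresses and the sample hosts file are all constructed. It reports every hosts entry for a monitored name and classifies it: an unspecified or loopback address blackholes the name (the user simply cannot reach e-banking, while everything else keeps working, as on the slide), any other address sends the user somewhere and is compared with the address the bank's DNS really returns.

```python
"""Spot local DNS spoofing through the hosts file (added example)."""
import ipaddress

# Constructed names of the bank the victims were trying to reach.
MONITORED = {"ebank.example-bank.si", "www.example-bank.si"}
# Constructed authoritative answers (what the bank's DNS really returns),
# obtained separately from a clean system and recorded in the report.
AUTHORITATIVE = {
    "ebank.example-bank.si": {"203.0.113.9"},
    "www.example-bank.si": {"203.0.113.9"},
}
# Constructed hosts file as it might be found on a victim's machine
# (Windows: C:\Windows\System32\drivers\etc\hosts, Unix: /etc/hosts).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.local
0.0.0.0         ebank.example-bank.si
203.0.113.9     www.example-bank.si
10.0.0.5        www.example-bank.si
"""


def parse_hosts(text):
    """Return (line_number, hostname, address) for every valid hosts entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        addr_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue                            # malformed line, ignored by the resolver too
        for name in names:
            entries.append((lineno, name.lower(), addr))
    return entries


def effect(addr):
    """Unspecified/loopback addresses make the name unreachable (denial of
    access); anything else sends the user to that host (possible fake site)."""
    return "blackhole" if addr.is_unspecified or addr.is_loopback else "redirect"


def find_overrides(hosts_text, monitored=MONITORED, authoritative=AUTHORITATIVE):
    """Every hosts entry for a monitored name, with its effect and whether the
    address matches the authoritative answer. Banks do not ask users to edit
    the hosts file, so any such entry deserves a closer look."""
    findings = []
    for lineno, name, addr in parse_hosts(hosts_text):
        if name not in monitored:
            continue
        findings.append({
            "line": lineno,
            "name": name,
            "address": str(addr),
            "effect": effect(addr),
            "matches_authoritative": str(addr) in authoritative.get(name, set()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(finding)
```

On the constructed file the check reports three entries: line 5 blackholes the e-banking name, line 6 points www at the genuine address (still an override, and the resolver will use whichever entry comes first), and line 7 sends www to an address the bank's DNS never returned.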
Practical use
Latest case in Slovenia
- Another connection is the money mules
  - Money laundering is the most critical and sensitive part of the whole operation
Very high commissions for money laundering
- Hacker may get as little as 20%!
Responsibility avoidance
Suspect: My computer is infected
Owner does not have full control over the computer
- Effect of infection on evidence
- Is this really the suspect's data?
Who is to blame for the infection?
- Should you protect your equipment?
Suspect: My wireless is not secure
Owner does not have full control over the usage of his IP address
- Effect of unauthorized usage of the wireless network
- Is this really the suspect's data?
Who is to blame for the open network?
- Should you protect your wifi network?
- An unprotected wifi network is an offense in Germany
Suspect: I am not the only user
Multi tenancy
Families
Who is the person that was using the computer?
- Reliance on indirect evidence
  - Content of files
  - Times of files: was the person at home when the files changed?
Discussion
[email protected]