Article on Dissecting NTFS Hidden Streams

NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on Alternate Data Streams in NTFS and how they can be detected.

This article discusses a “…particular feature of this file system which was designed to offer compatibility with the Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams are the Microsoft way of implementing the resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes, etc.”
Click here to read more.

Rainbow Tables Simplified (Password Cracking for Windows)

By Bhushan Shah, NII Consulting

Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to secure its passwords. Eventually, when the security issues surfaced (LMHash is quite insecure), Microsoft had to come up with NTLM, and most recently NTLM Version 2.

A hash function is a way of creating a small digital “fingerprint” from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.

The LM hash, or LAN Manager hash, is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store Windows user passwords that are less than 15 characters long.

Read the full article »

Understanding Apache and Squid Logs

By Kush Wadhwa, NII Consulting

Welcome to the world of log analysis. Log analysis plays a crucial role in intrusion detection. If the compromised system is running on a Linux platform, one of the first steps the investigator will perform is the analysis of its log files.

Linux stores the logs of different services, such as Apache logs, Squid logs, syslog and cron logs. These logs help users resolve problems and audit user actions. In this article we will talk about Apache and Squid logs, since they are closely related to each other, and we will also see how to read Apache and Squid log files.

Read the full article »
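As an added example (not code from the article above), here are small parsers for the two formats the article covers: the Apache common/combined access log and the Squid native access.log, plus a per-client count of 4xx/5xx responses, the kind of first pass an investigator makes over both. The sample lines are constructed for the example; the Squid field layout assumed is the native format (time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, type).

```python
import re
from datetime import datetime, timezone

APACHE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')

def parse_apache(line):
    """Parse one Apache common/combined log line (host ident user [time] "request" status size ...) or return None."""
    m = APACHE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    method, _, rest = rec["request"].partition(" ")
    path, _, proto = rest.rpartition(" ")
    rec.update(method=method, path=path, protocol=proto, status=int(rec["status"]),
               time=datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z"),
               size=0 if rec["size"] == "-" else int(rec["size"]))
    return rec

def parse_squid(line):
    """Parse one Squid native access.log line:
    time elapsed client result/status bytes method URL user hierarchy/peer type."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    return {"time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            "elapsed_ms": int(f[1]), "client": f[2], "result": result, "status": int(status),
            "size": int(f[4]), "method": f[5], "url": f[6], "user": f[7],
            "hierarchy": hierarchy, "peer": peer, "type": f[9]}

def client_error_counts(lines, parser):
    """Count 4xx/5xx responses per client; a burst from one client is worth a closer look."""
    counts = {}
    for rec in filter(None, map(parser, lines)):
        if rec["status"] >= 400:
            key = rec.get("host") or rec["client"]
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines (not real traffic)
APACHE_LINES = [
    '192.0.2.10 - - [10/Oct/2006:13:55:36 +0530] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2006:13:55:37 +0530] "GET /login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"']
SQUID_LINES = [
    "1160468736.123    245 192.0.2.10 TCP_MISS/200 3471 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html",
    "1160468740.017      3 192.0.2.10 TCP_DENIED/403 1234 CONNECT 203.0.113.9:443 - NONE/- text/html"]
```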

UserAssist Revisited!

By Chetan Gupta, NII Consulting

In my previous article on UserAssist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations.
Although I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.)

Here is a cool piece of code I found here that allows you to decrypt the entries.

Read the full article »

The top 100 security tools

Penetration Testing

Fyodor’s back with his top 100 security tools for 2006.

One of the most significant, but not surprising, entries is that of the Metasploit Framework at #5 on the list. Since the launch of the 2.0 series, Metasploit has become one of the most popular security tools out there. The 3.0 series is a completely overhauled and very powerful piece of software. Rewritten in Ruby and with extensive APIs, it is no longer simply a platform to develop and test exploits; it is now a platform to develop advanced security tools. Check out some cool features such as the recon modules and the sophisticated IDS/IPS evasion techniques. You can download the alpha version of the 3.0 series here.

Lacunae in privacy laws and the ubiquitous USB memory stick

K K Mookhey, NII Consulting

Two recent events bring to light how the lacunae in India’s privacy laws are now hitting where it hurts most - the bottom line. According to this report in the Economic Times, Apple and Powergen have moved their back-office operations out of India. This follows closely on the heels of the HSBC data theft scam, in which an employee in HSBC’s BPO operations siphoned off close to a quarter of a million pounds from customers. This is just the latest in a series of BPO scandals that have left the Indian ITES industry floundering for explanations and NASSCOM issuing face-saving statements.

The other story is about a spy stealing sensitive data from the National Security Council Secretariat. The data was carried out on USB drives as well as in printouts and SMSes. Apparently Rosanne Minchew, the spy in question, did this under the cover of the much-hyped Indo-US Cyber Security Forum.
The fact of the matter is that all of the suggestions being put forward - such as the establishment of a global database of BPO employees, frisking of employees, and banning cellphones and cameras in offices - are ad hoc. Nothing is likely to change until the IT Act is radically modified. And this has to be accompanied by the establishment of special courts for the quick dispensation of justice and punitive measures against violators of data privacy.

Timestomp.exe

By Chetan Gupta, NII Consulting
A supposedly nightmarish tool for the investigator community! Recently this tool was released at the Metasploit anti-forensics site and is available here.
As the website mentions, this tool can be a headache for any forensic investigator and a handy tool for anyone mischievous, since it has the ability to change all four NTFS timestamps; not only that, it has an option to change the timestamps in such a way that EnCase shows blanks.

Read the full article »

File Slack Vs RAM Slack Vs Drive Slack

by Chetan Gupta, NII Consulting

A small experiment: create a new text file, edit it using Notepad and type “Hello” in it, then save and exit the editor. Right-click the file and check its properties. Did you notice the two attributes “Size” and “Size on disk”? It looks something like this on my Windows XP system:

Size: 5 bytes (5 bytes)

Size on disk: 4.00 KB (4,096 bytes)

Have you ever wondered why there is this difference? If the file contents are only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, at least not for any average user of computer systems!

Read the full article »
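The gap between “Size” and “Size on disk” in the experiment above is the file slack, which splits into RAM slack and drive slack. As an added illustration (not code from the article), this function works out all three for a given file size; it assumes 512-byte sectors, 4,096-byte clusters and data allocated in whole clusters, matching the Explorer figures quoted above.

```python
def slack_breakdown(file_size, sector_size=512, cluster_size=4096):
    """Split the unused space at the end of a file into its three slack regions.
    Assumes the data is allocated in whole clusters (as in the Explorer figures above):
      RAM slack   - rest of the last sector written, after the final data byte
      drive slack - whole sectors of the last cluster that were never written
      file slack  - RAM slack + drive slack = size on disk - file size"""
    if file_size < 0 or sector_size <= 0 or cluster_size % sector_size:
        raise ValueError("sizes must be positive and the cluster a multiple of the sector")
    size_on_disk = -(-file_size // cluster_size) * cluster_size   # round up to whole clusters
    file_slack = size_on_disk - file_size
    ram_slack = -file_size % sector_size           # 0 when the data fills its last sector exactly
    return {"size_on_disk": size_on_disk, "file_slack": file_slack,
            "ram_slack": ram_slack, "drive_slack": file_slack - ram_slack}

if __name__ == "__main__":
    # The 5-byte "Hello" file from the experiment above
    print(slack_breakdown(5))        # file slack 4091 = 507 bytes RAM slack + 3584 bytes drive slack
    # A file ending exactly on a cluster boundary has no slack at all
    print(slack_breakdown(8192))
```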

Amazing Tasklist Utility!

by Chetan Gupta, NII Consulting

I was looking for a utility which allows me to remotely access the list of running processes on a suspect machine running a Windows OS. I found this wonderful utility, which allows one not only to view the processes and their PIDs but also to filter the processes according to criteria such as username, memory usage, loaded modules, services, status of the services and even window title!

Read the full article »

XP Built-in monitoring feature

by Chetan Gupta, NII Consulting

Windows XP has a built-in feature, UserAssist, that acts as a monitoring tool and greatly aids in the forensic investigation of Windows operating systems. UserAssist records user access of specific objects on the system, such as executables, Control Panel applets, shortcut files, etc. This is stored in the registry under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Read the full article »
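The entries under the key above, and the 16 bytes of data per entry mentioned in “UserAssist Revisited!”, can be decoded as follows. This is an added example, not the code the author links to: the value name is ROT13-encoded and, on Windows XP, the data is a 4-byte session ID, a 4-byte run count stored with an offset of 5, and an 8-byte FILETIME of the last run. The sample entry is constructed for the example, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    """Inverse of from_filetime, used here only to build the constructed sample."""
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10

def decode_userassist(value_name, data):
    """Decode one Windows XP UserAssist entry.
    The value name is ROT13-encoded; the 16 bytes of data are a 4-byte session ID,
    a 4-byte run count and an 8-byte FILETIME of the last run, all little-endian.
    XP stores the count offset by 5 (a program run once is stored as 6)."""
    if len(data) != 16:
        raise ValueError("expected 16 bytes of UserAssist data, got %d" % len(data))
    session, stored_count, ft = struct.unpack("<IIQ", data)
    return {"name": codecs.decode(value_name, "rot_13"),
            "session": session,
            "run_count": max(stored_count - 5, 0),
            "last_run": from_filetime(ft) if ft else None}   # zero FILETIME: no time recorded

# Constructed sample entry: ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe",
# run 3 times (stored as 8), last run 2006-10-10 13:55:36 UTC
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\abgrcnq.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 0, 3 + 5,
                          to_filetime(datetime(2006, 10, 10, 13, 55, 36, tzinfo=timezone.utc)))

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```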
