ID Theft: It’s Not Just For Credit Cards Anymore

March 10, 2010

George Jenkins, the writer of the “I’ve Been Mugged” blog (http://ivebeenmugged.typepad.com), writes about a recently released survey on medical identity theft.  While this has been going on for a while (I had my first case involving electronic MedID theft 8 years ago), it serves as an excellent proactive warning:  THINK about any and all information systems that you give your ID to and QUESTION the flow of information.  We are not living in an age where blind trust/acceptance is acceptable.

The study was performed by the Ponemon Institute and sponsored by Experian.  One of the privacy analysts at Ponemon was quoted (emphasis added):

“The two results that stood out to me were the more than $20,000 average cost to consumers who suffered ID/credit fraud as a result of a medical data breach, as well as the potential for physical harm to those who have their medical records ‘polluted’ due to healthcare fraud,” says Mike Spinney, a senior privacy analyst at Ponemon Institute.

The residual issue of “physical harm” due to a corruption of medical records gives plenty to ponder – especially given the efforts to aggregate medical records in an electronic environment.  Also particularly interesting is the number of people that were aware they had a problem and did not report it.  I wonder about the psychology of that.

By the way – George is an excellently informed writer on these types of stories, and his blog is definitely worth a follow.

George Jenkins’ Link:

Survey: 5.8% Of US Adults Have Been Medical Identity Theft Victims


Please Disseminate:  Abused Women and Electronic Trace Information (in memory of Sandy B)

February 12, 2010

As many of you know, I recently had a case that ended tragically in a murder/suicide.

My client was an incredible woman who was trying to escape an abusive situation.  She had already fled her home and was working with a safe house.

It is my opinion that her husband used a specific electronic method to obtain information and identify her location.  He then followed her and waited until she came out of a store, ran her down with his vehicle and then took his own life.

Since this occurred I have spoken with a few safe house organizations and have come to realize that, while there is a marked increase in the use of electronic means to track an abused spouse, there is not a corresponding level of information on how to “Cut The Electronic Cord”.

In a recent Houston Chronicle article (Mary Flood, “Till Texts Do Us Part”, Houston Chronicle, Front Page, 12/17/2009) I covered with Ms. Flood a few of the areas that can be abused on cell phones and mobile devices.  While the article was helpful to a number of people, for some of them it was helpful in a way we had not intended — they were planning to use the information to further their own nefarious ends.

Realizing all of this, I have developed a web seminar that I will offer free to safe house organizations, divorce and family attorneys and abused women to attempt to share my knowledge base in the area of cutting electronic trails.  The webinar is entitled “Cutting the Electronic Cord: Managing Electronic Trace Information” and runs approximately 30 minutes.  I will provide the web seminar facility, call in number, and other resources to make this available.  There will also be a facility to handle live questions.

The seminar is NOT a marketing ploy and there will be absolutely NO commercialization or pitching of any products.

I have chosen my cause – and this is it.

If you are a family attorney or safe house organization you may contact me and schedule the webinar on your timetable.  Please be ready with at least three dates and times so that we can correlate calendars more efficiently.

Going forward, I invite attorneys, safe house organizations and abused women to contact me free of charge for consultation.  I will supply safe house organizations with my direct cell phone number for emergency events regarding questions related to electronic tracking means.

I am asking my business contacts, Facebook and Twitter contacts to disseminate this information, as well as my contact information, to appropriate sources so that we can start an education program in earnest.

With regards,

Aaron Hughes, CISSP
Vidoc Razor, LLC
Aaron.Hughes@VidocRazor.com
713-474-2286


UCB Data Breach

August 17, 2009

I picked up the following from SC Magazine:

University College Berkeley hit by second data breach in six months

The standout here is the quote:

“…a website hacker may have had access to their social security numbers and birthdates.”

This could simply be sloppy reporting, but if it is true that someone accessed the PII via the Journalism School website then this is a fundamental architecture flaw and probably a rookie information security mistake.


Forensics Beyond the Hard Drive: Kindle 2 Logging

June 26, 2009

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2, if you do and mess your device up you have no one to blame but yourself.  These steps worked great for me, you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type: `help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: `log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach it to your system you will find a folder called “611” and a log named in the format YYYY.MM.DD.HH (hour in military time).  Open that log and scroll to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (i.e., hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu” > “Settings”, then hit “Menu” > “Restart”.
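As an added example (not from the post or the Kindle hacking blogs), here is a small parser that walks a captured “611” folder, pulls the 1xRTT coordinates from each hourly file and flags the hours where the Kindle was asleep and logged nothing. The YYYY.MM.DD.HH filenames and the 1xRTT Latitude/Longitude entries come from the post; the indented key/value layout and the sample file contents are assumed and constructed.

```python
"""Coarse movement timeline from Kindle 2 '611' hourly logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample of a '611' folder: filename -> contents. The post says only
# that files are named YYYY.MM.DD.HH and carry a '1xRTT' section with 'Latitude'
# and 'Longitude'; the indented key/value layout is assumed here.
SAMPLE_LOGS = {
    "2009.06.25.14": ("Battery\n  Level: 92\n"
                      "1xRTT\n  Tower: 0x1A2B\n  Latitude: 29.7604\n  Longitude: -95.3698\n"),
    "2009.06.25.15": "1xRTT\n  Latitude: 29.7499\n  Longitude: -95.3584\nBattery\n  Level: 90\n",
    # Hours 16-18 absent: the device was asleep, so nothing was logged.
    "2009.06.25.19": "1xRTT\n  Latitude: 29.5600\n  Longitude: -95.2800\n",
    "notes.txt": "not a 611 log",  # skipped by the filename check
}

FILENAME_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})$")

def parse_log_hour(name):
    """Map a YYYY.MM.DD.HH filename to a datetime, or None if it does not fit."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    year, month, day, hour = (int(g) for g in m.groups())
    return datetime(year, month, day, hour)

def extract_1xrtt_coords(text):
    """Return (lat, lon) from the 1xRTT section, or None if the section or a
    coordinate is missing. Un-indented lines start a new section."""
    lat = lon = None
    in_section = False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            in_section = line.strip() == "1xRTT"
            continue
        if in_section:
            key, _, value = line.strip().partition(":")
            if key == "Latitude":
                lat = float(value)
            elif key == "Longitude":
                lon = float(value)
    return (lat, lon) if lat is not None and lon is not None else None

def build_timeline(logs):
    """Sorted (hour, lat, lon) fixes, plus (start, end) pairs where consecutive
    fixes are more than an hour apart, i.e. the Kindle was off or off-network."""
    fixes = []
    for name, text in logs.items():
        hour, coords = parse_log_hour(name), extract_1xrtt_coords(text)
        if hour is not None and coords is not None:
            fixes.append((hour, coords[0], coords[1]))
    fixes.sort()
    gaps = [(a[0], b[0]) for a, b in zip(fixes, fixes[1:])
            if b[0] - a[0] > timedelta(hours=1)]
    return fixes, gaps
```

Remember that each fix is the serving cell tower’s position, not a satellite GPS reading, so treat the coordinates as a neighbourhood rather than a point.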


Microsoft Powerpoint Vulnerability

April 3, 2009

IMPORTANT INFORMATION REGARDING: Microsoft PowerPoint Vulnerability

OVERVIEW:
A vulnerability has been discovered in various software versions of
Microsoft PowerPoint.  Exploitation of this vulnerability can lead to
code execution at the rights level of the logged-in user.  No patches or
workarounds have been released.

Microsoft has stated that exploit attempts have been seen in the wild,
on a limited/targeted basis.

AFFECTED VERSIONS:
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Powerpoint 2003

MITIGATING FACTORS:
As previously stated, successful exploitation limits malicious code
execution to the rights of the logged-on user.  Steps should be taken to
ensure permissions for various account types are regulated per
applicable policies.

Successful exploitation of this vulnerability requires user interaction
with the specially crafted PowerPoint file.  Users would therefore have
to click links in malicious e-mails, or otherwise be convinced to visit
websites hosting malicious PowerPoint files.  The best defense against
this is educating users on the dangers of accepting files and acting
upon links to websites provided to them via e-mail, IM, or other means
from unknown parties.

REPORTING AGENCIES:

Microsoft:

Microsoft Security Advisory (969136)


Crimes Against Children Research Center: Trends in Arrests of “Online Predators”

April 2, 2009

The Crimes Against Children Research Center has released a new report noting that the types of online sex crime offenses haven’t changed much, but the profile of the average online predator has been shifting.

I have read the actual report as well as the methodology (methodology available here, report available here) and, while I am no expert in report methodology, I cannot spot any serious flaws.  This seems to be a well thought out study that avoids the typical hysteria and FUD that is oh-so-common in this type of work.

Some notable findings:

  • Online sex crimes only account for 1% of all arrests for sex crimes committed against children and youth.
  • Most of the arrests involved solicitation of undercover officers and not actual youth.
  • The percentage of internet users ages 12-17 rose by 20% between 2000 and 2006; over the same period there was a 21% increase in arrests of offenders who solicited youth online for sex and a 381% increase in arrests of offenders who solicited undercover officers.
  • There was a significant increase in arrests of offenders between the ages of 18 and 25.

There were some distinct differences between this report’s findings and my own perceptions:

  • Most offenders were open about their motives in their online communication with youth.
  • Only 4% of those arrested (in total) were registered sex offenders.
  • The majority of contacts did not occur through social network sites (social network sites accounted for just over 30%).

For those that have kids or are involved in family law, internet crime or data forensics and investigations this is likely to be an interesting read.

Any further comments and observations would be great too!


Mac != Automatically Safe (Take It From a Mac Fan!)

April 1, 2009

I love my Macbook Pro – ask anyone who knows me.

Before you Windows users leave thinking that this is YAFBR (Yet Another Fanboy Rant) you should all know that I believe strongly in using the right tool for the job – which does not always mean using the trusty Macbook, and sometimes using MS Windows instead (lord help me, but I said it and there is no taking it back).  Sometimes it involves Linux or a BSD variant.  I love them all for different reasons.

I am concerned with the number of Tweets I saw related to Conficker this morning that stated (not an exact quote) “Thank goodness I have a Mac – it is safer than a PC…Macs never get viruses” and other sentiments that denigrated MS Windows in a sometimes more, sometimes less manner.

Before you get too happy consider the information discussed at CanSecWest last week and published by Milw0rm prior to vendor notification.  Check it out here (but come back!)

It is important to note that you are only as safe as your habits and software, Apple system or not.

I have worked a number of Apple forensics cases involving intrusion and interception of electronic communication.  In each case the firewall was turned off (the user wasn’t aware of how to control the firewall) and there was an astounding lack of logging (the user didn’t know how to control or review logs on the Apple system).

I can also tell you that the number of these types of cases is definitely on the rise.

Here is a quick test:  If your Apple (you can also insert Linux, *BSD, Windows) system was potentially compromised, how would you know?  Can you pull up, right now, failed connection attempts, firewall logs, running process logs?

If not, then take that as your sign and make sure to get yourself battle-ready.

As botnets become more and more prevalent, if you are not part of the solution you are truly a large part of the problem.


Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.”  The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open-source tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven” (the original article is here):

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have an MS-based solution then you can also try FTK Imager Lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or Perl to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS+, etc. as well as everything you need for MS documents via OpenOffice 3.0.  I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.  You can also check out BackTrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with BackTrack.

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Kwame Kilpatrick Asks Skytel for $100M

March 10, 2009

It is being reported that Mayor Kwame Kilpatrick is going after Skytel for the release of the text messages that led to the settlement of the police whistleblower lawsuit against him.

(source: The Detroit News)

It appears that the grounds for this action are the Stored Communications Act.  As a non-attorney I am guessing that this will boil down to a few factors:

  1. Was the police department involved in the production of the text messages (4th Amendment)?
  2. Was the contract with Skytel to provide messaging services, or storage/retrieval and reporting?

The Stored Communications Act does differentiate between a provider of services and a provider of storage, so the Skytel contract wording will likely make a difference.

With all of the Kwame Drama aside, this could actually be interesting for providers, contract attorneys, e-discovery and forensics folks as well.

Here is a reference to another case with similar characteristics:

Quon v. Arch Wireless


Firewire Target Mode and Other Apple Goodness

March 5, 2009

When performing information forensics on Apple platforms we have a few options for acquisition:

  • Firewire Target mode
  • BackTrack or Helix 3 (tested on Intel platforms – works great, with some caveats, though)
  • Pull the drive and do your thing!

Here is an article that describes yet another use for Firewire target mode.  It is good to be reminded of the flexibility available through some of these features:

Macworld: “Firewire target disk mode to the rescue”

While I am at it, here is some more wonderful Mac goodness:

TUAW: “Keyboard Shortcuts During Mac OSX Startup”

Somewhat related to the Firewire target mode discussion above.

Download YouTube (in HD as well) using Safari or FireFox

(Also useful for other streams).  Make sure to use the “HD” format so you can get .mp4 format in iTunes – otherwise you will need an FLV player.

Teleport: Control Multiple Macs With One Keyboard Mouse (Mac-centric Synergy-like program)

I have long used Synergy, but if you watch your logs you quickly realize that Synergy on a Mac is very “chatty”.  Teleport is a good stand-in for Mac-only control.  If you need multiple OS support, then Synergy is for you.  Here is a Synergy version that is friendlier to Macs.

Are there any “Can’t live without them” features I have left out?