The Future of Cybercrime Forensics

Cybercrime forensic investigation is a complicated science with its own history, implications and future. It is not sufficient merely to consider it a branch of criminology, or the study of cyber criminal behavior, or research into the relationship between the causes of technology-related crime and social policies. For cyber criminals, their knowledge and their crimes are bound together. The possible suspects are rich in knowledge and technical skills. They have mastered the technology better than the technology’s creators, and they know how to use technology against technology.

A multidisciplinary approach is required to fully foresee the future of cybercrime forensics. It requires a team of specialists from different disciplines within the IT industry and related industrial and social segments such as telecom and law. However, in this article the author looks at the future of cybercrime forensics based on his knowledge and experience in this field.

Cybercrime Forensics for Governments

Cybercrime forensics at the governmental level will be more complicated in the future. Governments will need to turn more to their national security organisations to hunt down cyber criminals. In addition, they will need to invent anti-forensic tools and methods to keep their activities and information assets secret.

Cyberspace security and computer related technologies will be a real challenge for governments. The platforms and protocols for computer related technologies may have both domestic and international uses. Therefore, it will be difficult for governments to reach an agreement for international cyber security policies.

At the same time, some countries are the technology owners and this intellectual property ownership will give them an advantage compared to other countries without such a privilege. The technology ownership issue will force the other countries to utilise the open source platforms to develop their own customised operating systems and software.

Cybercrime Forensics for Corporates

Currently the cybercrime forensics market is dominated by a few companies. These are the pioneers in cybercrime forensics and analysis. They have the tools and the solutions for cyber forensic investigation. They train law enforcement agencies to use their tools and solutions, and some of them even have special tools just for governmental use.

There are also many small companies with one or two consultant partners who are either retired law enforcement officers or former IT professionals from Fortune 500 companies. These people use their contacts and credentials to achieve some market share. However, in the future, cybercrime forensics at the corporate level will be diversified into education and certain specialties and products. It will be difficult for small companies to build a team with the right core competencies. In addition, due to security clearance requirements and national security interests, most of these companies will only practice in their country of origin.

Furthermore, information security standards such as ISO 27001 and ITIL will be implemented more in medium to enterprise size companies. Realistically, only these companies can afford the cost of compliance implementation. Therefore, it will be necessary for them to have proper incident response procedures and the corresponding cyber forensic investigation capabilities. These companies may well have their own cyber forensic investigation units.

Cybercrime Forensics in Professional Institutions

Cybercrime forensics is a new battleground for professional institutions. Currently, there is no real internationally recognised authority to govern cybercrime forensics practices, regulations and certification. Therefore, professional institutions are offering cybercrime forensic investigation training programs, certifications and conferences. Currently, some of these institutions are forming alliances (as trade and training partners) to achieve their sales targets. In the future, it is likely that these institutions will start to attack each other to gain market share.

Cybercrime Forensics in Universities

It is sad to note that more and more often information technology advances are coming from industry rather than universities. Within IT, a few companies dominate the industry and therefore the innovations. It will be the same for cybercrime forensics; the companies with market share have the money for research and development. The main issue with academic institutions is their approach, which is slow and traditional compared to the faster speed of development and implementation found in industry.

Furthermore, the training programs in universities are not aligned with the current job market and industry needs. University students lack practical knowledge compared to the IT professionals who are in the industry (and possibly without academic studies). This is the major reason why students choose further training to achieve professional certification and so distinguish themselves from other graduates.

Cybercrime Forensics in the Media

There will be more magazines, websites and blogs specialising in cybercrime forensics and analysis. They will be the voice of the industry with the power to review, promote and criticise books, products, solutions and training programs. They will sell advertising and help vendors sell their products. Whoever has more marketing budget and better relations will be the most successful in the cybercrime forensics industry. Nevertheless, there will be one or two magazines and websites that will remain independent, but they will find it difficult to survive in such a tough market.

Cybercrime Forensics and Technical Trends

The market will be divided into four main segments with specialised service providers for each segment. The segments are: Microsoft Windows related products, UNIX & Linux related products, Apple related products and computer network & telecom related products.

The solution providers will create more comprehensive tools and solutions to gain better market share. They will transform their solutions into a set of tools for non-IT professionals. They will also try to make their tools web based, for remote forensic investigations.

The open source community will be active on the UNIX & Linux platforms, working to obtain the legislation required to accredit open source tools in the various countries and judicial systems.

Apple has created a giant market for those who want to develop Apple device related tools and solutions. This will be a new era for the professionals who are working in cybercrime forensics.

Cloud computing, cellular networks, WiMAX and virtualization will be the other areas of interest for study and product development. It is obvious that everything is converging on IT, and cyberspace will play an important role in the near future. This will lead governments and authorities to pursue other methods of intelligence gathering, such as web and data mining, to protect their interests.

This will lead to the biggest privacy issue in history. All the data communication, of all users, will be logged at the carrier level. Then the authorities will use data mining tools to identify suspicious behavior of a particular user or users in their own or an ally’s territory. All this information will be saved in massive databases, and then the commercial, financial and personal information, in addition to the communication records and social behaviors, will be linked together.

And this will ultimately lead to a new chapter in the history of cybercrime forensics, namely Applied Artificial Intelligence in Cybercrime Forensics.


Live Hacking V1.2 Released

I am pleased to announce an update to the Live Hacking CD. The updated Live CD contains the tools and utilities you need to test and hack your own network in the same way a malicious hacker would. New in this version are the Metasploit penetration testing framework and a range of IPv6 foot-printing tools.

The Live Hacking CD is a ‘Live CD’ meaning that it loads and runs directly from the CD and doesn’t need installing on your hard disk.

The Metasploit framework, one of the new tools included with this release, can be used to test your network using the framework’s internal database of known weaknesses and exploits. Also included in this new release of the Live Hacking CD is THC-IPV6, a set of tools to attack the inherent protocol weaknesses of IPv6 and ICMP6.

See http://LiveHacking.com for more details.


Excuse Me, There is No Private Browsing!

From my point of view, there is no privacy as long as a user is connected to the Internet or a public network. Public networks such as the Internet, PSTNs and cellular networks are part of national and international telecommunication networks. These are the channels in which information flows from one side of the world to the other along with radio and satellite communications.

Currently, the Internet is one of the best communication channels available due to its capability, speed and cost. At the same time, it is the perfect place for the criminally minded to commit crimes or operate under the radar. Because of this, the Internet is a place where the end-user needs to watch his/her activities and the law enforcement agencies need to watch the end-user. This paradox has created two market segments for software vendors, one to protect the end-user and the other to violate the end-user’s privacy.

There are many often contradictory or complementary paradigms in IT security. Tools such as anti-virus, personal firewalls and private browsing functions are common examples of end-user privacy protection. But tools and appliances such as content monitoring systems, network traffic analyzers, data aggregators and cyber forensic tools can be used to violate the end-user’s privacy.

The above mentioned tools have been built by engineers and IT practitioners. The functionality and the quality of these tools can be misjudged; it has been known for engineers to change the functionality of a tool under political pressure from governmental regulatory authorities. But the end-user, who uses these tools or functions to enhance their online security, has no idea about such influences and pressures.

A recent research report about the private browsing functionality of the common Internet browsers is a good example. Millions of users trust the privacy mode on their browser, but the report shows that none of them are functioning at 100%, and it seems that nobody can be held accountable.


Blackberry Is Not Alone

There has been a lot of recent news and many articles about Blackberry service suspensions. India, the United Arab Emirates, Kuwait and the Kingdom of Saudi Arabia are all countries with national security concerns. These countries work to defend their national security interests, as do the USA and other Western countries. It is important to respect such decisions and their requirements as long as other Western countries or technology owners reserve the right to do the same.

All Research In Motion (RIM) facilities are in Western countries, and all the communication data is sent over the Internet and the Blackberry network. Although data communications are encrypted within the Blackberry network, they can be aggregated at RIM’s facilities. Furthermore, those countries which host RIM facilities have the legal right to access RIM’s premises and cryptography algorithms for national security or regular monitoring.

Some countries, like the UAE, use Blackberry devices widely in their governmental institutions. This raises questions about access to data which has been transferred over the RIM network, especially with regard to criminal investigations and national security protection.

However the Blackberry is not alone. We should not forget other services such as the Nokia Messaging Service. This service is Nokia-hosted for Nokia devices. With one Nokia device, users can manage all their email, IM and social networking accounts. In other words, it provides services similar to that of RIM’s, but only for Nokia users.

It is obvious that if RIM is a threat to national security because of its cloud network and infrastructure, then similar services such as the Nokia Messaging Service have the same issues.


Who is really behind WikiLeaks?

WikiLeaks has very much been in the headlines for the past two weeks. Its founder, Julian Assange, has also been in the spotlight and he has been interviewed by many news agencies. He was supposed to appear in Las Vegas at an Investigative Reporters and Editors conference in the first week of July, but he canceled his scheduled speech. It is rumored that federal agencies have been talking to the conference organizer about Assange’s presence.

Julian Assange, who in 2007 published a classified video of a U.S. helicopter attack in Baghdad which killed 12 people (including two Reuters reporters), is in a mysterious cat and mouse game with the U.S. government. Julian Assange, who is Australian born, has been convicted of cybercrimes in Australia and he is a known black hat hacker with a Math & Physics degree.

In January, Wikileaks published a classified cable from the U.S. embassy in Reykjavik, Iceland. It appears to describe conversations with Reykjavik officials about the country’s economic crisis and what the United States had been asked to do.

On July 25, 2010, WikiLeaks disclosed more than 75,000 confidential files related to the war in Afghanistan. WikiLeaks gave the documents in advance to The New York Times, Germany’s Der Spiegel, and the U.K.’s Guardian newspaper, which independently confirmed their authenticity.

The Guardian called the disclosure a “devastating portrait of the failing war in Afghanistan,” saying it reveals how the U.S.-led coalition has killed hundreds of civilians in unreported incidents, Taliban attacks have risen, and NATO commanders are worrying that neighboring Pakistan and Iran are aiding the insurgency.

WikiLeaks withheld 15,000 of the approximately 92,000 documents in the archive released on Sunday, July 25, 2010, to remove the names of informants in what Julian Assange called a “harm minimization” process. However, the 75,000 documents WikiLeaks put online do provide detailed information about possible informants within Afghanistan.

On July 26, White House spokesman Robert Gibbs said it is “alarming” to find so many “top-secret documents” from the U.S. military in Afghanistan publicly available, thanks to the document-sharing site.

Pentagon spokesman Col. Dave Lapan said it could take weeks to evaluate the information that was released. Uncompressed, the files total about 100 megabytes, which is about 20 times the size of the complete works of William Shakespeare.

NBC News reported that David Lapan, deputy assistant secretary of defense for media operations, said that a preliminary review by a Pentagon team has so far not identified any documents whose release could damage national security. What’s more, Lapan said, none of the documents are classified above “secret”, meaning that the archive doesn’t contain any “top secret” documents.

The only thing that I can see in the above statements by U.S. officials is contradiction. There is room to consider the possibility of a counter intelligence program by the United States security agencies. WikiLeaks might be an intelligence honeypot trying to identify the possible security breaches within U.S. security agencies and military.

There is other evidence that could be useful in proving this theory. For instance, the released documents are mostly similar in their nature. They are from U.S. military overseas operations in Iraq and Afghanistan. In addition, the leaked documents are mostly related to U.S. foreign policy. In other words, the leaked documents have been selected carefully and released in a controlled manner, which Mr. Assange is calling the “harm minimization” process.

It is obvious that if WikiLeaks is a U.S. intelligence honeypot it must present itself as a legitimate and independent organization, which it is managing to do by operating its website outside of the U.S., combined with the huge media coverage.

In addition, the U.S. government needs to align its foreign policies and military activities, and this alignment may be triggered by the WikiLeaks document releases. The major changes at the top level of U.S. military service members in Afghanistan and the Congressional approval of the supplemental war-funding bill might be other possible reasons.

Moreover, the U.S. government has recently demonstrated that it will not tolerate anything that jeopardizes its national security. The best example is this CNET report about Blogetery.com.

CNET reported: Blogetery.com, a small blogging platform based in Toronto, was abruptly shut down on July 9 by Burst.net, its Web host, after FBI agents alleged Blogetery was home to links that led to bomb-making tips and the names of Americans targeted for assassination by al-Qaeda.

Now, I need to ask again, who is really behind WikiLeaks?


Smart Phone Spyware and Cell Phone Surveillance Tools

I have been studying cell phone related trojans and spyware since April 2010, and it is clear to me that this will become a new area of focus for information security professionals. We all use smart phones as they make our lives easier, and not just for phone calls; we are now using smart phones for almost everything.

A smart phone is a perfect all-in-one gadget; it has GPS, Internet access, email and entertainment capabilities. As such we carry them with us almost always and use them based on the occasion or need.

Smart phones vary greatly in terms of design and operating systems. This has forced the Trojan coders to create spyware programs for selected operating systems only, such as Symbian and Windows Mobile. In addition, there are many Trojans and spyware applications which only work on certain models and operating systems. The variety of mobile phone models and operating systems has, in some way, limited the distribution and infection rate of mobile phone related Trojans and spyware programs.

However, a new threat is now emerging: surveillance and spying tools which utilize cell phone networks for malicious activities. These tools have been used worldwide by security agencies and private investigators for a long time.

But now these tools are available to the public. They are easy to order online and can be delivered directly by courier to your home or office. So now, besides smart phone Trojans and spyware applications, there are new tools and devices which could be used for information gathering and reconnaissance by hackers or intruders.

In my studies I found the following product, which could be used for malicious activities:

Disclaimer: The following texts and pictures have been copied from uspy.me website.

Design Features:

This SIM device is a special system designed for audio surveillance or monitoring by providing regular mobile phone SIM services. It has a magnetized core which helps it be easily fixed on any hidden metal surface.

A unique design, small frame and sturdy construction encompass the rich SIM technology beneath its compact shell. It embeds a condenser, sensitive microphone, which can pick up any ambient sound.

Functionality

When the need comes, or an unforgettable moment occurs, just dial up the SIM number; it runs silently in any circumstance and helps you capture the needed sound of its surroundings.

Its internal battery can provide 2~3 hours of working time; with an external extra battery, it is capable of running constantly for up to 6~7 hours. It is a covert surveillance tool made for everyone.

Other features

  • Frequency: 900\1800\1900
  • Embed microphone, powerful sound receiving effect (Can receive sounds even 10 meters far away from the device)
  • 24 hours non-stop power supply
  • All GSM SIM card compatible
  • Stand-by time: 15 days

TrueCrypt version 7.0: Open Source Disk Encryption Tool

TrueCrypt version 7.0 has been released. This open source, cross-platform disk encryption tool provides disk encryption for Windows 7/Vista/XP, Mac OS X, and Linux.

According to the TrueCrypt development team, this version is a major update to the on-the-fly encryption software and includes several improvements, new features, security enhancements and bug fixes on all platforms.

Main Features:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
  • Encryption can be hardware-accelerated on modern processors.
  • Provides plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.
  • Further information regarding features of the software may be found in the documentation.

More information about TrueCrypt v 7.0 is available here:

http://www.truecrypt.org/docs/?s=version-history

TrueCrypt Download Page:

http://www.truecrypt.org/downloads


Cisco Internet Streamer Application: Directory Traversal Vulnerability

Cisco has issued a security advisory warning of a directory traversal vulnerability in the Cisco Internet Streamer application, part of the Cisco Content Delivery System.

The vulnerability is in the web server component of the Cisco Internet Streamer application and allows arbitrary file access. Intruders may be able to exploit it to read sensitive information, including password files and system logs.

The Cisco Security Advisory lists the affected products and the software update procedure.
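The class of bug described above, directory traversal in a web server's file-serving path, is easiest to understand next to the check that prevents it. The example below is an added illustration, not Cisco's code: it shows a naive path resolver beside a hardened one, and a small detector run over constructed access-log lines. The document root, the log format and all sample paths are assumptions made for the example.

```python
"""Directory traversal: naive vs. hardened path resolution, plus a log detector.

Added illustration, not code from the Cisco product or advisory. DOC_ROOT and
the log format are assumptions made for this example."""
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/streamer"  # assumed document root for the example


def naive_resolve(request_path):
    """Defective pattern: the URL path is glued onto the root as-is, so
    '../' segments walk out of the document root when the OS opens the file."""
    return DOC_ROOT + request_path


def safe_resolve(request_path):
    """Hardened pattern: decode, normalise, then confine to DOC_ROOT.
    Returns the filesystem path to serve, or None to reject (HTTP 403/404)."""
    # Decode twice so double-encoded dots (%252e%252e) do not slip through.
    decoded = unquote(unquote(request_path))
    # NUL bytes and backslashes have no business in a URL path on a POSIX host.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(DOC_ROOT)
    # Strip the leading slash so the path is joined *under* root, not replacing it.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Prefix check with a trailing separator: '/var/www/streamer2' must not pass.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # In a real server, follow this with os.path.realpath() to defeat symlinks.
    return candidate


# Tokens that indicate a traversal attempt, in raw and encoded forms.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e|\.%2e|%c0%ae)", re.IGNORECASE)

# Constructed sample log lines (common log format); not from any real device.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2010:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1423',
    '10.0.0.9 - - [01/Aug/2010:10:00:03 +0000] "GET /%2e%2e/%2e%2e/var/log/messages HTTP/1.1" 200 9911',
    '10.0.0.7 - - [01/Aug/2010:10:00:04 +0000] "GET /media/clip.mp4 HTTP/1.1" 200 80123',
]

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def find_traversal_attempts(log_lines):
    """Return (client, request_path) pairs whose path carries traversal tokens."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        client, _method, path = m.groups()
        if TRAVERSAL_RE.search(path):
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for p in ["/index.html", "/../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p:40} naive={naive_resolve(p)}  safe={safe_resolve(p)}")
    for client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

A 200 status on a traversal request in the log, as in the second and third constructed lines, is the signal that the server did not confine the path; a hardened server would answer those requests with 403 or 404.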


Suricata 1.0.0 Released: Free Intrusion Detection & Prevention System

The Open Information Security Foundation (OISF) has released Suricata version 1.0.0. This non-profit foundation was organized to build a next generation IDS/IPS engine. The OISF has formed a multi-national group of the leading software developers in the security industry. In addition to developers and a consortium consisting of leading cyber security companies, OISF has engaged the open source security community to identify current and future IDS/IPS needs and desires.

The first stable release of Suricata, the Open Source Intrusion Detection and Prevention engine is available to download from here:
http://www.openinfosecfoundation.org/download/suricata-1.0.0.tar.gz

New features:

  • Support for the tag keyword was added.
  • Support for DCERPC over UDP was added.

Improvements:

  • CUDA was fixed and its performance was improved a lot.
  • Fix short HTTP sessions sometimes not being parsed properly.
  • Duplicate signatures are now detected, the signature with the highest revision is used.
  • Uricontent inspection was improved.
  • Alert debuglog now also prints flow information, including flowbits.
  • Pattern searching was improved in general, and especially for DCE traffic.

Project Website: http://www.openinfosecfoundation.org/


Metasploit Framework 3.4.1 Released

This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts. Metasploit Framework 3.4.1 has 567 exploits and 283 auxiliary modules. In this version, more than 40 reported bugs have been fixed.

Links:
