Friday, June 24, 2011

Vishing and VoIP Forensics

The Royal Canadian Mounted Police (2006) defines vishing (or voice phishing) as “the act of leveraging a new technology called Voice over Internet Protocol (VoIP) in using the telephone system to falsely claim to be a legitimate enterprise in an attempt to scam users into disclosing personal information”. Vishing can be viewed as a natural evolution of phishing, in which con artists use email messages to glean private information such as credit cards, social insurance numbers and PIN numbers. As the general public becomes more familiar with this type of con, and as email software vendors add functionality to prevent phishing attacks, fraudsters are moving on to a technology users still trust: telephony.
Traditionally, in the world of the public switched telephone network (PSTN), spoofing Caller ID (CID) was possible (Art of Hacking, 2000) but much harder, as “each circuit on either end of the call is assigned a phone number by the phone company.” (Reardon M. 2009). Today, with the move to SIP trunks and VoIP technology, spoofing caller ID is fairly trivial. Moreover, there are legitimate ways to acquire a telephone number in any region of the world, such as Skype Online Number. According to Adam Boone (2011), “telecom security researchers over the past two years have reported a very sharp rise in attacks against unsecured VoIP systems”. As a result, phishers have access to infrastructure that can be used to launch vishing attacks, as demonstrated in the scams targeting Motorola Employees Credit Union, Qwest customers and Bank of the Cascades (Krebs B. 2008).
In most cases, a vishing attack involves calling someone using either a war dialler or a legitimate voice messaging company. When the call is answered, an automated message informs the person who answered that there is suspicious activity on either their credit card or their bank account, and asks them to call a predefined number to verify their account by entering their credit card number.
Digital forensic investigation of a vishing suspect is not a trivial matter. Since the attack is usually initiated by calling or texting (SMS) a large number of phone numbers, an investigator can look for an unusual behaviour pattern. A number of forensic tools can parse Skype artifacts, either in memory (RAM) or on an acquired image, such as Skypeex, Nir Sofer Skype Log Viewer and Belkasoft Skype Analyzer. For other software such as Asterisk, a manual review of the log file will be required. Moreover, a forensic investigator can use the foremost command to look for .wav or .mp3 files that could have been used as a recorded message. Finally, the SIP trunk service provider used by the fraudsters could provide information such as the user-id. This information can be used in a string search (srch_strings command) of acquired memory or non-volatile storage images to identify the suspected hardware.


  • 'Beware of phishing--and vishing' 2006, Nursing, 36, 12, p. 66, Academic Search Complete, EBSCOhost, viewed 24 June 2011.
  • Art of Hacking (2000), “Beating Caller ID” [online]. Available from: (accessed: June 24, 2011).
  • Boone, A 2011, 'Return of the Phone Phreakers: Business Communications Security in the Age of IP', Security: Solutions for Enterprise Security Leaders, 48, 4, pp. 50-52, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Chow, S, Gustave, C, & Vinokurov, D 2009, 'Authenticating displayed names in telephony', Bell Labs Technical Journal, 14, 1, pp. 267-282, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Krebs B. 2008, “The Anatomy of a Vishing Scam” [online]. Available from: (accessed: June 24, 2011).
  • Swarm, J 2007, 'A Closer Look at Phishing and Vishing', Community Banker, 16, 7, p. 56, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Reardon M. 2009. “Protect yourself from vishing attacks” [online]. CNET News. Available from: (accessed: June 24, 2011).
  • Royal Canadian Mounted Police (2006), “Vishing or Voice Phishing” [online]. Available from: (accessed: June 24, 2011).

Thursday, June 23, 2011

Firefox 3 Forensic Analysis

Accessing information on the Internet leaves a variety of footprints such as visited websites, viewed content, downloaded documents, etc. The forensic information can be found in single files, directories, local databases and the Windows registry. Moreover, the Windows operating system maintains in the registry a log of all local and wireless network connections (including the MAC address of the switch/router), which can further help a forensic investigation identify the physical location of the suspect (Laureate Online Education B.V., 2009) (Jonathan Risto, 2010).

According to W3School (2011), the five most used web browsers are Firefox (42%) followed by Chrome (25%) and Internet Explorer (25%), then Safari (4%) and Opera (2.4%). As such, a digital forensic investigator should be knowledgeable in all four and prepared to extract and analyse the data collected by these browsers. In most cases, browsers use a local cache to speed up access, and also store the history of visited websites, favourites, etc. In some cases (Firefox), the stored information indicates whether the suspect typed the Uniform Resource Locator (URL), which can show intent of criminal or illegal activity. Furthermore, autocomplete history and cookies can tell the forensic investigator what information was typed into websites or stored locally. In addition, the increasing use of web chats such as Yahoo! Chat and Gmail Chat provides potential access to additional information.

While Internet Explorer and Firefox traditionally stored this information in files, from Firefox version 3 the information is stored in SQLite databases. For example, bookmarks and browsing history are stored in places.sqlite, passwords are stored in key3.db and signons.sqlite, autocomplete history in formhistory.sqlite and cookies in cookies.sqlite (, n.d.). Numerous tools are available to perform forensic analysis of the information captured by Firefox, including f3e and the simple SQLite command-line utility.

To locate an SQLite 3 database, an investigator can use a signature-based search (for example with the foremost command) and look for the following hex value: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33. To confirm that an identified SQLite database file is indeed a file used by Firefox, the following signature can be used to validate it: 43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73.
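The signature search described above can be sketched as follows. This is an added example, not code from the original post: it scans a raw image for the first signature, uses the page size and page count in the SQLite header to delimit each candidate, and checks for the second signature inside it. The function names, the fallback window and the constructed sample image are assumptions made for the illustration.

```python
import os, sqlite3, struct, tempfile

# Signatures exactly as given in the text above
SQLITE_SIG = bytes.fromhex("53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33")
PLACES_SIG = bytes.fromhex("43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F "
                           "62 6F 6F 6B 6D 61 72 6B 73")
FALLBACK_WINDOW = 64 * 1024   # assumption: how far to look when no size is recorded

def carve_candidates(image):
    """Return (offset, length, has_moz_bookmarks) for each SQLite header in image."""
    hits = []
    pos = image.find(SQLITE_SIG)
    while pos != -1:
        nxt = image.find(SQLITE_SIG, pos + 1)
        header = image[pos:pos + 100]                 # the SQLite header is 100 bytes
        if len(header) == 100:
            page_size = struct.unpack(">H", header[16:18])[0]
            page_size = 65536 if page_size == 1 else page_size
            page_count = struct.unpack(">I", header[28:32])[0]
            if page_size >= 512 and page_size & (page_size - 1) == 0:
                if page_count:                        # size recorded in the header
                    length = page_size * page_count
                else:                                 # SQLite before 3.7.0 leaves it zero
                    limit = nxt if nxt != -1 else len(image)
                    length = min(FALLBACK_WINDOW, limit - pos)
                length = min(length, len(image) - pos)
                hits.append((pos, length, PLACES_SIG in image[pos:pos + length]))
        pos = nxt
    return hits

def build_sample_image():
    """Constructed input: two small SQLite files separated by zero padding."""
    blobs = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, ddl in (("other.db", "CREATE TABLE notes (body TEXT)"),
                          ("places.sqlite",
                           "CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, title TEXT)")):
            path = os.path.join(tmp, name)
            con = sqlite3.connect(path)
            con.execute(ddl)
            con.commit()
            con.close()
            with open(path, "rb") as fh:
                blobs.append(fh.read())
    pad = b"\x00" * 1000
    return pad + blobs[0] + pad + blobs[1] + pad, [len(b) for b in blobs]

if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, length, is_places in carve_candidates(image):
        print(f"offset={offset} length={length} moz_bookmarks={is_places}")
```

The reported offset and length can be passed to dd (skip and count) to extract the candidate for further analysis.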

After carving the SQLite 3 database file (using the dd or foremost commands), it can be accessed simply by using the sqlite command. All Firefox SQLite 3 files are, in essence, databases with multiple tables. For example, places.sqlite contains the following tables: moz_anno_attributes, moz_favicons, moz_keywords, moz_annos, moz_historyvisits, moz_places, moz_bookmarks, moz_inputhistory, moz_bookmarks_roots and moz_items_annos.

Since SQLite does not require authentication to work with the database, SQL statements can be used to retrieve the relevant (case-specific) information. For example, the following query retrieves the 20 most visited websites:
sqlite> SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT 20;
To retrieve all places associated with the word “drugs”:
sqlite> SELECT * FROM moz_places WHERE url LIKE '%drugs%';
Or, to display all completed downloads (, 2008):
-- moz_places.id links each place to its visits; visit_type 7 marks a download
SELECT url, visit_date
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id AND visit_type = 7
ORDER BY visit_date;
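The queries above return rev_host reversed and visit_date as a raw integer. The following added example (not from the original post) opens a working copy of places.sqlite read-only, joins places to visits, and decodes the timestamp, the visit type and the host name. The sample database is constructed and contains only the columns the query uses; the function names are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Firefox history transition codes stored in moz_historyvisits.visit_type
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def prtime_to_utc(microseconds):
    """visit_date is microseconds since the Unix epoch (PRTime)."""
    return EPOCH + timedelta(microseconds=microseconds)

def open_read_only(path):
    """Open a working copy without write access so queries cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def visit_timeline(path):
    """Return (utc_time, transition, host, url) for every visit, oldest first."""
    con = open_read_only(path)
    try:
        rows = con.execute(
            "SELECT v.visit_date, v.visit_type, p.rev_host, p.url "
            "FROM moz_places AS p JOIN moz_historyvisits AS v ON p.id = v.place_id "
            "ORDER BY v.visit_date").fetchall()
    finally:
        con.close()
    return [(prtime_to_utc(when).isoformat(),
             VISIT_TYPES.get(kind, "unknown(%s)" % kind),
             (rev_host or "")[::-1].lstrip("."),      # rev_host is stored reversed
             url) for when, kind, rev_host, url in rows]

def build_sample_places(path):
    """Constructed sample: only the columns used above, with made-up rows."""
    t0 = int(datetime(2011, 6, 23, 12, 0, tzinfo=timezone.utc).timestamp()) * 1_000_000
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, rev_host TEXT,
                                 visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://www.example.com/', 'moc.elpmaxe.www.', 2),
            (2, 'http://files.example.org/tool.zip', 'gro.elpmaxe.selif.', 1);
    """)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)",
                    [(1, 1, t0, 2), (2, 1, t0 + 60_000_000, 1),
                     (3, 2, t0 + 90_000_000, 7)])
    con.commit()
    con.close()

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "places.sqlite")
        build_sample_places(sample)
        for row in visit_timeline(sample):
            print(*row, sep="  ")
```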

Firefox Anti-forensic Features

Firefox includes a number of anti-forensic features, which can be invoked either by the suspect or automatically by Firefox itself, such as the removal of old history records after a period of 90 days. Moreover, a suspect could use the “Private Browsing” functionality or manually invoke “Clear Recent History”. In these cases, Firefox fills the space of each record with zeros, effectively wiping the data.

Regardless, although the content of the records is wiped, Pereira, M (n.d.) has demonstrated that “when searching all disk, record vestiges was found in unallocated space”, either because the underlying OS reallocated the data or because of the “rollback” journal used by the SQLite engine.


Friday, June 17, 2011

Destruction of Sensitive Information

Destruction of sensitive information has been on the agenda of many organizations and governments. As a result, numerous standards have been developed, such as U.S. Department of Defense (DoD) 5220.22-M, National Institute of Standards and Technology (NIST) 800-88 and Canada Communications Security Establishment (CSE) ITSG-06, to give IT administrators and owners guidance on protecting against information retrieval when recycling or disposing of storage media.
NIST lists four types of sanitization: disposal, clearing, purging and destroying. In most cases, disposal of the storage media is not considered a secure method of discarding media containing sensitive information. The rest of this paper reviews the defined standards for data clearing.
Clearing refers to a method of removing sensitive information that would protect the data “against a robust keyboard attack” (Richard Kissel et al., 2006). Simple deletion of files is not sufficient for clearing, as operating systems simply mark the appropriate entries in the File Allocation Table (FAT), or its equivalent in other file systems, as deleted, leaving the Data Region unchanged. As a result, the data could potentially be recovered using forensic tools. Up until 2001, the standard method of securely clearing sensitive information was overwriting the data with zeros, ones, random or predefined patterns such as the “Gutmann Method” (Peter Gutmann, 1996). For example, Communications Security Establishment (2006) defines the overwrite process as “process itself must include a minimum of three passes including 1s, 0s, and a pseudo-random pattern over the entire accessible area of the magnetic tape or disk, followed by verification of results by the human operator.”
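The three-pass overwrite quoted above can be illustrated with the following added example, which is not from the original post or from any of the cited standards. It uses a regular file as a stand-in for the media (an assumption): on a real disk the target would be the whole device, and on flash or journaling file systems an in-place file overwrite does not guarantee that the underlying blocks are replaced.

```python
import hashlib, os

CHUNK = 1024 * 1024
PASSES = (("ones", 0xFF), ("zeros", 0x00), ("pseudo-random", None))

def _write_pass(fh, size, pattern):
    """Overwrite the whole file once and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        block = os.urandom(n) if pattern is None else bytes([pattern]) * n
        fh.write(block)
        digest.update(block)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())            # push the pass out of the OS write buffers
    return digest.hexdigest()

def _read_digest(fh, size):
    """Read the file back and hash it (may be served from the OS cache)."""
    digest = hashlib.sha256()
    fh.seek(0)
    remaining = size
    while remaining:
        block = fh.read(min(CHUNK, remaining))
        if not block:
            break
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()

def overwrite_three_pass(path):
    """Run the 1s, 0s and pseudo-random passes; return [(pass_name, verified)]."""
    size = os.path.getsize(path)
    report = []
    with open(path, "r+b") as fh:
        for name, pattern in PASSES:
            written = _write_pass(fh, size, pattern)
            report.append((name, written == _read_digest(fh, size)))
    return report                    # the operator reviews this per-pass result

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "media.img")     # constructed stand-in for media
        with open(target, "wb") as fh:
            fh.write(b"constructed sensitive record\n" * 1000)
        for name, ok in overwrite_three_pass(target):
            print(f"{name:14s} verified={ok}")
```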
The intent of the overwriting process is to overcome the track-edge phenomenon, which allows recovery of the magnetic pattern residue from track boundaries using a magnetic force microscope. Using the microscope, researchers examine the relative peaks of magnetic transitions to recover the binary data. Although attacks on track edges have been documented in a laboratory environment, “it requires a very well equipped research laboratory with costly microscopy equipment and highly trained researchers with a great deal of time and patience” (Communications Security Establishment, 2006). Moreover, the data written to magnetic media has become more and more dense. According to a Seagate press release (2011), it has reached an “areal density of 625 Gigabits per square inch”, which is 310 million times the density of the first hard drive. As a result, the effort required makes recovering the data virtually impossible. Richard Kissel et al. (2006) write that “studies have shown that most of today’s media can be effectively cleared by one overwrite.”
Furthermore, since about 2001, all ATA IDE, SATA and SCSI hard drive manufacturers include support for the "Secure Erase" or “Secure Initiate” commands, which write binary zeros using internal fault detection hardware. Although the method does not precisely follow the DoD 5220.22 “three writes plus verification” specification, the University of California Magnetic Recording Research (2008) “showed that the erasure security is at the level of DoD 5220, because drives having the command also randomize user bits before storing on magnetic media”. Moreover, NIST Special Publication 800-88 classifies the “Secure Erase” command as an acceptable method of purging, equivalent to media degaussing.


Saturday, June 11, 2011

Disclosure of Evidence

When an expert witness is required to disclose evidence that can damage their client's case, the conflict of interests can be examined from two standpoints: ethical and legal obligations.
In Ontario, Canada, under the Private Security and Investigative Services Act (PSISA) 2005, all individuals who conduct “investigations to provide information on the character, actions, business, occupation, or whereabouts of a person”, including digital forensic experts, require a Private Investigation license. The act, which came into force in 2007, is a way to professionalize the industry and ensure that all practitioners are qualified to act as private investigators (PI). Investigators are required to be familiar with criminal and civil legislation, privacy acts, and (hearing) procedural requirements. Moreover, individuals must accept the PSISA Code of Conduct (Government of Ontario 2005b), which states that every individual licensee must act with honesty and integrity, and comply with all federal, provincial and municipal laws.
In addition, private investigators should have the ability (skills and knowledge) to present evidence in a court of law. In Ontario, Canada, the act that governs hearing procedures in a court of law is the Statutory Powers Procedure Act (SPPA). Section 5.4 of the SPPA states that the “tribunal may, at any stage of the proceeding before all hearings are complete, make orders for, (a) the exchange of documents; (b) the oral or written examination of a party; (c) the exchange of witness statements and reports of expert witnesses; (d) the provision of particulars; (e) any other form of disclosure.” (Government of Ontario, 2009). The intent is to ensure fair hearing procedures and to prevent conflicts of interest among the expert witnesses hired by either the defence or the prosecution.
From the ethical standpoint, according to the PSISA Code of Conduct, an expert is required to act with “honesty and integrity” (Government of Ontario 2005b); therefore a licensed private investigator is expected to provide a full and truthful disclosure of the discovered evidence. Moreover, under SPPA section 5.4, the tribunal may order a full exchange of expert witness statements and reports. As a result, failure to provide a truthful and full disclosure may result in the revocation of the Private Investigation license and a criminal case against the expert witness.


Thursday, June 9, 2011

Chain of Custody

Chain of custody is defined as “the order in which a piece of criminal evidence should be handled by persons investigating a case, specif. the unbroken trail of accountability that ensures the physical security of samples, data, and records in a criminal investigation” (, n.d.). The Royal Canadian Mounted Police (RCMP), a branch of the Canadian Government responsible for investigating digital crime in Canada, refers to chain of custody as “the tracking of evidence items from the scene of a crime to the item presentation in a legal proceeding.” (Royal Canadian Mounted Police, 2008a). In other words, chain of custody is a process of handling (digital) evidence in order to ensure its authenticity, and therefore the admissibility of the evidence in a court of law. It is imperative to maintain the chain of custody, especially in cases where there is a strong reliance on digital evidence, since “altered [evidence] and a break in the chain of custody would undoubtedly compromise the evidential weighting in a criminal case” (Royal Canadian Mounted Police, 2008a).
As a result, in its guide for victims of copyright and trademark infringement (Royal Canadian Mounted Police, 2008b), the RCMP instructs evidence handlers to keep evidence under lock and key, and to maintain the chain of custody: document all handling and movement of the exhibit, including the date and signature of the individual handling the evidence. Furthermore, the chain of custody has to be maintained (recorded and traced) from the initial evidence acquisition to the presentation in a court of law.
The importance of maintaining the chain of custody is not limited to criminal cases. For example, a decision to dismiss an employee for violating corporate policy could end up in court as a non-criminal case. The employee could file a “wrongful dismissal” suit against the employer, and the collected digital data could become critical evidence. If the defence alleges that the digital evidence has been altered or could have been altered, it is up to the prosecution to prove otherwise (Douglas Schweitzer, 2003).
In many cases, the traditional methods of handling digital data are not sufficient to ensure the admissibility of digital evidence in a court of law. For example, a standard file copying technique, such as using the copy or cp commands, could alter the access time of the original file, thereby affecting the authenticity of potential evidence. Furthermore, the simple “pulling the plug” approach (as a way to preserve the data on non-volatile storage) could result in the loss of a vast amount of volatile data such as encryption keys and “hacking tools and malicious software that may exist solely within memory” (Association of Chief Police Officers, 2008).


Saturday, June 4, 2011

Ethics, Law and Motivation

In order to discuss the differences between an unethical act and an illegal act, and motivation for these acts, we need to understand the definition of the words themselves. (n.d.) defines ethical as “in accordance with principles of conduct that are considered correct, especially those of a given profession or group” while the term legal is defined as “established by or founded upon law; lawful” (n.d.). Finally, motivation is defined as “desire to do; interest or drive; incentive or inducement” (n.d.).
From the definitions given above, it is clear that in order for an act or action to be considered unethical, it has to contradict the personal judgement of what is considered to be correct, whereas an illegal act is an act violating an official law or regulation. For example, in the software development domain, when an employer forces employees (software developers) to develop only partially functioning software in order to increase the profitability of the company, it is not illegal but could be considered an unethical act. On the other hand, when a European Union (EU) based hosting company stores personal records of its clients on servers in North America, as a backup or disaster recovery site, with the same or stricter security controls in place, it does not violate any ethical principles but is forbidden by official EU rules (European Commission of Justice, 2009). In practice, data transfer to non-EU entities is possible if the same core principles of data protection are applied to the personal records of the individuals. Furthermore, the EU and the Department of Commerce (DoC) have developed a framework, Safe Harbor, to bridge between privacy approaches and streamline trade between the EU and the US (, 2011).
Moreover, when discussing motivations to conduct an illegal act and an unethical act, there is a clear distinction between the two. Since ethical behaviour is dictated by personal principles, an individual would have no desire to conduct an unethical act. On the other hand, illegal acts, as shown in the example above, do not always contradict personal ethical principles; therefore an incentive or gain (financial, personal, etc.) could be a driver for an illegal act.
As a continuation of this topic, it would be beneficial to examine the potential conflict between corporate policies, as opposed to the provincial or federal laws discussed above, and personal ethical principles. As highlighted by the Verizon Business 2008 data breach investigations report, in the finance and tech industries, 39 and 39 percent respectively of breaches originated from internal sources, that is, internal employees (Wade H. Baker et al., 2008).