Friday, July 29, 2011

Forensic Software Analysis

Linux/GNU provides a wealth of tools which can be used to analyze binaries, such as file, strings, md5sum, hexdump, ldd, strace and gdb. Moreover, profiling tools such as AppArmor can be useful when analyzing the behaviour of an unknown binary. For the purpose of demonstrating the forensic software analysis process and the recoverable artifacts, a number of Linux/GNU tools will be used to investigate the Skype application. The conclusions of the investigation are presented at the end of the document.


The file command helps identify the file type and displays general information about the suspected binary.

file command


The ldd command can be used to identify all shared libraries used by the suspicious software.

ldd command


gdb is the GNU debugger, useful for debugging executables: it lets you “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it crashed” (Free Software Foundation, Inc. 2002). gdb allows an investigator to run a suspicious program step by step, view the value of a specific expression, or print a stack trace using the bt command.

gdb command

gdb stacktrace


strace can be used to display system calls and signals, including access to local and remote resources such as /etc/passwd. The strace command can be used with the -o parameter to write its output to a specified file.
The information includes:
  • the name of the system call
  • its arguments; and
  • its return value

strace command

strace output

The output file can be parsed with grep and an appropriate regular expression to identify accessed and/or modified system resources.

grep strace output
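As an added example, not from the original post, these shell helpers perform the grep/sed parsing described above over an strace -f -o log and go a little beyond the single grep: they separate successful opens from opens for writing, pull out the IPv4 endpoints of successful connect() calls, and list failed accesses. The trace lines, paths and IP address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that parse an
# "strace -f -o trace.log" file for the resources a suspect binary touched.
# The trace below is constructed for illustration; paths and IPs are made up.
SAMPLE_TRACE='1234  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/home/user/.mozilla/firefox/x1.default/places.sqlite", O_RDONLY) = 4
1234  openat(AT_FDCWD, "/home/user/.Skype/shared.xml", O_RDWR|O_CREAT, 0644) = 5
1234  openat(AT_FDCWD, "/etc/fonts/local.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
1235  connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1235  connect(7, {sa_family=AF_UNIX, sun_path="/run/user/1000/pulse/native"}, 110) = 0
1234  write(5, "<config>", 8) = 8'

# Drop the "pid  " prefix strace -f adds, so single-process traces parse the same way.
strip_pid() { sed -E 's/^[0-9]+ +//'; }

# Path argument of an open()/openat() line (first quoted string after the call name).
open_path() { sed -E 's/^open(at)?\([^"]*"([^"]*)".*/\2/'; }

# Every open()/openat() that succeeded (non-negative return value), deduplicated.
opened_paths() {
    strip_pid | grep -E '^open(at)?\(.*\) = [0-9]+$' | open_path | LC_ALL=C sort -u
}

# Subset opened for writing or creation, i.e. resources the binary may have modified.
written_paths() {
    strip_pid | grep -E '^open(at)?\(.*\) = [0-9]+$' \
        | grep -E 'O_(WRONLY|RDWR|CREAT|TRUNC)' | open_path | LC_ALL=C sort -u
}

# Remote IPv4 endpoints from successful connect() calls, printed as ip:port.
# (AF_INET6 and AF_UNIX sockets are deliberately left out.)
remote_endpoints() {
    strip_pid | grep -E '^connect\(.*sa_family=AF_INET,.*\) = 0$' \
        | sed -E 's/.*sin_port=htons\(([0-9]+)\).*inet_addr\("([^"]+)"\).*/\2:\1/' \
        | LC_ALL=C sort -u
}

# Resources the binary looked for but could not reach: handy for spotting probes
# for software (or data) that is simply not present on the analysis machine.
failed_access() {
    strip_pid | grep -E '= -1 E[A-Z]+ ' \
        | sed -E 's/^([a-z_0-9]+)\([^"]*"([^"]*)".* = -1 (E[A-Z]+).*/\2 (\1: \3)/'
}

# Usage: sh strace_report.sh trace.log   (with no argument, the constructed sample is used)
if [ -n "${1:-}" ]; then TRACE=$(cat "$1"); else TRACE=$SAMPLE_TRACE; fi
for f in opened_paths written_paths remote_endpoints failed_access; do
    echo "== $f"; printf '%s\n' "$TRACE" | "$f"
done
```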


strings prints all sequences of printable characters in a specified file. It can be useful for identifying system calls, resources, URLs, IP addresses, names, etc. when analyzing suspected software.

strings command

strings output


AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) that uses a whitelist approach to protect the operating system and its users. It does so by enforcing “good” behaviour, including open ports, allowed resources, etc., to protect against known and unknown application flaws.

AppArmor includes “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which can be helpful when investigating the behaviour of malicious software. For the purpose of a forensic investigation, the aa-genprof command can be used to record all software activities, which can then be analyzed at a later stage.

When using aa-genprof to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access all local and remote resources. In many cases, it is necessary to let the software run for a few days, as some malware, such as infected bots, communicates with the bot controller periodically.

aa-genprof command

skype command

Skype main window

Skype calling echo123

Skype messaging echo123

aa-genprof analyzing Skype access to Pulse resources

aa-genprof analyzing Skype access to system fonts configuration

aa-genprof analyzing Skype access to local chat

aa-genprof analyzing Skype access to Firefox bookmarks

aa-genprof analyzing Skype access to Firefox extensions
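As an added example (not part of the original post, nor Skype's own packaging), this is the kind of profile that aa-genprof's recording can be turned into once the investigation is over: accesses that fit a VoIP client are allowed, the browser-profile accesses recorded above are refused and logged, and the /etc/passwd read is allowed but audited. The binary path /usr/bin/skype, the ~/.Skype data directory and the profile location are assumptions.

```apparmor
# Assumed location: /etc/apparmor.d/usr.bin.skype (path and binary name are assumptions)
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/audio>          # Pulse/ALSA devices and sockets
  #include <abstractions/fonts>          # fontconfig files seen during recording
  #include <abstractions/X>              # Qt GUI

  # Outbound connectivity a VoIP client legitimately needs.
  network inet stream,
  network inet dgram,

  # Its own configuration and chat history (directory name assumed).
  owner @{HOME}/.Skype/ rw,
  owner @{HOME}/.Skype/** rwk,

  # Accesses recorded by aa-genprof that a VoIP client has no business making.
  # A bare "deny" would be the weaker setting for an investigation: it refuses
  # the access but writes no log line. "audit deny" refuses it AND logs each attempt.
  audit deny @{HOME}/.mozilla/** rw,

  # Reading /etc/passwd is common (user lookups via the nameservice abstraction),
  # but here it is worth a log line: "audit" on an allow rule logs the access.
  audit /etc/passwd r,
}
```

Load the profile in complain mode (aa-complain) while still recording, and switch to aa-enforce only after the accesses above have been reviewed; either way the audit lines end up in the system log that aa-logprof reads.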


The Skype application accesses the resources required to display a graphical user interface (GUI) using the Qt library, interacts with audio devices through the Pulse framework, and uses the resources required for networking, all of which could be considered legitimate behaviour for a VoIP application.

On the other hand, Skype's access to resources such as Firefox bookmarks and extensions such as LastPass (an advanced password manager), and to system resources such as /etc/passwd, raises suspicion as it resembles typical malware behaviour.


Tuesday, July 19, 2011

Criminal Activity On Peer-To-Peer (P2P) Networks

Criminal activity on peer-to-peer (P2P) networks is usually associated with the sharing of illegal material such as copyrighted or offensive content (music, movies, snuff films or pornography). There are a number of cases in which law enforcement agencies have successfully taken down such sites, as with the Elite Torrents group (Charles Montaldo, 2005). Recently, however, peer-to-peer protocols such as BitTorrent and Kad have been used to command and control an army of digital zombies (a botnet). A botnet, controlled by a botmaster, can be used for attacks such as spam and denial of service.
Bots are getting more and more sophisticated, allowing the controller to capture keystrokes, take screenshots, send spam and participate in denial of service attacks, and are much harder to detect due to the inclusion of rootkit capabilities, but “the most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code” (Peter Bright, 2011). Moreover, some bots allow controllers to “sublet”, for a price, an IP address to be used as an anonymous proxy.
Peer-to-peer technology allows the hacker to eliminate a “single point of failure”: a single (sometimes multiple) Internet Relay Chat (IRC) server or a Really Simple Syndication (RSS) feed used to command the botnet. Over the years, there have been a number of attempts by botnet developers to develop the next generation utilizing a peer-to-peer control mechanism: “Slapper, Sinit, Phatbot and Nugache have implemented different kinds of P2P control architectures” (Ping Wang, Sherri Sparks, Cliff C. Zou, 2007), each with its weaknesses. For example, the Sinit bot used random probing techniques to discover other Sinit-infected machines, which resulted in easily detected network traffic. An insecure implementation of the authentication mechanism made Slapper easy to hijack, whereas Nugache contained a list of static IP addresses used as an initial seed (David Dittrich, Steven Dietrich 2008) (David Dittrich, Steven Dietrich 2009).
Modern bot implementations combine a peer-to-peer protocol with encryption (based on TLS/SSL) of the network traffic, a public-key based authentication mechanism, and randomly chosen ports with protocol mimicking, in order to avoid anomaly detection on the network level and to prevent hijacking of the botnet network by competing botmasters and law enforcement agencies. TDL4 (or Alureon) has been dubbed “the ‘indestructible’ botnet” and is running on over 4.5 million infected computers at the time of writing (Sergey Golovanov, Igor Soumenkov 2011).
To make the botnet more resilient, a hierarchical structure is used in which each servant (a hybrid of bot and server) communicates with a small subset of bots, and each bot contains a small list of other peers (in case the servant is not available). The servants themselves are rotated (dynamic) and updated periodically to prevent capturing and disrupting the botnet network. Locally, the malware uses rootkit functionality to avoid detection by antivirus software. For example, the Alureon botnet “infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system” (Peter Bright 2011), meaning that the rootkit is loaded before the operating system and any antivirus software.
Forensic investigation of a crime involving an advanced peer-to-peer botnet requires a combination of reverse engineering, operating system forensics and network forensics. For example, TDL4 infects the victim's MBR, which, upon investigation, immediately identifies the presence of the rootkit. Moreover, the presence of certain files (recoverable from an offline forensic image) such as cfg.ini and ktzerules in certain locations could indicate infection. On the network level, upon infection the malware downloads and “installs nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot” (Sergey Golovanov, Igor Soumenkov 2011), making it possible to monitor and detect the botnet activity.


Friday, July 8, 2011

Legal Aspect of Remote Monitoring

Regardless of the device owner's awareness, remote monitoring of a computer or mobile device can be done by an agent deployed on the device, or by analyzing the traffic generated by the device. Each of these approaches has its own pros and cons, which are discussed below.
Remote monitoring of a computer utilizing a locally deployed agent (such as an event log monitor or key logger) can provide a wealth of information such as currently running processes, existing and active users, access to installed applications, etc. Legitimate deployment of such agents is usually done by a system administrator installing the software on a workstation or laptop, either with or without the user's knowledge, while tools such as key loggers used by malicious users or criminals are usually deployed by exploiting existing vulnerabilities in the operating system, web browser or other installed applications. It is interesting to note that many legitimate monitoring software packages use technology and methods previously used by malware. For example, many employee monitoring software packages have capabilities such as keystroke monitoring, logging of sent and received email messages, website activity, accessed documents, etc. (TopTenReviews, 2011).
On the other hand, monitoring computer activities by analyzing the generated network traffic does not require the installation of a user agent (malware), which means it leaves no traces on the computer itself that could be uncovered by a digital forensic investigator. The disadvantage, of course, is that information can be deduced only from services and applications that generate network traffic. For example, laptops connected to a domain will try to communicate with a domain controller, and the Java JRE and Adobe Reader periodically check for available updates, therefore providing the intruder with a list of potential targets (services and applications). In some cases, when devices communicate using insecure protocols, it is possible to gather information such as user names and passwords. Moreover, there are some attack vectors, such as DNS poisoning, ARP poisoning and a Man-in-the-Middle (MiTM) proxy, which can redirect the traffic to servers/devices controlled by the intruder.
From a legal point of view, the technical aspect of the data acquisition could place it in a different category. For example, in the US, data collected while in transit, such as an email message, falls under the Wiretap Act and therefore requires special permission. On the other hand, “dropping” a key-logger and collecting data as it is being drafted does not violate the Wiretap Act. Similarly, “at the recipient’s end, the U.S. District Court of New Hampshire in Basil W. Thompson v. Anne M. Thompson, et al., ruled that accessing email stored on a hard drive was not an "interception" under the Wiretap Act” (Ryan, DJ. & Shpantzer, G. 2005). Moreover, the age of the acquired data affects the applicable legal requirements: recent data, less than 180 days old, which would include network log files, event logs, etc., “requires a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, while older communications can be accessed without notice to the subscriber or customer” (Ryan, DJ. & Shpantzer, G. 2005).
Finally, the network environment introduces unique challenges to the digital forensic process, such as the inability to take a snapshot, distributed geographic locations with different legal requirements, and the amount of available data, which require some adaptation of the AAA principles (Laureate Online Education B.V., 2009). In order to be admissible in a court of law, the handling of network traffic as digital forensic evidence has to be in accordance with the Daubert guidelines, which “assess the forensic process in four categories: error rate, publication, acceptance and testing” (John Markh 2011). Moreover, due to the high volatility of the artifacts, investigators are required to pay additional attention to the chain of custody.


  • Laureate Online Education B.V. 2009, “Computer Forensics Seminar for Week 6: Network Forensics I”, Laureate Online Education B.V.
  • Markh, J. 2011, “Week 5 Discussion Question - UNIX Forensic Tools”, Laureate Online Education B.V.
  • Ryan, DJ. & Shpantzer, G. 2005, “Legal Aspects of Digital Forensics” [online]. Available from: (accessed: July 7, 2011).
  • TopTenReviews 2011, “2011 Monitoring Software Review Product Comparisons” [online]. Available from: (accessed: July 7, 2011).

Thursday, July 7, 2011

Criminal Profiling in Digital Forensic

Criminal profiling has been used by crime investigators for centuries. It gained worldwide attention after being used in England in the Jack the Ripper case. Damon A. Muller (2000) describes criminal profiling as a process “designed to generate information on a perpetrator of a crime, usually a serial offender, through an analysis of the crime scene left by the perpetrator”, allowing law enforcement agencies to better utilize limited resources. Criminal profiling has two distinct approaches: inductive and deductive analysis (Rogers M. 2003). The inductive approach relies on the statistical analysis of behaviour patterns of previously convicted offenders, while the deductive approach focuses on the case-specific evidence. Examples of criminal profiling methodologies are “diagnostic evaluation (DE), crime scene analysis (CSA), and investigative psychology (IP)” (Damon A. Muller, 2000).
There are two contradicting points of view on criminal profiling: some claim it is an art, while others claim it is a science similar to criminology and psychology. Moreover, as opposed to criminology or psychology, human lives may depend on the accuracy of criminal profiling: “if a profile of an offender is wrong or even slightly inadequate police may be misled allowing the offender to escape detection for a little while longer—and innocent people may be dead as a result.” (Damon A. Muller, 2000). As a result, many law enforcement agencies are still evaluating the adoption of criminal profiling.
Since a digital forensic investigation is in essence a crime investigation with similar investigation phases (acquisition of evidence, authentication, analysis and reporting/presentation), criminal profiling can be used as well to predict offenders' behaviour. Just as in traditional crime investigation, “digital” offenders have motives, different skill levels and tools. Regardless of the profiling methodology (inductive or deductive), the results of criminal profiling can greatly aid a digital forensic investigation.
“The network evidence acquisition process often results in a large amount of data” (Laureate Online Education B.V. 2009), and the results of criminal profiling can help the investigator conduct a more specific keyword search, focus on specific areas (i.e. allocated and unallocated space) and geographical locations (IP addresses). Moreover, the profiling information can pinpoint supporting or corroborating evidence such as IRC chat channels, FTP sites, underground forums and newsgroups (Rogers, M 2003).
Just like traditional criminals, “digital” offenders have weaknesses that can be used when interviewing/interrogating suspects or witnesses. Although the interview process itself could be completely different from what we traditionally understand as an “interview” (i.e. IRC chat rooms, forums, mailing lists, etc.), Rogers M. notes that “individuals who engage in deviant computer behaviour share some common personality traits, and given the proper encouragement, show a willingness to discuss and brag about their exploits” (Rogers, M 2003).


  • Muller, D.A. 2000, “Criminal Profiling: Real Science or Just Wishful Thinking?” [online], Homicide Studies, Vol. 4 No. 3, August 2000, 234-264. Sage Publications, Inc. Available from: (accessed: July 7, 2011).
  • Laureate Online Education B.V. 2009, “Computer Forensics Seminar for Week 6: Network Forensics I”, Laureate Online Education B.V.
  • Rogers, M. 2003, ‘The role of criminal profiling in the computer forensics process’, Computers & Security, May, Business Source Premier, EBSCOhost, viewed 7 July 2011.

Saturday, July 2, 2011

Forensic Investigation of Cellular and Mobile Phones

“In general, the same forensic principles that apply to any computing device also apply to mobile devices in order to enable others to authenticate acquired digital evidence.” (Casey E. et al. 2011); therefore a forensic investigator should follow the same forensic process as with any computing device. When the acquired digital evidence involves a recovered phone call, the investigation process usually includes accessing data collected by the cellular network provider. A number of countries have enacted laws to expedite law enforcement agencies' access to client information, such as the Regulation of Investigatory Powers Act 2000 (RIPA) in the UK, the USA PATRIOT Act, the Surveillance Devices Bill 2004 in Australia and the Search and Surveillance Powers Bill 2008 in New Zealand. These laws require (telephone and internet) service providers to maintain a log of all communications such as calls, email messages, SMS (text messages), MMS (multimedia messages), established Internet connections, etc.
With the appropriate legal documents (as required), the investigator can obtain information such as customer name, billing name, geographic locations (based on the Base Transceiver Station), list of calls, etc., which could be helpful for the investigation. Moreover, while it is generally believed that prepaid cellular phones are cheap and difficult to trace (Casey E. et al. 2011), the device can still contain useful information. In addition, the service provider may maintain information such as “credit card numbers used for purchases of additional time or an email address registered online for receipt of notifications” (Jansen W. and Ayers R. 2007).
Due to the diversity in functionality and capabilities of mobile devices (cellular phones, smart phones, etc.), there is no single investigation methodology for cellular phones. In general, the process involves a manual review of the information available through the menus, such as the address book, last calls, text messages, etc. Specialized tools are used only when the extraction of deleted information or access to “hidden” data (such as the Apple iPhone cell tower and Wi-Fi hotspot database) is required (Laureate Online Education B.V. 2009). Potential evidence related to the mobile device includes:
  • handset identifier: International Mobile Equipment Identity (IMEI)
  • subscriber identifier (SIM)
  • call register
  • address book
  • calendar
  • photographs
  • videos
  • voice mail
  • passwords such as Internet Mail accounts, desktop (for synchronization), etc.
  • installed applications
  • attached peripheral devices and special modification
  • accessed Wi-Fi hotspots
  • cell towers