Join Date: Feb 2018
Location: Behind you
This section will talk about data in general: how it gets stored and what happens when it is deleted. Furthermore, we will take about recent file lists and data caching. Knowing how Windows and other applications handle these files will help eliminate the risks associated with evidence left over after your session. You will learn how to find and remove this data completely and securely from your computer. In some instances, you will also learn how to prevent these risks from happening altogether.
4.1 A Quick Word
In this section, we will mainly be focusing on NTFS drives. I am not saying that the following information does not apply to XP or earlier, it just does not ALL apply to what we are talking about. Among improvements in NTFS file systems are increased file size potential (roughly 16TB versus 4GB for FAT32), increased volume size potential (roughly 256TB versus 2TB for FAT32), and the recording of Last Accessed times (in Windows NT/2k/ XP/2k3, and in Vista/2k8/7 if enabled). In addition, NTFS uses a data structure called the Master File Table (MFT) and entries called index attributes instead of a file allocation table (FAT) and folder entries in order to make the access and organization of data more efficient.
4.2 Deleted Data
A common misconception that computer users have is, when you delete a file, it is completely removed from the hard disk. However, you should know that highly sensitive files such as pictures, passwords, chat logs, and so forth still remain on the hard disk. Even after they are deleted from your recycle bin, they are still located on the hard drive and can be retrieved with the right software. Take for example when you use WinRAR to extract the file that someone sent you. The program extracts the data to a temporary file before it reaches its destination on your hard disk; this may lead to a data leak.
Any time that a file is deleted from a hard drive, it is not erased. When you delete a file, the two bytes located at record offset 22 within the file’s MFT record are changed from \x01\x00 (allocated file) to \x00\x00 (unallocated file). The operating system uses these pointers to build the directory tree structure (the file allocation table), which consists of the pointers for every other file on the hard drive. When the pointers are changed, the file essentially becomes invisible to the operating system. The file still exists; the operating system is just ready write over them. You should also know that the deleted file’s entry is removed from its parent index, and the file system metadata (i.e., Last Written, Last Accessed, Entry Modified) for the file’s parent folder are updated. It is also possible that the metadata for the deleted file itself may be updated because of how the user interacted with the file in order to delete it (e.g., right-clicking on the file).
There is another process when a file is deleted and is sent to the recycle bin. Post Windows Vista (XP, 95, etc.), when a file is sent to the recycle bin, a record in the INFO2 file is created. Starting with Windows Vista, Microsoft went away with the INFO2 file in favor of a new method of storing deleted data. Below is a table that shows where each record is located. Note that the <User SID>, or Security Identifier, is the unique identifier for each user on the machine. You can find your SID by following the steps in section 6.1 Disable Unnecessary Accounts. *Remember though, you do not need to delete the key from the registry.
Operating System Common File Structure Location of Deleted Files Windows 95/98/ME
FAT32 C:\Recycled\INFO2 Windows NT/2K/XP
NTFS C:\Recycler\<User SID>INFO2 Windows Vista/7/8/8.1
NTFS C:\$Recycle.Bin\<USER SID>\
I will not be getting into the actual process of examining the INFO2 files or the newest file format for Windows Vista on forward. Rather, I will give a very brief overview of what to expect when examining these two formats. Starting with INFO2, when a file is moved to the Recycle Bin, it is typically renamed to DC#.EXT, where “#” is an integer and “EXT” is the original file’s extension. The only thing that you really need to know, is that when you remove an individual file from the recycle bin, the file details are not removed from the INFO2 file. Instead, it is simply marked as deleted to avoid the process of rebuilding the INFO2 file. It is only when you completely empty the deleted files does the INFO2 file go away.
Moving along to Windows Vista, 7, and 8, Windows has significantly changed how the files and corresponding details are represented when sent to the recycle bin. As the table above illustrates, the new format still involves using the users SID but are now found in the C:\$Recycle.Bin\<USER SID>\ directory. In this new format, where Vista on forward begins to handle deleted files differently is that a deleted file is renamed to $R, followed by a series of six random characters and then the original file extension. Then a second file is created of the same name, with $1 instead of $R, containing information similar to that contained within the INFO2 file. However, this file contains only the original filename, the file’s original size, and the data/time the file was deleted.
A great program to investigate these “Index file” is rifiuti2, a free program to read both INFO2 files and the new file formats. You can download the program from the official page, here: Click here
Shadow data is the fringe data that remains on the physical track of storage media after it is deleted, sweeped, or scrubbed. A mechanical device called a head is used to write the data, and it is stored electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. However, head alignment is just a little bit different each time an attempt is made to erase data, and data remnants sometimes bleed over the tracks. This is the reason why government agencies require multiple scrubs or burning, because there is no guarantee of complete elimination of fringe, or shadow, data.
The only way that you can permanently delete this data is to override it with special software or wait for the operating system to overwrite the data. There are files on the hard disk that do not have any pointers in the file allocation table so it will eventually be overridden with something new. Even files that are fragmented or are partially written over are recoverable and can be used against you. Special software will overwrite these files securely and immediately. One such recommended software that securely cleans the white space is CCleaner and Recuva to erase the actual data left over. As a word of note, people suggest that's simply defragging a hard drive will overwrite these pointers; this is not true. Drives formatted using NTFS are especially not affected using this method. This is because of the way NTFS stores data; it essentially makes defragging the hard drive useless.
Try it out - CCleaner
4.3 Deleteing Data Securely
- Download and install CCleaner
- Open CCleaner press Tools on the left
- Select Drive Wiper
- Select Free Space Only in the drop-down box next to Wipe
- In the security drop-down box, I recommend selecting the complex overwrite
- Choose the drive letter you wish to clean and pressed Wipe
As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To prevent data from being recovered you must secure erase (or shred) the data. What special programs do to securely erase contents from a computer is they enumerate through each bit of data and replace it with a random bit. The shredding method I recommend is 7 passes. This process makes the bits unknown as recovery of this data difficult, if not impossible. This can be done with file eraser programs, or it can be done to the entire drive with bootable software. DBAN is recommended if you are trying to erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some programs such as Blancco implement HPA/DCO wiping by default, other tools could allow the user to choose whether or not to wipe HPA/DCO while other tools are not able to wipe HPA/DCO at all.
HPA stands for Host Protected Area and is a section of the hard drive that is hidden for the operating system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery system for the computer. For this reason, the HPA is not a big concern, but you can securely remove data here nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of today’s hard drives. Similar to the HPA, the DCOs can be securely erased in such the same way.
While recovery of information wiped out in this manner is far more difficult, and in many cases impossible, some recovery techniques exist that specialists can employ to retrieve some of the data. Factors such as the size of the hard drive, the accuracy of the mechanical system in the drive, the power with which the information was recorded, and even the length of time the information was left on the drive prior to wiping all will have an effect on the probabilities for recovery.
Another method is to physically destroy the hard drive to a state that is irreparable. The best method for this is to open the hard disk and grind the platters to obliterate all data. Another method for hard drives that use disks is to use an industrial strength magnet to remove the data. Optical disks (CD’s, DVD’s, etc.) can be shredded if they are not writable. Also, optical disks can be destroyed be cooking them and is the best method for destroying data on optical media. Cooking them however is not recommended for practicing or everyday use as they release a toxic fume.
4.4 File Slack
To understand file slack, one first needs to understand how disks are organized at the lowest level. As can be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further subdivided into a set of sectors and collection of sectors form together to make a cluster. If you write a 1 KB file that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space between the logical end-of-file and the physical end-of-file is known as slack space.
The perhaps somewhat unexpected consequence from this is that the file slack contains whatever data was on the disk before the cluster was allocated, such as data from previously deleted files. Using file slack, it would be possible not only to recover previously discarded (and potentially sensitive information) information, but also to effectively hide data. The ability to hide data arises because the operating system does not modify data within a cluster once it has been allocated. This means that any data that is stored in the slack is safe (provided the files size does not change). Using forensics examiner software such as EnCase or FTK, an investigator can recover this data contained in slack space.
To wipe this slack space, I use a software called “Eraser” which has utilities to wipe unallocated file space and slack space disk. I recommend utilizing the 3 pass method to ensure that no shadow data exists after the process is complete. You will notice after running the program to remove the slack space, that your secret message you just entered is erased.
Try it out - Hiding data in file slack space
4.5 Alternate Data Streams
- Open Microsoft Office and create a .Doc file. Enter anything you like.
- Download and install your favorite Hex Editor. I Hex Workshop Hex Editor is a good one and will fulfill our purpose for this example.
- Start the program. I will be covering the steps when using Hex Workshop.
- Select the file that you just created and load it in the program. The hex output will appear in the main portion of the screen
- Once the file opens, click on Edit/Find to open the Find dialog box.
- In the Find dialog box, click on the drop-down box next to “Type:” and select “Text String.” Enter the part of the text you entered in the first step.
- On the right side of the screen, navigate to a blank line and remember that position. On the blank line, type a secret message.
- Click on File/Save As and save the file to whatever you want (IMPORTANT: Save as Word 97-2003 format)
- Close Hex Workshop and open MS-Word
- In MS-Word, open the new file you just created in the Hex Workshop
- Confirm that your hidden message is not visible within MS-Word
ADS’s, or Alternate Data Streams, have been around since the very beginning of the NTFS file system. The invention was attributed to help support Macintosh Hierarchical File System (HFS) which uses resource forks to store icons and other information for a file. However, using ADS’s, you can hide data easily that will go undetected without specialized software or close inspection. This method requires nothing more than a Windows device that is formatted using NTFS – which is practically everyone now. It works by appending one file to another whilst hiding the sensitive data from view and keeping the file size of the original data. You need to know, that you hidden file is in no way encrypted. So, if an attacker knows the file is there, he will be able to read the contents.
A few commands before we get started:
Let’s start with the basics, hiding a text file within a text file:
- CD – Change Directory (cd \path\to\change\to or cd .. to reverse one directory or cd C:\Absolute\Path)
- DIR – List contents of directory (dir to show current folder or dir \folder)
- TYPE – Used to view small files
- Echo – Display text or write to a file
- Start – Starts an executable program
- Open command prompt. Start > Run > type “cmd”
- When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\
- We are going to create our first text file and write data into it. The command to do that is echo This file is seen >seen.txt. If you get an Access Denied error, you might need to run cmd as Administrator or change the directory to your home directory (cd C:\Users\%YourUsername%\Docume nts). You can test to see if the file was created and if data was written to it by using type seen.txt[/li]
- Now we will use a colon as the operator to tell our commands to create or use an ADS. Type: echo You can't see me>seen.txt:secret.txt
- To read the file you will want to use the following syntax: type seen.txt:secret.txt
- Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and sometimes does not work as we might expect. Since the type command does not understand the colon operator we will have to use notepad to read the file: notepad seen.txt:secret.txt
- If it all worked correctly, you should see the contents of secret.txt. You should also note that the file size did not change what you added the secret.txt file
- You should also note that you can hide data inside a directly as well. Type md test to create a directory and cd test to navigate to that directory. Then using the same syntax as above, we will hide our data by typing this: echo Hide stuff in a directory>:hide.txt
- You can test to see that the file is hidden by listing all the files in the directory by using the dir command. To open the file you will just enter notepad :hide.txt
So, now you have successfully hidden two files from view! But that is only the beginning as there are many more nifty features that can be used on the NTFS system. For the next example, we will be hiding executable files within a text file that can be run using the start command. This method is actually not much harder than then the method above:
- Open command prompt. Start > Run > type “cmd”
- When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\. Again, you may need to change your directory to your documents folder or something similar: (cd C:\Users\%YourUsername%\ Documents)
- First, we are going to make a file to write to: echo Test>test.txt. you can check the size of the text document by typing in dir test.txt
- Next, we are going to hide an executable in the test.txt file: You can find any file that you wish to run. For this example, we will be using notepad: type notepad.exe>test.txt:note.exe. So, what we just said was copy and rename the program notepad.exe to note.exe and add it the text document test.txt. Again, to make sure the file size did not change, you can check the size of the text document by typing in dir test.txt
- To run the file, you will type in: start .\test.txt:note.exe
Finally, the last thing we will talk about is hiding videos in ADS’s. This method is the same as the above methods, however you will need to call the actual video player to play the videos.
- Open command prompt. Start > Run > type “cmd”
- When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\. Again, you may need to change your directory to your documents folder or something similar: (cd C:\Users\%YourUsername%\ Documents)
- Make sure that a video exists in the same directory. The command to hide a video inside a text document is this: type "hello kitty.avi" >"sample.txt:hello kitty.avi". When dealing with files that include spaces, you always want to use quotes. And obviously, replace the file names with your own.
- Now, to play the video, you will need to know the exact path of the video player. Here is a sample syntax to open the video with Windows Media Player: "C:\Program Files\Windows Media Player\wmplayer.exe" " sample.txt:hello kitty.avi". This tells Windows to use wmplayer.exe to play “hello kitty.avi” that is hidden in sample.txt
4.6 Where to Hide Your Data
- HPA: Host Protected Area is an area of a hard drive that is not normally visible to an operating system and is protected from user activity. To hide data there, you will need to write a program, or find a program, to write information there.
- MBR: The Master Boot Record only requires a single sector thereby leaving 62 open sectors for hiding data
- Partition slack: File systems store data in block, which are made of sectors. If the total number of sectors in a partition is not a multiple of the block size, there will be some sectors at the end of the partition that cannot be accessed by the operating system using any typical means.
- Volume slack: If the partitions on a hard drive do not use up all of the available space, the remaining area cannot be accessed by the operating system by conventional means (e.g., through Windows Explorer). This wasted space is called volume. It is possible to create two or more partitions, put some data into them, and then delete one of the partitions. Since deleting the partition does not actually delete the data, that data is now hidden.
- File slack: This is the unused space between the end-of-file marker and the end of the hard drive cluster in which the file is stored.
- Unallocated space: Any space in a partition not currently allocated to a particular cannot be accessed by the operating system. Until that space has been allocated to a file, it could contain hidden data.
- Boot Sector in non-bootable partitions: Every partition contains a boot sector, even if that partition is not bootable. The boot sectors in non-bootable partitions are available to hide data.
- Good blocks marked as bad: It is possible to manipulate the file system metadata that identifies bad blocks (e.g. the File Allocation Table in a FAT file system or $BadClus in NTFS) so that usable blocks are marked as bad and therefore will no longer be accessed by the operating system. Such metadata will produce blocks that can store hidden data.
4.7 Changing File Headers to Avoid Detection
Major forensic software use two methods for identifying file types: file extensions (.exe, .jpg, .txt) and file headers (characters at the beginning of the file). A person trying to hide an image might simply change the extension from .jpg to .zip to try to fool an investigator. Most people will try to open the file, but they will encounter an error and they will probably move on to the next file. As this method might work on somebody whom doesn’t have specialized software to view the header information, it doesn’t fool those whom use products such as EnCase. This is because, as I said before, there is another method to determine to type of file they are reviewing. Yet, if the file extension and the header information matches, they might look over the file completely as it might not be the file type they are looking for.
When forensic investigator looks at a file that has a mismatch between the extension and the file header, he might get suspicious and further investigate the discrepancy. For this reason it is important to change both file extension and header information to match. By changing this information, you can effectively hide whatever it is you are trying to hide. You should note however, if an investigator opens the file with the correct program, he will still be able to view the contents of the file. For example, you can change a .jpg’s extension and header information to a .txt, but if the file is opened in Picture Viewer, you will still be able to see the picture.
First things first: change the file’s extension. For this example, we will be changing a .rar to an .exe. So find a .rar file on your machine and change the extension to exe. This part is the easiest part and can be done in only a few seconds:
- Start Windows Explorer and navigate to the folder that contains the file you wish to hide
- If you do not see the file extensions, you might have to change a setting to view them. For XP and 7, you will click Tools > Folder Options > View and uncheck Hide extensions for known file types
- Once you can see the file extension, you can now right-click the file and click Rename to change the file extension
I should also note that for the first couple of times before you feel comfortable testing this out on your own, to use a file that you don’t want or to create a copy of a file to test this on. The next part is to change the header information of the same file you just changed the extension for. This is done with a program that you can freely download over the internet. For this example, I am using HxD Hex Editor and can be downloaded from here and modifying a .rar file.
- Open HxD Hex Editor, click File > Open, select the file, and click Open
- You will notice that the hex view shows the file header for .rar files are 52 61 72 21 in hexadecimal and Rar! In ASCII (Figure 1). This is the information you are going to change
- Click you cursor right before the first hexadecimal character on the left, the 5. Now, when you start typing, the new characters will replace the existing characters and they will appear red
- To change the file signature of this RAR archive we simply take the file signature of an executable file and add it to the start of this file. In this case I will add 4D 5A to the start of the file (Figure 2)
- Save the file
This technique will fool the forensics software as it will not return the file when it is looking for .RAR files. However, even though you change the file type, you may not be able to fool the investigator depending on when is contained inside the file. Changing .doc or .docx files to .jpegs for example might not be the best idea in the world as they can still see all the text contained within the document. .RAR files might also contain the filename even though encryption is enabled if Encrypt file names is not used.
4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache
A swap file allows an operating system to use hard disk space to simulate extra memory. When the system runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk to free up memory for other programs. Then when you go back to the swapped out program, it changes places with another program in RAM. This feature ensures that Windows is usable when memory runs out. Even though this feature is helpful, sensitive information might be contained within the swap space that could incriminate you.
Let's say you download sensitive material and after you were done with it, you delete it securely. If you ran out of memory (RAM) the temporary data might have been saved to swap space thereby rendering your method of removing the file useless. The best way to attack this problem is to disable paging altogether while viewing sensitive information. If you are using applications that use large amounts of memory, you can turn paging back on during your session.
Try it out - Disable paging
- Open the Start Menu and go to Control Panel
- Click on the System icon
- Select the Advanced tab
- Under Performance, click Settings
- Go to Advanced
- Under Virtual Memory, click Change
- Select No Paging File and then click Set
- Click OK in all the menus
- To enable paging again, simply select Automatically manage paging file size for all drives
ReadyBoost is another caching feature introduced in Windows Vista and was continued with Windows 7. It works by using flash memory, a USB flash drive, SD card, CompactFlash or any kind of portable flash mass storage system as a cache. Data that is written to the removable drive is encrypted using AES-128bit encryption before written to the drive. This means that an examiner who recovers the drive with the ReadyBoost information will find it difficult to decipher this data.
Another way that Windows operates under the surface is when creating temporary internet files. Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is used by Internet Explorer and other web browsers to cache pages and other multimedia content, such as video and audio files, from websites visited by the user. This allows such websites to load more quickly the next time they are visited. Not only web browsers access the directory to read or write, but also Windows Explorer and Windows Desktop Search.
You can see how this is a problem if you ever want to download (or view) pictures or files that contain sensitive material. Furthermore, other applications might use temporary files when handling content. For example, when I talked about WinRAR earlier, I explained that when you unpack data from an archive, the program creates a temporary file on your file system before it is moved to its destination. The only way around this (excluding internet cache) is to periodically wipe slack data as stated before. When dealing with internet data, you should be concerned with deleting internet cache and cookies. More information can be found here: https://support26v5pvkg6.onion/index.php?topic=1046.0
Try it out - Delete internet cache
- Start Firefox
- Click Tools (if you do not see the menu-bar press the Alt key on your keyboard. The menu-bar should appear.)
- Click Options
- Click Privacy
- Select TorBrowser will: Use custom settings for history and check Clear history when TorBrowser closes
Note: There are several other vulnerabilities that you need to be aware of concerning web browsers. I will not be covering those in this security guide and they have been thoroughly explained in another.
Note 2: You can change the location where WinRAR extracts the temporary data to. Navigate to Options > Settings > Paths. You can change the path under Folder for temporary files.
4.9 Temporary Application Files and Recent File Lists
Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file is recorded by Windows. This feature was introduced into Windows and other applications to make those applications more user friendly by allowing easy access to those recently used files. Such the same, some applications create cache that is stored on your computer so the application can run faster the next time it is loaded or a specific project is being worked on.
Recent file lists and application caching does make the experience more friendly, but it also added security risks. If for example, someone took a video and loaded it into a video editing software. The software might take pieces of the video and save it to your hard drive for fast access. The same goes for viewing videos/images that are sensitive by nature. Whoever is looking at the recent files list for your computer, will know what the names of files are as well as possibly knowing the location of those files.
First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures that are loaded for every file in Windows Explorer as a little “preview” of sorts. A thumbnail cache is used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of thumbnails as these smaller images do not need to be recalculated every time the user views the folder. You can see where this is a problem when you open a folder containing sensitive pictures or videos. Thumbnail caches are stored in thumbs.db files and the locations will vary depending on the Operating System. In Windows XP, the thumbs.db files will be stored in every folder.
Windows 7 and Vista saves all the thumbnails in a central location. The cache is stored at %userprofile%\ AppData \Local \Microsoft \Windows \Explorer as a number of files with the label thumbcache_xxx.db (numbered by size); as well as an index used to find thumbnails in each database. This makes it easier for us to locate and remove the caches of these thumbnails. You can use CCleaner to remove the existing cache. I recommend using this page to enable/disable thumbnail caching. Click here
Try it out - View thumbnail cache
- Download Thumbcache Viewer from here
- Start the program and press File > Open
- Locate you thumb files, select them, and press Open
- The images that were cached will populate in the listbox. Select a file to view the image preview
Try it out - Delete thumbnail cache using CCleaner
- Open CCleaner
- Make sure Thumbnail Cache under Windows Explorer is check
- You can set all security setting in the Options > Settings menu
- Click Run CCleaner
Another feature of Windows and several applications is recent files lists. There are several locations where these lists can appear, yet there are only two ways they are saved: the registry or as a file. Windows XP saves file names in the registry and a centralized location in Windows Explorer whereas Windows 7 introduces yet another list known as a "jump list" which can also be cleaned by using CCleaner.
Jump Lists appear on the Start menu as well as on the Taskbar when you right-click on an icon. You can use it to perform specific actions, but for security purposes, it can record files that were recently opened.
Try it out â€“ Disable jump lists
- Right-click the Start Menu and click Properties
- Expand the Start Menu tab
- Uncheck Store and display recently opened items in the Start menu and the taskbar[b]
- Click OK
CCleaner erases most all (if not all) of the recent file lists for Windows as well as for a few other applications. Listed below are common locations where these recent file lists and application caches can be found at (I would look into winapp2.ini for more locations which is an add-on for CCleaner):
- (Windows) Software\Microsoft\ Windows\CurrentVersion\Explore r\ RecentDocs
- (Windows) Software\Microsoft\ Windows\CurrentVersion\Explore r\ ComDlg32\OpenSaveMRU
- (Windows) Software\Microsoft\ Windows\CurrentVersion\Explore r\ RunMRU
- (Windows) Software\Microsoft\MediaPlayer \Player
- (Windows) Software\Microsoft\ Internet Explorer\TypedURLs
- (Media Player Classic) Software\Gabest\Media Player Classic\Recent File List
- (Media Player Classic) Software\Gabest\Media Player Classic\Settings
- (Recent file list) %appdata%\Microsoft\Windows\Re cent
- (Jump list) C:\Users\<user name>\AppData\Roaming\Microsof t\Windows\Recent\AutomaticDest inations
- (Temp data â€“ Vista/7) C:\Users\<user name>\AppData\Local\Temp
- (Temp data â€“ XP) C:\Documents and Settings\<user name>\Local Settings\temp
Note: Note: Other applications include PrivaZer for Windows and Bleachbit for Linux.
Try it out - Setting up CCleaner
- Download and install CCleaner to your machine. Make sure when you download CCleaner from the internet, as with all programs, you download from the manufacturer's website only. The link has been provided for you: https://www.piriform.com/ccleaner/download/standard
- Once the program is open click the Options button on the left hand side of the window
- Next, click on Settings
- Make sure that Secure file deletion (Slower) is checked, Complex Overwrite (7 passes) is selected in the dropdown box and Wipe MFT Free Space is checked. Very Complex Overwrite can be selected instead of Complex Overwrite. The Complex Overwrite is the minimum you should choose
- Click Cleaner on the left
- Make sure they all the items are checked under Windows Explorer
Another thing I do is set CCleaner to perform a clean when the user logs into the machine and every hour thereafter. Cleaning your computer automatically will help with managing this program as you will not have to remember to manually run the program every so often. One drawback with this method however is if an application is using temporary data that is erased by CCleaner, the application might perform incorrectly or stop working altogether.
Try it out - Setting up CCleaner to automatically run (Windows Vista/7)
- Start CCleaner and select Options on the left
- Check Save all settings to INI file under the Advanced tab
- Open the Start Menu and enter Task Scheduler into the search box
- Click on the Action header in the menu bar and select Create Basic Task
- Follow the steps of the wizard to create the task. In the first window, name the task and give it a description to help you remember what it is later
- On the next page, select how often you want this to run. I checked the When I log on check box
- Select the option labeled Start a program on the next page
- Hit Browse and navigate to the directory you installed CCleaner to. Add /AUTO to the text field labeled Add arguments
- Click Finish
Finally, for those of you who switched to Windows 8 should know about the app data. Windows 8 for starters has made significant strides over Windows 7 in respects to the interface. They have added the Metro interface which hosts a plethora of apps that can possibly leak important data. Two such apps are the Windows Photos and Windows Video. When viewing a photo or video, you can immediately see that the photo or video cap is cached as they are still apparent even after the material is deleted. Obviously, you can see the glaring issue with this when it concerns security.
I have not too much research on the matter, so I am going to be brief. For starters, all your apps are located in your appdata folder. Specifically, the folder paths are as follows (per user settings):
- Location of all your apps: C:\Users\"Username"\AppData\Lo cal\Packages
- Windows Photos: C:\Users\"Username"\AppData\Lo cal\Packages\microsoft.windows photos_8wekyb3d8bbwe\LocalStat e
When the app is closed the cached images no longer appear on the Metro interface. Furthermore, the cached images don't appear when you open the app again. I did some more investigating into Windows Photos and notice that several files get increasingly larger after I view images in the Windows Photos app â€“ even after the app is closed. Specifically, those files are the Microsoft.WindowsLive.ModernPh otos.etl, Microsoft.WindowsLive.ModernPh otosLast.etl, and ModernPhoto.edb. Other files exist that show the last 5 images that were cycled through on the Windows Photos Metro app. These files are LargeTile1(through 5) and SmallTile1(through 5). The latter files should not be an issue unless they contained sensitive images.
I cannot read what is actually contained within the files themselves, but I can be reasonably sure that with everything Windows, image previews are being cached and stored to limit I/O usage and speed up the loading process. Saying this, it is recommended that you delete these files securely if you accidently â€“ or purposely â€“ open pictures using the Windows Pictures app (and it is going to happen, trust me). To do this you should close the Pictures app (from the gesture on the left side or the task manager) and securely erase those files using a program of choice.
When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail profile you used when logging into Windows 8, that name will be automatically embedded as metadata in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading anything sensitive. If you use Bing which is the default search provider and included pre-installed as an app, you should know that Bing creates a separate web history of its own and stored the data over the internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS, which is not used on Windows 8 devices moreso is it used with Windows Server 2012 (Windows Server . Also, with the advent of Office 2013, the default location that the documents will be saved is Windows Skydrive; so you can see how that might be a security concern if you save something sensitive without looking. Concerning content saved to Windows Skydrive, here is part of Microsoft's TOA:
You will not upload, post, transmit, transfer, distribute, or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:So, they scan your documents (and pictures) for anything that violates its TOA, and if they find anything, you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 account will have to be re-created, your XBOX live and Skydrive account will be disabled as well. They also actively scan for child pornography so make sure you don't accidentally save to a Skydrive account either. This seems like a huge invasion of privacy digging deep within all your documents and pictures (even if it is automatic) and the repercussions can be immense.
â€¢ depicts nudity of any sort, including full or partial human nudity, or nudity in nonhuman forms such as cartoons, fantasy art or manga.
â€¢ incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence.
When you open a folder in Windows Explorer and customize the GUI display Windows uses the Shellbag keys to store user preferences. Everything from visible columns to display mode (icons, details, list, etc.) to sort order are tracked. If you have ever made changes to a folder and returned to that folder to find your new preferences intact, then you have seen Shellbags in action. In the paper “Using shellbag information to reconstruct user activities”, the authors write that "Shellbag information is available only for folders that have been opened and closed in Windows Explorer at least once.” So basically, if you visit that folder, a shellbag is created.
Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key). In some cases, historical file listings are available. This means that even if you dismount a drive (let’s say you are only using a TrueCrypt container) or delete a folder, the folders that you opened will still be recorded. Normally, this would not be an issue because just the folder names are recorded here, but if you name your folder to that of something sensitive and the name alludes to criminal activity, you will be in trouble.
Windows uses the following Registry keys to save the folders information:
- HKEY_CURRENT_USER\Software\Mic rosoft\Windows\ShellNoRoam
- HKEY_CURRENT_USER\Software\Mic rosoft\Windows\Shell
- HKEY_CURRENT_USER\Software\Cla sses\Local Settings\Software\Microsoft\Wi ndows\Shell (Only in Windows Vista)
If you are curious as to what forensic data can be found out by using shellbags, a good program to view all of the shellbags is Shellbag Analyzer and can be found here. You can also remove the shellbags that contain sensitive information that you wish not be found.
To disable them all together you can do this:
Navigate here in the Registry (if you do not know what you are doing, then I DO NOT RECOMMEND THIS): [HKEY_CURRENT_USER\Software\Cla sses\Local Settings\Software\Microsoft\Wi ndows\Shell]
Left-click on the Shell key and in the right pane, if you can see BagMRU Size then there is no need to undertake this step. If it isn't there however, right-click and select New>DWORD 32-bit Value and name it BagMRU Size. Now set this value to 0 in Decimal view. In Windows 8, set the value to 1 (thanks to whomever pointed this out to me).
4.11 Prefetching and Timestamps
To start, there is a feature that began with Windows XP that is known as Windows Prefetching. Windows Prefetch files are designed to speed up the application startup process. Prefetch files contain the name of the executable (the program you are running), a Unicode list of DLLs (Dynamic Link Libraries; files that supports the program in order to run) used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. This means that if you are trying to use programs such as TrueCrypt or secure deletion programs or other file encryption programs, a Prefetch file will be created thus alerting the forensic investigators. This is not usually an issue unless you are trying to counter forensic techniques without letting the investigator know.
An example where Prefetching is troublesome is when you are trying to change the Windows Timestamps for files. Every time a file is created, accessed, or modified a Timestamp is created. Changing the timestamps are a good idea to throw the investigators off. Also, it is easy to change as there are programs that can do that for you. A popular program is TimeStop; but an investigator can investigate the Prefetch file and determine that the program was run. When this happens they can be reasonably certain that the timestamps were changed maliciously. So, before you download the file I would pack the file using a program such as UPX (Ultimate Packer for eXecutables). This will change the hash of the file so the investigator does not know TimeStop was used when examining the Prefetch files.
4.12 Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log that you can read by using Event Viewer. An investigator can determine security related information (These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful), application and service information, and more. As security information is not incriminating, investigators can tell when you attempted to log in and out of the computer, which can correspond to suspected times. Also, application data might not be incriminating, but depending on what the application actually logs, file names and other incriminating evidence might be recorded.
Try it out â€“ Erase event logs
- Open the Start Menu and go to Control Panel
- Click on Administrative Tools and open Event Viewer
- Expand Windows Logs on the left
- Right-click Application, Security, and System and click Clear Logâ€¦
4.13 Printers, Print Jobs, and Copiers
There are several things that you should be concerned about when printing sensitive documents. Print data might be left on your computer, on the printer's hard drive, or through transit. Before you can know where to look, you must first know how Windows prints a document. When you send something to a printer the document is first spooled and two files are created in the c:\windows\system32\spool\prin ters folder. These two files are the shadow file and a spool file. The files are named as complimentary pairs; for example, one job sent to the printer results in the creation of one FP00007.SDH file and one FP00001.SPL file for the same job, while the next job will create FP00002.SDH and FP00002.SPL.
The shadow file (.SHD) can contain information about the job itself, such as the printer name, computer name, files accessed to enable printing, user account that created the print job, the selected print processor and format, the application used to print the file, and the name of the printed file (which can be the URL if a file is printed from the web). All of this data can be seen in Unicode using a hex editor or forensic software.
Spool files (.SPL) on the other hand contain the actual data to be printed. This means that if you print a picture for example, a copy of the picture is created and temporarily stored in the spool folder. Next, the print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is an error whereas the document waits in the queue list, these files can easily be read and the contents of the file revealed. It is also important to note that these two files were deleted insecurely, so there is the possibility of recovery.
Since 2002, every copier has the capacity to store copies of the documents that are copied or printed. Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the copier. This means that printed documents and copies might be stored on the printer's hard drive, or they might be recoverable if they were already deleted. There is also a security concern whereas printed documents can be tied to specific printers. Lastly, print documents can be captured if you are sending them to a printer that is located over the network. Currently, it is up to the manufacturer to provide security when sending jobs to a printer.
Try it out - Read spool data
- I am going to assume that you already have a printer installed on your machine
- Disconnect the printer's power source. This will allow us to view the .SHD file and the .SPL file
- Send a print job to that printer that you just disconnected
- Open Windows Explorer and in the address bar, type in %windir%\ System32\spool\PRINTERS
- You should notice the two files I mentioned: a .SHD file and a .SPL file. If you have more than two files, then you might have additional print jobs in the queue
- Select the file with the extension .SPL, right-click and select Copy. Paste the file in the location of your choice.
- Download and install the program SPLView from the manufacturer's website: https://www.lvbprint.de/html/splviewer1.html
- Either open the file from within SPLView, or if you associate the .SPL extension with the program, you can simply double-click the file
- To view SHD file, I recommend downloading a using SPLViewer: https://www.undocprint.org/_media/for...ol/splview.zip. If the file is locked, you can follow Try it out â€“ removing services in section 5.2, and disable the Print Spooler service
- Turn the printer back on to finish printing the document or delete the files when the Print Spooler service is stopped (Try it out â€“ removing services in section 5.2)
4.14 Cameras, Pictures, and Metadata
Metadata may be written into a digital photo file that will identify who owns it, copyright & contact information, what camera created the file, along with exposure information and descriptive information such as keywords about the photo, making the file searchable on the computer and/or the Internet. Some metadata is written by the camera and some is input by the photographer and/or software after downloading to a computer.
EXIF information, the Exchangeable Image File format, describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information. In some instances, especially with the use of cameras in cell phones, the location where the picture was taken might also be embedded with the use of geocaching. Furthermore, the images contain metadata images themselves that can reveal the image before any editing was done. This information should be removed before the photo is shared with someone else or stored unprotected.
To remove EXIF information from an image, or a batch of images, you will need to get a special program that strips this data. I recommend the program BatchPurifier that can remove this information from batch of files or a single file. A good program to read EXIF information from PEG, TIFF and EEIX template files is Opanda IEXIF. If you want to remove metadata from a RAW image, you will need to get a separate program such as Exiv2. Opanda IEXIF can’t remove the data, but it can show you what data is contained within each picture that you take (unless you purchase the professional version).
You cannot stop cameras from recording metadata and embedding them in pictures, so the above steps are the only way to ensure the pictures are clean. To further clean the image that you took, you will want to crop and remove identifiable information contained within the actual pictures itself. The best program that can do this is Adobe Photoshop, but a good, free program is Gimp. Identifiable information should include names, faces, logos, labels, prescriptions, anything that includes handwriting, toys specific to a particular regions or store, etc.
It is also important to know that digital cameras leave a telltale fingerprint buried in the pixels of every image they capture. Now forensic scientists can use this fingerprint to tell what camera model was used to take a shot. Furthermore, these scientists can tell the specific camera that took a specific picture if they had the camera in hand. I would either use a separate camera for on-topic material or change the photo by either resizing or re-rendering the image after making global changes (blurring, filtering, etc.). Photoshop, Paint.Net, or GIMP are all good program that enable you to edit a photo without making changes to the original. This allows you to go back and make further changes (or undo changes) in the future if needed.
You should also know that pictures are not the only material that can contain sensitive information. Documents can include Microsoft Office® documents (Word, Excel, PowerPoint), OpenOffice.org documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG, SVG, AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best to either remove the data from these files before sharing them or it is best not to share them all together. You should know that changing the file extension does not trick the investigators. They use file header information to gather pictures/videos. Click here for a good list.
For example: When we look at a jpeg header there are multiple parts we can use to identify the type of image and formats used. The first part to look at is the first two bytes of the file. The hex values FF D8 will identify the start of the image file. This is often enough to know that you have an actual JPEG file. The next two bytes are the Application marker typically FF E0. This marker can change depending on the application used to modify or save the image. I have seen this marker as FF E1 when pictures were created by Canon digital cameras. The next two bytes are skipped. Read the next five bytes to identify specifically the application marker. This would typically be 4A 46 49 46 (JFIF) and 00 to terminate the string. Normally this zero terminated string will be "JFIF" but using the previous example of Canon digital cameras this string will be 45 78 69 66 (Exif). Most image editors handle all JPEG formats unless a proprietary format is used that does not follow the JPEG standard.
Case: During an investigation into an internal child porn ring, detectives tracked down a toy bunny, seen in a photo, was used to trace the suspect to Amsterdam. Investigators have discovered that the bunny was a character in a children's book popular in the Netherlands. The detective also traced the boy's orange sweater to a small Amsterdam store that had sold only 20 others like it. That led to the capture and arrest of 43 other individuals.
As we are talking about pictures, you should also be concerned what is in the pictures themselves. Law Enforcement Agencies have teams of analysts that pick apart background data to determine names, addresses, geographic data, demographics, and etc. As the case provided, detectives were able to determine where the suspect lived based on a toy bunny and an orange sweatshirt as seen in one of the photos. You should attempt to remove all information that includes names, dates, addresses, paraphernalia or anything in nature that is region specific, or anything else that can be identifiable. Tattoos, and other body parts (not specific to the face) are identifiable too. For example, characteristics on the genitalia can be linked to a specific person. Recently, somebody was taking photos of his underage daughter and posting them online. The problem is he posted one with a clear view of a prescription bottle in the background and got busted. They were able to use that information to locate the individual.
When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though some investigators have recently been able to reverse the blurring process and render this useless) and the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes replace the background altogether. If you really want to get involved, you can change physical features such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a photo making it harder for someone to identify you. Also, if done correctly, it will enhance the photo visually and the presentation will be much better.
4.15 USB Information
Whenever a device is plugged into the system, information about that device is stored in the registry and the setupapi.log file (Windows XP and earlier). The registry key can be found here: HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Enum\USBSTOR and the setupapi.log file can be found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about every device that was plugged into your computer via the USB. The setupapi.log file contains information about device changes, driver changes, and major system changes, such as service pack installations and hotfix installations.
To delete this registry key and or subkeys you must first right-click the key and choose permissions. You can then set the "everyone" group with full permission to the key or subkeys so that they can then be deleted. I'm sure it isn't too difficult to whip up a script or piece of software to automate this. Also, if you have system restore enabled, the information might be contained in there as well. The setupapi.log file should be securely deleted as you would with anything sensitive. As pointed out to me by a forum that I frequent, here is a program that will do this for you: https://code.google.com/p/usboblivion/.
4.16 SSD - Solid State Drives
Unlike HDDs, SSDs have a feature known as a garbage collector wherein cells that are marked to be deleted are permanently erased in the background, usually within several minutes of being deleted. It is important to know that this process happens on the SSD hardware level, so simply leaving the SSD powered on regardless if it is attached to anything will result in the destruction of the data (also known as self-corrosion). Even though SSD's implement garbage collecting, encrypting or securely deleting the device is hard.
SSD's use load balancing, which is a feature that evenly balances I/O operations between allocation pools. This means that when you attempt to encrypt or delete a bit of data, it will move past the actual to the next bit. Also, SSDs should not be encrypted using programs that are meant to encrypt HDs because of another feature called "wear leveling". TrueCrypt for example recommends that "TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that TrueCrypt is not used to encrypt any portions of such devices or filesystems)". You should know however, that was referring to existing data already stored on the hard drive. New data that has not been written to the disk will be secured because it is encrypted before physical storage on the hard drive. This still can allow for data leaks, so it is still not recommended.
On the SSDs you cannot save to a specific sector on the drive therefor if it theoretically possible that there are multiple instances of the same data stored on the drive. Let's say for example that you change the TrueCrypt volume header; the old header might still be accessible on the drive as you cannot write over it individually. An attacker, knowing this information can attack the container using the old header information.
4.17 Forensic Software Tools
Category of ToolsExamplesChat recovery toolsChat ExaminerComputer activity tracking toolsVisual TimeAnalyserDisk imaging softwareSnapBack DatArrest, SafeBack, HelixE-mail recovery toolsEmail Examiner, Network and Email ExaminerFile deletion toolsPDWipe, Darik's Boot and Nuke, BlanccoFile integrity checkersFileMon, File Date Time Extractor, Decode-Forensic Date/Time DecoderForensic work environmentsX-Ways ForensicsInternet history viewersCookie Decoder, Cookie View, Cache View, FavURLView, NetAnalysis, Internet Evidence FinderLinux/UNIX toolsLtools, MtoolsMultipurpose tools and tool kitsMaresware, LC Technologies Software, WinHEX Specialist Edition, ProDiscover DFT, NTI Tools, Access Data, FTK, EnCasePartition managersPartimagePassword recovery tools@Stake, Decryption Collection Enterprise, AIM Password Decoder, Microsoft Access Database Password Decoder, Cain and Able, OphcrackSlack space and data recovery toolsOntrack Easy Recovery, Paraben Device Seizure 1.0, Forensic Sorter, Directory SnoopSpecialized software for analyzing registries, finding open ports, patching file bytes, simplifying log file analysis, removing plug-ins, examining P2Psoftware, and examining SIM cards and various brands of phonesRegistry Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer, Vision, Autoruns, Autostart Viewer, Patchit, PyFlag, Pasco Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager for Nokia phone, SIM Card SeizureText search toolsEvidor
Service and data continuity is the activity performed by you to ensure that files and services will be available to yourself and others for the applicable lifetime. There are several methods to provide continued support including: backing up data, using controls and techniques to restrict access, and implementing controls on servers, networks, and other devices. This step is often overlooked when securing your information but assures availability is met.
5.1 Security Concerns with Backups
To start, Windows backup and restore is a feature of Windows and does exactly as it implies; it backs up your data. Without much explanation, there are three types of Windows backups: full, differential, and incremental. A full backup provides a backup regardless of previous backups. A Differential backup only backs up data that was changed since the last full backup and an incremental backup backs up data that was changed from the last full backup, or the last incremental backup.
I know I am stating the obvious, but make sure that you do not backup anything that is confidential. Whether by accident or on purpose, once you backup sensitive data, it does not matter if you remove the file from your computer because a copy is already made. Personally, I keep all my sensitive information in an encrypted container by itself so I don't confuse it with my other stuff. After I move all of my sensitive information into a container by itself I have ensured two things, 1) my information is secured and 2) nothing is being backed up this is not supposed to.
5.2 Security Concerns with Sleep and Hibernation
There are two other features with Windows that you should know of: sleep and hibernation. If you need to walk away from your laptop for a small â€“or extended â€“ period of time but want your Windows session to resume quickly, you will use either of these two features. The difference is that with sleep mode, your computer stores everything in memory and with hibernation mode, everything in RAM is saved to your hard drive. Sleep is for short-term storage and hibernation is for long term storage.
If you use sleep or hibernation, the encryption keys and everything else that is open at that time is saved, allowing a third party to bypass the security measures you have in place. For example, everything that you have opened at this moment, including mounted containers and open documents, will be viewable by forensic investigators. The best mitigation technique is not to use them or to disable both hibernation and sleep altogether.
Note: Windows 8, the latest Operation System Microsoft is coming out with hibernates the system kernel, but does not put memory in storage
5.3 Ensuring Information and Service Continuity
Keeping a backup of all your private/sensitive materials is a good idea for the continuity of such data, as long as that data is secure. Securely storing data has been discussed in another section, so I will only make a recommendation. I would create a container with TrueCrypt and store all sensitive data within that container before saving the backup somewhere else. Doing this will achieve two goals in the CIA triad, confidentiality and availability.
There are two locations that need to be considered when backing up data: locally and remotely. A local copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed up data. But what if a natural disaster or a fire occurs and it destroys both your computer and your local backup device? This is where a remote backup solution comes in; it prevents data loss in off-chance that this happens. Common methods of remote backups are remote backup services, tapes, external drives, or hosted services. Another common method is finding someone else in another location (another state preferably) and you each keep a backup for one another.
For example: let’s say that I have a friend (okay, I did say as an example) and that friend lives in another state. One good way that I can back up my data at his place and his at mine, is we setup a VPN to connect our networks together. This way, we can send the files securely over the internet without much complication. Make sure however, that you trust the other party as they will have your Public IP Address. Another device that allows for storage redundancy is a RAID device. RAID (redundant array of independent disks) is a storage technology that combines multiple disk drive components into a logical unit. Basically, it is a device that is comprised of several disks for the purpose that if one (or more) drive(s) fail, data is not lost. This can come in the form of a RAID controller (or software controller) on your computer, or a network device (such as a NAS box). A NAS box is a Network Attached Storage and is a device that plugs into your network so you can backup multiple devices. These devices are standalone devices and usually have RAID functionality.
There are a few more solutions if you are going to set up a service that you host and are concerned with continuity and service availability. All these methods are assuming that you have multiple servers available and can configure them and the network they reside in. Firstly, you can configure the site for mirroring which is the act is creating an exact copy of one server to another server. Clustering (or failover clustering) is another method of ensuring availability as it is a group of devices that act as a single device. When one device fails in a cluster, another device starts providing the service (a process known as a failover). And finally, you can implement load balancing on your network which distributes the traffic load between several devices in your network.
5.4 DoS and DDoS attacks
DoS (Denial of Service) attacks are the acts of making resources for legitimate users unavailable. DDoS (Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even thousands) of machines to disrupt access to resources. Usually this is performed by flooding the service with ICMP packets forcing the router (or server) to respond to the attackers’ request (by replying to the ICMP packet). Other attacks including sending malformed ICMP packets, flooding the site with resource requests, or SYN flood attacks.
Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways: the attacker can send too many packets or they can send malformed packets. For example, Windows has a packet size limit of 65500. So anything received that is higher, might crash the machine or enable the attacker to successfully perform a privilege escalation attack. Flooding the site with requests for resources (videos, pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with Tor sites.
These attacks are mostly an issue that has to be prevented with hardware controls versus implementations within the website itself. Assuming that you are hosting and managing the website and the server the website resides on, you can implement ingress filtering on your network to help block some of the attack. The backscatter traceback method is a good strategy for that. Also, I would block ICMP packets on your external interface (WAN interface). You should also make sure that all "unallocated source address'" are blocked. This means that you should block all packets with private IP address that are coming into your network. You cannot stop DDoS attacks, only mitigate the effect.
Another type of DoS attack is known as an Application layer DoS attack. This type of attack bypasses the firewall as it uses legitimate traffic to attack the service directly. Application-layer attacks can affect many different applications. A lot of them target HTTP, in which case they aim to exhaust the resource limits of Web services. Often, they are customized to target a particular Web application by making requests that tie up resources deep inside the affected network. These attacks are typically more efficient than TCP- or UDP-based attacks, requiring fewer network connections to achieve their malicious purposes. They are also harder to detect, both because they don’t involve large amounts of traffic and because they look similar to normal benign traffic.
Tools for DDoS attacks
To initiate DDoS attacks, you will need to right tools based on your preferences and other factors such as your platform of attack. The following are samples of DDoS attack tools:
- Low Orbit Ion Cannon - LOIC attacks a server by flooding the server with TCP or UPD traffic. Specifically, it mostly floods the server with ICMP traffic which is ping traffic
- Trinoo - Trinoo is easy to use and has the ability to command and control many systems to launch an attack
- Tribal Flood Network - TFN can launch ICMP, ICMP Smurf, UDP, and SYN Flood attacks against a victim. This tool was the first publically available DDoS tool
- Stacheldraht - This tool features that are seen in both Trinoo and TFN and sends commands via ICMP and TCP packets to coordinate an attack. Another feature of Stacheldraht is that it can encrypt the communication between the client to the handlers
- TFN2K - An upgrade to TFN, this program offers some more advanced features including spoofing of packets and port configuration options
- Shaft - This works much the same way as Trinoo except it includes the ability for the client to configure the size of the flooding packets and the duration of the attack
- MStream - This program utilizes spoofed TCP packets to attack a designated victim
- Trinity - This performs several DDoS functions including: fraggle, fragment, SYN, RST, ACK, and others
- Slowloris - Application-layer attack that is a HTTP GET-based attack. The basic idea is simple: a limited number of machines, or even a single machine, can disable a Web server by sending partial HTTP requests that proliferate endlessly, update slowly, and never close
- SlowPost - This attack works in somewhat the same way as Slowloris, except that it uses HTTP POST commands—transmitted very, very slowly—instead of GETs to tie up Web services
- SIP INVITE Flood - The two attacks above both target HTTP; this one is a VoIP flood that targets SIP (Session Initiation Protocol)
- Torshammer - Slow post DOS testing tool written in Python. It can also be run through the Tor network to be anonymized
Do do they mean?
Let me take a second to define some of the attack turns as presented above:
- ICMP DOS â€“ An attacker can use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection
- ICMP packet magnification - An attacker sends forged ICMP packets to bring down a host. As an example (as presented above), Windows has a packet size limit of 65500. So anything received that is higher will be fragmented. Since the machine cannot reassemble the packet, it might crash or reboot
- ICMP Smurf attack - An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. Doing this will tell all the systems on the network (inside the broadcast domain) to send ICMP echo replies to the victim, consuming the targets available bandwidth
- SYN flood attacks â€“ A SYN flood attack takes advantage of the TCP three-way handshake. In normal communication between a client and a server, the client sends a SYN message. The server returns a message called an ACK, which stands for acknowledged, to the client. The client then returns an ACK message back to the server. A SYN flood attacks spoofs the IP address thereby forcing the server to keep open the connection while waiting for the ACK message (which is never sent) from the client and uses resources in the process. Flooding the server with ACK messages causes its resources to dwindle, and the server becomes slow or unresponsive to other clients
- RST attacks â€“ This attack works by injecting RST packets into TCP packets tricking the server to close the connection. RST attacks are performed against other users trying to use a particular resource
- Fraggle attacks â€“ Fraggle attacks are similar to Smurf attacks except that Fraggle attacks uses UDP packets instead of TCP packets
6. System Hardening
System hardening is the process of securing a system by reducing its surface of vulnerability (attack surface). A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. We will also go over several other risk mitigating methods when dealing with Windows. This will include the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.
In the security field, an attack surface is the components of a system that an attacker can use to break into the system.
6.1 Uninstall Unnecessary Software
The first step in hardening a system is to remove unnecessary programs. Start by removing unnecessary third party programs that are installed on the machine. You also want to look at programs that were installed when downloading or installing other products, whether intentional or not. For example, when you purchase a machine there is a bunch of software that comes preinstalled that you probably never use. I would recommend reviewing everything that is installed and remove all software that you do not need.
Try it out â€“ Uninstalling software
- Open the Start Menu and go to Control Panel
- Select Uninstall a program or Add/Remove Program
- Right-click the unnecessary programs from the list and click Uninstall
6.2 Disable Unnecessary Services
Once all of the software has been uninstalled from the machine, you should then start by disabling all of the unnecessary services that are running in the background. Each service will provide support for the application that they support; many of them providing functionality for Windows. You should get a listing of all the system services running on the system and evaluate whether each service is needed. Also know that I am more referring to third-party services versus Windows services. Make sure to do your research on each service before disabling anything.
Try it out â€“ Removing services
- Open the Start Menu and go to Control Panel
- Select Administrative Tools and open Services
- Review and identify each unnecessary service
- Right-click the unnecessary service and select Disabled in the dropdown box next to Startup type. Stop the service and press OK
6.3 Disable Unnecessary Accounts
An aspect that is overlooked often is disabling accounts that are not currently being used. You will need to determine if you need information from that account (if you remove account data) or to use services that can only be used from within that account. Windows XP has the administrative account enabled with a blank password be default whereas Windows Vista and 7 disable the account by default. Also, a quick word from the real world, make sure when creating a user account to not use anything that can possibly identity you as doing something illegal. A real world example, someone actually created a separate account name “childporn”, so he can hide all his illegal materials in that account. Better yet, he hid all materials in a folder on his desktop named “childporn”! Not only can forensic investigators see all the accounts that are currently on the machine, but they can see previously deleted accounts as well.
Try it out - Removing user accounts
- Open the Start Menu and go to Control Panel
- Expand User Accounts and select the account you wish to delete
- Click Delete the account
Note: One good recommendation is to create and use a standard account with no Administrative privileges. This way, if a virus is executed, it only has the privileges of the account that you are in.
What I meant by that, if all the account data is contained in the Windows Registry and will contain user accounts that are being used now and those that were deleted from within the Control Panel. For this reason, forensics investigators use the registry keys when performing the analysis. Furthermore, they can view other sensitive artifacts from the users unique registry is they are left intact. The location to the registry keys that contain the user information is here: HKEY_LOCAL_MACHINE\SOFTWARE\Mi crosoft\Windows NT\CurrentVersion\ProfileList
As you can tell from the image, the selected user account has the username of admin. This can be seen from the ProfileImagePath registry key. Remember the SID for later use. Once you have gone through all the keys under ProfileList and have located yours, you can right-click the key as shown in the image above and selecting Delete. Now that you have deleted the user account from the registry, you should now delete the actual user data from the registry as well. You should now navigate to HKEY_USERS\%SID% to remove the data for the current user. This data can include recent file lists, open file dialogs, shell bags, etc.
Finally, you should locate the profile path in Explorer to remove all files that are contained within the hierarchy. For Windows Vista/7/8, the location will be C:\Users\%username% and for XP, this path will be C:\Documents and Settings\%username%. This should be done securely to ensure that no data can be recovered.
6.4 Update and Patch Windows and Other Applications
Another step in hardening the system is updating the Operation System and all software installed on the machine. When you patch the system, you are applying security fixes to known vulnerabilities to the software that is running on the system. These vulnerabilities are what remote attackers use to gain access to the system. Without patching the system, you are opening up your machine to attack by these malicious hackers.
Windows updates should be enabled as they provide many fixes concerning Windows security. Individual software and applications should also be updated as soon as a known stable version of the update is available. Usually, when vendors release an update, they are stable unless stated otherwise. I recommend the use of a tool that checks the programs installed on the machine and reports the ones that are out-of-date. A good program for this purpose is Secunia PSI. This program will constantly check the programs installed on your machine and report which ones are out-of-date, which ones are scheduled for an update, and which ones can be updated manually.
Note: A program that I would recommend looking into is Microsoft Baseline Security Analyzer (MBSA) which is a free security and vulnerability assessment (VA) scan tool to improve security management process and assess or determine security state in accordance with Microsoft security recommendations and offers specific remediation guidance.
6.5 Password Protection
A final practice you should incorporate in system hardening is password protecting your devices. On your computer, you should make sure that all of the user accounts that are enabled are password protected. This is especially true when folder shares are involved. Make sure that the passwords on your machine are all strong so an attacker cannot use that account to gain access to your machine. For example, Windows shares you primary drive that can be explored over the network. Worse yet, when you mount a TrueCrypt container in Windows; that will be shared as well!
Try it out â€“ Password protect computer accounts
- Open the Start Menu and go to Control Panel
- Expand User Accounts and select the account you want to create a password for
- Click Change Password
Try it out â€“ Explore your computer from another machine
- Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in Search Programs and Features. A black box should pop up
- Type in ipconfig and under the adapter you are using, record the IP address next to IPv4 (example: 192.168.1.5) *rarely will people use IPv6
- Hop onto the other computer and open up Windows Explorer
- In the address are, type in â€˜\\' followed by your computers IP address finished with a â€˜\', your drive letter and a â€˜$' (usually C). For example, I type in \\192.168.1.5\C$
- You will be prompted to enter the username and password for your machine
Note: When you mount a TrueCrypt container in Windows, it can be explored though another computer in the network using an account in Windows if they have the correct permission. For this reason, make sure that your Windows password is not easily guessed! You can test this out by trying the Try it out â€“ Explore your computer from another machine and replacing the "C$" with whatever the TrueCrypt container is. You can also see if your container is mounted via Windows Shares and if is, you can stop the share. Also, I would change the permissions for the TrueCrypt file.
7. Antivirus, Firewalls, DLP's, and HIDS's
Malware, short for malicious software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. This is not only annoying, but if malware is running on your machine, your security is at risk. Notice that all these solutions can be either hardware or software. Hardware solutions are usually on the perimeter as in the form of an all in one device (SonicWall or Fortigate for example).
'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software. This software comes in several different flavors, but we will only be talking about Spyware and Trojan Horses. Trojan horses are often delivered through an email message where it masquerades as an image or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities in web browser software such as Microsoft Internet Explorer. Spyware on the other hand covertly monitors your activity on your computer, gathering personal information, such as usernames, passwords, account numbers, files, and even driver’s license or social security numbers.
Antivirus software can protect you from viruses, worms, Trojan horse and other types of malicious programs. More recent versions of antivirus programs can also protect from spyware and potentially unwanted programs such as adware. Having security software gives you control over software you may not want and protects you from online threats is essential to staying safe on the Internet. Your antivirus and antispyware software should be configured to update itself, and it should do so every time you connect to the Internet.
Case: The Computer and Internet Protocol Address Verifier (CIPAV) is an illegal data gathering tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on suspects under electronic surveillance. The software operates on the target computer much like other forms of illegal spyware, whereas it is unknown to the operator that the software has been installed and is monitoring and reporting on their activities.
The CIPAV captures location-related information, such as: IP address, MAC address, open ports, running programs, operating system and installed application registration and version information, default web browser, and last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.
7.2 Hardware Keyloggers
Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users' keystrokes, including sensitive passwords. They can be implemented via BIOS-level firmware, or alternatively, via a device plugged inline between a computer keyboard and a computer. They log all keyboard activity to their internal memory. Hardware keyloggers have an advantage over software keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able to intercept passwords for the BIOS or disk encryption software).
You might think that physical inspections are one way to defend against hardware keyloggers, but it is not. Nor is using a wireless keyboard, as that sort of keylogger, doesn't necessarily have to be hidden outside of the keyboard. A dedicated attacker may just as well place an extra chip inside of the keyboard or replace it all together by a manipulated keyboard of the same model to record keystrokes without any obvious visual cues. So, the best way may to the use different keyboard layouts before entering the password. Furthermore, you can also enter random data within the password and going back to remove them later. And finally, you can use tokens as well as a password when logging into your computer.
A firewall is usually your computer's first line of defense-it controls who and what can communicate with your computer online. You could think of a firewall as a sort of "policeman" that watches all the data attempting to flow in and out of your computer, allowing communications that it knows are safe and blocking "bad" traffic such as attacks from ever reaching your computer. Configuring your firewall can prevent Spyware or other confidential data from leaving your network entirely. It can also prevent remote attackers from "hacking" into your computer. Most AIO (all-in-one) security solutions such as Norton or McAfee or BitDefender have a firewall built in. For a free firewall, Comodo firewall is a good alternative: https://personalfirewall.comodo.com/.
Note: In most Linux distros including Redhat / CentOS / Fedora Linux installs iptables by default. It has become a standard option in all distros. If it is not installed, you can use the command yum install iptables or apt-get install iptables if you are using Ubuntu.
Data leakage prevention solution is a system that is designed to detect potential data breach incidents in timely manner and prevent them by monitoring data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). Importantly, personal DLP software can protect you from accidently disclosing confidential or sensitive data. Some AIO security software does this as well as free software.
The principle operation of a HIDS depends on the fact that successful intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming, botnet activity, spyware-usage etc.) they envisage.
In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet Explorer leaks, DLL injections, malware drivers, etc. HIDS's are installed on your machine and a baseline must be performed before HIDS's can detect any anomalies. Many anti-virus programs have a basic HIDS built into the software as an added feature.
Network IDS's on the other hand sit on your network to monitor all traffic coming into your network to alert you to any attacks. There are several methods of detecting an attack including anomaly based detection and signature based detection. Also, there is either a passive or active based detection depending on if you want the IDS to actually take action or not. You should know when setting up an IDS, that there will be false positives as it takes a while for the IDS to learn and for you to teach. Also, you will need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in businesses.
7.6 Other Considerations
8. Networks and Networking Protocols
Keeping your network secure is a must to ensure to keep intruders out and your information from getting into the wrong hands. Furthermore, it protects you from other people hopping on your network, doing something illegal, and having the evidence point to you. Network security covers a variety of computer networks, both public and private, and you should concern yourself with both. This chapter will explain some of the common methods of security and a brief introduction on a few networking terms as well as security concerns when hopping on another person's network. This will include both hardware and software methods to ensure this security.
8.1 Intro to Networking
Before we being diving into this section, we are going to discuss the fundamentals of networking. If you are wondering why, it’s because we are going to use networking terminology and the functionality they serve. So the first question you may ask will be answered first. What is a network?
A computer network or data network is a telecommunications network that allows computers to exchange data. There are two types of networks: a public and a private network. A private network is typically the devices within your home or place of business. Within the private network, you have interconnected devices such as computers, gaming devices, phones, media servers, and etc. Then we have a public network, which is an interconnected network of private networks reachable on the internet.
Now that you know what a network is, we are moving on to how these devices in a network physically connect to each other. Inside a private network, all the devices that connect via a cable (also called Ethernet cables), are plugged into a network switch – or the less popular device known as a network hub. I specify network switch as there are a couple different types of switches. Switches provide more speed and security then network hubs. We won’t get into the security features in this guide.
I will state later on in this guide that if the administrator of the network device is using a hub, they can capture all data easily. Most of you are familiar with a basic home router. But most of you don’t know that with a home router, the ports in the back are actually switch ports, which is built into the router itself. There are two primary differences between hubs and switches: hubs are half-duplex whereas switches are full-duplex and hubs have one collision domain versus switches which has a collision domain per port. Basically, full duplex means the hubs can send and receive information at the same time whereas half-duplex devices cannot. Wireless devices send data in half-duplex mode as well; this is one reason why wireless connections are slower than wired connections.
A network collision occurs when more than one device attempts to send a packet on a network segment at the same time. And a collision domain defines where packets can collide with one another. So for example, let’s say you have a 5 port hub. A hub has one collision domain; so all the information being sent through any one of those ports can collide with any data from the same port or another port. If you are plugged into port 1, information will be sent to port 1, 2, 3, 4, and 5. A switch on the other hand may have 5 ports, but each port only transfers packets through the host that is using that port. So, port 1 transfers packets only through port 1, port 2 through port 2, port 3 through port 3, and so on. I also said that a switch can send and receive packets at the same time, make collisions near impossible. As you can see in the illustration, when Host A wants to send information to Host B, a hub sends the data to all ports and a switch only sends the data to the port Host B resides on. An attacker can sit on Host C or D and capture all the traffic coming from another device.
Now you know how device are connected within a private network; with the use of switches. Next, we are going to talk about how different networks connect with one another and how devices within a network can talk with each other. Remember though; this is an intro to networking, so I will not be going into any technical details. Saying that, a group of networks are connected with one another using a router. And a router does just as the name implies; it routes between two or more networks. Look below for a basic network diagram.
So, let’s talk about the illustration above to learn more about how these devices communicate. As you can see, two or more networks communicate via a router. This can be seen in the diagram as Router A and Router B and specify two different types of networks. Branching off from the routers, a network switch is used. Again, the switch’s connects the devices within the network and the router routes traffic between networks. Finally, connected to each switches are the devices within each private network.
Moving on, what we just describes was how devices connect to each other physically, but not logically. I told you the basics on network switches and hubs and how they route traffic. But they cannot route traffic if the devices in the network do not have IP addresses. An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) so that they may communicate with one another. To help facilitate this, there is a service know as a DHCP service, which stands for Dynamic Host Configuration Protocol, and is responsible for leasing out IP addresses to devices connected to the network.
There are two types of IP address: a public IP address and a private IP address. Public IP addresses are used over the internet and private IP addresses are used within private networks. Private address’s fall within these ranges:
- 192.168.0.1 to 192.168.255.254
- 172.16.0.1 to 172.31.255.254
- 10.0.0.1 to 10.255.255.254
When dealing with IP addresses and networking, there are two other numbers that you should also know about: subnet masks and default gateways. A subnet allows the flow of network traffic between hosts to be segregated based on a network configuration. By organizing hosts into logical groups, subnetting can improve network security and performance. For example, most home devices give a subnet mask of 255.255.255.0 which looks like 11111111 11111111 11111111 00000000 in binary notation. Without getting into subnetting which can take me pages to explain, any device that has the same numbers in the first three octects with a subnet mask of 255.255.255.0 can communicate.
For example: 192.168.1.2 and 192.168.1.3 and 192.168.1.4 and so on can communicate with each other but devices with IP addresses of 192.168.1.2 and 192.168.2.2 cannot communicate. This is because they are in two different networks therefor are logically separated. Furthermore, by changing the subnet you can change the amount of hosts per network. We won’t into that at all as again, that deals with subnetting. You might also notice that if you network is full the first IP address and the last IP address is not used at all. In this case: 192.168.1.0 and 192.168.1.255 are not used. 192.168.1.0 is the network address and 192.168.1.255 is the broadcast address. Finally, the default gateway is the last resort gateway and is used to route traffic when it does not know where to go. Practically speaking, your home router acts as your default gateway (and your DHCP server) as it knows how to send data within the network and over the internet.
Another area concerning networking are ports and the actual process of data traversing networks. Every service is assigned a port and usually these ports do not change. For example, Port 80 is always used for HTTP (web traffic), port 433 for HTTPS, port 53 for DNS, and so forth. When you request a service, you are requesting the service by using that particular port, and not by the DNS name (Google.com) that you wish to use. Let’s say that you opened up FireFox and want to go to Google.com. Your computer will first be requesting the data on port 53 (DNS) to request an IP address for Google.com and port 80 to request the actual information. If you are using another service for Google.com, such as their music service, you will be requesting the service using a different port. More information on this process can be found in section 8.3.
Moving along, when your computer is requesting information, the socket (or communication flow) is actually assigned a random port number to make the request. This new port number is per connection and not per packet. So, for example, if you are requesting HTTP traffic (port 80), you are actually assigned a random port of, for example, port 1000001. This is if in case you have multiple applications requesting different information for the same service/port number. Opening up several tabs in FireFox provides good illustration of this; each tab is assigned a different port number, so your computer knows where to send to traffic once received by your computer. Not only does your computer do this, but your router does when using a feature called PAT, the other routers do this when being sent across the world, and the webserver (Google.com) does this when open a connection and sending information back to you. The easiest way to think of a reason why opening up random ports, is that the random ports are uniquely assigned names for each service requesting the information.
Note: PAT stands for Port Address Translation and is when multiple devices on the network must use one Public IP address. You may have heard people refer to this process as NAT, or Network Address Translation, which is accepted for use, but technically incorrect. Example: most home users that use a router are using PAT without knowing it. PAT is used so all the devices in your network can access the internet with the Public IP address that is assigned by your ISP.
The above illustration briefly, and simplistically, demonstrates how data is forwarded from one network to another. You will see that Bob wants to view the site Freepizza.com to get some delicious, free pizza. One fundamental concept you need to realize is that routers do not use MAC addresses. Without getting into the OSI model, MAC addresses, also explained in section 8.3, are only used for your local network. When data is sent through the internet, or across networks (as demonstrated by different routers), only the IP address is used. Let me go over the illustration above.
Bob wants to send the data to freepizza.com, but he does not know how to get there. So, Bob sends a packet to Router 1. He says, “This packet is going to 192.168.1.1 (Router 1) and is from 192.168.1.2.” Router 1 sees that Router 2 knows how to get to Freepizza.com so he proceeds by sending the packet to Router 2. Now again, routers do not care about MAC addresses so they remove the MAC address and replace the IP addresses (Source and Destination) with its own source and destination header. In this case, the Source IP Address or 192.168.1.2 and Destination IP Address of 192.168.1.1 are replaced with the Source IP address of 192.168.1.1 and Destination IP Address of 192.168.2.1. When Router 2 receives the packet, he will say, “Hey, I know where Freepizza.com is! He is at 192.168.2.2.” Again, without getting into how MAC addresses work and when they are used, Router 2 will replace that IP Address information with the Source IP Address of 192.168.2.1 and Destination IP Address of 192.168.2.2. The MAC address will be used inside the network between the switch (not in the diagram) and the router/pizza.com server.
Phew, aren’t you glad that’s over with? Not quite I say! We still have to describe how data is sent back through the network back to Bob. This part will go much quicker as we have already described the fundamentals on how the packet got there in the first place. So, when Freepizza.com is ready to send the information back to Bob, it follows the exact same process in getting there, except it uses the Source IP address to send the data back to whomever sent it in the first place. The data headers are still replaces and the MAC addresses are still removed.
It is for this very reason that when you are a Tor exit node, you are at risk at people coming to your house if someone does something illegal and gets caught doing it. The Tor exit node only has the IP address information of the Router it is at (known as the Public IP address). All the IP address information of the Tor user and all hops in-between are stripped away and only accessible by each individual hop. Now, Tor uses encryption and varies other methods of hiding the IP address information, but this a simple explanation on how data travels across networks.
Wrapping this up, when computers want to communicate in a network they send an ARP command that is used by the network devices and the network switch to send data to other devices within the same network. I described this process further down in the guide when explaining about ARP replay attacks, so I will skip it for now. Routers can communicate directly with one another using a DCE/DTE cable or through the internet via a modem. Old modems converted the incoming data from analog to digital and vice versa on the way out. Cable modems, which are used most nowadays, converts the cable feed into a format that can be used by several devices in your home. Your ISP uses DHCP services to lease you out an IP address so you have internet access. When you are finally able to communicate within your network or over the internet, data is sent in what is called packets. Packet and packet forensics is described below in section 8.4.
8.2 Private vs. Public IP Address
A private IP address (assigned by the owner's wireless device) is assigned per device in the network from a DHCP pool. DHCP pulls a list of available IP addresses and assigns it when a device is attached to the network. A certain IP address is not assigned to a specific device (there is no static mapping) therefor people cannot use IP addresses to located your specify device. Static IP addressing can be used, but typically is not used in a home environment. When you connect to a wireless device, it is possible that it changes each and every time you connect, depending on what else is connected to the network. Also, unless the IP address is currently leased out, nobody will be able to look in a log (typically) to determine what IP address what connected when.
The other IP address is known as a Public IP address. This type of address is what your ISP (Internet Search Provider) uses to identify you. When you log into a website, this is the IP address that is logged. When you use proxy or VPN services, the Public IP address that is hidden and the VPN/proxy IP address is exposed. If somebody has your IP address, they can get the geographical location of where you live whereas your ISP has your name, telephone number, home address, and whatever else you have given them. Lastly, when you are connected to a person directly (DCC, video chat, P2P, etc.); they can also log your Public IP address.
8.3 MAC Address
Think of a MAC address like a bank account number; we are each given a bank account number so when we make a purchase, at a grocery store for example, the grocery store knows how to send the payment to your bank and vice-versa. Similarly, a MAC address, which is unique to your wireless card, allows the router to know where to send the data. And if you really care, the MAC address is held in an ARP table, but we won't get into that.
When you connect to a network, the router logs the computers MAC address and temporary saves the computers IP address. People can also sniff the network to see what you are doing and record your MAC address that way. And yet another way people can get your MAC address is if they use software that monitors the network and records all the devices automatically. All these methods have one this in common (besides the obvious), they can only record the addresses that are broadcasted, meaning if you change your MAC address, these methods are useless.
People use MAC address changers for many reasons; mostly for getting free WiFi by bypassing MAC address filtering or performing MAC flood attacks. If you connect to a public network, or your neighbor's network, I would use a MAC address changer to make it hard to locate you. Earlier, we said that a MAC address is unique to your computer; so if they were to look at all of the devices in your house, they won't find the device with the MAC address that was logged because it has been changed. The easiest way to change the MAC address is to download a program to do it for you; otherwise you can change it in your network settings. Win7 MAC Address Changer Portable is a good program to do this for you.
As a quick note, another recent discovery that can identify individual computers that cannot be spoofed (as of yet) is with using the computers graphics card. The PUFFIN Project (physically unclonable functions found in standard PC components) has brought forward research suggesting that GPU manufacturing processes leave each product with a unique "fingerprint." The PUFFIN team has created software that can detect these physical differences between GPUs. This is another way that someone can determine whether your device was used in a crime if your GPU "fingerprint" was obtained. PUFFIN's research will run until 2015.
Note: To change the MAC address in Linux, you can use the hw ether command. ifconfig eth0 down > ifconfig eth0 hw ether 00:00:00:00:00:00 > ifconfig eth0 up > ifconfig eth0 |grep HWaddr. Notice, you will use a custom MAC address instead of 00:00:00:00:00:00 and run each command separately (as defined by the â€˜>' character). Also, you will want to replace eth0 with the adapter that you are using.
8.4 Public Wireless
It is up to you whether or not to stop using the neighbors wireless. But know they can see Tor traffic if they: use a packet sniffer and perform a MiTM attack if their wireless network is not protected, if they were using a network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point). Even though they can see Tor traffic, they cannot see what you are doing inside of Tor and they still will have no clue that it was you. If they could, the purpose of Tor would be defeated. They are other risks with using public networks (or your neighbor’s network) therefore it is not recommended (unless you are absolutely sure that you are safe).
These risks includes attackers remotely logging into your computer via a known backdoor or an exploit. The best known Operating System to attack a machine is Backtrack. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The methods of attack in BackTrack are against operating systems, applications, phones, networks, internet protocols, websites, and etc. The best part about BackTrack is that it is free! I would start with getting a good firewall and anti-virus for your computer. Also, make sure you follow System Hardening (Section 6) section to help correctly configure your machine.
As always, I would use Tor for all sensitive information in which you do not want anyone to learn your location or monitor your browsing habits. To protect all other sensitive data that does not require such autonymity, I would recommend the use of a VPN. A VPN reroutes all computer traffic through a secure tunnel to a trusted third-party (or a designated network) before the information reaches its destination. This provides security against anyone sniffing your computer traffic as all information is encrypted. Common reasons for a VPN is when: checking emails, checking your bank account, application data security, or transmitting insecure data over a secure data stream. The difference between Tor and a VPN is that when using Tor, nobody knows who you are whereas in a VPN somebody always does.
Network Sniffing Tools
- Wireshark â€“ One of the most popular packet sniffing programs available. Wireshark is a successor to Etheral and offers a tremendous number of features to assist dissecting and analyzing traffic
- Omnipeek â€“ Created and manufactured by Wildpackets, Omnipeek is a commercial product that is the evolution of Etherpeek
- Dsniff â€“ A suite of tools designed to perform sniffing as well as other tools to reveal passwords. Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent for Windows
- Cain and Able â€“ Cain and Able provides much of the same tools as Dsniff but also provides features such ARP Poisoning (MiTM attack can be performed inside a network), enumeration of Windows systems, and password cracking
- Etherape â€“ A UNIX/Linux tools that was designed to show the connection going in and out of the system graphically
- Netwitness Investigator â€“ A free tool that allows a user to perform network analysis tools as well as packet reassemble and dissection
Here is an example of what captured packets look like in Wireshark. If you want to learn more about network investigations, using packet sniffers and analyzing the data is a good way to start. Starting with the fundamentals, I would learn about simple networking and the basic port numbers and what they are used for. Let’s use the example above and learn what is going on.
- The first for packets we will talk about (No. 8 - 11) are all DNS packets. Packet 8 is a DNS request from IP address 192.168.82.133 to IP address 188.8.131.52 for the domain www. LINK HERE -----> file2hd.com/Default.aspx?url=https://www.youtube.com. The Source field is your IP address (or the address of the originating computer. The Destination field is the address where the data is going. The protocol is DNS as scene in the Protocol field. DNS is Domain Name Service and is the protocol used the get the IP address from a Domain Name. And finally, the Info field contains the data within the packet. In this case, packet 8 requests the packet (Standard query A www. LINK HERE -----> file2hd.com/Default.aspx?url=https://www.youtube.com) and packet 9 responds with the CNAME record and the IP address (Standard query response). The A record is the standard record that maps the domain name to the IP address and the CNAME record is a type of DNS record that specifies that the domain name is an alias of another, canonical domain name.
- oving on, packets 12 – 14 is the standard TCP three-way handshake. More information can be found in section 8.5 and is denoted by the packets [SYN], [SYN, ACK], then [ACK]. Once the final [ACK] packet has been sent, the connection is made and information can flow.
- The next packet is the GET request. This packet is telling the HTTP server that it is requesting resources (in this case, the content on the webpage). If you submit data you will see a POST request meaning that you are sending resources to the webserver.
- Finally, the user is sending and receiving information from the website as you can see by the Source port in the information pane. Port 80 (http) denotes webtraffic and is used when a user is trying to access a webpage.
This is the basic overview of webtraffic that can be captured and read. Protocols such as FTP and HTTP are all done in cleartext, meaning you can read all the data that is contained within the packets. This is especially a problem for the user if information such as usernames or passwords are being sent. FTP for example requires the user the login to the server, but does sends all the information in the clear. The picture below is an example of network traffic that captured the FTP username and password. The destination field tells you that the FTP server has an IP address of 10.0.8.126 and the user requesting it has an IP address of 10.0.4.232.
There are two more things that I want to discuss before moving on to the next section:
- When using Wirehark, you should familiarize yourself with filtering and Follow TCP Stream
- Reassembling packets to view data such as images and getting detailed view of packet analysis
One popular feature of Wireshark is to follow the stream of captured packets. Let’s say that a user is sending an email and has attached a compressed file along with it. Using Wireshark, you can find a packet in the stream, right-click the packet, and select Follow TCP Stream. A new window will open will all the data in the stream, which will contain the file you are trying to download. Once the new window is opened and fully loaded, you can click Save-as to save to data to a file. The file is now ready to be opened with the program that handles the file type.
Moving along to the second item on the list, you can also reassemble packets to view the information contained within those packets. Let’s say for example that someone views a bunch of images over the internet. Reassembling the packets will allow you to view the images the user viewed. Now, Wireshark is good for capturing packets and is a great program for a bunch of purposes, but it is not a great program when trying to do this. Personally, I use a program called NetWitness Investigator that will not only allow you to view the data that was captured, but it will allow you to do so graphically. Everything is point and click and there is no real need to know about packet analysis beyond the very basics. And finally, this program shows a detailed view of the packets captured.
8.4 Security Protocols
Securing your network should be as important as securing your computer. Allowing people access to your network opens you up to attack and as previously stated, legal issues, because they can got caught doing something they weren’t supposed to on your network. If you are doing everything secure on your network computer but someone gets caught downloading child porn, the government is coming after you. There are several ways to protect your network depending on your equipment and if you use custom firmware or not. If you get a router, plug it in, and start using it; you are NOT protected!
The first thing that anybody needs to do is change the default password for the device so nobody can log in and change the security settings. Followed by changing the device password, you should create a wireless password to limit the people who can get on the device in the first place. There are several types of protocols that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and WPA2 are protocols that rely on password authentication to accept users who are trying to connect to your wireless device. MAC Address Filtering on the other hand only allows specific wireless devices access to the network depending on the MAC addresses.
WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standards such as WPA and WPA2. WPA is also deprecated making the recommended security protocol WPA2. WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all devices. If you want to get technical, WPA uses TKIP whereas WPA2 uses AES-CCMP. TKIP is Temporal Key Integrity Protocol and AES-CCMP is Advanced Encryption Standard- Counter Cipher Mode with Block Chaining Message Authentication Code Protocol. MAC address filtering filters wireless devices allowing only those that are allowed into the network. The problem is however, it can be easily defeated if someone changes their MAC address to one that is allowed.
Wireless Hacking Tools
- Kismet - Using Kismet one can see all the open wireless networks, as well as those Wireless Networks which don't broadcast their SSID's. It's a matter of minutes to use this tool and identify networks around you
- Netstumbler - NetStumbler is a freeware Wi-Fi hacking tool that's compatible with Windows only. It can be used to search open wireless networks and establish unauthorized connections with them
- Medieval Bluetooth Scanner - This program can analyze and scan your Bluetooth network finding Bluetooth devices that can be attacked (see bluejacking or bluesnarfing or bluebugging)
- Coreimpact - This it is widely considered to be the most powerful exploitation tool available. However, CoreImpact is not cheap and will set anybody back at least $30,000
- Wireshark - Wireshark Wi-Fi hacking tool not only allows hackers to find out all available wireless networks, but also keeps the connection active and helps the hacker to sniff the data flowing through the network
- AirSnort - Most Wi-Fi hacking tools work only when there is no encrypted security settings. While NetStumblr and Kismet fail to work if there is a wireless encryption security being used, AirSnort works to break the network key to get you inside the network
- CowPatty - CowPatty is an another Wi-Fi network hacking tool that has crack got a WPA-PSK protection feature and using this hackers can even break into more secure Wi-Fi environments
- Reaver - This program takes advantage of the weakness inherent with WPS (WiFi Protected Setup)
Common attack methods and terminology
- ARP Spoofing - Address Resolution Protocol (ARP), is a service that converts IP addresses to MAC addresses that are uses by the local LAN (Local Area Network). ARP spoofing is a technique whereby an attacker sends fake ("spoofed") ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
- MAC Spoofing - ork interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy. This can be an attack to get past security safeguards, to masquerade as another device, or to try a device into sending data to it.
- Fragmentation - IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. Every network link has a characteristic size of messages that may be transmitted, called the maximum transmission unit (MTU). There are several attacks regarding IP fragmentation and can be used by services that do not protect themselves from these types of attacks.
- Buffer Overflow - an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
- DNS Poisoning - DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's) or a website. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.
- IMCP Redirect - An ICMP Redirect tells the recipient system to over-ride something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses it connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network.
- Proxy Manipulation - This attack involves altering the proxy settings of the target machine to redirect traffic to the attacker’s computer or service. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.
- Rouge DNS - DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behavior of a trusted DNS server so that it does not comply with internet standards.
- Rouge AP - A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. For the purposes of the guide, a rouge AP can be setup by an attacker as so a victim will unknowingly connect the to the AP and send all data through the attacker.
- Honeypot - A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
- Padded Cell - A padded cell is a honey pot that has been protected so that that it cannot be easily compromised. In other words, a padded cell is a hardened honey pot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm the nature of this host environment is what gives the approach its name, padded cell.
8.6 Virtual Private Networks
Throughout this guide I mention the use of Virtual Private Networks (VPN’s), and now I am going to explain exactly what it is. In the simplest of terms, a VPN transmits data from one network to another, as if they were on the same network. For example, let’s say that you have a file server on your home network that you will to access while on vacation. A VPN allows you to log into the network and view those files as if you were sitting at home. Furthermore, tunneling your connection through an untrusted network to a trusted network with the use of VPN’s, ensures that no private data is leaked to unscrupulous parties.
There are several reasons to use VPN’s and there are even more people who use them. Most often, you will see the use of this technology employed by businesses that have employees that want to connect to the office or several offices that need to connect to the home office. There are a few types of configurations that include: host-to-host, gateway-to-gateway, and host-to-gateway. Host-to-host is more often used when one person needs to directly communicate with another person (share files from one PC to another, chat, etc.), gateway-to-gateway is when two or more locations needs to share data between networks, and host-to-gateway is when users need to connect to a network to access network resources (like in our first example).
Saying this, the access of resources is not the only reason why you would want to use a VPN. As I said in the first example, a VPN can be used for a secure communication between the two nodes. What I mean is this: let’s assume that you are at an untrusted network or you are exchanging data over an untrusted medium, such as the internet. A VPN encrypts your data, creates a secure tunnel between you and the host machine (the device receiving the VPN traffic), and transfers the data without anyone being able to see or inject anything harmful along the way. Note: when I say they cannot inject, both sides perform a check of the data. If someone injects or modifies the data, it will be discarded and resent.
Moving on, the use of the acronym VPN does not implicitly refer to secure data transmission, but refers to how data is transfered from one point to another. You can break a VPN into two parts: the tunneling protocols and encryption protocols. Tunneling protocols defines how data transverses across networks and the internet. By its very nature, these protocols do not provide any encryption. It’s like driving a car without any airbags; it’s not worried about safety, it just cares that it gets there. Encryption protocols on the other hand are concerned with just that: encrypting the data.
Used together, VPN’s can provide for confidentiality, integrity, and authentication:
- Confidentiality: When the data is encrypted and sent to a secure, private network, you can mitigate the risk of third parties reading your data while in transit
- Integrity: VPN’s are also used to detect changes in data when received on either side
- Authentication: When you connect to a host or a client, you can be reasonably sure that the other person is who they say they are. This is because tunnel endpoints must verify the other party before a connection is established
Selecting both tunneling and encryption protocols will mostly depends on your needs and what you have at your disposal. For example, for a client to client connection, you can use LogMeIn Hamachi to establish a secure VPN between. Sonicwall’s use SSL VPN’s that can be used host-to-host or host-to-client and custom firmware routers use OpenVPN can do the same thing but adds host-to-host to the mix. For the purposes of this guide, I recommend using OpenVPN as it is free and open source.
Without getting into too much detail about how VPN’s works and what is happening behind the scenes, I will give you a broad overview of the types of tunnels and encryption protocols VPN’s use.
- Point-to-Point Protocol (PPP) - This protocol defines data that is transmitted over serial lines. Mostly, nowadays, PPP is not used but when using Dial Up connections between modems.
- Point-to-Point Tunneling Protocol (PPTP) - PPTP (Point to Point Tunneling Protocol) is a good, lightweight VPN protocol offering basic online security with fast speeds. PPTP is built-in to a wide array of desktop and mobile devices and features 128-bit encryption. PPTP is a good choice if OpenVPN isn't available on your device and speed is top priority.
- Layer Two Tunneling Protocol (L2TP)/IPSec - L2TP (Layer 2 Tunneling Protocol) with IPsec (IP Security) is a very secure protocol built-in to a wide array of desktop and mobile devices. L2TP/IPsec features 256-bit encryption, but the extra security overhead requires more CPU usage than PPTP. L2TP/IPsec is an excellent choice if OpenVPN is not available on your device, but you want more security than PPTP.
- Internet Protocol Security (IPsec) - IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model. If you are choosing to use IPSec, you should know about the two modes it uses to transport the data: tunnel and transport. Tunnel: In tunneling mode, the entire packet it encrypted, including the header information. The packet is then encapsulates the encrypted packet and adds a new header before sending the data. Specifically, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. However, we will not get into that in this guide. Transport: This mode encrypts the payload, but does nothing to protect the header information. Again, the header information provides information such as: source and destination IP address, port information, frame sequence, flags, etc.
- OpenVPN - OpenVPN is the premier VPN protocol designed for modern broadband networks, but is not supported by mobile devices and tablets. OpenVPN features 256-bit encryption and is extremely stable and fast over networks with long distances and high latency. It provides greater security than PPTP and requires less CPU usage than L2TP/IPsec. OpenVPN is the recommended protocol for desktops, including Windows, Mac OS X, and Linux.
- Secure Socket Layer (SSL) - An SSL VPN is a form of VPN that can be used with a standard Web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It's used to give remote users with access to Web applications, client/server applications and internal network connections.
How a VPN connection is made:
Assume a remote host with public IP address 184.108.40.206 wishes to connect to a server found inside a company network. The server has internal address 192.168.1.10 and is not reachable publicly. Before the client can reach this server, it needs to go through a VPN server / firewall device that has public IP address 220.127.116.11 and an internal address of 192.168.1.1. All data between the client and the server will need to be kept confidential, hence a secure VPN is used.
- The VPN client connects to a VPN server via an external network interface.
- The VPN server assigns an IP address to the VPN client from the VPN server's subnet. The client gets internal IP address 192.168.1.50, for example, and creates a virtual network interface through which it will send encrypted packets to the other tunnel endpoint (the device at the other end of the tunnel). (This interface also gets the address 192.168.1.50.)
- When the VPN client wishes to communicate with the company server, it prepares a packet addressed to 192.168.1.10, encrypts it and encapsulates it in an outer VPN packet, say an IPSec packet. This packet is then sent to the VPN server at IP address 18.104.22.168 over the public Internet. The inner packet is encrypted so that even if someone intercepts the packet over the Internet, they cannot get any information from it. They can see that the remote host is communicating with a server/firewall, but none of the contents of the communication. The inner encrypted packet has source address 192.168.1.50 and destination address 192.168.1.10. The outer packet has source address 22.214.171.124 and destination address 126.96.36.199.
- When the packet reaches the VPN server from the Internet, the VPN server decapsulates the inner packet, decrypts it, finds the destination address to be 192.168.1.10, and forwards it to the intended server at 192.168.1.10.
- After some time, the VPN server receives a reply packet from 192.168.1.10, intended for 192.168.1.50. The VPN server consults its routing table, and sees this packet is intended for a remote host that must go through VPN.
- The VPN server encrypts this reply packet, encapsulates it in a VPN packet and sends it out over the Internet. The inner encrypted packet has source address 192.168.1.10 and destination address 192.168.1.50. The outer VPN packet has source address 188.8.131.52 and destination address 184.108.40.206.
- The remote host receives the packet. The VPN client decapsulates the inner packet, decrypts it, and passes it to the appropriate software at upper layers.
One last thing that I want to talk about is split tunneling. Split tunneling is the act of being connected to both a WAN network (VPN) and a LAN network (your local home network) at the same time. When enabled, data intended for the secure VPN might accidently leak out the insecure part of the network. Another negative risk, is that an attacker can gain access to your computer via the LAN network and have access to your private network you are connected to over the WAN. For best security, it is advised to have split tunneling disabled at all times.
8.7 Chat Sites - How Attackers Attack
Some people where asking me about the risks involved in Omegle and downloading pictures to your computer. So, briefly, I am going to describe here what I told them. Firstly and most obviously, Tor does not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP traffic in which video streaming operates. So, if you wondering how people actually captures this traffic and obtains your IP address, this is how:
Try it out - Capture IP Address from Omegle
- First, you will need to download a packet sniffer. I would either use Wireshark, Ethereal, or NetWitness Investigator. The first two will simply capture the packets whereas the latter will captures the packets and has the ability to put them back together. This is useful if you want to rebuild the video that was streaming.
- Start Omegle (or an alternative chat site) and get connected to somebody on the other end. Capturing the IP address can also be done via text, but for this method, you must use your camera.
- Start the packet sniffer of choice; for this example I will be using "Wireshark."
- To select the interface you will need to select "Capture" than "Interfaces."
- Determine the interface that you are using (usually the one with the most packets) and press "Start" to start capturing the packets.
- All you need is a few packets, even though you will get a few hundred to a few thousand. Once you have enough packets press "Stop the running live capture". This is denoted by the forth icon at the top with the "X" or you can select "Stop" under "Capture." FAILURE TO STOP THE CAPTURE WILL CRASH YOUR MACHINE! THE AMOUNT OF PACKETS YOU CAN CAPTURE IS DEPENDENT ON THE AMOUNT OF MEMORY YOUR MACHINE HAS!
- You are only concerned with UDP traffic, so in the "Filter" field, enter "udp"
- Now, you will notice that there is more UDP traffic from two specific IP addresses than anything else; these IP addresses will be your IP address and the individual on the other end of the webcam. Your IP address will either start with a 192.x.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.x.x.x. There are restrictions, so if you have any questions, ask or refer to a Private IP address list. The other IP address will be theirs.
- Copy their IP address. This can be denoted via four octets separated by decimals or with dashes. It can also contain words or letters. 220.127.116.11, pd-93-53-23-231, or 93-52-23-231.abc.dgf.net will all be the same thing. In either case, you want to copy it down as 18.104.22.168. Notice that the words might be different; only concern yourself with the numbers.
- That is it; you can use a reverse IP address lookup to find basic information.
That described simply how to capture the IP address via a packet sniffer. When connected, this connection can also be seen in your netstat list; but familiarizing yourself with this might be a challenge if you don’t know what you are looking at. The reason being is UDP traffic connects directly to your machine. TCP traffic connects to a third party site such as Omelge. Another method is getting the person to go to a honeypot that captures the users IP address when they click on a link and navigate to that site. They are a few out there, and it is easy for people to be baited into navigating to these sites.
Looking at the illustration below, you will see an example of a netstat output. The local address (red) with be your computer and the foreign address (yellow) is the remote device. 127.0.0.1 is your computers loopback address. So, this is telling you that the computer with the IP address of 192.168.0.6 is connecting to a website at 22.214.171.124 and 126.96.36.199. You know this because the “:80” next to the foreign addresses. Port 80 is used for HTTP traffic when a user wants to connect to a website. The other ports next to 192.168.0.6 are random ports assigned by the system. And using an IP lookup tells you that the first IP address of 188.8.131.52 belongs to google whereas 184.108.40.206 belongs to Layered Technologies. Note: you can either find a website to lookup the IP address or you can try to enter the IP address directly into the address bar.
Proto – or protocol – is the internet protocol being used; this can being either TCP or UDP. TCP connection oriented and a lost packet will be resent so there is no loss of data during transmission. UDP on the other hand is connectionless and if a packet is lost, the packet is lost forever. There are about 12 states that you can familiarize yourself with, but we won’t get into that much in this guide. For this example, established means that the connection (socket) has been established, listening means that the socket (the program that created the connection) is waiting for incoming connections, and time_wait means that the socket is waiting after close to handle packets still in the network. Finally, the PID is the program that is handling the connection. This PID number is created per program and can change every time to program is started.
To look up the application associated with the particular PID, you can use Windows Task Manager. The Task Manager can be opened by right-clicking the Taskbar and selecting Task Manager. However, Task Manager does not display PID information by default. To display the PID value in Task Manager, go to Processes tab, click on View menu, then click on Select Columns…. In the “Select Columns” or “Select Process Page Columns” dialog, tick and check the checkbox for PID (Process Identifier), and click OK. You can right-click the process and click Properties to view which program is being run and where.
If you are really interested in learning more about gathering an IP address, there are two things that happen when you are connected via webcam. The first thing is the handshake - or the initial connection - and is facilitated by the chat website (Omegle, ChatRoulette, etc). This connection is the first step that is performed to connect you to the other person whom you are trying to connect with. After this initial process is complete, you are now directly connected to the person you are chatting with. At this point, the stream is no longer being passed through the chat website. The webcam traffic is UDP traffic, which is not supported by Tor. Continue below for an expanded explanation.
The picture above shows the typical three-way handshake when capturing traffic in Wireshark. You will see [SYN], [SYN, ACK], then [ACK]. Host A send a SYNchronize packet to Host B, Host B responds with the SYNchronize-ACKnowledgement packet back to Host A, and Host A once finalizes the connection with a ACKnowledgement packet to Host B. Once the handshake is complete you will see a flood of UDP traffic. Again, the UDP traffic is all the webcam traffic data and is the only traffic you are going to concern yourself with.
When looking at all this traffic, you want to concern yourself with three fields in particular: Source, Destination, and Protocol. The source is where the information is coming from, the destination is where the traffic is going to, and the protocol defines the protocol being used. The picture below shows what traffic will look like in Wireshark when the UDP protocol is being used. Notice that this picture only shows UDP traffic flowing through the network. This is because you can filter traffic in WireShark to show pretty much whatever you want it to show.
So, the three fields I will be describing are the Source and Destination fields. You will notice that there are two IP address being used: 192.168.0.103 and 220.127.116.11. If you followed the Try it out - Capture IP Address from Omegle you might remember that 192.168.0.103 is the address of local user that is capturing the traffic and the 18.104.22.168 is the user that is connected on the other side. Your IP address will either start with a 192.168.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.168.x.x. The other IP address will the address of the user that is connected to you; this is the IP address that you are looking for and is the IP address that attackers will look for as well.
Another popular method of getting IP addresses and other computer information such as usernames, passwords, keystrokes, screenshots and etc., if with the use of spyware. I am not going to go into detail about spyware (or a keylogger or malware), but I will go over a popular delivery method. When people send pictures – or videos – via TorChat or an alternative medium, they can use a binder program to attach a picture file to an executable. When the file is opened, the picture appears as normal along with the spyware in the background.
To protect yourself when dealing with UDP information (audio or video chat), you can use a UDP proxy, a VPN, or configure a VPN over Tor. I usually just use a VPN that claims to not log any traffic; but who knows if that claim holds merit. Simple text chat uses TCP packets which Tor can protect. Obviously, do not use shortlinks as they can link to a honeypot or another rouge site. And if you do decided to open links you are unsure about, make sure you do via Tor with JS disabled.
8.8 Other Considerations
Most people have home routers with stock firmware, so most of this does not apply. For those of you interested in having more granular control of your router, you can search the internet for custom firmware; for example, DD-WRT is a good Linux-based firmware. Also, you can purchase managed ports and wireless access points specifically for this purpose. Most commercial equipment can manage what I am about to talk about, but they usually run in the several thousands, if not hundreds of thousands.
One of the basic hardening techniques for wireless security is the use of VLAN's. If the attacker gets passed your wireless controls and into your network, VLAN's will ensure that they cannot read your network traffic. Let's say some ports on switch A are in VLAN 10 and other ports on switch B can are in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices, not in their VLAN. You should also know that VLAN's can be set up on the same switch.
WPS, or WiFi Protected Setup, is a way for individuals to easily connect devices to the wireless router. In this method, the standard requires a PIN to be used during the setup phase. As it is not a technique to add security to the network, you should know that WPS should be disabled at all times. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts. It takes approximately 4-10 hours to break WPS pins (passwords) with Reaver.
You should also know about rouge AP's; specifically when an attacker impersonates an SSID. Rouge Access Points are a security concern because an attacker can set up a device such as a router or computer to have a similar or the same SSID as the wireless Access Point you connect to. Unscrupulous parties can connect to this rouge device and all traffic can be logged and MiTM attacks can be performed. This threat is of low concern because it is not very likely to happen.
One final security configuration I am going to mention is a DMZ. The purpose of a Demilitarized Zone is to add an additional layer of security to your local area network (LAN â€“ Private network); an external attacker only has access to equipment in the DMZ, rather than your entire network. This would be if you were setting up anything that you want people from outside your network to have access to whilst protecting your internal network. Examples of such services would be Websites, IRC servers and relay servers.
8.9 Extra: MAC Address Spoofing and ARP Attacks - How they work
Two methods I want to talk about are: ARP poisoning and MAC address spoofing. As many of you already know MAC address spoofing is also a way to hide your computer or to get free Internet when places either filter computers by MAC addresses or have a pay to-use-system. A few of you have asked how this works and instead of reinventing the wheel each and every time I decided to create this fundamental, quick how-it-works section. These are a couple of reasons why you should lock down your private network and never use public networks.
When a computer decides it wants to talk to another computer on the network it has four primary fields it uses to communicate. In a packet, these fields are: source IP address, destination IP address, source MAC address, and destination MAC address. Again, most of you even know about IP addresses so we won’t get into that at all. But what most of you don’t know is the computer transfers traffic based on the computers MAC address (which is a unique identifier for each device) and not the computer’s IP address. The computer uses the IP address to learn the MAC address but does not actually send data with it. Let me explain.
Let’s say Bob wants to talk the Alisha on the same network (send data). There is a protocol called ARP, which stands for Address Resolution Protocol, that will send a request to the switch (or all of the devices in the network if you’re using a hub) that you are trying to communicate with Alisha. When Alisha responds, she will send back the MAC address of her computer to the switch. The switch, will then learn Alisha’s MAC address if it doesn’t already know and send it back to Bob. Now Bob, having Alisha’s MAC address, will fill in the destination MAC address (which is Alisha’s computer) and send data using that information.
Here’s an example: Bob wants to send Alisha a file over the network. Bob first sends an ARP request to the switch (most, if not all, home routers have a switch build in) saying “hey, I want to talk to Alisha, here is her IP address. What is her MAC address so I can send the data?” The switch looks in the MAC address table and determines that Alisha’s MAC address is F026:EA98:EB03:C68E (if the MAC address is not known, it sends the ARP request to ALL of the computers on the network, except for Bob’s, until Alisha responds back, “It’s me!”) Once the MAC address is determined, it is sent back to Bob so he can transfer the data.
This is where MAC address spoofing comes in, because as you just learned, computers do not transfer data using the IP address, but instead the MAC address. So MAC address spoofing, tricks the switch into thinking your computer (let’s say you are Steve), is actually Alisha’s computer. So now when Bob wants to send data to Alisha, half the packets will go to Alisha and half the packets will go to Steve. For the same reason this works, the pay to-use-system can be defeated as well. This pay to-use-system uses the MAC addresses to send data to already authorized computers which in turn is tricked and data is sent to you without charge.
ARP poisoning on the other hand when an attacker is able to compromise the ARP table on the other machine and changes the MAC address so that the IP address points to another machine. If the attacker makes the compromised device’s IP address point to his own MAC address then he would be able to steal the information, or simply eavesdrop and forward on communications meant for the victim.
THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT AGAINST ANYONE ELSE. SO PLEASE DON'T!
ARP Poisoning Demonstration (you will need Cain and Able installed on your machine):
- Open Cain
- Click the Sniffer tab and turn on the network sniffer (the network interface button next to the folder icon on the second row)
- This should already be selected, but ensure that the Hosts tab is selected at the bottom
- At the top, click the blue Plus button to scan for MAC addresses. Alternatively, you can right-click anywhere in the datagrid (white box) and select Scan MAC Addresses
- Once populated with devices other than your Default Gateway (usually any IP address ending with the octet of 1) or your computer, select the APR tab at the bottom
- Make sure APR is selected over on the left and click anywhere in the top datagrid (the top field that is blank). The Plus button at the top should no longer be greyed out.
- Once the New APR Poisoning Routing dialog box appears, you will select the computers that you wish to attack
- Over on the left, you will select your Default Gateway and over on the right you will select the computer you wish to attack (the datagrid on the right will populate once the GW is selected on the left) *Doing this has the potential of causing a DoS attack whereas the victim cannot access the internet or any data in the network
- Finally, select the "session" that you just created (under Status, it will say Idle) and click the ARP Poisoning button on the top that is next to the sniffer button you clicked on earlier. If successful, the status will change from Idle to Poisoning
- From here, you can capture data packets, usernames, passwords, email addresses, and etc.
- The only way to defeat this is to use encryption such and client to hosts VPN's, PKI, or Tor
- To stop the attack, you can click the ARP Poisoning button and the Sniffer button once more
Again, I should provide the warning that there are other ways they can see your traffic if they: use a packet sniffer and perform a MiTM attack if their wireless network is not protected, if they were using a network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point) as mentioned above.
MiTM attack stands for Man in The Middle attack and is when an attacker inserts himself between you and the person – or service – you are connected to. As I said before, one this is accomplished, the attacker can then capture all information, strip SSL to obtain information such as passwords, insert malicious code, redirect the user, or block the user from a service all together. To prevent again MiTM attacks, you can use a VPN or encryption to authenticate you and the remote host alike. These attacks are used moreso on local networks then used over the internet; however, it is still possible.
9. Download Links
Listed below are the programs that I mentioned throughout this guide and the associated links: