DigitalForensics 09 NOV2011


The Quarterly Magazine for Digital Forensics Practitioners

ISSUE 09 / November 2011 / £11.99 / TR Media

Competition! Win 3 Digital Forensics books from Syngress

INSIDE
/ Using Wireshark
/ Deep Packet Inspection
/ Cryptanalysis
/ Social Network Monitoring

BIG BROTHER FORENSICS
Chad Tilbury takes a look at the rise of Geo Location data and how geo-artifacts can add a crucial dimension to investigations

/ REGULARS: robservations, 360, news, irq & more…
/ FROM THE LAB: Part 2 of Ted Smith’s feature on X-Ways Forensics
/ INTRODUCING: our new Forensic Uncertainty feature
/ Book Reviews: Xbox Forensics, Extrusion Detection


Shape your future

Forensic Computing MSc / Forensic Computing BSc Honours
Computer Security MSc / Computer Security BSc Honours

To find out more visit dmu.ac.uk/technology or contact us:
T: (0116) 257 7456
E: [email protected]


/ EDITORIAL

It is a very interesting time for digital forensics, everywhere I look I find numerous organisations and individuals who are doing great things to establish standards and codes of practice that will ensure that all of us who adhere to them operate at the pinnacle of professionalism in all that we do. Rob Lee takes a look at one single organisation which is attempting to unite the work that is being done; I am sure that we will hear more from them and we will be following their progress.

This issue we take a look at all things GEO! With the number of news items over the recent months that have raised concerns over the information that Google’s mapping activities may have collected, along with what Microsoft is purported to be collecting/recording with respect to geo-location data and local WiFi information, it was only right that we took a look at what this could mean to the digital forensic investigator. Once again we are likely to be faced with protecting the privacy of the individual whilst looking for geo-location artifacts that might just help solve a serious crime. We hope you find the articles useful in your work.

Watching a well known UK crime scene forensics program called “The Body Farm”, followed a few days later by news reports of two very high profile and widely publicised court cases, reminded me of an article we had been sent some time ago regarding what is seen by some as a huge miscarriage of justice. The first of the cases was the appeal by Amanda Knox of her conviction for the murder of Meredith Kercher. Figuring largely in this trial was the forensic evidence, not only the analysis and results but also the way that the evidence was handled. The second case was that of Dr. Conrad Murray and the death of the singer Michael Jackson; this case recently included evidence collected from an iPhone.

The article that I was reminded of is not a digital forensics article; however, it does have lessons that can be learnt by those practicing digital forensics. The article looks at the case of James Hanratty and the evidence used to convict him; he was hanged for murder in April 1962. Subsequent appeals looked in detail at the forensic evidence, especially DNA evidence, and upheld the conviction. It is not our intention to pass judgement in any way; however, it is important that we look at these cases and identify any lessons that can be learnt as we carry out investigations, analyse the results and present the results as expert witness testimony. I think that not only will you enjoy the article but it will prove thought provoking enough to relate the case to your own work. The article is a long one and whilst we have contained the bulk of the article in this issue, we have saved some good bits for next issue.

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board
Roy Isbell, Alastair Clement, Scott C Zimmerman, Rob Lee, Angus Marshall & Sean Morrissey

Acquisitions
Roy Isbell, Sean Morrissey, Rob Lee & Scott Zimmerman

Editorial
Roy Isbell

News Desk
Matthew Isbell

Sales & Marketing
Matthew Rahman

Production and Design
Matt Dettmar (www.freelancemagazinedesign.co.uk)

Contributing Authors
Angus Marshall, Chad Tilbury, Charmaine Anderson, Christiaan Beek, Curt Schwaderer, Mark Osborne, Rob Harriman, Rob Lee, Ronnie Smyth, Scott C. Zimmerman, Sean Morrissey, Sian Haynes, Ted Smith, Willem Knot

Technical Reviewers
Dr. Tim Watson, Scott C. Zimmerman, Sean Morrissey, Rob Lee & Angus Marshall

CONTACT DIGITAL FORENSICS MAGAZINE

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on [email protected]
Alternatively you could telephone us on:
Phone: +44 (0) 844 5 717 318

News
If you have an interesting news item that you’d like us to cover, please contact us on: [email protected]

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: [email protected].

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on [email protected].

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to [email protected].

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.



/ CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 09

REGULARS
/ NEWS 06
/ 360° 14
/ ROBSERVATIONS 28
/ LEGAL EDITORIAL 31
/ COMPETITION 37
/ APPLE AUTOPSY 47
/ BOOK REVIEWS 80
/ IRQ 82

FEATURES
/ Hunting Malware with a (Wire)shark 09
Using Wireshark to detect if malware is on your system
/ Big Brother Forensics 16
Device tracking using browser-based artifacts
/ Social Network Monitoring 22
Monitoring social networks to support law enforcement
/ Meet the DF Professionals 38
An interview with Dr Andrew (Andy) Jones
/ Management of Knowledge Based Grids 42
Managing security in Knowledge Based Grids
/ Geo Tagging the Mac 48
Sean Morrissey looks at Geo-tagging in the Mac world
/ Cryptanalysis Using Distributed Systems 58
Investigating a project to create middleware for distributed cryptanalytic applications
/ Digital Archiving and Data Recovery 63
Archiving data at The National Museum of Computing
/ Deep Packet Inspection 68
How to build DPI devices on high-speed networks
/ A Case of Forensic Uncertainty 75
Rob Harriman takes a look into the Hanratty conviction

LEGAL
/ Geo-location and Privacy in the EU 32
Taking a legal look at the implications for geo-location

FROM THE LAB
/ X-Ways Forensics 53
Part 2 of our look at this often-misunderstood tool


/ NEWS

DHS claims Cyber Crime rate on the increase

Cyber experts working on the Control System Security Program, for the Department of Homeland Security (DHS), have so far tackled more than 300 requests for assistance this year, compared to last year’s figure of 116. The Emergency Response Team has had to be deployed seven times so far this year, but was only deployed twice in 2010.

According to Greg Schaffer, Deputy Undersecretary of the DHS, in a comment to All Voices Global News, most of the requests came from Utilities and Industries, which are now more vulnerable after linking systems to the Internet. The systems that are now at risk are considered to be part of the critical infrastructure, which could account for the dramatic increase in cyber attacks.

“We are connecting equipment that has never been connected before to these global networks,” Schaffer said. “Disgruntled employees, hackers and perhaps foreign governments are knocking on the doors of these systems, and there have been intrusions.”

Hackers are becoming increasingly more deceptive and are using much more sophisticated attacks as security software tries to keep up with the influx of new cyber threats, and many of these attacks are beyond the resources available to the DHS.

Most attacks consisted of monitoring personal information of a consumer and then exploiting the consumer’s power and Internet access. The biggest problem is that, once compromised, these systems provide access to a high degree of highly confidential data but also allow for storage and transfer of illegal content through use of covert channels.

The increase in sophisticated cyber attacks is costing governments millions in losses each year and this figure is ever increasing until something is done to prevent further attacks.

The Pentagon is aiming to extend a pilot program in the hopes that it will make networks more secure by sharing intelligence with the private sector. This could prove beneficial with at least twenty defence companies already involved.

Windows 8 Secure Boot Blocks Secondary OS’s

In the past month there has been great controversy over the claim that Windows 8 certified 64-bit hardware will carry a specific security measure that prevents the installation of secondary operating systems (such as Linux) until the software is regarded as trusted by Microsoft.

The newest version of Microsoft’s Operating System will use the Unified Extensible Firmware Interface (UEFI) and a secure-boot feature to boot Windows 8 rather than the more commonly used BIOS boot facility.

The decision to use UEFI has been described by Microsoft programmers as being based on security, with the organisation hoping to reduce the amount of malicious software (malware), such as rootkits, infecting PCs that use Windows.

However, the decision to choose the new boot method will mean that a secondary operating system or even a second copy of Windows is increasingly difficult to install, and any software or hardware must be previously signed by Microsoft or the original equipment manufacturer in order to work as intended.


In order to install software, a user would have to disable the secure boot facility from within the UEFI should a signature not be provided. However, there is no guarantee that the firmware support to disable the secure boot will be permitted by Microsoft.

The use of UEFI and secure boot presents a specific problem to many Computer Forensic professionals who use a dual-boot system of both Windows and a Linux distribution to perform key investigations, analysis and research.

Since the announcement, Linux Australia members have complained to the Australian Competition and Consumer Commission (ACCC) and have been told by the regulator that they may, indeed, have a case as long as they provide the regulator with more information surrounding their complaint. Further comment from the ACCC describes how Linux Australia will be within their rights to pursue legal action against Microsoft, should the ACCC decide not to pursue the case.

/ NEWS ROUND-UP

CYBERWAR FINDS ITS DEFENCE THROUGH FORENSICS

As the threat of cyberwar ever increases, various ideas have been put forward to reduce the risk. The idea that is considered the most farfetched is to scrap the Internet altogether, but it is this idea that has most professionals convinced. Digital Forensics has often played a minor part in Computer Security and is often the last resort; however, it has become more and more popular and more recognised in the last decade. Andrew Hoog, of viaForensics, stated that forensics, when applied pro-actively and aggressively to a cyber security issue, can become a ‘game-changer’. Hoog believes that Computer Forensics could hold the future to Cyber defence and regards the idea to scrap the Internet as ‘not very viable’.

UK ECONOMY SPARED £140m THROUGH ACTIONS OF CYBERCRIME UNIT

Due to a number of successful operations, the Metropolitan Police e-Crime Unit is to exceed previously set targets. The PCeU claim to have already saved the UK economy a staggering £140m in the past six months and is well on course to exceed the four-year ‘harm reduction’ target. This value contributes to 30% of the intended £504m target and relates to the amount of money saved by successful cyber crime operations and prosecutions. The e-Crime unit is currently using a £30m grant to build up its resources in order to combat computer intrusion, denial of service attacks and Internet fraud.

ELCOMSOFT CRACKS BLACKBERRY ENCRYPTION

Russian firm Elcomsoft has unveiled a new tool that allows them to crack the encryption security employed by Research In Motion (RIM) on their Blackberry smartphones. The tool is an upgraded version of a phone password-cracking suite that now has the ability to decrypt the master device password on the smartphones. The smartphones are set up so that all data is wiped if the password is entered incorrectly 10 times in a row and it was believed impossible to figure out this master password. The software apparently also works on Apple devices such as the iPhone and iPad and comes as part of Elcomsoft’s Phone Password Breaker.


Mobile Development from Apress
The largest catalog of quality books for Android, iPhone and iPad developers
www.apress.com/mobile
/ FEATURE

HUNTING MALWARE WITH A (WIRE)SHARK
The malware threat landscape has changed. How agile is your defence and how can you detect if malware used in a targeted attack is present on your network?
by Christiaan Beek
/ ADVANCED

Over the years use of malware has dramatically changed, ranging from programmers exploring the malicious possibilities of their programming code, copycats trying to combine code snippets, through to organized crime and governments using custom made malware for their purposes. Where financial gratification is the main motivator for cybercrime, it seems that espionage, i.e. the hunger for secrets and intellectual property, is significantly on the rise. Examples include Operation Aurora, Night-Dragon and recently Shady-RAT. These investigations started with the detection of unknown customized malware hiding on corporate networks and ended in large investigations regarding data loss.

So how is it possible that this malware was undetected?

All companies connected to the Internet have Intellectual Property (IP), Personally Identifiable Information (PII) or other interesting/sensitive data stored or used in their systems and are therefore potential targets for criminals. Almost all organisations today need or use Internet and email connectivity. This means that network ports for Internet traffic, DNS and email are open to at least a part of the network or in some cases direct to the desktop without any filtering or layered defence. Many companies have their network defence technology, like a firewall, poorly configured to monitor outgoing traffic for suspicious patterns.

Those organisations that do monitor outgoing Internet traffic mainly monitor and filter based upon categories, but what if the malware uses Internet Relay Chat traffic over http, or is using encrypted URLs? Malware authors know how business operates and are using these channels to infect or create a backdoor that allows communication with the Command and Control servers, or sites that host multiple malware samples.

Using spear phishing (targeted), drive-by downloads (opportunistic) and many other techniques, the malware authors try to infect the end-user. In addition they make detection or reverse engineering difficult. Blocking access to security-vendor websites, encrypting the malware source code, VM detection, a DNS changer component, timing mechanisms, URL generators and hiding malware traffic in ‘regular traffic’ are just some of the techniques used.

Social media sites like Facebook and Twitter are explored for their functionality and the malware authors adopt these into their malware design. Twitter botnets along with malware infections caused by adding a friend in Facebook are known to be in use. Platforms of choice are also shifting from desktops, servers and laptops to mobile smartphones with Android in the lead.

Authors also hide malware traffic within regular traffic and use encrypted communications to circumvent detection by Internet gateway security devices, IDS/IPS or content filters (Figure 1). Recent examples of malware using encrypted communication over http are TDSS and RimeCud.

Figure 1. Malware using encrypted URL’s

/ Wireshark
There are many security technology vendors offering in-line devices that scan for malware threats on the network. But if you do not have these deployed and you are potentially facing a malware incident, how could you use the Open Source tool Wireshark to investigate, mitigate and create firewall rules to detect and block this traffic? Once familiar with the basic workings of Wireshark, many options become available.


First it is important to understand where to place your Wireshark sniffer. You should install the software on a dedicated machine with enough resources to capture the traffic from your network. The next step is placing the ‘sniffer’ in your network. If it is only one machine that is infected, you could decide to place a hub between the host and its network connection to sniff the traffic of that specific host. It is not recommended that you install Wireshark on the infected host itself. It might sound like an easy solution, but for the malware investigation you do not want to alter an infected system. To investigate a network segment, there are two options: using an in-line network tap or using a Span port (aka port mirroring) on the relevant switch. Using a tap versus a Span port on a switch has some items you have to consider or could face during Incident Response:

• An engineer will need to configure the switch; if the owner of the switch mistakenly configures the Span port not to show all traffic, you may not discover this misconfiguration;
• Switch configuration is not available;
• Span port is shared for other (undocumented) purposes;
• Switches introduce mechanisms on ingress ports that eliminate packets below a certain size or corrupt packets;
• Switches will drop packets; spanning traffic is the switch’s lowest priority. In case of overload the first traffic that will be dropped is the Span traffic;
• Delay on the switch while packets are copied to the Span port;
• Capturing traffic from a 100Mb link, the Span port needs 200Mb of capacity.

Using Wireshark in a pro-active mode, there are several places where you can sniff for malware traces. You can scan for example for DNS traffic, Internet traffic, SMB traffic, RDP, FTP or IRC traffic. It will depend on the architecture of your network in order to decide the optimal placement for effectiveness.

/ Mal-WareHouse
Recent investigations showed that cybercriminals are using several domains as a warehouse for hosting malware. They program a Dynamic DNS component (using FastFlux) into their dropper that tries to reach several of these domains. Once the malware is detected by more than half of the AV companies, they remove it from the domains and upload another variant which is yet undetected.

In the next example, traffic from a Palevo dropper will be examined starting with some basic Wireshark filters. The dropper makes use of DNS, UDP and IRC traffic. A pcap file was created by sniffing one of the network segments that the malware was reported from (Figure 2). In Figure 2 we see a sample of suspicious network traffic.

Figure 2. Network Capture

In this dump a DNS query was made for the domain “arta.romail3arnest.info” with the IP address “46.166.147.230”; this query is followed by an outgoing UDP session to this address using port 11110. Analyzing this domain, it becomes clear that it is hosting a Palevo Command & Control server. Since it is known that UDP traffic is used to communicate with the C&C server, you want to know which machines are attempting to connect to this server. A basic filter, filtering on destination, would look like the following:

ip.dst == 46.166.147.230

To be more specific you could combine this filter with the UDP destination port:

ip.dst == 46.166.147.230 && udp.dstport == 10111

By following the outcome of this filter, another traffic stream is discovered: a DNS request for ‘ip.ipwhois.co.uk’.

The picture of how this malware is communicating starts to become clear. Once the malware is activated, it tries to discover the IP address of the infected host by requesting this information from ipwhois.co.uk. Once verified, communication is established over UDP to interact with the C&C domain that for the moment is active. Several times the malware communicates with the C&C domain, and the domain is changing now and then using fastflux technology.

Mitigate this malware on the network and identify compromised hosts by blocking and monitoring outgoing traffic on UDP port 10111. In Figure 1 we saw that encrypted http requests were made. So how do we filter those requests out of the traffic dump? Combine the following filters:

tcp.dstport == 80 and http contains "GET" and ip.dst_host == xxx.xxx.xxx.xxx

/ Looking for Malicious Domains
In general there are some domain extensions that are often used for hosting malware. DNS queries are made to these domains before a GET request is done. If you don’t know if malware is on your network, you could create a filter like this to get a sneak peek:


dns contains "ru" or dns contains "cn" or dns contains "biz" or dns contains "dyndns.org" or dns contains "cc"

/ Daily Rootkit Detection
Rootkits, used primarily for stealth and resilience, make malware more effective and persistent; their popularity is rising. Rootkits such as Koutodoor and TDSS appear with increasing frequency. More than 2 million unique rootkits exist; 1,200 new rootkits are detected every day, which means 50 rootkits per hour every single day. (Source: McAfee Labs)

Remember Conficker and other worms that propagate over the network? They are scanning for open shares to put a copy of themselves into these open shares. Microsoft is using TCP port 445 for SMB traffic on the network including share access. Statistics from SANS show that this port is highly used during attacks (http://isc.sans.edu/port.html?port=445). To filter for Conficker, the following filters could be used:

smb.services contains "NetPathCanonicalize" request

smb.cmd == 0xa2 and smb.file contains "\\System32\\"

One example of a recent piece of malware using network-share propagation is Qakbot (or PinkSlipBot). Early variants used software vulnerabilities in order to infect systems. The malware copies itself and tries to steal information from the infected computer, e.g. Internet Explorer “autocomplete” information (username/password), and stores it encrypted on the victim’s hard disk; then at a scheduled time (the malware creates a task) these files are transferred by using FTP to compromised servers.

Detecting this malware on the network can be achieved by filtering for FTP or SMB traffic. The recent variants discovered are using several infection vectors including using default network shares (ADMIN$, C$, D$ etc.). These default administrative network shares are created by each system. Qakbot makes use of these default shares and enumerates them. After the enumerating process, the bot tries to connect with SMB over TCP using the user’s rights. After performing some checks, the malware copies itself onto the C$ or Admin$ share, binds the SVCCTL interface and starts a remote service to execute the dropped (and hidden) file on the victim’s computer.

Filtering out the traffic with Wireshark, you could build filters that search for SMB, FTP and SVCCTL traffic. In the past you could use a filter like the one below to filter out any executables in the SMB traffic:

smb.file contains "exe"

After filtering out these lines, you could try to re-assemble the files and check if they contained malware. In the past, the company Tadong developed a plugin to filter out SMB traffic in Wireshark. Since Wireshark developer version 1.5.1, this plugin has been integrated and is working very well. After you have captured the traffic or loaded a previous capture, go to the menu option ‘File’; choose the path Export/Objects followed by the option SMB. This will export all SMB objects in a new pane, as shown in Figure 3.

Figure 3. SMB Object List

After exporting the file ‘keygen.exe’ a checksum (MD5) is made of the binary. The generated hash and binary were uploaded for scanning and verification to the website http://www.virustotal.com/search.html. This website checks the file against 41 anti-virus engines or verifies if the hash is known. After submission the results page shows the antivirus product name, the product version and results of the malware analysis. On the same website an upload tool or browser plugin can be downloaded to submit malware samples.

As mentioned before, malware tries to hide itself in regular traffic streams. In the examples mentioned the sniffing software was used to scan for websites, destination address, DNS traffic and SMB traffic. FTP and IRC traffic can be filtered out in the same way by using these filters:

tcp.port == 21
tcp.port == 6667

Sometimes the malware tries to hide IRC traffic in http URLs. In that case you could use the following filter:

http contains "irc"

Recently the Morto worm was discovered. This piece of malware is trying to spread by compromising admin passwords of remote desktop connections. To compromise the admin passwords, it contains a hardcoded list of 103 unique items based on the leaked RockYou password list. It also could be used to perform a denial-of-service attack. The malware generates a lot of network traffic once active: RDP scans, downloading files, receiving commands and DNS queries for Command and Control servers. After running the sample in a controlled sandbox environment, the traffic shows a lot of DNS queries, as shown in Figure 4.

Figure 4. Morto DNS Queries
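The display filters quoted in the preceding sections (destination address plus UDP port for the Palevo C&C, the domain-extension sweep, the SMB and IRC port filters) all reduce to the same small grammar: field comparisons with == or contains, joined by and/or. The evaluator below is an added example, not the article’s code nor part of Wireshark; it re-implements that subset of Wireshark’s display-filter syntax in Python and runs the article’s filters over constructed packet records (the internal hosts, the web server 203.0.113.9 and the domains forum.example.org / update.example.cc are made up; the C&C address, port and domains are the ones the article quotes). It goes slightly beyond the article in that it accepts any filter built from those operators, including the curly quotes the magazine layout introduced, and it applies Wireshark’s rule that a comparison on a field the packet does not carry is false.

```python
import re

# Constructed sample records, not taken from a real capture. Each dict mimics the
# dissected fields a display filter sees; the internal hosts and the web server are
# made up, the C&C address and domains are the ones the article quotes.
SAMPLE_PACKETS = [
    {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.1", "dns": "arta.romail3arnest.info"},
    {"ip.src": "192.168.1.20", "ip.dst": "46.166.147.230", "udp.dstport": 10111},
    {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.1", "dns": "ip.ipwhois.co.uk"},
    {"ip.src": "192.168.1.31", "ip.dst": "203.0.113.9", "tcp.dstport": 80,
     "http": "GET /index.html HTTP/1.1"},
    {"ip.src": "192.168.1.31", "ip.dst": "192.168.1.1", "dns": "update.example.cc"},
    {"ip.src": "192.168.1.45", "ip.dst": "46.166.147.230", "udp.dstport": 10111},
    {"ip.src": "192.168.1.45", "ip.dst": "192.168.1.10", "tcp.port": 445,
     "smb.cmd": 0xA2, "smb.file": "\\System32\\keygen.exe"},
    {"ip.src": "192.168.1.50", "ip.dst": "192.168.1.1", "dns": "forum.example.org"},
    {"ip.src": "192.168.1.50", "ip.dst": "192.168.1.60", "tcp.port": 6667},
]

# One token per match: operator, quoted string, field name, or number/IP literal.
TOKEN_RE = re.compile(
    r'\s*(?:(&&|\|\||==|\band\b|\bor\b|\bcontains\b)'
    r'|"([^"]*)"|([A-Za-z_][\w.]*)|(0x[0-9A-Fa-f]+|\d+(?:\.\d+)*))'
)


def tokenize(text):
    """Split a filter into (kind, value) tokens; curly quotes from print are normalised."""
    text = text.replace("\u201c", '"').replace("\u201d", '"').strip()
    tokens, pos = [], 0
    while pos < len(text):
        match = TOKEN_RE.match(text, pos)
        if not match:
            raise ValueError(f"cannot tokenize filter at: {text[pos:]!r}")
        pos = match.end()
        op, string, ident, number = match.groups()
        if op:
            tokens.append(("op", {"&&": "and", "||": "or"}.get(op, op)))
        elif string is not None:
            tokens.append(("value", string.replace("\\\\", "\\")))  # \\ escapes one backslash
        elif ident:
            tokens.append(("field", ident))
        elif number.startswith("0x"):
            tokens.append(("value", int(number, 16)))
        else:  # plain integers become int; dotted numbers (IP addresses) stay strings
            tokens.append(("value", int(number) if number.isdigit() else number))
    return tokens


def parse(tokens):
    """Recursive descent: 'or' binds loosest, 'and' tighter, comparisons tightest."""
    pos = 0

    def comparison():
        nonlocal pos
        if pos + 3 > len(tokens):
            raise ValueError("incomplete comparison at end of filter")
        (fk, field), (ok, op), (vk, value) = tokens[pos:pos + 3]
        if (fk, ok, vk) != ("field", "op", "value") or op not in ("==", "contains"):
            raise ValueError(f"malformed comparison near {field!r}")
        pos += 3
        return ("cmp", field, op, value)

    def conjunction():
        nonlocal pos
        node = comparison()
        while tokens[pos:pos + 1] == [("op", "and")]:
            pos += 1
            node = ("and", node, comparison())
        return node

    node = conjunction()
    while tokens[pos:pos + 1] == [("op", "or")]:
        pos += 1
        node = ("or", node, conjunction())
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos][1]!r}")
    return node


def evaluate(node, packet):
    """Wireshark semantics for this subset: a comparison on an absent field is false."""
    if node[0] == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if node[0] == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    _, field, op, value = node
    if field not in packet:
        return False
    actual = packet[field]
    if op == "contains":
        return str(value) in str(actual)
    return actual == value or str(actual) == str(value)


def apply_filter(filter_text, packets=SAMPLE_PACKETS):
    """Return the records the display filter would select."""
    node = parse(tokenize(filter_text))
    return [p for p in packets if evaluate(node, p)]


def suspect_hosts(filter_text, packets=SAMPLE_PACKETS):
    """Distinct internal sources behind the matching records, i.e. the hosts to triage."""
    return sorted({p["ip.src"] for p in apply_filter(filter_text, packets)})
```

Running the C&C filter `ip.dst == 46.166.147.230 && udp.dstport == 10111` over the sample records returns the two internal hosts that spoke to the C&C address, which is exactly the triage list the article is after. The domain-extension sweep shows its own weakness on the same data: `dns contains "ru"` matches the made-up forum.example.org as well as update.example.cc, because contains is a substring test anywhere in the name. For a tighter sweep, test the final label of dns.qry.name rather than a substring, and treat a hit as a lead to confirm, not as proof of infection.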


/ FEATURE

Following the data stream it became clear that this malware


also is trying to download a binary file (Figure 5). / Commercial Solutions
After a while the malware also tries to attack an IP-address In this article an open-source solution was discussed to
belonging to Google. So to detect if this piece of malware analyze network traffic for malware behavior/patterns. There
are also some commercial solutions that could be placed
is running on your network and which hosts are infected,
in-line to scan the network. Most of them are appliances with
following filters could be created for Wireshark: different capacity and a subscription model for the malware/
malicious detection signatures. Some of these commercial
Dns contains “flt1.qsl” or dns contains “t.qsl” solutions are:
http contains “/160.rar”
• FireEye Malware protection systems – FireEye has several
ip.dest== [ip-address of Google’s site]
systems that can detect, protect and analyze (0-day) malware
inline. (http://www.fireeye.com)
/ Countermeasures • Netwitness Spectrum – Spectrum is build upon the
Just using Wireshark to detect malware on your network NetWitness network monitoring platform to perform behavior
or study malware behaviour is not enough to defend your analysis of malware in the network. (http://netwitness.com/
products-services/spectrum)
company’s network. A structured malware defence supported
• McAfee NTR – McAfee Network Threat Response is an out-
by policies is needed including understanding the threats of-band appliance that captures, deconstructs, and analyzes
and the traffic streams that maybe and are used by malware. malware specific to your network. (http://www.mcafee.com/
One technical solution could be the proper implementation us/products/network-threat-response.aspx)
of an IDS/IPS; this device should complement the company’s
security policy for investigations and access control; until now,
an IDS/IPS does not monitor protected accounts.

PROTECTED ACCOUNTS
ARE EXECUTIVES, LOCAL
ADMINISTRATORS AND DOMAIN
ADMINISTRATORS, PEOPLE WHO
WILL BE THE POINT OF INTEREST Figure 5. Morto Binary Download
DURING A TARGETED ATTACK
Protected accounts are executives, local administrators and domain administrators, people who will be the point of interest during a targeted attack. Controlled access methods like RDP, VNC, Shell or CMD are not monitored by IDS/IPS. Custom rules regarding this inbound traffic should be created.
Since we are talking about Open Source tools, let's have a look at Snort. To monitor RDP and VNC traffic coming from the Internet-facing side towards the internal network, the following Snort content matches could be used for detection:

RDP = "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|"
TPKT (RDP) = "|03 00 00 0b 06 e0|"; "|b8 e5 0d 3d 16 00|"
VNC = "|52 46 42 20 30 30 33 2e 30 30|"

Creating a rule to monitor command shell usage over the network or across firewalls would look like this:

CMD = "|0a 0a|C|3a 5c|"; "|0a 0a|C|3a 5c|WINDOWS|5c|";

Along the way you will learn and implement new rules to monitor malicious traffic; additional suggestions for monitoring traffic would be:

• Filter outbound GET requests for files by type (.exe, .bat, .dll)
• Filter for encoded URL extensions
• Filter for MIME/BASE64 encoded URL extensions

/ Summary
The battle between malware creation and its detection and prevention has been going on for years; do not believe that your network is malware proof. The tool Wireshark may be used for several purposes, including troubleshooting network related failures. In this article we have discussed using it for the detection of malware. For this purpose it should be part of any malware incident responder's kit and be part of a malware behaviour analysis lab. It is important to keep a learning mind and, most of all, share your knowledge with the community.
Sharing and a learning attitude will bring us closer together to win the battle against malware. /

/ Author Bio
Christiaan Beek has been working in the security field for more than 12 years. Working for national and international companies, he gained knowledge of hacking techniques, forensic analysis, malware investigations and incident response. He is responsible for the McAfee Foundstone IR & Forensics services in EMEA and instructor of the Malware Forensics & IR class. Frequently he shares his knowledge in several media outlets and speaks at events like BlackHat.

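As an added example (not code from the article or from Snort itself), the following Python script turns the Snort content matches quoted above for RDP, TPKT, VNC and CMD into raw bytes, checks constructed sample payloads against them, and adds the outbound "GET for .exe/.bat/.dll" filter suggested in the list; the packets, addresses and names are all constructed for illustration.

```python
import re

# Snort content patterns quoted in the article: |..| sections are hex bytes,
# everything else is literal text (the "C" and "WINDOWS" in the CMD pattern).
SIGNATURES = {
    "rdp_mstshash_cookie": "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|",
    "rdp_tpkt_header": "|03 00 00 0b 06 e0|",
    "vnc_rfb_banner": "|52 46 42 20 30 30 33 2e 30 30|",
    "cmd_prompt": "|0a 0a|C|3a 5c|",
    "cmd_prompt_windows": "|0a 0a|C|3a 5c|WINDOWS|5c|",
}


def snort_content_to_bytes(content):
    """Turn Snort content notation into the byte string it matches.

    Splitting on '|' alternates literal text (even positions) and hex byte
    lists (odd positions); bytes.fromhex() tolerates the spaces between bytes.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


COMPILED = {name: snort_content_to_bytes(pat) for name, pat in SIGNATURES.items()}

# Request line fetching a binary by file type (.exe, .bat, .dll), one of the
# additional outbound filters the article suggests.
BINARY_GET_RE = re.compile(
    rb"^GET\s+\S+\.(?:exe|bat|dll)(?:\?\S*)?\s+HTTP/1\.[01]\r?$",
    re.IGNORECASE | re.MULTILINE,
)


def match_payload(payload):
    """Names of the article's content patterns found anywhere in a payload."""
    return sorted(name for name, pat in COMPILED.items() if pat in payload)


def is_binary_get(payload):
    """True when the HTTP request line fetches an .exe, .bat or .dll file."""
    return BINARY_GET_RE.search(payload) is not None


def triage(packets):
    """Run both checks over (src, dst, payload) tuples and return the hits only."""
    hits = []
    for src, dst, payload in packets:
        sigs = match_payload(payload)
        if is_binary_get(payload):
            sigs.append("outbound_binary_get")
        if sigs:
            hits.append((src, dst, sigs))
    return hits


# Constructed sample payloads (not captured traffic): an RDP connection request
# carrying the mstshash cookie, a minimal TPKT/X.224 request matching the 11-byte
# length in the article's TPKT pattern, a VNC server banner, a command prompt
# echoed over a raw TCP shell, a binary download and a benign page fetch.
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.0.0.5",
     b"\x03\x00\x00\x2a\x25\xe0\x00\x00\x00\x00\x00Cookie: mstshash=admin\r\n"),
    ("203.0.113.7", "10.0.0.5", b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00"),
    ("10.0.0.9", "203.0.113.7", b"RFB 003.008\n"),
    ("10.0.0.9", "203.0.113.7", b"\n\nC:\\WINDOWS\\system32>dir\r\n"),
    ("10.0.0.12", "203.0.113.44",
     b"GET /update/agent.exe HTTP/1.1\r\nHost: 203.0.113.44\r\n\r\n"),
    ("10.0.0.12", "198.51.100.3",
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, sigs in triage(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {', '.join(sigs)}")
```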
/ LETTERS

360°
Your chance to have your say …

Here at Digital Forensics Magazine we welcome feedback and are using email and social media to allow you to let us know your thoughts. The following has been extracted, allowing us to respond and let you know what we are doing to answer your concerns.
Send your letters and feedback to: [email protected]

Letters & Emails

Attenex Document Mapper – Update
In issue 08 August '11 the article by Andrew Pimlott mentioned a bit of kit called "Attenex Document Mapper". This product no longer exists as a standalone product and hasn't for a couple years. They were bought by FTItech and integrated into Ringtail, which is very expensive.
Brian Martin
Digital Trust, LLC

Thanks for the update. Whilst we do technical reviews it is not possible for us to check every fact, especially regarding software mergers and acquisitions, and we rely on our authors to make sure that this sort of information is as up to date as is possible when submitting an article.

Secure Subscription
I would like to subscribe to your online magazine but I noticed that your subscription page connection is not encrypted. Don't you think that is a little bit strange for a forensic and security magazine? Is there a secure way to send my personal information for the subscription?
Wilko van der Maas

Thanks for pointing this out to us. Rest assured that this has been rectified and all links to the subscription pages are now linking securely. We do take the whole process seriously and have spent some time ensuring that the whole system is as secure as we can make it, so it did come as a surprise when you pointed this out. As with any online service we are at the mercy of those who wish to exploit weaknesses in our systems and it is an ongoing task to make sure that we are as secure as possible and respond quickly when vulnerabilities are identified.

/ TWITTER
Our Twitter following has now reached over the 2100 mark and the growth from 1750 last quarter is a testament to the tweets that we are putting out there; we are obviously providing a service that you want to receive. Almost every day we try and tweet the latest news and comment from our comprehensive newsfeed monitoring facility, allowing us to identify what is hot and what is not in digital forensics and related subjects.

FBI & Facial Recognition
We recently tweeted the following: "FBI to launch nationwide facial recognition service bit.ly/r41axI Upgrade and add on to AFIS", which prompted the following response from @cybertheorist: "I mean, really, what could go wrong? FBI to launch nationwide facial recognition service", and this was not the only comment. Clearly many of you foresee some dangers and problems with what the FBI is planning, and rightly so. However, what I will say is that this technology has been deployed in the UK for some time and to date we have not heard of any miscarriages of justice; indeed, during the recent riots it is our belief that the system came in very handy!

Research, Tools & Alerts
We often do not get direct responses to our tweets but know we have struck a chord when we see a large number of those following us re-tweeting something we have put out there. By looking at these responses we see that many of you are interested in information relating to new research, tools and especially any tweets that provide in-depth information on attacks. This prompts us to look specifically for these types of news story and tweet all that we find. To find out more you will just have to follow us "@dfmag".

LinkedIn
The DFM LinkedIn Group now has over 880 members, an increase of over 130 since last issue, and new members are joining almost daily. Every day members of this group post interesting news items, job prospects and start discussions related to our industry. Here are a few of the more interesting ones:

PhD Programs in Digital Forensics
I am hunting down PhD programs in digital forensics in Europe; possibly online. Can anyone who has "been there", "done that", give me some recommendations please?
Donald Tabone



Following Donald's post, Amer Aljaedi also mentioned that he was interested in learning the same information. This prompted a number of responses from members of the group, some of which have been reproduced here:

• Andrew Jones – You could try the University of Glamorgan – they have a well established programme and a good lab
• David Billard – The program at the University of Stockholm is a new one. They have a well equipped lab with many leading software (Encase, FTK, Smart, X-Ways, Sawmill) and hardware (XRY, Cellebrite, Paraben) tools. Courses in Digital Forensics (BSc) and Cyber Forensics (MSc) were launched last year. I think there are some open PhD positions right now but I can't see any on the web pages
• Roy Isbell – There are also Forensic PhDs at De Montfort University in the UK and I can put you in touch with the people running them if that would help.

Clearly demonstrating that the collective knowledge of the group is very powerful.

Forensic Examination of a Windows XP SP2 dd Image
Milton posted the following question. "Please could any one guide/advise me on performing forensic analysis of a Windows XP SP2 dd image?" Now a question like this was bound to get a response and I do not think Milton was disappointed with the information he got back; however, what he did find was that the ever helpful community needed more information before they could provide the answer he was looking for.
Milton Markose

To see all the responses that Milton received you will need to join our LinkedIn Group, as there were just too many useful responses to repeat them all here.

Support
Our dedicated Support Ticketing System available on the DFM website is where users can raise a trouble ticket if they are having issues logging in or problems viewing the online version of the magazine, or just want to point out anything related to our website.
Only 2 support tickets were raised this quarter, dealing with 2 main issues:

• Subscription Upgrade – To upgrade from a digital subscription to a print subscription please contact the team by sending an email to [email protected].
• Change of address – This issue came up last quarter so please do make sure you let us know promptly if you change your address to avoid missing your print issue.

If you think you can contribute in any way to the magazine or to any of the discussions taking place via social media, please make sure that you join the groups and follow us as appropriate.



/ LEAD FEATURE

BIG BROTHER FORENSICS


One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data.
Geo-location gives us the means to accurately identify the physical location of an item on
Earth. It is now possible to determine where in the world a laptop or mobile phone has been,
solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can
provide a crucial extra dimension to our investigations. With it, we now have the potential to
answer who, what, when, why, and where…
By Chad Tilbury

/ INTERMEDIATE

The trend towards mobile computing is unmistakable, with laptop computers outselling desktops for several years. Forrester Research estimates tablets, netbooks, and laptops to be 73% of computer sales in 2011. While an increasing number of smartphones contain Global Positioning System (GPS) radios, the technology has been slower to be adapted to mobile computers. However, devices can be geo-located and can store location artifacts even if they do not contain a GPS capability. In fact, in urban locales and particularly indoors, GPS can be highly unreliable. Technologies like WiFi network positioning and cell tower triangulation are commonly used to augment or replace GPS.

/ An Inside Look at a Geo-location Service
Google Latitude is a free, popular geo-location service used to
pinpoint locations. The host device first collects environmental
information about itself, including IP address and any GPS,
cell tower, and WiFi information available. This information
is formatted into a JavaScript Object Notation (JSON) file and
sent to Google. The more distinct data provided, the higher
accuracy the location estimate will be.

Google Latitude HTTPS POST Request:


{ "version": "1.1.0", "request_address": true, "wifi_towers":
  [ { "mac_address": "00-15-e9-35-8e-3d",
      "ssid": "JOHN HOME", "signal_strength": -70 },
    { "mac_address": "00-02-6f-79-57-ca",
      "ssid": "DAY-SEC", "signal_strength": -83 } ] }

The initial POST request includes data collected from the host:
the SSID and MAC address for two wireless access points
along with their relative signal strengths. Google Latitude will
perform database lookups using the provided data and return
an approximate location. Notice that coordinates, a street
address and estimated accuracy (in meters) are returned.

Google Latitude JSON Response:


{ "location":
  { "latitude": 40.6441499,
    "longitude": -111.4809164,
    "address":
      { "country": "United States",
        "country_code": "US",
        "region": "Utah",
        "county": "Summit",
        "city": "Park City",
        "street": "Deer Valley Drive N",
        "street_number": "1554",
        "postal_code": "84060" },
    "accuracy": 72.0 } }



If a device is connected to the Internet and has access to GPS, a cellular modem, or a wireless network card, geo-location data in some form is likely already being generated and stored. This capability has sparked a creative gold rush, with an ever-increasing number of software applications racing to become "location aware". At stake is a slice of the $billion mobile marketing industry. Envision walking by a restaurant and being alerted to a half price lunch special via your mobile device; or arriving at a conference and immediately pinpointing the bars and restaurants where your contacts are located. These applications exist and digital forensic examiners can use the data generated to pinpoint the location of a device at a specific time.

/ Introducing HTML5
To see the future of geo-location artifacts, we need only to review the new HTML5 standard for web development. While the specification is not yet final, the Internet is moving rapidly towards HTML5 adoption. The World Wide Web Consortium (W3C) presciently included a geo-location application-programming interface (API) within HTML5, providing scripted access to geo-location information via the host system browser. With every major browser now supporting HTML5, there is instantly a common language for Internet applications to request and utilize the location of a given device. The HTML5 geo-location API can facilitate device location lookups using WiFi positioning, cell tower triangulation, GPS data, and in the worst case, simple IP address geo-location. Real-time location updates can be requested via the "watchPosition()" function, creating a breadcrumb trail of a device's whereabouts. From a forensic perspective, the HTML5 API is the best possible scenario. Standardized methods lead to dependable forensic artifacts, and interactions take place using the web browser, which is well understood by forensic examiners. With web browsers available on nearly every mobile device, we should expect consistent cross-platform artifacts on laptops, tablets, netbooks, and even smartphones.

/ Understanding Browser Artifacts
Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favourite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful, a critical shortcoming is



/ LEAD FEATURE

/ How HTML5 Location Sharing Works
In order to identify what forensic artifacts are left behind by geo-location, we need to understand how location aware applications interact with the web browser, and ultimately the host system. When an application requests the current location, the following steps occur:

1. The browser notifies the user that location data has been requested. If the user previously shared location information with the application, this step may be skipped.
2. Assuming the user gives permission, the browser queries the host device using JavaScript and the getCurrentPosition() function.
3. The host device returns available data, including IP address, GPS data, nearby cell towers, WiFi access points, and signal strengths.
4. Information collected is sent to a geo-location service for database lookups. In this example, the Firefox browser defaults to Google Latitude. Data is sent to Google via Secure Socket Layer (SSL) by default.
5. The geo-location service returns an approximate longitude and latitude, which is stored in the browser document object model (DOM) as position.coords.longitude and position.coords.latitude and made available to the requesting application.

Image 1

Image 2

often ignored; with today's dynamic web pages, the vast number of web page requests goes unrecorded. When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties. The content retrieved from these requests is stored within the cache, and an entry within the cache database is created. While the browser history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that page.
As it turns out, most browser-based geo-location artifacts are not stored within the browser history. Looking back at the HTML5 standard, this makes perfect sense. The fact that the API is JavaScript dependent is the first clue. Also, the multiple steps and asynchronous nature of a geographical lookup indicate a lot is going on behind the scenes when that initial web page is accessed. Luckily, data collected from the host must be passed to a geo-location service and those interactions are often recorded within the browser cache. When content is cached, the URLs associated with the web request are also stored. It is within these requests that we can mine geo-location parameters and coordinates passed to third parties such as Google Maps.

/ Geo-location via Mapping Services
A vast number of websites utilize mapping services from Google, Yahoo & Microsoft for visually displaying locations. The HTML5 geo-location features allow further customization of these maps and sites are increasingly using it to identify visitor locations. Instead of a hamburger franchise showing all of its locations on a map, it can first determine the visitor's location and show only the closest locations. Only a few lines of code are required to make this change; hence we should expect to see an increasing number of geo-artifacts during our examinations. If we can find the co-ordinates used by the site to create its map, then that information can be used to tie that device to a location at a specific time, with some degree of accuracy. These co-ordinates are routinely found as URL parameters within the browser cache.
In an ideal world, we would be able to determine the device location via the initial communication with the geo-location service. In practice, little of this is stored on the host system because it is conducted via the HTTPS protocol, which explicitly does not cache data. Thus we are required to analyze the by-product of the geo-location, which are the changes made to the page as a result of the new location information (such as a new map being drawn). The difficult part of this



/ Identifying Google Maps Geo-location Data
Google Maps is the most widely used mapping service so we will use it to demonstrate the analysis process. Similar to reviewing search URLs to identify what a user was searching for, we can identify requests to Google Maps which include location information. This location information is often passed via query string parameters, which are dutifully recorded by the browser cache. As an example, you might find the following:

http://maps.google.com/maps?ll=40.760779%2C-111.891047

Query string parameters for this request are denoted after the question mark. In this case, we see the parameter "ll" used to request a map centred on latitude 40.760779 and longitude -111.891047. Google Maps accepts a multitude of parameters, but the ones most useful to identify device location are:

Query String Parameter    Description
q=                        Replicates a search conducted in the query box of http://maps.google.com
ll= / center= / vp=       These three different parameters can denote latitude and longitude of the center of a map. When a device has been geo-located, its coordinates will often be used with one of these options.
sll=                      Latitude and longitude used during a business search
cbll=                     Latitude and longitude for Google Street View
spn=                      Creates a map spanning a certain latitude and longitude. If specific coordinates for a device cannot be determined, spn= can be used to show approximate location.
saddr=                    Source address for driving directions
sensor=                   Required for some queries. A true value indicates coordinates were determined via a measurement sensor, such as the HTML5 geo-location API

process is determining what requests give information about device location. Consider finding an entry for a Google Maps request using a specific set of coordinates. How can we determine definitively if those coordinates are a result of the device being geo-located? In general, we can use the presence of coordinates within URL parameters as an indication of possible geo-location and then test our hypothesis by gathering additional data. Context is extremely important when attempting to identify geo-location artifacts from cached map requests. A search of an address at http://maps.google.com looks much different than a geo-location event triggered by http://twitter.com. A few heuristics:

• Place the map requests in context with the concurrent pages being visited. Do those pages implement a geo-location feature?
• If an explicit location search was accomplished in close proximity to the map request (for instance, via the "q=" parameter in Google Maps), it is a good sign that geo-location did not occur
• Conversely, specific latitude and longitude coordinates used by mapping applications in the absence of a search often indicate the use of a geo-location sensor

An example can better illustrate this process. Review the browser cache entries shown in IMAGE 1 taken from the Flickr mobile site. Specific coordinates are used in the absence of an obvious location search, suggesting that geo-location may have taken place. Our next step is to conduct a review of the page visited, http://m.flickr.com/nearby. In this case, we find the page will not function without the ability to geo-locate, strongly supporting our initial hypothesis.

/ Application Specific Geo-location
Web applications can often leave their own geo-location clues similar to those found via the mapping services. Evidence of this is seen in the Flickr example in IMAGE 2. The URL http://m.flickr.com/nearby/40.760779,-111.891047 clearly shows where that site believes the device to be located. While mapping artifacts are largely consistent, geo-artifacts referenced by applications are more haphazard. Thus the number of available artifacts can be as numerous as the applications using geo-location services. To put this in perspective, we will analyze the artifacts left by another popular application with geo-location support, Twitter.
Twitter uses geo-location to allow users to tag their posts (tweets) with a specific neighbourhood, city, or exact location. It can use an HTML5 capable browser to request latitude and longitude and if that is unavailable will default to geo-location using the device's IP address. Interestingly, Twitter stores the last IP address for a device along with the time the IP was recorded within a cookie, even if geo-location was never authorized. Since an IP address can sometimes be geo-located, this can be a great artifact. A sample Twitter cookie might contain:

k66.169.216.161. 1310063489493350twitter.com/1536250595571230 135028186098848030133620*

The IP address starts with the second character (66.169.216.161), and the timestamp immediately follows (1310063489493350). The timestamp is stored in PRTime, which records the number of milliseconds since Jan 1, 1970 UTC. In this case, the value converts to August 2, 2011 22:18:45 UTC. Using an IP address geo-location database like Maxmind, we can determine the IP belongs to Charter Communications and appears to be located in Roanoke, Texas. Therefore, with some level of confidence we can say the device containing that cookie was in Texas on August 2, 2011. Of course geo-location by IP



/ LEAD FEATURE

address can be wildly inaccurate, so we would prefer to have additional artifacts to help bolster that claim.
It turns out that Twitter also makes web requests using URL query string parameters like we have seen previously. You might find any of the following supporting information in the browser cache database:

• http://api.twitter.com/1/geo/search.json?ip=66.169.216.161
• http://api.twitter.com/1/geo/nearby_places.json?
• http://api.twitter.com/1/geo/reverse_geocode.json?lat=33.0227&long=-97.2324
• http://twitter.com/#!/search/realtime/place%3Adallas%2Btexas

If no evidence was found in the cache, our next step might be to review a memory dump or unallocated space. Similar to Google Maps, Twitter can transmit geo-location data via JSON and HTTP POST requests, circumventing our ability to spy data in the cache. The following keyword search terms have shown success at finding Twitter data in unallocated space:

• "coordinates":[[[
• geo_enabled
• screen_name

Thus, even a small-scale location aware implementation like the one in Twitter can reap very useful artifacts for the investigator.
Our computing devices are becoming increasingly mobile, and software applications are evolving to take advantage of this. As a result, geo-location artifacts are permeating operating systems, applications and file formats. Nowhere is this more obvious than in the latest web standard, HTML5, which includes native support for device geo-location. With the major browsers' adoption of HTML5, nearly every Internet connected device on Earth can transmit its location. Taking advantage of the artifacts left behind will give forensic analysts tremendous new resources to track devices and build cases with stronger user attribution. This article represents just a sliver of the currently available geo-location artifacts and I look. /

/ Browser Forensics: History versus Cache Artifacts
To see the difference between what is recorded in browser history versus what may be found within the cache, we will profile a simple location aware website that calculates the driving distance between any two points and displays a map. The specific page we will visit is www.mileage-charts.com/search/calc.php. For HTML5 compliant browsers, an option is given to automatically determine the starting point based on your current location.
For this example, we will use the Firefox browser, which provides easy live access to both the history and cached data. Before accessing the site, all browser artifacts were cleared. When we enter our URL into the browser, we see only one entry in our history library (IMAGE 4). However, when the browser cache is reviewed using the about:cache function in Firefox, we see a total of 116 entries representing 11 separate domains (IMAGE 5). Each entry in the cache has multiple timestamps, a visit count, and the ability to extract and review the cached data (including the pictures used to generate the Google map). The entry for maps.google.com in IMAGE 5 provides the location coordinates identified through geo-location.

Image 4

Tip: When profiling sites, you might also consider employing a web proxy, like Paros. A web proxy can capture all inbound and outbound web traffic and give the most complete view of what is occurring behind the scenes, including connections which do not result in cached data.

Image 5

REFERENCES
http://dataplusinsight.com/general/the-us-personal-computer-consumer-market-in-2015/
http://www.w3.org/TR/geo-location-API/
http://mapki.com/wiki/Google_Map_Parameters
http://code.google.com/apis/maps/documentation/javascript/basics.html#Geo-location
http://www.maxmind.com/app/locate_demo_ip
http://www.parosproxy.org/

/ Author Bio
Chad Tilbury, M.S, GCFA, ENCE, has spent over twelve years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. Formerly a Special Agent with the US Air Force Office of Special Investigations, he currently works as a computer forensic and incident response consultant. Chad serves as a certified instructor with the SANS Institute for the digital forensics track. Find him on Twitter @chadtilbury or at http://ForensicMethods.com

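As an added example (not code from the article), the following Python triage routine applies the Google Maps parameter table and the "search versus sensor" heuristics from the Big Brother Forensics article to cached URLs, and also recognises the Flickr path-embedded coordinates and the Twitter geo API requests the article lists; the sample cache URLs are constructed from the values quoted in the article, and the assessment labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Google Maps query-string parameters that carry a "lat,lon" pair (article table)
MAPS_COORD_PARAMS = ("ll", "center", "vp", "sll", "cbll")
LATLON_RE = re.compile(r"(-?\d{1,3}\.\d+),(-?\d{1,3}\.\d+)")


def parse_latlon(text):
    """Return the first plausible (lat, lon) pair found in text, else None."""
    m = LATLON_RE.search(text)
    if not m:
        return None
    lat, lon = float(m.group(1)), float(m.group(2))
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return (lat, lon)


def classify_cache_url(url):
    """Return (coords, evidence, assessment) for one cached URL.

    assessment is one of: 'search'   (explicit q= search, geo-location unlikely),
                          'sensor'   (coordinates with sensor=true),
                          'possible' (coordinates with no accompanying search),
                          'ip'       (only an IP address submitted for lookup),
                          'place'    (a place name rather than coordinates),
                          'none'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)

    if host.endswith("maps.google.com"):
        for param in MAPS_COORD_PARAMS:
            coords = parse_latlon(qs[param][0]) if param in qs else None
            if coords is None:
                continue
            if "q" in qs:  # explicit search nearby: heuristic says not geo-located
                return coords, param, "search"
            if qs.get("sensor", [""])[0].lower() == "true":
                return coords, param, "sensor"
            return coords, param, "possible"
        return None, None, ("search" if "q" in qs else "none")

    if host.endswith("flickr.com"):
        # Flickr mobile embeds the coordinates in the path, e.g. /nearby/lat,lon
        coords = parse_latlon(unquote(parts.path))
        if coords is not None:
            return coords, "path", "possible"
        return None, None, "none"

    if host.endswith("twitter.com"):
        if "lat" in qs and "long" in qs:
            coords = parse_latlon(qs["lat"][0] + "," + qs["long"][0])
            if coords is not None:
                return coords, "lat/long", "possible"
        if "ip" in qs:
            return None, "ip=" + qs["ip"][0], "ip"
        m = re.search(r"place:([^/&?]+)", unquote(parts.fragment))
        if m:
            return None, "place=" + m.group(1), "place"

    return None, None, "none"


def triage_cache(urls):
    """Keep only the cached URLs that carry location evidence."""
    hits = []
    for url in urls:
        coords, evidence, assessment = classify_cache_url(url)
        if assessment != "none":
            hits.append({"url": url, "coords": coords,
                         "evidence": evidence, "assessment": assessment})
    return hits


# Constructed sample cache entries built from the article's quoted values.
SAMPLE_CACHE_URLS = [
    "http://maps.google.com/maps?ll=40.760779%2C-111.891047",
    "http://maps.google.com/maps?q=Park+City+UT&ll=40.6441499,-111.4809164",
    "http://maps.google.com/maps?center=40.760779,-111.891047&sensor=true",
    "http://m.flickr.com/nearby/40.760779,-111.891047",
    "http://api.twitter.com/1/geo/reverse_geocode.json?lat=33.0227&long=-97.2324",
    "http://api.twitter.com/1/geo/search.json?ip=66.169.216.161",
    "http://twitter.com/#!/search/realtime/place%3Adallas%2Btexas",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in triage_cache(SAMPLE_CACHE_URLS):
        print(f"{hit['assessment']:8} {hit['evidence']!s:22} {hit['coords']}  {hit['url']}")
```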


/ FEATURE

SOCIAL NETWORK
MONITORING
LEARNING TO DRINK FROM THE FIRE HOSE

Social media has moved from casual chatter to a mainstream communication channel
by Curtis Schwaderer

/ INTERMEDIATE

Social networking may have started as a vehicle for casual chatter among friends, but it has gone mainstream over the past few years as a communication vehicle for businesses to interact with their customers. It has also emerged as a new way for bad guys to communicate their plans of destruction. With the increasing use of the medium for illegal activity comes the need to monitor the channel when appropriate to facilitate law enforcement.

/ Why Monitor Social Networking Services?
A social network service is an online service, platform, or site that focuses on building and reflecting relations among people who share interests and/or activities. Social network services essentially consist of a representation of each user (often a profile), his/her social links, and a variety of additional services. Most are web-based and provide several means for users to interact, such as email and instant messaging. The combination of an easily accessible, widely-used medium (the Internet) and a 'social' culture of like-minded individuals has created an effective forum for criminal and terrorist networks, propaganda broadcasting, as well as yet another means for sensitive information to escape protected/secure networks.
Here are a few examples of potentially dangerous outcomes of improper social networking use:

• A clerk with access to sensitive information unwittingly communicates a seemingly innocent 'status update': "…gotta work late tonight…this Egyptian embassy situation is breaking my back …"
• A terrorist group creates a Facebook page with video instructions of how to use and repair AK47s
• An insider purposely leaks secrets by using private messages or sending files using an instant messaging client

/ Challenges in Keeping up with Social Network Changes
There are a multitude of challenges for agencies that are chartered with analyzing social network communications in pursuit of law enforcement. As the technologies evolve, the underlying protocols are changing. There's a period of time when law enforcement personnel need to be able to capture messages sent the old way and the new way. Since the networks are growing organically, with no specifications being published, companies involved in social network surveillance need to reverse engineer the way that the systems work.
Another challenge that must be met relates to how the social media applications are growing together. In the past communications would be made through discrete vehicles: a bulletin board, an audio conference, email or a chat service. Now the applications are becoming intertwined, and following multiple communication sessions is difficult. Viewed independently, a particular communication stream could look innocuous, but looking at multiple related streams together could reveal dangerous information. Effective surveillance requires correlation between the channels that a single source is emanating. The bad guys are now clever enough to use multiple types of communication platforms in parallel.

/ Common Techniques for Monitoring Social Networking Services
There are a few popular techniques for monitoring social network services. Here's a look at three of them:

Open Source Intelligence (OSINT)
Open Source Monitoring (no relation to Open Source Software) is essentially finding, selecting and acquiring information from publicly-available sources. Applied to social networking services, this means monitoring/inspecting the information on social networking sites, which could include 'friending' or 'following' specific users or groups. This type of monitoring can yield everything from simply determining relationships ("Sally is friends with Rita") to real-time location information ("Sally checked in at Starbucks on 10th and Grand").
There are some key advantages to this method. Since the information is public, there are no jurisdiction/authority issues. Since this is often done manually, there is little technological investment required. Finally, this method can lead to an 'active' monitoring, including gaining the target's trust and getting



access to privileged information. But there are some obvious drawbacks. OSINT can be a very manual operation, and since the social networking sites need to be monitored 24X7, it can be costly to staff and generally doesn't scale well. The monitoring can be automated using specialized technology, but the investment is often not worth the information gained, since only public communications can be obtained.

Legal or Diplomatic Means
Another method is to use legal (e.g., subpoena) or diplomatic routes to access stored data (archives) and/or real-time access via back-doors or mirror accounts. These almost always require cooperation from the service provider, and often times (like in the US) the legal system has vehicles to support this. For example, a social networking service provider could be subpoenaed to provide access to stored messages, information on social connections ('friends'), IP logs, etc. Additionally, back doors and/or mirror accounts could be enabled that provided a real-time view into all of the target's activity. These scenarios are not uncommon in US criminal investigations.
There are, however, limitations and restrictions that make this approach impractical for certain uses. For example, there are obvious jurisdiction and foreign policy issues for out-of-country requests. Also, the existing subpoena mechanisms likely don't apply for requests outside of criminal investigation

communications stream (e.g., the message contents). Using intelligent probes offers several advantages over the other methods, including:

• The approach monitors multiple targets (potentially the entire network) using multiple services and delivers the monitored information in real-time
• Intelligent probes monitor and deliver information independently of other network elements, including the equipment used to host the IP service, which might not be controlled by or accessible to the monitoring organization
• Probes are completely passive and don't negatively impact the network transport paths or network elements
• The approach requires only the authority/jurisdiction of the network owner, not the social networking service owner

INTELLIGENT PROBES CAN BE INTEGRATED INTO COMPREHENSIVE INTERCEPT, DATA RETENTION, AND SECURITY SOLUTIONS, ESSENTIALLY APPEARING AS
and homeland security boundaries, such as monitoring activity
NETWORK ‘SENSORS’
on private, secure networks or trusted government networks.
Intelligent probes can be integrated into comprehensive
Passive Network Monitoring intercept, data retention, and security solutions, essentially
The last common approach is to use intelligent probes appearing as network ‘sensors’. In each case
to monitor the network. In this innovative approach, the the probes are typically provisioned and
intelligent probe is constantly monitoring the network for controlled by a centralized system such
social networking service activity (e.g., logins, messaging, as a mediation system or SIEM (security
etc.), extracting pertinent information, and automatically incident and event manager). The probes
generating the relevant records as they are detected. deliver the collected data to the same
This extracted information can be in the form of IPDRs centralized system or to another storage
(Internet Protocol Data Records, or activity logs) or the full and analytic system.

Figure 1

/ A Brief History of Social Networking Services
So, where and when did all this get started? Think back to the ‘70s, when computers were used by some businesses and a handful of hobbyists.

Hobbyists: The 70s and 80s
Most credit BBS (Bulletin Board Systems) as the first social networking service. These systems were independent servers allowing users to communicate and download software. They were often run by hobbyists and accessed using direct dial-up modems.

Early Adopters: The 90s
The Internet was just gaining popularity in the 90s and online service providers like CompuServe and Prodigy not only gave users access to the Internet, but also allowed members to share files, access news, and communicate using something dubbed “email.” AOL soon followed and essentially ‘provided the Internet’ before users had access to the real Internet.

Trendsetters: The Early 2000s
The Internet had boomed and people were wondering who they could connect with. Sites like Friendster and Classmates.com popped up and gained popularity as ‘themed’, demographically-driven social networking sites.

Mainstream: The Mid 2000s
By the mid 2000s, social networking services were mainstream, and included the introduction of LinkedIn, MySpace, Facebook, Twitter, and at least 200 more sites providing sophisticated communications mechanisms such as the ability to send public messages, private messages, instant messages, and broadcasts (status, micro blogging).

/ Examples of Passive Monitoring using Intelligent Probes
Let’s take a look at a few scenarios where one network monitoring solution, DeepProbe by IP Fabrics, Inc., is used to monitor social networking activity.

Monitoring Facebook Activity
Facebook is a very popular social networking service that connects people via several communications mechanisms, including public messages, private messages, photos, and videos. At the time of this writing, Facebook is ranked as the #2 most popular Internet site by Alexa and has over 500 million users.
From Figure 2, we see that Facebook enables users to send public messages (“wall writes”), send private messages, instant messages, and ‘check in’ at various locations. Like most social networking service sites, Facebook has concepts of a profile and access control (‘friending’), where information can be viewable by all, or just by those users who have the approval of the profile owner.
Clearly the OSINT and subpoena methods can be effective for monitoring some Facebook communications, but what about private messages restricted to ‘friends’ in situations where there isn’t sufficient jurisdiction to obtain historical records or a mirror account?
In this case, passive monitoring is the only solution. The primary reason for this is that the social networking servers and their owners are located outside the jurisdiction of the organization wanting the information, and the desired information isn’t available via OSINT. An example of this would be an organization outside of the USA wanting to monitor Facebook activity traversing their country’s networks. Another example is a private organization that can use either manual means or other technology to monitor their users’ Facebook pages, but is not a ‘friend’ and therefore cannot see private messages or pages.
Referring back to Figure 1, the network monitor would be placed at a point in the network with visibility of the network traffic between the targeted user(s) and the Facebook servers. This would typically be at the organizational Internet connection (for a private network) or at the Internet Service Provider (for a public network). The probe is constantly monitoring the network for Facebook activity, intercepting the communications or generating the IPDRs, and delivering the collected information to another system (e.g., mediation system, SIEM, intercept monitoring centre) for collection, storage, and analysis. Solving this problem presents some technical challenges, since in order to detect Facebook activity, the monitoring system must have knowledge of the application and protocols used by the Facebook servers.
DeepProbe provides this capability through its IM/Chat Surveillance Modules (SMs), which offer options to intercept and deliver only Facebook ‘events’, which align with social networking service-related IPDR records. The IPDRs are delivered to the mediation system using a well-defined, secure, and reliable delivery protocol. For example, TCP is the transport protocol, messages are optionally authenticated and encrypted, and all are formatted in ASN.1. Additionally, the IPDRs can be delivered to multiple mediation systems, and/or fail over to hot standby mediation systems.

Table 1

Table 2

Table 1 gives an example of the Facebook communications mechanisms that DeepProbe monitors, and the resultant data that is extracted. Note that in this example, the full message content is delivered (e.g., messages, wall write content, etc.) and not just the IPDR.

Monitoring Twitter Activity
Twitter is another very popular social networking service, currently ranked as the 10th most popular web site, with over 300 million subscribers. Twitter’s unique service allows users to broadcast real-time updates using Internet instant messages, mobile phone SMS messages, or web updates. Twitter’s messages are limited to 140 characters and due to this limitation, Twitter’s service is sometimes called ‘micro-blogging’. This character restriction has not diminished Twitter’s popularity, and instead seems to have encouraged frequent, small updates, nicknamed ‘tweets’. Twitter boasts 600 tweets per second.

Figure 2

Some have speculated that two of these aspects have made Twitter one of the most important services to monitor. The first is the real-time nature of the broadcast updates, which obviously could be used for coordinating potentially damaging activities. The second aspect is the cultural effect of the short tweets, which some users treat as comments under one’s breath or spurious thoughts, which, when tweeted, are broadcast to multiple ‘followers’ and could represent insider information leaks. From Figure 3 we see that Twitter offers access control (approving followers), broadcasting messages via SMS, IM/chat, and web page access, as well as the ability to send private messages.

Figure 3

Table 2 illustrates the Twitter communications monitored for fictitious user ‘ipfabricsme’. Similar to the Facebook example, Table 2 includes the full content of the monitored communications (e.g., tweets, message bodies, etc.) in addition to the event data.

Other Applications Such as Chat and Webmail
Although not social networking services, webmail-based communications offer similar monitoring challenges and require a similar approach. The primary reason for this is that the location of the Webmail servers and their owners is outside of the jurisdiction of the organization wanting the information. An example of this would be an organization outside of the USA wanting access to Yahoo mail or Hotmail activity traversing their country’s networks. Another example is an organization that can use their internal email system (e.g., Outlook) to log traditional email, but not webmail activity.
Solving this problem presents the same technical challenges as exist in monitoring social networking services, since in order to detect Webmail activity, the monitoring system must have application and protocol knowledge of the specific Webmail services. DeepProbe provides this capability through its Webmail Surveillance Modules (SMs), which offer options to intercept and deliver the full content of the communications or only Webmail ‘events’, which align with Webmail-related IPDR records.
Table 3 gives an example of some of the webmail events that are detected for the Microsoft Hotmail service, and the resultant data that is extracted from the event and delivered as the IPDR.
The IPDRs are delivered to the mediation system using a well-defined, secure, and reliable delivery protocol. For example, TCP is the transport protocol, messages are optionally authenticated and encrypted, and all are formatted in ASN.1. Additionally, the IPDRs can be delivered to multiple mediation systems, and/or fail over to hot-standby mediation systems. DeepProbe can be used to generate many other types of IPDRs, such as basic Internet access, SMTP/POP/IMAP-based email, and various chat/IM services.
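The event-only IPDR generation described for the Facebook, Twitter and webmail cases, as an added example that is not code from the article or from IP Fabrics’ DeepProbe: it runs constructed HTTP request summaries (the kind a passive probe on an organisation’s own egress link would see) through hypothetical application signatures, resolves each source IP to the DHCP lease that was valid at that moment, and emits activity records without message content. The service names, host patterns, lease table and traffic are all assumptions made for the example.

```python
"""
Passive IPDR-style event generation from HTTP request summaries.

Added example, not code from the article or from IP Fabrics' DeepProbe. The
service signatures, field names, DHCP lease table and traffic records are all
constructed for this example. It assumes the probe sees plaintext HTTP request
lines on the organisation's own egress link (typical in 2011; under TLS only
the server name and timing would be visible without further decryption).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import json
import re


def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the constructed data (UTC)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed DHCP lease log: (ip, client MAC, lease start, lease end).
# 10.0.0.5 is reassigned to a second client at noon, which is exactly the
# dynamic (re)assignment case the probe-selection guidelines call out.
DHCP_LEASES = [
    ("10.0.0.5", "aa:bb:cc:00:00:01", "2011-10-01 08:00:00", "2011-10-01 12:00:00"),
    ("10.0.0.5", "aa:bb:cc:00:00:02", "2011-10-01 12:00:00", "2011-10-01 18:00:00"),
    ("10.0.0.9", "aa:bb:cc:00:00:03", "2011-10-01 07:00:00", "2011-10-01 19:00:00"),
]

# Constructed HTTP request summaries as a passive probe might record them:
# (timestamp, source IP, method, Host header, request path).
SAMPLE_REQUESTS = [
    ("2011-10-01 09:15:02", "10.0.0.5", "POST", "www.social.example", "/login.php"),
    ("2011-10-01 09:16:40", "10.0.0.5", "POST", "www.social.example", "/ajax/messaging/send.php"),
    ("2011-10-01 09:20:11", "10.0.0.9", "GET", "www.social.example", "/home.php"),
    ("2011-10-01 13:05:00", "10.0.0.5", "POST", "mail.webmail.example", "/mail/SendMessage"),
    ("2011-10-01 13:05:30", "10.0.0.5", "GET", "cdn.unrelated.example", "/logo.png"),
]

# Hypothetical application signatures: (service, host regex, [(method, path regex, event)]).
# A real probe would carry a maintained library of these per service and version.
SIGNATURES = [
    ("social", r"(^|\.)social\.example$", [
        ("POST", r"^/login\.php$", "login"),
        ("POST", r"^/ajax/messaging/send\.php$", "private_message"),
        ("POST", r"^/ajax/updatestatus\.php$", "status_update"),
    ]),
    ("webmail", r"(^|\.)webmail\.example$", [
        ("POST", r"^/mail/Login$", "login"),
        ("POST", r"^/mail/SendMessage$", "send_mail"),
    ]),
]


@dataclass
class IPDR:
    """One activity record: who, when, which service and which action. No content."""
    ts: str
    src_ip: str
    subscriber: Optional[str]  # client MAC from the lease valid at ts, if any
    service: str
    event: str
    host: str


def classify(method: str, host: str, path: str) -> Optional[tuple]:
    """Map a request to (service, event), or None if it matches no signature."""
    for service, host_re, events in SIGNATURES:
        if not re.search(host_re, host, re.IGNORECASE):
            continue
        for sig_method, path_re, event in events:
            if sig_method == method and re.match(path_re, path):
                return service, event
    return None


def resolve_subscriber(ip: str, at: datetime, leases=DHCP_LEASES) -> Optional[str]:
    """Return the client MAC holding `ip` at time `at` (lease end is exclusive)."""
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and parse_ts(start) <= at < parse_ts(end):
            return mac
    return None


def generate_ipdrs(requests, leases=DHCP_LEASES) -> list:
    """Run every request through the signatures and emit IPDRs for the hits."""
    records = []
    for ts, src_ip, method, host, path in requests:
        hit = classify(method, host, path)
        if hit is None:
            continue  # unrelated traffic, or a known service without a signature hit
        service, event = hit
        records.append(IPDR(ts, src_ip, resolve_subscriber(src_ip, parse_ts(ts), leases),
                            service, event, host))
    return records


if __name__ == "__main__":
    # Deliver as JSON lines; a real probe would encode ASN.1 over an authenticated channel.
    for rec in generate_ipdrs(SAMPLE_REQUESTS):
        print(json.dumps(rec.__dict__))
```

The 13:05 record resolves to the second lease holder of 10.0.0.5, which is why a probe that keys only on the IP seen at session start would attribute it to the wrong client.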

Table 3

/ Selecting a Probe for Social Network Monitoring
The attached box “Selecting a Probe: Guidelines for Law Enforcement Personnel” provides some basic information on selecting probes for lawful social network monitoring applications. But since the landscape of social networking is always changing, selecting the equipment vendor is as important as selecting the equipment in order for an agency to stay on top of developments in the field.
For their part, probe suppliers need to continually update their products to follow the fast-evolving technologies and provide support to their customers with an ongoing monitoring service. IP Fabrics, for example, runs through a set of service monitoring procedures every week, initiating communications and looking at the resulting outputs to identify changes that have been made. With this level of vigilance, law enforcement personnel have a tool to reduce the opportunities for lawbreakers to abuse the great benefits that social networking has to offer. /

/ Selecting a Probe: Guidelines for Law Enforcement Personnel
As social network monitoring will become a critical tool for law enforcement worldwide, here are some guidelines for law enforcement personnel to use in evaluating different suppliers of passive monitoring equipment.
The probe must be able to fully inspect every network packet and decode application-level protocols, so the controlling mediation systems don’t need to rely on billing systems, subscriber databases, CRM systems, or other networking equipment for filtering, intercept and IPDR generation.
The system should be capable of identifying and/or discovering targets based on a sophisticated and flexible set of criteria, such as:

• DHCP or RADIUS dynamically assigned IPv4 or IPv6 addresses
• Email address or partial email address
• VoIP user name or phone number
• Webmail address or domain
• Social networking or IM/Chat username
• Keyword/signature in a specific application (e.g., webmail, email, etc.)
• Application-level criteria can optionally include an IP/subnet/DHCP/RADIUS pre-filter, giving flexibility to further segment/qualify the monitored network

The probe should also be able to be configured to deliver varying amounts of intercepted information, including the complete application flow with related content such as attachments, a summary of the content, IRI (Pen-Register equivalent) or just the application session events.
For IP traffic intercepts, the probe should be able to qualify the intercepted traffic by layer 4 ports or application identifiers and should monitor all subsequent dynamic IP address (re)assignment. For email interception, the probe should be able to deliver the entire email, even if the email address identifier was discovered after the first packet(s) in the email flow. Or, in IPDR applications, the probe should generate and deliver complete IPDRs.

REFERENCES
USA Today story, “Facebook says membership has grown to 750 million,” 6 July, 2011
alexa.com list of Top Internet Sites
BBC News story, “Twitter co-founder Jack Dorsey rejoins company,” 28 March, 2011

/ Author Bio
Curtis Schwaderer is the Chief Software Architect and cofounder of IP Fabrics, responsible for the DeepSweep™ and DeepProbe™ network surveillance and data retention product lines. Curt has over 25 years of experience in the design, implementation, and deployment of networking hardware, software, and multimedia systems technologies. Curt has spent the last 12 years focusing on multicore processor software technologies and the last 6 on Deep Packet Inspection (DPI) and Deep Application Inspection (DAPI) technologies relating to internet communications applications. Curt holds two patents in the area of multimedia networks and multicore software processing and holds bachelor and master degrees in Computer Engineering from Iowa State University.

ROBSERVATIONS
Our Profession: The Launch of CDFS
by Rob Lee

This past month saw the launch of the Consortium of Digital Forensic Specialists (CDFS – www.cdfs.org), an organisation formed to help professionalise the field of Digital Forensics and Incident Response. The CDFS mission statement: “Serving the profession, our membership, and the community by providing leadership and advocacy as the global representative of the digital forensics profession”.
CDFS is trying to help shape the future of digital forensics by helping unite industry groups and organizations so that all parties have a say in the direction of the profession. The stated aims of CDFS are to help influence agreed-upon ethical and technical standards in the community and consequently help to shape the future of the digital forensics profession.
Unfortunately, some form of digital forensic licensing will be barrelling down on our profession. There are proposed bills in U.S. congress as well as legislative actions that are taking place in many states and countries around the world that will begin to regulate the digital forensic profession to ensure a common standard that all must attain in order to perform their jobs. In many countries, you need a license to cut hair, be a plumber or to babysit. As a result, an alarming trend has developed in several states regarding legislation of licensing for digital forensic specialists as private investigators without regard to digital forensics qualifications. Many in our profession would rather have practitioners develop the standards than another group such as private investigators.
CDFS started through a discussion amongst HTCIA, SANS, HTCC, ISCFE, and many other groups leaning on one another to help ensure that the profession would not be held hostage to someone else’s standards. It is human nature to become complacent with the status quo when it does not affect one personally and immediately; however, regulation is coming and it will affect you, if it has not already. So do you want to have a voice in the outcome of such pending initiatives?
I started working with CDFS as a board member as I believed that many industry groups had a lot in common already. While many competed with each other, I also saw unified approaches to the profession. I also saw a potential misunderstanding among lawmakers over what digital forensics is and how best to regulate and manage professionals making a living performing these services for the information security, legal, and law enforcement communities. As a result, I pushed to get myself more involved with the fledgling organization as a whole as my views were aligned with the other members of the board regardless of the organization that we represented. If many different organizations have different, competing standards, there are, in fact, no standards at all. The goal is to bridge the gap between organizations to develop a cohesive standard appropriate to diverse sectors of the profession. Further, our mission is to speak on behalf of digital forensic practitioners to achieve self-regulation by professionals who understand the industry and its needs.
We would like to encourage you and your organization to consider joining CDFS to help form the correct ethical, professional, and technical standards. Without a group such as CDFS, we will have many independent groups trying to describe the elephant by describing the only way that they see the elephant. By working together through a single umbrella organization and maintaining the smaller groups we will be able to form a consistent approach to Digital Forensics and Incident Response across all communities. It will also allow us to help guide the profession properly. We would like to get in front of the challenge. Licensing discussions have created a great debate in our profession on what is appropriate and who writes the standards. I would prefer the standards to originate from true practitioners. Have a voice… participate; join CDFS today at www.cdfs.org and help shape the future of our profession. /

LEGAL EDITORIAL
The difficulty in prosecuting malware authors
by Scott C Zimmerman

September 18th, 2011 is the ten-year anniversary of the release of the Nimda worm. This worm suddenly appeared on the technology scene in the aftermath of the Code Red epidemic of August 2001. The precise point of origin of Nimda has not been identified and the identity of the original author remains a mystery. Why is it that malware authors seem never to be caught and prosecuted?
Consider the difficulties involved in catching a traditional intruder; we’ll use the example of an individual attacking and compromising a single remote system owned by another entity.

• There must be sufficient evidence captured on the compromised system or on network devices near the compromised system.
• There must be clear indicators of which source machine(s) interacted with the compromised system.
• Once the source machine has been identified, the geographic location must be determined. A source machine in a country that does not cooperate diplomatically with the country hosting the compromised system, one having no extradition treaty for example, is unlikely to provide any assistance to the investigators.
• If the source machine can be identified, then ownership must be clearly established. If the IP address of the machine belongs to an ISP that allocates addresses dynamically, the ISP’s cooperation will be necessary. Without it, ownership cannot be established.
• If ownership can be established, the next step is to determine who was operating the computer at the time of the attack. If the source machine is not logging or tracking such activity, the identity of the operator cannot be confirmed.

If any of these steps breaks down, the investigation into the attack-and-compromise is very likely doomed to failure.
One of the major differences between prosecuting a traditional intruder and prosecuting a malware author is the fact that there need be no direct connection between the author and the affected remote system. The traditional attacker who operates over the Internet creates a temporary path between his machine and the destination machine: even if he is using another host as a jumping-off point, the commands and instructions he uses must trace a path from the source to the destination. The malware author has no such requirement: he can develop malware, attach it to a bogus email message, and relay the message through a poorly configured SMTP server in an unfriendly country. In one fell swoop he has placed essentially insurmountable hurdles in the way of any investigator. Since there is no clear path from the malware author to the destination system, how can investigators even begin to determine what happened? They can look at the malware itself.
Each piece of compiled malware, as distinct from something like JavaScript or HTML, is based on source code. Source code is what the program author actually types to create a piece of software; the source code is then passed through a compiler that creates the binary. The binary may also be called the executable, since it can be run on a particular type of system. The binary is not a human-readable chunk of data, but it can be reverse-engineered into source code that humans can read. Clues in the binary can be used as bases for additional searches: if there are unique markers in code that can be linked to a particular individual, the investigators may have a place to start. However, a sufficiently sceptical examiner will be inclined not to treat such markers as infallible truth.
As an example, a number of computer systems at Mitsubishi Heavy Industries of Japan were recently infected with some unusual malware variants. Close examination of the incidents revealed the presence of simplified Chinese characters [text] in the attack payload. The presence of the Chinese language brings up two questions:

• Did the malware actually originate in mainland China?
• Did the author simply wish to give the impression that the malware originated in mainland China?

The answer is this: no one knows. It is impossible to identify authoritatively the country of origin without a significant quantity of additional, and reliable, evidence. Please do wish any malware investigators all the luck in the world, for they shall need it.

I hope you enjoy the Legal Section and I would love to hear your thoughts and comments via 360. /
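The kind of marker search the editorial describes, as an added example that is not the editorial’s own code nor anything from the investigation it mentions: a scan of a binary for runs of CJK Unified Ideographs stored as UTF-8 or as UTF-16LE (the encoding Windows resource string tables use), reporting the byte offset, encoding and text of each hit. The sample buffer is constructed here so the script runs offline; hits are leads for the additional searches the editorial mentions, not evidence of origin.

```python
"""
Scan a binary for embedded CJK text in UTF-8 and UTF-16LE.

Added example, not from the editorial or from any investigation it mentions.
The sample buffer is constructed here so the script runs offline; on a real
sample you would read the file bytes instead. Legacy encodings such as GBK are
not handled. Hits are leads for further searching, not attribution.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: PE-like header bytes, two ASCII import names, one UTF-8
# Chinese string and one UTF-16LE Chinese string, separated by NUL padding.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00"
    + "打开文件".encode("utf-8") + b"\x00"
    + b"\xff\xfe\x00\x01"
    + "连接服务器".encode("utf-16-le") + b"\x00\x00"
    + b"GetProcAddress\x00"
)

# U+4E00..U+9FFF (CJK Unified Ideographs) in UTF-8 is E4 B8 80 .. E9 BF BF, so the
# first byte is E4 (with second byte >= B8) or E5..E9; this class is exact.
UTF8_CJK_RUN = re.compile(
    rb"(?:\xe4[\xb8-\xbf][\x80-\xbf]|[\xe5-\xe9][\x80-\xbf][\x80-\xbf]){2,}"
)
# In UTF-16LE the same range has a high byte of 4E..9F after any low byte.
# ASCII letter pairs also fall in that range, so the run is required to be
# longer and runs made only of printable ASCII bytes are discarded.
UTF16LE_CJK_RUN = re.compile(rb"(?:[\x00-\xff][\x4e-\x9f]){4,}")


@dataclass
class Marker:
    offset: int
    encoding: str
    text: str


def find_cjk_markers(data: bytes) -> List[Marker]:
    """Return every CJK run found, with its byte offset and the encoding it used."""
    found = []
    for m in UTF8_CJK_RUN.finditer(data):
        found.append(Marker(m.start(), "utf-8", m.group().decode("utf-8")))
    for m in UTF16LE_CJK_RUN.finditer(data):
        raw = m.group()
        if all(0x20 <= b < 0x7F for b in raw):
            continue  # almost certainly ASCII text read two bytes at a time
        found.append(Marker(m.start(), "utf-16-le", raw.decode("utf-16-le")))
    return sorted(found, key=lambda mk: mk.offset)


def main() -> None:
    for mk in find_cjk_markers(SAMPLE_BINARY):
        print(f"0x{mk.offset:06x}  {mk.encoding:9s}  {mk.text}")


if __name__ == "__main__":
    main()
```

On the sample, "GetProcAddress" produces a UTF-16LE candidate run that the printable-ASCII filter discards, which is the false positive a strings-style scan of any Windows binary will produce constantly.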

MOBILE PHONES, GEO-LOCATION, AND PRIVACY IN THE EU
A look at mobile phone positioning systems and their legal standing in the EU
by Scott Zimmerman

/ INTERMEDIATE

Many current smartphone models – including but not limited to those from Apple and Microsoft – are capable of acquiring and storing location information. Global Positioning System (GPS) satellites may provide this information or it may be derived from the mobile phone tower from which the handset receives its signal. Whatever the method involved, the end result is that the location of the handset may be tracked. In some cases this capability may be desirable, as when a parent wishes to monitor a child who has borrowed the car. However, in this case the features are enabled with the user’s knowledge and consent. (“User” here refers to the parent who owns the mobile service plan.)
Mobile phone manufacturers recognize the user’s desire to control the generation and use of such information, and most (if not all) current phone models provide an option for the user to disable any geo-location utilities. This will of course prevent some applications, such as street-by-street navigational guidance, from working, but this is the tradeoff for preserving some of the user’s privacy.
Problems arise when a device’s behavior does not match what the user expects. Normally this phenomenon is demonstrated by a device that simply does not function when the user expects it to do so; a crash or freeze for example. However, there is another set of circumstances that is arguably more problematic: when the device ignores user-selected options and functions in an undesirable manner, either through a malfunction or through a configuration set by the manufacturer. We will examine the latter.
In the Legal News section of Issue 8, we saw that Google was sanctioned by a French body for gathering unauthorized information through the use of its Street View vehicles. They experienced similar roadblocks in Germany over the same sort of privacy violations against EU citizens. Now a lawsuit has been filed against Microsoft, alleging that Windows Phone 7 devices continue to transmit geo-location data back to the manufacturer when the camera is activated, even if the user has disabled all such functionality. Microsoft has denied the claims; it’s still early days, but at the time of writing it appears that the litigation will proceed.
The aforementioned action was brought against Microsoft by a citizen of the United States within the United States. The US does not have the same legislative approach to user privacy that is found in the EU. The US does have the Fourth Amendment to the Constitution, but that is applicable generally to information control between individuals and the US government (including law enforcement).
In the EU, the sort of privacy under examination in the Microsoft case is governed by a document titled Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), hereafter simply called the “Directive”.

As with earlier treatments of legal statutes, we will not examine every clause in detail. Instead we shall look at those potentially most germane to the Microsoft case. Within the Directive itself, each clause is numbered; the reader will note (and may be grateful) that we will bypass the majority of the items.

/ DISSECTING THE EU PRIVACY DIRECTIVE
(14) Location data may refer to the latitude, longitude and altitude of the user’s terminal equipment, to the direction of travel, to the level of accuracy of the location information, to the identification of the network cell in which the terminal equipment is located at a certain point in time and to the time the location information was recorded.
Note that the Directive does not specify any particular technology, such as GPS. The definition was likely left open to allow for future changes in technology.
(15) … Traffic data may, inter alia, consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format in which the communication is conveyed by the network.
This item is fairly straightforward: traffic data may include several data types such as those shown above. One term in this clause is not entirely straightforward, and that is inter alia. Inter alia is defined in the eighth edition of Black’s Law Dictionary as simply “Among other things”. The reader can also think of it as “including but not [necessarily] limited to” as used elsewhere in this very article. This wording, as above, is likely designed to allow for technological progress.
(32) … Where the provision of a value added service requires that traffic or location data are forwarded from an electronic communications service provider to a provider of value added services, the subscribers or users to whom the data are related should also be fully informed of this forwarding before giving their consent for the processing of the data.
Now we’re starting to move toward the type of data transaction that could include a firm like Microsoft. Essentially this item covers data that moves from the mobile phone service provider (e.g. Vodafone) to a third-party organization such as a restaurant guide: the provider of value added services in this case might be providing discounts or similar at restaurants in the immediate vicinity of the mobile phone user. (This is a common business model for such providers.) However, it is at this point that the user’s consent is required: under the Directive, the mobile phone service provider may not provide geo-location information to the value added service provider without the user’s consent. Note that the Directive does not indicate which form the consent must take; it is common for end users to accept such terms and conditions when they download, install, and/or run an application on their mobile phones. This consent is then passed to the phone’s OS and translated into the configuration, e.g. the Widget application may access data of types A, B, and C but not of D, E, or F.
In the lawsuit currently aimed at Microsoft, the plaintiff alleges that the MS mobile phone operating system (OS) provides location information to Microsoft regardless of the user’s choices. If these allegations are true, it appears the company has run afoul of the EU Directive.
(35) In digital mobile networks, location data giving the geographic position of the terminal equipment of the mobile user are processed to enable the transmission of communications. Such data are traffic data covered by Article 6 of this Directive. However, in addition, digital mobile networks may have the capacity to process location data which are more precise than is necessary for the transmission of communications and which are used for the provision of value added services such as services providing individualised traffic information and guidance to drivers. The processing of such data for value added services should only be allowed where subscribers have given their consent. Even in cases where subscribers have given their consent, they should have a simple means to temporarily deny the processing of location data, free of charge.

33

DF9_32-34_Mobile Phones.indd 33 20/10/2011 17:34


/ LEGAL FEATURE

The first part of (35) describes the need for the mobile phone provider to know which communications tower the user’s phone is accessing; this is necessary for the provider to route voice and data traffic appropriately and does not pinpoint the user’s location to any significant degree. The user’s general location could be determined, possibly to a circular area a half-kilometer in diameter in the case of a tower in a city, and a somewhat larger area in the country since towers there are farther apart.

The second part of (35), after “However”, alludes to more precise geo-location mechanisms such as GPS, though it does not do so by name. The mobile phone service provider does not need to know that the user is on the corner of X Street and Y Avenue in order to deliver voice and data traffic. The key differentiator here is the Directive’s use of the word “processing”. “Processing” in the data context is generally understood to mean accessing, storing, or performing operations on data. The value added service provider described above, offering discounts at restaurants, would be processing the user data.

Let us look at (35) in the context of the Microsoft case and consider a user who has not given (or has revoked) permission to share geo-location data from his phone. According to the EU Directive, the only such data that should be generated or processed is that of the phone’s connection to a particular tower, i.e. the minimum required for successful mobile phone operation. The user’s precise latitude and longitude should not be calculated, let alone transmitted to another party, without the user’s consent.

(36) Member States may restrict the users’ and subscribers’ rights to privacy with regard to calling line identification where this is necessary to trace nuisance calls and with regard to calling line identification and location data where this is necessary to allow emergency services to carry out their tasks as effectively as possible. For these purposes, Member States may adopt specific provisions to entitle providers of electronic communications services to provide access to calling line identification and location data without the prior consent of the users or subscribers concerned.

It is important to note that in this clause of the Directive, the geo-location information is reserved for the use of the Member States and then only for emergency services, e.g. to respond to a traffic collision. Readers should also note that user permission to make use of the information under these very limited circumstances is not required if the Member State should request geo-location information from the mobile phone service provider. The manufacturer of the handset has no privileges in this area.

Clause 36 goes on to provide some definitions to ensure all readers of the Directive are using common language (so to speak); I have extracted one of specific interest.

The following definitions shall also apply:
(c) “location data” means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;

/ CONCLUSION

The European Union is very clear about how the data relating to mobile phone users may be handled. Aside from knowing which tower a user’s phone is accessing, any and all user location information is under the strict control of the user. Without consent, mobile phone providers may not track users by latitude and longitude. If the user gives consent to have detailed location information generated, the holder of that data may not share it with any other entity (outside of law enforcement) without the user’s consent. Any third parties to whom the user has given consent to process the location data may do so only in the fashion to which the user has consented. Finally, at all times any organization to which the user has given such consent must provide a timely and no-cost method for the user to revoke said consent.

There will be a number of industries, inter alia IT, mobile communications, legal, etc., who are all waiting with great interest to see how the current action against Microsoft might proceed. /
/ LEGAL NEWS ALERT

LEGAL NEWS ALERT

Summer of 2011 has seen some very interesting legal actions. In this issue we will examine some groundbreaking items.

Lawsuit Filed Against Microsoft Alleges Windows Phone 7 Tracks Users Without Consent

On 01 September 2011, an individual filed a lawsuit against Microsoft in the Seattle, Washington Federal court. The suit alleges that Microsoft’s Windows Phone 7 gathers and transmits the user’s geo-location information, even when the user has explicitly configured the mobile device not to do so. The filing was brought as a class action suit on behalf of all users of Windows Phone 7.

In spring 2011, the US Congress had sent letters of inquiry to mobile phone vendors to gain some additional insight into how much and what type(s) of information their respective devices might gather. In May 2011, Microsoft sent a response to Congress and indicated that “Collection is always with the express consent of the user and the goal of our collection is never to track where a specific device has been or is going”. The suit alleges that when the still-frame camera application under Windows Phone 7 is activated, the device captures the current geographical coordinates – latitude and longitude – of the user, along with information regarding any wireless access points in the immediate area. The suit further alleges that the mobile device then transmits all of this information back to Microsoft. The suit seeks punitive damages as well as an injunction to stop Microsoft’s alleged information gathering activity.

/ Samsung and Apple, Inc. in Patent Tussle

In September, Apple, Inc. filed a complaint in a German court against Samsung, claiming that the South Korean manufacturer had infringed on the design of the iPad. The judge in the Duesseldorf court agreed and ordered the sale of the Samsung Galaxy tablet computer stopped across the whole of the European Union. On further reflection, the judge realized that such an injunction rather overstepped the bounds of the court’s jurisdiction and amended the restriction to include only Germany. Samsung plans to appeal the restriction, stating that Apple’s claims are without merit and the restriction inappropriately limits consumer choice in Germany.

Apple is claiming that Samsung “slavishly” copied the exterior appearance of the iPad when designing the Galaxy. However, while the Galaxy and the iPad both have rounded corners and a central control area for the user, they have different physical aspect ratios. Samsung maintain that design cues as simple and obvious as rounded corners cannot be considered unique to a single organization or product.

Spamhaus Wins Protracted Legal Battle with Spammer

In the mid-2000s, Spamhaus, a UK entity, was offering a service designed to counter spam. They tracked domains and IP addresses that had been shown to distribute unsolicited commercial email (UCE) and provided the data in the form of a blacklist to customers who could then choose to drop inbound email traffic from the listed offenders. This resulted in greatly reduced amounts of unwanted email for the subscribers to the service. Naturally the organizations that were sending the UCE were not happy with these events and some of them pursued litigation against Spamhaus, claiming the blacklists interfered with their business model.

One such organization was e360 Insight, which was based in Chicago, Illinois. In 2006, they filed a suit in US court against Spamhaus for allegedly hobbling their business practices. Despite the fact that Spamhaus is located in the United Kingdom, and thus not subject to United States law, the suit was allowed to proceed. The judge ruled in favour of e360 Insight and decreed that Spamhaus should pay the plaintiff US$11.7 million. On appeal, the damages were reduced to approximately US$27,000. A second pass through the US Court of Appeals reversed the earlier decisions and e360 Insight was ordered to pay Spamhaus the princely sum of US$3 along with paying for Spamhaus’ court costs. By this time, e360 Insight had gone out of business; the company’s owner claims the closure was due solely to the vast expenses required to pursue Spamhaus.

While no real money changed hands as a result of the extended litigation, the finding in favour of Spamhaus sets a potentially useful precedent in the worldwide battle against spam.


/ COMPETITION

COMPETITION
/ This issue we have 3 books to give away courtesy of Syngress: Digital Forensics with Open Source Tools, Windows Registry Forensics & Penetration Tester’s Open Source Toolkit

/ Question
As we’re focussing on Geo-location in this issue, we thought we’d ask a geography question – What famous building is located at:

38 53’ 51.75” N, 77 02’ 11.32” W

/ To Enter
To enter the competition all you need to do is send an email to: [email protected], writing ISSUE9COMP in the subject line, and include your name, address and phone number with your entry.

TERMS AND CONDITIONS
This competition is open to anyone aged 18 or over, except for employees of TR Media Ltd and their immediate families. Only one entry is permitted per person. Entries can be submitted by email only to competition@digitalforensicsmagazine.com. TR Media shall not be responsible for technical errors in telecommunication networks, Internet access or otherwise, preventing entry to this competition. Closing date for all entries is on 31 November 2011 at 9.30am GMT. Any entries received after that time will not be included. The correct winning entries, chosen at random by the DFM team, will be notified by email on 01/06/2011. The winners may also be announced in Issue 8 of the magazine and on the Digital Forensics Magazine website. Submitting your entry constitutes your consent for us to use your name for editorial or publicity purposes, should you be one of the winners. TR Media Ltd reserves the right to change or withdraw the competition and/or prize at any time. By entering the competition, entrants are deemed to have accepted these terms and conditions.

Digital Forensics with Open Source Tools
By Cory Altheide, Harlan Carvey
Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of these tools on Linux and Windows systems as a platform for performing computer forensics.

Windows Registry Forensics
By Harlan Carvey
Harlan Carvey brings readers an advanced book on Windows Registry. Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length.

Penetration Tester’s Open Source Toolkit, Third Edition
By Jeremy Faircloth
Great commercial penetration testing tools can be very expensive and sometimes hard to use or of questionable accuracy. This book helps solve both of these problems. The open source, no-cost penetration testing tools presented do a great job and can be modified by the user for each situation.


/ MEET THE PROFESSIONALS

MEET THE DF PROFESSIONALS
Dr Andrew Jones
Interviewer: Roy Isbell

/ Interviewee Bio
Dr. Andy Jones joined Khalifa University of Science, Technology and Research (KUSTAR) in August 2009 to set up and manage the MSc in Information Security and Computer Crime. Prior to this he had been at British Telecommunications (BT) as the head of security technology research. He also holds a post as a visiting Professor at Edith Cowan University and the University of South Australia.

Previously he was a principal lecturer at the University of Glamorgan in Wales where he created a digital forensics research laboratory and lectured on Information Security and Computer Crime. His background prior to this was 25 years in Military Intelligence during which time he was awarded the MBE.

Andy has a PhD in Information Security from the University of Glamorgan and is a member of MENSA, the British Computer Society, the High Tech Crime Consortium and the Institute of Information Security Professionals. He has published numerous articles on information security and computer forensics and five books on information warfare, information risk management, computer crime and digital forensics.

Andy is 59 years old, is married with two grown children and is currently residing in Abu Dhabi in the United Arab Emirates. His interests include sub aqua, reading and, strangely enough, computer forensics.

What got you involved in digital forensics?
I first got into the world of digital forensics while still serving in the Army. I was running the information security inspection team and felt that I needed to know what actions I should take if, during a security investigation, I needed to preserve evidence for a potential criminal action. After much asking around, I was eventually pointed to the then Metropolitan Computer Crime Unit, run by John Austen, the only such unit in the country at the time.

What are your thoughts on the current state of education and training, accreditation of courses etc. as they relate to digital forensics?
This is a subject close to my heart, as you might imagine. On the education side, there has been significant progress and there are now a number of universities and colleges that offer academic courses at all levels to meet the ever-growing need. While this is to be applauded, I do still have reservations that some of the courses that are being offered as digital forensics or computer crime are actually re-branded security courses.

On the training side, courses are delivered to meet specific needs, normally based around the tools that the vendor provides. It is almost a moot point with many of the tools that the providers will potentially gain significantly more revenue from the training courses than they will from the sale of the tool. This begs the question as to whether it is actually in their interest to provide good robust forensic tools that have an intuitive and well-documented GUI and a respectable user manual. In many cases, the only way to obtain a decent manual for the product is to attend the range of courses offered.

As to accreditation, I am all in favour and have spent some time over the last few years working with Edith Cowan University and the Australian Federal and Local police trying to map out the requirements for qualifications and training for the digital forensic environment. As to who should own the accreditation, in the UK this should be the Forensic Science Regulator. It cannot be the vendors, academia or the practitioners, all of whom have a vested self interest, and must be independent and at a high level.

How do you see the future of your research as it relates to digital forensics?
My main research interests are in residual data and the recovery of information from ‘dead’ disks; however, some of the research that I am undertaking is to gain knowledge, not of the technologies involved, but of the reasons for the failure of the user to understand the risks. Through the research we are trying to understand why the systems that should be in place to prevent the exposure are not working and find processes, procedures and tools that will improve the situation. The dead disk study is in the very early stages but has huge potential for the recovery of data from media that has been damaged or failed. I am also looking to extend this to investigating solid-state memory.

What are your views on the industry standard tools used to investigate digital forensics and the fact that so few are actually validated other than by mass use?
The tools that are available vary considerably in quality and scope. On the one hand you have the universal toolkit type tool that carries out all of the major functions that


are required during a standard investigation. The problem with these tools is that in many cases, they have become ‘too’ commercial and have now reached the point in the software development cycle where they have to rely on getting the next version of the tool to market (as with most applications) and as a result there have been several instances recently where the tools have failed for one reason or another. On the other hand, there are the single function tools that are very good at addressing a particular issue. These tend to be very well crafted and are produced by individuals or groups that have identified a specific need. I much prefer the scientific approach of being able to replicate the results with different tools as the best test of whether a tool is operating as expected.

What do you think about the relationships between digital forensic investigations, eDiscovery, operational analytics and malware analysis?
The fields of digital forensic investigations and eDiscovery have a relatively common root, although the output may vary. Both are about discovering the facts about what has taken place and both are required to be carried out in a manner that does not damage the source data and which can be repeated. Malware analysis also has a strong affiliation to the basic search for facts, although the tools that are used may differ. Operational analytics varies slightly in a number of ways. The first of these is that this is to try and understand from a business perspective what is happening from the streams of data that are available, so this is not necessarily about discovering something but of understanding the optimum state. The second is that, while seeking to understand the relevance of the available data, it is not trying to understand a specific event, but to understand the implications of many events. The third is that for operational analytics to be of value, it must operate in near real time, while the others have the ‘luxury’ of being able to take a more leisurely approach.

With the Internet crossing national borders how do you see digital forensics evolving to deal with the wider investigations required in this environment?
The Internet has always existed in an international environment since it became a publicly available service. What has been slow to catch up is the law enforcement and legal powers to address the new environment. This is not a new problem, as can be seen if you look back in history to the law of the sea. The reality is that creating and updating laws take a long time and we are operating in a highly volatile environment, so the two will almost certainly never be synchronized. What is happening and improving is the harmonization of laws and cross border agreements that make the capture and transportation of evidence easier. /
/ FEATURE

MANAGEMENT OF KNOWLEDGE BASED GRIDS
Using a combination of public and private keys and X.509 certificates to manage security in knowledge-based grids
by Sian Haynes & Stilianos Vidalis

/ INTERMEDIATE

Fujitsu is set to bring high-performance computing (HPC) to Wales. They are to provide a distributed grid under a project that is expected to take over five years and cost up to £40 million. The grid will include over 1400 nodes spread across more than eight sites, linked using Fujitsu’s middleware technology SynfiniWay that will deliver an aggregated performance of more than 190 petaflops.

Grid computing is a technology that enables people and machines to effectively capture, publish, share and manage resources. There are several types of grids but the main types are: data grids, computational grids and knowledge grids.

Data and computational grids are quite similar in that they are used to manage and analyse data. With technology increasing and developing at such a dramatic rate, average computers cannot cope with the amount of data or the calculations they are being asked to perform. For example, if a scientist is doing research about cancer cells and their development, using conventional methods on one machine, it could take years to complete the calculations. However, if a grid were used to perform the calculation, its combined computational power would significantly reduce the time frame. Analysing a complicated set of data could take a standard computer a few days or even weeks, whereas if a grid were used to perform the same analysis it would take considerably less time, because it would harness the computational power available on the grid, parallelise the load and allow the calculations to be performed with a small turnaround time.

Knowledge grids are self-explanatory; their purpose is to share knowledge. In this day and age we have come to a point where we are using computers to create vast amounts of data. The information overload is so big that human beings are not able to absorb and analyse the data in a timely manner and extract the much sought after knowledge that will further science and better our lives. We are now at a point where we have to teach computers how to extract knowledge from raw data.

Going back to the HPC Wales Project, the project is planned to use a minimum of nine sites including Swansea, Cardiff, Aberystwyth, Bangor, Glamorgan, Swansea Met, Newport, Glyndwr and a number of other sites. The grid will allow all of the sites to share and distribute resources freely and a number of pilot applications will be sponsored via HPC Wales to test the capabilities of the grid; for example in Newport we are considering a Grid for Crime Prevention (G4CP).


Figure 1. G4CP Centre of Gravity

/ Grid for Crime Prevention

The Grid for Crime Prevention, also known as G4CP, will stimulate, promote and develop horizontal methods and tools for strategically preventing and fighting cybercrime and guaranteeing security and public order in the Welsh cyberspace. Furthermore, G4CP will promote a coherent Welsh strategy in the fields of cyber security through the exploitation of the project’s artefacts; it will also play an active role in the establishment of global standards in the areas of cybercrime prevention, identification and prosecution.

The centre of gravity of G4CP is to design and implement an application that promotes collaborative working, using data fusion and data mining techniques, and allows knowledge discovery from raw security incident data. The application was originally called Inter-Organisational Intrusion Detection System (IOIDS).

Trying to defend European cyberspace against organised cybercrime can be seen as a complex problem, one of the difficulties being that companies are afraid to report security incidents because they feel their reputation will be damaged. This results in many private organisations and law enforcement agencies being forced to tackle cybercrimes with next to no help from other organisations in the same supply chain. The G4CP project felt that there was a need for the defenders of the European Information Infrastructure to come together to form a number of virtual communities in order to take action collectively against the perpetrators of cybercrime and promote a culture of security amongst and across the members of these communities.

The communities should allow for secure information sharing and facilitate organisations to be proactive in defending their networks against on-going cyber attacks. G4CP will make grid technology attractive to those establishments fighting cybercrime. It will also help the uptake of grid type architectures and extend their concept from computation grids to knowledge grids.

/ Data Grid vs. Knowledge Grids

Both grids involve the networking services and connections of a potentially unlimited number of computing devices. The difference is the service they provide; data grids usually provide a service in the way a “power utility grid” provides electricity to homes and business etc., whereas a Knowledge Grid harnesses the power of the grid and uses it for scientific research; e.g. if a scientist needed to analyse a data set it could take up to a third less time using the grid than if an average computer was used.


/ FEATURE

/ Is Public & Private Key authentication secure?
It is true that Public & Private Key Authentication has been used for many years but it is a proven secure authentication method. As long as the Private Key is kept secret by the main user they will be the only one who can decrypt the message. The Public & Private Key facility is well known and used for many things such as applications online. When applying for the E-Science certificate they ask you to create a Private Key which will later be used to authenticate your application.

The application that G4CP plan to develop will effectively police the cyberspace and minimise the threats against computing infrastructures. This will promote a coherent European strategy in the field of crime prevention through the exploitation of the project’s products and will play an active role in the establishment of global standards in the area of crime prosecution through the dissemination of the project’s results.

G4CP also raises a lot of questions around grid management. For example, if a user wanted information regarding denial of service attacks against web servers in Wales, once they received the result what would happen with it? The knowledge would be stored so that if another user needed the same information then it would be available; instead of using up resources creating the same query it could just locate the knowledge and deliver it to the user. However, if this occurred with every search then the knowledge base could become overloaded with information and cause the system to slow as the storage ran out. To store every query would use thousands of terabytes. The solution would be to keep the information available for a short period of time and, if the query was not called for during that time frame, to delete the query. If it occurs again outside of the time frame then the query will be developed again and held on the server. The demand for information and harnessing the power of the grid to deliver information and knowledge faster is the key.
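The time-limited knowledge store described in the grid management paragraph above, as an added example (not code from the article or from the G4CP project): a query cache whose entries live for a fixed idle period, are kept alive by every request, and are deleted rather than retained indefinitely once nobody asks for them. The names QueryCache, Lookup and Sweep, the ten-minute window and the stand-in for the grid's data-mining job are assumptions for illustration; the clock is injected so that expiry can be exercised without waiting.

```go
package main

import (
	"fmt"
	"time"
)

// Knowledge is one answer the grid has already produced, with the deadline
// after which it is discarded unless somebody asks for it again.
type Knowledge struct {
	Result  string
	Expires time.Time
}

// QueryCache holds recently requested knowledge for a fixed idle period.
// Each hit extends the deadline; an entry nobody asks for within ttl is
// deleted rather than kept forever, which bounds the storage used.
type QueryCache struct {
	ttl     time.Duration
	now     func() time.Time          // injectable clock, so expiry is testable
	compute func(query string) string // the expensive grid job (constructed here)
	entries map[string]*Knowledge
	Misses  int // how often the grid had to build the knowledge afresh
}

func NewQueryCache(ttl time.Duration, now func() time.Time, compute func(string) string) *QueryCache {
	return &QueryCache{ttl: ttl, now: now, compute: compute, entries: map[string]*Knowledge{}}
}

// Lookup returns stored knowledge while it is live (reporting a hit), and
// otherwise has the grid build it again and stores the fresh result.
func (c *QueryCache) Lookup(query string) (string, bool) {
	t := c.now()
	if k, ok := c.entries[query]; ok && t.Before(k.Expires) {
		k.Expires = t.Add(c.ttl) // still wanted: extend its life
		return k.Result, true
	}
	c.Misses++
	result := c.compute(query)
	c.entries[query] = &Knowledge{Result: result, Expires: t.Add(c.ttl)}
	return result, false
}

// Sweep deletes every entry whose idle period has elapsed and reports how
// many were dropped; a grid node would run it on a timer.
func (c *QueryCache) Sweep() int {
	t := c.now()
	dropped := 0
	for q, k := range c.entries {
		if !t.Before(k.Expires) {
			delete(c.entries, q)
			dropped++
		}
	}
	return dropped
}

// Len reports how many answers are currently held.
func (c *QueryCache) Len() int { return len(c.entries) }

func main() {
	clock := time.Date(2011, 10, 20, 9, 0, 0, 0, time.UTC) // constructed clock
	now := func() time.Time { return clock }
	compute := func(q string) string { return "knowledge for: " + q } // stand-in for the data-mining job
	c := NewQueryCache(10*time.Minute, now, compute)
	q := "denial of service attacks against web servers in Wales"

	c.Lookup(q) // first request: the grid computes the answer
	clock = clock.Add(5 * time.Minute)
	_, hit := c.Lookup(q) // within the window: served from the store
	fmt.Println("hit within window:", hit, "misses so far:", c.Misses)
	clock = clock.Add(11 * time.Minute)
	_, hit = c.Lookup(q) // idle longer than the window: built again
	fmt.Println("hit after window:", hit, "misses so far:", c.Misses)
	clock = clock.Add(10 * time.Minute)
	fmt.Println("entries dropped by sweep:", c.Sweep())
}
```

Sweep is what bounds the storage: the store never holds more than the set of queries requested within one window. Sliding rather than fixed expiry is a design choice here; it keeps popular knowledge warm, but a continuously requested entry is never rebuilt, so a grid whose incident data changes would also want a maximum age after which an answer is recomputed regardless of demand.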
/ Managing a Knowledge Grid

In a communication network, a node is a connection point, either a redistribution point or a communication end point. However, the definition of a node does depend upon the network and protocol layer referred to. The main goal of grid management is to measure and publish the state of resources at a particular point in time. To be effective, monitoring must be done from end to end, meaning that the entire environment and its components must be monitored.

Understandably this is no easy task; if we take HPC Wales for example, it will provide to G4CP 1400 nodes located across 9 different sites. It is a huge task on its own just to manage all the components that are required to control that grid and its environment.

/ User Management

There has to be some form of security and authentication on the grid to ensure that the users on the grid are accessing material that is appropriate to them. There are two methods which can control, and help monitor, users on the grid and their security: public and private key cryptology along with X.509 certificates.

Public and private key cryptology is used regularly in many different kinds of computing projects and environments as a secure authentication method. The main reason it is still in use is that it helps indicate the true authors of a piece of information. E.g. if Sian wanted to send a message to Stelios, she would encrypt it with her private key so that when Stelios received the message he would be able to unlock it with his public key and read the message, but because Sian encrypted it with her private key he knows it is from Sian. There are flaws in public and private key cryptology, as with all methods of authentication; however, this method of secure authentication is put in place as a ‘contract’ of trust between the user and the manager of the grid.
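The two methods named above, a user key pair and an X.509 certificate issued by the grid's own authority, worked through as one added example; it is not code from the article or from the G4CP project, and the names (Identity, NewGridCA, IssueUserCert, Authorise), the section labels and the use of the certificate's OrganizationalUnit field to carry the permitted sections are assumptions for illustration. One caveat on the exchange described in the text: proving who sent a message is a signature operation, so Sian signs with her private key and Stelios verifies with Sian's public key (not his own); keeping the message secret would be a separate step of encrypting it to Stelios's public key. The block builds a self-signed grid CA, issues a user certificate that carries the permitted sections and an expiry date, signs and verifies a query with the user's key pair, and shows a grid node rejecting a request for a section the certificate does not grant, an expired certificate, and a certificate issued by an authority the grid does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a private key with the certificate binding the matching
// public key to a name: the grid CA or one grid user.
type Identity struct {
	Cert *x509.Certificate
	Priv ed25519.PrivateKey
}

// newIdentity generates a key pair and has signer certify it; with a nil
// signer the certificate is self-signed (the CA case).
func newIdentity(tmpl *x509.Certificate, signer *Identity) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, priv
	if signer != nil {
		parent, signKey = signer.Cert, signer.Priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Priv: priv}, nil
}

// NewGridCA creates the self-signed authority that vouches for grid users.
func NewGridCA(name string, now time.Time) (*Identity, error) {
	return newIdentity(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// IssueUserCert has the CA sign a certificate for an approved user. The grid
// sections the user may access go in the OrganizationalUnit field (a
// constructed convention for this example); the certificate expires after
// validity, after which the user has to re-apply.
func IssueUserCert(ca *Identity, user string, sections []string, now time.Time, validity time.Duration) (*Identity, error) {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, err
	}
	return newIdentity(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: sections},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca)
}

// Authorise is the check a grid node runs before answering a query: the
// presented certificate must chain to the grid CA, be valid at time now,
// and name the requested section.
func Authorise(ca *Identity, cert *x509.Certificate, section string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	for _, s := range cert.Subject.OrganizationalUnit {
		if s == section {
			return nil
		}
	}
	return errors.New("certificate grants no access to section " + section)
}

// Sign authenticates a message with the sender's private key; only its holder
// can produce this signature, which is how the grid attributes the message.
func Sign(id *Identity, msg []byte) []byte { return ed25519.Sign(id.Priv, msg) }

// VerifySignature checks the signature with the public key carried in the
// sender's certificate; the recipient needs no secret of its own.
func VerifySignature(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

func main() {
	now := time.Date(2011, 10, 20, 0, 0, 0, 0, time.UTC) // constructed clock
	ca, _ := NewGridCA("G4CP Grid CA", now)
	sian, _ := IssueUserCert(ca, "Sian", []string{"dos-reports"}, now, 30*24*time.Hour)
	query := []byte("denial of service attacks against web servers in Wales")
	sig := Sign(sian, query)
	fmt.Println("signature verifies:", VerifySignature(sian.Cert, query, sig))
	fmt.Println("dos-reports:", Authorise(ca, sian.Cert, "dos-reports", now))
	fmt.Println("malware-samples:", Authorise(ca, sian.Cert, "malware-samples", now))
	fmt.Println("after expiry:", Authorise(ca, sian.Cert, "dos-reports", now.AddDate(0, 2, 0)))
}
```

The verifier keeps nothing secret: the grid node needs only the CA certificate, so a user's private key never leaves the machine the certificate was issued for. Revocation before the expiry date is not shown; in a real deployment the node would also consult the CA's certificate revocation list, one of the X.509 artefacts the article lists on the next page.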



/ HPC Wales Facts
A few interesting quick facts about HPC Wales:

• Fujitsu has a £15million 5 year contract


• HPC Wales is a £40 million project that is a bid to boost the
region’s economy
• The two primary hubs will be Cardiff and Swansea which
then stretches across 8 other sites including Newport.
• Fujitsu will use primergy cluster servers based on Intel
Xeon and InfiniBand interconnect with Linux and Windows
operating systems
• More than 1400
compute nodes will
be deployed across
all the sites
with aggregated
performance of
Figure 2. E-Science Certificate (X.509) nodes exceeding
190 teraflops.

THE CERTIFICATE HOWEVER WILL


HAVE SUFFICIENT PERMISSIONS
BUILT IN STATING WHICH
SECTIONS THEY ARE ALLOWED
ACCESS TO AND IP RIGHTS
STATING THAT IT CAN ONLY BE
Figure 3. Conga GUI
INSTALLED ON ONE COMPUTER
To ensure that the grid is used on appropriate applications or web browsers, an X.509 certificate could be issued to authorities who use the grid. X.509 certificates are the standard for a public key infrastructure for single sign-on and a privilege management infrastructure. The standard specifies (amongst other things) formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm.
If we go back to the example of G4CP, we could manage the users on the grid via an X.509 certificate (similar to an E-Science Certificate). For example, when a user joins the G4CP (or attempts to join) they will have a face-to-face meeting with a member of the G4CP authority management team, who will then run through an application process; this process will identify whether they have a need for accessing the grid. If they are suitable then an X.509 certificate with the correct permissions for accessing the grid would be issued to them. The certificate, however, will have sufficient permissions built in stating which sections they are allowed access to, and IP rights stating that it can only be installed on one computer. There will also be an expiration date on the certificate whereby the user would have to re-apply for a certificate close to the time of expiration; therefore, if a user doesn’t wish to continue having access to the grid or doesn’t have a need for it any more, there won’t be any rogue accounts which could become vulnerable and used maliciously. /

/ Author Bios
Siân Louise Haynes – Currently a final year student at University of Wales, Newport studying BSc (Hons) Forensic Computing, due to complete my studies in June 2011. Aspiring toward getting a job as a digital evidence technician or a role within the forensic evidence technician field.

Dr Stilianos Vidalis was born in Athens, Greece, and was raised on an island in the Aegean Sea. He moved to Wales in 1995 where he did his undergraduate and postgraduate studies. He received his PhD in Threat Assessment in July 2004 from the University of Glamorgan. He joined the Department of Computing of the University of Wales, Newport in 2006 where he is currently the Head of the Centre for Information Operations. He is the programme leader for the BSc Computer Forensics and BSc Information Security. Dr. Vidalis is a member of the BCS South Wales Committee, a member of the E-Crime Wales Steering Group, and a member of the Military Educational Committee of the Welsh OTC. His research interests are in the areas of information operations, digital forensics, threat assessment, and effective computer defense mechanisms. Dr Vidalis is involved in a number of R&D projects with the Welsh Assembly Government, Law Enforcement Agencies, and private companies.
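The private-key signing and public-key verification described at the start of this section, and the permission-bearing, single-computer, expiring certificate proposed for G4CP, as an added Python example using the `cryptography` library (not the article’s or G4CP’s code). The CA name, the host names, the encoding of permitted sections as OU attributes and of the permitted computer as the only SAN entry are this example’s assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc


def _builder(subject, issuer, public_key, not_before, not_after):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after))


def make_grid_ca(name="G4CP Grid CA"):
    """Self-signed CA standing in for the grid's certificate authority (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(UTC)
    cert = (_builder(subject, subject, key.public_key(),
                     now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_certificate(ca_key, ca_cert, user, sections, host, days_valid):
    """Issue a user's certificate once the face-to-face application process has approved
    them. Assumed encodings: permitted grid sections as OU attributes of the subject, the
    single permitted computer as the only SAN entry, and a short validity window so the
    user has to re-apply instead of leaving a rogue credential behind."""
    user_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, user)]
        + [x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, s) for s in sections])
    now = datetime.datetime.now(UTC)
    cert = (_builder(subject, ca_cert.subject, user_key.public_key(),
                     now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days_valid))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return user_key, cert


def validity_window(cert):
    """(notBefore, notAfter) as aware UTC datetimes; newer cryptography releases expose
    the *_utc properties, older ones return naive UTC values."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def check_grid_access(ca_cert, cert, section, host, at=None):
    """Decide whether a presented certificate grants access to `section` from `host` at
    time `at`: the CA's signature proves who issued it, then the validity window, the
    host binding and the embedded permissions are checked in turn."""
    at = at or datetime.datetime.now(UTC)
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "not signed by the grid CA"
    nb, na = validity_window(cert)
    if not nb <= at <= na:
        return False, "outside validity window (expired or not yet valid)"
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False, "certificate is not bound to a computer"
    if host not in san.get_values_for_type(x509.DNSName):
        return False, "certificate is bound to a different computer"
    allowed = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)]
    if section not in allowed:
        return False, "no permission for this section of the grid"
    return True, "ok"
```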



/ APPLE AUTOPSY

APPLE AUTOPSY
As Apple loses its greatest innovator and
co-founder, Steve Jobs, new CEO, Tim Cook,
takes over the reins to introduce the new
iPhone 4S… What does this latest model
tell us about the company’s future?
by Sean Morrissey

The Apple world lost its greatest innovator, Steve Jobs. His long battle with cancer came to an end on October 5, 2011. Steve had influenced generations of people and created magical products for the world to use. His business style and his outlook on technology were far beyond us mere mortals. Steve revived a failing Apple and rebuilt it to become the technology giant that it is today. But does Steve Jobs’ passing signal the end of Apple as we know it?
In some ways yes, but Apple is more than one man and it will move on. I did read that some commentators thought that Steve believed he was immortal; the reality is quite the contrary. Steve Jobs was cognizant enough to know his mortality and therefore surrounded himself with some of the greatest designers, innovators, managers and engineers in the world. They are leaders in their respective fields, and are still hard at work at Apple innovating, designing and producing some of the most sought-after technology products in the world today, building upon the legacy left by Steve.
Tim Cook has been passed the torch from Steve, and in Steve’s first leave of absence we saw Apple stock just continue to grow. Tim Cook will be a great steward of Apple. I have to wonder what was going through his mind as he launched the iPhone 4S knowing that Apple’s co-founder was in his final hours. He can surely be forgiven if his mind was elsewhere.
On October 4, 2011 Tim Cook, the new CEO of Apple, introduced the iPhone 4S and not the iPhone 5 as some pundits thought would be announced. Some critics think this was a let-down; my opinion is that as the iPhone 4 sold so well, why not just improve what is there? “If it ain’t broke, don’t fix it”!
The new iPhone 4S has the dual-core A5 processor, CDMA and GSM, which gives it truly world phone capabilities. The iPhone 4S has a redesigned 8-megapixel camera and Apple have now added a 64GB variant to the fold; this, with the addition of iOS 5 and the improvements the upgraded operating system brings, most notably notifications, means game play and web browsing are faster, as is the speed of the camera and associated functionality.
Then there is “Siri”, an awesome application that just adds another dimension to getting information, dictating just about anything. Siri uses Artificial Intelligence (AI) to create and send texts and e-mails, set reminders, schedule meetings, place phone calls, get directions, play music, and is believed to be able to answer context-sensitive questions, like “will I need a raincoat today?”. The Siri app was originally a spin-off of a project co-developed by SRI Ventures and the Department of Defense’s innovation arm, the Defense Advanced Research Projects Agency (DARPA), and was launched as an iPhone app in February 2010. Apple bought the app some two months later for an undisclosed sum. All in all, this is something really impressive.
Apple is alive and well and I am sure that we will see more innovation and “cool products” from this company in the future. /



/ FEATURE

FOOTPRINTS ON MACS –
GEOGRAPHIC ARTIFACTS
The Apple world can be both stationary and mobile; from the Mac Pro to the iPhone, all have one thing in common, the Apple universe. Apple has given its customers the ability to do many things, including the ability of devices to become interconnected with ease. This facility provides users an intuitive ability to save all kinds of data. With the coming iCloud, more and more content will be moved to the cloud; however, the move of the content does not eliminate geographic data from the content.
by Sean Morrissey

/ ADVANCED

Today we have OS X and iOS as the two operating systems; OS X for Apple personal computers and iOS for the Apple mobile devices. The interoperability of the two operating systems provides the facility to store the same data on multiple devices. Before the rise of iOS, the Apple universe consisted of the MacBook, iMac and the Mac Pro. These all had the ability to store geographic data, mainly from cameras that had included Global Positioning System (GPS) data in picture files.
This was first associated with high-end cameras, but today relatively cheap mobile devices can embed GPS data. Unbeknownst to Apple, they also gave digital forensic examiners a free forensic utility to examine this data from within the operating system; that utility is Preview. The Preview application is, by default, located on the dock (task bar). The Preview application can be used to view all EXIF (Exchangeable Image File Format) and GPS data from images that contain such data.
On most newly purchased Mac devices the iLife application suite is included; the iLife suite includes the iPhoto application and, just like Preview, it is installed by default in the task bar. iPhoto is the default container application used by Apple for all images and video that are imported either from an iDevice or another source.
From within iPhoto there is a facility called “Places”. In order to utilise Places, the system needs to be connected to the Internet to view the pins on a map. What this provides an examiner is a visual representation of all geo-tagged data, identifying the areas of the world that a suspect may have travelled.
From a locked .dmg (disk image) the iPhoto library may be exported from the suspect system and copied over to another system that has access to the Internet, to mimic the user’s system and Places within iPhoto, using the following steps:

• Navigate to the following path, ~/username/pictures/iPhoto Library.
• Copy the entire file from the suspect’s system and then paste it to the same path on your system, ~/username/pictures/iPhoto Library.
• Open iPhoto and view the results.

iPhoto is an application that provides the examiner a lot of information about a particular image. This may be done from a forensic workstation or other system connected to the Internet. The following procedure will provide the same information both online and offline, except for geo-mapping, which will require access to the Internet.

• Use the copy-over technique from the previous step to transfer data from a locked .dmg to the same location on the forensic workstation.
• Scroll through the images until an image of relevance is seen.
• Click on the image to highlight it.
• At the bottom of the window, to the right, is an “Info” button. Click on this button to see the information pane, as shown in Figure 1.

From the Info pane the following artifacts are identified:

• First the camera model is shown; in the example above, this image came from an iPhone 4.
• Underneath the camera model is the EXIF data from the device.
• Next one can see the filename and MAC timestamps:
  • Date and time when the photo was taken
  • Last modified date and time
  • Date and time that the image was imported.
• Below the MAC times is a pinpoint on a map where the image was taken; this information is gathered from the GPS data of the image. (Again, the system needs to be connected to the Internet to populate this data.)



Figure 1. iPhoto Information Panel

So what if I wanted to know the GPS coordinates of the image? There are two ways that we can do this. One is from within iPhoto and the other is to navigate the file system and use another tool that will give the same information; that application is “Preview”. From within iPhoto, follow the steps listed below:

• Scroll through iPhoto until an image of relevance is identified.
• Select and highlight the image, then go to the top menu bar.
• From the top menu select “Reveal in Finder” and “Original File”.
• This will automatically open “Finder” and show the location within the file system where the image resides.
• From this location all you have to do is press the space bar and “Quick Look” the full-resolution image. From the “Quick Look” view there is a button at the top of the image that allows you to open the image with Preview.
• Once selected, the image will open in the Preview application.
• From the top menu bar, select “Tools | Show Inspector”.
• The Inspector can provide a wealth of information in regards to images of relevance:
  • Image EXIF data
  • GPS data
  • Altitude
  • Altitude reference
  • Image compass heading
  • Direction reference – True North or Magnetic North
  • Latitude
  • Longitude
  • GPS time stamp

See the following image as an example of the geo-tagged data.

Figure 2. Image Geo-Tagged Data

This procedure can be done with any image and it is not necessary to do it from within iPhoto. Any image can be opened with Preview, providing you know where the image file is located and are connected to the Internet. The same data can be retrieved, including all EXIF and GPS data.
Videos also contain geo-tagged data and again it is Apple’s mobile devices which provide the bulk of the artifacts generated. The iDevices are able to create video and embed geographic data within the file. As with the images, movies can be added to the iPhoto Library when synchronising the iDevice with the Mac, and EXIF and GPS data can be viewed just like with photographs:

• Camera model
• Video dimensions and compression
• Filename and timestamps:
  • Taken
  • Modified
  • Imported
• Geographic data

If you wish to view the data and do not have iPhoto, you are able to view the geo-tagged data with the “QuickTime” application. Follow these steps:

• Locate your video of interest.
• Double click on the video; QuickTime is the default viewer. If not, right click and select “Open With” and from the list select “QuickTime”.
• From the menu bar in QuickTime, select Tools | Inspector.
• View the EXIF and geo data.

The bulk of the geographical data is derived from Apple’s mobile devices: the iPad, iPhone and iPod Touch. All these devices now have the ability to take pictures with front and rear cameras, and populate the file with EXIF and GPS data. (Note: the iPad 1G and all iPods prior to the 4th generation devices weren’t capable of taking pictures.)
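The GPS fields the Inspector lists above (latitude and longitude with their N/S and E/W references, altitude and its reference, GPS time stamp) live in an Exif GPS sub-IFD inside the JPEG. The following added Python example (not the article’s or Apple’s code) builds a minimal constructed JPEG carrying such a sub-IFD and then parses the fields back out the way a viewer does; the tag numbers come from the Exif specification, and the coordinates are constructed sample values.

```python
import struct

# Tag numbers from the Exif 2.x specification. The GPS tags live in a sub-IFD
# reached through the GPSInfo pointer tag (0x8825) in IFD0.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
GPS_ALT_REF, GPS_ALT, GPS_TIME = 0x0005, 0x0006, 0x0007
T_BYTE, T_ASCII, T_LONG, T_RATIONAL = 1, 2, 4, 5


def _ifd(entries, ifd_off):
    """Serialise one little-endian IFD from (tag, type, count, payload) tuples.
    Payloads of 4 bytes or fewer sit inline in the entry; longer ones follow the IFD."""
    data_off = ifd_off + 2 + 12 * len(entries) + 4
    body, tail = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            body += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, count, data_off + len(tail))
            tail += payload
    return body + struct.pack("<I", 0) + tail  # next-IFD offset 0 ends the chain


def _dms(deg):
    """Decimal degrees -> three RATIONALs (deg/1, min/1, sec/100), as cameras write them."""
    deg = abs(deg)
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 100)
    return struct.pack("<IIIIII", d, 1, m, 1, s, 100)


def build_geotagged_jpeg(lat, lon, altitude_m, utc_hms):
    """Constructed minimal JPEG (SOI, APP1 Exif, EOI and no image data) carrying a GPS
    sub-IFD laid out the way a phone camera writes it. Sample input, not a real capture."""
    gps = [
        (GPS_LAT_REF, T_ASCII, 2, b"N\0" if lat >= 0 else b"S\0"),
        (GPS_LAT, T_RATIONAL, 3, _dms(lat)),
        (GPS_LON_REF, T_ASCII, 2, b"E\0" if lon >= 0 else b"W\0"),
        (GPS_LON, T_RATIONAL, 3, _dms(lon)),
        (GPS_ALT_REF, T_BYTE, 1, bytes([0 if altitude_m >= 0 else 1])),  # 1 = below sea level
        (GPS_ALT, T_RATIONAL, 1, struct.pack("<II", round(abs(altitude_m) * 100), 100)),
        (GPS_TIME, T_RATIONAL, 3, struct.pack("<IIIIII", utc_hms[0], 1, utc_hms[1], 1, utc_hms[2], 1)),
    ]
    ifd0_off = 8                      # IFD0 directly follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4   # IFD0 holds one inline entry and no tail data
    ifd0 = _ifd([(TAG_GPS_IFD, T_LONG, 1, struct.pack("<I", gps_off))], ifd0_off)
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + _ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_gps(jpeg):
    """Walk the JPEG segments to the Exif APP1, follow IFD0 to the GPS sub-IFD and return
    decimal latitude/longitude, signed altitude and GPS UTC time; None if no GPS data."""
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):    # EOI or start of scan: no more metadata segments
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            break
        pos += 2 + seglen
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"   # byte-order mark selects the endianness

    def entries(off):
        n = struct.unpack_from(e + "H", tiff, off)[0]
        out = {}
        for i in range(n):
            at = off + 2 + 12 * i
            tag, typ, count = struct.unpack_from(e + "HHI", tiff, at)
            out[tag] = (typ, count, tiff[at + 8:at + 12])  # raw 4-byte value-or-offset field
        return out

    def rationals(entry):
        _typ, count, raw = entry
        off = struct.unpack(e + "I", raw)[0]
        v = struct.unpack_from(e + "II" * count, tiff, off)
        return [v[i] / v[i + 1] for i in range(0, 2 * count, 2)]

    ifd0 = entries(struct.unpack_from(e + "I", tiff, 4)[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = entries(struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0])
    to_decimal = lambda parts: sum(v / 60 ** i for i, v in enumerate(parts))
    lat, lon = to_decimal(rationals(gps[GPS_LAT])), to_decimal(rationals(gps[GPS_LON]))
    alt = rationals(gps[GPS_ALT])[0]
    h, m, s = rationals(gps[GPS_TIME])
    return {
        "latitude": -lat if gps[GPS_LAT_REF][2][:1] == b"S" else lat,
        "longitude": -lon if gps[GPS_LON_REF][2][:1] == b"W" else lon,
        "altitude_m": -alt if gps[GPS_ALT_REF][2][0] == 1 else alt,
        "gps_time_utc": "%02d:%02d:%02d" % (h, m, s),
    }
```

The reference tags are what turn the unsigned degree/minute/second rationals into signed coordinates, so a parser that skips them will silently mirror the fix into the wrong hemisphere.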



The iPhone 1G was able to take pictures, but even with iOS upgrades did not have the necessary GPS hardware to create GPS data. However, in iOS 3 the 2G iPhone was able to create and populate files with GPS data, but that data actually came from the triangulation of cell towers that the phone was close to. Even the accuracy of the 3G, 3GS and iPhone 4 has improved over time; however, sometimes the data can be degraded in accuracy when the device is indoors.
It isn’t just GPS data from images that is found on an iDevice; location-based data was also found on devices that had versions of iOS 3 and iOS 4. This was the data set that made headlines all over the world and made “consolidated.db” something that made everyone in the forensics, security and political arenas take notice.
Law enforcement, however, knew about location-based data way before it came to light. It was a shining moment for law enforcement, who were able to keep this data quiet, and it gave investigators information that saved lives and solved cases. Now all that data is gone, but if an investigator or examiner is given a device with iOS 3 or iOS 4.0 up to v4.3.2 the location-based data is still there; however, after v4.2.1 it now only lasts for 7 days. This is still enough time to assist an investigation.
So, where do we look for that data if the investigator is lucky enough to have a device that still contains location-based data? First let’s look at iOS 3.
In this version of iOS, all the data was populated into a property list. At the time this data was not backed up and the only way to access the data was to jailbreak the device and acquire a physical image. Once an image was obtained, it was easy enough to locate and view the data.

Quicktime Geo-data

In order to view property lists, there are free and paid-for utilities. Apple has released Xcode, which is a package of free utilities designed to assist developers. Within Xcode version 3 there used to be a utility called “Property List Editor”; this gave examiners on the Mac platform a utility to view XML-formatted property lists in a human-readable form. The drawback with this application was that it was difficult to output the artifacts. In Xcode 4, however, this utility was removed from the package. The Xcode 4 application is a suitable replacement and solves the output problem. Alongside Xcode and Property List Editor there has been a paid application that could also view property lists, Omni Outliner. This application can be found at http://www.omnigroup.com

Xcode Property List

Within the iOS 3 file system are property lists that contain the precursor to consolidated.db, located at private/var/root/Library/Caches/locationd. Here are a few property lists that may contain data relevant to an investigation.

• Cache.plist
  • Date and time of the last GPS fix (Absolute Time)
  • The latitude and longitude of the last fix
  • Date and time of last Wi-Fi fix (Absolute Time)
• Cells-local.plist
  • Cell tower information
  • Latitude and longitude
• Cells.plist
  • Cell tower information
  • Latitude and longitude
• H-cells.plist (Harvested). Each is broken down by cell tower encountered and separate fixes by date/time and lat/long. Looking at the data there could be numerous fixes for the same tower but at different dates and times.
  • Latitude and longitude
  • Date and time (Absolute Time)
  • Accuracy data
  • Compass heading
• H-wifi.plist (Harvested). Each set is broken down by the MAC address of the Wi-Fi hotspot encountered and, as with h-cells.plist:
  • Date and time (Absolute Time)
  • Latitude
  • Longitude
  • Accuracy data
  • Compass heading
  • Altitude



In iOS 4 all these property lists were then combined into one SQLite database. Not only did this database have up to a year’s worth of data, but it was also backed up. This was better known as consolidated.db. Even the file name alludes to the combination of all the property lists from iOS 3. In order to view SQLite databases, there is a free utility, SQLite Database Browser, which can be obtained at http://sourceforge.net/projects/sqlitebrowser/. Another paid application is “Froq”, available at http://www.colourful-apps.com/products/mac/froq. This application is helpful in exporting data into various formats.
The location of the consolidated.db was /private/var/root/Library/Caches/location.d/. First let’s use the free application to view the data, from the SQLite Database Browser application:

• From the menu bar, select File | Open Database
• Navigate to the consolidated.db
• Select Open.

Lantern Parsed Geo-data

The default pane is the Database Structure, which shows all the tables within the database. To view the data go to the Browse Data pane. From this pane there is a drop-down list labelled “Table:”. For example, select Cell Location Local, as seen in the following example. The following data can be viewed:

• Cell tower identification
• Time stamp (Absolute Time)
• Latitude
• Longitude
• Altitude
• Speed
• Course (compass heading)

Lantern Visualised Data

The following tables contain the following data:

Wi-Fi Location table
• MAC address
• Time stamp (Absolute Time)
• Latitude
• Longitude

Cell Location Harvest
• Cell tower identification
• Provider (for example AT&T)
• Time stamp (Absolute Time)
• Latitude
• Longitude
• Altitude

Cell Location
• Cell tower identification
• Time stamp (Absolute Time)
• Latitude
• Longitude
• Altitude

As we have previously discussed, the Apple world can contain a large amount of geographic data designed for the user to share experiences with others and to give a graphical representation of where people have been. As stated previously, forensic application developers like Katana Forensics, Inc. have been mining and visualising such data prior to it becoming front-page news.
As we wait for the coming iOS 5 and the newer iPhone(s), what do we believe these devices and the new iCloud give examiners? What we can expect is that there will be multiple copies of the same artifacts on numerous platforms. Apple keeps changing the game to keep ahead of competitors, which in turn makes it incumbent on the forensic community to keep up with the changes as they evolve. /

/ AUTHOR BIO
Sean Morrissey is presently employed by Paradigm Solutions and assigned as a Computer/Mobile Forensic Analyst in the Department of State Computer Investigations and Forensics Division. Sean was an Instructor of Forensics at the Defense Cyber Crime Center, a former Law Enforcement Officer and U.S. Army Officer. He also authored Mac OS X, iPod and iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis.
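Both generations of artifact covered in this article, the iOS 3 locationd plists and the iOS 4 consolidated.db tables, store their time stamps as Absolute Time, and an examiner usually wants the fixes from both on one timeline. The following added Python example (not the article’s or any vendor’s code) converts Absolute Time, reads an h-cells.plist-style plist and a consolidated.db CellLocation table, and merges the fixes chronologically. The plist key names, the table columns and every fix value are constructed sample data; the 2001-01-01 UTC epoch is the documented CoreFoundation convention.

```python
import datetime
import plistlib
import sqlite3

# CoreFoundation "Absolute Time" counts seconds from 2001-01-01 00:00:00 UTC. The iOS 3
# locationd plists and the iOS 4 consolidated.db both store fix times this way, so a
# value read as a Unix timestamp would land 31 years too early.
APPLE_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)


def absolute_to_utc(seconds):
    """Apple Absolute Time -> timezone-aware UTC datetime."""
    return APPLE_EPOCH + datetime.timedelta(seconds=float(seconds))


def utc_to_absolute(dt):
    """Inverse conversion; used here only to construct the sample artifacts."""
    return (dt - APPLE_EPOCH).total_seconds()


def fixes_from_hcells_plist(plist_bytes):
    """Parse an h-cells.plist-style XML plist: one entry per cell tower, each holding a
    list of fixes. The key names are a constructed approximation of the layout the
    article describes, not Apple's documented schema."""
    fixes = []
    for tower_id, tower_fixes in plistlib.loads(plist_bytes).items():
        for fix in tower_fixes:
            fixes.append({"source": "h-cells.plist", "tower": tower_id,
                          "time": absolute_to_utc(fix["Timestamp"]),
                          "lat": fix["Latitude"], "lon": fix["Longitude"],
                          "accuracy_m": fix.get("HorizontalAccuracy")})
    return fixes


def fixes_from_consolidated_db(conn):
    """Query the CellLocation table of a consolidated.db. Column names follow the widely
    reported iOS 4 schema (MCC/MNC/LAC/CI tower identity plus the fields listed above)."""
    rows = conn.execute("SELECT MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, "
                        "Altitude, Course FROM CellLocation")
    return [{"source": "consolidated.db", "tower": "%d-%d-%d-%d" % (mcc, mnc, lac, ci),
             "time": absolute_to_utc(ts), "lat": lat, "lon": lon,
             "altitude_m": alt, "course": course}
            for mcc, mnc, lac, ci, ts, lat, lon, alt, course in rows]


def timeline(*fix_lists):
    """Merge fixes from both generations of artifact into one chronological list."""
    return sorted((f for fl in fix_lists for f in fl), key=lambda f: f["time"])


def build_sample_artifacts():
    """Constructed sample data only: an h-cells.plist and an in-memory consolidated.db
    with two fixes each, standing in for artifacts from an iOS 3 and an iOS 4 device."""
    def t(*ymdhms):
        return utc_to_absolute(datetime.datetime(*ymdhms, tzinfo=datetime.timezone.utc))
    plist = plistlib.dumps({"234-15-1234-5678": [
        {"Timestamp": t(2011, 3, 1, 9, 15, 0), "Latitude": 51.4816, "Longitude": -3.1791,
         "HorizontalAccuracy": 500.0},
        {"Timestamp": t(2011, 3, 2, 18, 40, 0), "Latitude": 51.4820, "Longitude": -3.1800,
         "HorizontalAccuracy": 750.0}]})
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, "
                 "CI INTEGER, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, "
                 "Altitude FLOAT, Speed FLOAT, Course FLOAT)")
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (234, 15, 1234, 5678, t(2011, 3, 2, 8, 5, 0), 51.4816, -3.1791, 12.0, 0.0, 90.0),
        (234, 15, 2200, 9001, t(2011, 3, 3, 12, 0, 0), 51.6214, -3.9436, 20.0, 0.0, 45.0)])
    return plist, conn
```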

51

DF9_48-51_Footprints on Macs.indd 51 20/10/2011 17:36


DF9_52_Ad.indd 52 15/10/2011 11:27
/ FROM THE LAB

DISCOVERING THE EASE
OF X-WAYS FORENSICS, PART 2
In the last issue, I illustrated how easy it is to do many of the routine digital forensic processes
using X-Ways Forensics. Despite only being an overview, I still could not cover all of the
important points within a single article, so here is Part II! By the time you have read to the end,
you should have attained sufficient knowledge of XWF to pick it up and run with it.
by Ted Smith

/ INTERMEDIATE

The Gallery View is like no other gallery system! Not only can the size of the pictures be resized as already mentioned (via the General Options), but they can be sorted by colour detection (using the ‘SC’ filter) for skin tone or the volume of black and white pixels in the image; this is especially useful for fraud or pornography related investigations because you can sort by skin tone for nudity or black and white for scanned typed documents. Not only that, but the whole file item pane can be docked or undocked from the main interface, so if you have a dual screen system you can drag the pane (with the Gallery button selected) across to one screen and maximise it to show a larger list of graphics, leaving the other screen with the remaining XWF panes. To [un]dock, click the 3 vertical dots to the left of the ‘Preview’ button in the bottom right pane, see Figure 16.

Figure 16. [Un]Dock the File Item Pane

Like all areas of XWF, what the Gallery View shows you depends on the options and filters you have set. If you right click a folder to recursively explore its content, but don’t have any other filters enabled, the Gallery View will attempt to show you a thumbnail of every file, and it will obviously succeed if the file is a picture, whereas it will fail if it is not, as shown in Figure 17.

Figure 17. Gallery View with no file filters enabled

Based on what you have read so far, you have probably realised that the Gallery View can be further refined to not show files that are known system files, duplicate files, already viewed files, and so on, so that you are then only shown pictures that are actually pictures in the Gallery View, Figures 18 and 19. The list of display options is practically endless.

/ Refine the Volume Snapshot (RVS)
At this point, readers who routinely use XWF will be wondering why I have not yet covered the central aspect of the tool called the ‘Volume Snapshot’, and the refinement of it, which is found via the ‘Specialist > Refine Volume Snapshot’ menu. I have left the explanation of it until now because I wanted to demonstrate to you just how much you can do with XWF in just a couple of minutes, without actually having processed much more of the forensic image. Just dropping the image into a new case has facilitated everything you have seen so far. With other tools, it would have taken hours to have arrived at this point, or it may even have required the installation and configuration of huge database systems requiring a considerable installation and configuration effort, not to mention a restriction on case portability; something that is no issue with XWF.
The RVS is effectively a built-in ‘pre-processing’ facility that allows you to specify how the data in your case is further refined and/or expanded, following that initial and brief file system traversal of the image when it was first added.



Figure 18. Changing the filter to show files of type ‘Pictures’

Figure 19. Gallery view with ‘Pictures’ filter enabled

The options are fairly self-explanatory, see Figure 20; suffice to say that it conducts a sequence of further analysis across the image, such as examining and expanding all compressed archives (zip, tar etc) and e-mail cabinets (pst, dbx, edb etc); files are hashed using one of many hashing algorithms and matched against any hash set you wish; a thorough search is made for lost partitions and files, along with data carving if requested; and, as usual, you can dictate whether to apply the refinement to all files, files that meet a certain filter criteria, just files that have not already been excluded/hidden, or a list of selected/tagged files. The ability to then go straight on and conduct indexing is also available, and files that you have already excluded or those that are excluded during the RVS process will not be indexed, subject to you ticking the appropriate options when the indexing parameters dialogue is shown.
Again, the RVS can be conducted on a global case basis (by clicking on the root symbol, top of left hand pane) for every evidence object, or it can be done at a partition level of just one evidence object (option at the bottom of the RVS dialog box); as always, it depends what you select, or do not select, in the left hand pane.
In addition, you might, for example, only be interested in quickly seeing all of the e-mail in your case, so you might untick everything else in the RVS apart from the option to “extract e-mail messages” to save time and allow rapid examination of what you are really after, in this example, e-mail communications.
Once the RVS has completed, you will then have further options available to you with regard to how you filter your data using the Directory Browser Options again.

/ Disk Imaging
Besides the obvious benefits of using XWF for analysis, it also makes for a superb imaging system. So much so that the stripped down “Imaging Only” version is not free of charge (though it only costs about £100), despite many mainstream digital forensics outfits releasing free imaging solutions. The reason it is not free, I expect, is because it blows the socks off every other Windows based imaging system that I know of. As with most aspects of XWF, I can’t explain all of its advantages and features here, but I encourage you to explore it and the help manual.
Without creating a case, you can simply add any connected device by either pressing F9 (or ‘Tools > Open Disk’) and then selecting either the logical or physical device to add. Once chosen, simply press Ctrl + C to capture an image (or ‘File > Create Disk Image’). You are then presented with the dialogue box shown in Figure 21.
Just as with most tools, you can choose either the raw or E01 image formats; both have various options but I’ll discuss the commonly chosen E01 format here.
You can define the sector range to capture (useful if you have a problematic disk), you can choose what hash algorithm to use, whether to encrypt the image or not, how much to split the image by (if at all), but most impressive of all are the compression options.
Most forensic tools utilise the open-source gzip compression system that provides the familiar “1 to 9” scale, but XWF have devised their own levels of compression and they are very effective indeed at intelligently compressing only data that can be compressed in accordance with the level you specify, as opposed to blindly compressing everything, or not, to a specified level, regardless of whether it can actually be compressed, or not. I conducted some tests of the imaging speeds at various levels of compression and compared it to FTK Imager and the Tableau Imager (TIM). I found it to be the most versatile and efficient of them, only losing out to TIM when using the very highest compression option that XWF allows, and even then, the generated image was the same size as the one created by TIM.



Figure 20. The ‘Refine Volume Snapshot’ dialogue

Figure 21. Imaging disks using XWF

In addition to the imaging aspects, you can also ‘simply’ clone a disk. With version 16.0 onwards, not only can you clone from the start to the end of the disk, but you can also clone backwards! To clone a disk, add the media in the same way as before but choose ‘Tools > Disk Tools > Clone Disk’ and select, or deselect, the options you require (Figure 22, from XWF 15.9).
Our team has encountered many disks over the years that can only be imaged from the start to a certain point on the disk; perhaps 75% through. At that point the imaging process may fail. Using most forensic imaging and analysis tools, you have to accept that the evidence might be lost from that disk because the partial image cannot be used due to being incomplete. However, with XWF, not only will it (in most instances) still be able to open the partial E01 image and present you with the majority of the data, but you can then go on to clone the remaining area of the disk beyond the damaged region and then add the “mini image” into your case to conduct a file carve using the “RVS > Particularly thorough file system search” to recover any other remaining files. In a case we had recently, a further 20K files were recovered in this way beyond a damaged area of the disk, not to mention the ability to examine the partitions, folders and files of the partial incomplete image. Something that was not possible without XWF.

/ Evidence Containers
Lastly, this article would be incomplete without mention of the evidence containers of XWF, which incorporate their own file system that is optimised for the number of files to be added to it.
Those of you who attend large business addresses will often be in a situation where you cannot conduct a full disk image but will instead opt to capture a certain directory or directories of files. Though all mainstream tools have incorporated this idea in some way, XWF does it very well! It is specifically designed for capturing variable amounts of live files in a very robust and rapid way. Very recently a practitioner on our team had to capture 12Gb of live files from a running server. Having started this process using the AD1 custom image format of FTK Imager, and it reporting that the expected time remaining was three hours, he tried using XWF. The resulting time taken was just 62 minutes. FTK Imager might be free, but if you work in an arena where the option of capturing live files much faster is appealing, then I suggest you invest in XWF and use their evidence container format. The only ‘issue’ is that you have to use XWF to examine the evidence container, but this is no different from the other forensic tools that incorporate the idea.
To create a container, go to Specialist > Evidence File Container > New. Select or deselect the options you require (including a decision as to how many files you want to optimise the container to hold), add some additional metadata and click “Next” (Figure 23). Having given XWF a location to save the container to, you then just continue to work in the program as normal until you find files that you want to add to the container.
As and when you want to add folders or files to the container, just right click them and select “Add to ContainerName.ctr” and you are presented with options for the folder(s) and file(s) you have selected (Figure 24). As usual, select or deselect the options you want to use (the fewer the options, the faster the process) and click “OK” to start the acquisition process.

/ RAID Analysis
XWF is famous for its ability to reconstruct RAIDs. It’s a huge topic and I cannot cover it here and do it justice, but trust me, if you need to rebuild a RAID (any RAID), try XWF. I have even used it to add two physical disk RAID components connected via write blockers to XWF, reconstructed the striped RAID as a new evidence object within XWF, and then captured a physical image of that reconstructed RAID, as a complete and single



/ FROM THE LAB

E01, that can then easily be used with any forensic tool of
your choice, EnCase, XWF, FTK and so on without any further
rebuilding. This is as opposed to imaging each disk separately
and then having to use XWF to piece them together as a RAID;
it’s all about providing options. My colleagues and I have had
great success in this area with XWF.
To rebuild a RAID, just add the images of your physical
disks, go to ‘Specialist > Reconstruct RAID System’, enter the
images in the order you suspect them to be (you can re-order
them as many times as needed), select the RAID type and then
the stripe size. If successful, a new evidence object will appear Figure 22. Cloning a disk
with your directory structure for the RAID.
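To make concrete what "Reconstruct RAID System" is doing behind the dialog, here is an added example in Python (my own code, not part of X-Ways Forensics and not from the original article). It de-stripes a RAID-0 from per-member images for a given disk order and stripe size, and then scores every order and stripe size with a simple heuristic: sector 0 must be an MBR, and the sector its first partition entry points at must itself look like a boot sector. The sample volume, the partition layout and the small set of OEM identifiers checked are all constructed assumptions for the demonstration.

```python
"""RAID-0 reconstruction from member disk images, plus a heuristic that
scores candidate (disk order, stripe size) layouts. Added example; the
sample volume below is constructed, not taken from any real disk."""
import random
import struct
from itertools import permutations
from typing import List, Sequence, Tuple

SECTOR = 512
# Assumed set of boot-sector OEM identifiers to recognise; extend as needed.
OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ")


def destripe_raid0(members: Sequence[bytes], stripe_size: int) -> bytes:
    """Reassemble a striped (RAID-0) volume from its members in the given
    order. Logical stripe k lives on member k % n at stripe offset k // n."""
    size = len(members[0])
    if any(len(m) != size for m in members):
        raise ValueError("member images must all be the same size")
    if size % stripe_size:
        raise ValueError("member size must be a multiple of the stripe size")
    out = bytearray()
    for off in range(0, size, stripe_size):
        for m in members:
            out += m[off:off + stripe_size]
    return bytes(out)


def stripe_raid0(volume: bytes, n: int, stripe_size: int) -> List[bytes]:
    """Inverse of destripe_raid0; used only to build the constructed sample."""
    if len(volume) % (n * stripe_size):
        raise ValueError("volume must be a multiple of n * stripe_size")
    members = [bytearray() for _ in range(n)]
    for k, off in enumerate(range(0, len(volume), stripe_size)):
        members[k % n] += volume[off:off + stripe_size]
    return [bytes(m) for m in members]


def first_partition_lba(volume: bytes) -> int:
    """Start LBA of MBR partition entry 1 (entry at offset 446, LBA at +8).
    Rejects a sector 0 that is really a volume boot record, and empty entries,
    so a member that happens to start with a VBR cannot masquerade as disk 0."""
    if volume[510:512] != b"\x55\xaa" or volume[3:11] in OEM_IDS:
        raise ValueError("sector 0 is not an MBR")
    ptype, lba = struct.unpack_from("<xxxxBxxxI", volume, 446)
    if ptype == 0 or lba == 0:
        raise ValueError("partition entry 1 is empty")
    return lba


def boot_sector_plausible(volume: bytes) -> bool:
    """Sector 0 is always stripe 0 of whichever member comes first, so only a
    sector further in discriminates order and stripe size: the one the MBR
    points at must carry a boot signature and a known OEM identifier."""
    try:
        lba = first_partition_lba(volume)
    except ValueError:
        return False
    sec = volume[lba * SECTOR:(lba + 1) * SECTOR]
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa" and sec[3:11] in OEM_IDS


def candidate_layouts(members: Sequence[bytes],
                      stripe_sizes: Sequence[int]) -> List[Tuple[Tuple[int, ...], int]]:
    """Try every member order and stripe size and keep the survivors. More than
    one can survive (a 4 KiB stripe on disks A,B,C and an 8 KiB stripe on
    A,C,B put the same sector in the same place), so the final confirmation
    is still opening the file system, which is what XWF shows you as the
    directory tree of the new evidence object."""
    found = []
    for order in permutations(range(len(members))):
        ordered = [members[i] for i in order]
        for ss in stripe_sizes:
            if len(members[0]) % ss:
                continue
            if boot_sector_plausible(destripe_raid0(ordered, ss)):
                found.append((order, ss))
    return found


def build_sample_volume(total_sectors: int = 96, part_lba: int = 16) -> bytes:
    """Constructed sample: an MBR with one NTFS-type partition at part_lba, an
    NTFS-style boot sector there, deterministic pseudo-random filler elsewhere."""
    rng = random.Random(1)
    vol = bytearray(rng.getrandbits(8) for _ in range(total_sectors * SECTOR))
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00\x00\x00", 0x07,
                     b"\x00\x00\x00", part_lba, total_sectors - part_lba)
    mbr[510:512] = b"\x55\xaa"
    vol[0:SECTOR] = mbr
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xeb\x52\x90NTFS    "
    vbr[510:512] = b"\x55\xaa"
    vol[part_lba * SECTOR:(part_lba + 1) * SECTOR] = vbr
    return bytes(vol)


if __name__ == "__main__":
    vol = build_sample_volume()
    members = stripe_raid0(vol, 3, 4096)          # three "disks", 4 KiB stripes
    for order, ss in candidate_layouts(members, [4096, 8192, 16384]):
        print("plausible layout: order", order, "stripe", ss)
```

The sample run reports two plausible layouts, which is the point: the heuristic narrows the search from eighteen combinations to two, and the analyst resolves the rest by mounting the result, exactly as the article describes re-ordering the images until the directory structure appears.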

/ Memory Analysis
If you capture the RAM of a running computer using a tool like "DumpIt" (http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream), you can add the image to XWF as a logical image and it will recognise it as a memory image and parse it for you! You can conduct a header search for complete files by again using the RVS feature.

/ Summary
XWF is fast, portable and powerful, requiring minimal hardware to run well, and it's a fraction of the cost of most mainstream applications. Though powerful hardware is not essential to run and use XWF, if it is used on powerful hardware with plenty of RAM it will process a case of dozens of images containing millions of files and not even break a sweat. Recently introduced features include the long awaited ability to examine Microsoft Exchange e-mail systems (16.1-SR6 or above recommended).
The X-Ways Software Technology team are hugely responsive to feedback and ideas and generally respond to support requests within a day or less (www.winhex.net), and often provide individual replies to specific users who have reported problems.
Once learnt, it is a tool for everyday forensics; more so than most, in fact. Of course, you can also use it for all the in-depth stuff, as everyone knows.
It allows you to get things done quickly and effectively. Yes, there is a learning curve to begin with that exceeds that of most forensic tools, but only due to the immense features and options provided. If you are reading this then you should not be someone who is averse to learning. There is a saying in the Linux community: "When we are children, we look at the pictures. As we grow up, we learn to read". In other words, just because something is a little more difficult to use initially does not mean we should shy away from learning how to use it at all.
I recommend the official training course delivered by X-Ways Software Technology AG, which really enables you to use the tool at its best. Also, Jens Kirschner provides training classes for budding XWF users; he delivered a course to my colleagues and me recently, and we were very satisfied with the standard of training (http://www.jens-training.com/). Other than that, the best way to learn anything is "by doing", so I encourage you all to just keep using XWF, read the manual, and you'll soon be hooked. /

Figure 23. Preparing an XWF Evidence Container
Figure 24. Adding files to an XWF Container

/ Author Bio
Ted Smith has been attached to HM Revenue & Customs, Criminal Investigation Directorate in the United Kingdom as a digital forensics investigator for 9 years. His work entails the examination of digital evidence for a range of subjects from various tax and VAT related frauds to the importation of indecent images and other border offences. He has sat on the committee of 'F3 – The First Forensic Forum' since 2005 and has conducted in-depth studies of Linux cryptographic filesystems whilst conducting postgraduate education at Cranfield University. He is also a freelance photographer (www.tedsmithphotography.com) and, for fun, dabbles in programming. Contact him at [email protected]



/ FEATURE

CRYPTANALYSIS USING
DISTRIBUTED SYSTEMS
A project to create middleware for distributed cryptanalytic applications
by Charmaine Anderson & Stilianos Vidalis

/ INTERMEDIATE

Normally, if you ask a person "what is a password?" all they can tell you is that it is something you need to log into a computer, email account or social networking site. Although passwords are one of the most common phenomena in the computing world, not many people can fully appreciate what they are or why they are needed.
A password is a form of user authentication. Passwords are assigned to a user through a 'unique identifier' (UI), such as a username or email address, and are only associated with that UI. The user inputs the UI and password, the computer or website checks whether the two are associated with each other, and access is allowed or denied accordingly.
Within Windows, the stored form of the password is the NT hash (commonly, if loosely, called the NTLM hash or the SAM hash). This is a hashing scheme created by Microsoft which makes a password 'unreadable'; it is not encryption, as there is no key with which to reverse it. The hashes are stored within the registry in the SAM file (a username and password storage file for every local account on the machine); when a user inputs the password, Windows hashes it and compares the result against what has been stored. Under Linux, password hashes are stored in /etc/shadow (older systems kept them in /etc/passwd itself), the counterpart of the SAM file found in Windows.
There are many password crackers and brute-forcers that have been made available over the years, such as:

• Brutus
• Cain and Abel
• John the Ripper
• L0phtcrack
• RainbowCrack

However, these tools use the processing power of a single node or computer in order to crack the passwords; this can often become time consuming depending upon the strength of the password under scrutiny.
The solution to this is to utilise the parallelism found under the subject area of distributed systems. So far, I have only come across a few tools which utilise this method. An example is Distributed Network Attack (DNA); it was created by AccessData in order to utilise the processing power of many nodes for the purpose of speeding up password and data recovery. After having some trouble managing the parallelism they teamed up with Parabon Computation to merge DNA with Frontier Grid. This product is now used within the United States Department of Defense and various businesses across the country.

/ Cryptanalytic Algorithms
Due to the different types of cryptography available, there are a number of different attack models under which brute-force applications can operate, classified by what the attacker has access to:

• Ciphertext-only
• Known-plaintext
• Chosen-plaintext
• Chosen-ciphertext
• Related-key attack

There is a great variety of attacks that fall under the categories mentioned above; some of the more popular are:

• Differential Cryptanalysis (mathematical)
• Linear Cryptanalysis (mathematical)
• Exhaustive Key Search (trial-and-error)

There is one significant difference that separates hashes from encryption: with encryption it is possible to turn plaintext into ciphertext and back again, whereas once plaintext has been hashed it is not possible to retrieve the original plaintext from the resulting value. Therefore there is no key to recover and no decryption routine to attack; the attack that can be used against a password hash is trial and error, hashing candidate passwords (from a dictionary, a rule set, a precomputed table such as those used by RainbowCrack, or the full character space) and comparing each result with the stored value.
Exhaustive key search is the term used by cryptographers for what is otherwise known as a brute force attack. A simple description of the attack is that it is "a trial and error method of trying every possible combination of characters against the encrypted data in an attempt to discover the key" (Cobb, 2004). However, Ferguson et al. (2010) say that it is used on a "target object"; this is usually the key, but the generalisation leaves it open for other forms of data as well.
It is possible to say that this attack is a simple yet effective method of cryptanalysis that is confirmed successful when "the resulting plaintext is meaningful" (Schneier, 1996); on the other hand, "in practice, a brute-force attack can be more complicated because incorrect keys can give false positive results" (Paar and Pelzl, 2010).



Figure 1. Example password files provided by hackinthebox.org

Paar and Pelzl (2010) also state: "It is important to note that a brute-force attack against symmetric ciphers is always possible in principle. Whether it is feasible in practice depends on the key space ... If testing all the keys on many modern computers takes too much time, the cipher is computationally secure against a brute-force attack."
It is for this reason that Schneier (1996) states that "without special purpose hardware and massively parallel machines, brute-force attacks are significantly harder". Cobb (2004) backs this up with her statement that "in some cases, computers working in parallel can be more powerful than one of the most powerful computers used by the NSA". She also provides the example of the RSA Laboratories RC5 competitions when, in 1997, a 'distributed computing effort' was able to recover the 56-bit key in less than 250 days.

/ Distribution
It is very difficult to define a distributed system; Oxford Dictionaries (2010) use the definition of "a number of independent computers linked by a network". Although this is true, it does not explain the purpose. Professionals and practitioners in the area argue that there is no single universal definition of a distributed system; there are too many grey areas that cause confusion. Instead, it is best to define these through their properties:

• Several independent 'computational entities', each with its own local memory
• Communication is made through message passing
• Tolerance by the system of the failure of individual computers
• The structure of the system may change during the execution of a distributed program, due to the different kinds of computers and network links existing on the system
• Each computer has a limited, incomplete view of the system, and may know only part of the input
• Different elements and objects of a program are run or processed on different computer processors

Distributed systems cover a wide variety of computational networks such as the Internet or more localised computer clusters. There are systems available that connect computers together to work as one, traditionally for scientific or mathematical research that is far too complicated and time consuming for a single machine to calculate in a reasonable amount of time.
Supercomputers can also be found under the title of distributed systems; although a supercomputer sounds like a single machine, it is in fact made of a variety of different components in a cluster. However, this method can be quite expensive, therefore newer methods of distribution and parallelism are being utilised across the globe. Grids and virtualisation are being used in order to reduce procurement and power costs.
Over time, it has become the 'norm' to test crypto-systems using various methods of distributed computing and parallelism. Providing more computational power to solve the various algorithms and equations that are available enables researchers to quickly and efficiently find weaknesses, which in turn allows for the recommendation of new and improved ciphers.

/ Middleware
Using a distributed system to perform the complex calculations works by taking a large task and splitting it into smaller, more manageable tasks for each machine to perform. The results are then relayed back to a server and stored ready for the ultimate task to be completed. Middleware is used in order to manage the smaller tasks and provide a reliable method of message passing between the nodes.
We are designing a multi-server distributed application, which runs in a client-server environment and brute-forces passwords. Brute-force refers to a style that does not include any shortcuts to improve performance, but instead relies on sheer computing power to try all possibilities until the solution to a problem is found. The application, named 'Vrutos', will be designed for implementation within a new Government initiative named 'High Performance Computing Wales', or HPCW, in which 1,400 nodes across Wales will be utilised to create an easily accessible network grid; the aim of which is to provide a high-performance computing infrastructure to education, businesses and a variety of research areas.
Vrutos is making use of a three-tier architecture. Three-tier architecture introduces a middle tier (a "controller") between the client and the server. The controller can provide translation services, metering services, or intelligent controller services (as in mapping a request to a number of different servers, collating the results, and returning a single response to the client).
This three-tier architecture is part of the multi-tier model, which is incredibly useful for flexible and reusable



applications; by breaking an application up into tiers it is possible to modify specific layers as opposed to entire applications. The three-tier architecture that we used for the pilot consists of the following layers:

Presentation
• Providing the user interface
• Communicating with the middle layer

Logic/Data Access
• Authenticating the clients
• Maintaining and managing history and back-up logs
• Maintaining system and data integrity
• Analysing, fragmenting and assigning brute-force requests to nodes

Data
• Consists of database servers
• Information is stored and retrieved
• Improves scalability and performance

/ Experiment
In order to prove this concept, a research cycle was conducted to create the pilot application so that it could be tested against a benchmark. The pilot application was not designed to break passwords, but instead to perform cryptanalysis on a well researched cipher; this ensured that all features of the application were working correctly.

/ Platform
After careful research and consideration it was decided that a Distributed Virtual Machine (DVM) would be used as the platform from which to work; an open source platform known as Parallel Virtual Machine (PVM) was selected.
The terms DVM and PVM can be used interchangeably; some may describe this form of middleware as Distributed Parallel Virtual Machine (DPVM). PVM is a project that aims to create middleware for use in parallel computing; it is designed to "Allow a network of heterogeneous Unix and/or Windows machines to be used as a single distributed parallel processor... The software is very portable; the source code, available free through netlib, has been compiled on everything from laptops to Crays" (ORNL, 2011).
The application can be controlled by the user to add or remove machines within the host pool; single-CPU machines and hardware multiprocessors can be used. The ability to add and remove machines is an important feature of fault tolerance. Applications running in the PVM may view the hardware environment as an "attributeless collection of virtual processing elements", or the environment may be viewed in a way that allows for the selection of appropriate hardware for specific tasks. "The PVM system supports heterogeneity in terms of machines, networks, and applications" (netlib, 2011).
The programming languages that are supported are C, C++ and FORTRAN. New applications can be written using the available PVM libraries, or existing commercial software may be altered in order to support the use of PVM (the aim of which is to utilise the shared resources within the virtual machine).

/ Benchmark
RSA Laboratories held a number of competitions during a ten-year period starting in 1997. There were different cipher messages that each used an RC5 encryption key; the purpose was to find the correct key by deciphering the message. The keys for the ciphers increase in size, which in turn increases the time taken to solve each (Figure 2).

Figure 2. Summary of the RSA Labs RC5 Cipher Competitions

Over the 10 years that the competitions were run, only 4 were completed. Distributed.net is currently still running the 72-bit competition, having completed only 1.527% of the key search by March 2011; the time that this has been running has totalled 3,023 days so far, with an estimated further 31,113 days before completion. The estimated completion is based on the number of keys that need to be examined (4.722 × 10^21, i.e. 2^72) and how many keys are examined per second (2.76 × 10^11); as this is a volunteer distributed computing effort, the number of keys per second varies depending on the number of nodes connected at any one time.

/ Test algorithm
RC5 is a block cipher designed by Ron Rivest in 1994 (RC is sometimes expanded as Rivest's Cipher); it was patented by RSA Laboratories in 1998. It has variable parameters for word size, key size and number of rounds, presented as RC5-w/r/b where w is the word size in bits (not to be confused with the block size, which is 2w), r is the number of rounds and b is the key length in bytes (Schneier, 1996). The number of rounds can range



anywhere from 0 to 255, while the key can be of length 0 to 2040 bits (0 to 255 bytes), and the block size can be 32, 64 or 128 bits (word sizes of 16, 32 or 64 bits).
RSA Laboratories (2010) recommend that a 32-bit block size is used only for experimentation and evaluation, a 64-bit block size as a 'drop-in' replacement for DES, and 128-bit for the best security; they also state that "such built-in variability provides flexibility at all levels of security and efficiency".
RC5 consists of three routines: key expansion, encryption and decryption. Key expansion takes the 'user-provided' secret key and expands it to fill a key table "whose size depends on the number of rounds" (RSA Laboratories, 2010); the table holds 2(r + 1) words. The key table is then used for both encryption and decryption.
Encryption then consists of three different operations: integer addition (modulo 2^w), bitwise XOR (exclusive or), and variable rotation. Schneier (1996) describes rotations as "constant-time operations on most processors", whilst a variable rotation is a "nonlinear function". The rotation amounts depend on both the key and the data, therefore they are known as 'data-dependent'.
RSA Laboratories (2010) state that "the heavy use of data-dependent rotations and the mixture of different operations provide the security of RC5"; they also mention that these data-dependent rotations help to defeat the attacks known as differential cryptanalysis and linear cryptanalysis.

/ Conclusion
A pilot application to brute-force Windows and Linux passwords via distributed computing and parallelism was created. The application would be tested for functionality using a well researched cipher as a benchmark. Research was conducted in order to discover the best tools and methods for an experiment to be carried out. It was decided that the RC5 cipher was to be used, utilising the RSA Labs challenges that were run between 1997 and 2007; the application was created using PVM in C++ in order to use the exhaustive key search method of brute-force. This pilot can then be developed in order to brute-force passwords found in operating systems such as Windows and Linux, for possible use within the HPCW initiative. /

REFERENCES

BIC INNOVATION LTD. 2009. High Performance Computing Wales Memorandum of Information. [WWW] www.bic-innovation.com/knowledge/download/162/
COBB, C. 2004. Cryptography for Dummies. Indianapolis: Wiley Publishing Inc.
DISTRIBUTED.NET. 2011. Node Zero. [WWW] http://www.distributed.net/Main_Page/en
GHOSH, S. 2007. Distributed Systems – An Algorithmic Approach. USA: Chapman & Hall/CRC.
GRIFTER. 2002. SAM Files and NT Password Hashes. [WWW] http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=5721&mode=thread&order=0&thold=0
KOCH, D., KORBER, M. and TEICH, J. 2006. Searching RC5-Keys with Distributed Reconfigurable Computing. Germany.
ORNL. 2010. PVM: Parallel Virtual Machine. [WWW] http://www.csm.ornl.gov/pvm/
PAAR, C. & PELZL, J. 2010. Understanding Cryptography: A Textbook for Students and Practitioners. Germany: Springer.
PARABON COMPUTATION INC. 2011. Distributed Network Attack Enterprise. [WWW] http://www.parabon.com/case-studies/distributed-network-attack-enterprise.html
PERRIN, C. 2007. A little more about passwords. [WWW] http://www.techrepublic.com/blog/security/a-little-more-about-passwords/342
RIVEST, R. 1997. The RC5 Encryption Algorithm. USA: MIT Laboratory for Computer Science.
RSA LABORATORIES. 2000. Frequently Asked Questions about Today's Cryptography, Version 4.1. USA: RSA Security Inc.
SCHNEIER, B. 1996. Applied Cryptography. USA: John Wiley & Sons, Ltd.
SECTOOLS.ORG. 2003. Top 10 Password Crackers. [WWW] http://sectools.org/crackers.html
THEPCSPY. 2005. Passwd Files. [WWW] http://thepcspy.com/read/passwd_files/

/ Author Bios
Charmaine Anderson was born in Harare, Zimbabwe, immigrating to the UK in 1992. She has recently completed a BSc in Forensic Computing from the University of Wales, Newport, class of 2011. After a key academic strength in the subjects of Mathematics and Computing, and receiving a number of recognised mathematical achievements, she has developed a very keen interest in cryptography and aims to pursue a career in the area. She is extremely ambitious, with memberships of MENSA UK, the Institute for Information Security Professionals, the International Association for Cryptologic Research, and the Chartered Institute for IT Professionals (BCS).

Dr Stilianos Vidalis was born in Athens, Greece, and was raised on an island in the Aegean Sea. He moved to Wales in 1995 where he did his undergraduate and postgraduate studies. He received his PhD in Threat Assessment in July 2004 from the University of Glamorgan. He joined the Department of Computing of the University of Wales, Newport in 2006, where he is currently the Head of the Centre for Information Operations. He is the programme leader for the BSc Computer Forensics and BSc Information Security. Dr Vidalis is a member of the BCS South Wales Committee, a member of the E-Crime Wales Steering Group, and a member of the Military Educational Committee of the Welsh OTC. His research interests are in the areas of information operations, digital forensics, threat assessment, and effective computer defence mechanisms. Dr Vidalis is involved in a number of R&D projects with the Welsh Assembly Government, Law Enforcement Agencies, and private companies.



/ FEATURE

DIGITAL ARCHIVING
AND DATA RECOVERY
The challenges facing a computer museum in their attempt to preserve and archive digital data
by Ronnie Smyth

/ ENTRY

During World War II a manor house and associated huts in Buckinghamshire, England was home to the Government Code and Cypher School. This organisation developed into what is more commonly known today as the Government Communications Headquarters (GCHQ). Bletchley Park was the primary decryption centre for intercepted communications from Germany and other Axis countries. The work done here provided vital information for the war effort and saw phenomenal advances in technology, including the creation of Colossus, the first programmable electronic digital computer, designed to crack the German Lorenz cipher.

/ The National Museum of Computing
Important work continues at the Bletchley Park site, which is currently home to The National Museum of Computing. Its mission is to preserve and archive the development of computing from the Colossus computer onwards for future generations to enjoy. The museum is run entirely by volunteers on a shoestring budget, with the aim of getting as many working examples as possible to create an interactive experience rather than a dead box display.
So much can be learnt from the previous experiments in the early days of computing when there were no standards and so many different approaches were taken. It is possible that the next brilliant idea and step forward in computing is lurking in one of these ideas but sadly, at the time, the technology was not available to make it work properly. We are already seeing a flow back to previous ways of thinking with the movement from a standalone PC to working on the cloud. This is only one step away from multiple dumb terminals working from a single central mainframe computer. A further example is the movement towards Solid State Drives, which, like the core memory of the 60's, store data with no moving parts. Without the preservation of these machines it would be impossible to make the comparisons or learn from past experience. Often on the very early machines we come across undocumented hacks that have been developed by the engineers to get a little more out of the limited technologies of the time. This makes it even more important to preserve the original machines rather than just the associated documentation.
The museum starts its history of computing with a rebuild of the very first electronic computer, Colossus. Again, this was the machine that was developed in secrecy to crack the German Lorenz cipher. Next is the Harwell Dekatron computer, or "WITCH" as it became known. This is believed to be the oldest working original computer in the world. It is a machine that was originally designed to process complex maths equations for the physics department at Harwell and works using decimal based Dekatron valves rather than binary. Continuing on, we move into the mainframe era of computing when massive machines would service multiple users at a time. As examples the museum has a working Elliott 803, an ICL 2209 and, currently in the process of being restored, an Elliott 903. Moving on from mainframe computers we move into the personal computing era, starting from the PDP-8 through BBC microcomputers, Amiga, Spectrum, Dragon, Atari and Macintosh. There are also examples of specialist machines designed to assist industry such as the Cray supercomputer, Air Traffic Control, and analogue computers.


All of these machines store data in some way that is important to the heritage of computing and will be lost if we are unable to acquire and archive what is stored on them. The data recovery process for unique machines using non-standardised techniques can cause major problems.

/ The Archiving Process
The archiving process is not too dissimilar to that of forensic acquisition. Ultimately we are attempting to get an exact copy of the media for the purpose of archiving and potentially further research. Occasionally the media that we are working on is the only remaining copy available, and as a result it is imperative that we take the proper precautions to avoid the original being written to or damaged in another way.
Often the media is decaying as a result of aging, and the hardware is not performing as well as it used to. As a result, errors during the acquisition phase are not uncommon and require cataloguing, just as with evidence. A lot of the problems encountered by the museum are caused by the lack of standardisation during the early developing years of computing. With such a wide variety of hardware and media, all utilising different protocols, different methods of storing the data and a variety of different data standards, simply plugging a device into a write blocker is often not an option.

/ Laser Disc Example
As an example of the variety of media that is encountered at the museum, let's take the optical laser disc. This is the bigger brother of the Compact Disc (CD) and is roughly the size of a dinner plate. It is dual sided and holds roughly 200MB of data. Originally intended to work with the BBC microcomputer as part of the "Domesday Project", the disc would be used to display Ordnance Survey (OS) maps, text on areas that have been highlighted, and high quality photos which had been sent in and scanned by the BBC. This was quite literally "Google Maps" in the 1980's! Unfortunately the BBC microcomputers were not capable of displaying the high quality images and, as a work around, the images were piped directly to the monitor. As a result, the laser disc containing the BBC "Domesday Project" has on it both digital data for the computer to process and analogue data for the image on the monitor. For this example, a process needs to be developed that can interact with the specialised BBC laser disc reader and use it to extract both digital and analogue data, converting the analogue data into a digital form that can be archived.

/ Paper Tape Example
Early computer programs were stored on punched paper tape or punch cards. These are literally either special cards or long strips of paper with holes punched into them to create binary sequences for computers (including mechanical computers) to process. With both paper tape and punch cards being used to store both programs and data, it is not as simple as capturing the ones and zeros (holes and paper), because certain sequences had a set meaning for a specific machine and the data being processed wasn't always numerical or text. This means that the context in which the tape or cards were being used is as vitally important as the data itself. In order to capture the data, specialist hardware has been developed which can run through the tapes or cards at low speed, so that the original fragile paper is not damaged. Utilising light sensors to detect the holes in the paper, these can then be stored digitally. This digital data is then catalogued with the contextual data where available.

/ Magnetic Tapes & Disks
Magnetic tapes come in a wide variety of form factors and data types. These have been the main form of backup and archive for a very long time. Unfortunately these multiple form factors mean multiple types of hardware to read the individual tapes, which can be very expensive. Also, due to the nature of the media, they are easily damaged, can become distorted and generally lose their magnetic properties over time.
This makes the recovery of these the highest priority, just as in evidence you acquire the most volatile information first. Luckily the cassette tapes used for home computing were simply being used to store a sound wave, and these can be copied and stored as a sound file as long as the recording is a lossless file type. This makes the preservation of many 80's classics a lot easier.

/ COLOSSUS REBUILD
To celebrate the rebuilding of a functioning Colossus, a challenge was set in 2007 for anyone to try to decode a Lorenz encrypted message. Colossus completed the task in about 3 hours 15 minutes, but Joachim Schueth, using specially written software and a laptop with a 1.4 GHz CPU, completed the job in 46 seconds. As Schueth said: "My laptop digested ciphertext at a speed of 1.2 million characters per second – 240 times faster than Colossus. If you scale the CPU frequency by that factor, you get an equivalent clock of 5.8 MHz for Colossus. That is a remarkable speed for a computer built in 1944. Even 40 years later many computers did not reach that speed. So the Cipher Challenge would have been very much closer had it taken place 20 years ago."
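The archiving process section above makes the point that read errors on decaying media are expected and must be catalogued just as they would be on evidence, and that offsets in the copy must still be true to the original. Here is an added example in Python (my own code; the museum's tooling is not shown in the article) of the imaging loop that does this: each block is retried, a block that never reads is zero-filled so nothing shifts, the bad and retried block numbers go into a catalogue alongside the image, and the finished image is hashed. The flaky "medium" is a constructed in-memory simulation; the block size, retry count and failure pattern are assumptions for the demonstration.

```python
"""Block-by-block acquisition of a decaying medium with an error catalogue.
Added example; the 'medium' is a constructed in-memory simulation."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

BLOCK = 512            # assumed sector size of the medium


class ReadError(IOError):
    """Raised by the reader when a block cannot be delivered."""


@dataclass
class AcquisitionResult:
    image: bytes
    sha256: str
    bad_blocks: List[int]                                  # never read; zero-filled
    retried: Dict[int, int] = field(default_factory=dict)  # block -> attempts it took


def acquire(read_block: Callable[[int], bytes], n_blocks: int,
            retries: int = 3) -> AcquisitionResult:
    """Read n_blocks in order. A block that fails `retries` times is replaced
    by zeros so every later offset stays where it was on the medium, and its
    index is catalogued, as a forensic imager's error log would."""
    out = bytearray()
    bad: List[int] = []
    retried: Dict[int, int] = {}
    for idx in range(n_blocks):
        data = None
        for attempt in range(1, retries + 1):
            try:
                chunk = read_block(idx)
                if len(chunk) != BLOCK:
                    raise ReadError(f"short read at block {idx}")
                data = chunk
                if attempt > 1:
                    retried[idx] = attempt
                break
            except ReadError:
                continue
        if data is None:
            bad.append(idx)
            data = bytes(BLOCK)
        out += data
    image = bytes(out)
    return AcquisitionResult(image, hashlib.sha256(image).hexdigest(), bad, retried)


def make_flaky_medium(n_blocks: int, flaky: Dict[int, int],
                      dead: List[int]) -> Tuple[Callable[[int], bytes], bytes]:
    """Constructed medium: block i holds its index byte repeated. `flaky` maps a
    block to the number of failures before it reads; `dead` blocks never read.
    Returns the reader and the ground-truth contents for verification."""
    truth = b"".join(bytes([i % 256]) * BLOCK for i in range(n_blocks))
    failures_left = dict(flaky)

    def read_block(i: int) -> bytes:
        if i in dead:
            raise ReadError(f"uncorrectable error at block {i}")
        if failures_left.get(i, 0) > 0:
            failures_left[i] -= 1
            raise ReadError(f"transient error at block {i}")
        return truth[i * BLOCK:(i + 1) * BLOCK]

    return read_block, truth


def expected_image(truth: bytes, bad_blocks: List[int]) -> bytes:
    """Ground truth with the catalogued bad blocks zeroed."""
    img = bytearray(truth)
    for i in bad_blocks:
        img[i * BLOCK:(i + 1) * BLOCK] = bytes(BLOCK)
    return bytes(img)


def demo() -> AcquisitionResult:
    """Sixteen blocks; block 3 fails twice, block 9 once, block 12 is dead."""
    read_block, truth = make_flaky_medium(16, flaky={3: 2, 9: 1}, dead=[12])
    result = acquire(read_block, 16, retries=3)
    assert result.image == expected_image(truth, result.bad_blocks)
    return result


if __name__ == "__main__":
    r = demo()
    print("sha256:", r.sha256)
    print("bad blocks:", r.bad_blocks, "retried:", r.retried)
```

The catalogue is as much a part of the archive as the image: a future researcher who finds zeros at block 12 needs to know they are a read failure recorded on a given date, not the content of the original.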



/ Emulation
It is pointless saving all of this digital data if we are not able to view and process the data in the form in which it was originally intended. Whilst every effort is being made to preserve and maintain the ageing hardware, it is inevitable that some machines will simply become inoperable without serious and costly refurbishment. Even this may not be viable in some cases. As a result there is a requirement for the creation of emulators that are capable of processing and running the programs as they were originally intended. These programs need to accept input from whatever format has been used to archive the data and process it in the same way as the original hardware. This is a long-term goal, and the priority should always be to preserve both the machines and the data that we have first.

/ Storage
Once we have managed to extract the data into a format that can be processed by a modern PC, we have to catalogue the information and store the data in a format that will be accessible for many years to come. There is no point in extracting the data if it cannot be used, searched and processed. In the not too distant future there will be historians who want to study computers and the development of computers, and who may well want the original data in the original format for comparisons. The storage problem comes in two parts. Firstly it is important to have a standardised format for archiving. Archiving is a very costly business in terms of both time and the amount of storage. Also the archive must be correctly catalogued to enable recovery from the archive. This archiving format must have the foresight to be almost ever expanding and also take into account the scale of data archiving in the future. Whilst the museum is currently archiving media megabytes in size, it will not be long before the requirement expands to gigabytes and beyond as today's computers become "relics".

/ Tony Sale
Sadly, during the writing of this article the Co-Founder of The National Museum of Computing, Tony Sale, passed away. Born in 1931, Sale was a talented engineer from an early age. Unfortunately he was unable to fund a university education and so chose to join the Royal Air Force. He quickly gained his commission and the rank of Flying Officer and began lecturing on radar. He went on to join Marconi's Research Laboratories in 1952. From 1957 he joined MI5 and ultimately became their Principal Scientific Officer, specialising in communication interception. Throughout the 70s and 80s Sale created several successful software companies as the software industry was in its infancy. It was in 1989 that Sale first became involved in computer restoration when he was employed by the Science Museum. He used his position there and his active role within the British Computer Society to create the Computer Conservation Society. The society's role is to preserve and restore historical computers and software.
In 1991 Sale began the campaign to save the Bletchley Park site that had been earmarked for redevelopment. Recognising the importance of the site in the history of World War II, Sale wanted the story to be saved and told to the nation. In 1993 he embarked on the formidable challenge of rebuilding the classified Colossus computer that was used for the decryption of Lorenz encrypted messages of the German High Command. In 2007 the Colossus was finally completed and became the centrepiece of the Bletchley Park experience. 2007 also saw the opening of the National Museum of Computing based in Bletchley Park, of which Sale was a founding member and trustee. He continued his work with the museum until the end, proudly presenting the Colossus computer to the many tours that visited Bletchley Park and The Museum of Computing. We hope that the museum can continue the fantastic work that was started by this remarkable man.
To help reduce costs, lossless compression is a requirement, and from a cataloguing point of view metadata should be used to store information such as the original hardware format, the file format, and a cryptographic hash of the original data, so that a later read-back can prove the archived copy is still bit-for-bit what was extracted.
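As an added example (written for this edit, not the museum's own tooling and not code from the article), the following Python builds the kind of manifest just described and then performs the periodic read-back that turns the stored hash into a fixity check. It creates a small constructed archive in a temporary directory (fake bytes standing in for a cassette rip and a floppy image), records hardware format, file format, size and SHA-256 per object, verifies the archive, flips one bit in the disk image to simulate degraded media, and verifies again. The field names in the manifest and the `descriptors` input are this example's own choices.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte disk image need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(archive_dir: Path, descriptors: Dict[str, Dict[str, str]]) -> dict:
    """One entry per archived object: provenance metadata plus size and SHA-256.

    `descriptors` maps a path relative to archive_dir to the original hardware
    format and the file format chosen for the archive copy (example field names)."""
    entries = []
    for rel_path, meta in sorted(descriptors.items()):
        path = archive_dir / rel_path
        entries.append({
            "path": rel_path,
            "hardware_format": meta["hardware_format"],
            "file_format": meta["file_format"],
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "archived": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
    return {"manifest_version": 1, "entries": entries}


def verify_manifest(archive_dir: Path, manifest: dict) -> Dict[str, str]:
    """The periodic read-back: re-hash every object and compare with the manifest.

    Size is checked first because it is cheap; a hash mismatch with the size
    intact is the signature of silent degradation rather than truncation."""
    status = {}
    for entry in manifest["entries"]:
        path = archive_dir / entry["path"]
        if not path.exists():
            status[entry["path"]] = "missing"
        elif path.stat().st_size != entry["size"]:
            status[entry["path"]] = "size-mismatch"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["path"]] = "hash-mismatch"
        else:
            status[entry["path"]] = "ok"
    return status


def demo() -> Tuple[Dict[str, str], Dict[str, str], dict]:
    """Constructed sample archive: fake bytes stand in for a cassette rip and a floppy image."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        (archive / "game.wav").write_bytes(b"RIFF" + bytes(range(256)) * 4)
        (archive / "disk.img").write_bytes(b"\xeb\x3c\x90" + b"\x00" * 509)
        descriptors = {
            "game.wav": {"hardware_format": "compact cassette", "file_format": "WAV PCM (lossless)"},
            "disk.img": {"hardware_format": "5.25in floppy", "file_format": "raw sector image"},
        }
        manifest = build_manifest(archive, descriptors)
        manifest_json = json.dumps(manifest, indent=2)  # store this beside the media
        before = verify_manifest(archive, manifest)
        # Simulate media degradation: one flipped bit inside the disk image.
        img = archive / "disk.img"
        data = bytearray(img.read_bytes())
        data[100] ^= 0x01
        img.write_bytes(data)
        after = verify_manifest(archive, manifest)
        return before, after, json.loads(manifest_json)


if __name__ == "__main__":
    ok, damaged, _ = demo()
    print("fresh archive:", ok)
    print("after bit flip:", damaged)
```

The manifest itself should be stored separately from the media it describes (and ideally hashed or signed in turn); a maintenance cycle that re-writes the data onto fresh media can run `verify_manifest` before and after the copy so that a drive which is failing is caught rather than propagated.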
The second issue with the archiving and storage of data is the media that is used to hold the archives. A large amount of time is spent by the museum attempting to access data from media that has degraded over time, utilising hardware that is not performing as well as it used to. There is little to suggest that today's archiving media will not suffer the same fate. The aim of the archive is to preserve the data for future generations, and so something that will fail in 50 years' time is not acceptable. In an ideal world a medium would be found that simply does not degrade and is cost effective. As an alternative it might be the case that a medium is used that requires periodic maintenance to ensure good data retention. For example, I would not trust a hard disk that had simply been placed in storage for 50 years not to seize up or drift out of alignment. However, if the hard disk was powered up periodically and a read and re-write was performed, then I would have faith in the medium, and any failing devices could be cycled out. Ultimately, as part of the maintenance schedule, the data could be moved on to larger and better backup systems.
A further advantage of a hard disk is its modular design. If the main PCB fails it is possible to replace it with another working PCB. If the heads fail it is possible to replace those, or alternatively, if it is found that there is a greater problem, then the platter could be removed. At all stages the data has a reasonable chance of being recovered should the worst happen, thus preserving the data for future generations.

/ ENIGMA
Colossus is often misquoted as being used to crack the Enigma code. Whilst the Enigma code was being cracked at Bletchley Park using the Bombe machines, Colossus was being used to crack the much more difficult Lorenz code. The Enigma was based on a three-wheel rotation. After every key stroke the first wheel would rotate a single step. Once in every 26 steps of the first wheel it would engage with the second wheel and the second wheel would rotate. The third wheel had the same mechanism with the second wheel. In the later years of the war the German navy used an Enigma machine with four wheels. With every rotation it would change the pathway through the machine and therefore the output letter. The Lorenz cipher worked on a similar principle but with an encryption machine of 12 wheels, making it far more difficult to crack.

/ Copyright
Copyright laws have posed a problem for the archiving of digital material for a very long time. This is especially so in the museum, where we are attempting to archive the programs rather than the data. The current copyright law is based upon the law that has been applied to written works and in some cases musical copyright. This has never really suited the requirements of digital media and has been very restrictive. Further complications arise as to who owns the copyright. With software companies being acquired all of the time and many software companies going bankrupt, it is almost impossible to trace the ownership of the code. Luckily this has been recognised in parliament and new legislation is being proposed to exempt museums from copyright liabilities for the purpose of archiving.

/ Archiving Evidence
Whilst this article has focused on the current difficulties faced in digitally recovering and archiving data from old machines, there is a direct implication for the ways in which the industry stores its digital evidence. It isn't unforeseeable that in the future we may be required to reinvestigate computer evidence from more than 30 years ago, just as today cases are reinvestigated due to new evidence or new processing techniques. Within this time the standards for backups may have changed multiple times and the backup media may have degraded. With the higher assurance required of evidential integrity, we might find that the backup media that are currently in use are not suitable for long-term storage. There is a requirement for an archiving standard to provide future proofing. This archiving standard should allow for easy emulation and lossless compression. There is also a requirement for a tested and trusted medium on which the backups should be stored. This medium should be easy to interact with, have well defined standards, be easily maintainable if maintenance is required, and have a modular approach to assist in data recovery should it be required.

/ Conclusion
As you have seen, there are many challenges being faced in the archiving and preservation of digital media. Whilst many of these issues have been resolved through standardisation of hardware, key questions still remain about how best to preserve and archive digital material. This has an impact on digital investigations that are expected to preserve and store digital data in evidentially sound conditions for extended periods of time. These questions require answers now to avoid serious problems in the future. /

/ Author Bio
Ronnie graduated from De Montfort University with a First Class Honours in Forensic Computing. During that time he also worked for CY4OR as a Forensic Computing Technician. He is currently a research student at the Centre of Secure Computing within De Montfort University working towards a PhD. He is also a member of the Royal Corps of Signals where he is involved in transmitting encrypted data for UK Operations. In his spare time he is a volunteer at The National Museum of Computing.

/ NEXT ISSUE

COMING SOON…
A Roundup of Features and Articles for Issue 10

The next issue is focussing on mobile phone forensics. The release of many operating systems and the almost weekly release of new variants, coupled with the ever expanding capabilities of the mobile device, make the field of mobile phone forensics more and more exciting. Here's what's coming in Issue 10:

/ Investigating the iPhone 4S
Sean Morrissey looks at the iPhone 4S and at what is in store for those who are tasked with investigating these devices.

/ Challenges in Obtaining Information from Mobile Devices for Criminal Investigations
In this feature article David Bennett looks at dealing with the various types of mobile devices that have large storage capacities and the challenges for forensics experts in gathering information from the devices for use in criminal investigations. The paper describes various forensics tools, legal challenges for the forensics examiner such as the Fourth Amendment, and chain of custody issues that a forensics expert could endure while gathering information from mobile devices.

/ Advanced Forensic Analysis on Windows Mobile Systems
Raffaele Olivieri takes a look at how in the last few years the market for hand-held devices has experienced explosive commercial growth. As a consequence, their use in criminal activities has also grown. The forensic investigation techniques applied to phone devices have, therefore, become an important aid to law enforcement. In this paper, we adopt a newly introduced technique based on RAPI Tools to extract information from the system registries and the databases of a Windows Mobile based smartphone.

/ Chip-Off Forensics
This article is about the practice of forensic investigations when chips have been removed from the circuit boards; the investigation then becomes a complex and technically challenging one. Some of the following areas will be covered: what it is, how you do it, problems encountered and solutions found.

/ Security Testing in Real Time Systems
This feature article by Peter Wood is all about the perils and pitfalls of security testing in Real Time Systems. Using case studies, Peter identifies what can go wrong if security testing is not carried out correctly.

PLUS
All of our usual features: Apple Autopsy, 360, IRQ, Robservations and Legal news & alerts.

NEXT ISSUE PUBLISHED FEBRUARY 2012
Note: DFMag may change the planned content of future issues without notice.

/ FEATURE

SIFTER10
PROBES
A successful new approach to building
Deep Packet Inspection devices on
High-speed networks
by Mark Osborne

/ ADVANCED

This article describes the current strategies for performing Deep Packet Inspection functions for security and network management on high-speed networks, and illustrates the significant drawbacks of these methods. The paper introduces CyberSifts' HANAC architecture and the patented massively parallel search technology, Dynamic Parallel Inspection.
You don't need to be a technologist to realise that network usage is escalating rapidly. Smart phones, mobile broadband, WiFi and high-speed, even fibre-optic, broadband in every home are the cause of this network phenomenon. This massive demand for cheap network capacity has caused a technology convergence away from expensive legacy technology, so that most large backbone networks within network providers, telecoms companies or large corporates and utilities use TCP/IP on high-speed 10 Gigabit Ethernet (10GbE).
However, as these technologies have become more ubiquitous, so has their abuse, whether from malware, spam and phishing, DDoS attacks, terrorism or copyright infringement. In the last year or so there has been an increasing volume of regulation in both the US and Europe encouraging network providers to counter these threats to the network economy.
But many practitioners are finding that at the higher network speeds of 10Gb/s, 40Gb/s or even 100Gb/s, the traditional PC server based spam/AV UTM appliances, web filters and IDS simply can't keep up; they are just too slow.

/ The problem
How can this be when 10Gb/s routing and switching hardware is so plentiful and cheap? The answer is the same old story for IP based networking: it is easier to send (or route) a packet in the IP/Ethernet world than it is to secure it. Correspondingly, the devices doing this security work need a lot more muscle.
Most of the security tasks described above, like spam protection or intrusion monitoring, require Deep Packet Inspection technology. Fundamentally, this means processing every byte of the transmitted packet and comparing it against a database of a thousand or more attack signatures, whilst a router typically only has to look up the four bytes of the packet's destination address in a much smaller routing table.

Typically, PC based software security products like web filters or IPS work at speeds of up to 1Gb/s. After this point the supervising operating system uses a massive amount of resource simply moving data packets from the NIC into memory where the application can process them. Yet the sad truth is that the majority of these "costly packets" are of no interest to the application. In fact, it is highly likely that the first act of the system will be to read the packet and then immediately reject it. For example, if our application is a simple web filter, it will only need to process HTTP GET requests on TCP port 80. On an average 10Gb/s link, over 90% of the packets will be outside this population. Unfortunately, our application has to sort through this majority of uninteresting packets sequentially to find the packets that meet its processing needs. In doing this at 10Gb/s, the typical operating system and application collectively will drop the majority of the packets.
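To make the "reject most of it first" point concrete, here is an added example in Python, written for this edit and not code from the article or from CyberSift. It builds ten constructed Ethernet/IPv4 frames (ARP, DNS, NTP, SSH, two TLS segments, a bare port-80 ACK, a POST, a continuation segment and one GET), parses each down to the TCP or UDP payload, and applies the web filter's population rule: TCP to port 80 whose payload starts an HTTP GET. The frame builder, the sample traffic and the `is_http_get` rule are this example's own constructions, and the sample was built so that exactly one frame in ten survives, matching the 90% figure in the text; the parser goes slightly beyond the text by handling UDP as well as TCP so the same pre-qualifier could serve a DNS rule.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(ethertype: int = ETH_P_IP, proto: int = IPPROTO_TCP,
                src: str = "10.0.0.1", dst: str = "10.0.0.2",
                sport: int = 40000, dport: int = 80, payload: bytes = b"") -> bytes:
    """Assemble a synthetic Ethernet II frame. Checksums stay zero because these
    frames are only parsed in memory, never transmitted."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)
    if ethertype != ETH_P_IP:
        return eth + payload            # e.g. an ARP body: rejected at layer 2
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + l4 + payload


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Walk layer 2 -> 3 -> 4 and return the 5-tuple plus payload, or None for
    anything that is not IPv4 carrying TCP or UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4          # TCP header length in bytes
        return Packet(proto, src, dst, sport, dport, l4[doff:])
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet(proto, src, dst, sport, dport, l4[8:])
    return None


def is_http_get(frame: bytes) -> bool:
    """The web filter's population: TCP to port 80 whose payload begins an HTTP GET.
    A port-80 ACK with no data, or a POST, is rejected just like ARP or DNS."""
    pkt = parse_frame(frame)
    return (pkt is not None and pkt.proto == IPPROTO_TCP
            and pkt.dport == 80 and pkt.payload.startswith(b"GET "))


def prequalify(frames: List[bytes], wanted: Callable[[bytes], bool]) -> Tuple[List[bytes], float]:
    """Return the frames the application needs and the fraction discarded up front."""
    selected = [f for f in frames if wanted(f)]
    return selected, 1.0 - len(selected) / len(frames)


# Constructed sample traffic (not a capture): one HTTP GET among nine other frames.
SAMPLE_FRAMES = [
    build_frame(ethertype=ETH_P_ARP, payload=b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    build_frame(proto=IPPROTO_UDP, dport=53, payload=b"\x12\x34\x01\x00\x00\x01"),
    build_frame(proto=IPPROTO_UDP, dport=123, payload=b"\x1b" + b"\x00" * 47),
    build_frame(dport=22, payload=b"SSH-2.0-OpenSSH_5.9\r\n"),
    build_frame(dport=443, payload=b"\x16\x03\x01\x00\x2f"),
    build_frame(dport=443, payload=b"\x17\x03\x01\x00\x40"),
    build_frame(dport=80, payload=b""),                                   # pure ACK
    build_frame(dport=80, payload=b"POST /login HTTP/1.1\r\n"),
    build_frame(dport=80, payload=b"ie; q=0.5\r\n\r\n"),                 # continuation
    build_frame(dport=80, payload=b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
]


def demo() -> Tuple[int, float]:
    selected, dropped = prequalify(SAMPLE_FRAMES, is_http_get)
    return len(selected), dropped


if __name__ == "__main__":
    kept, dropped = demo()
    print(f"kept {kept} of {len(SAMPLE_FRAMES)} frames; {dropped:.0%} discarded before the application")
```

Note that the rule cannot be satisfied from the headers alone: the port-80 ACK and the POST have the right 5-tuple and are only rejected once the payload is examined, which is why the article describes the selection as layer 2-7 inspection rather than a port filter.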

/ Strategies for 10Gb/s or 40Gb/s
To overcome this problem, vendors usually adopt one of two strategies:

• A Total Hardware solution;
• Use an Enhanced Network card.

/ The Total Hardware solution
The Total Hardware solution can often cope with the speed and volume of the traffic. Many vendors have developed hardware-based solutions to a number of security and management issues in the 10GbE or 40GbE space. Their disadvantage is that they tend to be very expensive, as each of them is based on a bespoke, unique ASIC architecture, and because of the burnt-in nature of this type of device they are hard to change. This makes them unsympathetic to modern applications, as protocols and their exploitation (benevolent or malevolent) generate a fast-moving environment.
This type of solution is effective but unattractive; it holds no utility advantage, as it is a "one box, one function" solution. Any CTO that invests in a security solution of this type is unlikely to be rewarded with better usage information (for example) as a by-product.

/ Enhanced Network cards
Alternatively, several vendors push a 10GbE enhanced network card. These cards are highly advanced, using a variety of techniques such as polling and zero-copy drivers, multi-channel PCI interfaces, multiple DMA buffers and interface colouring. However, their main objective is to move as many packets from the wire into memory as possible. These can overcome, in the short term, many of the problems of operating at high speed.
Basically, these cards help the PC server cope with the volume of traffic by shifting different traffic types to a number of distinct virtual network interfaces. As shown in Figure 1, different processes can then be presented packets at a rate their programs can handle. However, over any period of time the task of balancing traffic between these different interfaces and programs makes it clumsy and unmanageable.

Figure 1. Interface Colouring as a solution

Over the last few years a more successful hybrid approach has been developed where packets can be blocked or forwarded completely within hardware. In other cases, where there is a need for sophisticated server based analysis software, our hardware reduces computational load either by passing only the selected packets to the application (based on layer 2-7 DPI) or by sharing the computational load by producing traffic metrics and counts on behalf of the application. In this way a platform has been developed that offers complex hardware functions to an application, in the same way the Unix kernel offers services to any application.

/ HANAC
The Sifter10 range of probes are advanced appliances combining powerful server technology, state of the art software and revolutionary Hardware Assisted Network Application Co-operation (HANAC) support. HANAC provides full Deep Packet Inspection (layer 2-7) plus packet filtering, counting/classification and redirection in hardware at full line rate with extremely low latency, before any resource on the server platform is utilised.
Using this approach the probes break the paradigm of serialisation and allow bespoke packet-processing hardware to run in parallel with complex Intel CPU based applications. This can extend the useful life of your software assets or allow you to develop flexible Linux packet applications without the need to develop special hardware.

/ The N-tier Architecture
Most network security and network control applications are extremely parallel in their nature. For example, URL filters which check a packet for a specified URL against a blacklist of thousands, or a spam filter which examines an email against a list of thousands of blocked addresses. None of these tasks need to be done in a serial manner (or split into only one or two concurrent tasks); this has been forced upon us because of the way most general-purpose computers function. It works because general-purpose computers are relatively fast, but with the emergence of faster networks the relative speed advantage of general-purpose computers has been eroded. It would be much better if the comparison work were distributed simultaneously amongst numerous simple processors.
This is known as a Multiple Instruction Single Data (MISD) computational model. Using this paradigm, one data record is shared amongst multiple computational units, each executing different instructions on the same data. The HANAC architecture uses this model with a patented inspection process called Dynamic Parallel Inspection. This massively parallel processing technique splits data packets into 1024-bit units and distributes them to multiple separate processors. Thus a large number (thousands) of simple execution units share the data and concurrently implement different packet matching operations.
In Figure 2, the data stream is concurrently presented to a number of execution units (Rule 1, Rule 2, through Rule n). Each unit is responsible for independently performing wire-speed packet processing and outputting a number of signals.

Figure 2. Data Stream Processing

Each of the inspection rules, which are embedded in the execution units, can be changed dynamically. As new needs emerge, new rules can be written and pushed into the units. This can be done online, on the fly, or offline. In fact, these rules can be changed in a production system and are applied in less than 1/1000th of a second. During the application of new rules the system will maintain all state and continue to apply all existing rules without interruption.
By splitting analysis rules into many discrete engines that can run on the same data in parallel, and by embedding these rules in the gates of an FPGA, we can achieve inspection throughputs of 14.88 million packets per second, which is the full line rate of 10 Gigabit Ethernet at the minimum 64-byte frame size.
By using true hardware separation from the action engines, there is isolation between action processing and signature inspection logic performance. This leads to identical performance, identical throughput and identical latency with any traffic load, and under full use of the system's analysis policies.
The probes can also track state for each flow through the use of an external memory table. This memory table provides very high performance state memory management to handle up to 300,000 new flows per second (10x better than traditional firewalls) and up to 8 million concurrent stateful flows.
The power of HANAC's processing capability makes it a flexible and utility platform, with a number of deployment strategies that can be used individually for simplicity or combined for sophisticated, near intelligent applications.

/ Deployment
The probe can be deployed in three topologies:

• Static in-line
• Passive monitoring
• Advanced Co-operative processing

/ Static in-line deployment
In this scenario, users deploy the technology mainly as an alternative to a hardware appliance, where the primary requirement is for speed, the filtering functions can be specified in a static rule set and there is no need for interaction with software on the host.
Figure 3. Layer 1 active bridge processing

The physical network interfaces (PHY) on the Sifter10 range are provided in the form of two full duplex 10 Gigabit pluggable XFP "sensing" modules. As shown in Figure 3, data signals received from one PHY are directly transmitted to the other PHY unchanged, creating a Layer 1 bridge with latency of less than 1 μs. An FPGA "forwarding engine" controls this process and can block any packet based on the signature patterns.
When configured in this way the probe is a "stealth mode" device, implemented entirely at OSI layer 1. There is no MAC address, nor any need for layer 2/3 topology changes, making implementation simple and detection practically unlikely.
As the device is implemented as a bump-in-the-wire, the card has been designed to withstand host failure; for example, traffic forwarding will continue in the event of a hard drive failure or operating system panic. However, given the modern day requirement for five nines (99.999%) availability, we have developed implementation scenarios that take advantage of Linux clustering technology to provide uninterrupted service.

/ Passive monitoring
The features of HANAC are impressive, but they have been implemented in Linux as a normal network driver. This means that you don't need to learn a whole book of commands to use it; the standard ifconfig that is used for a normal Ethernet card works just fine. (Note: there is also a full set of web and GUI based management tools for those that don't like the command line.)
Also, because the hardware appears as a NIC and uses standard driver module conventions, we don't require a special version of the network capture library (libpcap) and we have no unusual restrictions on its usage or serialisation. This means the probes can run virtually any popular proprietary, Linux or open-source network application at these much faster speeds. The bottom line: you can use free/cheaper/better tools on your carrier class networks.
For example, everyone's favourite open-source software IDS, Snort, is designed primarily for enterprise networks and is a typical example of a high quality monitoring application. Normally it can monitor a few hundred megabits of traffic with a standard NIC [1]. Using HANAC's pre-emptive selection technique, Snort can monitor a full 10Gb/s of traffic without modification or the need for clumsy load balancing across the interfaces.

Figure 4. Snort Benefiting from Our Technology

Figure 4 shows attack detection by Snort under increasingly higher loads. Notice that without HANAC, as the traffic rate increases beyond a few hundred Mb/s, Snort loses more and more attacks, quickly becoming ineffective. HANAC insulates Snort's performance from extremely high traffic loads.
This isn't magic; it is because HANAC is using full layer 2-7 deep packet inspection to pre-emptively select a population of packets, or pre-qualify packets, that Snort will be interested in. The other packets that are of no interest are not captured. This keeps the effective data rate at the operating system much lower, and is shown in Figure 5.

Figure 5. Snort Benefiting from Our Technology

Without HANAC, the effective bit rate measured at the Linux interface is about 3.5Gb/s, because some packets have already been lost by the operating system and the hardware. With HANAC the interface only receives the pre-selected packets, which in this case produce a traffic rate below 200Mb/s, well within the safe operating range of most software applications.

/ Co-operative processing
In addition to extending the lifetime of your existing software assets, the Sifter10 has a powerful programming API so that advanced server software can task the hardware to collect network metadata or programmatically modify access-lists to block/forward particular types of traffic.
This cooperative model is exceptionally powerful, as it lets traditional software development technology be used to develop high-speed, real-time network control applications. Until now, these types of applications had to be developed in hardware or relied on indirect/inaccurate sampling techniques.

As an example, network analysis and reporting software which detects resource abuse can be coded with one API call to detect the top-n subnets sending traffic on a particular link. Using another call to the API, the software can set an access-list to capture all traffic from that subnet for analysis purposes. A third call could be used to block that traffic while the server application analyses it and forwards it on another regular Ethernet interface. Examples of these programming techniques are freely available for download.
Using these techniques, developing your own version of NTOP would be a few hundred lines of code.
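As an added illustration of that three-call workflow (written for this edit; not code from the article and not the Sifter10 API itself, whose call names the article does not give), here is a Python sketch of the server-side logic once the hardware has handed back per-flow metadata. The flow records are constructed and use RFC 5737 documentation addresses, the `AccessList` class is a stand-in for the probe's access-list, and the first-match-wins ordering with a default of forward is an assumption of this example.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed flow records (src, dst, bytes) standing in for the metadata the
# probe would return. RFC 5737 documentation ranges, not real hosts.
FLOW_RECORDS = [
    ("192.0.2.10", "198.51.100.5", 120_000),
    ("192.0.2.11", "198.51.100.5", 95_000),
    ("192.0.2.12", "203.0.113.7", 410_000),
    ("198.51.100.20", "192.0.2.10", 60_000),
    ("198.51.100.21", "203.0.113.9", 45_000),
    ("203.0.113.30", "192.0.2.10", 8_000),
    ("203.0.113.31", "198.51.100.5", 2_500),
]


def subnet24(addr: str) -> str:
    """Map a host address onto its /24, the granularity used for top-n reporting here."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def top_n_subnets(records, n: int = 2) -> List[Tuple[str, int]]:
    """Call one: aggregate bytes by source /24 and return the n heaviest senders."""
    totals: Counter = Counter()
    for src, _dst, nbytes in records:
        totals[subnet24(src)] += nbytes
    return totals.most_common(n)


@dataclass
class AccessList:
    """Ordered (network, action) entries; newest entry first, first match wins,
    default action is forward. Stand-in for the probe's hardware access-list."""
    entries: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def add(self, cidr: str, action: str) -> None:
        if action not in ("forward", "capture", "block"):
            raise ValueError(f"unknown action {action!r}")
        self.entries.insert(0, (ipaddress.ip_network(cidr), action))

    def decide(self, src: str) -> str:
        ip = ipaddress.ip_address(src)
        for net, action in self.entries:
            if ip in net:
                return action
        return "forward"


def apply_policy(records, acl: AccessList) -> Dict[str, int]:
    """Classify every record through the ACL and total the bytes per action."""
    summary: Dict[str, int] = defaultdict(int)
    for src, _dst, nbytes in records:
        summary[acl.decide(src)] += nbytes
    return dict(summary)


def demo():
    # Call one: who is the top talker on this link?
    (abuser, _), = top_n_subnets(FLOW_RECORDS, n=1)
    acl = AccessList()
    # Call two: capture everything from that subnet for analysis ...
    acl.add(abuser, "capture")
    captured = apply_policy(FLOW_RECORDS, acl)
    # Call three: ... then block it while the analysis runs. The newer entry
    # shadows the older one, so no removal step is needed.
    acl.add(abuser, "block")
    blocked = apply_policy(FLOW_RECORDS, acl)
    return abuser, captured, blocked


if __name__ == "__main__":
    who, cap, blk = demo()
    print("top talker:", who)
    print("capture policy:", cap)
    print("block policy:", blk)
```

The aggregation runs over metadata rather than packets, which is the point of the co-operative model: the host never touches the 625 kB of offending traffic until it has decided it wants to, and the block decision is expressed as a change to the access-list rather than as per-packet work.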

/ Packaging
As briefly mentioned above, the Sifter10 comes as a Linux platform. It has web based and GUI based rule management software. This means that straight out of the box it can be deployed as a passive monitoring Snort IDS on a high-speed 10GbE network.
The appliance can also be used to monitor up to about ten 1Gb/s LAN segments using a hierarchy of aggregation switches [2]. Also straight out of the box, the unit can be used as a hardware version of in-line Snort. If uptime is a particular concern, high availability and cluster options are available. For event management, the system is fully integrated with Sguil. As an alternative, many customers prefer the web-based software BASE.

/ Conclusion
More and more security and network professionals are using utility hardware in conjunction with standard PC tools to solve complex problems in a parallel manner, but also in a cost effective manner. CUDA, the use of graphics card hardware for general-purpose computation, is another example of this.
The Sifter10 is the first product that is designed to enhance PC software with hardware assisted massively parallel packet inspection processing. It offers the discriminating user:

• The possibility to extend the life of software assets, or to allow software vendors to launch their enterprise products into the backbone market;
• The ability to implement high speed filtering and management;
• The ability to deploy advanced value added features into your network, reducing churn and increasing competitive advantage.

These opportunities allow a level of visibility into networks not previously feasible or affordable; an attractive proposition to those with 10GbE backbones. /
REFERENCES
[1] Kerry Cox and Christopher Gerg, Managing Security with Snort and IDS Tools. O'Reilly, 2004, pp. 226-227
[2] Mark Osborne, How to Cheat at Managing Information Security. Syngress, 2006, pp. 212-213

ACKNOWLEDGMENTS
I would like to thank Livio Ricciulli and Ajoy Aswadhati for their sizable contribution to this paper.

/ Author Bio
Mark Osborne ran the KPMG security practice for many years (1993-2003). He has published several zero-day security vulnerabilities (e.g. Fatajack), and has also been an expert witness in the "cash-for-rides" case. Mark has designed the popular open-source wireless IDS/IPS (WIDZ), as well as the largest Cyber Security System in Europe. He is the author of "How To Cheat at Managing Information Security", which reached the Amazon.com Top-500.

/ GET INVOLVED

/ Authors
As we continue to strive to bring you the latest happenings in the world of digital forensics, we are on the look out for anyone who has a story to tell or something to share that would benefit the wider profession.
If you are…

• researching a particular aspect of digital forensics
• have developed a new tool that you would like to share
• been involved in a case that has raised specific issues

…then we want to hear from you.
If you have already written an article that has not been published, or even one that has been published with a limited distribution, and you would like a wider audience, we are happy to discuss its suitability for any of our publications:

• Magazine
• Web White Paper
• Newsletter

/ Bloggers
If you want a slightly less formal outlet than the web site or magazine, but still have something to say, we still want to hear from you for the DFM Blog and/or newsletter, if you:

• have an opinion on a recent news item
• have a short story to impart
• need an outlet for your frustration

We are looking to identify a number of you who would like to be regular contributors to the Blog or maybe provide less formal articles for the newsletters.

/ Technical Tools/Application Developers
Have you created a tool or application that you would like to share with others? If so, then contact us immediately.
Many practitioners develop their own tools and applications to deal with specific situations that arise. Rest assured that you would not be the only one who will meet that situation. So if you are prepared to share your tools with others, we have established a tools download section on the DFM website.
All tools will come with the normal safety warnings regarding their use, and using our outlet will get you feedback from your peers.

/ Technical Reviewers
Do you have the time and ability to technically review an article or tool/application? Then we want to hear from you.
At DFM we are always on the look out for people who are willing to carry out technical reviews of articles or tools/applications. We already have a waiting list of vendors who would like us to provide a technical review of their products; if you would like to join our team of technical reviewers, then contact us now.
Technical reviews will be published on the website and on occasion in the magazine, with the review fully attributed to the reviewers, if they so wish. You must not be a competitor or employee of the vendor who is supplying the technology for review, and you must have the skills and facilities to carry out any review. This is ideal for universities or those who have access to labs or those who have their own lab.

/ DO YOU WANT TO GET INVOLVED?
If you would like to get involved in any way, then drop us a line or send an email to [email protected] providing a short biography and what aspect of DFM you would like to get involved with. We will then send you further details on how to proceed, in the area you have chosen.

Join the virtual team here at DFM and "Get Involved"

Roy Isbell MSc IEng FIET FBCS CITP
Acquisitions Editor
Digital Forensics Magazine
Visit www.digitalforensicsmagazine.com
Supporting the Professional Computer Security Industry

Digital Forensics Magazine bridges the gap between the researcher and the practitioner… It is a well-known fact that some of the best learning comes from "on the job" experiences

73

DF9_73_Get Involved.indd 73 20/10/2011 17:37


Digital Forensics Magazine

BACK ISSUES

Issue 5, November 2010
/ The Ideal DF Course
/ Training in Law Enforcement
/ DFM Training Survey Results
/ Mac Forensics Training
/ Ethics in Computer Forensics
/ Certifications and their Role
/ Criminal Profiling
/ Effectiveness of Public Domain Anti-Forensics Tools
/ Steganography Application
/ Artifact Detection

Issue 6, February 2011
/ Imaging Tool Performance
/ Netflow Forensics
/ Cyber Security Situational Awareness
/ WiFi Forensics
/ WARPS – a Framework for Timely Information
/ Mac OS X Network Primer
/ Criminal Profiling

Issue 7, May 2011
/ Genetic algorithms & digital forensics
/ Commercial grade spyware
/ Cell site analysis
/ Imaging a MacBook Air
/ Advanced cyber probes
/ Cellebrite pa v2

Issue 8, August 2011
/ Latent Semantic Indexing
/ E-discovery tools
/ Image processing
/ Hacking the Cloud
/ Digital forensics in Sri Lanka

ORDER ONLINE
www.digitalforensicsmagazine.com

DF9_74_Back Issues Ad.indd 74 12/10/2011 18:38


HANRATTY REVISITED
What should the legal system do if the forensic evidence contradicts the bulk of other evidence?
by Rob Harriman

/ ENTRY

As a digital forensics practitioner you ‘accept’ the evidence presented to you by your tools; as they say, “data cannot lie”, as long as your methodology adheres to scientific principles, that is. Practising in the US you will observe the ‘Daubert Principles’ [Daubert v. Merrell Dow Pharmaceuticals] so that yours will not be junk science testimony based on idiosyncratic, invalid, or unreliable science. Practising in the UK it may be that your concern is with the weight of the evidence rather than the methodology you have employed. Wherever your location, you are properly qualified so that the court can have faith in the evidence you present, and for all those qualifications you are aware that ‘facts’ in the courtroom are rarely black or white. Like Houdini, you extricate yourself with integrity from the intentions of lawyers with axes to grind, while simultaneously explicating science and technology beyond the normal understanding of jury, judge and learned lawyer. Yours it is to capture truth in a kernel and with forensics to focus the court upon it. The task is Herculean; the wages of failure are hopes and reputations lost, perchance life too. So it was, not all that long ago in the United Kingdom, that the directed gaze of the court extinguished the life of James Hanratty.

This discussion is not about digital forensics directly but focuses on DNA forensics. Nevertheless I hope you will find it relevant and thought provoking. The way that evidence is collected, analysed and reported may have a serious impact on the life and liberty of individuals, and as such deserves all the care and attention we can muster, and the avoidance of certainty where uncertainty exists.

I came upon the case of R v. Hanratty in 2007 when researching for an Honours degree in Forensic Computing. The research remit was crime scene protocols and R v. Hanratty seemed to provide fertile ground. In this particular case it appears that, due to the intent of the court to focus on one particular aspect of the forensic evidence presented to it, other highly relevant and potentially critical decision-altering information was missed. I shall leave it to you to decide if the decision of the Appeal Court was correct.

Hanratty’s execution in 1962 elicited from the outset claims of a miscarriage of justice. Finally the Criminal Cases Review Commission (CCRC) in 2002 referred the evidence to the Court of Appeal. The Forensic Science Service (FSS) in the UK conducted fresh DNA investigations using the latest techniques on a handkerchief in which the murder weapon was found and on a piece of semen-stained underwear. Results were compared with DNA from Hanratty’s mother and brother and Hanratty’s exhumed body. Ultimately the CCRC endeavours were declared by the Court of Appeal to have made “a strong case even stronger” and the CCRC was criticised for bringing the case in the first place.

Yet why, if the case against Hanratty really was so strong, did the CCRC refer it? If the forensic evidence flatly contradicted the weight of evidence supporting Hanratty’s innocence, how did the Court deal with this conflict? Most importantly, how careful was the court in 2002 in examining whether the forensic evidence justified its findings? When I started my analysis I underestimated how little real information exists in the public domain, or how unhelpful the FSS and the Court services would be to my investigation. Nevertheless a careful reading of the available documentation raises a number of points calling into question the surefootedness of the Appeal Court ruling.

/ So What Is This Case All About?
At approximately 9.30pm in August 1961 near Slough in Buckinghamshire someone hijacked a car driven by Michael Gregsten and containing his lover Valerie Storie. About 9 hours later Gregsten and Storie were found in a layby. He had been shot twice in the back of the head with a .38 Enfield revolver and was dead; she was alive but had been raped and shot five times.

Since Hanratty’s execution for the murder of Gregsten and, by inference, the rape and shooting of Storie, copious copy has been produced highlighting areas of dispute between those believing in Hanratty’s innocence and those believing in his guilt. Elucidatory starting points are the BBC Horizon programme “The A6 Murder” at http://www.bbc.co.uk/science/horizon/2001/a6murder.shtml, HANRATTY – The Final Verdict by Bob Woffinden, or Paul Foot’s Who Killed Hanratty?

It is important to reiterate that the evidence was deemed convincing enough to persuade the CCRC to take it to the Court of Appeal. For the purposes of this article I am just going to concentrate on the handling of the forensic evidence within the investigations and by the Court of Appeal.

DF9_75-79_Forensic Uncertainty.indd 75 20/10/2011 17:38


/ FEATURE

/ Caveat
I was not granted access to any of the FSS records regarding the case, nor would they answer my questions. Instead I was politely referred to the Court of Appeal judgement for answers. Secondly, I was not granted access to the transcript of the Court of Appeal hearing, on the grounds of accessibility and costs. This means that where forensic facts or opinions are not directly attributed within the Court of Appeal judgement, whether they are attributable to the FSS or represent the opinions of the judges is open to question. It also means that I am completely unable to satisfy my key aim of ascertaining how much challenging of the forensic certainties had taken place during the hearing by the judges or by Mr Mansfield, the counsel representing Hanratty’s family and the CCRC.

/ The DNA Testing
The forensic evidence available at trial was seminal fluid on Valerie Storie’s knickers and on her slip, identified as being from a blood group ‘O’ secretor, which profile matched Hanratty’s, taken from his trousers, and that of the other prime suspect, Peter Alphon. Interestingly, 40%-50% of the population is blood group ‘O’, of which 80% are group ‘O’ secretors (Woffinden 1997:152). As for Gregsten, he was a group AB secretor, establishing the semen did not come from him. A handkerchief found with the murder weapon bore traces of nasal mucus (incapable then of being analysed for blood type), and evidence based upon comparison of hairs and fibres was inconclusive (Court of Appeal Section 106, 2002).

In March 1995, according to Horizon, the FSS “scientists knew that Exhibit 26 (the fragment of knickers) could hold a vital clue to the killer’s identity, if only they could resurrect DNA from the decayed 30-year-old evidence. The tiny piece of fabric was immersed in sterile solution, shaken and centrifuged. Chemicals were added to destroy any cellular debris, the DNA rich fluid refined to produce a clear, colourless liquid containing pure DNA. Each drop of refined solution will usually contain hundreds of strands of DNA, but with evidence as old as this the question was if the minute amount of DNA extracted would be enough to create a profile.” Unfortunately no such profile was obtained at this time (BBC Horizon, 2002).

In 1997 Exhibit 35 had emerged from police files. This was a man’s white handkerchief in which the murder weapon had been found. The scientists decided to renew their attempts at DNA profiling, testing “the small remaining piece of fabric from the knickers (part having been used in the 1995 experiment), a piece of material from one of the slips and the areas of staining from the handkerchief” (Court of Appeal Section 108). According to Horizon, “They had failed two years earlier, but were now hopeful because of advances in a DNA copying technique called PCR.”

This is slightly misleading in that it cannot mean the introduction of PCR, since the Cetus Corporation team had developed the first commercial PCR typing kit for forensic use (DQA1) in 1988. I must assume that it refers to the introduction of the SGM technique in 1995.

According to Horizon the polymerase chain reaction “works by subjecting the target DNA to intense heat, splitting the double stranded DNA into two separate, single stranded segments. As the mixture is cooled an enzyme called a polymerase starts to lock on to each separated single stranded DNA creating an exact copy of the missing half to make a new complete double stranded segment of DNA. Each cycle of PCR doubles the target DNA. By repeating the process scientists can soon have billions of exact copies of the DNA they want to test. The minute quantities of DNA extracted from both exhibits were subjected to 34 separate cycles of PCR magnification and this time there were results.”

In April 1998 saliva samples were taken from Hanratty’s mother for comparison with samples taken in November 1997 from her other son Michael. These confirmed that the DNA profile from the knickers almost certainly came from either a son of Mrs Hanratty or a brother of Michael. At a much lower level of probability, results showed it was a son of Mrs Hanratty or a brother of Michael who had deposited the mucus stains on the handkerchief (Court of Appeal Section 108, 2002).

These variations in the levels of certainty ascribed to each exhibit are notable in light of the conviction with which they were previously ascribed to Hanratty, and of Dr Whitaker’s view expressed here in the Horizon programme:

“We calculated that it was 2.5 million times more likely of obtaining the DNA profile from the underwear and the handkerchief if it had originated from a son of and a brother of Mary and Michael, as compared to somebody unknown and unrelated to them.”

Since there appears to be no clarification in the public domain as to how these statistics were arrived at, I am unable to assess their likely veracity.

On March 22nd 2001 the Forensic Science Service recovered material from Hanratty’s teeth and profiled the DNA. The findings again substantiated a match with the DNA found on the handkerchief and on the knickers, thereby strengthening the case against Hanratty. The Appeal Court placed the evidence from the handkerchief centre stage: “it has been possible for Dr Whitaker… to state with what a non-scientist would regard as equivalent to absolute certainty or almost absolute certainty as makes no difference that the DNA profile recovered from the fragment of knickers and the DNA profile recovered from the mucus staining on the handkerchief have come from Hanratty.” (Court of Appeal Section 109, 2002)

/ Key Dates
Unfortunately that is all the evidence in the public domain regarding the testing carried out, with little detail of the tests performed and no information regarding the results that can be subsequently verified by a competent forensic scientist. Nevertheless, key dates in the development of DNA testing technology and comments published by the FSS in three fact sheets indicate the technology that would have been available. Factsheet 1, entitled ‘What is DNA?’, provides the timeline of developments:


1990 – Single Locus Profiling (SLP) replaces the less sensitive Multi Locus Profiling.
1994 – Short Tandem Repeat (STR) technique introduced.
1995 – Second Generation Multiplex (SGM) used to generate the first profiles for the NDNAD. It looked at six STR loci plus a sex indicator area to generate a profile. The average discriminating power of a full SGM profile is in the order of one in fifty million.
1999 – In June SGM Plus® replaced SGM testing. It looks at ten STR loci plus a sex indicator area. The average discriminating power of a full SGM Plus profile is less than one in a billion.

In Factsheet 2 the FSS states DNA Low Copy Number (LCN) is an extension of the SGM Plus profiling technique. It is more sensitive and enables scientists to produce DNA profiles from samples containing very few cells, even if they are too small to be visible to the naked eye.

The FSS also makes the following interesting comments about the LCN technique in Factsheet 6:

“As with all forensic evidence, the context and interpretation need to be considered carefully. This is even more important with DNA LCN, due to its sensitivity and the possibility that the DNA detected is unconnected with the offence under investigation. DNA LCN has the same discriminating power as the routine technique – about one in a billion. This means that if the DNA found at a crime scene matched a suspect, then the chance of obtaining the profile if it had originated from someone other than, and unrelated to that suspect, is approximately one in a billion.”

Note the important caveats regarding LCN highlighted in the first paragraph of Factsheet 6. I’ll let you draw your own conclusions regarding their importance to this case.

On the basis of the above I assume that the test in March 1995 used the STR technique, with the 1997-1998 tests, including those involving Hanratty’s relatives, using the SGM Plus® technique. The 2001 test on Hanratty’s remains is assumed to have involved the use of the DNA LCN technique, in light of references to the minute size of the sample from his teeth.

It is interesting that when testing Hanratty’s DNA against the other samples the FSS claimed the DNA found on the exhibits was hundreds of millions of times more likely to have come from him than from a random individual, and not definitely from him. This implies that the testing of Hanratty’s DNA still just looked at the 10 STR loci and sex indicator area of the SGM Plus / Low Copy Number profiling technique, hence the provisional status of the match. This is as opposed to the 13 STR loci and sex indicator match of the CODIS technique used in the USA or the greater discriminatory power of the 16 loci used in the recently developed Powerplex test.

/ Discounting Contamination
Whatever testing was done, the evidence convinced the Appeal Court, not least because the FSS categorically dismissed the possibility of contamination. As Roger Mann of the FSS put it: “We only have one profile. That profile matches James Hanratty. If that was a contaminant, if that was due to contamination we would expect two profiles, one from James Hanratty due to the contamination and one from the original killer.”

So this is the forensic case against Hanratty as far as I have been able to ascertain, although how it was presented to the Appeal Court hearing must remain a matter of speculation. However, a close reading of the Court ruling reveals some disquieting aspects to this case, as we’ll now see.

/ Considering the Handkerchief
The connection of Hanratty to the murder weapon consisted of his DNA found in mucus on the handkerchief enfolding the gun when police found it under the seat of a London bus. Contrary to the conclusion of the court, this merely proves that he blew his nose on the handkerchief and does not prove contact with, let alone deployment of, the murder weapon. No testing took place on the remainder of the handkerchief and no test exists to determine the identity of the person wrapping an already used handkerchief around a weapon.

To my amazement this lacuna seems to have been overlooked by all participants; the judgement fails to consider it and it is not mentioned in any other documentation I found or was permitted sight of. This is even more disturbing since the person who led the police to the seat in the bus was Charles ‘Dixie’ France, with whom Hanratty often stayed. France, like Hanratty, was a low-level criminal and prior to the trial behaved erratically, finally committing suicide days before the latter’s execution. No reason for France’s suicide is in the public domain; still it is not infeasible that he ‘planted’ the gun where it was found, in the knowledge that it was a hiding place used by Hanratty to dispose of unwanted items after a robbery.

The investigating officers do not appear to have openly considered the possibility of France’s duplicity, and though of key concern to such as Woffinden and Foot, it is unmentioned in the Appeal Court judgement. Unavailability of full court transcripts again precludes certainty of the matter’s consideration by the court.

Two spent cartridge cases from the murder weapon were found at the Vienna Hotel in the Maida Vale area of London shortly after Hanratty stayed there. Oddly these were not relied upon in the forensic case, though there were claims that they had been planted. Therefore their connection to Hanratty may be legitimately considered no more than circumstantial.

So, as is clear, this evidence is far from the conclusive proof of Hanratty’s involvement with the murder weapon as claimed by the Appeal Court judgement, and for the court to conclude as it did, someone was seriously misrepresenting the evidence involved.
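The FSS figures quoted in the Key Dates section (one in fifty million for a six-locus SGM profile, one in a billion for ten loci, and the Factsheet 6 statement that a matching profile is about one in a billion against an unrelated person), like the range of 1 in 2.5 million to 1 in a billion discussed at the end of the article, rest on two steps that the article does not spell out: a per-locus genotype frequency multiplied across loci assumed to be independent (the product rule), and a likelihood ratio that a court still has to combine with prior odds before it says anything about a named person. The Python below is an added example, not code from the article, the FSS or the Court of Appeal. The loci L1 to L10 and their allele frequencies, the suspect profile and the candidate pool of 20 million are all constructed assumptions, not the published SGM or SGM Plus population data and not figures from the case. It shows why adding loci drives the random match probability down, why the 1961 class evidence (group O secretor, using the article’s 40-50% and 80% figures) was almost worthless by comparison, and why even a one-in-tens-of-millions match is not certainty once it is set against a realistic prior.

```python
"""Added example (not from the article, the FSS or the Court of Appeal): how a
multi-locus STR match statistic such as "one in fifty million" is built, and
how it has to be read once it reaches a court.

Everything here is constructed for illustration: the loci L1..L10 and their
allele frequencies are invented (not the published SGM or SGM Plus population
data), the suspect profile is invented, and the candidate pool size is an
assumption, not a figure from the case."""

# Constructed allele-frequency tables: locus -> {allele (repeat count): frequency}.
# Each table sums to 1.0 so the Hardy-Weinberg arithmetic below is coherent.
CONSTRUCTED_FREQS = {
    "L1":  {14: 0.30, 15: 0.25, 16: 0.25, 17: 0.20},
    "L2":  {8: 0.20, 9: 0.30, 10: 0.30, 11: 0.20},
    "L3":  {12: 0.15, 13: 0.35, 14: 0.35, 15: 0.15},
    "L4":  {19: 0.25, 20: 0.25, 21: 0.25, 22: 0.25},
    "L5":  {7: 0.10, 8: 0.40, 9: 0.40, 10: 0.10},
    "L6":  {16: 0.20, 17: 0.20, 18: 0.30, 19: 0.30},
    "L7":  {11: 0.30, 12: 0.30, 13: 0.20, 14: 0.20},
    "L8":  {9: 0.15, 10: 0.35, 11: 0.35, 12: 0.15},
    "L9":  {13: 0.25, 14: 0.25, 15: 0.25, 16: 0.25},
    "L10": {6: 0.10, 7: 0.20, 8: 0.30, 9: 0.40},
}

# Constructed suspect profile: locus -> (allele, allele); L4 is homozygous.
CONSTRUCTED_PROFILE = {
    "L1": (14, 17), "L2": (8, 11), "L3": (12, 15), "L4": (19, 19), "L5": (7, 10),
    "L6": (16, 17), "L7": (13, 14), "L8": (9, 12), "L9": (13, 16), "L10": (8, 9),
}

SIX_LOCI = ["L1", "L2", "L3", "L4", "L5", "L6"]   # stands in for an SGM-sized profile
TEN_LOCI = SIX_LOCI + ["L7", "L8", "L9", "L10"]   # stands in for an SGM Plus-sized profile


def genotype_frequency(allele_freqs, a, b):
    """Hardy-Weinberg genotype frequency: p^2 for a homozygote, 2pq for a heterozygote."""
    p, q = allele_freqs[a], allele_freqs[b]
    return p * p if a == b else 2.0 * p * q


def random_match_probability(profile, freq_tables, loci):
    """Product rule: treating loci as independent, the chance that an unrelated
    person shares the whole profile is the product of the per-locus genotype
    frequencies. Every extra locus multiplies in another factor below 1, so the
    RMP falls roughly geometrically with the number of loci typed."""
    rmp = 1.0
    for locus in loci:
        a, b = profile[locus]
        rmp *= genotype_frequency(freq_tables[locus], a, b)
    return rmp


def blood_group_match_probability(p_group_o=0.45, p_secretor=0.80):
    """Frequency of the 1961-era class evidence ('group O secretor'): the share of
    the population that would match. Defaults take the article's 40-50% group O
    and 80% secretor figures, giving a match probability of about 0.36."""
    return p_group_o * p_secretor


def posterior_probability(likelihood_ratio, prior_odds):
    """Bayes in odds form: posterior odds = LR x prior odds. The LR on its own
    ('one in a billion') is not the probability that the suspect is the source;
    that needs a prior, which is the court's business, not the laboratory's."""
    posterior_odds = likelihood_ratio * prior_odds
    return posterior_odds / (1.0 + posterior_odds)


def weigh_match(profile, freq_tables, loci, candidate_pool):
    """Take a full-profile match through both steps. The prior is flat over
    candidate_pool people (odds 1 : candidate_pool - 1), i.e. the DNA is the only
    evidence. Returns (rmp, likelihood_ratio, posterior_probability)."""
    rmp = random_match_probability(profile, freq_tables, loci)
    lr = 1.0 / rmp          # LR for "this person" against "an unrelated person"
    prior_odds = 1.0 / (candidate_pool - 1)
    return rmp, lr, posterior_probability(lr, prior_odds)


if __name__ == "__main__":
    pool = 20_000_000  # assumption: 20 million people who could, a priori, be the source
    for label, loci in (("6 loci", SIX_LOCI), ("10 loci", TEN_LOCI)):
        rmp, lr, post = weigh_match(CONSTRUCTED_PROFILE, CONSTRUCTED_FREQS, loci, pool)
        print(f"{label}: RMP 1 in {1 / rmp:,.0f}, LR {lr:.3g}, "
              f"posterior P(suspect is the source) = {post:.4f}")
    print(f"group O secretor: 1 in {1 / blood_group_match_probability():.2f} people match")
```

With these constructed numbers the six-locus profile comes out at roughly 1 in 23 million, yet against a flat prior over 20 million candidates the posterior probability that the matching person is the source is only about 0.54; the ten-locus profile, at roughly 1 in 200 billion, pushes it past 0.9999. The group O secretor evidence of 1961 is shared by about one person in three, so on its own it barely moves the odds at all. Two points follow for reading figures such as those in this article: whatever the number of loci, the laboratory’s output is a ratio of two probabilities and never a statement that the DNA “definitely” came from a named person, so the wording the FSS used is the normal form rather than a mark of a provisional result; and a likelihood ratio that compares “a relative of known people” with “an unrelated stranger”, as the 2.5 million figure quoted earlier does, answers a different question from one that compares a named individual with a stranger, which is one reason the figures quoted in the case range so widely.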


/ Dark times
The following is taken from the BBC Horizon, 2002:

DR JONATHAN WHITAKER (FSS): “PCR, or the polymerase chain reaction, is a process that we use in the laboratory to copy the bits of DNA that we’re interested in lots of times to enable us to get enough DNA to generate a DNA profile. When we generated profiles from the handkerchief and the knickers, the first observation we saw was that these DNA profiles matched each other and this is what we would expect to find if they’d originated from the same person.”

NARRATOR: The same matching DNA profile appearing on both exhibits meant that for the first time evidence had been linked forensically, science suggesting that the person who had raped Valerie Storie had also handled the murder weapon.

This is a critical over-statement, as we shall see shortly; however, whether it came from the FSS and was then used in the Appeal Court hearing by them, or whether it was the interpretation of the BBC production team, is unfortunately a matter of conjecture.

ROGER MANN (FSS): The profiles in this case were very rare, something like one in several hundred millions, so the chances of them coming from two independent people I would say are quite small, beyond reasonable doubt that they came from the same person, I would say.

NARRATOR: But for the moment that was all. Although scientists now had an exact DNA profile for the killer they were no closer to knowing who that person might be.

/ Considering the clothing
Regarding the evidence of semen on Valerie Storie’s slips and knickers, Hanratty’s trousers and the opportunities for contamination: in Sections 106 and 114 Hanratty’s trousers were described as semen stained when they were first received at the Metropolitan Police Laboratory (MPL) on October 9th. On December 28th 1961 pathologist Dr Grant examined the trousers; the following day he examined the slip and knickers. A portion of the crotch area of the knickers was removed and stored, “as seems clear”, separately (Court of Appeal Section 116, 2002). One might ask whether it is satisfactory to conclude the items were separated on grounds that merely seem clear. The possibility of transference is strengthened by there being no awareness of DNA in the forensic community in 1961, or of the minute amount of cellular material required to produce a DNA sample.

At the trial, which took place between 22nd January and 17th February 1962, all the exhibits, with the exception of a portion of the slip and the fragment of the knickers referred to previously, were produced and taken out by the jury on retirement. The Court of Appeal (Section 117, 2002) states that on 9th April 1962 Hanratty’s clothing was returned to his father and on 22 May 1962 Valerie Storie’s slips, knickers and various samples were all destroyed. This does appear to be what happened to Hanratty’s trousers, but contradicts that stated regarding Miss Storie’s slips at section 108, which states: “However, in November 1997 after much consultation further DNA analyses were commissioned this time using highly sensitive DNA amplification techniques. The test was conducted on the small remaining piece of fabric from the knickers (part having been used in the 1995 experiment), a piece of material from one of the slips and the areas of staining from the handkerchief.”

What happens thereafter to the slips material is not documented in the judgement. Testing subsequently only takes place on the handkerchief and the piece of knicker crotch, which had been stored separately.

With regard to the semen stain on the knickers:

“The knickers arrived at the Metropolitan Police Laboratory (MPL) on 23 August 1961 where they were examined by Dr Nickolls, the director and his assistant, Henry Howard. They were found to be stained with seminal fluid in the area of the crotch and at the back for five inches upwards from the crotch. Vaginal fluid from Valerie Storie was also present. There were smaller quantities of seminal fluid of blood group AB assumed to have come at some earlier stage from Michael Gregsten. Although the laboratory records are not dated, the notes are numbered sequentially and we are confident that the knickers were examined almost immediately and in any event no later than 23 September 1961 when the notes show that certain samples taken from Peter Alphon were examined at the laboratory. The handkerchief came to the laboratory on 25 August, was screened for blood and semen and, none being found, seems to have been put to one side.” (Court of Appeal Section 113, 2002)

The judgement makes one further comment regarding the highlighted point (the seminal fluid attributed to Gregsten):

“With regard to the knicker fragment we have what Dr Whitaker would describe as a typical distribution of male and female DNA following an act of sexual intercourse leading to the obvious inference that the male contribution came from James Hanratty. For that not to be the case we would have to suppose that the DNA of the rapist, also of blood group O, had either degraded so as to become undetectable or had been masked by James Hanratty’s DNA during the course of the contaminating event. Moreover we would also have to suppose that Valerie Storie’s DNA had remained in its original state, or at least detectable, and had escaped being overridden by DNA from James Hanratty. The same would have to be true of the DNA attributed to Michael Gregsten. Finally we must visualise a pattern which is wholly consistent with sexual intercourse having taken place in which Valerie Storie and James Hanratty were the participants.” (Court of Appeal Section 125, 2002)


But what happened to Gregsten’s seminal fluid during the other form of expert evidence.” (Mahendra, B. The lawyers guide
course of the investigation? Why was no trace of this found to DNA evidence in criminal cases. New Law Journal, 152, p.1110)
during the investigations during the 90s? How had the cutting The relevance of these factors to the case is moot, but the FSS
of a piece from the crotch of Storie’s knickers removed any experts and the Court of Appeal appear to have overstated the
trace of Gregsten’s DNA and left the FSS investigators with certainty, when using a technique that is much more interpretive
their single male DNA profile, with which to discount any and subjective than has been credited in this case. /
chance of contamination?
Unfortunately I cannot answer these questions due to the
absence of court transcripts. THE SOCIETY URGES THE COURTS
TO ENSURE THAT THE STATISTICAL
/ Relevant considerations?
It is also worth bearing in mind the following: EVIDENCE IS PRESENTED
ONLY BY APPROPRIATELY
“Unlike modern forensic DNA analysis that can use
multiple nuclear DNA markers for identification, historic QUALIFIED EXPERTS
DNA cases are usually restricted to analyzing mitochondrial
DNA, which is more likely to survive degradation over time REFERENCES
due to its high copy number per cell (O’Rourke et al. 2000; BBC (2002) The A6 Murder (Horizon – Transcript) [WWW]. Available
Kaestle and Horsburgh 2002). Since mtDNA serves as a from: http://www.bbc.co.uk/science/horizon/2001/a6murder.shtml
single DNA marker, it has limited discrimination power.” – [Accessed 13/1/07]
~ “Extreme care should be taken when collecting and Court of Appeal Criminal Division (2002) Case No: 199902010_S2,
handling reference DNA samples from assumed living London [WWW]. Available from:
relatives. To control contamination, the reference DNA http://www.hmcourts-service.gov.uk/judgmentsfiles/j1166/
should be collected after the bone samples have been processed and DNA-profiled.” Yang, DY. and Speller, CF. (2006) Technical Tips for obtaining reliable DNA identification of historic human remains. Technical Briefs In Historical Archaeology, 1: pp.11–15.

This paper is referring to archaeological specimen DNA, though I have been unable to find any authoritative estimates of the expected levels of DNA decay from a human body buried for 40 years. I would also remind the reader that in this case the reference DNA from the Hanratty family was collected and analysed before that of Hanratty himself.

The possibility of human error in such interpretive activity is also rather more likely than may be acknowledged. “If the nature of the mind and cognitive processing can give rise to error in fingerprint individualization, then these errors are inherent to the domain. Nevertheless, they do not reflect a basic ontological scientific flaw in the domain nor are they the fault of a specific practitioner. They are, in essence, epistemological problems that derive from the mechanisms of human cognition and the workings of the mind.” (Dror, IE. and Charlton, D. (2006) Why experts make mistakes. Journal of Forensic Identification, 56 (4) pp. 600-616)

There is one final caveat that is worth considering with this case. As has been seen from the limited information above, the FSS have stated the statistical probability of the DNA being that of Hanratty as ranging from 1 in 2.5 million through to 1 in a billion. The Court of Appeal ruling makes no comment on the various estimations.

However, the Royal Statistical Society says, “Although many scientists have some familiarity with statistical methods, statistics remains a specialised area. The Society urges the courts to ensure that the statistical evidence is presented only by appropriately qualified experts, as would be the case for any

/ References (continued)
HANRATTY.htm – [Accessed 5/2/07].
Dror, IE. and Charlton, D. (2006) Why experts make mistakes. Journal of Forensic Identification, 56 (4) pp. 600-616
Foot, P. (1971) Who Killed Hanratty? London, Jonathan Cape
Forensic Science Service (2007) Casefiles [WWW]. Available from http://www.forensic.gov.uk/forensic_t/inside/news/casefiles.php – [Accessed 5/2/07]
Forensic Science Service (2007) Fact Sheets [WWW]. Available from http://www.forensic.gov.uk/forensic_t/inside/news/documents/DNA_Low_Copy_Number_000.doc – [Accessed 5/2/07]
Forensic Science Service (2007) Fact Sheets [WWW]. Available from http://www.forensic.gov.uk/forensic_t/inside/news/docs/What_is_DNA.doc – [Accessed 5/2/07]
Mahendra, B. The lawyers guide to DNA evidence in criminal cases. New Law Journal, 152, p.1110
Mason, D. (2002) The last word on Hanratty. New Law Journal, 152, p. 777
Sunday Mirror (1998) Frail mum is final key to Hanratty mystery. Sunday Mirror 26th April [WWW]. Available at: http://www.findarticles.com/p/articles/mi_qn4161/is_19980426/ai_n14477222 – [Accessed 14/1/07]
Woffinden, B. (1997) HANRATTY The Final Verdict. London, Macmillan
Yang, DY. and Speller, CF. (2006) Technical Tips for obtaining reliable DNA identification of historic human remains. Technical Briefs In Historical Archaeology, 1: pp.11–15.

/ Author Bio
Having spent over 30 years in the business IT world, including nearly 15 years focused on data storage technologies for the likes of IBM, Perot Systems and Computacenter, Rob decided to change career direction into the digital forensic arena and recently graduated with a 1st Class Honours degree in Forensic Computing. He is currently researching and writing a book whilst taking on the odd investigation.
/ BOOK REVIEWS

Extrusion Detection: Security Monitoring for Internal Intrusions
Author: Richard Bejtlich
Publisher: Addison-Wesley
Date of Publication: 8th November 2005
Price: £39.99 (UK), $54.99 (USA)
ISBN: 978-0321349965
Reviewer: Willem Knot

Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich concentrates on attacks launched within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is aimed to go hand in hand with Bejtlich’s ‘Tao of Network Security’, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker.

First thing to notice about this book is the foreword by Marcus Ranum, which, unusually for most books, consists of an interview with the author and highlights how different extrusion detection is from other network security guides.

The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practices amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.

Traditionally, the main focus of network security has been about keeping the hackers and malicious users out. The book is split into three specific sections, Detecting and Controlling Intrusions, Network Security Operations and Internal Intrusions, taking the reader on a journey from the reasons to look for extrusions through to the various types of extrusion, such as malicious IRC bots. Bejtlich uses various technologies, such as proxies and IDS/IPS, as demonstrations using commands that can easily be adapted into organizations’ own technologies.

To those specifically interested in network forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensics practices used within the chapter. Incident response is also explained prior to forensics. Bejtlich gives a detailed introduction to network forensics and describes it as being different from digital forensics in that it is focused on packet capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that network forensics is a valuable and crucial part in the defence of a network infrastructure both from internal and external threats.

Followers of Richard Bejtlich’s TaoSecurity blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put extrusion detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.

This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to ‘The Tao of Network Security’, which together provide an ultimate guide to network security.

XBOX 360 Forensics: A Digital Forensic Guide to Examining Artifacts
Author: Steven Bolt
Publisher: Syngress/Elsevier
Date of Publication: 7th February 2011
Price: £36.99 (UK), $59.95 (USA)
ISBN: 978-1597496230
Reviewer: Willem Knot

XBOX 360 Forensics offers a fairly in-depth introduction into the world of games console forensics and the tools and techniques required to carry out investigations into next-generation games consoles.

As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing.

Bolt starts the book with a detailed description of the XBOX 360 system, the setup process and how to sign up, and connect to, the social aspects of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the population, with news reports about paedophilia and child abuse stemming from meetings organised using the mail and chat functions inbuilt into the online portal.

Bolt does not provide much information on other crimes that can be committed using the console, such as malicious activity as the result of installing a secondary operating system (for example, Linux), but the emphasis of the malicious potential is made quite clear and the need for a set method of investigating consoles is prominent.

With very little documentation on the investigation of consoles available to the investigator, Bolt has provided the perfect starter guide for forensic investigation all the way from acquisition through to analysis. Rather than just provide the tools and techniques, however, Bolt takes the reader along the journey of investigation and provides a very detailed walkthrough of the baseline contents of the XBOX 360 hard drive, explaining the various different file types (such as PIRS, LIVE and CON files) and sector locations of valuable information.

The guide describes the use of only a few tools but within this provides an in-depth and efficient investigation method to analyse the hard disk drive. The tool that takes the spotlight in the investigation, Xplorer 360, is not strictly a forensic tool but more of a console management tool used to connect the XBOX 360 to a computer via the network and interact with it. It is interesting that this piece of software should provide a solution to the investigator to find artifacts previously unfound by the standard forensic tools such as Guidance Software’s EnCase and AccessData’s Forensic Toolkit Imager. A criticism of the guide is that its main focus is on the hard disk drive, which, while holding some of the user information and game saves, does not contain information of the operating system or memory stack. Bolt mentions that this information is held within specific hardware inside the console itself and it would seem prudent to provide methods to investigate these artifacts, especially when the need for live analysis is increasing.

The book does seem quite basic throughout, providing technical details that most investigators would probably be able to figure out for themselves; however, it is an easy read and one that would prove interesting to most who do not know much about the investigation of games consoles.


/ COLUMN

IRQ
Planes, packets and IP mobiles...

A few years ago, I was called in to help with an interesting little job. It’s one of those where it’s probably best not to go into too much detail, but suffice to say we were dealing with a fairly serious conspiracy.

Intelligence had led to successful observation and arrest of a few suspects and one in particular was thought to be the ringleader. The problem was that all the relevant activity was conducted on an online forum, and the suspect had no computer with which to access it. However, he did have a mobile phone, which never left his side. Of course, it was a smartphone, running Windows Mobile (not that the O/S has any particular relevance).

At the time in question, the agency conducting the investigation had two separate units – one for mobile phones and one for computers. The mobile phone unit only dealt with phone activity (call logs, SMS, cellsite analysis) and the computer unit didn’t do mobile phones. Of course, because this was a phone, it had been examined as a phone and no one had tried to extract any other data from it. After a few minutes of incredulity, I asked the obvious question: “Can anyone get the web cache off this thing?”

If time had allowed, I was pretty sure that we would have found fragments of pages from the forum somewhere in the cache. Unfortunately, time didn’t permit. However, we did have a copy of the forum, including times, dates and IP addresses for all the messages posted by the ringleader under his online identity (approximately 600 in total).

So, could I perhaps tell where they came from? Well, I’ve always been a little suspicious of geo-data associated with IP addresses as most of it is voluntary, but over the years it has become a bit more reliable and some sensible assumptions about associated FQDNs can help in the interpretation. Given the nature of the case, I was willing to at least try.

Most of them related to a common UK mobile phone network and didn’t really help much as they could have been anyone, but there was a batch of around 150 that looked useful. They covered a one-month period and were all associated with a mobile phone network in another country. Curiously, the same country that the main suspect had been visiting at exactly the same time! Now, of course, that’s not enough to be conclusive; after all, many people visit other countries and buy local SIMs to keep costs down while they’re there. Still, it was a nice coincidence.

Then we hit paydirt. A single IP address registered to a civil aviation authority and clearly labelled in DNS as being for one of their airport “pay as you go” Internet terminals. It had been used right in the middle of the suspect’s time in transit through that airport on his way back from the other country, and it never appeared in the forum again. Neither, for that matter, did any of the other country IP addresses.

Either our man was very unlucky to have travelled at exactly the same time as the real ringleader, or he had a stalker who was setting him up. Funnily enough, he didn’t suggest either of those explanations in court and is now spending a considerable amount of time in one of Her Majesty’s establishments for the criminally unlucky.

What’s the moral of this story? Location in 3D space is nice, but it works even better if you can add the 4th dimension. /

Twitter: marshalla99, Blog: marshalla99.wordpress.com, e-mail: [email protected]

/ Author Bio
Angus Marshall is an independent digital forensics practitioner, author and researcher, currently working on the ‘fitness for purpose’ challenge. In a past life he was an academic course leader in Digital Forensics and Forensic Computing and still retains strong links with academia, professional bodies and regulators. He can be contacted through his company, n-gate ltd. (http://www.n-gate.net).
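The approach the column describes, reverse-DNS names for the posting addresses plus the suspect's travel dates, in working form. This is an added example written for this page; it is not code from the column or from n-gate. Every address range (RFC 5737 documentation space), PTR name, forum export line and travel window below is constructed, and the PTR table stands in for live DNS lookups so that it runs offline. Given an export of post timestamps and source addresses, it groups posts by the operator implied by each PTR name, works out each operator's first and last appearance, and flags those whose whole activity window sits inside the travel window, which is the "4th dimension" test the column ends on.

```python
"""Adding the time dimension to IP address attribution.

Added example for the IRQ column; not the author's own tooling.
All addresses, PTR names, forum posts and dates are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for reverse-DNS (PTR) lookups. In a real case each
# address is resolved and the operator's naming convention read from the FQDN.
RDNS_TABLE = {
    "203.0.113.0/24": "gprs-nat.mobile.example-uk.net",          # UK mobile operator
    "198.51.100.0/24": "wap-gw.mobile.example-abroad.net",       # foreign mobile operator
    "192.0.2.77/32": "payg-terminal-3.airport.example-caa.gov",  # airport terminal
}


def rdns(ip):
    """Return the constructed PTR name for ip, preferring the most specific prefix."""
    addr = ipaddress.ip_address(ip)
    best_net, best_name = None, "(no PTR)"
    for cidr, name in RDNS_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_name = net, name
    return best_name


def network_label(fqdn):
    """Collapse a PTR name to its operator: the last three DNS labels."""
    parts = fqdn.split(".")
    return ".".join(parts[-3:]) if len(parts) >= 3 else fqdn


def parse_posts(lines):
    """Parse constructed 'ISO-8601 timestamp,source IP' lines from a forum export."""
    posts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip = (field.strip() for field in line.split(",", 1))
        posts.append((datetime.fromisoformat(ts), ip))
    return posts


def correlate(posts, travel_start, travel_end):
    """Group posts by operator and test each operator's active window against the trip."""
    by_operator = defaultdict(list)
    for ts, ip in posts:
        by_operator[network_label(rdns(ip))].append(ts)
    report = {}
    for label, times in by_operator.items():
        first, last = min(times), max(times)
        report[label] = {
            "posts": len(times),
            "first": first,
            "last": last,
            # True only if every post from this operator falls inside the trip.
            "only_during_travel": travel_start <= first and last <= travel_end,
        }
    return report


def travel_only_networks(report):
    """Operators seen exclusively while the suspect was abroad: the leads worth chasing."""
    return sorted(label for label, row in report.items() if row["only_during_travel"])


# Constructed forum export and constructed travel window (as if from airline records).
TRAVEL_WINDOW = (datetime(2011, 3, 2, 6, 0), datetime(2011, 4, 1, 0, 0))
FORUM_EXPORT = [
    "# timestamp,ip  (constructed)",
    "2011-01-15T09:12:00,203.0.113.40",
    "2011-02-20T22:05:00,203.0.113.41",
    "2011-03-05T08:30:00,198.51.100.9",
    "2011-03-19T14:10:00,198.51.100.12",
    "2011-03-31T18:40:00,192.0.2.77",
    "2011-04-20T11:00:00,203.0.113.42",
    "2011-06-01T07:45:00,203.0.113.43",
]

if __name__ == "__main__":
    result = correlate(parse_posts(FORUM_EXPORT), *TRAVEL_WINDOW)
    for label, row in sorted(result.items()):
        flag = "TRAVEL-ONLY" if row["only_during_travel"] else ""
        print(f"{label:28} posts={row['posts']:3} "
              f"{row['first']:%Y-%m-%d} .. {row['last']:%Y-%m-%d} {flag}")
```

Run as a script it prints one row per operator; the flagged rows are the foreign mobile range and the single airport terminal. A network that appears only during transit is a lead to corroborate with the registry and the carrier, not a conclusion: as the column says, the geo-data attached to IP ranges is largely voluntary, and the FQDN heuristic is an assumption about operator naming, not a record of where a handset was.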