Journal of Digital Forensics, Security and Law now Open Access

The Journal of Digital Forensics, Security and Law (JDFSL) is now an Open Access Journal. They also have a new website that uses the Open Journal System for submission management. If you have never seen the JDFSL before, now is a great time to check out the current issue as well as all the new features.
This peer-reviewed, multidisciplinary Journal of Digital Forensics, Security and Law (JDFSL) focuses on the advancement of the field by publishing the state of the art in both basic and applied research conducted worldwide. We purposefully chose to use the word cyber in our tagline, instead of digital to emphasize the cyber culture surrounding computing, and the word cyber also extends itself beyond the technical domain of computing. The Journal’s main aims are to open up the landscape for innovation and discussion, and to continuously bridge the gap between the science and practice of cyber forensics, security and law. This journal encourages both scientists and practitioners to share their discoveries and experiences.

Submissions
Manuscripts should be submitted in Word, RTF, or PDF format using the JDFSL OJS Submission System.


[How-to] Cracking ZIP and RAR protected files with John the Ripper

After seeing how to compile John the Ripper to use all your computer’s processors now we can use it for some tasks that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper since it has extra utilities for ZIP and RAR files.

For this exercise I have created a password-protected RAR file and a password-protected ZIP file, each containing two files.

<pre>
test.rar: RAR archive data, v1d, os: Unix
test.zip: Zip archive data, at least v1.0 to extract
</pre>
The password for the rar file is ‘test1234’ and the password for the zip file is ‘test4321’.

In the ‘run’ folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called ‘zip2john’ and ‘rar2john’. Run them against their respective file types to extract the password hashes:
<pre>
./zip2john ../test.zip > ../zip.hashes
./rar2john ../test.rar > ../rar.hashes
</pre>
This will give you files that contain the password hashes to be cracked, something like this:
<pre>
../test.zip:$pkzip$221001ba80c95e4e9547dcfcde4b8b2f05a80aaeb9d15dd76e7526b81803c8bf7201bf7205131204401ba808cbafdd390bf49ea54064ab3ff9f486e6260b9854e37d1ee3a41c54*$/pkzip$
</pre>
After that you can run John the Ripper directly on the password hash files:
<pre>
./john ../zip.hashes
</pre>
You should get a message like: Loaded 1 password hash (PKZIP [32/64]). Run with no options, John uses its default order of cracking modes. See the examples page for more information on modes.

Notice that in this case we are not using explicit dictionaries. You could potentially speed up the cracking process if you have an idea what the password may be. If you look at your processor usage and only one core is maxed out, then you did not enable OpenMP when building. On a multi-processor system, OpenMP greatly speeds up the cracking process.

Now sit back and wait for the cracking to finish. On a 64-bit quad-core i7 system, without using a GPU, and while doing some other CPU-intensive tasks, the password was cracked in about 6.5 hours.
<pre>
Loaded 1 password hash (PKZIP [32/64])

guesses: 0 time: 0:00:40:29 0.00% (3) c/s: 2278K trying: eDTvw - ekTsl
guesses: 0 time: 0:01:25:10 0.00% (3) c/s: 1248K trying: ctshm#ni - ctshfon9
guesses: 0 time: 0:02:56:40 0.00% (3) c/s: 1499K trying: BR489a - BR48jf
guesses: 0 time: 0:03:56:04 0.00% (3) c/s: 1703K trying: fjmis5od - fjmidia0
guesses: 0 time: 0:04:46:09 0.00% (3) c/s: 1748K trying: Difg1ek - DifgbpS
guesses: 0 time: 0:05:21:22 0.00% (3) c/s: 1855K trying: btkululp - btkulene
guesses: 0 time: 0:06:02:43 0.00% (3) c/s: 1857K trying: ghmnymik - ghmnyasd
test4321 (../test.zip)
guesses: 1 time: 0:06:32:34 DONE (Mon Jul 28 17:50:22 2014) c/s: 1895K trying: telkuwhy - test43ac
</pre>
Now if you want to see the cracked passwords, give john the following arguments:
<pre>
./john ../zip.hashes --show
</pre>
It should output something like:
<pre>
../test.zip:test4321
1 password hash cracked, 0 left
</pre>
Note: all hashes in one input file must be of the same type. For example, we cannot put the rar AND zip hashes in the same file. On the other hand, this means you can crack more than one zip (or more than one rar) file at a time by putting their hashes in one file.
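To keep to that rule when an investigator is processing several archives at once, here is an added helper (example code, not from this post or the John the Ripper project) that reads zip2john/rar2john output lines and writes one input file per hash format, keyed on the $pkzip$ / $RAR3$ tag after the file name. The sample lines and their hash bodies are constructed placeholders, not real tool output.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample lines in the shape zip2john/rar2john print (path:hash);
# the hash bodies are placeholders, not real output.
SAMPLE_LINES = [
    "../test.zip:$pkzip$2*CONSTRUCTED-ZIP-1*$/pkzip$",
    "../other.zip:$pkzip$2*CONSTRUCTED-ZIP-2*$/pkzip$",
    "../test.rar:$RAR3$*0*CONSTRUCTED-RAR*",
    "",                      # blank lines are ignored
    "not a hash line",       # so is anything without a $tag$ after the file name
]

# The john format tag sits right after the first ':' that is followed by '$',
# e.g. "$pkzip$" or "$RAR3$".
TAG_RE = re.compile(r":\$([A-Za-z0-9]+)\$")


def hash_format(line: str):
    """Return the format tag of one *2john output line, or None if unrecognised."""
    m = TAG_RE.search(line)
    return m.group(1) if m else None


def split_by_format(lines):
    """Group hash lines by format tag; each group becomes its own input file for john."""
    groups = defaultdict(list)
    for line in lines:
        tag = hash_format(line)
        if tag is not None:
            groups[tag].append(line.strip())
    return dict(groups)


def write_groups(groups, outdir) -> list:
    """Write one '<tag>.hashes' file per format and return the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for tag, lines in sorted(groups.items()):
        target = outdir / f"{tag}.hashes"
        target.write_text("\n".join(lines) + "\n")
        written.append(str(target))
    return written


if __name__ == "__main__":
    for path in write_groups(split_by_format(SAMPLE_LINES), "hashes-by-format"):
        print("run ./john on", path)
```

Each file written this way contains a single format, so john loads it without complaining about mixed hash types.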

For the rar file it did not take nearly as long since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first resulting in a quick crack.
<pre>
Loaded 1 password hash (RAR3 SHA-1 AES [32/64])

guesses: 0 time: 0:00:00:10 1.38% (1) (ETA: Mon Jul 28 18:23:58 2014) c/s: 24.86 trying: rar.tsett - ttests
guesses: 0 time: 0:00:02:12 13.40% (1) (ETA: Mon Jul 28 18:28:19 2014) c/s: 25.98 trying: Test29 - Test2rar9
test1234 (test.rar)
guesses: 1 time: 0:00:17:03 DONE (Mon Jul 28 18:28:56 2014) c/s: 24.01 trying: test1234 - testrar1234
Use the "--show" option to display all of the cracked passwords reliably
</pre>


[How-to] Compiling John the Ripper to use all your processors for password cracking

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Today we are going to show you how to compile John the Ripper to use all of your processors (we will talk about compiling for NVIDIA GPUs later).

First you should visit Openwall's site and download the John the Ripper source code. I recommend getting the community-enhanced version since it contains support for many other hashes and ciphers. As of this writing, the current version of the community edition is 1.7.9.

You also need a compiler and the OpenSSL development headers. On Ubuntu systems, you can just install the build-essential and libssl-dev packages:
<pre>
sudo apt-get install build-essential libssl-dev
</pre>

Download and verify the version suitable for your platform. In this example I am compiling on Linux Mint 17 (Ubuntu Trusty).

Extract the tar:
<pre>
tar -xvf john*.tar.gz
</pre>

Enter the newly created directory, then its “src” directory:
<pre>
cd john*/src
</pre>

Important: This step enables parallel-processing in John using OpenMP.
<pre>
nano Makefile
</pre>

Remove the # before
<pre>
OMPFLAGS = -fopenmp
</pre>
and
<pre>
OMPFLAGS = -fopenmp -msse2
</pre>

Now save, and close.

Type “make | more” to list the available build targets and choose the type of system that you are using. I am running a 64-bit version of Linux, so I will choose linux-x86-64-native. If you have a 32-bit system, make sure to choose an x86 target. If you don't know what to choose, then “generic” will probably work for you.

Once you have edited the Makefile, and picked the system to compile for, then build the program:
<pre>
make clean linux-x86-64-native
</pre>

On multi-processor systems you can also add -jN, where N is the number of processors on your system, to build in parallel; for example, with five processors:
<pre>
make clean linux-x86-64-native -j5
</pre>

Once the process is done – if it had no errors – then the binaries will be in the 'run' directory.
<pre>
cd ../run
</pre>

You can test it by running the built-in benchmark:
<pre>
./john --test
</pre>

Troubleshooting

If there was an error building, try building “generic”. If that works, then you probably chose the wrong build options.


[CFP] Digital Forensic Research Workshop EU 2015

Digital Forensic Research Workshop (DFRWS) EU 2015 Call for Papers
Dublin, Ireland on the 23-26 March 2015
Important Dates:
<ul>
<li>Papers / Panels: September 22, 2014</li>
<li>Presentation abstracts: September 22, 2014</li>
<li>Demos and posters: January 12, 2015</li>
<li>Workshop proposal: October 20, 2014</li>
</ul>
See the full CFP: http://www.dfrws.org/2015eu/cfp.shtml

The DFRWS is dedicated to the advancement of digital forensics research through open sharing of knowledge and ideas. Ever since it organized the first open workshop in 2001, the DFRWS continues to bring academics and practitioners together in an informal environment.

DFRWS conferences publicize and discuss high quality research outcomes selected in a thorough peer review process. In recent years, DFRWS conferences have added practitioner presentations and hands-on tutorials taught by leading experts in the fields. The continued expansion of DFRWS-EU conferences is intended as a focal point for the European digital forensic community, allowing practitioners and researchers to meet and exchange ideas without the need for transatlantic travel.

The proceedings of DFRWS-EU 2015 will be published on the DFRWS website as well as in a special issue of Elsevier’s Digital Investigation journal. We invite original contributions as research papers, panel proposals, work-in-progress talks, tutorial and workshop proposals, and demo or poster proposals on the following topics:

Topics of Interest

<ul>
<li>“Big data” approaches to forensics, including data collection, data mining, and large scale visualization</li>
<li>Addressing forensic challenges of Systems-on-a-chip</li>
<li>Anti-forensics and anti-anti-forensics</li>
<li>Case studies and trend reports</li>
<li>Data hiding and discovery</li>
<li>Data recovery and reconstruction</li>
<li>Database forensics</li>
<li>Digital evidence and the law</li>
<li>Digital evidence storage and preservation</li>
<li>Event reconstruction methods and tools</li>
<li>Incident response and live analysis</li>
<li>Interpersonal communications and social network analysis</li>
<li>Malware and targeted attacks: analysis, attribution</li>
<li>Memory analysis and snapshot acquisition</li>
<li>Mobile and embedded device forensics</li>
<li>Multimedia analysis</li>
<li>Network and distributed system forensics</li>
<li>Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)</li>
<li>Storage forensics, including file system and Flash</li>
<li>Tool testing and development</li>
<li>Triage, Prioritization, Automation: Efficiently processing large amounts of data in digital forensics</li>
<li>Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection</li>
</ul>
The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: eu-papers dfrws org


U.K. Adopts Open Document Formats to Improve Communication

According to UK.gov, the UK Government is adopting open formats for all of its government documents. The formats are PDF/A and HTML for viewing government documents, and ODF (the Open Document Format) for sharing and collaborating on government documents.

“Open Formats” are a way of saying “Publicly Available Standards”. The difference between these formats, especially ODF, and a format like DOCX, for example, is that anyone can easily get access to and understand the data structure of such documents. This means that any company could easily make a program that correctly opens or produces ODF documents.

But who cares about document formats? Well, anyone who has ever created content with a computer probably does. I remember we used ‘WordPerfect’ at home a (few) years ago. Any documents that were created with that program, in the “.wpX” file format, would now need to go through a conversion process to be viewed. Most likely the conversion process would not work very well. This means that the information in that document is mostly, if not completely, lost [without a great deal of effort]. Proprietary formats only last as long as the company that created them. Information about open formats will likely exist as long as the Internet.

Document formats directly relate to who can get access to information. South Korea has a company called Hancom that makes a Microsoft Office replica, except with better support for Korean. Although Hancom does support saving documents to DOCX and ODF formats, they also invented their own, called Hangul Word Processor (HWP), which is DOCX modified just enough to not work with MS Word. So what is the problem? Well, HWP can only be opened with the Hancom Word Processor or the viewer. The viewer is free, but available only for Windows. The problem then becomes that you have to use a version of Windows to view the document, and if you want to edit the document, you have to buy a copy of Hancom Word. In other words, if you are running OSX or Linux you cannot communicate. If you have any other office suite installed, you cannot communicate. This means that the only people Koreans can communicate with via HWP are other Koreans. Unfortunately, it is a national standard, which means that they have a huge problem communicating internationally. Best case, foreigners will pirate a copy of Hangul Word Processor to view/edit the documents. Worst case, they won't bother opening the document at all.

The UK’s move is brilliant for the simple fact that more people can see what they are publishing (regardless of their computer setup), while at the same time potentially saving the Government some money.

Some groups have seen this as a move to boot out Microsoft, but I did not see it that way. They could still use Microsoft products, they are just making it easier for others who don’t use Microsoft to actually get access to information. Governments should try to improve communication nationally and internationally. And making documents available in easy to access formats is a step in the right direction.


Dark Nets and Why They Are a Challenge for Police

Based on the BBC News article “Dark net used by tens of thousands of paedophiles” (2014), one might wonder what “Dark Net” is, and why Police are having such a hard time catching criminals.

To understand “Dark Net” you first need to understand a little bit about how the Internet works. As an example, think about how you are connecting to this blog. Your computer must have an IP address, which is used as a unique identifier for you online. This IP address is normally assigned by your Internet Service Provider. When you want to connect to this blog, you are sending information back-and-forth from your IP address to the IP address of the server.

This is good, however, whenever I get an IP address to connect to the Internet, everyone else can also connect back to me. It is similar to having a phone number. You need a phone if you want to call someone else’s phone, but that means that anyone who finds your number can also call you whether you want them to or not.

The result of this is that when we send information on the Internet, it is possible for other people on the Internet to copy our information. For this reason, many services use different types of encryption to hide the information going from one point to another. Many critical services use (or should use) encryption (like Banks) to protect your information. Because people need to protect their legitimate information - like banking transactions, credit cards, emails, etc. - the Internet has to support mechanisms to protect this information.

Dark Nets
Dark Nets like Tor and FreeNet take advantage of two things that also make the Internet work. First, they use public IP addresses to connect to other computers that are also running the program. This means that each computer is connected to several other computers on the network.

Once connected with a public IP address, the computers encrypt the connections between all computers. In this way, no one can see what information is being sent between two computers; this is what we call an encrypted “tunnel”.

The Dark Net then usually does two things. First, if there are a lot of computers connected to the network, then they each connect to a few other computers. They use these encrypted tunnels to route traffic through other computers before it reaches the final destination.

For example, if I am computer A, and I want to access a resource at computer D, normally I would try to make a direct connection A->D. If police investigate computer D, they can normally find information about computer A directly connecting. Dark Nets (or Onion Routing) would instead use other computers to hide my request. If I am computer A, and want to reach a resource at computer D, a Dark Net may send my request through C, then B, then to D [A->C->B->D]. The next time I make a request, it may change its path [A->B->C->D]. What’s more, other computers’ requests will be coming through MY computer. In this way, it is very difficult to determine if MY computer is making a request, or if it was someone else. And since all this traffic is encrypted, to investigate the traffic you must be in the network. So routing traffic through different computers over encrypted connections can be used to hide information and make it very difficult to determine which computer actually sent the request. These connections cannot simply be blocked, otherwise you would also block all the good uses of encryption.
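The A->C->B->D routing above, as an added illustration that is not part of the original post: a small Python model of onion routing in which the sender wraps the request in one encryption layer per hop, and each relay can peel only its own layer, so it learns the next hop and nothing else. The relay keys and the SHA-256 counter-mode "cipher" are constructed for the demo and are not a real cipher.

```python
import hashlib
import os

# Constructed per-relay keys; in a real onion network these come from a key exchange.
RELAY_KEYS = {"B": b"relay-B-key", "C": b"relay-C-key", "D": b"relay-D-key"}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Demo only, not a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def wrap(key: bytes, payload: bytes) -> bytes:
    """Add one encryption layer; a fresh nonce is prepended so every layer differs."""
    nonce = os.urandom(8)
    ks = keystream(key, nonce, len(payload))
    return nonce + bytes(p ^ k for p, k in zip(payload, ks))


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Remove one layer with the relay's own key."""
    nonce, body = blob[:8], blob[8:]
    ks = keystream(key, nonce, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def build_onion(path, message: bytes) -> bytes:
    """Sender A wraps the message once per hop, innermost layer for the last hop.
    Each layer names only the next hop, so no relay ever sees the whole path."""
    blob = wrap(RELAY_KEYS[path[-1]], b"DELIVER|" + message)
    for hop, next_hop in reversed(list(zip(path[:-1], path[1:]))):
        blob = wrap(RELAY_KEYS[hop], b"NEXT|" + next_hop.encode() + b"|" + blob)
    return blob


def relay(name: str, blob: bytes):
    """What one relay does: peel its layer, read the next hop, forward the rest."""
    inner = unwrap(RELAY_KEYS[name], blob)
    kind, _, rest = inner.partition(b"|")
    if kind == b"DELIVER":
        return None, rest          # final hop: rest is the plaintext request
    next_hop, _, payload = rest.partition(b"|")
    return next_hop.decode(), payload


def route(path, message: bytes):
    """Drive the request from A along the path; return the delivered bytes and a
    (relay, next hop it learned) trace showing each relay sees only its neighbour."""
    hop, blob, trace = path[0], build_onion(path, message), []
    while hop is not None:
        next_hop, blob = relay(hop, blob)
        trace.append((hop, next_hop))
        hop = next_hop
    return blob, trace


if __name__ == "__main__":
    delivered, trace = route(["C", "B", "D"], b"GET /resource")
    print(delivered, trace)
```

Changing the path to ["B", "C", "D"] gives the second route from the text; only the trace changes, and D still receives the same request without learning that A sent it.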

But many Deep Net clients go a step further. When you install a client like FreeNet, it will allocate a part of your hard drive to store data (also encrypted). If every computer on the network gives a small part of their hard drive space, then the network has a lot of distributed storage. This storage can only be accessed if you are inside the encrypted network. This means that people can host blogs, web pages… basically any service they want on this encrypted space. The data will be spread across many computers in many different countries, none of which will know exactly what information they are sharing on this allocated space (since they cannot access it themselves).

What Can Police Do About It?
Now that you know some of the things that Dark Nets do (different networks do different things), why is it such a challenge for Police?

First, consider that cybercrime investigation is a relatively new field. Except for officers who enjoy self-study, most Police update their knowledge only when the number of cases requiring new knowledge gets past a certain threshold. Granted, there is just too much to learn: too many types of cybercrime to focus on one area. And Dark Nets (until now) have been too difficult a problem with too little return to seriously invest much time in. That being said, people are working on the problem, and other government organizations are also throwing a lot of resources at the problem of crime on Dark Nets.

Another problem is jurisdiction. Police, at most, have jurisdiction only at a national level. Since all governments have budgets, they don’t usually investigate other countries’ criminals (unless there is some benefit). Since it is difficult to establish where a criminal on a dark net is located, they run the risk of investigating thousands of people who are not in their country, not citizens, etc, etc (an investigation dead-end). This implies not only a waste of time, but a waste of resources, including taxpayer money. Since taxpayers usually want a visible ‘return on investment’, many forces think it is better to go after the easy cases that can make quick headlines and better statistics.

Establishing reliable information takes time. In most countries that I have worked with, they do not have the ability (or desire) to consistently conduct cyber operations. Working on dark nets requires long term operations and planning that many countries would not be capable of executing.

Countries like the U.S. and U.K. are quite obsessed with the investigation of child exploitation material (rightly so, IMO), but for many other countries it is hardly a consideration. Even if the talk is of protecting children, the resources and planning dedicated to the task reflects how low-priority it actually is.

And finally, there are hundreds of thousands of pedophiles on news groups, websites, peer-to-peer networks, chat programs, etc. Indeed, the Dark Net is a problem, but it is just one (more) problem. Police have no shortage of pedophile-related cases, and they won’t until we take a look at the social problems that are causing them. Focusing on one network won’t solve the problem, and until that network becomes the primary sharing method it won’t be a major focus.
