[Hash sets] Korea University DFRC Reference Data Set

If you work in the area of digital investigation, you probably know about NIST’s National Software Reference Library (NSRL).
<blockquote>The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.</blockquote>
In other words, the NSRL is a very large collection of file hashes for ‘known’ software. In most cases it can be treated as a known good hash set, for filtering out potentially uninteresting files from a case.

The NSRL hashes are also hosted on hashsets.com, allowing you to query their database for a particular hash if you don’t want to store the files locally.

NSRL is very useful, but it does have some limitations. The Korea University Digital Forensic Research Center is attempting to solve some of these limitations by providing the DFRC Reference Data Set.

Their Reference Data Set includes hash values from software used in South Korea as well as the NSRL. Currently, they have over 27 million hashes. Best of all, they provide a number of interfaces for checking your data against it. You can upload the suspect file directly, upload a list of hashes, search for a single SHA-1 or MD5 hash, or query their RDS via their REST interface! This way you can call their hash database directly from your tools.

Of course, you can also directly download their entire RDS.
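As an added example (not code from the original post, and not from the DFRC or NSRL projects), here is the known-good filtering the post describes done locally with sha1sum and awk. It assumes the known hash set has already been reduced to a plain text file of SHA-1 hashes, one per line; the real RDS downloads have their own column layout, so that extraction step is left out. The directory and hash list in the demo are constructed.

```shell
#!/bin/sh
# Added example: filter a directory tree against a known-good SHA-1 list.
# ASSUMPTION: the known list is plain text, one lowercase SHA-1 per line.

# Emit "<sha1>  <path>" for every regular file under the directory in $1.
hash_tree() {
  find "$1" -type f -exec sha1sum {} +
}

# Print the paths whose SHA-1 is NOT present in the known list in $2.
# These are the files that survive known-good filtering and deserve a look.
unknown_files() {
  hash_tree "$1" | awk -v known="$2" '
    BEGIN { while ((getline h < known) > 0) seen[tolower(h)] = 1 }
    # sha1sum prints 40 hex chars, two spaces, then the path
    !(tolower($1) in seen) { print substr($0, 43) }'
}

# Number of unknown files, handy for a quick triage summary.
unknown_count() {
  unknown_files "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a CONSTRUCTED directory (not investigation data).
demo=$(mktemp -d)
mkdir "$demo/evidence"
printf 'vendor library bytes\n' > "$demo/evidence/vendor.dll"
printf 'user notes\n'           > "$demo/evidence/notes.txt"
# Pretend vendor.dll is in the reference set: record only its SHA-1.
sha1sum "$demo/evidence/vendor.dll" | cut -c1-40 > "$demo/known.sha1"
echo "Files not in the known-good set:"
unknown_files "$demo/evidence" "$demo/known.sha1"   # prints .../notes.txt only
```

The hash comparison is case-insensitive because reference sets are not consistent about hex case; an empty known list simply leaves every file flagged as unknown, which is the safe failure mode for a filter.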



Journal of Digital Forensics, Security and Law now Open Access

The Journal of Digital Forensics, Security and Law (JDFSL) is now an Open Access Journal. They also have a new website that uses the Open Journal System for submission management. If you have never seen the JDFSL before, now is a great time to check out the current issue as well as all the new features.
Image: Journal of Digital Forensics, Security and Law
This peer-reviewed, multidisciplinary Journal of Digital Forensics, Security and Law (JDFSL) focuses on the advancement of the field by publishing the state of the art in both basic and applied research conducted worldwide. We purposefully chose to use the word cyber in our tagline, instead of digital to emphasize the cyber culture surrounding computing, and the word cyber also extends itself beyond the technical domain of computing. The Journal’s main aims are to open up the landscape for innovation and discussion, and to continuously bridge the gap between the science and practice of cyber forensics, security and law. This journal encourages both scientists and practitioners to share their discoveries and experiences.

Submissions
Manuscripts should be submitted in Word, RTF, or PDF format using the JDFSL OJS Submission System.


[How-to] Cracking ZIP and RAR protected files with John the Ripper

After seeing how to compile John the Ripper to use all your computer’s processors now we can use it for some tasks that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper since it has extra utilities for ZIP and RAR files.

For this exercise I have created password protected RAR and ZIP files, that each contain two files.

<pre>
test.rar: RAR archive data, v1d, os: Unix

test.zip: Zip archive data, at least v1.0 to extract
</pre>The password for the rar file is ‘test1234’ and the password for the zip file is ‘test4321’.

In the ‘run’ folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called ‘zip2john’ and ‘rar2john’. Run them against their respective file types to extract the password hashes:
<pre>
./zip2john ../test.zip > ../zip.hashes
./rar2john ../test.rar > ../rar.hashes
</pre>This will give you files that contain the password hashes to be cracked… something like this:
<pre>
../test.zip:$pkzip$221001ba80c95e4e9547dcfcde4b8b2f05a80aaeb9d15dd76e7526b81803c8bf7201bf7205131204401ba808cbafdd390bf49ea54064ab3ff9f486e6260b9854e37d1ee3a41c54*$/pkzip$
</pre>After, that you can run John the Ripper directly on the password hash files:
<pre>./john ../zip.hashes
</pre>You should get a message like: Loaded 1 password hash (PKZIP [32/64]). Run with no options, John uses its default order of cracking modes. See the examples page for more information on modes.

Notice that in this case we are not using an explicit dictionary; you could potentially speed the cracking process up if you have an idea what the password may be. Look at your processor usage: if only one core is maxed out, you did not enable OpenMP when building. On a multi-processor system, OpenMP greatly speeds up the cracking process.

Now sit back and wait for the cracking to finish. On a 64bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.
<pre>
Loaded 1 password hash (PKZIP [32/64])

guesses: 0 time: 0:00:40:29 0.00% (3) c/s: 2278K trying: eDTvw - ekTsl
guesses: 0 time: 0:01:25:10 0.00% (3) c/s: 1248K trying: ctshm#ni - ctshfon9
guesses: 0 time: 0:02:56:40 0.00% (3) c/s: 1499K trying: BR489a - BR48jf
guesses: 0 time: 0:03:56:04 0.00% (3) c/s: 1703K trying: fjmis5od - fjmidia0
guesses: 0 time: 0:04:46:09 0.00% (3) c/s: 1748K trying: Difg1ek - DifgbpS
guesses: 0 time: 0:05:21:22 0.00% (3) c/s: 1855K trying: btkululp - btkulene
guesses: 0 time: 0:06:02:43 0.00% (3) c/s: 1857K trying: ghmnymik - ghmnyasd
test4321 (../test.zip)
guesses: 1 time: 0:06:32:34 DONE (Mon Jul 28 17:50:22 2014) c/s: 1895K trying: telkuwhy - test43ac
</pre>Now if you want to see the cracked passwords give john the following arguments:
<pre>
./john ../zip.hashes --show
</pre>It should output something like:
<pre>
../test.zip:test4321
1 password hash cracked, 0 left
</pre>Note: a hash file should contain only one type of hash. For example, we cannot put the rar AND zip hashes in the same file. On the other hand, this means you could try to crack more than one zip (or more than one rar) file at a time by putting their hashes in the same file.
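As an added example (not code from the original post or from the John the Ripper project), a small script that sorts mixed zip2john/rar2john output into one file per hash type, so that each file john loads holds a single format. It keys on the $type$ marker that follows the file name in every line, which is all it needs to know about the hash bodies; the sample lines in the demo are constructed and their hash bodies are not real.

```shell
#!/bin/sh
# Added example: split mixed zip2john/rar2john output into one file per hash
# type, since john expects a hash file to hold a single format. Sample lines
# are CONSTRUCTED; only the "$type$" markers are meaningful.

# $1 = file of "name:$type$..." lines (as zip2john/rar2john print them)
# $2 = output directory; produces $2/<type>.hashes for each type seen
split_by_hash_type() {
  mkdir -p "$2"
  awk -F: -v out="$2" '
    {
      # the type marker sits between the first two "$" after the name
      n = split($2, parts, "[$]")
      type = (n >= 2 && parts[2] != "") ? parts[2] : "unknown"
      print > (out "/" type ".hashes")
    }' "$1"
}

# Types present in the output directory, one per line (for a quick check).
hash_types_in() {
  for f in "$1"/*.hashes; do
    [ -e "$f" ] || continue
    basename "$f" .hashes
  done
}

# Demo with CONSTRUCTED hash lines.
demo=$(mktemp -d)
cat > "$demo/mixed.hashes" <<'EOF'
../test.zip:$pkzip$1*1*2*0*1b*4*00000000*constructed*$/pkzip$
../second.zip:$pkzip$1*1*2*0*1b*4*00000000*alsoconstructed*$/pkzip$
test.rar:$RAR3$*0*0000000000000000*constructed*0*0*0*test.rar*0
EOF
split_by_hash_type "$demo/mixed.hashes" "$demo/split"
hash_types_in "$demo/split"     # RAR3 and pkzip
# then run john once per file, e.g. ./john "$demo/split/pkzip.hashes"
```

Lines without a recognisable marker land in unknown.hashes rather than being dropped, so a malformed line from a converter is visible instead of silently lost.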

For the rar file it did not take nearly as long, since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first, resulting in a quick crack.
<pre>
Loaded 1 password hash (RAR3 SHA-1 AES [32/64])

guesses: 0 time: 0:00:00:10 1.38% (1) (ETA: Mon Jul 28 18:23:58 2014) c/s: 24.86 trying: rar.tsett - ttests

guesses: 0 time: 0:00:02:12 13.40% (1) (ETA: Mon Jul 28 18:28:19 2014) c/s: 25.98 trying: Test29 - Test2rar9

test1234 (test.rar)

guesses: 1 time: 0:00:17:03 DONE (Mon Jul 28 18:28:56 2014) c/s: 24.01 trying: test1234 - testrar1234

Use the "--show" option to display all of the cracked passwords reliably

</pre>


[How-to] Compiling John the Ripper to use all your processors for password cracking

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Today we are going to show you how to compile John the Ripper to use all of your processors (we will talk about compiling for NVIDIA GPUs later).

First you should visit Openwall's site and download the John the Ripper source code. I recommend getting the community-enhanced version since it contains support for many other hashes and ciphers. As of this writing, the current version of the community edition is 1.7.9.

You also need to install a compiler and ssl. On Ubuntu systems, you can just install the build-essential package, and libssl-dev.
<pre>
sudo apt-get install build-essential libssl-dev
</pre>

Download and verify the version suitable for your platform. In this example I am compiling on Linux Mint 17 (Ubuntu Trusty).

Extract the tar:
<pre>
tar -xvf john*.tar.gz
</pre>

Enter the newly created directory, then its “src” directory (this is where the Makefile lives):
<pre>
cd john*/src
</pre>

Important: this step enables parallel processing in John using OpenMP. Open the Makefile in an editor:
<pre>
nano Makefile
</pre>
Remove the # before
<pre>
OMPFLAGS = -fopenmp
</pre>
and
<pre>
OMPFLAGS = -fopenmp -msse2
</pre>
Now save, and close.
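As an added example (not code from the original post or from the John the Ripper project), the same Makefile edit done with sed instead of by hand, followed by a check that the OMPFLAGS lines really are active. The Makefile fragment in the demo is constructed from the two lines the post names; the real src/Makefile is much longer, and the sed pattern is written to touch only commented OMPFLAGS lines that use -fopenmp.

```shell
#!/bin/sh
# Added example: uncomment the OMPFLAGS lines in John's src/Makefile with sed
# rather than by hand, then verify the change. The Makefile fragment in the
# demo is CONSTRUCTED; the real file is much longer.

# Drop the leading "#" from commented "OMPFLAGS = -fopenmp..." lines only.
# $1 = path to the Makefile; an untouched .orig copy is kept beside it.
enable_openmp() {
  cp "$1" "$1.orig"
  sed 's/^#\(OMPFLAGS *= *-fopenmp.*\)$/\1/' "$1.orig" > "$1"
}

# Exit 0 if at least one OMPFLAGS line is active (uncommented).
openmp_enabled() {
  grep -q '^OMPFLAGS *= *-fopenmp' "$1"
}

# Number of active OMPFLAGS lines (two after the edit the post describes).
active_ompflags() {
  grep -c '^OMPFLAGS' "$1"
}

# Demo on a CONSTRUCTED Makefile fragment.
mk=$(mktemp)
cat > "$mk" <<'EOF'
# CONSTRUCTED fragment standing in for src/Makefile
#OMPFLAGS = -fopenmp
#OMPFLAGS = -fopenmp -msse2
CC = gcc
EOF
enable_openmp "$mk"
openmp_enabled "$mk" && echo "OpenMP enabled: $(active_ompflags "$mk") OMPFLAGS lines active"
```

Keeping the .orig copy makes it easy to compare the two files with diff before running make, and openmp_enabled is the check to run if ./john --test later shows only one core busy.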

Type “make | more” and choose the type of system you are using. I am running a 64-bit version of Linux, so I will choose linux-x86-64-native. If you have a 32-bit system, make sure to choose x86. If you don't know what to choose, then “generic” will probably work for you.

Once you have edited the Makefile, and picked the system to compile for, then build the program:
<pre>
make clean linux-x86-64-native
</pre>

On multi-processor systems you can also add -j5, where 5 is the number of processors on your system.
<pre>
make clean linux-x86-64-native -j5
</pre>

Once the build finishes without errors, the binaries will be in the 'run' directory.
<pre>
cd ../run
</pre>

You can test it by running:
<pre>
./john --test
</pre>

Troubleshooting

If there was an error building, try building “generic”. If it works, then you probably chose the wrong build options.


[CFP] Digital Forensic Research Workshop EU 2015

Digital Forensic Research Workshop (DFRWS) EU 2015 Call for Papers
Dublin, Ireland on the 23-26 March 2015
<ul><li>Important Dates:<ul><li>Papers / Panels: September 22, 2014</li><li>Presentation abstracts: September 22, 2014</li><li>Demos and posters: January 12, 2015</li><li>Workshop proposal: October 20, 2014</li></ul></li></ul>
See the full CFP: http://www.dfrws.org/2015eu/cfp.shtml

The DFRWS is dedicated to the advancement of digital forensics research through open sharing of knowledge and ideas. Ever since it organized the first open workshop in 2001, the DFRWS continues to bring academics and practitioners together in an informal environment.

DFRWS conferences publicize and discuss high quality research outcomes selected in a thorough peer review process. In recent years, DFRWS conferences have added practitioner presentations and hands-on tutorials taught by leading experts in the fields. The continued expansion of DFRWS-EU conferences is intended as a focal point for the European digital forensic community, allowing practitioners and researchers to meet and exchange ideas without the need for transatlantic travel.

The proceedings of DFRWS-EU 2015 will be published on the DFRWS Website as well as in a special issue of Elsevier’s Digital Investigation journal. We invite original contributions as research papers, panel proposals, work-in-progress talks, tutorial and workshop proposals, and demo or poster proposals on the following topics:

Topics of Interest

<ul><li>“Big data” approaches to forensics, including data collection, data mining, and large scale visualization</li><li>Addressing forensic challenges of Systems-on-a-chip</li><li>Anti-forensics and anti-anti-forensics</li><li>Case studies and trend reports</li><li>Data hiding and discovery</li><li>Data recovery and reconstruction</li><li>Database forensics</li><li>Digital evidence and the law</li><li>Digital evidence storage and preservation</li><li>Event reconstruction methods and tools</li><li>Incident response and live analysis</li><li>Interpersonal communications and social network analysis</li><li>Malware and targeted attacks: analysis, attribution</li><li>Memory analysis and snapshot acquisition</li><li>Mobile and embedded device forensics</li><li>Multimedia analysis</li><li>Network and distributed system forensics</li><li>Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)</li><li>Storage forensics, including file system and Flash</li><li>Tool testing and development</li><li>Triage, Prioritization, Automation: Efficiently processing large amounts of data in digital forensics</li><li>Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection</li></ul>
The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: eu-papers dfrws org


U.K. Adopts Open Document Formats to Improve Communication

According to UK.gov, the UK Government is adopting open formats for all of its government documents. The formats are PDF/A and HTML for viewing government documents, and ODF (the Open Document Format) for sharing and collaborating on government documents.

“Open Formats” are a way of saying “Publicly Available Standards”. The difference between these formats, especially ODF, and a format like DOCX, for example, is that anyone can easily get access to and understand the data structure of such documents. This means that any company could easily make a program that correctly opens or produces ODF documents.

But who cares about document formats? Well, anyone who has ever created content with a computer probably does. I remember we used ‘WordPerfect’ at home a (few) years ago. Any documents that were created with that program, and the “.wpX” file format, would now need to go through a conversion process to be viewed. Most likely the conversion process would not work very well. This means that the information in that document is mostly, if not completely, lost [without a great deal of effort]. Proprietary formats only last as long as the company that created it. Information about open formats will likely exist as long as the Internet.

Document formats directly relate to who can get access to information. South Korea has a company called Hancom whose office suite is a Microsoft Office replica, except with better support for Korean. Although Hancom does support saving documents to DOCX and ODF formats, they also invented their own, called Hangul Word Processor (HWP), that is DOCX modified just enough to not work with MS Word. So what is the problem? Well, HWP can only be opened with the Hancom Word Processor or the viewer. The viewer is free, but available only for Windows. The problem then becomes that you have to use a version of Windows to view the document, and if you want to edit the document, you have to buy a copy of Hancom Word. In other words, if you are running OSX or Linux you cannot communicate. If you have any other office suite installed, you cannot communicate. This means that the only people Koreans can communicate with via HWP are other Koreans. Unfortunately, it is a national standard, which means that they have a huge problem communicating internationally. Best case, foreigners will pirate a copy of Hangul Word Processor to view/edit the documents. Worst case, they won't bother opening the document at all.

The UK’s move is brilliant for the simple fact that more people can see what they are publishing (regardless of their computer setup), while at the same time potentially saving the Government some money.

Some groups have seen this as a move to boot out Microsoft, but I do not see it that way. They could still use Microsoft products; they are just making it easier for others who don’t use Microsoft to actually get access to information. Governments should try to improve communication nationally and internationally, and making documents available in easy-to-access formats is a step in the right direction.
