[Live Stream] 5th International Conference on Digital Forensics & Cyber Crime ICDF2C 2013

The 5th International Conference on Digital Forensics and Cyber Crime (ICDF2C) will be held this week in Moscow (September 26-27, 2013). The program can be found here: http://d-forensics.org/2013/show/program-final

If you can’t make it to Moscow, you can access an online stream of the conference by following the instructions here (bottom of the page): http://d-forensics.org/2013/show/registration

I hope for a lot of people and interesting discussion!

~1 min read

Sending a manually encrypted email using a public key

Some web-based email services don’t have an encryption client available, but if you still want to be able to encrypt an email using someone’s public key, you can do it in the following way.

First, get GPG.

<ul><li>There is GPG4Win: http://www.gpg4win.org/ (I’ve not used it, but I assume there is a command line client)</li><li>GPGTools for Mac: https://gpgtools.org/ (I’ve used, and liked very well)</li><li>For Linux there are few different options, so see this for more information.</li></ul>

Once you have GPG installed, you should be able to run the command ‘gpg’ from a terminal.

*note - On Windows or Mac the commands may be slightly different than what is shown here.

For this tutorial, you will be encrypting an email using someone’s public key. I will not show you how to create your own keys in this single.

Once you can run gpg, we need to try to find the public key of the person you will send the message to. If they have uploaded their key to a public key server you can query the server with
<blockquote class="tr_bq">gpg –list-keys [email protected]</blockquote>You can then import the key you have found using –recv-keys with the key’s ID. For example, my key looks like: pub   2048R/606B15C4 2013-01-09 [expires: 2017-01-09]. The key’s ID is 606B15C4.
<blockquote class="tr_bq">gpg –recv-keys 606B15C4 </blockquote>Once we have successfully imported the key, we can use it to encrypt messages that only the holder of the associated private key can decrypt. So, for example, if you use my public key to encrypt a file, then only my private key can be used to decrypt the file.

Likewise, if I use my private key to encrypt a file, then only my public key can be used to decrypt the file. This is a good way to show that you are the originator of the information.

OK - so let’s make some text to send in our email. I will create a text file as a simple file container.
<blockquote class="tr_bq">echo “Question: Can security students encrypt their email?” >> encryption_test.txt
echo “Hypothesis: Security students are too lazy to encrypt their email.” >> encryption_test.txt </blockquote>So now I have a plain text file called “encryption_test.txt” with two lines in it.

(In Linux) I can read the contents of the file using ‘cat’, and pipe the output into gpg for encryption.
<blockquote class="tr_bq">cat encryption_test.txt
gpg –encrypt –armor -r 606B15C4</blockquote>The first command takes the contents of the file “encryption_test.txt” and send it to gpg, which encrypts the text with the public key 606B15C4. The output is as follows:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)

hQEMA999TJtS1eU1AQgAn09ngR2pGDGCfFH0aKUazQInd+HtYqqFq6UmFyszb5RX
OS5mWB3gEKMh3Ki0Qvgs2tA9nBx1+uzyxvkLoXrLwkfVg7mu821bjkh9OMsFO9hb
EeKkZjAAHHcf1rkpWKgc9mcmYyaNBEexyDJy648osWiGyDfedVMKog0k44NFf9iG
aBNsrrqmS+S6SllCgUhbMtkJYB4+BbCBIDA0laWQF+wcKGIsQfk3XxYdJUAfTFIK
vJwKyyPd9JBwG70XYaycBVIPMYhflmNB0MKVV65iQXQslN0dlTMu9CZGRYDJ4IMD
eC89NDsSVwVBWGPxo76cE19McXC5EHQvEBZk9XUIY9KQAaqZOu8vJlz5kehprSnm
OsYY24fuvsbZ4tglgQQ2FC7QLwB+rMLXNWPXor/EjUUYfeRAtbADfpFgNX/Kyzf8
9CxHSRO0ARj/caQQHCjfothIcR6J+vSGe5z+QA9IG9LhvRYOQkbyqoz9ZxRmBgrG
zD++fpC+hgv56WRHe5BzSBq4iaYJ+M1FGb5YbpCBzrPI
=Umsn
-----END PGP MESSAGE-----


If I copy from —BEGIN PGP MESSAGE — to —END PGP MESSAGE— and paste that into the body of my email, and send it to the person who owns the private key - they should be able to decrypt it.

2 min read

An Argument for Assumed Extra-territorial Consent During Cybercrime Investigations

As seen on DigitalFIRE.ucd.ie

During cybercrime investigations it’s common to find that a suspect has used technology in a country outside of the territorial jurisdiction of Law Enforcement investigating the case. The suspects themselves may also be located outside of the territory of the investigating group. A country may be able to claim jurisdiction over a suspect or device that is located outside of their territory [1], however, foreign Law Enforcement would not have jurisdiction within the territorial jurisdiction of another country unless explicitly granted. This means that if a suspect or digital device is located in another territory, the investigating country may need to request assistance from the country that has territorial jurisdiction. This request could be in the form of mutual legal assistance requests, international communication channels such as INTERPOL and United Nations networks, through a personal contact within the country of interest, etc.
<div class="separator" style="clear: both; text-align: center;"></div>
It appears to be increasingly common that Law Enforcement will use personal contacts to quickly begin the investigation process in the country of interest and request data be preserved, while at the same time making an official request for cooperation through official channels. This is simply because official channels are currently far too slow to deal with many types of cybercrime that rely on preserving data before the records are overwritten or deleted; a problem that has been communicated by Law Enforcement for over a decade.

For similar reasons, Law Enforcement in many countries commonly access data stored on servers in countries outside of their jurisdiction. When and how they access this data is usually not well defined because law too, in most — if not all — countries, is failing to keep up with changes in cross-border digital crime. However, a recent work by the NATO Cooperative Cyber Defence Centre of Excellence — Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual) — attempted to explicitly state some of these issues and their practical implications, albeit in the context of Cyber Warfare.

In the Tallinn Manual the expert group considered issues of jurisdiction applied to cyber infrastructure. Of these considerations, they claim that “… States may exercise sovereign prerogatives over any cyber infrastructure located on their territory, as well as activities associated with that cyber infrastructure” [2] with some exceptions. Further, Rule 1 paragraph 8 stipulates that:
<blockquote class="tr_bq">A State may consent to cyber operations conducted from its territory or to remote cybercrime operations involving cyber infrastructure that is located on its territory.</blockquote>In this rule, the expert group gives the explicit example that a State may not have the technical ability to handle a situation within their territory, and thus may give permission for another State to conduct cyber activities within their jurisdiction.

Much of the discussion on sovereignty, jurisdiction and control stipulate the scope of control a State possesses; however, Rule 5 specifies the obligation of the State to other states. Specifically that “the principle of sovereign equality entails an obligation of all States to respect the territorial sovereignty of other States”. The expert group elaborates with Rule 5 paragraph 3 claiming that:
<blockquote class="tr_bq">The obligation to respect the sovereignty of another State… implies that a State may not `allow knowingly its territory to be used for acts contrary to the rights of other States’.</blockquote>Rule 5 paragraph 3 has interesting implications in cyber space. For example, the infrastructure of many different countries may be used in an attack against a single victim. Because of this rule, each country whose infrastructure was involved is obliged to not allow these attacks to continue once they are aware of such attacks. A State, however, is not necessarily obliged to actively look for attacks against other countries from its infrastructure.

In other words, if an attack is made from (or through) State A to State B, and State B makes State A aware of the attack, then State A is normally obliged to help in stopping — and presumably helping to investigate — the attack on State B, if possible.

The Tallinn Manual goes on with Rule 7 stating that an attack originating from a State is not proof of a State’s involvement, but “… is an indication that the Sate in question is associated with the operation”. However, instead of assuming that the State could be guilty, in this work we propose to assume the innocence of the state whose infrastructure is being used in an attack.

Let’s assume State B is affected by a cyber attack apparently originating from State A. State B then attempts to make State A aware of the attack. There is essentially one of three responses that State B will receive from State A: Response to collaborate, Response to not collaborate, or no response. In the case of no response if there is an assumption of innocence of State A, then State B may also assume that State A — being obliged to help — cannot stop the attacks because of lack of technical ability, resources, etc. In this way, consent to conduct remote cyber investigations on infrastructure within State A could potentially also be assumed.

In this way, when requests for assistance are made between States, if one State does not, or cannot, respond to the request, then cyber investigations can continue. Under this assumption, countries with intention to collaborate but limited investigation capacity, convoluted political and/or communication processes, or just no infrastructure will gain increased capacity to fight abuses of their infrastructure from countries that have more resources.

By assuming innocence of a state, at least four current problem areas can be improved. First, by assuming a State’s consent for remote investigation upon no reply to international assistance requests, this will lead to a reduction in delay during cross-border investigations for all involved countries despite weaknesses in bureaucratic official request channels. Second, such an assumption will force States to take a more active role in explicitly denying requests, if so desired, rather than just ignoring official requests, which is a waste of time and resources for everyone involved. Third, depending on the reason for the denial, such an explicit denial to investigate attacks against other countries would be slightly more conclusive proof of State A’s intention to attack, or allow attacks, on State B, and could potentially help where attack attribution is concerned. And finally, such an assumption may also hold where mutual legal assistance currently — and oftentimes — breaks down; when dual criminality does not exist between two countries [3].

Essentially, if an attack on Country B occurs from infrastructure in Country A, Country A will either want to help stop the attack or not. By assuming that Country A does want to help but is simply unable to, this forces Country A to be explicit about their stance on the situation while at the same time ensuring that international cybercrime investigations can be conducted in a timely manner.


James, J. I. (2013) “An Argument for Assumed Extra-territorial Consent During Cybercrime Investigations”. VFAC Review. Issue 25. [PDF]

Bibliography


<li>Malanczuk, P. (1997). Akehursts modern introduction to international law (7th ed.). Routledge.</li><li>Schmitt, M. N. (Ed.). (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press.</li><li>Harley, B. (2010). A Global Convention on Cybercrime?. Retrieved from http://www.stlr.org/2010/03/a-global-convention-on-cybercrime/</li>


Image courtesy of jscreationzs / FreeDigitalPhotos.net

6 min read

CybercrimeTech Interviewed!: Baby Got Bactria

Since the single went up in the middle of travelling for conferences and Police training, I didn’t get a chance to thank the very interesting history blog Baby Got Bactria for interviewing Cybercrimetech.
<div>
</div><div>In the single, Briana K. asked us about issues facing Central Eurasia in Cyberspace. To which I went off on a rant. See the rant here!: http://bactrianbria.blogspot.kr/2013/06/central-eurasia-and-internet-lovehate.html

Thanks again Baby Got Bactria!

</div>

~1 min read

Using XARGS to speed up batch processing

[Edit 24/7/2013] Be careful when using xargs to spawn multiple processes that write to the same file. I’ve been using it with md5sum and piping the output to a file. In data sets with a large number of files, several hundred hashes would be missing in the final file. A more reliable way is to use md5deep.


In our last single we compared md5sum, md5deep and openssl md5 to determine which is fastest at calculating different hashes. For that experiment we were using 1 thread. Essentially, a file comes in, it gets hashes, the next file comes in. With 1 threat, we saw 1 out of the 4 processors being used.

However, if we are processing a list of files, why not split the work into multiple jobs and use all of the processors. md5deep does this by default (4 threads), but splitting the jobs for any task is easily done with xargs.

xargs is a program that allows you to control arguments coming in from a pipe. For example, if we type ‘find -type f
md5sum’ then the list of found files would be hashed as one glob of data. To give each file name to md5sum, instead of all file names, we can use xargs to control how the output of find is piped to md5sum. For example, ‘find -type f xargs -n1 md5sum’ will feed one line at a time to md5sum, allowing md5sum to find the file and hash it.

You can also tell xargs how many threads to create using the -P switch. Since we have 4 processors, we will use 4 threads in this case.

Consider in the last single, were the times for hashing all files in a directory were as follows:
md5sum: real 3m46.117s
md5deep: real 3m57.595s
openssl: real 3m43.142s

(example: ‘find -type f
xargs -P4 -n1 md5sum’)
Using xargs (and all of the processors), the real times can be reduced to:
md5sum: real 1m57.196s
md5deep: real 2m5.408s
openssl: real 1m56.084s

md5deep recursive, default threads (4), no xargs:
real 2m0.521s

Note: the user and system time is the same as before because the same amount of processor time is being devoted to the tasks, however, there are more processors so the real time is much less.

Also, consider that all the files in the directory are different sizes, with the largest being 10GB. The majority of the time for each program was spent with 1 thread hashing the largest file, while the other processors had already finished hashing all the other files.
1 min read

md5sum vs. md5deep vs. openssl md5: MD5 calculation speed test

The following experiment is conducted to determine if md5sum, md5deep or openssl md5 hash calculations are faster than the others.

Methodology:
<div>Test 1: A directory of test files consisting of disk images and extracted Windows Registry files will be scanned with the command ‘find -type f | xargs -n 1 md5program’. The output of this command will be fed into each program, respectively. The time for the entire process to finish will be tracked with the time command. Xargs is being used to feed each line of output to the md5 program.</div><div>Test 1.1: After all programs have finished, the computer will be restarted, and the order the programs are ran in will be changed. For example, if md5sum was the first program in the first round, it will be the second program in the second round. This is to attempt to account for any caching that takes place in the operating system.</div><div>
</div><div>The result will be 9 timed runs for calculating the md5 sum of all files in a directory.</div><div>
</div><div>Test 2: Big files - In test 1, multiple files of different sizes will be continuously fed to the hashing program. In test 2, a single 10 GB disk image will be given to each program and timed.</div><div>
</div><div>Test machine:</div><div>Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz (4 cores)</div><div>8 GB RAM</div><div>Timing cached reads: 8892.40 MB/sec</div><div><div>Timing buffered disk reads: 403.98 MB/sec</div></div><div>
</div><div>Results:</div><div><table border="1" style="text-align: center;"><tbody><tr><td>md5sum, run 1</td><td>md5sum, run 2</td><td>md5sum, run 3</td></tr><tr><td>real 3m46.457s</td><td>real 3m46.117s</td><td>real 3m59.198s</td></tr><tr><td>user 0m42.183s</td><td>user 0m39.254s</td><td>user 0m42.235s</td></tr><tr><td>sys 3m3.595s</td><td>sys 3m6.300s</td><td>sys 3m16.096s</td></tr><tr><td>md5deep, run 1</td><td>md5deep, run 2</td><td>md5deep, run 3</td></tr><tr><td>real 3m57.595s</td><td>real 3m57.666s</td><td>real 4m2.255s</td></tr><tr><td>user 0m43.743s</td><td>user 0m43.567s</td><td>user 0m44.551s</td></tr><tr><td>sys 3m17.552s</td><td>sys 3m17.192s</td><td>sys 3m22.881s</td></tr><tr><td>openssl md5, run 1</td><td>openssl md5, run 2</td><td>openssl md5, run 3</td></tr><tr><td>real 3m48.130s</td><td>real 3m43.142s</td><td>real 3m50.619s</td></tr><tr><td>user 0m37.878s</td><td>user 0m37.462s</td><td>user 0m38.558s</td></tr><tr><td>sys 3m9.436s</td><td>sys 3m5.112s</td><td>sys 3m11.136s</td></tr></tbody></table>
Overall processor time:
Run 1, md5sum 3m45.77s; md5deep 4m01.29s; openssl 3m47.32s.
Run 2: md5sum 3m45.55s; md5deep 4m00.76s; openssl 3m42.57s.
Run 3: md5sum 3m58.34s; md5deep 4m07.43s; openssl 3m49.7s.

Average (rounded to second):
md5sum: 3m50s
md5deep: 4m03s
openssl: 3m46s

Test 1 Conclusions
While the ‘real’ time may be an interesting factor for investigators, what we are more interested in is the time that the program was using the processor. In this case ‘user’ is the time taken by the program in user mode, and sys is time in kernel mode. The basic idea is that we want a program that takes the least amount of time on the processor to do the same amount of work.

Note: from the data it appears that another process, perhaps an OS update, was taking place that affected all the programs.

Based on the average of the three runs, it appears that openssl is slightly faster, followed by md5sum and then md5deep.

It should be noted, however, that md5deep is not really being used in the way it was designed. For example, md5sum does not include a recursive mode, where md5deep does. If we run md5deep using its recursive mode - instead of find and xargs - then the time is actually slightly better than the others:

md5deep recursive - restricted to 1 thread
real 3m43.963s
user 0m41.327s
sys 3m2.103s

md5deep: 3m43s

So, in conclusion, if you are are feeding a list of files into an md5 hash program, openssl appears to be a slightly better choice over md5sum and md5deep. However, if you can choose how the file list is ingested, md5deep is probably a better choice because of speed and available features.

Test 2: Testing the time for each program to hash a 10 GB disk image. This test will not use find and xargs - it will use the program directly. md5deep will be restricted to 1 thread.

<table border="1" style="text-align: center;"><tbody><tr><td>md5sum</td><td>md5deep</td><td>openssl md5</td></tr><tr><td>real 1m44.558s</td><td>real 1m49.491s</td><td>real 1m43.475s</td></tr><tr><td>user 0m19.369s</td><td>user 0m20.421s</td><td>user 0m18.233s</td></tr><tr><td>sys 1m24.877s</td><td>sys 1m30.534s</td><td>sys 1m24.889s</td></tr></tbody></table>
md5sum: 1m44s
md5deep: 1m51s
openssl: 1m43s

For a single large file, it appears that openssl is also the fastest, followed by md5sum and then md5deep.

Please note: all of these tests are, at best, quite shallow. A proper testing environment with many more runs should be conducted.
<hr />
Bonus observation: As set, xargs will send 1 line to the hashing program and spawn 1 process. This process seems to switch between processors, even while the same hash is calculating.

</div><div class="separator" style="clear: both; text-align: center;"></div>

3 min read