eForensics Free Magazine 01.12. teaser


Transcript of eForensics Free Magazine 01.12. teaser

Page 1: eForensics Free Magazine 01.12. teaser

www.eForensicsMag.com

Issue 1/2012 (1) July

ORACLE FORENSICS
Detection of Attacks Through Default Accounts and Passwords in Oracle

FREE
VOL. 1 NO. 1

• ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND

• LIVE CAPTURE PROCEDURES

• MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE

• ISSUES IN MOBILE DEVICE FORENSICS

• INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE

• DRIVE AND PARTITION CARVING PROCEDURES


As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Improve your Firewall Auditing

Device auditing: Scanners vs Nipper Studio (feature comparison)

• Password Encryption Settings
• Physical Port Audit
• Network Address Translation
• Network Protocols
• Time Synchronization
• Warning Messages (Banners) *
• Network Administration Services *
• Network Service Analysis *
• Password Strength Assessment *
• Software Vulnerability Analysis *
• Network Filtering (ACL) Audit *
• Wireless Networking *

* Limitations and constraints will prevent a detailed audit

[email protected] / +44 (0)845 652 0621

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com



Dear Readers!

Digital forensics is a very young field of science, but nowadays it's becoming more and more popular. Although it was originally designed for investigating crimes, it soon became a big part of computer systems engineering and contributed to the development of mobile devices. To meet your professional interests we have created a new publication devoted to digital forensic issues. I present to you our first eForensics offspring - eForensics Free Magazine. It's a monthly compilation of the best articles from four titles: eForensics Mobile, eForensics Computer, eForensics Database and eForensics Network.

Within the issue of eForensics Free you will find two positions concerning mobile forensics, an article about network forensics, three pieces focused on computer forensics and an article about database forensics.

The article created by M-Tahar Kechadi and Lamine Aouad will discuss the increasingly important role of mobile forensics in criminal investigations, law disputes and in information security. Eamon Doherty will describe tools used to recover data from mobile devices. Craig S. Wright will introduce you to free tools which can be used to create a powerful network forensics and incident response toolkit. Arup Nanda will show you how to identify potential attacks by adversaries through default accounts. George Chlapoutakis guides you step by step through a digital forensic investigation.

Last but not least, I would like to announce the beginning of two article series. One of them, by Craig S. Wright, will take you through the process of carving files from a hard drive. The other, by Praveen Parihar, will take you on a journey through advanced steganography.

Thank you all for your great support and invaluable help.

Enjoy reading!
Aleksandra Bielska & eForensics Team


TEAM

Editor: Aleksandra Bielska, [email protected]

Associate Editors: Sudhanshu Chauhan ([email protected]), Praveen Parihar ([email protected]), Hussein Rajabali ([email protected])

Betatesters/Proofreaders: Nicolas Villatte, Jeff Weaver, Danilo Massa, Cor Massar, Jason Lange, Himanshu Anand, Dan Hill, Raymond Morsman, Alessandro Fiorenzi, Nima Majidi, Dave Mikesch, Brett Shavers, Cristian Bertoldi, Jacopo Lazzari, Juan Bidini, Olivier Caleff, Johan Snyman

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Mateusz [email protected]: Mateusz Jagielski

Production Director: Andrzej [email protected]

Marketing Director: Ewa Dudzic

Publisher: Software Media Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


6. ISSUES IN MOBILE DEVICE FORENSICS, by Eamon Doherty
This article discusses some of the mobile devices and accessories that one may encounter on a suspect during an investigation, examples of usage of these mobile devices and accessories, and the tools that one can use to examine them. The article also starts off with some certifications that make one more marketable in this emerging field. In this article the author discusses using tools such as AccessData's FTK, Guidance Software's EnCase, and RecoverMyFiles to recover evidence from a digital camera with a FAT file system.

12. MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE, by M-Tahar Kechadi, Lamine Aouad
While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. In this article the authors share some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

8. LIVE CAPTURE PROCEDURES, by Craig S. Wright
As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. Once, analysing a disk drive was the source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem, however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require. In this article the author introduces a few tools that, although free, can be used together to create a powerful network forensics and incident response toolkit.

24. ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND, by Praveen Parihar
Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications. In this article the author discusses methods of steganography.

28. INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE, by George Chlapoutakis
Fraud can take many forms, and can take place practically anywhere, any time and in any way. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have little to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? In this article the author shares his experience from the point of view of the digital forensics investigator.

32. DRIVE AND PARTITION CARVING PROCEDURES, by Craig S. Wright
This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is, and also work through identifying the length in sectors of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. We start by learning about hard disk drive geometry.

38. DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE, by Arup Nanda
An Oracle database comes with many default userids (and, worse, well known default passwords), which ideally shouldn't have a place in a typical production database, but database administrators may have forgotten to remove the accounts or lock them after setting up the production environment. This provides one of the many ways an adversary attacks a database system: by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article the author will show you how to identify such attacks and trace them back to the source quickly and effectively. You will also learn how to set up a honeypot to lure such adversaries into attacking so as to disclose their identity.
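The blurb above describes the attack pattern (an adversary guessing its way through well known default userids) and promises a way to spot it in the audit trail. The following is an added example, not code from Arup Nanda's article (which is not part of this teaser): a small Python detector run over a constructed audit-trail export. The account list is an illustrative subset of schemas that ship with Oracle, the column names, client hosts and the 5-minute window are assumptions for the example, and return code 1017 is ORA-01017 (invalid username/password), the code Oracle records for a failed logon.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of accounts that ship with Oracle installations (assumed list for
# the example; in practice derive it from DBA_USERS on the database being audited).
DEFAULT_ACCOUNTS = {"SYS", "SYSTEM", "SCOTT", "DBSNMP", "OUTLN", "CTXSYS",
                    "MDSYS", "XDB", "ORDSYS", "WMSYS", "HR", "OE"}

FAILED_LOGIN = 1017   # ORA-01017: invalid username/password; logon denied
SUCCESS = 0

# Constructed sample rows in the shape of an audit-trail export (timestamp, username,
# OS user, client host, return code). Not taken from a real database.
SAMPLE_AUDIT = """timestamp,username,os_username,userhost,returncode
2012-07-01 02:14:05,SCOTT,appsrv,10.0.0.7,1017
2012-07-01 02:14:06,DBSNMP,appsrv,10.0.0.7,1017
2012-07-01 02:14:07,OUTLN,appsrv,10.0.0.7,1017
2012-07-01 02:14:08,SYSTEM,appsrv,10.0.0.7,1017
2012-07-01 02:14:12,SCOTT,appsrv,10.0.0.7,0
2012-07-01 09:30:00,HR,jdoe,10.0.0.21,1017
2012-07-01 09:30:20,HR,jdoe,10.0.0.21,0
2012-07-01 11:00:00,APPUSER,batch,10.0.0.9,0
"""


def parse_records(text):
    """Turn the CSV export into dicts with a datetime and an integer return code."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "username": row["username"].upper(),
            "os_username": row["os_username"],
            "userhost": row["userhost"],
            "returncode": int(row["returncode"]),
        })
    return rows


def find_default_account_attacks(records, window=timedelta(minutes=5), min_accounts=3):
    """Flag a client host that fails logons against >= min_accounts distinct default
    accounts inside `window`, and report any later successful logon to one of them
    (a single forgotten password on one account, as with HR below, is not flagged)."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["userhost"]].append(r)

    alerts = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs
                 if r["returncode"] == FAILED_LOGIN and r["username"] in DEFAULT_ACCOUNTS]
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            tried = {f["username"] for f in in_window}
            if len(tried) < min_accounts:
                continue
            compromised = sorted({r["username"] for r in recs
                                  if r["returncode"] == SUCCESS
                                  and r["username"] in tried
                                  and r["ts"] >= first["ts"]})
            alerts.append({"userhost": host,
                           "os_username": first["os_username"],
                           "first_seen": first["ts"],
                           "accounts_tried": sorted(tried),
                           "successful_logins": compromised})
            break   # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_default_account_attacks(parse_records(SAMPLE_AUDIT)):
        print(alert)
```

The host and OS user in each alert are the "source" the blurb talks about tracing back to; the successful_logins list is the part that turns a noisy brute-force alert into an incident, because a guess that worked means the default password was still in place.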

MOBILE

NETWORK

COMPUTER

DATABASE


CYBER CRIME LAWYERS

Pannone are one of the first UK firms to recognise the need for specialist cyber crime advice. We can both defend and prosecute matters on behalf of private individuals and corporate bodies.

We are able to examine material or secure evidence in-situ and will then represent your needs at every step of the way. 

Our team has a wealth of experience in this growing area and is able to give discreet, specialist advice.

www.pannone.com

Please contact David Cook on

0161 909 3000

for a discussion in confidence or email

[email protected]



MOBILE

MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE
While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. This article shares some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

The information and data era is rapidly evolving. As a result, there has been an exponential growth of consumer electronics, and especially mobile devices, over the past few years, with ever-increasing trends and forecasts for the coming years. Mobile devices have already overtaken PCs, and mobile data traffic is expected to increase 18-fold over the next five years to approach 11 exabytes per month, according to Cisco Systems [1]. Their computing power, storage, and functionality have tremendously increased. Phones have been transformed from simple handheld devices, essentially making and receiving calls or text messages, into highly effective devices capable of doing more or less everything a desktop or a laptop computer can do, and even more. A large range of Android-based smartphones, iPhones, BlackBerrys, and even tablet products, are all examples of these mobile devices. Their typical storage capacity today is higher than that of a powerful desktop back in the late 1990s! And the vast majority also accept memory cards.

This tremendous computational and storage capacity has turned mobile devices into data repositories capable of computing and storing a large amount of personal, organisational and also sensorial information. Indeed, although these devices can be input limited, they have remarkable context awareness because of all the sensors and various connectivity options. Unfortunately, criminals use this technology. They have not missed this proliferation of mobile systems and its data revolution, and these devices are being used as a support to criminal activities. For instance, earlier this year, a US officer found out that the suspect he was about to arrest was using his smartphone to listen to the police secure channels streaming via the Internet! [2]. All classes of crimes can involve some type of digital evidence (a photo, a video, a received or emitted call, messages, web pages, etc.). These devices are also commonly used in social networking nowadays, and in carrying out sensitive operations online, including online banking, shopping, electronic reservations, etc. Hacking then becomes a huge problem. In February 2011, hackers were remotely monitoring the calls made and received from about 150,000 infected mobile devices in China [3]. Another example is the Zeus man-in-the-mobile Trojan, discovered in September 2010, which was the first Trojan in the mobile devices environment to compromise online banking's two-factor authentication mechanism [4][5]. It is indeed quite easy for cyber criminals to build a Trojan application nowadays [6], because these mobile systems are at their early stages.

Valuable information can then be obtained from a mobile device: text messages, e-mails, communication logs, contacts, multimedia files, geo-location information (GPS and Wi-Fi hotspots), etc. These can only help in answering crucial questions in cybercrime investigations and solving the related cases. However, there are still a huge number of challenges facing a forensics investigator in obtaining forensically sound evidence from these devices. In this article, we present the process of recovering digital evidence and its challenges, and then share some information about current methods and tools, and a few prospects for the future.


Forging IT Security Experts
secureninja.com

• Security+

• CISSP®

• CEH (Professional Hacking) v7.1

• CAP (Certified Authorization Professional)

• CISA

• CISM

• CCNA Security

• CWNA

• CWSP

• DIACAP

• ECSA / LPT Dual Certification

• ECSP (Certified Secure Programmer)

• EDRP (Disaster Recovery Professional)

• CCE (Computer Forensics)


• CHFI

• ISSEP

• Cloud Security

• Digital Mobile Forensics

• SSCP


• Security Awareness Training

… And more

Sign Up & Get Free Quiz Engine from cccure.org

Free Hotel Offer on Select Boot Camps
Offer ends on Jan 31, 2012 - Call 703-535-8600 and mention code: PentestNinja to secure your special rate.

Welcome Military - Veterans Benefits & GI Bill Post 9/11 Approved
WIA (Workforce Investment Act) Approved

Expert IT Security Training & Services

703 535 8600
www.secureninja.com


NETWORK

LIVE CAPTURE PROCEDURES
As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. Once, analysing a disk drive was the source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem, however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require.

As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. To do this, we need to become familiar with the various tools that are available for these purposes. In this article, we look at a few of the more common free tools that will enable you to capture traffic for analysis within your organisation. Once, analysing a disk drive was the source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem, however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require. For this reason alone we would require the ability to capture and analyse data over networks, but when we start to add all of the other benefits, we need to ask: why are you not already doing this?

LIVE CAPTURE PROCEDURES
In the event that a live network capture is warranted, we can easily run a network sniffer to capture communication flows to and from the compromised or otherwise suspect system. There are many tools that can be used (such as Wireshark, Snort and others) to capture network traffic, but tcpdump is generally the best capture program when set to capture raw traffic. The primary benefit is that this tool minimises any performance impact while allowing the data to be captured in a format (pcap) that can be loaded into more advanced protocol analysers for review. That stated, there are only minor differences between tcpdump and WinDump (its Windows port), and most of what you can do in one is the same on the other (some flags do vary).

Tcpdump
Tcpdump uses the libpcap library. It can capture traffic from an interface or read it back from a file. This means that you can save a capture and analyse it later, which is a great aid in incident response and network forensics. With a file such as "capture.pcap", we can read and display the data using the "-r" flag. For instance, "tcpdump -r capture.pcap" will replay the data saved in the file "capture.pcap". By default, this will display the output on the screen. In reality, the data is sent to stdout (standard output), but for most purposes the console and stdout are one and the same thing. Using BPF (Berkeley Packet Filter) expressions, you can also restrict the output, both collected and saved. In this way, you can collect all data to and from a host and then strip selected ports (or services) from this saved file. Some of the options that apply to tcpdump include (quoted with alterations from the Red Hat tcpdump man page):

-A Print each packet (minus its link level header) in ASCII.
-c Exit after receiving a set number of packets (the count is given after -c).
-C Before writing a raw packet to a savefile, check whether the file is currently larger than a given file_size. Where this is the case, close the current savefile and open a new one.
-d Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd Dump packet-matching code as a C program fragment.
-ddd Dump packet-matching code as decimal numbers (preceded with a count).
-D Print the list of the network interfaces available on the system and on which tcpdump can capture packets.
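To show what "collect everything to and from a host, then strip selected ports from the saved file" actually does to a pcap file, here is an added example in Python (not code from the article or from tcpdump itself). It builds a tiny capture from constructed Ethernet/IPv4/TCP frames, writes it in the classic pcap layout that tcpdump -w produces, reads it back the way tcpdump -r does, and applies the equivalent of the BPF expression "host H and not port P" to decide which frames to keep. The addresses, ports and timestamps are invented for the example.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Constructed sample traffic, not a real capture;
    the IP and TCP checksums are left at 0 because nothing here validates them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(frames, t0=1341100800):
    """Serialise frames as a pcap file: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, captured length, original length) before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) pairs; this is what tcpdump -r does before filtering."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap file")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def parse_frame(frame):
    """Pull addresses and ports out of an Ethernet/IPv4/{TCP,UDP} frame (None otherwise)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[14 + 9]
    info = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": proto, "sport": None, "dport": None}
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info


def matches(info, host=None, not_ports=()):
    """Emulate the BPF expression 'host H and not port P1 and not port P2 ...'."""
    if host is not None and host not in (info["src"], info["dst"]):
        return False
    return info["sport"] not in not_ports and info["dport"] not in not_ports


def filter_pcap(data, host=None, not_ports=()):
    """Return the frames that 'tcpdump -r in.pcap -w out.pcap <expr>' would keep."""
    kept = []
    for _, frame in read_pcap(data):
        info = parse_frame(frame)
        if info and matches(info, host, not_ports):
            kept.append(frame)
    return kept


if __name__ == "__main__":
    capture = write_pcap([
        build_tcp_frame("10.0.0.5", "10.0.0.1", 51000, 22, b"ssh"),
        build_tcp_frame("10.0.0.1", "10.0.0.5", 22, 51000, b"ssh"),
        build_tcp_frame("10.0.0.5", "10.0.0.9", 51001, 80, b"GET / HTTP/1.0\r\n"),
        build_tcp_frame("10.0.0.3", "10.0.0.9", 51002, 443, b""),
    ])
    kept = filter_pcap(capture, host="10.0.0.5", not_ports=(22,))
    print(len(kept), "frame(s) kept; first is", parse_frame(kept[0]))
```

The same selection on a real file is a one-liner, tcpdump -r capture.pcap -w host.pcap 'host 10.0.0.5 and not port 22'; the point of doing it by hand once is to see that a pcap file is nothing more than a header plus length-prefixed frames, so a truncated or partially overwritten capture can still be walked record by record up to the damage.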


COMPUTER

ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND
Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications.

Steganography means covert writing: hiding confidential information inside a cover file. This cover file can be in the form of pdf, xls, exe, jpeg, mp3 or mp4, etc.

The Least Significant Bit (LSB) method is the most famous and fascinating one whenever steganography is discussed, because the case study of hiding secret text behind an image genuinely sounds interesting. To understand this concept, we first need to understand how an image is classified and what happens when a single bit is altered in an image, as described below.

Images are composed of small elements called pixels; a pixel is the essential component of an image, and we have basically three types of images:
1) Black and white - each pixel is composed of a single bit and is either a zero or a one.
2) Grayscale - each pixel is composed of 8 bits (in rare cases, 16 bits) which define the shade of grey of the pixel, from zero (black) to 255 (white).
3) Full color - also called 24-bit color as there are 3 primary colors (red, green, blue), each of which is defined by 8 bits.

Although there are different types of images, we assume here that a grayscale image has been used. 8-bit grayscale consists of pixels which have 2^8 = 256 possible levels of grey, and each bit of a pixel contributes a different share of the information:

1. LSB (Least Significant Bit) contributes 1/256th of the information

2. MSB (Most Significant Bit) contributes 1/2 of the information

So, changing the LSB only affects 1/256th of the intensity, and humans simply cannot perceive a difference. In fact, it is difficult to perceive a difference of 1/16th of the intensity range, so we can alter the 4 LSBs with little or no perceptible difference. The two images shown here illustrate why steganography has become famous and how an image does not get visibly distorted even when we embed secret or confidential information in it.

(Original Image)
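The following is an added example, not code from the article: a Python implementation of the LSB method described above on an 8-bit grayscale pixel buffer. The cover "image" is a constructed gradient rather than a real picture, and the 16-bit length prefix in front of the payload is my own framing choice so the extractor knows where the hidden data ends. The example goes one step beyond the text by taking the number of low bits k as a parameter, so you can check the claim that the largest intensity change is 1 level for the LSB alone and 15 levels (just under 1/16th of the range) when the 4 LSBs are used.

```python
def make_cover(width=16, height=16):
    """Constructed 8-bit grayscale cover (a diagonal gradient), not a real image:
    one byte per pixel, 0 = black, 255 = white."""
    return bytearray(((x * 8 + y * 8) & 0xFF) for y in range(height) for x in range(width))


def embed(cover, payload, k=1):
    """Hide payload in the k least significant bits of each pixel, in pixel order.
    A 16-bit big-endian length prefix lets the extractor know where to stop."""
    if not 1 <= k <= 8:
        raise ValueError("k must be between 1 and 8")
    data = len(payload).to_bytes(2, "big") + payload
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) > len(cover) * k:
        raise ValueError(f"payload needs {len(bits)} bits, cover holds {len(cover) * k}")
    bits = bits.ljust(-(-len(bits) // k) * k, "0")          # pad to a multiple of k
    stego = bytearray(cover)
    mask = (1 << k) - 1
    for i in range(0, len(bits), k):
        # clear the k low bits of this pixel, then drop the next k payload bits in
        stego[i // k] = (stego[i // k] & ~mask & 0xFF) | int(bits[i:i + k], 2)
    return stego


def extract(stego, k=1):
    """Read the k low bits of every pixel back and honour the length prefix."""
    mask = (1 << k) - 1
    bits = "".join(f"{p & mask:0{k}b}" for p in stego)
    length = int(bits[:16], 2)
    body = bits[16:16 + length * 8]
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def max_intensity_change(cover, stego):
    """Largest per-pixel difference out of 256 grey levels; bounded by 2**k - 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    for k in (1, 4):
        stego = embed(cover, b"hidden", k)
        print(k, extract(stego, k), "max change", max_intensity_change(cover, stego))
```

Note what the capacity check tells you from the forensic side: a 16x16 cover holds only 32 bytes at k=1, so a real payload forces the embedder towards larger covers or more LSBs, and the more LSBs are used, the more the low-order bit planes stop looking like sensor noise.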


COMPUTER

INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE
Fraud can take many forms, and can take place practically anywhere, any time and in any way. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have little to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? Where does one start, where does one go and where does one end up? What do we investigate, how do we go about it and with what tools?

In this article, I will attempt to share my experiences investigating such systems from the point of view of the digital forensic investigator who first arrives at the scene of the crime, from the moment of arrival to the end report submitted to the client.

Let us, then, start our journey from the moment we (the digital forensic investigators) get the fateful call, where we are told it's a case of fraud in the Driving Test Centre and we have been called to investigate it and present a report.

To begin with, it should be stated that, as most driving test centres are part of a country's internal services, we are always going to be dealing with a mixture of government officials (of the middle-management persuasion) and local law enforcement, and we are always going to need to deal with red-tape-style bureaucracy, where everything moves much more slowly than when dealing with the private sector.

This means we are going to be dealing with the nightmare scenario where our crime scene is possibly several months old and very seriously tainted (as non-essential government bodies tend to respond fairly slowly, and after much red tape, to such cases), and where normal digital forensic processes and practices don't usually work. The nightmare comes from the fact that, in such a scenario, you cannot explicitly trust the data you collect or any information that you are given and cannot corroborate in a straightforward way. The data has been tainted, the exams are running 2-3 times a week and the test centre cannot be closed down for the duration of the investigation, so we are told we have to release the (many, plus servers) computers within a very specific and finite length of time (1-2 days at most).

So, we arrive in the vicinity of the crime scene (the building).


COMPUTER

DRIVE AND PARTITION CARVING PROCEDURES
This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is, and also work through identifying the length in sectors of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. This process is one that will help the budding analyst or tester in gaining an understanding of drive partitions and hence how they can recover and carve these from a damaged or formatted drive. We start by learning about hard disk drive geometry.

The format of this article is a step by step process that is designed to take the reader through the analysis of a hard drive. Although the process may vary somewhat for each drive, the fundamentals remain the same, and following these steps will allow the analyst to recover drive partitions that have been damaged or formatted even when the automated tools fail.

THE BEGINNING
There are a number of commands we shall be using in this article that are fairly standard on most Linux distros. In this article, it is assumed that the analyst has already created a bitwise raw image of the hard disk drive to be examined using "dd" or a similar tool.

The commands we will start with to copy our MBR (master boot record):

• dd if=Image.dd of=MBR.img bs=512 count=1
• ls -al *img
• khexedit MBR.img &

Here, we first extract the MBR from our image file (in this case Image.dd) and write the data to a file called MBR.img. Note that we have extracted only the first 512 bytes (one block of bs=512, count=1), and we can validate the size of this file using the command "ls -al *img". The last command opens the extracted sector in a hex editor so the offsets discussed below can be checked by eye.

MASTER BOOT RECORD (MBR)

In most drive formats that we will analyse (there are exceptions on some RISC systems, etc.), each partition entry is always 16 bytes in length. Furthermore, the last two bytes of any MBR are the end-of-MBR marker 0x55AA, without exception. Many modern Linux and Macintosh systems and the most recent Intel PCs have started using GPT instead of MBR: MBR limits partitions to 2.19 TB, which is why it is being replaced. We will look at other partition formats in later papers.

Partition   Offset (hex)   Byte place (decimal)
1st         0x01BE         446
2nd         0x01CE         462
3rd         0x01DE         478
4th         0x01EE         492

Table 1. The HDD table (offsets of the four 16-byte partition entries in the MBR)
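The checks described above (the 0x55AA marker and the four 16-byte entries at 0x01BE, 0x01CE, 0x01DE and 0x01EE) can be applied to the MBR.img produced by the dd command. The following is an added worked example, not code from the article or its author: it decodes the entries into the starting sector and length in sectors of each partition, which are the values the later parts of the series use for carving, and it works on a constructed 512-byte MBR so it runs without a disk image. The 512-byte sector size, the entry layout (status byte, CHS start, type byte, CHS end, 32-bit LBA start, 32-bit sector count) and the generated dd command line are assumptions of this example, not statements from the article.

```python
import struct

MBR_SIZE = 512
SECTOR_SIZE = 512                 # assumed sector size; matches the article's bs=512
PARTITION_TABLE_OFFSET = 0x01BE   # decimal 446, the 1st of four 16-byte entries
ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"
SIGNATURE = b"\x55\xaa"           # the last two bytes of every MBR: 0x55 0xAA


def read_mbr(image_path):
    """Read the first 512 bytes of a raw image, like 'dd if=Image.dd bs=512 count=1'."""
    with open(image_path, "rb") as f:
        return f.read(MBR_SIZE)


def has_valid_signature(mbr):
    """True when the block carries the 0x55AA end-of-MBR marker at bytes 510-511."""
    return len(mbr) >= MBR_SIZE and mbr[510:512] == SIGNATURE


def parse_partition_table(mbr):
    """Decode the four primary partition entries at 0x1BE/0x1CE/0x1DE/0x1EE.

    Returns one dict per non-empty entry with the starting sector, the length in
    sectors and the equivalent byte offsets needed to carve the partition out of
    the image. A missing 0x55AA marker raises, since the table cannot be trusted.
    """
    if not has_valid_signature(mbr):
        raise ValueError("0x55AA signature missing: not an MBR, or a damaged one")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        entries.append({
            "index": i + 1,
            "entry_offset": off,             # 446, 462, 478 or 492 (Table 1)
            "bootable": status == 0x80,
            "type": ptype,                   # partition type id, e.g. 0x83 for Linux
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_start": lba_start * SECTOR_SIZE,
            "byte_length": sectors * SECTOR_SIZE,
        })
    return entries


def carve_command(image_path, entry):
    """dd command line that would extract this partition from the image (assumed form)."""
    return "dd if={img} of=part{n}.img bs={bs} skip={skip} count={count}".format(
        img=image_path, n=entry["index"], bs=SECTOR_SIZE,
        skip=entry["lba_start"], count=entry["sectors"])


def build_sample_mbr():
    """Constructed 512-byte MBR with two partitions: sample data, not a real disk."""
    mbr = bytearray(MBR_SIZE)
    # entry 1: bootable, type 0x07, starts at LBA 2048, 204800 sectors (100 MiB)
    mbr[0x1BE:0x1CE] = struct.pack(ENTRY_FORMAT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    # entry 2: not bootable, type 0x83, starts right after the first, 409600 sectors (200 MiB)
    mbr[0x1CE:0x1DE] = struct.pack(ENTRY_FORMAT, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 206848, 409600)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_partition_table(build_sample_mbr()):
        print(p)
        print(carve_command("Image.dd", p))
```

On a real case, replace build_sample_mbr() with read_mbr("MBR.img"); a formatted or damaged drive will often still carry the 0x55AA marker and an intact table, which is why the later parts of the series can fall back on these offsets when automated tools fail.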


A Network breach... Could cost your Job!

GENERAL SECURITY TRAINING
CISSP™ CISSP & Exam Prep
C)ISSO Certified Information Systems Security Officer
C)SLO Certified Security Leadership Officer
ISCAP Info. Sys. Certification & Accred. Professional

PENETRATION TESTING (AKA ETHICAL HACKING)
C)PTE™ Certified Penetration Testing Engineer
C)PTC™ Certified Penetration Testing Consultant

SECURE CODING TRAINING
C)SCE™ Certified Secure Coding Engineer

WIRELESS SECURITY TRAINING
C)WSE™ Certified Wireless Security Engineer
C)WNA/P™ Certified Wireless Network Associate / Professional

DR&BCP TRAINING
DR/BCP Disaster Recovery & Business Continuity Planning

VIRTUALIZATION BEST PRACTICES
C)SVME™ Certified Secure Virtual Machine Engineer

DIGITAL FORENSICS
C)DFE™ Certified Digital Forensics Examiner

IS YOUR NETWORK SECURE?

Worldwide Locations

Global I.T. Security Training & Consulting

In February 2002, Mile2 was established in response to the critical need for an international team of IT security training experts to mitigate threats to national and corporate security far beyond USA borders in the aftermath of 9/11.

Other Mile2 services available Globally:
1. Penetration Testing
2. Vulnerability Assessments
3. Forensics Analysis & Expert Witnesses
4. PCI Compliance
5. Disaster Recovery & Business Continuity

We practice what we teach.....

1-800-81-MILE2
+1-813-920-6799

INFORMATION ASSURANCE SERVICES

mile2 Boot Camps

www.mile2.com™

Available Training Formats
1. F2F Classroom Based Training
2. CBT Self Paced CBT
3. LOT Live Online Training
4. KIT Study Kits & Exams
5. LHE Live Hacking Labs (War-Room)

Other New Courses!!
ITIL Foundations v.3 & v.4
CompTIA Security+, Network+
ISC2 CISSP & CAP
SANS GSLC GIAC Sec. Leadership Course
SANS 440 Top 20 Security Controls
SANS GCIH GIAC Cert Incident Handler

(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC. GSLC & GCIH are trademarks of GIAC.

11928 Sheldon Rd Tampa, FL 33626


DATABASE

DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE

An Oracle database comes with many default userids (and, worse, well-known default passwords), which ideally shouldn’t have a place in a typical production database, but database administrators may have forgotten to remove or lock the accounts after setting up the production environment. This provides one of the many ways an adversary attacks a database system: by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article you will learn how to identify such attacks and trace them back to the source quickly and effectively. You will also learn how to set up a honeypot to lure such adversaries into attacking so as to disclose their identity. Besides that, you will also be able to determine why a legitimate user account got locked out and needs unlocking or a password reset.

BACKGROUND

An Oracle database typically comes with several default accounts. Some of them are necessary for database operations; examples of such userids are SYS and SYSTEM, which have the DBA privileges. Other default accounts such as SCOTT, SH, BI, etc. are for demonstration only and are never needed by an application using that database. These accounts should not have been created in the first place. The Database Configuration Assistant (DBCA) has a checkbox to install the sample schemas (the SCOTT user), which should have been unchecked for a production database. Many DBAs, while creating the database, likely ignore it, resulting in the schema being present. In other cases, the production database may be an upgrade from its earlier incarnation as a development or QA database where these sample schemas were indeed necessary and created. With the upgrade, these schemas have lost their significance; but in the spirit of changing as little as possible during the database upgrade, they are usually left untouched and continue to linger. Whatever the reason was, these default accounts leave a backdoor entry to the database. Another problem is the presence of default passwords.
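The article promises to show how such attacks are identified and traced back to their source, and how a legitimate lock-out is explained; that method is not on this page. The following is an added example, not the article's own technique or code, of the kind of detection logic a DBA can run over the database audit trail. The record layout is an assumption modelled on the columns of Oracle's DBA_AUDIT_TRAIL view (TIMESTAMP, USERNAME, OS_USERNAME, USERHOST, ACTION_NAME, RETURNCODE), the records themselves are constructed sample values, and the threshold, the watch list of default accounts (taken from the names the article gives) and the error codes ORA-01017 (invalid username/password) and ORA-28000 (account locked) are the example's own choices.

```python
from collections import Counter, defaultdict

# Default and sample accounts named in the article. A real watch list would be
# generated from the DBA's own inventory of accounts that production never needs.
DEFAULT_ACCOUNTS = {"SYS", "SYSTEM", "SCOTT", "SH", "BI"}

ORA_INVALID_CREDENTIALS = 1017   # ORA-01017 invalid username/password; logon denied
ORA_ACCOUNT_LOCKED = 28000       # ORA-28000 the account is locked

# Constructed audit records (assumed layout: timestamp, username, os_username,
# userhost, action_name, returncode), ordered by time. Sample data, not real output.
SAMPLE_AUDIT = [
    ("2012-07-01 02:14:03", "SCOTT",  "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 02:14:05", "SCOTT",  "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 02:14:08", "SH",     "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 02:14:11", "BI",     "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 02:14:14", "SYSTEM", "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 02:14:20", "SYS",    "nobody", "ws-42.example.net",     "LOGON", 1017),
    ("2012-07-01 08:01:10", "JSMITH", "jsmith", "laptop-17.example.net", "LOGON", 1017),
    ("2012-07-01 08:01:25", "JSMITH", "jsmith", "laptop-17.example.net", "LOGON", 1017),
    ("2012-07-01 08:01:40", "JSMITH", "jsmith", "laptop-17.example.net", "LOGON", 1017),
    ("2012-07-01 08:02:02", "JSMITH", "jsmith", "laptop-17.example.net", "LOGON", 28000),
    ("2012-07-01 08:03:00", "SYSTEM", "oracle", "dbhost.example.net",    "LOGON", 0),
]


def failed_default_logons(records):
    """Count failed logons against default accounts, keyed by (userhost, os_username).

    The value for each source is a Counter of the default accounts it tried.
    """
    per_source = defaultdict(Counter)
    for _ts, user, os_user, host, action, rc in records:
        if action == "LOGON" and rc == ORA_INVALID_CREDENTIALS and user in DEFAULT_ACCOUNTS:
            per_source[(host, os_user)][user] += 1
    return per_source


def flag_sources(records, threshold=3):
    """Sources whose failed default-account logons reach the threshold, most active first.

    Returns [(userhost, os_username, total_failures, distinct_accounts_tried), ...].
    Many distinct default accounts from one host is the signature of guessing,
    whereas a single account failing repeatedly is more often a misconfigured client.
    """
    flagged = []
    for (host, os_user), per_user in failed_default_logons(records).items():
        total = sum(per_user.values())
        if total >= threshold:
            flagged.append((host, os_user, total, len(per_user)))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


def explain_lockout(records, username):
    """Show what led to a user's ORA-28000.

    Returns (timestamp of the lock, or None if the user was never locked,
             [(timestamp, userhost, os_username), ...] of the failed logons before it),
    so the DBA can see whether the user's own machine or another source used up
    the attempts before unlocking the account or resetting the password.
    """
    failures, locked_at = [], None
    for ts, user, os_user, host, action, rc in records:
        if user != username or action != "LOGON":
            continue
        if rc == ORA_ACCOUNT_LOCKED:
            locked_at = ts
            break
        if rc == ORA_INVALID_CREDENTIALS:
            failures.append((ts, host, os_user))
    return locked_at, failures


if __name__ == "__main__":
    for host, os_user, total, distinct in flag_sources(SAMPLE_AUDIT):
        print(f"{host} ({os_user}): {total} failed logons across {distinct} default accounts")
    print(explain_lockout(SAMPLE_AUDIT, "JSMITH"))
```

Running it on the constructed records flags ws-42.example.net, which cycled through five default accounts in under twenty seconds, and shows that JSMITH's lock-out was caused by three failures from the user's own laptop rather than from a foreign host. The same two functions work unchanged on rows fetched from the real audit trail once they are mapped to the assumed tuple layout.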


In the Upcoming Issue of

Smartphone Forensics & More...

Available to download on August 13th

If you would like to contact eForensics team, just send an email to [email protected]. We will reply a.s.a.p.

eForensics Magazine has the right to change the content of the next Magazine Edition.


Quality

Integrity

Sense of Security
Compliance, Protection and

[email protected]

Now Hiring

Sense of Security is an Australian-based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry-leading services and research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on teamwork, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to [email protected] and quote reference PTM-TS-12.

Teamwork

Innovation

Passion



The Only Magazine about Pentesting

200 Pages of the Best Technical Content Every Month

8500 Readers

4 Specialized Issues

To learn more visit: http://pentestmag.com/.
For any questions or inquiries please mail us at: [email protected].

PenTest gives readers an excellent opportunity to observe security trends on the market, and gives companies a way to share their invaluable knowledge.

From theory to practice, from methodologies and standards to tools and real-life solutions!
