Securing Windows

INFORMATION SECURITY and Anti‐Forensics

by MISSIONMAN | V2 | FINAL

AbstractWhere there is a data leak there is a helpful LEO to pick up the

slack and throw you in jail for it. This guide attempts to educate you on some of the best security practices and anti‐

forensics techniques so that doesn’t happen. From news reporters to people who want to download and watch child

porn; this guide will help keep you safe.

P a g e | 1

Dedication

This guide is dedicated to the wonderful Law Enforcement Agencies of

the world; if they didn’t try to fuck us over all the time, I wouldn’t care

enough to make this guide in the first place.

P a g e | 2

InformationSecurityandAnti‐Forensics

TableofContents

Dedication ..................................................................................................................................................... 1

Chapter 1 _The CIA Triad ........................................................................................................................... 5

Chapter 2 _ Recommendations ................................................................................................................. 6

Chapter 3 _ Encryption ............................................................................................................................ 10

3.1. Encryption Dealing with Confidentiality ..................................................................................... 11

3.2. Encrypting Files or the Hard Drive .............................................................................................. 12

3.3. Securely Exchanging Messages or Data ...................................................................................... 15

3.4. Steganography ............................................................................................................................ 17

3.5. Authentication Factors ................................................................................................................ 18

3.6. Password Attacks and Account Recovery Attacks ...................................................................... 18

3.7. Creating Secure Passwords ......................................................................................................... 19

3.8. Hashing, Hashing Collisions, and Birthday Attacks ..................................................................... 19

3.9. Cold Boot Attacks ........................................................................................................................ 21

Chapter 4 _ Data ...................................................................................................................................... 22

4.1 Deleted Data ............................................................................................................................... 23

4.2 Deleting Data Securely ................................................................................................................ 24

4.3 File Slack ...................................................................................................................................... 25

4.4 Where to Hide Your Data ............................................................................................................ 26

4.5 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache ..................... 26

4.6 Temporary Application Files and Recent Files Lists .................................................................... 28

4.7 Shellbags ..................................................................................................................................... 32

4.8 Prefetching and Timestamps ...................................................................................................... 33

4.9 Event Logs ................................................................................................................................... 34

4.10 Printers, Print Jobs, and Copiers ................................................................................................. 34

4.11 Cameras, Pictures, and Metadata ............................................................................................... 36

4.12 USB Information .......................................................................................................................... 37

P a g e | 3

4.13 SSD – Solid State Drives .............................................................................................................. 38

4.14 Forensic Software Tools .............................................................................................................. 39

Chapter 5 _ Continuity ............................................................................................................................. 40

5.1 Security Concerns with Backups ................................................................................................. 41

5.2 Security Concerns with Sleep and Hibernation........................................................................... 41

5.3 Ensuring Information and Service Continuity ............................................................................. 41

5.4 DoS and DDoS attacks ................................................................................................................. 42

Chapter 6 _ System Hardening ................................................................................................................ 45

6.1. Uninstall Unnecessary Software ................................................................................................. 46

6.2. Disable Unnecessary Services ..................................................................................................... 46

6.3. Disable Unnecessary Accounts ................................................................................................... 47

6.4. Update and Patch Windows and Other Applications ................................................................. 48

6.5. Password Protection ................................................................................................................... 48

Chapter 7 _ Antivirus, Keyloggers, Firewalls, DLP’s, and HID’s ................................................................ 50

7.1. Antivirus ...................................................................................................................................... 51

7.2. Hardware Keyloggers .................................................................................................................. 51

7.3. Firewalls ...................................................................................................................................... 52

7.4. DLP’s ............................................................................................................................................ 52

7.5. HIDS’s and NID’s .......................................................................................................................... 53

7.6. Other Considerations .................................................................................................................. 53

Chapter 8 _ Networks .............................................................................................................................. 54

8.1. Private vs. Public IP Address ....................................................................................................... 55

8.2. MAC Address ............................................................................................................................... 55

8.3. Public Wireless ............................................................................................................................ 56

8.4. Security Protocols ....................................................................................................................... 58

8.5. Chat Sites ‐ How Attackers Attack ............................................................................................... 59

8.6. Other Considerations .................................................................................................................. 61

8.7. Extra: MAC Address Spoofing and ARP Attacks ‐ How they work .............................................. 62

Chapter 9 _ Web Browser Security .......................................................................................................... 64

9.1. Downloading and Using the Tor Browser Bundle ....................................................................... 65

9.2. Configuring Web‐Browsers and Applications to Use Tor ............................................................ 67

9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care? ........................................ 68

9.4. JavaScript .................................................................................................................................... 68

9.5. Cookie Protection and Session Hijacking Attacks ....................................................................... 69

P a g e | 4

9.6. Caching ........................................................................................................................................ 69

9.7. Referers ....................................................................................................................................... 70

9.8. CSRF/CSRF Attacks (XSS Attack) .................................................................................................. 71

9.9. Protect Browser Settings ............................................................................................................ 71

9.10. DNS Leaks ................................................................................................................................ 71

9.11. User Awareness, Accidents and System Updates ................................................................... 72

9.12. Limitations ............................................................................................................................... 73

9.13. Extra ........................................................................................................................................ 73

Chapter 10 _ Standard Acronyms .......................................................................................................... 75

Chapter 11 _ Download Links ................................................................................................................ 76

P a g e | 5

In this guide I am going to reference a well‐known security policy that was developed to identify

problem areas and the recommended solutions when dealing with information security. This policy is

known as the CIA and stands for: Confidentiality, Integrity, and Availability. This triad was developed so

people will think about these important aspects of security when implementing security controls. There

should be a balance between these three aspects of security to ensure the proper use and control of

your security solutions.

Confidentiality is, as the word implies, having something be confidential or secure. In essence, privacy is

security and confidentiality means that third party individuals cannot read information if they do not

have access to it. Data to think about keeping confidential is data stored on a computer (temporary

data, data saved, etc.), data stored for backup, data in transit, and data intended for another person.

Confidentiality will be the main focus point of this article as it is most often referred to as the most

important aspect of security.

The I in CIA stands for Integrity and is specifically referring to data integrity. Integrity is the act of

ensuring that data was not modified or deleted by parties that are not authorized to do so. It also

ensures that if the data was changed, that the authorized person can make changes that should not

have been made in the first place. Simply, if you send a message to someone, you want to make sure

that the person does not receive a message that was altered during transit. Integrity also confirms that

you are in fact speaking to who you think you are speaking to (for example: we download an add‐on

from the website, you want to make sure that you are downloading from that website and not an

unscrupulous third‐party).

Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not

only does data have to be available to you, but it has to be reasonably accessible. There's no point in

security controls if you cannot access the data! This component is a concern, but for the average end

user, there is not much that can be done to ensure availability when dealing with webpages, or IRC

servers or anything else managed by a third party host. For this reason we will not be discussing

Availability except for backing up your data in this guide.

Chapter1_TheCIATriad

P a g e | 6

indows was not built with security in mind, therefor should not be used. Tails is

recommended as it is a live DVD or USB that was created to preserve your anonymity and

privacy. It allows you to browse the internet anonymously and safely as all applications are

preconfigured to run through Tor. Other uses includes encrypting your files, sending and receiving

emails and instant messaging, photo editing, document editing and more. Tails also operates

completely in RAM so it does not leave a trace on your computer. RAM is Random Access Memory and

is wiped when the machine shuts down. Everything that you want saved is done so in secure, encrypted

persistent storage. Tails link: Here. A step‐by‐step for installing Tails can be found here. If you cannot

use Tails – or better yet – do not want to use Tails, you should make sure that Windows is secure.

Windows:

Truecrypt – I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that

all evidence is encrypted thus allowing you to skip Chapter 4. If you do not want to enable FDE, I

would create a container and have a Virtual Machine inside the container. Otherwise,

EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS. (Section 3.2)

Tor Browser Bundle– This allows you to browse the internet anonymously. Using TBB will also

allow you to visit .onion sites as well as to join the .onion IRC servers with TBB’s instance or Tor.

(Section 9.1)

Anti‐Virus (AV) and a Firewall – This will keep your computer protected from viruses as well as

remote intruders (most all‐in‐one anti‐virus software has these features). (Section 7)

I have decided to move a recommendation from later on in this guide to up here. One good

recommendation is to create and use a standard account with no Administrative privileges. This

way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would

make sure your username does not contain your full name as many applications such as Pidgin

can share this information. Furthermore, make sure that you create a Windows password that

is difficult to guess/attack, as your computer can be explored using that password, over the

network.

(Optional) TorChat – TC is a chat application that runs over Tor to provide an anonymous way to

chat. (Section 2)

(Optional) IRC Client – An IRC client allows you to enter Tor chat rooms to talk to many

individuals at one time. You will need one with proxy settings so you can run the client through

Tor. Make sure to NOT use DCC as it can expose your IP address. There are several IRC servers

W

Chapter2_Recommendations

P a g e | 7

that run over Tor (.onion addresses) that you can use. They are all logically connected, so

connecting to one will connect you to all. (Section 2)

(Optional) GPG – for sharing messages and files back and forth over a common medium, GPG

ensures confidentiality and integrity. (Section 3.3)

(Optional) Tormail email address – Tormail is an email service that runs through Tor, so it

provides anonymity. I recommend using Tormail with GPG when communicating via email. The

link to tormail is http://tormail.net/. Once loaded you will be prompted to visit

http://jhiwjjlqpyawmpjx.onion/ via tor.

Tryitout–SetupIRCclientforTor

1. Download your IRC client. Personally, I use Pidgin. The link is provided for you: http://pidgin.im/. There is a portable version of Pidgin available if you plan on using the client on several machines (which is not recommended as the computer can contain spyware). Also, Pidgin allows you to connect to several servers at once in the chance you get disconnected from a server or a netsplit occurs.

2. To create an account, Click Accounts followed by Manage Accounts. You can add as many accounts as you want; I created a few accounts to connect to the different IRC servers for the reason described above.

3. Select Add. Under Basic, your settings should look like this: Protocol – IRC, Username – your username, Server – IRC server (listed below), Local alias – your username. Again, you can use any of the several Tor IRC servers as they are all connected. Alternatively, you can use one of the several IRC relays instead of connecting to the Tor servers directly.

4. Under Advanced, your settings should look like this: Port – 6667, Username – your username. In Pidgin, if you do not specify a username under the Advanced settings, your username will be exposed. When you enter or leave the chat room the username will appear before the hostname. For example, if your ID is TheBest and your username is Bob, then it will appear as TheBest [Bob@OnionNet].

5. Under Proxy, your settings should look like this: Proxy type – SOCKS 5, Host – 127.0.0.1, Port ‐9050 (Tor Port). If you are using Privoxy, the port will be 8118.

6. Click Buddies and Join a Chat to join a channel. Add Chat will permanently add the channels to the Chats list so you don’t have to remember the channel name every time. Right‐clicking the chat under Chats will give you a host of options. I selected Persistent to receive the messages in the chat‐room even though they are not currently open. You can use /list to get a list of all the channels or you can use /join #room to join a specific room. #security and #public are two good channels when asking general questions or questions related to privacy or security.

7. You can use the /msg “username” command to send a private message to someone or use the /query “username” command which will open a new window in both clients for private messaging. I would advise looking up the IRC client commands for full functionality. Also, even though I recommended disabling DCC, the servers disable the functionality altogether.

8. Lastly, you should know that most ‐if not all‐ IRC clients cache your username for functionality. Pidgin, takes this further by creating logs for specific channels and individual users that you chat with using private messaging by default. Under Preferences > Logging, you should disable Log all instant messages and Log all chats.

P a g e | 8

IRCServersHere is a list of the Tor IRC servers (note that all servers are linked):

Mixie: 4eiruntyxxbgfv7o.onion (Down)

FTW: ftwircdwyhghzw4i.onion

Renko: renko743grixe7ob.onion (Down)

PB: jkpos24pl2r3urlw.onion (Down)

Nissehult: nissehqau52b5kuo.onion

IRCChannelsHere is a list of some of the popular Tor IRC channels (ordered by user count at the moment of writing):

#boys! #knaben

#pedo #torchan

#cams #public

#mjb #security

#girls #hackbb

Tryitout–TorChat:

1. Download TorChat from github as it is now the official source for the TorChat project. At of the time writing the article, the direct link is https://github.com/prof7bit/TorChat. Once the page is loaded, click the Downloads button over on the right. Select the latest build as denoted by the version number. Make sure to download the Windows executable version for Windows, Debian / Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to do. If the build is in Alpha, then it is not recommended.

2. The file will be downloaded as a .zip file. Once the file is fully downloaded, open the file and extract the contents with your favorite archive file manager. I extracted the file to the default location in Windows which is the Downloads folder. You can move the folder at any time as TorChat is portable.

3. Open the TorChat folder, expand the bin folder, and run torchat.exe to start TorChat for the first time. Once loaded, you will be provided your TorChat ID (16 characters that are comprised of letters and numbers).

4. To add a contact, just right‐click in the white space of the program and click Add Contact… Alternatively, you can edit the buddy‐list file in the bin directory. Double‐clicking a contact will initiate a chat (right‐clicking and selecting Chat…, will accomplish the same thing). You can also edit and delete a contact by Right‐Clicking the user and selecting the appropriate function. Sending a file is as simple as dragging the file into the chat window or right‐clicking the username and selecting Send file… (Windows can only send one file at a time whereas Debian/Ubuntu can send many at one time).

5. If you are upgrading your version of TorChat than make sure to backup and copy over bin\buddy‐list.txt, bin\Tor\hidden_service\hostname, and bin\Tor\hidden_service\private_key. If you do not copy over the latter two files, you will be provided a new TorChat ID.

P a g e | 9

Tryitout–InstallingTails:

1. Download Tails from the official Tails website. You can either download Tails via the direct link or the Torrent; which might be faster. However, the direct link is recommended as is downloading and verifying the Tails Signature. The link to the Tails download page is here: Here. Under option 2, select the latest release to start downloading. To verify the download, use GPG to verify the Tails signature to ensure that your image has not been modified in any way

2. Once downloaded you have a couple of options: you can burn the image to a DVD or a USB (the image is too big to fit on a CD). If you burn the image on a DVD‐R, an attacker cannot modify the contents as the disk is read only. This also means that you cannot save anything or make any permanent changes on the disk. DVD‐RW and the USB can be written to and re‐written to, meaning files and settings can be saved in persistent storage. But, this comes at a risk as an attacker can maliciously modify Tails

3. Installing an image to a DVD is easy, all you need is the right software. ISO Image Burner is a good software for Windows that can do this for you. Mac’s and computers running Ubuntu can burn the image natively. Once your ISO burning program is open, insert the blank DVD into the disk drive and burn the Tails ISO image to the blank disk (or a DVD‐RW disk)

4. When installing the Tails ISO image onto a USB, it is recommended that you download and install Oracle VM VirtualBox, and use that virtualization program to boot into Tails. Otherwise, you cannot create persistent storage for saving files and settings. Once you successfully boot into Tails, you can use the built in Tails USB installer to install Tails on the USB device

5. I downloaded and installed VirtualBox from here. Once installed, start VirtualBox and Click New to create a new VM. Fill out the Name textbox, select Linux for the Type, and select Other Linux for the version. Proceed past the next page and select Do not add a virtual hard drive and click Create. At the top of the Oracle VM VirtualBox Manager click on Settings to modify the settings of the VM you just created. Select Storage and next to Controller: IDE click on the little disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you just downloaded. Under Controller: IDE you should see the image you just selected. Selected that image and check Live CD/DVD over on the right under Attributes. Click OK. Start the VM to boot into Tails.

6. At this point you should be asked if you would like to view more options. I am going to kill two birds with one stone and cover how to install Tails on a USB as well as what I recommend after you install the ISO on the USB. Select Yes on this screen and create an Administrator password on the next screen. Under Applications > Tails you can create a persistent volume as well as use the Tails USB Installer. When creating a persistent volume, I would select all the applications you will use as well as if you are going to save any materials.

P a g e | 10

ncryption is the process of encoding messages (or information) in such a way that eavesdroppers

or hackers cannot read it, but that authorized parties can. Using cryptography three purposes are

fulfilled: confidentiality, integrity, and non‐repudiation. Encryption has long been used by

militaries and governments to facilitate secret communication. It is now commonly used in protecting

information within many kinds of civilian systems. Also, many compliance laws require encryption to be

used in businesses to ensure that confidential client data be secured if the device or data is stolen. In

this section I will be talking about using encryption for confidentiality and integrity. Non‐repudiation is

used, but is not normally implemented for our purposes.

Topics

This Chapter will cover the following topics:

Encryption Dealing with Confidentiality

Encrypting Files or the Hard Drive

Securely Exchanging Messages or Data

Steganography

Authentication Factors

Password Attacks and Account Recovery Attacks

Creating Secure Passwords

Hashing, Hashing Collisions, and Birthday Attacks

Cold Boot Attacks

E

Chapter3_Encryption

P a g e | 11

3.1. EncryptionDealingwithConfidentiality

Computer encryption is based on the science of cryptography, which has been used as long as humans

have wanted to keep information secret. The earliest forms of encryption where the scytale’s and the

creation of cipher texts. These forms of cryptography would rely on both parties knowing the key used

or the correct cipher before the message could be delivered. Here's an example of a typical cipher, with

a grid of letters and their corresponding numbers:

1 2 3 4 5

1 A B C D E

2 F G H I/J K

3 L M N O P

4 Q R S T U

5 V W X Y Z

If a general wanted to send the message “I love ponies” he would write the series of corresponding

numbers: 42 13 43 15 51 53 43 33 42 51 34. Only the person with this cipher text would be able to

reach the message. Now obviously, to make the message more difficult to decipher, the letters inside

the table would be arranged differently. Computer encryption uses algorithms to alter plain text

information into a form that is unreadable. Most people believe that AES will be a sufficient encryption

standard for a long time coming: A 128‐bit key, for instance, can have more than

300,000,000,000,000,000,000,000,000,000,000,000 key combinations. Today’s AES standard is AES

256bit encryption which has 256 ^ 2 possible combinations.

As we said before, there are many reasons for encryption. One purpose of encryption is the act of

transforming data from a state that is readable to a state that cannot be read by a third party that does

not have permission. The result of the process is encrypted information (in cryptography, referred to as

ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to

as decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can

implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts

information as well as decrypts it.

There are two types of encryption that should be used for two different purposes: symmetric (private

key encryption) and asymmetric (public key encryption). Symmetric encryption is used the most

because it is fast, easy to use, and is the most widely needed. You will use this form of encryption when

there is only one password being used (such as TrueCrypt or another simple file encryption utility).

Asymmetric encryption on the other hand uses two keys, one to encrypt information and the other to

decrypt the information.

P a g e | 12

3.2. EncryptingFilesortheHardDrive

You will most commonly want to encrypt files for storage or if you want to upload them to several

people securely. There are a couple of programs that support this type of encryption and most of you

probably already heard of them. These programs I am referring to are TrueCrypt and WinRAR and they

both provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire

hard drive or to create an encrypted container. WinRAR on the other hand is a program that allows you

to create an encrypted archive. Remember that symmetric file encryption has only one key for the

encryption and decryption process. So you will need to share the key if you plan on sharing the files.

Note: WinRAR can be cracked and there might exist a backdoor to your encrypted files. This program

is only meant to exchange material in the public without any individual to see what is contained. DO

NOT STORE SENSITIVE DATA ENCRYPTED WITH WINRAR ON YOUR COMPUTER. USE TRUECRYPT.

Below is an example of a very simple encryption process known as the Caesar’s Cipher:

Symmetric Encryption Asymmetric Encryption

P a g e | 13

In this example, as with the fundamentals of the Caesar Cipher, all the characters are shifted, usually by

3 characters. If he wanted to say "You will never guess this," for instance, he'd write down "BRXZLOO

HYHU JXHVV WKLV" instead. As you can see, the text is also broken up into even groups in order to

make the size of each word less obvious. You can change the orders of the letters and change the

number of shifts per letter to complicate the process for the attacker even further.

Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted

container. When mounted, it will look as another drive on your computer. TrueCrypt containers are

secure but using them still comes with the risks of leaving your recent files lists, thumb files, and other

temporary and cache data exposed. It is recommended that you use TrueCrypt and encrypt the entire

disk for maximum security. Investigators cannot determine whether or not you have a hidden volume in

your TrueCrypt container unless you tell them. You can also use TrueCrypt to encrypt portable drives

using the Traveler Disk Setup. For information about using TrueCrypt on SSD’s, please reference SSD –

Solid State Drives (section 4.10).

Tryitout–CreateTrueCryptContainer

1. Start TrueCrypt 2. Click on Volumes (menu item) in TrueCrypt 3. Click on Create New Volume... (menu item) 4. Select Create an encrypted file container (radio button) and click Next > (button) 5. Select Hidden TrueCrypt volume (radio button) and click Next > (button) 6. Select Normal mode (radio button) followed by Next > (button) 7. Click Select File... (button) 8. In this step you will specify the name and location of your TrueCrypt container. If you try to save

the file and get an “access denied” error, try creating the container in your Documents folder or elsewhere. Choose the location in the Explorer window and specify the File name: (edit) in Specify Path and File Name [...]. Click Save (button) in the Specify Path and File Name dialog box

9. Click Next > (button) followed by Next > (button) on the next page 10. In the dropdown, I selected AES (list item) for the Encryption Algorithm. This is the most secure

and provides 256bit encryption which is a 32 character password. You can read up on the other encryption algorithms for further explanation. SHA‐512 (list item) was my choice for the Hash Algorithm. You can also read further on the hashing algorithms. Click Next > (button)

11. In this step you want to specify the size of the TrueCrypt container. Most likely you will want to select GB (radio button) to specify you want to size to be in Gigabytes. This is recommended if you are going to store pictures or videos. In the textbox, enter the total size that you want to container to be and not just the size of your Outer Volume. So, if you want your Outer Volume to be 50GB and your Inner Volume to be 25GB, you will need to enter 75 here. Click Next

12. Enter and re‐enter your password for the Outer Volume Password. This is the password that you will be able to reveal if you are forced to do so. You are allowed to enter a password up to 64 characters

P a g e | 14

13. For the Large Files step, I selected Yes, so it would format as NTFS; it is up to you though. Click Next > (button)

14. Once all the settings are set, move your mouse around to add security. Click Format (button) to start formatting the volume. Depending on the size and your hard drive speed and other factors, this process could take several hours. Once complete click Next > (button)

15. You will now create your Hidden Volume, or the volume that you do not want others to find. Select Next > (button) to start the process

16. I used the same settings as before. Click Next > (button) until you are prompted to create the Hidden Volume Size. This size is less than the Outer Volume Size and should leave ample room so you can store enough non‐private data in your Outer Volume whilst allowing plenty of room for private material in this Hidden Volume. Click Next > (button)

17. Create a Hidden Volume Password. This password should be as secure as this container will hold your private data. The maximum possible length for a password in this step is also 64 characters. This is the password that you do not want to give out under any circumstances. The government cannot determine if a hidden container exists therefore they will not know that this password even exists. Do not fall victim to social engineering attacks whereas someone tricks you into giving them the password.

18. Select Next > (button), choose whether Large Files are going to be used in the next window, and click Format (button) to finalize the process (again, make sure to move your mouse around on that step for better security)

19. Open TrueCrypt again and mount the Outer container. To start, I would mount the Outer Container so we can add some decoy data in there in case you are forced to give the password. To do this, just select the drive letter, click Select File… (button), select the TrueCrypt file you created in Step 8, and press Mount. Simply, you will enter the Outer Volume password or the Hidden Volume password depending on which volume you want to mount. Make sure when moving decoy data over that it is completely legal and that it CANNOT be confused for something illegal. Also, make sure it would be something you would truly want hidden. Porn, data backups, and etc. are good ideas. To move the files over to either of these volumes you will simply open Windows Explorer and navigate to the drive letter.

Tryitout–WinRAR:

1. If you are in the WinRAR program window, select the file(s) and click the Add button. This is denoted as an icon of a stack of books with binding around them. Alternatively, you can right‐click the file(s) in the explorer window and click Add to archive…

2. The Archive name and parameters page will open. Please note the size of the file you are about to upload and the size limit that you are allowed to upload on each site.

3. In the Split to volumes, bytes input field under the General tab, enter the appropriate size of each archive. For example: If you have a file that is 200MB (or 204800KB) and the file upload size limit is 50MB, for the Split to volumes, bytes input field, you will enter 50MB. In this case four files will be created, each 50MB a piece.

4. Select the Advanced tab and hit the Set Password… button. Enter the password in the first field and re‐enter the password for verification. Remember this password; if it is lost the file is NOT recoverable. Most people also select Encrypt file names for extra security.

P a g e | 15

When using TrueCrypt, as presented in the “Try it out” section, it is a good idea to use a hidden

container. Here’s why… Let’s say you have two videos: video A and video B. Video A is of your pet

hamster frolicking around in the fish‐tank with your preciousness goldfish named Garry (the fish, not the

hamster). On the other hand, Video B is a recording of your grandmother doing the naughty with the

pizza delivery man. Now, I am going to make a sweeping assumption in claiming that you don't mind

other people seeing video A, so it is deemed that the video can be "public" or "not hidden." Video B on

the other hand is just plain nasty and if the pizza delivery man were 12, and you needed to hide that

video at all costs, this video would need to be "private" or "hidden." So, you would stick Video A in the

container that you could give the key away to and Video B would go in a container that you would

protect at all costs. If you use the key for Video A, you can see video A and so forth.

So, on the same lines, a hidden container (or, a hidden OS), is a hidden, encrypted container that the

LEA cannot prove exists. So, you have two keys: a key for the public container and a private

container. You can unlock one or the other at one time, but not both at the same time. So, you can give

the LEA the key that opens up your public container whilst hiding the key for your private

container. The LEA cannot determine if you have a private, hidden OS, or a private container. If you use

the key for your non‐sensitive container, you will boot into container.

In essence (when dealing with hidden OS’s), think of two Operating Systems on one computer and you

can choose which one to boot into depending on the password. A hidden OS, is hidden and the LEA

cannot prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding

your other material and use it when you need it. A hidden OS also has all the sensitive data leaks

inherent with any OS. So, instead of anti‐forensic techniques or saying, "opps, I forgot the password",

you can view all sensitive material in the hidden OS and not worry about anything sensitive being leaked

(paging, recent file lists, db files, caching, etc). Remember this: if you are forced to give the encryption

key, you can do so whilst keeping your hidden container hidden which is the main advantage of a hidden

container.

3.3. SecurelyExchangingMessagesorData

The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data.

But what if you wanted to send a message to somebody? Somehow, you will need to share the key

while reducing the risk of anyone being able to intercept the password and use it to decrypt the data.

Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of

encryption there are two keys used, a public key and a private key. The public key is given to the world

and is used to encrypt data whereas the private key is used to decrypt the data and to verify the data

being received is legitimate. A popular program to securely share data and messages between two

people (using asymmetric encryption) is PGP or GPG (GPG being a free replacement for PGP).

P a g e | 16

Tryitout‐GPG: For Windows (since this is a Windows guide), I recommend downloading and installing Gpg4win. If you are using Linux you can simply use gpg and stick with command line. Here is a guide from their website on how to install the program: http://gpg4win.de/handbuecher/novices_5.html. When Gpg4win is installed, follow these steps to create your key pair for encryption/decryption (note: the following instructions are for creating a key size of 4096 which I recommend. You can create a 2048bit encryption key using the program Kleopatra):

1. Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in Search Programs and Features. A black box should pop up

2. Type in gpg ‐‐gen‐key 3. Enter 1 and press Enter 4. The default key is 2048, I recommend 4096 5. Set the value to 0 here. If you set the key to expire, you will need to go through this same

process of creating and redistributing your public keys. When is asks for a confirmation, enter y 6. Your real name will most likely be your screenname. I will enter missionman here 7. For this step, input an email address. For this I entered my tormail email address. 8. Enter a comment if you wish, this step is optional 9. If you wish to change something, now is the time to do it. Everything is correct and I am done so

I will enter o 10. At this point you should see a popup prompting you to create a ‘secret key.’ This is also referred

to as a ‘private key’. Make sure when creating this password that it conforms to strong password guidelines

11. Re‐enter the password to confirm you entered it correctly 12. You will now want to type a lot of random data in a text program of your choice or move your

mouse around the screen so the key can be generated until the key generation is complete 13. If there are no errors, then you have successfully created your public and private key! 14. Now, to give people your Public key (which they use to encrypt data they want to send to you)

you will type in gpg ‐‐export ‐a ‘username’ > c:\public.key. For example I typed in gpg ‐‐export ‐a missionman > c:\missionman.key

Encryptinganddecryptingamessage/file:1. First, find the location of your file or save a message to a text document 2. The command to encrypt a file is gpg ‐e ‐‐output "output file" ‐‐local‐user "your username" ‐r

"recipient" ‐‐armor ‐‐sign "filename". For example, I typed in gpg ‐e ‐‐output C:\encrypted.txt ‐‐local‐user missionman ‐r testuser ‐‐armor ‐‐sign clear.txt. ‐‐detach‐sig will create a separate signature file

3. To decrypt a file you will simply enter gpg‐d ‐‐local‐user “username” ‐o “output file” “input file”. For example, I entered gpg‐d ‐‐local‐user missionman –o C:\decrypted.txt C:\encrypted.txt.

P a g e | 17

Here is an example of a GPG encrypted message:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.17 (MingW32) mQINBFAisdkBEADQeOmbSJ5acqwBAxAEKicWg50sPSR0oO0roRsrSziDpnJf+nxC Y5uUDPOCs/KDHeSv1XIvK0yv5rpesh7lZeIESpJSyBG9IlEl8vQhmt+Bohy53xWs r5NJIktmeU+whCil8X9SYndc63UrdOoEVlKLApLDrskR91NDbx/YAv/YeNYQO4iB jP38E0bRliO5yxHENZLdP0PAhksBnC/rYXOiilBHqUFMKZJzaH1flTBjpiawojb1 9jOQPcIQ8eNC3EKl0LkaZs9dzlmF69ore8A3swck+bHnII9dhzmJS09iMc1KQDHb xjeF3XzvaQzwq6TtZcRyzEpcHtnIBe2w6LNgSEzuEIPKHVLKqDWfzbuAL6/+DPGf -----END PGP PUBLIC KEY BLOCK-----

When you give someone the message – or key or signature – you want to copy all the text including

everything you see in the example above.

3.4. Steganography

Another good form of encryption is steganography which is the act of hiding data within text, graphic

files, or audio files. The purpose of this method is so that nobody will know that there is a private

message inside the medium (photo, document, etc.) because it is hidden. Let’s say Bob wants to send

private messages to Steve over a public forum read by numerous people. Bob grabs a picture, puts a

hidden message inside and uploads it to the website. Nobody knows the message is there except for

Steve, which is able to save the picture to his computer and read the message hidden inside. Forensic

examiners will need to be looking at each individual file to determine if steganography was used. So for

example if you have 1000 pictures, they will need to go through each and every one to determine which

ones have steganography and which ones do not.

Note: ‐‐armor specifies the output is easily copied when you copy the text versus sending

the file and ‐‐sign attaches a digital signature so the receiver knows it is coming from you.

Note: If you want people to send you messages or files, you will give out your PUBLIC key.

NEVER GIVE OUT YOUR PRIVATE KEY, EVER! Also, make sure that nobody steals your

private key; keep it on an encrypted drive. You can exchange public keys or data either via

in a file, or plain text in a forum. Here is a good site with some of the common commands:

http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg‐cs.html

P a g e | 18

Using steganography is as easy as downloading the right software from the internet. I started out by

downloading one of the more popular freeware tools out now: F5, then moved to a tool called

SecurEngine, which hides text files within larger text files, and lastly a tool that hides files in MP3s called

MP3Stego. I also tested one commercial steganography product, Steganos Suite. These tools may

contain backdoors as with all encryption programs therefor should not be used with data you are trying

to hide from any party that may hold the decryption key.

3.5. AuthenticationFactors

There are three common authentication factors in the security field that people refer to often. This is

something you know, something you have, and something you are. A username and password falls into

the something you know category. This is because you know in your mind what your username and

password is. Something you have is a physical device such as a smart card or token. Finally, something

you are refers to a fingerprint, an iris scan, or another physical feature.

When setting up TrueCrypt most people only use a password, which is adequate for most scenarios.

Another feature of TrueCrypt allows for multifactor authentication, which is as it implies, when the user

uses two or more authentication factors. Multifactor authentication relies on both factors when trying

to decrypt the file or get into your system and is recommended to provide the best security. The link

provided will elaborate more on key files, security tokens, and smart cards when using TrueCrypt: Click

here

3.6. PasswordAttacksandAccountRecoveryAttacks

There are several types of password attacks that people

perform when trying to decrypt information. These are

known as dictionary attacks, brute force attacks, and

random guess attacks. Creating complex passwords will

help prevent against dictionary attacks. Creating long

passwords will help prevent against brute force attacks.

And creating passwords that do not include your

username or any other identifiable information will help

against random guess attacks. This is why your password

should be long, complex, and should not include any

identifiable information.

Case: The Sarah Palin email hack occurred

on September 16, 2008, during the 2008

United States presidential election

campaign when the Yahoo! personal email

account of vice presidential candidate

Sarah Palin was subjected to unauthorized

access. The hacker, David Kernell, had

obtained access to Palin's account by

looking up biographical details such as her

high school and birthdate and using

Yahoo!'s account recovery for forgotten

passwords.

P a g e | 19

Another common attack that people do not usually think of is account recovery attacks. This is when

someone is trying to login into your account by attempting to reset your password by using your

account recovery questions. For this reason you should make sure when creating security questions and

answers that they are not easily guessed (or found). A good recommendation is to make the answers as

complicated as the passwords, but still can be easily remembered.

3.7. CreatingSecurePasswords

The problem with passwords is they are usually too easy to crack or they are too hard for the users to

remember. Therefore, both of these problems should be considered when creating a new password.

Start by creating a password that is at least 16 characters. Use as many different types of characters as

possible, including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous

password and never use the same password for more than one account. Don’t use password‐storage

tools, whether software or hardware. Make sure that your password does not include anything

identifiable such as: names, usernames, pet names, or words in a dictionary. Lastly, make sure that the

password is not too hard for you to remember so you don’t forget the password or have to write it

down or save it. Here is an example of a site that can create a secure password: click here.

3.8. Hashing,HashingCollisions,andBirthdayAttacks

When people refer to hashing, they are referring to a type of encryption. Hashing is the process of

creating an encrypted output that cannot be decrypted (it performs a one‐way encryption) and is used

to ensure that a message or file was not modified from the original copy. Hashing is also commonly

used to help authenticate somebody. For example, many websites store a hashed copy of your

password instead of the password in the clear. There are several types of hashing algorithms and the

newer versions are better than the outdated versions for security purposes. SHA256 is the newest

version and is recommended as of right now when you are checking file or message hashes.

Using asymmetric encryption provides integrity as well as the already explained confidentiality. When

you successfully decrypt a message that another user sent you, you have verified its integrity. Another

way to ensure integrity is to create the hash of a file or a message and allow people to check the hash

they generate against the hash you gave them. For example: let’s say Bob uploads a file for Steve. Bob

uploads a file and generates a hash (let’s say a value of 456) so Steve can make sure that when he

downloads the file, it was not changed along the way. After downloading and saving the file, Steve also

generates a hash of the saved file. If Steve generates the same hash, the file was not altered. But if

Steve generates a different value (let’s say 334), than the file has been changed. Personally, I use

HashMyFiles because it is easy to use and is a standalone program.

P a g e | 20

Tryitout–Hashing

1. Downloading and save this file: http://ocrlwkklxt3ud64u.onion/files/1343933815.txt. If the file opens up in your browser, then save everything to a text file and save as ‘hash.txt’

2. Download the program HashMyFiles and start it when that is complete 3. Click File > Add Files and select ‘hash.txt’ 4. Record the hash of the file (press F7 on your keyboard) * I used MD5 for this test 5. Compare your hash to the hash I generated before uploading the file

(83a814a08b5edfa57c003415224f8b46)

Another good method of ensuring that a file is actually sent from someone who claims they sent it is if

they digitally sign a message using their private key. What you need to know is that you can digitally

sign a message or file without actually sending the message or file. This is helpful if you want to share a

file in which everybody knows what the password is whilst allowing them to confirm that it came from

you.

Tryitout–DigitalSignatures

1. I am assuming that have already setup GPG and have created your Private/Public key pair 2. Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in Search

Programs and Features. A black box should pop up 3. The command to create a digital signature is gpg ‐‐output “output file” ‐‐local‐user “user name”

‐‐detach‐sign “input file”. For example, I typed in gpg ‐‐output final.sig ‐‐local‐user missionman ‐‐detach‐sign test.txt

4. To verify the digital signature, type gpg ‐‐verify “signature” “file name”. For example, I typed in gpg ‐‐verify final.sig c:\test.txt

While talking about hashing, I should mention Hashing Collisions. Hashing Collisions occur when two

distinctly different messages produce the same hash result. Birthday attacks attempt to exploit this

vulnerability by relying on the likelihood of the collisions occurred between the random attack attempts

and the number of permutations. “As an example, consider the scenario in which a teacher with a class

of 30 students asks for everybody's birthday, to determine whether any two students have the same

birthday. Intuitively, this chance may seem small. If the teacher picked a specific day (say September

16), then the chance that at least one student was born on that specific day is 1 ‐ (364/365)^{30}, about

7.9%. However, the probability that at least one student has the same birthday as any other student is

around 70.”

P a g e | 21

3.9. ColdBootAttacks

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side

channel attack in which an attacker with physical access to a computer is able to retrieve encryption

keys from a running operating system after using a cold reboot to restart the machine. The attack relies

on the data remanence property of DRAM and SRAM to retrieve memory contents which remain

readable in the seconds to minutes after power has been removed. Basically, when a computer is

restarted, the encryption keys (passwords) might still exist in RAM and may be recoverable to the extent

that they can be used to decrypt your device.

There are a few ways to mitigate this risk. The best method

is to make sure to dismount the drive before ending the

program or shutting the computer down. Most software

programs will erase the key from memory after you perform

this action. This method is the best way to prevent cold

boot attacks. Shutting the computer down cleanly should

also ensure that the key is erased from memory. Another

mitigation technique is with using a security token or smart

card. This can be fooled though if the attacker grabs the key

and has the token/smart card in hand.

Note: Many forensic

investigators carry a can of

compressed air with them to

a crime scene to freeze the

RAM stick for further analysis.

P a g e | 22

his section will talk about data in general: how it gets stored and what happens when it is

deleted. Furthermore, we will take about recent file lists and data caching. Knowing how

Windows and other applications handle these files will help eliminate the risks associated with

evidence left over after your session. You will learn how to find and remove this data completely and

securely from your computer. In some instances, you will also learn how to prevent these risks from

happening altogether.

Topics


Deleted Data

Deleting Data Securely

File Slack

Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache

Temporary Application Files and Recent Files Lists

Event Logs

Printers, Print Jobs, and Copiers

Cameras, Pictures, and Metadata

USB Information

SSD – Solid State Drive

Where to Hide Your Data

T

Chapter4_Data

P a g e | 23

4.1 DeletedData

A common misconception that computer users have is, when you delete a file, it is completely removed

from the hard disk. However, you should know that highly sensitive files such as pictures, passwords,

chat logs, and so forth still remain on the hard disk. Even after they are deleted from your recycle bin,

they are still located on the hard drive and can be retrieved with the right software. Take for example

when you use WinRAR to extract the file that someone sent you. The program extracts the data to a

temporary file before it reaches its destination on your hard disk; this may lead to a data leak.

Any time that a file is deleted from a hard drive, it is not erased. What are erased are the bits of

information that points to the location of the file on the hard drive. The operating system uses these

pointers to build the directory tree structure (the file allocation table), which consists of the pointers for

every other file on the hard drive. When the pointers are erased, the file essentially becomes invisible to

the operating system. The file still exists; the operating system just doesn't know how to find it.

Shadow data is the fringe data that remains on the physical track of storage media after it is deleted,

sweeped, or scrubbed. A mechanical device called a head is used to write the data, and it is stored

electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are

written consecutively in concentric rings called tracks. However, head alignment is just a little bit

different each time an attempt is made to erase data, and data remnants sometimes bleed over the

tracks. This is the reason why government agencies require multiple scrubs or burning, because there is

no guarantee of complete elimination of fringe, or shadow, data.

The only way that you can permanently delete this data is to override it with special software or wait for

the operating system to overwrite the data. There are files on the hard disk that do not have any

pointers in the file allocation table so it will eventually be overridden with something new. Even files

that are fragmented or are partially written over are recoverable and can be used against you. Special

software will overwrite these files securely and immediately. One such recommended software that

securely cleans the white space is CCleaner. As a word of note, people suggest that's simply defragging

a hard drive will overwrite these pointers; this is not true. Drives formatted using NTFS are especially

not affected using this method. This is because of the way NTFS stores data; it essentially makes

defragging the hard drive useless.

Note: You can change the location where WinRAR extracts the temporary data to. Navigate

to Options > Settings > Paths. You can change the path under Folder for temporary files.

P a g e | 24

Tryitout–CCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner from the internet, as with all programs, you download from the manufacturer’s website only. The link has been provided for you: http://www.piriform.com/ccleaner/download/standard

2. Open CCleaner press Tools on the left 3. Select Drive Wiper 4. Select Free Space Only in the drop‐down box next to Wipe 5. In the security drop‐down box, I recommend selecting the complex overwrite 6. Choose the drive letter you wish to clean and pressed Wipe

4.2 DeletingDataSecurely

As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To

prevent data from being recovered you must secure erase (or shred) the data. What special programs

do to securely erase contents from a computer is they enumerate through each bit of data and replace it

with a random bit. The shredding method I recommend is 7 passes. This process makes the bits

unknown as recovery of this data difficult, if not impossible. This can be done with file eraser programs,

or it can be done to the entire drive with bootable software. DBAN is recommended if you are trying to

erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some

programs such as Blancco implement HPA/DCO wiping by default, other tools could allow the user to

choose whether or not to wipe HPA/DCO while other tools are not able to wipe HPA/DCO at all.

HPA stands for Host Protected Area and is a section of the hard drive that is hidden for the operating

system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery

system for the computer. For this reason, the HPA is not a big concern, but you can securely remove

data here nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of today’s

hard drives. Similar to the HPA, the DCOs can be securely erased in such the same way.

While recovery of information wiped out in this manner is far more difficult, and in many cases

impossible, some recovery techniques exist that specialists can employ to retrieve some of the data.

Factors such as the size of the hard drive, the accuracy of the mechanical system in the drive, the power

with which the information was recorded, and even the length of time the information was left on the

drive prior to wiping all will have an effect on the probabilities for recovery.

P a g e | 25

Another method is to physically destroy the hard drive to a state that is irreparable. The best method

for this is to open the hard disk and grind the platters to obliterate all data. Another method for hard

drives that use disks is to use an industrial strength magnet to remove the data. Optical disks (CD’s,

DVD’s, etc.) can be shredded if they are not writable. Also, optical disks can be destroyed be cooking

them and is the best method for destroying data on optical media. Cooking them however is not

recommended for practicing or everyday use as they release a toxic fume.

4.3 FileSlack

To understand file slack, one first needs to understand how disks are organized at the lowest level. As

can be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further

subdivided into a set of sectors and collection of sectors form together to make a cluster. If you write a

1 KB file that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space between the logical

end‐of‐file and the physical end‐of‐file is known as slack space.

The perhaps somewhat unexpected consequence from this is that the file slack contains whatever data

was on the disk before the cluster was allocated, such as data from previously deleted files. Using file

slack, it would be possible not only to recover previously discarded (and potentially sensitive

information) information, but also to effectively hide data. The ability to hide data arises because the

operating system does not modify data within a cluster once it has been allocated. This means that any

data that is stored in the slack is safe (provided the files size does not change).

P a g e | 26

4.4 WheretoHideYourData

Location Information

HPA Host Protected Area is an area of a hard drive that is not normally visible to an operating system and is protected from user activity. To hide data there, you will need to write a program, or find a program, to write information there.

MBR The Master Boot Record only requires a single sector thereby leaving 62 open sectors for hiding data

Partition slack File systems store data in block, which are made of sectors. If the total number of sectors in a partition is not a multiple of the block size, there will be some sectors at the end of the partition that cannot be accessed by the operating system using any typical means.

Volume slack If the partitions on a hard drive do not use up all of the available space, the remaining area cannot be accessed by the operating system by conventional means (e.g., through Windows Explorer). This wasted space is called volume. It is possible to create two or more partitions, put some data into them, and then delete one of the partitions. Since deleting the partition does not actually delete the data, that data is now hidden.

File slack This is the unused space between the end‐of‐file marker and the end of the hard drive cluster in which the file is stored.

Unallocated space Any space in a partition not currently allocated to a particular cannot be accessed by the operating system. Until that space has been allocated to a file, it could contain hidden data.

Boot Sector in non‐bootable partitions

Every partition contains a boot sector, even if that partition is not bootable. The boot sectors in non‐bootable partitions are available to hide data.

Good blocks marked as bad

It is possible to manipulate the file system metadata that identifies bad blocks (e.g. the File Allocation Table in a FAT file system or $BadClus in NTFS) so that usable blocks are marked as bad and therefore will no longer be accessed by the operating system. Such metadata will produce blocks that can store hidden data.

4.5 WindowsSwapFiles,ReadyBoost,TemporaryInternetFilesandBrowserCache

A swap file allows an operating system to use hard disk space to simulate extra memory. When the

system runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk

to free up memory for other programs. Then when you go back to the swapped out program, it changes

places with another program in RAM. This feature ensures that Windows is usable when memory runs

out. Even though this feature is helpful, sensitive information might be contained within the swap space

that could incriminate you.

P a g e | 27

Let’s say you download sensitive material and after you were done with it, you delete it securely. If you

ran out of memory (RAM) the temporary data might have been saved to swap space thereby rendering

your method of removing the file useless. The best way to attack this problem is to disable paging

altogether while viewing sensitive information. If you are using applications that use large amounts of

memory, you can turn paging back on during your session.

Tryitout–Disablepaging

1. Open the Start Menu and go to Control Panel 2. Click on the System icon 3. Select the Advanced tab 4. Under Performance, click Settings 5. Go to Advanced 6. Under Virtual Memory, click Change 7. Select No Paging File and then click Set 8. Click OK in all the menus 9. Restart 10. To enable paging again, simply select Automatically manage paging file size for all drives

ReadyBoost is another caching feature introduced in Windows Vista and was continued with Windows 7.

It works by using flash memory, a USB flash drive, SD card, CompactFlash or any kind of portable flash

mass storage system as a cache. Data that is written to the removable drive is encrypted using AES‐

128bit encryption before written to the drive. This means that an examiner who recovers the drive with

the ReadyBoost information will find it difficult to decipher this data.

Another way that Windows operates under the surface is when creating temporary internet files.

Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is

used by Internet Explorer and other web browsers to cache pages and other multimedia content, such

as video and audio files, from websites visited by the user. This allows such websites to load more

quickly the next time they are visited. Not only web browsers access the directory to read or write, but

also Windows Explorer and Windows Desktop Search.

You can see how this is a problem if you ever want to download (or view) pictures or files that contain

sensitive material. Furthermore, other applications might use temporary files when handling content.

For example, when I talked about WinRAR earlier, I explained that when you unpack data from an

archive, the program creates a temporary file on your file system before it is moved to its destination.

The only way around this (excluding internet cache) is to periodically wipe slack data as stated before.

When dealing with internet data, you should be concerned with deleting internet cache and cookies.

P a g e | 28

Tryitout–Deleteinternetcache

1. Start Firefox 2. Click Tools (if you do not see the menu‐bar press the Alt key on your keyboard. The menu‐bar

should appear.) 3. Click Options 4. Click Privacy 5. Select TorBrowser will: Use custom settings for history and check Clear history when

TorBrowser closes

4.6 TemporaryApplicationFilesandRecentFilesLists

Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file

is recorded by Windows. This feature was introduced into Windows and other applications to make

those applications more user friendly by allowing easy access to those recently used files. Such the

same, some applications create cache that is stored on your computer so the application can run faster

the next time it is loaded or a specific project is being worked on.

Recent file lists and application caching does make the experience more friendly, but it also added

security risks. If for example, someone took a video and loaded it into a video editing software. The

software might take pieces of the video and save it to your hard drive for fast access. The same goes for

viewing videos/images that are sensitive by nature. Whoever is looking at the recent files list for your

computer, will know what the names of files are as well as possibly knowing the location of those files.

First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures

that are loaded for every file in Windows Explorer as a little “preview” of sorts. A thumbnail cache is

used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of

thumbnails as these smaller images do not need to be recalculated every time the user views the folder.

You can see where this is a problem when you open a folder

containing sensitive pictures or videos. Thumbnail caches are stored

in thumbs.db files and the locations will vary depending on the

Operating System. In Windows XP, the thumbs.db files will be

stored in every folder.

Windows 7 and Vista saves all the thumbnails in a central location.

The cache is stored at %userprofile%\ AppData \Local \Microsoft

\Windows \Explorer as a number of files with the label

thumbcache_xxx.db (numbered by size); as well as an index used to

find thumbnails in each database. This makes it easier for us to

Note: Jump Lists appear on

the Start menu as well as on

the Taskbar when you right‐

click on an icon. You can use

it to perform specific

actions, but for security

purposes, it can record files

that were recently opened.

P a g e | 29

locate and remove the caches of these thumbnails. You can use CCleaner to remove the existing cache.

I recommend using this page to enable/disable thumbnail caching. Click here

Another feature of Windows and several applications is recent files lists. There are several locations

where these lists can appear, yet there are only two ways they are saved: the registry or as a file.

Windows XP saves file names in the registry and a centralized location in Windows Explorer whereas

Windows 7 introduces yet another list known as a “jump list” which can also be cleaned by using

CCleaner.

Tryitout–Disablejumplists

1. Right‐click the Start Menu and click Properties 2. Expand the Start Menu tab 3. Uncheck Store and display recently opened items in the Start menu and the taskbar 4. Click OK

CCleaner erases most all (if not all) of the recent file lists for Windows as well as for a few other

applications. Listed below are common locations where these recent file lists and application caches can

be found at (I would look into winapp2.ini for more locations which is an add‐on for CCleaner):

Registry (all are in HKEY_CURRENT_USER):

(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\ RecentDocs

(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\ ComDlg32\OpenSaveMRU

(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\ RunMRU

(Windows) Software\Microsoft\MediaPlayer\Player

(Windows) Software\Microsoft\ Internet Explorer\TypedURLs

(Media Player Classic) Software\Gabest\Media Player

Classic\Recent File List

(Media Player Classic) Software\Gabest\Media Player

Classic\Settings

Files:

(Recent file list) %appdata%\Microsoft\Windows\Recent

(Jump list) C:\Users\<user

name>\AppData\Roaming\Microsoft\Windows\Recent\

AutomaticDestinations

(Temp data – Vista/7) C:\Users\<user name>\AppData\Local\Temp

(Temp data – XP) C:\Documents and Settings\<user name>\Local Settings\temp

Note: Other applications

include PrivaZer for

Windows and Bleachbit

for Linux.

P a g e | 30

Tryitout–SettingupCCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner from the internet, as with all programs, you download from the manufacturer’s website only. The link has been provided for you: http://www.piriform.com/ccleaner/download/standard

2. Once the program is open click the Options button on the left hand side of the window 3. Next, click on Settings 4. Make sure that Secure file deletion (Slower) is checked, Complex Overwrite (7 passes) is

selected in the dropdown box and Wipe MFT Free Space is checked. Very Complex Overwrite can be selected instead of Complex Overwrite. The Complex Overwrite is the minimum you should choose

5. Click Cleaner on the left 6. Make sure they all the items are checked under Windows Explorer

Another thing I do is set CCleaner to perform a clean whenever I log into the machine and every hour

thereafter. Cleaning your computer automatically will help with managing this program as you will not

have to remember to manually run the program every so often. One drawback with this method

however is if an application is using temporary data that is erased by CCleaner, the application might

perform incorrectly or stop working altogether.

Tryitout–SettingupCCleanertoautomaticallyrun(WindowsVista/7)

1. Start CCleaner and select Options on the left 2. Check Save all settings to INI file under the Advanced tab 3. Open the Start Menu and enter Task Scheduler into the search box 4. Click on the Action header in the menu bar and select Create Basic Task 5. Follow the steps of the wizard to create the task. In the first window, name the task and give it a

description to help you remember what it is later 6. On the next page, select how often you want this to run. I checked the When I log on check box 7. Select the option labeled Start a program on the next page 8. Hit Browse and navigate to the directory you installed CCleaner to. Add /AUTO to the text field

labeled Add arguments 9. Click Finish

Finally, for those of you who switched to Windows 8 should know about the app data. Windows 8 for

starters has made significant strides over Windows 7 in respects to the interface. They have added the

Metro interface which hosts a plethora of apps that can possibly leak important data. Two such apps

are the Windows Photos and Windows Video. When viewing a photo or video, you can immediately see

that the photo or video cap is cached as they are still apparent even after the material is deleted.

Obviously, you can see the glaring issue with this when it concerns security.

P a g e | 31

I have not too much research on the matter, so I am going to be brief. For starters, all your apps are

located in your appdata folder. Specifically, the folder paths are as follows (per user settings):

Location of all your apps: C:\Users\”Username”\AppData\Local\Packages.

Windows Photos:

C:\Users\”Username”\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\

LocalState

When the app is closed the cached images no longer

appear on the Metro interface. Furthermore, the cached

images don’t appear when you open the app again. I did

some more investigating into Windows Photos and notice

that several files get increasingly larger after I view images

in the Windows Photos app – even after the app is closed.

Specifically, those files are the:

Microsoft.WindowsLive.ModernPhotos.etl,

Microsoft.WindowsLive.ModernPhotosLast.etl, and

ModernPhoto.edb.

Other files exist that show the last 5 images that were

cycled through on the Windows Photos Metro app. These

files are LargeTile1(through 5) and SmallTile1(through 5).

The latter files should not be an issue unless they

contained sensitive images.

I cannot read what is actually contained within the files themselves, but I can be reasonably sure that

with everything Windows, image previews are being cached and stored to limit I/O usage and speed up

the loading process. Saying this, it is recommended that you delete these files securely if you accidently

– or purposely – open pictures using the Windows Pictures app (and it is going to happen, trust me). To

do this you should close the Pictures app (from the gesture on the left side or the task manager) and

securely erase those files using a program of choice.

When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail

profile you used when logging into Windows 8, that name will be automatically embedded as metadata

in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading

anything sensitive. If you use Bing which is the default search provider and included pre‐installed as an

app, you should know that Bing creates a separate web history of its own and stored the data over the

internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS,

which is not used on Windows 8 devices moreso is it used with Windows Server 2012 (Windows Server

8). Also, with the advent of Office 2013, the default location that the documents will be saved is

Windows Skydrive; so you can see how that might be a security concern if you save something sensitive

without looking. Concerning content saved to Windows Skydrive, here is part of Microsoft’s TOA:

P a g e | 32

So, they scan your documents (and pictures) for anything that violates its TOA, and if they find anything,

you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 account will

have to be re‐created, your XBOX live and Skydrive account will be disabled as well. They also actively

scan for child pornography so make sure you don't accidentally save to a Skydrive account either. This

seems like a huge invasion of privacy digging deep within all your documents and pictures (even if it is

automatic) and the repercussions can be immense.

4.7 Shellbags

When you open a folder in Windows Explorer and customize the GUI display Windows uses the Shellbag

keys to store user preferences. Everything from visible columns to display mode (icons, details, list, etc.)

to sort order are tracked. If you have ever made changes to a folder and returned to that folder to find

your new preferences intact, then you have seen Shellbags in action. In the paper “Using shellbag

information to reconstruct user activities”, the authors write that "Shellbag information is available only

for folders that have been opened and closed in Windows Explorer at least once.” So basically, if you

visit that folder, a shellbag is created.

Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder

was first visited or last updated (and correlate with the embedded folder MAC times also stored by the

key). In some cases, historical file listings are available. This means that even if you dismount a drive

(let’s say you are only using a TrueCrypt container) or delete a folder, the folders that you opened will

still be recorded. Normally, this would not be an issue because just the folder names are recorded here,

but if you name your folder to that of something sensitive and the name alludes to criminal activity, you

will be in trouble.

You will not upload, post, transmit, transfer, distribute, or facilitate distribution of any

content (including text, images, sound, video, data, information or software) or

otherwise use the service in a way that:

1. depicts nudity of any sort, including full or partial human nudity, or nudity in

nonhuman forms such as cartoons, fantasy art or manga.

2. incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred,

bigotry, racism, or gratuitous violence.

P a g e | 33

RegistryKeys

Windows uses the following Registry keys to save the folders information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

(Only in Windows Vista)

If you are curious as to what forensic data can be found out by using shellbags, a good program to view

all of the ahellbags can be found here. You can also remove the shellbags that contain sensitive

information that you wish not be found.

To disable them all together you can do this:

Navigate here in the Registry (if you do not know what you are doing, then I DO NOT RECOMMEND

THIS): [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell]

Left‐click on the Shell key and in the right pane, if you can see BagMRU Size then there is no need to

undertake this step. If it isn't there however, right‐click and select New>DWORD 32‐bit Value and name

it BagMRU Size. Now set this value to 0 in Decimal view.

4.8 PrefetchingandTimestamps

To start, there is a feature that began with Windows XP that is known as Windows Prefetching.

Windows Prefetch files are designed to speed up the application startup process. Prefetch files contain

the name of the executable (the program you are running), a Unicode list of DLLs (Dynamic Link

Libraries; files that supports the program in order to run) used by that executable, a count of how many

times the executable has been run, and a timestamp indicating the last time the program was run. This

means that if you are trying to use programs such as TrueCrypt or secure deletion programs or other file

encryption programs, a Prefetch file will be created thus alerting the forensic investigators. This is not

usually an issue unless you are trying to counter forensic techniques without letting the investigator

know.

P a g e | 34

An example where Prefetching is troublesome is when you are trying to change the Windows

Timestamps for files. Every time a file is created, accessed, or modified a Timestamp is created.

Changing the timestamps are a good idea to throw the investigators off. Also, it is easy to change as

there are programs that can do that for you. A popular program is TimeStop; but an investigator can

investigate the Prefetch file and determine that the program was run. When this happens they can be

reasonably certain that the timestamps were changed maliciously. So, before you download the file I

would pack the file using a program such as UPX (Ultimate Packer for eXecutables). This will change the

hash of the file so the investigator does not know TimeStop was used when examining the Prefetch files.

4.9 EventLogs

Event logs are special files that record significant events on your computer, such as when a user logs on

to the computer or when a program encounters an error. Whenever these types of events occur,

Windows records the event in an event log that you can read by using Event Viewer. An investigator can

determine security related information (These events are called audits and are described as successful

or failed depending on the event, such as whether a user trying to log on to Windows was successful),

application and service information, and more. As security information is not incriminating,

investigators can tell when you attempted to log in and out of the computer, which can correspond to

suspected times. Also, application data might not be incriminating, but depending on what the

application actually logs, file names and other incriminating evidence might be recorded.

Tryitout–Eraseeventlogs

1. Open the Start Menu and go to Control Panel 2. Click on Administrative Tools and open Event Viewer 3. Expand Windows Logs on the left 4. Right‐click Application, Security, and System and click Clear Log…

4.10 Printers,PrintJobs,andCopiers

There are several things that you should be concerned about when printing sensitive documents. Print

data might be left on your computer, on the printer’s hard drive, or through transit. Before you can

know where to look, you must first know how Windows prints a document. When you send something

to a printer the document is first spooled and two files are created in the %system32%\spool\printers

folder. These two files are the shadow file and a spool file. The files are named as complimentary pairs;

for example, one job sent to the printer results in the creation of one FP00001.SDH file and one

FP00001.SPL file for the same job, while the next job will create FP00002.SDH and FP00002.SPL.

P a g e | 35

The shadow file (.SHD) can contain information about the job itself, such as the printer name, computer

name, files accessed to enable printing, user account that created the print job, the selected print

processor and format, the application used to print the file, and the name of the printed file (which can

be the URL if a file is printed from the web). All of this data can be seen in Unicode using a hex editor or

forensic software.

Spool files (.SPL) on the other hand contain the actual data to be printed. This means that if you print a

picture for example, a copy of the picture is created and temporarily stored in the spool folder. Next,

the print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is

an error whereas the document waits in the queue list, these files can easily be read and the contents of

the file revealed. It is also important to note that these two files were deleted insecurely, so there is the

possibility of recovery.

Since 2002, every copier has the capacity to store copies of the documents that are copied or printed.

Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the

copier. This means that printed documents and copies might be stored on the printer’s hard drive, or

they might be recoverable if they were already deleted. There is also a security concern whereas

printed documents can be tied to specific printers. Lastly, print documents can be captured if you are

sending them to a printer that is located over the network. Currently, it is up to the manufacturer to

provide security when sending jobs to a printer.

Tryitout–Readspooldata

1. I am going to assume that you already have a printer installed on your machine 2. Disconnect the printer’s power source. This will allow us to view the .SHD file and the .SPL file 3. Send a print job to that printer that you just disconnected 4. Open Windows Explorer and in the address bar, type in ‘%windir%\ System32\spool\PRINTERS 5. You should notice the two files I mentioned: a .SHD file and a .SPL file. If you have more than

two files, then you might have additional print jobs in the queue 6. Select the file with the extension .SPL, right‐click and select Copy. Paste the file in the location

of your choice. 7. Download and install the program SPLView from the manufacturer’s website: click here. 8. Either open the file from within SPLView, or if you associate the .SPL extension with the

program, you can simply double‐click the file 9. To view SHD file, I recommend downloading a using SPLViewer: click here. If the file is locked,

you can follow Try it out – removing services in section 5.2, and disable the Print Spooler service 10. Turn the printer back on to finish printing the document or delete the files when the Print

Spooler service is stopped (Try it out – removing services in section 5.2)

P a g e | 36

4.11 Cameras,Pictures,andMetadata

Metadata may be written into a digital photo file that will identify who owns it, copyright & contact

information, what camera created the file, along with exposure information and descriptive information

such as keywords about the photo, making the file searchable on the computer and/or the Internet.

Some metadata is written by the camera and some is input by the photographer and/or software after

downloading to a computer.

EXIF information, the Exchangeable Image File format, describes a format for a block of data that can be

embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date

and time information, camera settings, location information, textual descriptions, and copyright

information. In some instances, especially with the use of cameras in cell phones, the location where

the picture was taken might also be embedded with the use of geocaching. This information should be

removed before the photo is shared with someone else or stored unprotected.

To remove EXIF information from an image, or a batch of images, you will need to get a special program

that strips this data. I recommend the program BatchPurifier that can remove this information from

batch of files or a single file. A good program to read EXIF information from PEG, TIFF and EEIX template

files is Opanda IEXIF. If you want to remove metadata from a RAW image, you will need to get a

separate program such as Exiv2. Opanda IEXIF can’t remove the data, but it can show you what data is

contained within each picture that you take (unless you purchase the professional version).

You cannot stop cameras from recording metadata and embedding them in pictures, so the above steps

are the only way to ensure the pictures are clean. To further clean the image that you took, you will

want to crop and remove identifiable information contained within the actual pictures itself. The best

program that can do this is Adobe Photoshop, but a good, free program is Gimp. Identifiable

information should include names, faces, logos, labels, prescriptions, anything that includes

handwriting, toys specific to a particular regions or store, etc.

It is also important to know that digital cameras leave a telltale fingerprint buried in the pixels of every

image they capture. Now forensic scientists can use this fingerprint to tell what camera model was used

to take a shot. Furthermore, these scientists can tell the specific camera that took a specific picture if

they had the camera in hand. I would either use a separate camera for on‐topic material or change the

photo by either resizing or re‐rendering the image after making global changes (blurring, filtering, etc.).

Photoshop, Paint.Net, or GIMP are all good program that enable you to edit a photo without making

changes to the original. This allows you to go back and make further changes (or undo changes) in the

future if needed.

P a g e | 37

You should also know that pictures are not the only material that can contain sensitive information.

Documents can include Microsoft Office® documents (Word, Excel, PowerPoint), OpenOffice.org

documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG,

SVG, AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best to either remove the data from these files before

sharing them or it is best not to share them all together. You should know that changing the file

extension does not trick the investigators. They use file header information to gather pictures/videos.

As we are talking about pictures, you should also be concerned what is in the pictures themselves. Law

Enforcement Agencies have teams of analysts that pick apart background data to determine names,

addresses, geographic data, demographics, and etc. As the case provided, detectives were able to

determine where the suspect lived based on a toy bunny and an orange sweatshirt as seen in one of the

photos. You should attempt to remove all information that includes names, dates, addresses,

paraphernalia or anything in nature that is region specific, or anything else that can be identifiable.

Tattoos, and other body parts (not specific to the face) are identifiable too. For example, veins on the

penis can be linked to a specific person. Recently, somebody was taking photos of his underage

daughter and posting them online. The problem is he posted one with a clear view of a prescription

bottle in the background and got busted. Not smart; don’t make the jobs of the LEA easier.

When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though

some investigators have recently been able to reverse the blurring process and render this useless) and

the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes

replace the background altogether. If you really want to get involved, you can change physical features

such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a

photo making it harder for someone to identify you. Also, if done correctly, it will enhance the photo

visually and the presentation will be much better.

4.12 USBInformation

Whenever a device is plugged into the system, information about that device is stored in the registry

and the setupapi.log file (Windows XP and earlier). The registry key can be found here:

Case: During an investigation into an internal child porn ring, detectives tracked down a toy

bunny, seen in a photo, was used to trace the suspect to Amsterdam. Investigators have

discovered that the bunny was a character in a children's book popular in the Netherlands.

The detective also traced the boy's orange sweater to a small Amsterdam store that had sold

only 20 others like it. That led to the capture and arrest of 43 other individuals.

P a g e | 38

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file can be

found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about

every device that was plugged into your computer via the USB. The setupapi.log file contains

information about device changes, driver changes, and major system changes, such as service pack

installations and hotfix installations.

To delete this registry key and or subkeys you must first right‐click the key and choose permissions. You

can then set the “everyone” group with full permission to the key or subkeys so that they can then be

deleted. I’m sure it isn’t too difficult to whip up a script or piece of software to automate this. Also, if

you have system restore enabled, the information might be contained in there as well. The setupapi.log

file should be securely deleted as you would with anything sensitive. As pointed out to me by a forum

that I frequent, here is a program that will do this for you: https://code.google.com/p/usboblivion/.

4.13 SSD–SolidStateDrives

Unlike HDDs, SSDs have a feature known as a garbage collector wherein cells that are marked to be

deleted are permanently erased in the background, usually within several minutes of being deleted. It is

important to know that this process happens on the SSD hardware level, so simply leaving the SSD

powered on regardless if it is attached to anything will result in the destruction of the data (also known

as self‐corrosion). Even though SSD’s implement garbage collecting, encrypting or securely deleting the

device is hard.

SSD's use load balancing, which is a feature that evenly balances I/O operations between allocation

pools. This means that when you attempt to encrypt or delete a bit of data, it will move past the actual

to the next bit. Also, SSDs should not be encrypted using programs that are meant to encrypt HDs

because of another feature called "wear leveling". TrueCrypt for example recommends that "TrueCrypt

volumes are not created/stored on devices (or in file systems) that utilize a wear‐leveling mechanism

(and that TrueCrypt is not used to encrypt any portions of such devices or filesystems)”. You should

know however, that was referring to existing data already stored on the hard drive. New data that has

not been written to the disk will be secured because it is encrypted before physical storage on the hard

drive. This still can allow for data leaks, so it is still not recommended.

On the SSDs you cannot save to a specific sector on the drive therefor if it theoretically possible that

there are multiple instances of the same data stored on the drive. Let’s say for example that you change

the TrueCrypt volume header; the old header might still be accessible on the drive as you cannot write

over it individually. An attacker, knowing this information can attack the container using the old header

information.

P a g e | 39

4.14 ForensicSoftwareTools

Category of Tools Examples

Chat recovery tools Chat Examiner

Computer activity tracking tools Visual TimeAnalyser

Disk imaging software SnapBack DataArrest, SafeBack, Helix

E‐mail recovery tools Email Examiner, Network and Email Examiner

File deletion tools PDWipe, Darik’s Boot and Nuke, Blancco

File integrity checkers FileMon, File Date Time Extractor, Decode‐Forensic Date/Time Decoder

Forensic work environments X‐Ways Forensics

Internet history viewers Cookie Decoder, Cookie View, Cache View, FavURLView, NetAnalysis, Internet Evidence Finder

Linux/UNIX tools Ltools, Mtools

Multipurpose tools and tool kits Maresware, LC Technologies Software, WinHEX Specialist Edition, ProDiscover DFT, NTI Tools, Access Data, FTK, EnCase

Partition managers Partimage

Password recovery tools @Stake, Decryption Collection Enterprise, AIM Password Decoder, Microsoft Access Database Password Decoder, Cain and Able, Ophcrack

Slack space and data recovery tools Ontrack Easy Recovery, Paraben Device Seizure 1.0, Forensic Sorter, Directory Snoop

Specialized software for analyzing registries, finding open ports, patching file bytes, simplifying log file analysis, removing plug‐ins, examining P2Psoftware, and examining SIM cards and various brands of phones

Registry Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer, Vision, Autoruns, Autostart Viewer, Patchit, PyFlag, Pasco Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager for Nokia phone, SIM Card Seizure

Text search tools Evidor

P a g e | 40

ervice and data continuity is the activity performed by you to ensure that files and services will be

available to yourself and others for the applicable lifetime. There are several methods to provide

continued support including: backing up data, using controls and techniques to restrict access, and

implementing controls on servers, networks, and other devices. None of these controls should be

skipped as they are all equally important. This step is often overlooked when securing your information

but assures availability is met.

Topics


Security Concerns with Backups

Security Concerns with Sleep and Hibernation

Ensuring Information and Service Continuity

DoS and DDoS attacks

S

Chapter5_Continuity

P a g e | 41

5.1 SecurityConcernswithBackups

To start, Windows backup and restore is a feature of Windows and does exactly as it implies; it backs up

your data. Without much explanation, there are three types of Windows backups: full, differential, and

incremental. A full backup provides a backup regardless of previous backups. A Differential backup only

backs up data that was changed since the last full backup and an incremental backup backs up data that

was changed from the last full backup, or the last incremental backup.

I know I am stating the obvious, but make sure that you do not backup anything that is confidential.

Whether by accident or on purpose, once you backup sensitive data, it does not matter if you remove

the file from your computer because a copy is already made. Personally, I keep all my sensitive

information in an encrypted container by itself so I don’t confuse it with my other stuff. After I move all

of my sensitive information into a container by itself I have ensured two things, 1) my information is

secured and 2) nothing is being backed up that is not supposed to.

5.2 SecurityConcernswithSleepandHibernation

There are two other features with Windows that you should know of:

sleep and hibernation. If you need to walk away from your laptop for a

small –or extended – period of time but want your Windows session to

resume quickly, you will use either of these two features. The difference

is that with sleep mode, your computer stores everything in memory and

with hibernation mode, everything in RAM is saved to your hard drive.

Sleep is for short‐term storage and hibernation is for long term storage.

If you use sleep or hibernation, the encryption keys and everything else

that is open at that time is saved, allowing a third party to bypass the

security measures you have in place. For example, everything that you

have opened at this moment, including mounted containers and open documents, will be viewable by

forensic investigators. The best mitigation technique is not to use them or to disable both hibernation

and sleep altogether.

5.3 EnsuringInformationandServiceContinuity

Keeping a backup of all your private/sensitive materials is a good idea for the continuity of such data, as

long as that data is secure. Securely storing data has been discussed in another section, so I will only

make a recommendation. I would create a container with TrueCrypt and store all sensitive data within

Note: Windows 8, the

latest Operation System

Microsoft is coming out

with hibernates the

system kernel, but does

not put memory in

storage

P a g e | 42

that container before saving the backup somewhere else. Doing this will achieve two goals in the CIA

triad, confidentiality and availability.

There are two locations that need to be considered when backing up data: locally and remotely. A local

copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed

up data. But what if a natural disaster or a fire occurs and it destroys both your computer and your local

backup device? This is where a remote backup solution comes in; it prevents data loss in off‐chance that

this happens. Common methods of remote backups are remote backup services, tapes, external drives,

or hosted services. Another common method is finding someone else in another location (another state

preferably) and you each keep a backup for one another.

For example: let’s say that I have a friend (okay, I did say as an example) and that friend lives in another

state. One good way that I can back up my data at his place and his at mine, is we setup a VPN to

connect our networks together. This way, we can send the files securely over the internet without much

complication. Make sure however, that you trust the other party as they will have your Public IP

Address. Another device that allows for storage redundancy is a RAID device. RAID (redundant array of

independent disks) is a storage technology that combines

multiple disk drive components into a logical unit. Basically, it is

a device that is comprised of several disks for the purpose that if

one (or more) drive(s) fail, data is not lost. This can come in the

form of a RAID controller (or software controller) on your

computer, or a network device (such as a NAS box).

There are a few more solutions if you are going to set up a

service that you host and are concerned with continuity and

service availability. All these methods are assuming that you

have multiple servers available and can configure them and the

network they reside in. Firstly, you can configure the site for mirroring which is the act is creating an

exact copy of one server to another server. Clustering (or failover clustering) is another method of

ensuring availability as it is a group of devices that act as a single device. When one device fails in a

cluster, another device starts providing the service (a process known as a failover). And finally, you can

implement load balancing on your network which distributes the traffic load between several devices in

your network.

5.4 DoSandDDoSattacks

DoS (Denial of Service) attacks are the acts of making resources for legitimate users unavailable. DDoS

(Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even

thousands) of machines to disrupt access to resources. Usually this is performed by flooding the service

with ICMP packets forcing the router (or server) to respond to the attackers request (by replying to the

Note: NAS stands for

Network Attached Storage

and is intended to store

information over the

network.

P a g e | 43

ICMP packet). Other attacks including sending malformed ICMP packets, flooding the site with resource

requests, or SYN flood attacks.

Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best

accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways: the attacker

can send too many packets or they can send malformed packets. For example, Windows has a packet

size limit of 65500. So anything received that is higher, might crash the machine or enable the attacker

to successfully perform a privilege escalation attack. Flooding the site with requests for resources

(videos, pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with

Tor sites.

These attacks are mostly an issue that has to be prevented with hardware controls versus

implementations within the website itself. Assuming that you are hosting and managing the website

and the server the website resides on, you can implement ingress filtering on your network to help block

some of the attack. The backscatter traceback method is a good strategy for that. Also, I would block

ICMP packets on your external interface (WAN interface). You should also make sure that all

"unallocated source address'" are blocked. This means that you should block all packets with private IP

address that are coming into your network. You cannot stop DDoS attacks, only mitigate the effect.

ToolsforDDoSattacks

To initiate DDoS attacks, you will need to right tools based on your preferences and other factors such as

your platform of attack. The following are samples of DDoS attack tools:

Low Orbit Ion Cannon – LOIC attacks a server by flooding the server with TCP or UPD traffic.

Specifically, it mostly floods the server with ICMP traffic which is ping traffic

Trinoo – Trinoo is easy to use and has the ability to command and control many systems to

launch an attack

Tribal Flood Network – TFN can launch ICMP, ICMP Smurf, UDP, and SYN Flood attacks against a

victim. This tool was the first publically available DDoS tool

Stacheldraht ‐ This tool features that are seen in both Trinoo and TFN and sends commands via

ICMP and TCP packets to coordinate an attack. Another feature of Stacheldraht is that it can

encrypt the communication between the client to the handlers

TFN2K – An upgrade to TFN, this program offers some more advanced features including

spoofing of packets and port configuration options

Shaft ‐ This works much the same way as Trinoo except it includes the ability for the client to

configure the size of the flooding packets and the duration of the attack

MStream – This program utilizes spoofed TCP packets to attack a designated victim

Trinity – This performs several DDoS functions including: fraggle, fragment, SYN, RST, ACK, and

others

P a g e | 44

Whatdotheymean?

Let me take a second to define some of the attack turns as presented above:

ICMP DOS – An attacker can use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection

ICMP packet magnification ‐ An attacker sends forged ICMP packets to bring down a host. As an example (as presented above), Windows has a packet size limit of 65500. So

anything received that is higher will be fragmented. Since the machine cannot reassemble the

packet, it might crash or reboot

ICMP Smurf attack ‐ An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. Doing this will tell all the systems on the network (inside the broadcast domain) to send ICMP echo replies to the victim, consuming the targets available bandwidth

SYN flood attacks – A SYN flood attack takes advantage of the TCP three‐way handshake. A SYN

flood attacks spoofs the IP address thereby forcing the server to keep open the connection while

waiting for the ACK message (which is never sent) from the client and uses resources in the

process

RST attacks – This attack works by injecting RST packets into TCP packets tricking the server to

close the connection. RST attacks are performed against other users trying to use a particular

resource

Fraggle attacks – Fraggle attacks are similar to Smurf attacks except that Fraggle attacks uses

UDP packets instead of TCP packets

P a g e | 45

ystem hardening is the process of securing a system by reducing its surface of vulnerability (attack

surface which is the components of a system that an attacker can use to break into the system.). A

system has a larger vulnerability surface the more that it does; in principle a single‐function system

is more secure than a multipurpose one. We will also go over several other risk mitigating methods

when dealing with Windows. This will include the removal of unnecessary software, unnecessary

usernames or logins and the disabling or removal of unnecessary services.

Topics


Uninstall Unnecessary Software

Disable Unnecessary Services

Disable Unnecessary Accounts

Update and Patch Windows and Other Applications

Password Protection

S

Chapter6_SystemHardening

P a g e | 46

6.1. UninstallUnnecessarySoftware

The first step in hardening a system is to remove unnecessary programs. Start by removing unnecessary

third party programs that are installed on the machine. You also want to look at programs that were

installed when downloading or installing other products, whether intentional or not. For example,

when you purchase a machine there is a bunch of software that comes preinstalled that you probably

never use. I would recommend reviewing everything that is installed and remove all software that you

do not need.

Tryitout–Uninstallingsoftware

1. Open the Start Menu and go to Control Panel 2. Select Uninstall a program or Add/Remove Program 3. Right‐click the unnecessary programs from the list and click Uninstall

6.2. DisableUnnecessaryServices

Once all of the software has been uninstalled from the machine, you should then start by disabling all of

the unnecessary services that are running in the background. Each service will provide support for the

application that they support; many of them providing functionality for Windows. You should get a

listing of all the system services running on the system and evaluate whether each service is needed.

Also know that I am more referring to third‐party services versus Windows services. Make sure to do

your research on each service before disabling anything.

Tryitout–Removingservices

1. Open the Start Menu and go to Control Panel 2. Select Administrative Tools and open Services 3. Review and identify each unnecessary service 4. Right‐click the unnecessary service and select Disabled in the dropdown box next to Startup

type. Stop the service and press OK

P a g e | 47

6.3. DisableUnnecessaryAccounts

An aspect that is overlooked often is disabling accounts that are not currently being used. You will need

to determine if you need information from that account (if you remove account data) or to use services

that can only be used from within that account. Windows XP has the administrative account enabled

with a blank password be default whereas Windows Vista and 7 disable the account by default. Also, a

quick word from the real world, make sure when creating a user account to not use anything that can

possibly identity you as doing something illegal. A real world example, someone actually created a

separate account name “childporn”, so he can hide all his illegal materials in that account. Better yet, he

hid all materials in a folder on his desktop named “childporn”! (NOT smart) Not only can forensic

investigators see all the accounts that are currently on the machine, but they can see previously deleted

accounts as well.

Tryitout–Removinguseraccounts

1. Open the Start Menu and go to Control Panel 2. Expand User Accounts and select the account you wish to delete 3. Click Delete the account

Note: One good recommendation is to create and use a standard account with no Administrative

privileges. This way, if a virus is executed, it only has the privileges of the account that you are in.

Also, I would make sure your username does not contain your full name as many applications

such as Pidgin can share this information.

P a g e | 48

6.4. UpdateandPatchWindowsandOtherApplications

Another step in hardening the system is updating the Operation System and all software installed on the

machine. When you patch the system, you are applying security fixes to known vulnerabilities to the

software that is running on the system. These vulnerabilities are what remote attackers use to gain

access to the system. Without patching the system, you are opening up your machine to attack by these

malicious hackers.

Windows updates should be enabled as they provide many fixes concerning Windows security.

Individual software and applications should also be updated as soon as a known stable version of the

update is available. Usually, when vendors release an update, they are stable unless stated otherwise. I

recommend the use of a tool that checks the programs installed on the machine and reports the ones

that are out‐of‐date. A good program for this purpose is Secunia PSI. This program will constantly

check the programs installed on your machine and report which ones are out‐of‐date, which ones are

scheduled for an update, and which ones can be updated manually.

6.5. PasswordProtection

A final practice you should incorporate in system hardening is password protecting your devices. On

your computer, you should make sure that all of the user accounts that are enabled are password

protected. This is especially true when folder shares are involved. Make sure that the passwords on

your machine are all strong so an attacker cannot use that account to gain access to your machine. For

example, when you mount a TrueCrypt container, it can be explored though another computer in the

network using an account on the local machine if they have the correct permission. This means that

even if you have the world’s strongest password for TC, an attacker can still gain access to its contents

using your Windows password over the network. Also, by default Windows XP has the administrative

account enabled without a password by default. Windows 7 and 8 has this administrative account

disabled by default.

Note: A program that I would recommend looking into is Microsoft Baseline Security

Analyzer (MBSA) which is a free security and vulnerability assessment (VA) scan tool to

improve security management process and assess or determine security state in accordance

with Microsoft security recommendations and offers specific remediation guidance.

P a g e | 49

Tryitout–Passwordprotectcomputeraccounts

1. Open the Start Menu and go to Control Panel 2. Expand User Accounts and select the account which you want to create a password for 3. Click Change Password

Tryitout–Exploreyourcomputerfromanothermachine

1. Find your IP address on your computer. Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in Search Programs and Features. A black box should pop up

2. Type in ipconfig and under the adapter you are using, record the IP address next to IPv4 (example: 192.168.1.5) *rarely will people use IPv6

3. Hop onto the other computer and open up Windows Explorer 4. In the address are, type in ‘\\’ followed by your computers IP address finished with a ‘\’, your

drive letter and a ‘$’ (usually C). For example, I type in \\192.168.1.5\C$ 5. You will be prompted to enter the username and password for your machine

Note: When you mount a TrueCrypt container in Windows, it can be explored though

another computer in the network using an account in Windows if they have the correct

permission. For this reason, make sure that your Windows password is not easily guessed!

You can test this out by trying the Try it out – Explore your computer from another machine

and replacing the “C$” with whatever the TrueCrypt container is. You can also see if your

container is mounted via Windows Shares and if is, you can stop the share. Also, I would

change the permissions for the TrueCrypt file.

P a g e | 50

Malware, short for malicious software, is software used or created to disrupt computer operation,

gather sensitive information, or gain access to private computer systems. It can appear in the form of

code, scripts, active content, and other software. This is not only annoying, but if malware is running on

your machine, your security is at risk. Notice that all these solutions can be either hardware or

software. Hardware solutions are usually on the perimeter as in the form of an all in one device

(SonicWall or Fortigate for example).

Topics


Antivirus

Hardware Keyloggers

Firewalls

DLP’s

HIDS’s

Other Considerations

Chapter7_Antivirus,Keyloggers,Firewalls,DLP’s,andHID’s

P a g e | 51

7.1. Antivirus

'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.

This software comes in several different flavors, but we will only be talking about Spyware and Trojan

Horses. Trojan horses are often delivered through an email message where it masquerades as an image

or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities

in web browser software such as Microsoft Internet Explorer. Spyware on the other hand covertly

monitors your activity on your computer, gathering personal information, such as usernames,

passwords, account numbers, files, and even driver’s license or social security numbers.

Antivirus software can protect you from viruses, worms, Trojan horse and other types of malicious

programs. More recent versions of antivirus programs can also protect from spyware and potentially

unwanted programs such as adware. Having security software gives you control over software you may

not want and protects you from online threats is essential to staying safe on the Internet. Your antivirus

and antispyware software should be configured to update itself, and it should do so every time you

connect to the Internet.

7.2. HardwareKeyloggers

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer

users' keystrokes, including sensitive passwords. They can be implemented via BIOS‐level firmware, or

alternatively, via a device plugged inline between a computer keyboard and a computer. They log all

Case: The Computer and Internet Protocol Address Verifier (CIPAV) is an illegal data gathering

tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on

suspects under electronic surveillance. The software operates on the target computer much

like other forms of illegal spyware, whereas it is unknown to the operator that the software

has been installed and is monitoring and reporting on their activities.

Location‐related information, such as: IP address, MAC address, open ports, running

programs, operating system and installed application registration and version information,

default web browser, and last visited URL was captured. Once that initial inventory is

conducted, the CIPAV slips into the background and silently monitors all outbound

communication, logging every IP address to which the computer connects, and time and date

stamping each.

P a g e | 52

keyboard activity to their internal memory. Hardware keyloggers have an advantage over software

keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able

to intercept passwords for the BIOS or disk encryption software).

You might think that physical inspections are one way to defend against hardware keyloggers, but it is

not. Nor is using a wireless keyboard, as that sort of keylogger, doesn't necessarily have to be hidden

outside of the keyboard. A dedicated attacker may just as well place an extra chip inside of the keyboard

or replace it all together by a manipulated keyboard of the same model to record keystrokes without

any obvious visual cues. So, the best way may to the use different keyboard layouts before entering the

password. Furthermore, you can also enter random data within the password and going back to remove

them later. And finally, you can use tokens as well as a password when logging into your computer.

7.3. Firewalls

A firewall is usually your computer's first line of defense‐it controls who and what can communicate

with your computer online. You could think of a firewall as a sort of "policeman" that watches all the

data attempting to flow in and out of your computer, allowing communications that it knows are safe

and blocking "bad" traffic such as attacks from ever reaching your computer. Configuring your firewall

can prevent Spyware or other confidential data from leaving your network entirely. It can also prevent

remote attackers from “hacking” into your computer. Most AIO (all‐in‐one) security solutions such as

Norton or McAfee or BitDefender have a firewall built in. For a

free firewall, Comodo firewall is a good alternative:

https://personalfirewall.comodo.com/.

7.4. DLP’s

Data leakage prevention solution is a system that is designed to

detect potential data breach incidents in timely manner and

prevent them by monitoring data while in‐use (endpoint actions),

in‐motion (network traffic), and at‐rest (data storage).

Importantly, personal DLP software can protect you from

accidently disclosing confidential or sensitive data. Some AIO

security software does this as well as free software.

Note: In most Linux distros

including Redhat / CentOS /

Fedora Linux installs iptables

by default. It has become a

standard option in all

distros. If it is not installed,

you can use the command

yum install iptables or apt‐

get install iptables if you are

using Ubuntu.

P a g e | 53

7.5. HIDS’sandNID’s

The principle operation of a HIDS (Host Intrusion Detection System) depends on the fact that successful

intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to

own the computer they have attacked, and will establish their "ownership" by installing software that

will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft,

spamming, botnet activity, spyware‐usage etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do

just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet

Explorer leaks, DLL injections, malware drivers, etc. HIDS’s are installed on your machine and a baseline

must be performed before HIDS’s can detect any anomalies. Many anti‐virus programs have a basic

HIDS built into the software as an added feature.

Network IDS’s on the other hand sit on your network to monitor all traffic coming into your network to

alert you to any attacks. There are several methods of detecting an attack including anomaly based

detection and signature based detection. Also, there is either a passive or active based detection

depending on if you want the IDS to actually take action or not. You should know when setting up an

IDS, that there will be false positives as it takes a while for the IDS to learn and for you to teach. Also,

you will need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in

businesses.

7.6. OtherConsiderations

What you download can affect security. Make sure that what you download is safe; it should go without

saying, but is good to hear nonetheless. PDF, word documents, executables, broken pictures, and

binders are all security issues. Make sure that you protect yourself by downloading alternative PDF

viewers (or block your PDF application from connecting to the internet), disable Macros if you use

Microsoft Office programs, disable JavaScript in Adobe Acrobat/Reader if you use it, etc. Lastly, make

sure that you are updating your web browser, and if you are using the Tor Bundle, you update that as

well. These releases are extremely important for security and often include patcheswhat for found

vulnerabilities.

P a g e | 54

eeping your network secure is a must to ensure to keep intruders out and your information from

getting into the wrong hands. Furthermore, it protects you from other people hopping on your

network, doing something illegal, and having the evidence point to you. Network security covers a

variety of computer networks, both public and private, and you should concern yourself with both. This

chapter will explain some of the common methods of security and a brief introduction on a few

networking terms as well as security concerns when hopping on another person’s network. This will

include both hardware and software methods to ensure this security.

Topics


Private vs. Public IP Address

MAC Address

Public Wireless

Security Protocols

Chat Sites ‐ How Attackers Attack

Other Considerations

K

Chapter8_Networks

P a g e | 55

8.1. Privatevs.PublicIPAddress

A private IP address (assigned by the owner’s wireless device) is assigned per device in the network from

a DHCP pool. DHCP pulls a list of available IP addresses and assigns it when a device is attached to the

network. A certain IP address is not assigned to a specific device (there is no static mapping) therefor

people cannot use IP addresses to located your specify device. Static IP addressing can be used, but

typically is not used in a home environment. When you connect to a wireless device, it is possible that it

changes each and every time you connect, depending on what else is connected to the network. Also,

unless the IP address is currently leased out, nobody will be able to look in a log (typically) to determine

what IP address what connected when.

The other IP address is known as a Public IP address. This type of address is what your ISP (Internet

Search Provider) uses to identify you. When you log into a website, this is the IP address that is logged.

When you use proxy or VPN services, the Public IP address that is hidden and the VPN/proxy IP address

is exposed. If somebody has your IP address, they can get the geographical location of where you live

whereas your ISP has your name, telephone number, home address, and whatever else you have given

them. Lastly, when you are connected to a person directly (DCC, video chat, P2P, etc.); they can also log

your Public IP address.

8.2. MACAddress

Think of a MAC address like a bank account number; we are each given a bank account number so when

we make a purchase, at a grocery store for example, the grocery store knows how to send the payment

to your bank and vice‐versa. Similarly, a MAC address, which is unique to your wireless card, allows the

router to know where to send the data. And if you really care, the MAC address is held in an ARP table,

but we won’t get into that.

When you connect to a network, the router logs the computers MAC address and temporary saves the

computers IP address. People can also sniff the network to see what you are doing and record your

MAC address that way. And yet another way people can get your MAC address is if they use software

that monitors the network and records all the devices automatically. All these methods have one this in

common (besides the obvious), they can only record the addresses that are broadcasted, meaning if you

change your MAC address, these methods are useless.

P a g e | 56

People use MAC address changers for many reasons; mostly for getting free WiFi by bypassing MAC

address filtering or performing MAC flood attacks. If you connect to a public network, or your

neighbor’s network, I would use a MAC address changer to make it hard to locate you. Earlier, we said

that a MAC address is unique to your computer; so if they were to look at all of the devices in your

house, they won’t find the device with the MAC address that was logged because it has been changed.

The easiest way to change the MAC address is to download a program to do it for you; otherwise you

can change it in your network settings. Win7 MAC Address Changer Portable is a good program to do

this for you.

As a quick note, another recent discovery that can identify individual computers that cannot be spoofed

(as of yet) is with using the computers graphics card. The PUFFIN Project (physically unclonable

functions found in standard PC components) has brought forward research suggesting that GPU

manufacturing processes leave each product with a unique "fingerprint." The PUFFIN team has created

software that can detect these physical differences between GPUs. This is another way that someone

can determine whether your device was used in a crime if your GPU “fingerprint” was obtained.

PUFFIN’s research will run until 2015.

8.3. PublicWireless

It is up to you whether or not to stop using the neighbors wireless. But know they can see Tor traffic if

they: use a packet sniffer and perform a MiTM attack if their wireless network is not protected, if they

were using a network hub which broadcasts information out of all ports, if they have a managed switch

and enable port mirroring, or if they change the MAC address of their computer to that of the AP

(Access Point). Even though they can see Tor traffic, they cannot see what you are doing inside of Tor

and they still will have no clue that it was you. If they could, the purpose of Tor would be defeated.

They are other risks with using public networks (or your neighbor’s network) therefore it is not

recommended (unless you are absolutely sure that you are safe).

These risks includes attackers remotely logging into your computer via a known backdoor or an exploit.

The best known Operating System to attack a machine is Backtrack. BackTrack is a Linux‐based

Note: To change the MAC address in Linux, you can use the hw ether command. ifconfig

eth0 down > ifconfig eth0 hw ether 00:00:00:00:00:00 > ifconfig eth0 up > ifconfig eth0

|grep HWaddr. Notice, you will use a custom MAC address instead of 00:00:00:00:00:00

and run each command separately (as defined by the ‘>’ character). Also, you will want to

replace eth0 with the adapter that you are using.

P a g e | 57

penetration testing arsenal that aids security professionals in the ability to perform assessments in a

purely native environment dedicated to hacking. The methods of attack in BackTrack are against

operating systems, applications, phones, networks, internet protocols, websites, and etc. The best part

about BackTrack is that it is free! I would start with getting a good firewall and anti‐virus for your

computer. Also, make sure you follow System Hardening (Section 6) section to help correctly configure

your machine.

As always, I would use Tor for all sensitive information in which you do not want anyone to learn your

location or monitor your browsing habits. To protect all other sensitive data that does not require such

autonymity, I would recommend the use of a VPN. A VPN reroutes all computer traffic through a secure

tunnel to a trusted third‐party (or a designated network) before the information reaches its destination.

This provides security against anyone sniffing your computer traffic as all information is encrypted.

Common reasons for a VPN is when: checking emails, checking your bank account, application data

security, or transmitting insecure data over a secure data stream. The difference between Tor and a

VPN is that when using Tor, nobody knows who you are whereas in a VPN somebody always does.

NetworkSniffingTools

There are several sniffing tools available. Listed below are some of the common tools:

Wireshark – One of the most popular packet sniffing programs available and is a successor to

Etheral offering a tremendous number of features to assist dissecting and analyzing traffic

Omnipeek – Created and manufactured by Wildpackets, Omnipeek is a commercial product that

is the evolution of Etherpeek

Dsniff – A suite of tools designed to perform sniffing as well as other tools to reveal passwords.

Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent for

Windows

Cain and Able –and Able provides much of the same tools as Dsniff but also provides features

such ARP Poisoning (MiTM attack can be performed inside a network), enumeration of Windows

systems, and password cracking

Etherape – A UNIX/Linux tools that was designed to show the connection going in and out of the

system graphically

Netwitness Investigator – A free tool that allows a user to perform network analysis tools as

well as packet reassemble and dissection

P a g e | 58

8.4. SecurityProtocols

Securing your network should be as important as securing your computer. Allowing people access to

your network opens you up to attack and as previously stated, legal issues, because they can got caught

doing something they weren’t supposed to on your network. If you are doing everything secure on your

network computer but someone gets caught downloading child porn, the government is coming after

you. There are several ways to protect your network depending on your equipment and if you use

custom firmware or not. If you get a router, plug it in, and start using it; you are NOT protected!

The first thing that anybody needs to do is change the default password for the device so nobody can log

in and change the security settings. Followed by changing the device password, you should create a

wireless password to limit the people who can get on the device in the first place. There are several

types of protocols that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and

WPA2 are protocols that rely on password authentication to accept users who are trying to connect to

your wireless device. MAC Address Filtering on the other hand only allows specific wireless devices

access to the network depending on the MAC addresses.

WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer

standards such as WPA and WPA2. WPA is also deprecated making the recommended security protocol

WPA2. WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all

devices. MAC address filtering filters wireless devices allowing only those that are allowed into the

network. The problem is however, it can be easily defeated if someone changes their MAC address to

one that is allowed.

WirelessHackingTools

I recommend obtaining a copy of Backtrack as there are many wireless hacking tools already installed.

Kismet ‐ Using Kismet one can see all the open wireless networks, as well as those Wireless Networks which don’t broadcast their SSID’s. It’s a matter of minutes to use this tool and identify networks around you

Netstumbler ‐ NetStumbler is a freeware Wi‐Fi hacking tool that’s compatible with Windows only. It can be used to search open wireless networks and establish unauthorized connections with them

Medieval Bluetooth Scanner ‐ This program can analyze and scan your Bluetooth network finding Bluetooth devices that can be attacked (see bluejacking or bluesnarfing or bluebugging)

Coreimpact ‐ This it is widely considered to be the most powerful exploitation tool available. However, CoreImpact is not cheap and will set anybody back at least $30,000

P a g e | 59

Wireshark ‐ Wireshark Wi‐Fi hacking tool not only allows hackers to find out all available wireless networks, but also keeps the connection active and helps the hacker to sniff the data flowing through the network

AirSnort ‐ Most Wi‐Fi hacking tools work only when there is no encrypted security settings. While NetStumblr and Kismet fail to work if there is a wireless encryption security being used, AirSnort works to break the network key to get you inside the network

CowPatty ‐ CowPatty is an another Wi‐Fi network hacking tool that has crack got a WPA‐PSK protection feature and using this hackers can even break into more secure Wi‐Fi environments

Reaver – This program takes advantage of the weakness inherent with WPS (WiFi Protected Setup)

8.5. ChatSites‐HowAttackersAttack

Some people where asking me about the risks involved in Omegle and downloading pictures to your

computer. So, briefly, I am going to describe here what I told them. Firstly and most obviously, Tor does

not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP

traffic in which video streaming operates. So, if you wondering how people actually captures this traffic

and obtains your IP address, this is how:

CaptureIPAddressfromOmegle

1. First, you will need to download a packet sniffer. I would either use Wireshark, Ethereal, or NetWitness Investigator. The first two will simply capture the packets whereas the latter will captures the packets and has the ability to put them back together. This is useful if you want to rebuild the video that was streaming.

2. Start Omegle (or an alternative chat site) and get connected to somebody on the other end. Capturing the IP address can also be done via text, but for this method, you must use your camera.

3. Start the packet sniffer of choice; for this example I will be using “Wireshark.” 4. To select the interface you will need to select “Capture” than “Interfaces.” 5. Determine the interface that you are using (usually the one with the most packets) and press

“Start” to start capturing the packets. 6. All you need is a few packets, even though you will get a few hundred to a few thousand. Once

you have enough packets press “Stop the running live capture”. This is denoted by the forth icon at the top with the “X” or you can select “Stop” under “Capture.” FAILURE TO STOP THE CAPTURE WILL CRASH YOUR MACHINE! THE AMOUNT OF PACKETS YOU CAN CAPTURE IS DEPENDENT ON THE AMOUNT OF MEMORY YOUR MACHINE HAS!

7. You are only concerned with UDP traffic, so in the “Filter” field, enter “udp” 8. Now, you will notice that there is more UDP traffic from two specific IP addresses than anything

else; these IP addresses will be your IP address and the individual on the other end of the webcam. Your IP address will either start with a 192.x.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.x.x.x. There are restrictions, so if you have any questions, ask or refer to a Private IP address list. The other IP address will be theirs.

9. Copy their IP address. This can be denoted via four octets separated by decimals or with dashes.

P a g e | 60

It can also contain words or letters. 93.53.23.231, pd‐93‐53‐23‐231, or 93‐52‐23‐231.abc.dgf.net will all be the same thing. In either case, you want to copy it down as 93.53.23.231. Notice that the words might be different; only concern yourself with the numbers.

10. That is it; you can use a reverse IP address lookup to find basic information.

That described simply how to capture the IP address via a packet sniffer. When connected, this

connection can also be seen in your netstat list; you should not worry yourself about this. The reason

being is UDP traffic connects directly to your machine. TCP traffic connects to a third party site such as

Omelge. Another method is getting the person to go to a honeypot that captures the users IP address

when they click on a link and navigate to that site. They are a few out there, and it is easy for people to

be baited into navigating to these sites.

If you are really interested there are two things that happen when you are connected via webcam. The

first thing is the handshake ‐ or the initial connection ‐ and is facilitated by the chat website (Omegle,

ChatRoulette, etc). This connection is the first step that is performed to connect you to the other

person whom you are trying to connect with. After this initial process is complete, you are now directly

connected to the person you are chatting with. At this point, the stream is no longer being passed

through the chat website. The webcam traffic is UDP traffic, which is not supported by Tor.

Another popular method of getting IP addresses and other computer information such as usernames,

passwords, keystrokes, screenshots and etc., if with the use of spyware. I am not going to go into detail

about spyware (or a keylogger or malware), but I will go over a popular delivery method. When people

send pictures – or videos – via TorChat or an alternative medium, they can use a binder program to

attach a picture file to an executable. When the file is opened, the picture appears as normal along with

the spyware in the background.

To protect yourself when dealing with UDP information (audio or video chat), you can use a UDP proxy,

a VPN, or configure a VPN over Tor. I usually just use a VPN that claims to not log any traffic; but who

knows if that claim holds merit. Simple text chat uses TCP packets which Tor can protect. Obviously, do

not use shortlinks as they can link to a honeypot or another rouge site. And if you do decided to open

links you are unsure about, make sure you do via Tor with JS disabled.

P a g e | 61

8.6. OtherConsiderations

Most people have home routers with stock firmware, so most of this does not apply. For those of you

interested in having more granular control of your router, you can search the internet for custom

firmware; for example, DD‐WRT is a good Linux‐based firmware. Also, you can purchase managed ports

and wireless access points specifically for this purpose. Most commercial equipment can manage what I

am about to talk about, but they usually run in the several thousands, if not hundreds of thousands.

One of the basic hardening techniques for wireless security is the use of VLAN’s. If the attacker passes

your security controls and into your network, VLAN’s will ensure that they cannot read your network

traffic. Let’s say some ports on switch A are in VLAN 10 and other ports on switch B can are in VLAN 10.

Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10.

However, these devices can all communicate because they are on the same VLAN. You should also know

that VLAN’s can be set up on the same switch.

WPS, or WiFi Protected Setup, is a way for individuals to easily connect devices to the wireless router. In

this method, the standard requires a PIN to be used during the setup phase. As it is not a technique to

add security to the network, you should know that WPS should be disabled at all times. The

vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts. It takes

approximately 4‐10 hours to break WPS pins (passwords) with Reaver.

You should also know about rouge AP’s; specifically when an attacker impersonates an SSID. Rouge

Access Points are a security concern because an attacker can set up a device such as a router or

computer to have a similar or the same SSID as the wireless Access Point you connect to. Unscrupulous

parties can connect to this rouge device and all traffic can be logged and MiTM attacks can be

performed. This threat is of low concern because it is not very likely to happen.

One final security configuration I am going to mention is a DMZ. The purpose of a Demilitarized Zone is

to add an additional layer of security to your local area network (LAN – Private network); an external

attacker only has access to equipment in the DMZ, rather than the entire network. This would be if you

were setting up anything that you want people from outside your network to have access to whilst

protecting your internal network. Examples of such services would be Websites, IRC servers and relay

servers.

P a g e | 62

8.7. Extra: MACAddressSpoofingandARPAttacks‐Howtheywork

Two methods I want to talk about are: ARP poisoning and MAC address spoofing. As many of you

already know MAC address spoofing is also a way to hide your computer or to get free Internet when

places either filter computers by MAC addresses or have a pay to‐use‐system. A few of you have asked

how this works and instead of reinventing the wheel each and every time I decided to create this

fundamental, quick how‐it‐works guide. These are a couple of reasons why you should lock down your

private network and never use public networks.

When a computer decides it wants to talk to another computer on the network it has four primary fields

it uses to communicate. In a packet, these fields are: source IP address, destination IP address, source

MAC address, and destination MAC address. Again, most of you even know about IP addresses so we

won’t get into that at all. But what most of you don’t know is the computer transfers traffic based on the

computers MAC address (which is a unique identifier for each device) and not the computer’s IP

address. The computer uses the IP address to learn the MAC address but does not actually send data

with it. Let me explain.

Let’s say Bob wants to talk the Alisha on the same network (send data). There is a protocol called ARP,

which stands for Address Resolution Protocol, that will send a request to the switch (or all of the devices

in the network if you’re using a hub) that you are trying to communicate with Alisha. When Alisha

responds, she will send back the MAC address of her computer to the switch. The switch, will then learn

Alisha’s MAC address if it doesn’t already know and send it back to Bob. Now Bob, having Alisha’s MAC

address, will fill in the destination MAC address (which is Alisha’s computer) and send data using that

information.

Here’s an example: Bob wants to send Alisha a file over the network. Bob first sends an ARP request to

the switch (most, if not all, home routers have a switch build in) saying “hey, I want to talk to Alisha,

here is her IP address. What is her MAC address so I can send the data?” The switch looks in the MAC

address table and determines that Alisha’s MAC address is F026:EA98:EB03:C68E (if the MAC address is

not known, it sends the ARP request to ALL of the computers on the network, except for Bob’s, until

Alisha responds back, “It’s me!”) Once the MAC address is determined, it is sent back to Bob so he can

transfer the data.

This is where MAC address spoofing comes in, because as you just learned, computers do not transfer

data using the IP address, but instead the MAC address. So MAC address spoofing, tricks the switch into

thinking your computer (let’s say you are Steve), is actually Alisha’s computer. So now when Bob wants

to send data to Alisha, half the packets will go to Alisha and half the packets will go to Steve. For the

same reason this works, the pay to‐use‐system can be defeated as well. This pay to‐use‐system uses the

MAC addresses to send data to already authorized computers which in turn is tricked and data is sent to

you without charge.

P a g e | 63

ARP poisoning on the other hand when an attacker is able to compromise the ARP table on the other

machines and changes the MAC address so that the IP address points to another machine. If the

attacker makes the compromised device’s IP address point to his own MAC address then he would be

able to steal the information, or simply eavesdrop and forward on communications meant for the

victim.

THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS

OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT

AGAINST ANYONE ELSE. SO PLEASE DON'T!

ARPPoisoningDemonstration:

1. Open Cain (you will need Cain and Able installed on your machine) 2. Click the Sniffer tab and turn on the network sniffer (the network interface button next to the

folder icon on the second row) 3. This should already be selected, but ensure that the Hosts tab is selected at the bottom 4. At the top, click the blue Plus button to scan for MAC addresses. Alternatively, you can right‐

click anywhere in the datagrid (white box) and select Scan MAC Addresses. 5. Once populated with devices other than your Default Gateway (usually any IP address ending

with the octet of 1) or your computer, select the APR tab at the bottom 6. Make sure APR is selected over on the left and click anywhere in the top datagrid (the top field

that is blank). The Plus button at the top should no longer be greyed out. 7. Once the New APR Poisoning Routing dialog box appears, you will select the computers that

you wish to attack 8. Over on the left, you will select your Default Gateway and over on the right you will select the

computer you wish to attack (the datagrid on the right will populate once the GW is selected on the left) *Doing this has the potential of causing a DoS attack whereas the victim cannot access the internet or any data in the network

9. Finally, select the “session” that you just created (under Status, it will say Idle) and click the ARP Poisoning button on the top that is next to the sniffer button you clicked on earlier. If successful, the status will change from Idle to Poisoning

10. From here, you can capture data packets, usernames, passwords, email addresses, and etc. 11. The only way to defeat this is to use encryption such and client to hosts VPN’s, PKI, or Tor 12. To stop the attack, you can click the ARP Poisoning button and the Sniffer button once more

Again, I should provide the warning that there are other ways they can see your traffic if they: use a

packet sniffer and perform a MiTM attack if their wireless network is not protected, if they were using a

network hub which broadcasts information out of all ports, if they have a managed switch and enable

port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point) as

mentioned above.

P a g e | 64

n this section, I will talk about several vulnerabilities, what they accomplish, and the mitigation

techniques. Because web browsers are used so frequently, it is vital to configure them securely.

Often, the web browser that comes with an operating system is not set up in a secure default

configuration. Not securing your web browser can lead quickly to a variety of computer problems

caused by anything from spyware being installed without your knowledge to intruders taking control of

your computer to websites obtaining your IP address and running malicious scripts when you navigate

to their webpage. I will briefly go over some other security considerations, dealing primarily with web

browsers. This section does not encompass everything, so further research is necessarily!

Topics


Downloading and Using the Tor Browser Bundle

What is Sandboxing and What is JIT Hardening, and Why Do I Care?

JavaScript

Cookie Protection and Session Hijacking attacks

Caching

Referers

CSRF/CSRF Attacks (XSS Attack)

Protect Browser Settings

DNS Leaks

User Awareness, Accidents and System Updates

Configuring Web‐Browsers and Applications to Use Tor

I

Chapter9_WebBrowserSecurity

P a g e | 65

Let’s start by talking about the browser itself. Personally, I use the Tor Bundle with Firefox, as do most.

Moreso, using Tails is recommended because of way it was designed; all traffic will run through Tor

regardless of the source and if is not running through Tor, it is dropped. A study was done though and it

was concluded that Google Chrome is the most secure browser largely because of Chrome’s sandboxing

and plug‐in security. Comparatively, Internet Explorer implemented (lacking industry standard)

sandboxing and JIT Hardening whereas Firefox falls behind on sandboxing and does not implement JIT

hardening.

9.1. DownloadingandUsingtheTorBrowserBundle

The Tor Project describes Tor as “Tor protects you by bouncing your communications around a

distributed network of relays run by volunteers all around the world: it prevents somebody watching

your Internet connection from learning what sites you visit, and it prevents the sites you visit from

learning your physical location. Tor works with many of your existing applications, including web

browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.”

I recommend downloading and using the Tor Browser Bundle even though I provided a step‐by‐step

exercise on how to configure your existing browsers to run through Tor (Section 9.11). Many people in

the past have used the Tor Button for Firefox which is no longer supported due to its fairly new rapid

release cycle of Firefox. Also, the use of a web proxy is not needed if you are just browsing the internet

using the Tor Browser Bundle. I would recommend using the hardening techniques as described below.

You should know that even though you are using Tor, you data is compromised at the Tor Exit Node if

you are browsing the internet (non‐onion websites).

P a g e | 66

DownloadandStarttheTorBrowserBundle

1. Navigate to the Tor website. 2. Under Tor Browser Bundle for Windows/Mac/Linux, select the appropriate version (32‐bit vs.

64‐bit). For Windows, just select the appropriate language. 3. Click “Save File” 4. Once the file is downloaded, open it. An example file I just downloaded was, tor‐browser‐

2.2.39‐1_en‐US.exe. Your version will probably be different than mine. 5. It is a self‐extracting archive. Select your preferred location and press Extract. 6. Navigate to and open the folder and run Start Tor Browser. 7. Once Tor establishes a connection, a Firefox browser will open. 8. You can now browse the internet as you would normally without your ISP or another party from

seeing what you are doing within Tor itself. There are other vulnerabilities that should be addressed, so I recommend reading on.

TorLinks

When you download and use Tor you can go to many .onion sites that are hidden from the clear

internet. Using these sites are completely anonymous as nobody knows you specifically are navigating

there; not even your exit node. Here is a list of a few Tor sites:

Main Page ‐ http:/kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. This link is to the main

Hidden Wiki that hosts links to other hidden Tor websites. View this site for the full listing.

Silk Road ‐ http://silkroadvb5piz3r.onion/. Silk Road ‐ Private marketplace with escrow (Bitcoin).

You can purchase anything from illegal pictures and video, to drugs and drug paraphernalia, to

arms and ammunition.

HackBB ‐ http://clsvtzwzdgzkjda7.onion/. Forums for hacking, carding, cracking, programming,

anti‐forensics, and other tech topics. Also a marketplace with escrow.

TorMail ‐ http://jhiwjjlqpyawmpjx.onion/. Can send/receive mail from inside and outside Tor

with a [email protected] address.

FreedomHosting ‐ http://xqz3u5drneuzhaeo.onion/. Hosting Service with PHP/MySQL. As of

2011‐06‐04, it hosts about 50% of the live OnionWeb by onion.

HardCandy – http://kpvz7ki2v5agwt35.onion/wiki/index.php/Hard_Candy. HiddenWiki link to

sites containing material that is intended for people who are attracted to children.

Lolita City ‐ http://m3hjrfh4hlqc67gb.onion/. Described as the biggest CP site in the Onionland.

Light, moderately fast collection, with a (often invaluable) tag, search and comment system. As

of November 2012 it hosts over 1 000 000 images.

OPVA2 (OnionPedo Video Archive) ‐ http://opva2pilsncvtwmh.onion/. Video archive with

comments, tags and search system. Mostly contains CP.

Pedo Support Community ‐ http://f3wjuyqroxyz2z3w.onion/. Support and resource community

for people who love children. This site does not contain any pictures/videos of CP and only

allows for individuals to join if they love children and do not seek to hurt them.

P a g e | 67

9.2. ConfiguringWeb‐BrowsersandApplicationstoUseTor

Here, I am going to be talking about using Tor to encrypt HTTP traffic as well as FTP and SSL. To

accomplish this we will be using Tor as well as Polipo, a web caching web proxy. Basically, we are going

to send all the traffic to the port that Polipo is listening on and forwarding that traffic through Tor.

Doing this will encrypt all HTTP, FTP and SSL traffic. This is a substitute to using the Tor Browser Bundle.

As stated above, you should know that even though you are using Tor, you data is compromised at

the Tor Exit Node if you are browsing the internet (non‐onion websites).

The first thing we need to do is download the Vidalia Bundle. This bundle includes Tor, Vidalia, and

Polipo. We are going to be configuring Firefox for this article. You should know however that all other

browsers and applications that allow for proxy settings will use the same configurations. However there

are limitations which we will discuss further down.

Startingtheservices

1. Start Polipo. 2. Start Vidalia. 3. Once you are connected to Tor (“Connected to the Tor network” – in the Vidalia Control Panel)

we will begin setting the proxy settings for Firefox.

Firefox

1. Start Firefox. 2. Click ‘Tools’ (if you do not see the menu‐bar press the ‘Alt’ key on your keyboard. The menu‐bar

should appear.). 3. Click ‘Options’ followed by ‘Advanced’. Select the ‘Network’ tab. 4. Under the ‘Connection’ group select ‘Settings…’ 5. Check the ‘Manual proxy configuration”’ check box. 6. For HTTP, SSL, SOCKS and FTP you will use (127.0.0.1 with Port 8118).

P a g e | 68

9.3. WhatisSandboxingandWhatisJITHardening,andWhyDoICare?

Wikipedia defines a sandbox as a “security mechanism for separating running programs. It is often used

to execute untested code, or untrusted programs from unverified third‐parties, suppliers, untrusted

users and untrusted websites.” Basically, think of it as, well… a sandbox. If you put a whole bunch of

kids in a sandbox and want them to stay there, they can’t leave. Sandboxes restrict system information,

which is extremely important for our purposes. Furthermore, as an additional layer of security, I use The

Tor Bundle in a virtual environment (a virtual application but a virtual machine is also recommended).

JIT hardening “keeps the browser from compiling JavaScript that cannot be run on the user’s computer.”

Basically, it is code that is compiled (compiling is like writing a book; you write several pages before you

bind the book together) on‐the‐fly to improve the

runtime performance of the JS. “Attackers have long

relied on JIT techniques to convert JavaScript into

malicious machine code that bypasses exploit

mitigations such as ASLR.”

9.4. JavaScript

Javascript is just as it implies; a script that is executed in the browser or where it is run from. JavaScript

is a programming language that allows access to system resources of the system running the script. It

runs when the webpage is loaded or an event is triggered and is denoted by <script> and </script> alike.

These scripts can interface with all aspects of an OS just like programming languages, such as the C

language. This means that JScript, when executed, can potentiality damage the system or be used to

send information to unauthorized persons. Obviously, this is not all‐inclusive and further

vulnerabilities/exploits can be managed by using JavaScript.

What should be pulled out of this is Javascript only runs scripts that are on the webpage; it cannot

magically get your IP address without it being explicitly written in the script. Thus, enabling JS on sites

that are known to be trusted, such as this site, you can be relatively safe in knowing that system

information (or your Public IP address) is not being leaked. But, however, as you may have guessed, this

is assuming that the scripts are not compromised which is a possibility at any time (though unlikely). In

any other scenario, you should disable JS for the site completely.

NoScript is recommended when dealing with JavaScript as it blocked all scripts unless explicitly defined

(as per script or site). Make sure when using NoScript, that “Disable Scripts Globally” is checked,

because if it enabled globally, you would defeat the purpose of the add‐on. By default, it is already

turned on. When using The Tor Bundle or the outdated Tor Button, it is also good to know that

dangerous JavaScript is already hooked. “Javascript is injected into pages to hook the Date object to

P a g e | 69

mask your timezone, and to hook the navigator object to mask OS and user agent properties not

handled by the standard Firefox user agent override settings.” You can also disable JavaScript directly

from the browser.

9.5. CookieProtectionandSessionHijackingAttacks

Wikipedia defines a cookie as a “small piece of data sent from a website and stored in a user's web

browser while a user is browsing a website. When the user browses the same website in the future, the

data stored in the cookie can be retrieved by the website to notify the website of the user's previous

activity.” When you log into a webpage, that session is also stored on your computer as a cookie. More

onion websites are using cookies for several reasons, including DoS attacks and session hijacking attacks.

A session hijacking attack basically allows a third party attacker to connect to a website and access their

session. For example, when you log into a website, you have just created a session. There are two main

ways they perform a session hijacking attack: session ID guessing and stolen session cookies. Session is

usually not as big of an issue because of the length of the session ID (mostly). And the other way

someone could steal a session cookie, is at the Tor Endpoint when they are performing a MiTM attack.

Sadly, MiTM attacks cannot be mitigated and cookie hijacking is a real threat.

Cookies, in general are not dangerous, however all third party cookies should be blocked in the browser

settings to stop tracking from a third party. A third party cookie places a cookie from one site for

another site. For example, if you visit www.widgets.com and the cookie placed on your computer says

www.stats‐for‐free.com, then this is a third‐party cookie.

Firefox(version10.0.5)

1. Start Firefox 2. Click ‘Tools’ (if you do not see the menu‐bar press the ‘Alt’ key on your keyboard. The menu‐bar

should appear.) 3. Click ‘Options’ 4. Click ‘Privacy’ 5. Check, ‘Tell websites I do not want to be tracked’ and either ‘TorBrowser will: never remember

my history’ OR uncheck ‘Accept third‐party cookies.’ Note, this does not stop all trackers websites do NOT have to abide by the ‘Tell websites I do not want to be tracked’ feature and this is not the only method.

9.6. Caching

Internet cache is “is a component that transparently stores data so that future requests for that data can

be served faster.” Whenever you go to a website, internet cached is created and saved on your

computer for faster viewing. This means that when you go to a picture site, all the pictures that are

P a g e | 70

loaded on the screen are saved on your computer for future viewing. Obviously, this is a huge security

risk and if someone were to gain access to your system and view the cache, they would know what you

have been looking at.

As a real quick side note, in the USA at least, it is not illegal to view the images, just download them.

Now, if you have adequate knowledge, they can claim that you knew the cached images were there and

you kept them there as an attempt to download the images. You can configure the browser settings or

have a program erase the cache securely. CCleaner is a good, recommended (and free!) program that

does that.

Firefox(version10.0.5)

1. Start Firefox 2. Click ‘Tools’ (if you do not see the menu‐bar press the ‘Alt’ key on your keyboard. The menu‐bar

should appear.) 3. Click ‘Options’ 4. Click ‘Privacy’ 5. Select ‘TorBrowser will: Use custom settings for history’ Note, this is not the only method

9.7. Referers

Wikipedia defines referers as “occurs as an HTTP header field – identifies, from the point of view of an

Internet webpage or resource, the address of the webpage (commonly the Uniform Resource Locator

(URL).” Basically, when you click on a picture for example (or when a picture loads in a webpage), the

website that hosts the information is sent a request that contains the last page you were in. Most

recently, on one of the sites that I frequent, there was an attack done whereas somebody performed

session hijacking attacks using referrer information

This was possible because the session ID was in the URL (again, the address of the webpage) and with

the use of referers, when a user loaded a page with live previews (or when a link was pressed), the

session was given to the attacker which allowed them to do whatever they wanted to the users account.

Disabling referers on the browser is recommended. This type of attack is another reason some sites are

not requiring cookies.

Disabling referers in the browsers setting or downloading an add‐on is recommended. RefControl,

https://addons.mozilla.org/en‐US/firefox/addon/refcontrol/ is a good add‐on that accomplishes this.

You can also disable referers in the browser settings as such:

P a g e | 71

Firefox

1. In the address bar, type ‘about:config’ press ‘Enter 2. Accept the prompt 3. Type ‘network.http.sendRefererHeader’ into the ‘Filter’ field 4. Double‐click ‘network.http.sendRefererHeader’ under ‘Preference Name’ 5. In the white box, enter ‘1’. The default value is two 6. Next, type ‘network.http.sendSecureXSiteReferrer’ into the ‘Filter’ field 7. Double‐click ‘network.http.sendSecureXSiteReferrer’ under ‘Preference Name.’ The value

should change to ‘False’ 8. Click "OK" and close the ‘about:config’ window

9.8. CSRF/CSRFAttacks(XSSAttack)

Wikipedia defines this attack as a “type of malicious exploit of a website whereby unauthorized

commands are transmitted from a user that the website trusts.” I won’t go into much detail about XSS

attacks because there are so many. Basically, this is another way that an attacker might be able to gain

control of your session. I recommend the add‐on RequestPolicy: https://addons.mozilla.org/en‐

US/firefox/addon/requestpolicy/

9.9. ProtectBrowserSettings

No amount of configurations will help if maleware on your machine is able to change your browser

settings. One popular attack is changing the proxy settings of the browser which will transmit anything

to a third party location versus through Tor. Another example is if software or maleware changes your

search settings. You might unknowing type something in that you did not want searched with a

particular search engine. For this, I would recommend BrowserProtect: https://addons.mozilla.org/en‐

US/firefox/addon/browserprotect/ which protects your browser’s settings and preference from being

changed.

9.10. DNSLeaks

Basically, a DNS leak is when your Public IP is leaked versus it going through Tor. If any traffic leaks, a

third party monitoring your connection will be able to log your webtraffic. There is a great how‐to for

Linux found here: https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks. For

Windows users, I would block TCP port 53 on your firewall. Note that blocking port 53 will block ALL

attempts from any web browser whether in Tor or otherwise. Also, I would change your DNS settings to

localhost (taken from Microsoft and “Mintywhite”, whatever that is):

P a g e | 72

Vista/71. Open Network Connections by clicking the Start button , clicking Control Panel, clicking

Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

2. Right‐click the connection that you want to change, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Local Area Connection is usually the wired connection and Wireless is wireless. For other adapters (dongles, etc.), you will have to right‐click those or use the software provided with the device.

3. Click the Networking tab. Under This connection uses the following items, click either Internet Protocol Version 4 (TCP/IPv4).

4. To specify DNS server address settings, do one of the following: 5. To specify a DNS server address, click Use the following DNS server addresses, and then, in the

Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary and secondary DNS servers (127.0.0.1).

XP1. Locate and open Network Connections. 2. Double‐Click your default Network Connection from the available list. 3. Click Properties. 4. Highlight Internet Protocol (TCP/IP) and click on Properties again. 5. To specify a DNS server address, click Use the following DNS server addresses, and then, in the

Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary and secondary DNS servers (127.0.0.1).

Furthermore, I would configure your browser to disable DNS prefetching:

Firefox

1. In the address bar, type ‘about:config’ press ‘Enter’. 2. Accept the prompt. 3. Type ‘network.dns.disablePrefetch’ into the ‘Filter’ field. 4. Double‐click ‘network.dns.disablePrefetch’ under ‘Preference Name’. 5. In the white box, enter ‘True’. 6. Click "OK" and close the ‘about:config’ window.

9.11. UserAwareness,AccidentsandSystemUpdates

We are all human and therefor make mistakes; it is a simple fact of life. One the most common mistake

is accidently searching for something in a web browser when it contains sensitive information.

Unfortunately, common user errors are not preventable and cannot be completely solved. You can

change the search provider to ensure it does not log your IP address in the first place, which should be

done regardless. For this I recommend DuckDuckGo: https://duckduckgo.com/privacy.html.

P a g e | 73

9.12. Limitations

When using Tor people believe that all traffic is encrypted; this is not the case. It is a good idea

that people know when traffic will be sent in clear‐text. As I said before, Tor works with many

applications including your instant messaging applications, remote logins and many other

applications based on the TCP protocol, but not the UDP protocol. Voice and video traffic are

examples of data that will likely be using UDP traffic; this means they are generally not safe to

use. This includes programs such as Skype, Google Voice, ChatRoulette, or Omegle. Those

programs/websites (when using webcam) will not be encrypted therefor they have no anonymity.

Even though I would not recommend it, you can send all traffic through a VPN and run the VPN through

Tor. Make sure to configure the VPN to use TCP traffic instead of the default UDP traffic though first.

Also know that there will be extreme performance degradation when doing this, so you might not even

consider this feasible.

9.13. Extra

There are also more advanced features of Polipo that you could look into that offer additional security.

Polipo offers the option to censor given HTTP headers in both client requests and server replies. The

main application of this feature is to very slightly improve the user's privacy by eliminating cookies and

some content‐negotiation headers. This can also be done using the FireFox windows (about:config) by

configuring the Header and Referrer information.

As a number of HTTP servers and CGI scripts serve incorrect HTTP headers, Polipo uses a lax parser,

meaning that incorrect HTTP headers will be ignored (a warning will be logged by default). If the variable

laxHttpParser is not set (it is set by default), Polipo will use a strict parser, and refuse to serve an

instance unless it could parse all the headers. Recently, as per a new vulnerability, you should set

network.websocket.enabled to False.

P a g e | 74

If you are using Linux you can create rules in the firewall (iptables) to only allow traffic through Tor and

block everything else. Doing so ensures that nothing is accidently leaked (traffic wise). When using the

Tor Browser Bundle, or a computer that is multipurpose, I would recommend blocking UDP port 53.

Port 53 is used for DNS, or Domain Name Service, and will ensure that your computer will not resolve

websites without going through Tor.

P a g e | 75

AES:AdvancedEncryptionStandard AP:AccessPointARP:AddressResolutionProtocol ASLR:AddressSpaceLayoutRandomizationAV:Anti‐virus BIOS:BasicInputOutputSystemCGI:CommonGatewayInterface CIA:Confidentiality,Integrity,andAvailabilityDBAN:DariksBootandNuke DCC:DirectClienttoClientDDoS:DistributedDenialofService DHCP:DynamicHostConfigurationProtocolDLL:DynamicLinkLibrary DLP:DataLeakagePreventionDMZ:DemilitarizedZone DNS:DomainNameServiceDoS:DenialofService DRAM:Dynamicrandom‐accessmemoryEXIF:ExchangeableImageFileFormat FDE:FullDiskEncryptionFTP:FileTransferProtocol GPG:GNUPrivacyGuardHIDS:HostIntrusionDetectionSystem HPA:HostProtectedAreaHTTP:HypertextTransferProtocal ICMP:InternetControlMessageProtocolIP:InternetProtocol IRC:InternetRelayChatISP:InternetSearchProvider JITHardening:JustinTimeHardeningJS:JavaScript KB:KilobyteLAN:LocalAreaConnection MACAddress:MediaAccessControlAddressMBR:MasterBootRecord MD:MessageDigestMFT:MasterFileTable MiTM:ManinTheMiddleNAS:Network‐attachedStorage NIDS:NetworkIntrusionDetectionSystemP2P:PeertoPeer PGP:PrettyGoodPrivacyRAID:RedundantArrayofIndependentDisks RAM:RandomAccessMemorySHA:SecureHashAlgorithm SRAM:Staticrandom‐accessmemorySSD:SolidStateDrives SSL:SecureSocketLayerTBB:TorBrowserBundle TC:TorChat/TrueCryptTCP:TransmissionControlProtocol UDP:UserDatagramProtocolURL:Uniformresourcelocator USB:UniversalSerialBusVLAN:VirtualLocalAreaNetwork VPN:VirtualPrivateNetworkWAN:WideAreaNetwork WiFi:WirelessFidelityWPS:WiFiProtectedSetup XSS:CrossSiteScripting

Chapter10 _StandardAcronyms

P a g e | 76

DownloadLinks

Listed below are the programs that I mentioned throughout this guide and the associated links:

Truecrypt (Encryption) ‐ http://www.truecrypt.org/downloads

WinRAR (Encryption) ‐ http://www.rarlab.com/download.htm

GPG (Encryption) ‐ http://gnupg.org/download/index.en.html

GPG for Windows (GUI) (Encryption) ‐ http://gpg4win.de/index.html

Tor Browser Bundle (Internet Safety) ‐ https://www.torproject.org/download/download‐

easy.html.en

TorChat (Anonymous Chat) ‐ https://github.com/prof7bit/TorChat

Pidgin (Chat Program) ‐ http://pidgin.im/

Tormail (Anonymous Mail) ‐ http://jhiwjjlqpyawmpjx.onion/

Tails (Secure Operating System) ‐ https://tails.boum.org/download/index.en.html

HashMyFiles (File Hash) ‐ http://www.nirsoft.net/utils/hash_my_files.html

CCleaner (Privacy Eraser) ‐ http://www.piriform.com/ccleaner/download/standard

PrivaZer (Privacy Eraser) ‐ http://privazer.com/download.php

Bleachbit (Privacy Eraser) ‐ http://bleachbit.sourceforge.net/download

DBAN (Secure Partition Delete) ‐ http://www.dban.org/download

Blancco (Secure Partition Delete) ‐ http://www.blancco.com/us/download/

UPX (Executable Packer) ‐ http://upx.sourceforge.net/

SPLView (SPL File Viewer) ‐ http://www.lvbprint.de/html/splviewer1.html

SPLViewer (SPL File Viewer) ‐

http://www.undocprint.org/_media/formats/winspool/splview.zip

BatchPurifier (Meta Data Remover) ‐ http://www.digitalconfidence.com/BatchPurifier.html

Exiv2 (Meta Data Viewer) ‐ http://www.exiv2.org/download.html

Opanda IEXIF (Meta Data Viewer) ‐ http://www.opanda.com/en/iexif/download.htm

Photoshop (Photo Editor) ‐ http://www.photoshop.com/

Paint.Net (Photo Editor) ‐ http://paint.net/

GIMP (Photo Editor) ‐ http://www.gimp.org/downloads/#mirrors

USB Oblivion (Evidence Remover) ‐ https://code.google.com/p/usboblivion/

Forensic Software Tools ‐ 4.13 (DOWNLOAD PATHS NOT LISTED)

LOIC (DoS Attack Tool) ‐ http://sourceforge.net/projects/loic/

Chapter11 _DownloadLinks

P a g e | 77

TFN (DDoS Attack Tool) ‐ http://packetstormsecurity.org/distributed/tfn2k.tgz

Stacheldraht (DDoS Attack Tool) ‐ http://packetstormsecurity.org/distributed/stachel.tgz

Secunia PSI (Update Tool) ‐ http://secunia.com/vulnerability_scanning/personal/

SuperAntiSpyware (Spyware Remover) ‐ http://superantispyware.com/download.html

Comodo (Firewall) ‐ https://personalfirewall.comodo.com/

Snort (IDS) ‐ http://www.snort.org/start/download

BackTrack (Penetration Testing Tool) ‐ http://www.backtrack‐linux.org/downloads/

Wireshark (Packet Sniffer) ‐ http://www.wireshark.org/download.html

Ethereal (Packet Sniffer) ‐ http://ethereal.com/download.html

Omnipeek (Packet Sniffer) ‐ http://www.wildpackets.com/

Dsniff (Network Auditing) ‐ http://www.monkey.org/~dugsong/dsniff/

Cain and Able (Various Tools) ‐ http://www.oxid.it/cain.html

Etherape (Packet Sniffer) ‐ http://etherape.sourceforge.net/

Netwitness Investigator (Packet Sniffer) ‐ http://www.netwitness.com/

Kismet (Packet Sniffer) ‐ http://kismetwireless.net/download.shtml

NetStumbler (Packet Sniffer) ‐ http://stumbler.net/

Medieval Bluetooth Scanner (Bluetooth Scanner) – Unknown manufactures page

CoreImpact (Penetration Testing) ‐ http://www.coresecurity.com/

AirSnort (Wireless Hacking) ‐ http://sourceforge.net/projects/airsnort/files/

CowPatty (Wireless Hacking) ‐ http://www.willhackforsushi.com/Cowpatty.html

Reaver (Wireless Hacking) ‐ http://code.google.com/p/reaver‐wps/

P a g e | 78

Thanks to CuriousVendetta and all for reviewing the guide

Securing Windows

Documents

Transcript of Securing Windows