December 23, 2009
Tags: communication patterns, email, forensics, oops, word frequencies
Wikileaks has data from several Neo Nazi forums. The information includes user lists, private message histories, forum posts, etc. I’ve been poring over the data since yesterday. They seem to be using SMF and phpBB primarily between the sites – some with modified fields. I’m currently looking at the communication patterns for the private messages. When I analyzed the user lists, I found a good number of overlap users between the sites – users who were members of multiple websites. What I’m doing now is cross-referencing the private messages to and from the individuals with multiple memberships. I’m hoping this reveals who the significant actors are, which individuals form subgroups, and how different subgroups are linked between the sites through the multiple-membership users.
This is all very preliminary, but should make for some fascinating observations later. After I am done with the communication patterns, I’m going to take a look at word frequencies in the forum posts. I might make one of those weighted word clouds, those always make for intriguing eye candy.
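As an added sketch of the cross-referencing described above (my own example, not code from the analysis): it finds the multiple-membership users, splits each site's private-message graph into subgroups, and reports which subgroup each overlap user sits in on each site. The member lists and message pairs are constructed sample data, not the leaked dumps.

```python
from collections import defaultdict

# Constructed sample data (not the leaked forum dumps): per-site member lists and
# private-message (sender, recipient) pairs, keyed by site.
MEMBERS = {
    "siteA": {"ulf", "rex", "mia", "kai", "bo"},
    "siteB": {"rex", "kai", "zoe", "ana"},
    "siteC": {"kai", "tom"},
}
PMS = {
    "siteA": [("ulf", "rex"), ("rex", "mia"), ("mia", "ulf"), ("kai", "bo")],
    "siteB": [("rex", "zoe"), ("zoe", "ana"), ("kai", "ana")],
    "siteC": [("kai", "tom")],
}

def overlap_users(members):
    """Users holding accounts on more than one site -> sorted list of those sites."""
    sites_of = defaultdict(set)
    for site, users in members.items():
        for u in users:
            sites_of[u].add(site)
    return {u: sorted(s) for u, s in sites_of.items() if len(s) > 1}

def subgroups(pms):
    """Connected components of one site's PM graph (direction ignored), as frozensets."""
    adj = defaultdict(set)
    for a, b in pms:
        adj[a].add(b); adj[b].add(a)
    comps, seen = [], set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            u = stack.pop()
            if u not in comp:
                comp.add(u)
                stack.extend(adj[u] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps

def cross_site_links(members, pms):
    """For each multi-membership user, the PM subgroup they sit in on each of their sites;
    a user present in two sites' subgroups is what ties those subgroups together."""
    comps = {site: subgroups(edges) for site, edges in pms.items()}
    return {u: {s: next((c for c in comps.get(s, []) if u in c), frozenset({u})) for s in sites}
            for u, sites in overlap_users(members).items()}
```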
December 11, 2009
Tags: bad ideas, oops
User error is ever the bane of security. It has plagued the digital world since the first user taped their password to their monitor, an event likely to have occurred shortly after the first passwords were given out. While the existence of user error continues its endless march, the form it takes mutates as technology advances. Recently, the Department of Homeland Security mistakenly released a manual on its screening procedures (user error 1) and failed to properly redact certain sections of it (user error 2). The internet, in its vast never-sleeping glory, found this document and scattered it to the four winds to preserve it against censorship. (As a side note, I often speak of the internet metaphorically as if it were a living entity. I feel it better captures the internet’s essence that we are each but parts of a larger metaphorical mental organism.)
The document can be found at cryptome.org and on wikileaks.org.
The mistake was a fairly simple one, and a common governmental gaffe. In redacting the document, the reviewer simply placed black boxes over the offending text without “burning in” the redaction. “Burning in” is a process of re-rendering the PostScript data so that instead of rendering a block of text with a black bar on top of it (i.e. layered) it renders just the black bar. In the layered rendering they released, the redaction box can simply be deleted, or the underlying text copied and pasted straight out of the document.
(more…)
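An added example of the check that catches this mistake (not code from this post, nor from cryptome or wikileaks): it scans a PDF page content stream for text-showing operators, so a box drawn over text is reported as a leak while a burned-in redaction is not. The two content streams are constructed samples, not the DHS document.

```python
import re

# Constructed page content streams (not the released DHS document). Both paint a black
# rectangle ("0 g ... re f") over the sensitive value; LAYERED still carries the text
# under the box, BURNED_IN has the text itself removed before the box is drawn.
LAYERED = b"""BT /F1 12 Tf 72 700 Td (Threshold: SECRET-VALUE-123) Tj ET
0 g 140 696 180 14 re f"""
BURNED_IN = b"""BT /F1 12 Tf 72 700 Td (Threshold: ) Tj ET
0 g 140 696 180 14 re f"""

# A PDF string literal: parentheses with backslash escapes inside (nested unescaped
# parentheses are not handled here).
_STR = rb"\((?:\\.|[^\\)])*\)"
# Text-showing operators: "(...) Tj" and "[(...) -20 (...)] TJ".
_TJ = re.compile(rb"(" + _STR + rb")\s*Tj")
_TJ_ARRAY = re.compile(rb"\[((?:" + _STR + rb"|[^\]])*)\]\s*TJ")

def _unescape(literal):
    return re.sub(rb"\\(.)", rb"\1", literal[1:-1]).decode("latin-1")

def extract_text(stream):
    """Every string the stream draws, no matter what is painted over it afterwards."""
    found = [_unescape(m.group(1)) for m in _TJ.finditer(stream)]
    for m in _TJ_ARRAY.finditer(stream):
        found.append("".join(_unescape(s) for s in re.findall(_STR, m.group(1))))
    return found

def paints_boxes(stream):
    """True if the stream fills rectangles, the visual signature of a drawn-on redaction."""
    return re.search(rb"\bre\s+f\b", stream) is not None

def redaction_leaks(stream, needle):
    """A box over text is not a redaction: the text must be absent from the content stream."""
    return paints_boxes(stream) and any(needle in s for s in extract_text(stream))
```

Real documents also compress content streams and spread text across fonts and objects, so a pdftotext-style pass over the whole file is the practical form of the same check.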
November 24, 2009
Tags: blackfriar, contests, DC3, forensics, tools, UNO
The results for the 2009 challenge are due in 6 days. This year there were 1153 entries with 44 submissions, a slightly lower rate of return than last year. The challenge format was different this year. Last year’s format was a set of discrete problems at various levels of difficulty with some of the higher difficulty problems being more complex forms of the lower problems. This year the challenge was a simulation. We received a case file with information from the investigators and a type of work order for what we were to investigate. The challenge data was a single hard drive image from a system used by the suspect.
Evidence was located in a variety of places, from simple chat logs to the Windows registry. There were some red herrings along the way, including files from previous years, but all in all it was a decent challenge. Some of the documents felt rushed, such as the case file still having track changes enabled, but given the difficulty in constructing believable simulations I cannot take the DoD to task overly much.
Below the fold is our primary report for the challenge we submitted earlier in the month. The full report including the registry report, the evidence files, and so forth will likely be released when the results are announced as they were last year. If DC3 does not release them, I will post a copy for download if anyone is interested.
(more…)
October 28, 2009
Tags: DC3, forensics
Just a short update. I’ve been busy working away at the final touches on the DC3 2009 submission. 4 days to go until the deadline, then I’ll be posting a summary of our findings!
October 7, 2009
Tags: attacks, bad ideas, social engineering
Fairly uninteresting from a technical point of view, but worth noting as a perpetual problem. The Register reports on a recent fishing attack against Hotmail and other web-based email users. Phishing, Fishing, <><, all refer to what is known as a “Social Engineering” attack. Social engineering attacks target the user rather than the technology, and do so by convincing the user to go along with what the attacker wants or needs. Here’s a snip from Hackers, the circa-1995 movie, which illustrates the concept:
(more…)
October 1, 2009
Tags: attacks, bad ideas, lockdown browser, respondus
The Respondus LockDown Browser is an application designed to “lock down” a system for the duration of an exam. It claims to display a full-screen browser that cannot be minimized, prevents task switching, stops “over 400 screen capture, messaging, screen-sharing and network monitoring applications” from running, blocks external links to avoid compromising the “locked testing environment”, and so forth. The application is intended to (1) stop students from accessing external material while taking the exam, (2) stop students from recording the examination questions, and (3) stop students from communicating with others – all in an effort to stop cheating.
I learned about this application over the weekend when an online exam for a class I am taking this semester required its use. I was quite annoyed to learn it did not have a Linux client and relied on Internet Explorer. Using Linux as my primary OS, I naturally loaded it into a VMware copy of Windows XP only to discover it refuses to run in a virtual machine. Not wanting to go all the way to campus to take the exam, I fired up IDA Pro and decided to take a look at the VM detection mechanisms – needless to say I was unimpressed.
(more…)
August 21, 2009
Tags: AI, tools
New Scientist posted a writeup about a new paper on stylometry published by researchers Michael Brennan & Rachel Greenstadt at Drexel University. It was an interesting read. They missed a recent publication from last year’s DFRWS conference dealing with authorship identification from anonymous emails etc. The former refers to the concept as “Stylometry” whereas the latter uses the term “Write Print.” The basic idea is that an individual’s writing will have a consistent style, sufficiently unique from writing at large to link back to the author. In general, various facets of the writing (word choice, tense, grammatical constructs, etc) are parsed and reduced to statistical information fed into various AI classification techniques; thereafter the classifier trained on an individual’s known writing can be used to classify unknown writing samples as belonging to a given individual with some probability.
(more…)
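An added worked example of that pipeline (not the Drexel or DFRWS code): a handful of writing facets reduced to a feature vector, then a nearest-centroid classifier standing in for the AI techniques the papers use. The training texts are constructed, and the feature set is deliberately small.

```python
import re
from collections import Counter
from math import sqrt

# Function words: authors rarely control these consciously, which is why their
# rates carry stylistic signal. A real system uses hundreds of features.
FUNCTION_WORDS = ["the", "of", "which", "that", "is", "i", "really", "just", "so", "it", "and", "in"]

def features(text):
    """Text -> vector: function-word rates, mean word length, mean sentence length."""
    toks = re.findall(r"[a-z']+", text.lower())
    sents = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n, counts = max(len(toks), 1), Counter(toks)
    vec = [counts[w] / n for w in FUNCTION_WORDS]
    vec.append(sum(map(len, toks)) / n / 10)        # scaled so one feature does not dominate
    vec.append(len(toks) / max(len(sents), 1) / 30)
    return vec

def train(samples):
    """samples: {author: [known texts]} -> {author: centroid vector}."""
    model = {}
    for author, texts in samples.items():
        vecs = [features(t) for t in texts]
        model[author] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return model

def classify(model, text):
    """(author, distance) of the nearest centroid; a smaller distance is a stronger match."""
    v = features(text)
    dist = {a: sqrt(sum((x - y) ** 2 for x, y in zip(v, c))) for a, c in model.items()}
    best = min(dist, key=dist.get)
    return best, dist[best]

# Constructed training samples, deliberately distinct in style.
SAMPLES = {
    "A": ["I just think this is really cool. So I tried it. It just worked, really.",
          "I really like it. So simple. Just works, and I love that."],
    "B": ["The analysis of the data, which was collected over the course of the study, indicates that the method is effective.",
          "The results of the experiment, which the authors discuss at length, suggest that the approach of the prior work is sound."],
}
```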
August 11, 2009
Tags: bad ideas, cryptography, forensics, Law
Two convicted for refusal to decrypt data
Since October 2007, when the refusal to disclose decryption keys was made criminal in the UK, the buzz around the smallish digital forensics research community has been alarm. Security researchers, by definition always on the lookout for failings in a system, immediately proposed a situation in which encrypted data is present on a system for which the user does not have the decryption key, thus creating a crime through ignorance, not of the law but of the key. As reported by the Register in the above link, two individuals have been convicted under this ridiculous law.
(more…)
July 1, 2009
Tags: email, forensics, nagin
The “Louisiana Technology Council” held a press conference today regarding the ongoing attempts to recover Mayor Nagin’s email and calendar information. I just got back from the press conference, but am somewhat disappointed in its content. Some information can be found in these articles:
http://www.nola.com/news/index.ssf/2009/07/technology_group_hired_to_do_f.html
http://www.wwltv.com/topstories/stories/wwl063009cbltc.229efbfe.html
I’m waiting for the broadcast tonight to review what was said. The meat of the press conference boiled down to a scenario where an Exchange 2003 mail server experienced a significant failure in 2008 (the failure was not specified), prompting the city’s IT department to accelerate a planned migration of the mailstore to a new Exchange 2003 server. The old mail server was purged of 22 GB of data, with a post-purge store size of 60+ GB, at or around May 5th, which the individuals associated with the LTC recovery effort described as suspiciously soon after a conference call about the recovery effort.
(more…)
June 24, 2009
Tags: cryptography
Microsoft Office has several available cryptographic options for encrypting Office documents. In the 97-2003 .doc format the RC4 stream cipher with a 40-bit key is used by default. The 40-bit key was chosen at a time when export restrictions on encryption technology existed. There have been publications exposing weaknesses in the implementation beyond the 40-bit key size, but the format is still the default in all Office installations prior to 2007.
I recently had to read up on the implementation in Microsoft Office for Word documents to solve part of the 2009 DC3 forensics challenge. I found the scattered nature of the documentation concerning it somewhat frustrating, and not as clear as it could be in demonstrating the process. I decided to document it here in a single location for posterity. This post will detail the verification process step by step with illustrations showing the process in pseudo code/math/memory. For the most part the images represent byte arrays manipulated with various functions, but should be fairly clear. They are SVG format images; if your browser does not support them you may view them in Inkscape, but most modern browsers should handle them fine. This document does not cover the Word document format itself or how to extract the encryption information – I’ll save that for another post later when I add some code for automatically extracting it.
(more…)
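An added example of the password verification step in the Office binary RC4 scheme as described in MS-OFFCRYPTO 2.3.6 (this is not the post's own code, and the spec should be checked for details): derive the block-0 key from the password and salt, RC4-decrypt the verifier and its hash with one keystream, and compare MD5(verifier) to the decrypted hash. The salt and verifier are constructed values, and the encrypted header fields are generated here rather than read out of a document.

```python
import hashlib
from struct import pack

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the standard library has no RC4, so it is written out."""
    S = list(range(256)); j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(password, salt, block=0):
    """Key derivation per MS-OFFCRYPTO 2.3.6.2. Each MD5 output is cut to 5 bytes before
    feeding the next step, so only 40 bits of secret reach the final key: the '40-bit'
    strength is a property of the derivation, not of RC4's 128-bit key input."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()[:5]
    h1 = hashlib.md5((h0 + salt) * 16).digest()[:5]
    return hashlib.md5(h1 + pack("<I", block)).digest()

def verify_password(password, salt, encrypted_verifier, encrypted_verifier_hash):
    """Verifier and its hash are encrypted back to back under block 0's keystream."""
    stream = rc4(derive_key(password, salt), encrypted_verifier + encrypted_verifier_hash)
    verifier, stored_hash = stream[:16], stream[16:32]
    return hashlib.md5(verifier).digest() == stored_hash

def make_header(password, salt, verifier):
    """Produce (encryptedVerifier, encryptedVerifierHash) as a writer would; test data only."""
    stream = rc4(derive_key(password, salt), verifier + hashlib.md5(verifier).digest())
    return stream[:16], stream[16:32]

# Constructed sample values (not taken from the DC3 challenge file).
SALT = bytes(range(16))
VERIFIER = b"\xA5" * 16
ENC_VERIFIER, ENC_VERIFIER_HASH = make_header("secret", SALT, VERIFIER)
```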