Yes, we can validate the Wikileaks emails

DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.

Hillary’s team uses “hillaryclinton.com”, which has DKIM enabled. Thus, we can verify whether some of these emails are true.

Source: Errata Security: Yes, we can validate the Wikileaks emails

I was just listening to ABC News about this story. It repeated Democrat talking points that the WikiLeaks emails weren’t validated. That’s a lie. This email in particular has been validated. I just did it, and I have shown you how you can validate it, too.
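The check Errata describes can be reproduced in part with no network access at all. The block below is an added example (not code from the Errata post or from this blog) that implements the body-hash half of DKIM verification from RFC 6376: it canonicalizes the message body in “simple” or “relaxed” mode, recomputes the `bh=` value and compares it with the one in the `DKIM-Signature` header. Everything in the sample message (sender, `example.com`, selector `sel1`, the `b=PLACEHOLDER` tag) is constructed for the example. The `b=` signature over the headers is deliberately not checked here: that step needs the signer’s public key from the `<selector>._domainkey.<domain>` DNS TXT record, which is what actually ties the mail to the domain.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 ("simple") / 3.4.4 ("relaxed") body canonicalization."""
    # Normalise line endings to CRLF before anything else.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP and drop trailing whitespace on each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    # Both modes ignore empty lines at the end of the body ...
    body = body.rstrip(b"\r\n")
    # ... and end the result with exactly one CRLF ("simple" does so even for an empty body).
    if body or mode == "simple":
        body += b"\r\n"
    return body


def _b64_digest(data: bytes, algo: str) -> str:
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """The value a signer writes into the bh= tag."""
    return _b64_digest(canonicalize_body(body, mode), algo)


def split_message(raw: bytes):
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def get_header(head: bytes, name: str):
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


def parse_tags(value: str) -> dict:
    """Split a tag-list ("v=1; a=rsa-sha256; ...") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_matches(raw: bytes) -> bool:
    """True if the bh= tag of the message's DKIM-Signature matches its body."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        raise ValueError("message carries no DKIM-Signature header")
    tags = parse_tags(sig)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]          # rsa-sha256 -> sha256
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    canonical = canonicalize_body(body, body_canon)
    if "l" in tags:
        # l= limits the hash to the first l octets of the canonicalized body;
        # anything appended after that point is NOT covered by bh=.
        canonical = canonical[: int(tags["l"])]
    return hmac.compare_digest(_b64_digest(canonical, algo), tags.get("bh", ""))


def signed_sample(body: bytes, length_limit: bool = False) -> bytes:
    """Constructed test message (not a real e-mail). The DKIM-Signature carries the
    bh= a signer would compute for `body`; b= is a placeholder because this
    example does not perform the RSA step over the headers."""
    tags = [b"v=1", b"a=rsa-sha256", b"c=relaxed/relaxed", b"d=example.com",
            b"s=sel1", b"h=from:to:subject"]
    if length_limit:
        tags.append(b"l=%d" % len(canonicalize_body(body, "relaxed")))
    tags.append(b"bh=" + body_hash(body, "relaxed").encode())
    tags.append(b"b=PLACEHOLDER")
    return (b"From: sender@example.com\r\n"
            b"To: recipient@example.com\r\n"
            b"Subject: draft\r\n"
            b"DKIM-Signature: " + b";\r\n\t".join(tags) + b"\r\n"
            b"\r\n" + body)


if __name__ == "__main__":
    body = b"Please review the attached draft.\r\n\r\nThanks,\r\nJ\r\n"
    msg = signed_sample(body)
    print("untouched body        :", body_hash_matches(msg))                                   # True
    print("one character changed :", body_hash_matches(msg.replace(b"draft.", b"draft!")))      # False
    print("extra blank lines     :", body_hash_matches(msg + b"\r\n\r\n"))                     # True
    print("line appended         :", body_hash_matches(msg + b"P.S. wire the money\r\n"))     # False
    print("appended, but l= set  :", body_hash_matches(signed_sample(body, True) + b"P.S. wire the money\r\n"))  # True
```

Two practical points fall out of the last two lines. A `bh=` match proves the body is byte-for-byte what the signer saw, modulo the whitespace the chosen canonicalization ignores, so a single altered character fails while trailing blank lines do not. But if the signer set an `l=` length limit, text appended after that offset is outside the hash and the check still passes, which is why `l=` is widely regarded as a misfeature; a verifier should flag it rather than silently accept it. Verifying the `b=` tag on top of this covers the headers listed in `h=` (From, Subject, Date and so on) and proves who signed the message.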

U.S.: No alternate leads in Sony hack

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

via U.S.: No alternate leads in Sony hack – Tal Kopan – POLITICO.

From:  The FBI’s North Korea evidence is nonsense 

The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

The above article is dated 12/19/2014. It appears the FBI may be doubling down on their theories to save face. Their conclusions got POTUS to make a speech about this, and if it turns out it was all nonsense that makes him look bad too.

As a fan of author Tom Clancy’s early works, I found this quote funny. From: Researcher: Sony Hack Was Likely an Inside Job by a Woman Named “Lena”

This sounds much more plausible to me than a crack North Korean cyber-commando squad, or whichever Tom Clancy wet dream has been floating between the White House and the New York Times.

The Art and Science of Digital Forensics

The need for proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help it make sense of what happened.

The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer, the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.

via Book Review: Digital Archaeology: the Art and Science of Digital Forensics – Slashdot.

Under the Hood: Banking Malware

After 48 hours (and two all-nighters in a row) I logged onto the (now really REALLY) infected computer, complete with shiny new malware updates. I surfed to Bank of America’s web page, and found what I was looking for– a Man-In-The-Browser attack in action!

via Under the Hood: Banking Malware » LMG Security Blog.

We cover malware network forensics, web proxies and flow analysis during Days 3-4 of the Network Forensics class. We’ll be teaching next at Black Hat USA, July 27-30. Seats are limited, so sign up soon!

You’ll Never Believe the Data ‘Wiped’ Smartphones Store

So what can you do about all this the next time you’re ready to upgrade phones? The alarming answer is not much. According to Reiber, all of our volunteers did the right thing. They used the software tools available to restore each phone to its factory settings. But that didn’t matter. The data is still there, if you have the means to recover it. In fact, Reiber says there’s only one surefire way to make sure someone isn’t going to come along behind you and scarf up your old bits: Take a hammer to it.

via Break Out a Hammer: You’ll Never Believe the Data ‘Wiped’ Smartphones Store | Gadget Lab | Wired.com.

Another reason not to use your mobile gadget for storing any sensitive information. Here’s a link to the MPE+ Mobile Phone Forensics product mentioned in the article, and a sample of its features:

PHYSICAL IMAGING OF ANDROID DEVICES

MPE+ enables physical imaging of Android devices. MPE+ features built-in rooting functions that allow the physical analysis of any partition on an Android device. No need to pay for additional “rooting” suites.

Offensive Mobile Forensics

There are many different locations containing interesting data on iOS devices. Data often resides in SQLite databases, the chosen format for local storage on mobile devices. The next best place to find sensitive information is in plist, or property list files – these are the primary storage medium for configuration settings in iOS, and they are also a fantastic source of sensitive information. User credentials are often stored here, instead of inside the KeyChain where they should be. Rounding out the top three data sources are binary or binary-encoded files, such as the device’s keyboard cache and pasteboard. Although storage locations commonly change with the release of new iOS firmware, it is fairly simple to poke around the general area and find what you’re looking for.

via Offensive Mobile Forensics.

As with the configuration files on iOS, the XML files storing preferences for Android applications commonly include user credentials and other sensitive information.
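The “poke around the general area” step from the Offensive Mobile Forensics excerpt, and the Android preference files mentioned just above, can be scripted. The following is an added example, not code from that article or from this blog: with only the Python standard library it walks an extracted app container, parses property lists (XML or binary) and SQLite databases, and parses Android `SharedPreferences` XML, reporting any key or column whose name looks like it holds a secret. The directory layout of the fixture (`Library/Preferences/<bundle id>.plist`, `Documents/*.sqlite`, `shared_prefs/*.xml`) mirrors where iOS and Android keep these files, but every value in it is constructed for the example, and the list of “sensitive” name markers is an assumption you would tune per target app.

```python
import os
import plistlib
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Assumed markers for key/column names that tend to hold secrets; extend per target app.
SENSITIVE_MARKERS = ("password", "passwd", "pwd", "secret", "token", "api_key",
                     "apikey", "credential", "session", "cookie")


def looks_sensitive(name: str) -> bool:
    name = name.lower()
    return any(marker in name for marker in SENSITIVE_MARKERS)


def scan_plist(path: str) -> list:
    """Walk a property list (XML or binary) and report sensitive-looking keys."""
    hits = []
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return hits          # not a plist we can parse

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for key, val in node.items():
                full = f"{prefix}/{key}" if prefix else str(key)
                if looks_sensitive(str(key)) and isinstance(val, (str, bytes)):
                    hits.append((path, full, val if isinstance(val, str) else val.hex()))
                walk(val, full)          # nested dicts (e.g. an "oauth" block) are common
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{prefix}[{i}]")

    walk(data)
    return hits


def scan_sqlite(path: str) -> list:
    """Report sensitive-looking columns, with their values, from every table of a SQLite file."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                if looks_sensitive(col):
                    for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                        if val:
                            hits.append((path, f"{table}.{col}", str(val)))
    except sqlite3.DatabaseError:
        pass                 # not a SQLite file, or encrypted (e.g. SQLCipher)
    finally:
        con.close()
    return hits


def scan_android_prefs(path: str) -> list:
    """Android SharedPreferences XML: <map><string name="k">v</string><int name="k" value="v"/>...</map>."""
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits
    if root.tag != "map":
        return hits
    for el in root:
        name = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value")
        if looks_sensitive(name) and value:
            hits.append((path, name, value))
    return hits


def scan_container(root: str) -> list:
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".plist"):
                hits.extend(scan_plist(path))
            elif fn.endswith((".sqlite", ".sqlite3", ".db")):
                hits.extend(scan_sqlite(path))
            elif fn.endswith(".xml"):
                hits.extend(scan_android_prefs(path))
    return hits


def build_sample_container(base: str) -> str:
    """Constructed fixture imitating an app sandbox; none of this is data from a real device."""
    prefs = os.path.join(base, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.bank.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark",
                       "oauth": {"refresh_token": "r-123"}}, fh, fmt=plistlib.FMT_BINARY)
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    con = sqlite3.connect(os.path.join(docs, "cache.sqlite"))
    con.execute("CREATE TABLE sessions (id INTEGER, session_token TEXT, note TEXT)")
    con.execute("INSERT INTO sessions VALUES (1, 'sess-abc', 'hello')")
    con.commit()
    con.close()
    shared = os.path.join(base, "shared_prefs")
    os.makedirs(shared)
    with open(os.path.join(shared, "com.example.app_preferences.xml"), "w") as fh:
        fh.write('<map>\n  <string name="api_key">AKIA-EXAMPLE</string>\n'
                 '  <string name="last_screen">home</string>\n</map>\n')
    return base


def demo_scan() -> set:
    """Build the fixture in a temp dir, scan it and return the {(key, value)} found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_container(tmp)
        return {(key, val) for _, key, val in scan_container(tmp)}
```

Run against a real extraction, point `scan_container` at the app’s container directory (on Android, `/data/data/<package>/`). What it finds is exactly the class of data the excerpt warns about: credentials that should have been in the iOS Keychain or the Android Keystore but were written to a plist, a preferences XML or a cache database instead. The binary keyboard cache and pasteboard files need their own parsers and are not covered, and an encrypted database simply fails to open and is skipped, which is itself worth noting in the report.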

Mount dd images in Windows

Tools for OSForensics – OSFMount – Mount dd images in Windows.

OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter. You can then analyze the disk image file with PassMark OSForensics™ by using the mounted volume’s drive letter. By default, the image files are mounted as read only so that the original image files are not altered.