Best Forensics Tutorials Vol.3

Dear Readers,

We present a brand new edition of our magazine, containing the best tutorials we gathered in the last few years. This issue will be divided into two parts, each with certain topics covered. We decided to do this for your convenience. Everyone gets to browse through each part and choose which topics interest them the most, and those who are not our subscribers will enjoy lower prices for buying separate e-books - everyone wins!

Still, each part contains close to 400 pages of content and a few dozen of articles and step by step tutorials, guides and how-to’s. We believe you will find those issues very useful to have in your storage of choice, without the need to search through all our issues in search for that one perfect article which solves your problems.

Part 2 - this one - has all kinds of guides on mobile forensics, delves deep into network forensic analysis and complements the set with tutorials on SQL server. The topics may not be as diverse as in Part 1, but still you have plenty to read and learn from this one.

As always, we count on your feedback. Leave your reviews on the website, give us your comments on Facebook (/EForensicsMagazine) and tweets on Twitter (@eForensics_Mag). Your opinions really matter to us, so don’t be shy! You can also reach our editors directly, sending your e-mails to our Editor in Chief Joanna Kretowicz at [email protected] and Marta Strzelec at [email protected]. We can’t wait to hear from you!

Enjoy your reading!

eForensics Magazine
Editorial Team

Buy this issue

TABLE OF CONTENTS

NETWORK:

STEPS TO CONDUCT NETWORK FORENSIC ANALYSIS
by Rizwan Khan, CISSP, CFCE

Prepare yourself for the perfect network forensic investigation – what are the network topologies, attacks and threats? How to gather the necessary data? And finally – how to make good use of Wireshark, Snort and Ossec – invaluable network forensic tools?

DEXTER’S FORENSICS. A NETWORK AND MEMORY ANALYSIS
by Andrei Saygo

In this article we’ll go step by step through an analysis of Dexter, the infamous password-stealing threat that targets Point of Sale (PoS) systems from a network and memory forensics point of view.

TRACKING NETWORK TRAFFIC WITH BACKTRACK DARKSTAT AND DRIFTNET
by Ayei Ibor

Monitoring a network can be done in several ways using different applications. One common way of tracking traffic that goes in and out of a network is packet sniffing. BackTrack darkstat and driftnet are the tools that allow us capture and log of live traffic that passes through our network. Nothing will escape your attention now!

SOCIAL MEDIA MINING
by Kevin Smith and Krystina Horvath

Social media allows users to share troves of data with their peers. From demographics to pictures and videos to status updates, this overabundance of social data allows users to clearly illustrate their personal lives. What is the catch? Privacy. This article will showcase the ease of social media mining and being able to hijack a social media profile along with the user’s other online accounts. In addition, this article will highlight mitigation techniques that can be taken by social media websites to lessen the frequency of hijacked profiles and nefarious social media data mining.

EFFECTIVEW PHISHING ATTACKS STEALING USER DETAILS
by Colin Renouf

Phishing is a growing means of attack to which so many people succumb. This article explains the most effective methods of convincing an unsuspecting user that an email has come from someone who can be trusted; and the methods of capturing information from them – some of which don’t necessarily involve the use of computers. Phishing is essentially a social attack. By learning the techniques used for surreptitiously stealing information from an unsuspecting user, a security professional can use the techniques in penetration testing. He can also prepare users to defend themselves against such attacks.

CLOUD COMPUTING RISK ASSESSMENT
by Bryan Soliman

Cloud Computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet. In science, Cloud Computing is a synonym for distributed computing over a network, and means the ability to run a program or application on many connected computers at the same time.

DIY: CYBER BLACK BOX DECRYPT & MODIFY TRAFFIC ON-THE-FLY
by Dennis Chow, MBA, Senior Information Security Engineer

This article demonstrates how users can still be susceptible to their secure connections being monitored or modified without their knowledge on-the-fly with a device that a malicious person can put into the network. Legitimate use cases can be for troubleshooting or basic traffic monitoring for security purposes. Other purposes can easily lead to compromised credentials or even unauthorized actions on behalf of the user. Read on to find out how you can build a DIY (Do It Yourself) Cyber Black Box that will decrypt SSL sessions and modify traffic at your will.

STEP BY STEP GUIDE TO APPLICATION SECURITY PENETRATION TESTING WEB APPLICATION SECURITY
by Abhishek Dashora

This document will guide you to penetrate the web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.

HOW TO DISABLE OR CHANGE WEB-SERVER SIGNATURE
by Mohit Raj

To know Web-server signature means to know Web-server software and its version, it means to know which software and its version is running on the server machine. Many new developed website easily show their Signature.

NMAP: NETWORK ANALYSIS TECHNIQUES – A PRAGMATIC APPROACH
by Jean Marcel and Thiago Delgado

This time Jean Marcel and Thiago Delgado will show us how to use NMAP to find vulnerabilities and scan hosts for open ports without leaving traces. We will also learn how to pick the right technique to avoid being detected and simulate fake connections to puzzle intrusion-detection systems.

THE ENEMY INSIDE THE GATES A GUIDE TO USING OPEN SOURCE TOOLS FOR NETWORK FORENSICS ANALYSIS
by Phillip D. Shade – CNX-Ethernet, PASTech, WCNA, WNAX-Forensics

Phill Shade, Certified instructor for Wireshark University, Expert and Speaker at SHARKFEST’13, internationally recognized Network Security and Forensics Expert The goal of this brief tutorial is to introduce the concepts and techniques of Network Forensics Analysis including:
- Understanding the principles of Network Forensics Analysis and situations in which to apply them to evidence analysis
- Selecting and configuring Wireshark for Network Forensics Analysis to capture and recognize traffic patterns associated with suspicious network behavior.
- Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing techniques such as Web-Browsing sessions, Emails or file transfer activities or for detailed analysis and evidentiary purposes.
- Network security principles including encryption technologies, defensive configurations of network infrastructure devices and understanding and recognizing potential network security infrastructure mis-configurations

PACKET ANALYSIS WITH WIRESHARK AND PCAP ANALYSIS TOOLS
by Eric A. Vanderburg

Almost every computer today is connected. Their communication with others takes the form of packets which can be analyzed to determine the facts of a case. Packet sniffers are also called as network analyzers as it helps in monitoring every activity that is performed over the Internet. The information from packet sniffing can be used to analyze the data packets that uncover the source of problems in the network. The important feature of packet sniffing is that it captures data that travels through the network, irrespective of the destination. A log file will be generated at the end of every operation performed by the packet sniffer and the log file will contain the information related to the packets.

USING WIRESHARK TO ANALYZE SSL CONFIGURATIONS AND CERTIFICATES
by Larry Greenblatt

With all the talk these days of internet spying and theft, people are becoming increasingly concerned with protecting their information. As Laura Chappell, the founder of Wireshark University, might say, you can have opinions from people on security, but packets don’t lie. In this article I will show you how to use some simple Wireshark display filters and settings to view SSL/TLS capabilities in browsers, the negotiated cipher suite (the asymmetric, symmetric and hashing algorithms in use for the current session) and the information stored in the certificate.

WIRESHARK FILTERS FOR NETWORK ANALYSIS
by Amandeep Kaur, CISC, CPH, CPFA

Lecturer in Information Technology Network Analysis is the process of listening to and analyzing network traffic. It offers an insight into network communication to identify performance problems, analyze application behavior, locate security breaches, and perform capacity planning. IT professionals use these processes to validate network performance and security.

CAPTURING E-MAILS AND GOOGLE IMAGE SEARCHES FROM YOUR NETWORK
by Jessica Riccio

Imagine that you are the manager of a company and receive a tip from an employee that another employee is using his computer to view images that violate the company’s computer use policy. After hearing this information, you want to decide if the allegations made against your employee are true. All you need to do is launch Wireshark and follow Jessica’s guide!

SNOOPING ON CALLS USING WIRESHARK
by Milind Bhargava

(VoIP, n.d.) – Voice over Internet Protocol, is the new fashion in market. Everyone is moving towards it. Not that I feel there is anything wrong with it. It is not really that secure. Irrespective of if you are a forensic expert or a malicious user, using a tool as simple as Wireshark can help you listen to the calls made on a network.

CARVING BINARY DATA FROM PACKET CAPTURES
by Kelly Doyle

Imagine you are an incident responder and are notified that your company’s network has been compromised for the last several weeks. Your boss tasks you with identifying what information was exfiltrated from the network. Where do you start? This article will introduce you to some of the basic concepts for finding and carving out forensic artifacts off the wire.

NETWORK BASED FILE CARVING
by Gavin Stroy

File carving is the name of the technique of pulling files out of a stream of bytes without the use of a particular file system; much like finding a word in a word search puzzle. Network based file carving is used to extract files from saved network traffic data that has been collected from tools such as Wireshark or TCPdump. This is useful for extracting viruses to be analyzed, identifying exfiltration, and forensic investigations.

NETWORK FORENSIC WITH WIRESHARK DISCOVERING AND ISOLATING DOS/DDOS ATTACKS
by Yoram Orzach

Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks are attempts to make a computing or network resource unavailable to its users. There are various types of DoS/DDoS attacks, some load the network to the point it is blocked for applications traffic, some load servers to that point, and some are more sophisticated and try to “confuse” the application servers with bad data. Although there are various tools for detection and prevention of these types of attacks, good old Wireshark can also be used for this purpose. In this article we will see some important features of Wireshark, were to place it for capturing data, and how to use it to identify attack patterns.

MOBILE:

INTRODUCTION TO MOBILE FORENSICS 

by Fabio Masa

The production process of the forensic evidence is divided in five main phase: the seizure, the identification, the acquisition and the examination or analysis. Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedures for all cases.

ANDROID FORENSICS AND SECURITY LESSON 1: ANDROID APPLICATION STRUCTURE
by Lorenzo Nicolodi

Thanks to the growth of the Android market in the last years, seizing an Android device is something that, sooner or later, will happen to every forensics expert. Even if some concepts are common to every mobile device, some others are specific to Android and the knowledge of them can be the turning point either to exploit commercial tools features or to develop specific tools for specific needs.

EMULATION DETECTION TECHNIQUES FOR ANDROID
by Victor Antonio and Torre Villahoz

Android is an operating system widely used in mobile systems. This past year it has been attacked by Malware, due to its proliferation of phones and tablets from many different manufacturers. There are projects like ‘Droidbox’ (sandbox for Android) that allow security researchers to dynamically analyze applications through the use of the emulator included in the SDK.

HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING
by Eran Goldstein

Today we are going to demonstrate a quick reverse engineering and analysis process of an android mobile application called Ingress. Ingress is a near-real time augmented reality massively multiplayer online video game. It was created by Niantic Labs, a startup within Google, for the Android based devices market. The game has a complex science fiction back story which Niantic is revealing in segments. The gameplay consists of establishing “portals” at places of public art, etc., and linking them to create virtual triangular fields over geographic areas. The progress in the game is measured by the number of Mind Units, i.e. people, nominally controlled by each faction (as illustrated on the Intel Map). The necessary links between portals may range from meters to kilometers, or to hundreds of kilometers in operations of considerable logistical complexity. International links and fields are not uncommon, as Ingress has attracted an enthusiastic following in cities worldwide amongst both young and old, to the extent that the gameplay is itself a lifestyle for some, including tattoos.

TIMELINE ANALYSIS OF LOGS IN ANDROID OS
by John Andr’e Bjørkhaug, Christoffer Hallstensen, Rebin Stenvi and Made Ziius from Gjøvik University College

In this paper we investigate into extracting logs from apps and Android system for correlation and graphically display them in the form of a timeline, while preserving the terms of forensic soundness and integrity. The paper is based on experiments done by the group members on different of devices and different applications.

STEP BY STEP ANALYSIS OF FACEBOOK AND TWITTER DATA ON ANDROID DEVICES
by Massimo Barone

The growth of social networks is heavily influenced by the burgeoning numbers of smartphones which allow access to these platforms at any time and from any place. A recent study published by Mashable shows that across all the social networking platforms, including Facebook and Google+, it is Twitter that holds the crown for the fastest growing number of active users.

HOW TO PERFORM FORENSIC ANALYSIS ON IOS OPERATING AND FILE SYSTEMS
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso

With Apple Operation System (iOS) design and the large amount of storage space available, records of emails, text messages, browsing history, chat, map searching, and more are all being kept. With the amount of information available to forensic analysts on iOS, this article will cover the basics to accurately retrieve evidence from this platform and build forensically analysis when applicable. Once the image logically, via backup or physically has been obtained, files of interest will be highlighted for a forensic examiner to review.

HOW TO PERFORM SEARCHES, SEIZURES AND INCIDENT RESPONSES ON IPHONES
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso

iPhones collect and store a tremendous amount of evidence about a user’s activities. In many cases one could argue more evidence is collected than the user may want. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on iPhones storage media, many with time stamped data. With this forensic evidence available, and more business being conducted on iPhones, forensic examiners need to be able to successfully and accurately acquire this evidence when requested by authorized authority. By utilizing proven, existing forensic techniques along with specialty tools mentioned in this paper, examiners can collect and present evidence from an iPhone. This evidence can then produce a clear report of the activities performed on the device.

STEP BY STEP GUIDE FOR IOS FORENSICS
by Nipun Jaswal

The world is crazy about apple devices, the rise of apple iOS has lead to making life of individuals stylish as well as comfortable, but high tech crimes may involve devices which run on iOS, now when this situation arises, a forensic analyst must be comfortable with carrying out forensic investigations on such devices, by doing forensic investigation of ios devices, our motive is to analyse data regarding calls, messages, logs, memory, files etc.

IOS MOBILE DEVICE FORENSICS FOR BEGINNERS
by NCIS Solutions Team

What we are hoping to do is give an overview to any new mobile device forensicators on how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices. For instance, if our ‘Red Team’ is tasked by a client, to run a full security assessment at their residence or business address. The techniques shown in this article can also be added and run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.

DEMYSTIFYING IOS – STEP BY STEP GUIDE FOR IPHONE HACKING
by Omkar Prakash Joshi CEH, CHFI, ECSA/LPT, ISO27001, Cyber Forensics Investigator

Nowadays, use of mobile devices has raise in this world. And most of users are using iPhones. So in this I am going to introduce jailbreaking concepts. Moreover, I will explain how to do runtime analysis on iOS applications, forensic analysis on iPhone backups, exploit iPhone devices also backdoor concepts regarding iOS devices.

WINDOWS PHONE 7/8 (WP7) DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES
by Dr. Roffeh Ehud, International Law Expert in Electronic Evidence

One of the central problems involving technology and legal proceedings is the reliability of evidence presented to the court. This question is made more relevant due to the fact that rapid technological changes make previous legal precedents irrelevant. In other words, the same technology is no longer used to reinforce evidence as this is not the equivalent forensic tool used to extract digital evidence from the new device. Furthermore, the same forensic tool that was evaluated in the past and was found to be reliable with regard to the digital evidence it presents, must now undergo far reaching change in order that it be capable of copping with new technologies. This leads us to the issue as to whether the evidence presented to the court represents the actual events and/or if is it possible to rely absolutely on the evidence.

SIM CARD FORENSICS
by Apurva Rustagi

This article introduces the file-system implemented in Subscriber Identity Module (SIM) cards and the collection of data contents that might be helpful in a forensic investigation. The author, also, provides programming code that is designed to extract some of the important data such as Short Message Service (SMS) traffic and contact information from the SIM Card. A data extraction application would be written in ANSI C.

UNDERSTANDING SIM CARD FORENSICS
by Rohit Shaw

The SIM (subscriber identity module) is a fundamental component of cellular phones. It’s also known as an integrated circuit card (ICC), which is a microcontroller-based access module. It is a physical entity and can be either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A SIM can be removed from a cellular handset and inserted into another; it allows users to port identity, personal information, and service between devices. All cell phones are expected to incorporate some type of identity module eventually, in part because of this useful property.

SQL: 

HOW TO SECURE MICROSOFT SQL SERVER LOGINS USING INDUSTRY BEST PRACTICES
by Denny Cherry

Microsoft SQL Server is a large and fairly complex platform, like all mature database platforms. While it is a simple platform to install it unfortunately has a history of not being the most secure platform by default. Thankfully over the years Microsoft has made great strides to secure the database platform by default, but there is still plenty ofopportunity to install the platform in a less than secure environment.

HOW TO ENCRYPT CONNECTIONS TO A SQL SERVER DATABASE ENGINE
by Denny Cherry

Getting started with SSL in SQL Server can be a little bit of a daunting task as you’ll need to know how to get an SSL Certificate from your certificate authority as well as have an understanding of how SSL in general works. As we begin this article we will start by showing how to generate a CSR which will be needed to get the actual certificate.

TUNING SQL SERVER FOR SHAREPOINT
by Utsab Chattopadhyay

As DBA, we are very much responsible to ensure that SharePoint Environment of our corporations is always performing at it’s best. In this article, I will share some recommendations from my experience which will ensure that the SQL Server part of SharePoint Solutions is properly tuned for best performance.

HOW TO DESIGN DATABASES WITH OBSUCRITY IN SQL SERVER
by Grant Koeneke

There are many different ways to design and create databases. Now there are even several different platforms beyond just the Relation Database Management Systems (RDBMS). Add on top of this thought that there are many different reasons for using or not using one or many of these platforms to create a system and it can be quite confusing. A few of the tools we will be talking about in this discussion are SQL Server as an RDBMS, MongoDB as a NoSQL database platform and Redis as an in-memory database system.

HOW TO USE EXTENDED EVENTS TO IDENTIFY THE TOP CONSUMING QUERIES (IN A READTRACE STYLE)?
by Guillaume Kieffer

In this article I will focus on showing how to get the top consuming queries using a XEvent trace. Its old style equivalent would be to collect a profiler trace using SQLDiag for example and then Readtrace. All the scripts that will follow work with SQL Server 2012.

HOW TO KEEP SENSITIVE ECOMMERCE DATA IN MS SQL SERVER FROM BEING READ BY SIMPLE QUERIES
by Stephen Thomas

In this new digital era with cyber attack after cyber attack we must take counter measures to protect sensitive data in our eCommerce web sites. For those of us who use Microsoft ‘s powerful SQL server database to store our sensitive eCommerce data including but not limited to credit card information, copyrighted media, official documents, etc., we have many suitable options available to us to secure sensitive data by encryption. This article will reveal to you several encryption options available to you in SQL Server, explain the difference between them, and give some practical code examples for using them.

BLIND INJECTION – DBV5. STEP BY STEP
by Vidit Baxi

It’s a unique type of injection used by hackers when website does not respond to the queries and does not generate any error. This type of injection can be applied to the database version 5 or above 5.

SQL SERVER PERFORMANCE COUNTERS – POWERSHELL
by Chris Kitchen

The purpose of this article is to discuss at a high level a simple PowerShell application which collects useful Windows Performance Monitor Counters for highlighting potential performance issues. The article then goes on to discuss each of the counters in greater detail along with range values to look for.

SQL SERVER DATA ENCRYPTION & ACCESS
by Chris Kitchen

The purpose of this article is to discuss at a high level, some of the available options for encrypting and restricting access to data held within a Sql Server database. It describes a number of available options and also looks at some of the advantages and limitations of each from a technical perspective.