February 2009 Archives

Subscriber information no longer private in Canada

I read this article at National Post recently, and as it doesn't seem to have flooded all over the other security blogs, I thought I'd link to it here. The article tells the story of a Canadian judge who ruled that "one's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state" in the light of a child exploitation investigation where the police requested an internet subscriber's name and address based on an IP address without a search warrant.

Somehow I'm not sure what to think about this. On one side, it seems scary that this information can be obtained without a warrant. But on the other hand, I also tend to agree with the arguments of one of the attorneys saying that "the matching of an IP address to a name and address is similar to using a phone book" to match phone numbers to names and addresses. I think people should begin to accept that the Internet is a public place. Don't get me wrong, I wouldn't agree with getting any more information than a name and address, such as sniffing traffic or listing visited websites and the like, but matching names to numbers: I don't see the harm in that.

Lunascape's interesting bits and pieces

There's a new kid on the browser block, and its name is Lunascape. I've been playing around with this relatively new browser a bit, and have to say I quite like it. But this post isn't about the use of Lunascape. Because Lunascape imports many of its settings from IE and Firefox, I was curious whether it uses its own location to store settings and data (think: cookies and other forensic artifacts) or whether it just throws everything into IE's and Firefox's directories.

A quick search on my hard disk for 'lunascape' reveals that a new directory named Lunascape was created in my user account's Application Data folder, with a subdirectory Lunascape5. Some interesting information can be found here, such as:

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\rebar.bmp
This one seems pretty odd. It appears to me that this is a screenshot of Lunascape's title bar taken at the moment the browser is closed. It seems to be updated every time the browser is closed, so it's not a 'default' image. As you can see below, useful information such as the last entered URL can be seen this way, and possibly a search term if the search bar was used.


C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\Profile\Favorite
Contains three files (linked to the three default Lunascape profiles) listing the RSS feeds subscribed to.

When using the Gecko engine, some more locations exist with useful data:

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\userprefs.js
I expected this file would contain the user preferences for the Gecko engine, but it seems to be a default file. The real preferences are stored one directory up in the chain, in C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\userprefs.js. It contains information such as the homepage and which proxy is to be used.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\signons.sqlite
In this file the user's stored passwords and their respective websites can be found. The username and password fields are encrypted, but at least you can see which websites are known and used by the user.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\cookies.sqlite
This SQLite database is used to store cookie information.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\Cache
This directory seems like a mashup of cached data. I'm not sure what format it is in, but most of the files contain URLs of websites visited, while others start with JFIF when viewed in an editor, so images might be in there as well.

When the Trident (IE) engine is used, it seems the cookies are stored in the default IE cookies directory. So there's no possibility to distinguish between cookies coming from IE and those coming from Lunascape.

Looking through the Windows registry, at first sight I don't find too much interesting information about Lunascape. The only thing that might be useful is the HKCU\Software\Lunascape Corporation\Lunascape5\General\SettingRootFolder key, as it points to the location where the user's Lunascape profile is stored. Because Lunascape allows the user to manage his profile, and thus store it in a different location, this key is the place to look when the files listed above are not in the default directory.
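A small triage script for the Gecko-side artifacts listed above, added here as an example and not part of the original post. It takes the ...\Lunascape5\ApplicationData\gecko directory as input; the moz_cookies / moz_logins table names and the JFIF magic check are my assumptions about the Firefox 3-era formats Lunascape's Gecko engine appears to use, and the sample profile it builds is constructed data, not a real one.

```python
import os
import sqlite3
import tempfile
# Added example, not the post's code. Assumes the Firefox 3-era moz_cookies / moz_logins tables.

def query(db_path, sql):
    con = sqlite3.connect(db_path)           # read-only use: open, fetch, close
    rows = con.execute(sql).fetchall()
    con.close()
    return rows

def cookie_hosts(gecko_dir):
    """Cookie hosts, most recently accessed first (lastAccessed is a microsecond timestamp)."""
    rows = query(os.path.join(gecko_dir, "cookies.sqlite"),
                 "SELECT host, MAX(lastAccessed) FROM moz_cookies GROUP BY host ORDER BY 2 DESC")
    return [host for host, _ in rows]

def login_sites(gecko_dir):
    """Sites with saved credentials; only hostname is read, the encrypted fields stay untouched."""
    return [h for (h,) in query(os.path.join(gecko_dir, "signons.sqlite"),
                                "SELECT hostname FROM moz_logins ORDER BY hostname")]

def jfif_cache_files(gecko_dir):
    """Cache entries that start with the JPEG SOI marker and a JFIF APP0 segment."""
    cache = os.path.join(gecko_dir, "Cache")
    hits = []
    for name in sorted(os.listdir(cache)):
        with open(os.path.join(cache, name), "rb") as fh:
            head = fh.read(10)
        if head[:3] == b"\xff\xd8\xff" and head[6:10] == b"JFIF":
            hits.append(name)
    return hits

def build_sample_profile():
    """Constructed sample profile in a temp dir; only the queried columns are modelled."""
    gecko = os.path.join(tempfile.mkdtemp(), "gecko")
    os.makedirs(os.path.join(gecko, "Cache"))
    con = sqlite3.connect(os.path.join(gecko, "cookies.sqlite"))
    con.execute("CREATE TABLE moz_cookies (name TEXT, host TEXT, lastAccessed INTEGER)")
    con.executemany("INSERT INTO moz_cookies VALUES (?,?,?)",
                    [("sid", ".example.org", 1000), ("tk", ".example.com", 2000)])
    con.commit(); con.close()
    con = sqlite3.connect(os.path.join(gecko, "signons.sqlite"))
    con.execute("CREATE TABLE moz_logins (hostname TEXT, encryptedUsername TEXT, encryptedPassword TEXT)")
    con.execute("INSERT INTO moz_logins VALUES ('https://mail.example.org', 'ENC', 'ENC')")
    con.commit(); con.close()
    for name, data in (("sample_d01", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"), ("sample_url", b"http://www.example.com/")):
        with open(os.path.join(gecko, "Cache", name), "wb") as fh:
            fh.write(data)  # constructed entries: one JPEG header, one URL record
    return gecko
```

On a real profile, copy the gecko directory to a working location first and point the three functions at the copy, so the original SQLite files are never opened for writing.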

Working in InfoSec and the principles you should know about

While having my daily shot of RSS feeds this morning, I came across the Securology blog and an excellent post I found there. It explains why NOT to get a job in Information Security, and attempts to convince the reader to think again about whether InfoSec really is what they want. Although I honestly don't agree with everything they write, it does have a layer of truth underneath it: if you are drawn to it because of the salaries, don't do it.

Thanks to said blog post I also got to know the Peter Principle, of which I hadn't heard before. It made me smile, as again I can quite agree with it. For your information, according to Wikipedia, it basically is the principle that "In a Hierarchy Every Employee Tends to Rise to His Level of Incompetence." It holds that in a hierarchy, members are promoted so long as they work competently. Sooner or later they are promoted to a position at which they are no longer competent (their "level of incompetence"), and there they remain. Peter's Corollary states that "in time, every post tends to be occupied by an employee who is incompetent to carry out his duties" and adds that "work is accomplished by those employees who have not yet reached their level of incompetence".

As yearly performance reviews are currently in progress in my company, I forwarded the explanation of the principle to some colleagues who didn't get their review yet. You know, might help them to convince the boss, right? ;) Apparently there's another principle that could be even more relevant, namely the Dilbert Principle. Again according to Wikipedia (I know, I should learn to use better sources!), the Dilbert Principle claims that incompetent employees are intentionally promoted to prevent them from doing harm (such as reducing product quality, offending customers, offending employees, etc.). It draws upon the idea that in certain situations, the upper echelons of an organization can have little relevance to the actual production, and the majority of real, productive work in a company is done by people lower in the power ladder.

Must be a very satisfying job to work in a company that 'implements' both principles!

Forensic tool testing

I finally found some time to start testing forensic tools, and the first thing coming to mind would be to download Helix and just dive into it. So off to the e-fense website I go, only to be greeted by the fact that Helix is now no longer free :( A previous version is still available for download here, but newer versions are to be purchased from now on.

Oh what to do, what to do without Helix! No worries, however great Helix was, some other forensic LiveCDs exist that might be worth the try.

To begin with, there's the FCCU GNU/Linux Forensic Boot CD, created by the Belgian Federal Computer Crime Unit (FCCU). For some reason, Autopsy always seemed to work better for me on this LiveCD than it did on Helix, but then again I probably just did something wrong :) It contains a whole lot of apps that were also available on Helix, plus a bunch of scripts written by the FCCU themselves.

Probably the best alternatives would be DEFT Linux and Farmer's Boot CD. I haven't tried either one of them yet myself, but both look very nice.

Some more exist, such as Penguin Sleuth, FIRE and Snarl, but they don't seem to be updated anymore.

One could also turn to BackTrack, STD or nUbuntu. Even though these are intended for penetration testers, they do have a small variety of forensic tools as well.

I guess there's plenty of forensic tool testing waiting for me!

Book about 419-fraud to be released

The Dutch police will release a book this year named "Mountains of gold", discussing the Nigerian 419-frauds. It will discuss the history of this type of fraud, how it works, the victims, and how law enforcement can approach this problem. A summary and overview of the chapters is available here.

New SANS forensics courses to be launched

Rob Lee announced on the SANS forensics blog that three new forensics-related courses will be released at SANSFIRE 2009. Like probably everywhere at the moment, training budgets are getting tighter by the minute, and unfortunately it's not very likely I'll be attending any of these courses any time soon. If, however, someone feels the urge to sponsor an infosec professional looking for a career change into digital forensics (hint, hint), don't hesitate to contact me :)

SEC 408 Forensic and E-Discovery Forensics:
Written for individuals who are new to computer forensics. The course will use EnCase and FTK as the primary tools, focusing on traditional crimes that can be solved with computer forensics.

SEC 558 Network Forensics:
Network equipment such as web proxies, firewalls, IDS, and routers often contain evidence that can make or break a case. By capturing evidence from network-based devices, evidence can be recovered that does not even exist on endpoint hard drives.

SEC 606 Drive and Data Recovery Forensics:
Recovering data from dead hard drives, damaged hard drives and corrupt file systems. This course will teach content from the professional data recovery world, merging it with information from the forensics world, allowing you to maintain best evidence and recover the content you need.

Also don't forget about the other SANS forensic courses, which I'm sure all complement the new courses very well:

SEC 508 Computer Forensics, Investigation, and Response
SEC 427 Browser Forensics
SEC 526 Advanced Filesystem Recovery and Memory Forensics
SEC 547 Macintosh, iPod and iPhone Forensics
