executive summary
In this issue we take our readers a step beyond cyber security into cyber and digital forensics. In today's high-tech world a wide variety of computer crimes take place, at small scale as well as large. The loss they cause depends on the sensitivity of the data or information the crime was committed for, so computer forensics has become a vital part of the corporate world.
The days when criminals used only guns and other physical weapons to commit a crime are gone. Today a mobile phone connects lives and runs businesses, and the same phone is used to commit crimes, so it is next to impossible to predict who the actual criminal is when everyone carries the same weapon, a phone, in their pocket. Someone carrying an unlicensed gun can be declared a criminal, but what if billions of people carry the same digital weapon?
At CCFIS we have faced and solved several forensics cases that could not be solved with traditional, predefined forensic technologies and protocols. Sometimes forensics is more a matter of research and behavioural analysis.
Online complaint portal
Most of the time we do not want to tell anyone about a cybercrime that happened to us, which is why such cases remain unsolved and the culprits are encouraged to repeat them. To preserve anonymity and get these cases resolved we started eProtect, initially for students and staff of the Amity Education Group.
eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case, from a cyber-harassment incident on social media to online fraud. Once a complaint is registered, the CCFIS incident response team is notified and acts to resolve it in the minimum possible time.
Recovering & decrypting deleted conversations

WhatsApp Messenger is a cross-platform mobile messaging app that lets you exchange messages without paying for SMS. Most of us use WhatsApp to communicate with our loved ones.
We recently seized a mobile phone during an investigation. On analysing it we found that the user had already deleted all conversations. WhatsApp, however, keeps a database of all conversations, and that file stays on the phone even after the conversations themselves are deleted, because deleting a conversation inside the app does not wipe the underlying database records. We first tried to recover the messages from the database, but the user had been smart enough to delete the database files too.
Finally we ran a mobile data recovery procedure on the device to get the WhatsApp database files back. They were recovered, but in encrypted form. At the final stage our research and development team worked out the encryption scheme and developed in-house tools to decrypt the messages.
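To show why deleting conversations inside an app is not enough, here is an added example (our own, not the CCFIS decryption tool and not WhatsApp's real database layout) built on a constructed SQLite chat table. Two rows are deleted through SQL; the live table no longer returns them, yet a raw scan of the file bytes still finds their text, because SQLite only unlinks deleted cells from the page unless the secure_delete pragma is on. The table name, the messages and the file names are assumptions made for the example.

```python
"""Deleted chat rows: what the live table shows vs. what the raw file still holds."""
import os
import sqlite3
import tempfile

# Constructed sample conversation (not from any real device).
SAMPLE_MESSAGES = [
    ("alice", "Meet at the usual place at 9"),
    ("bob", "Bring the USB stick, DELETEME-token-7f3a"),
    ("alice", "Delete this thread afterwards, DELETEME-token-9c1d"),
    ("bob", "Ok see you"),
]
# Rows 2 and 3 are the ones the "user" deletes inside the app.
DELETED_IDS = (2, 3)


def build_and_delete(path, secure_delete):
    """Create a chat table, insert the sample rows, then delete two of them.

    secure_delete=False mirrors SQLite's default behaviour: the deleted cells
    are only unlinked from the page's cell index and their bytes stay in the
    file.  secure_delete=True makes SQLite zero the freed cell bytes instead.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(peer, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    con.commit()
    placeholders = ",".join("?" * len(DELETED_IDS))
    con.execute("DELETE FROM messages WHERE id IN (%s)" % placeholders, DELETED_IDS)
    con.commit()
    con.close()


def live_bodies(path):
    """What the application (or a plain SQL query) still sees."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def carve_remnants(path, markers):
    """Ignore the SQLite structure and scan the raw file bytes for each marker."""
    with open(path, "rb") as f:
        blob = f.read()
    return [m for m in markers if m.encode() in blob]


def run_demo():
    """Run both variants and return {label: {"live": [...], "carved": [...]}}."""
    deleted_markers = [body for i, (_, body) in enumerate(SAMPLE_MESSAGES, start=1)
                       if i in DELETED_IDS]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, secure in (("default", False), ("secure_delete", True)):
            path = os.path.join(d, "msgstore_%s.db" % label)  # assumed file name
            build_and_delete(path, secure)
            results[label] = {
                "live": live_bodies(path),
                "carved": carve_remnants(path, deleted_markers),
            }
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, "live:", r["live"], "carved:", r["carved"])
```

With the default setting the two deleted messages are gone from the query result but present verbatim in the file; with secure_delete on they are zeroed and the carve finds nothing. A practitioner should also remember that the rollback journal or WAL file next to the database can hold further copies of deleted rows, which is why the whole device image, not just the .db file, is worth searching.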
biometric fraud
Employee attendance system fraud & RFID trick

Biometric attendance devices are used in almost every office. Every morning we punch our card and fingerprint before starting work, and repeat the same every day. But what if the data in these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model: whenever an RFID-enabled card is punched together with a fingerprint, the device compares the data against the enrolment database and authenticates the user. Once the user is verified, an entry is written to the ERP system's database recording that this user punched at that timestamp.
Recently we resolved a biometric fraud case in which none of the traditional forensic methodologies worked. Every day over 800 employees used the biometric attendance system before starting work. The data from all 10 biometric devices was saved in one central database, from which it was fed into the organisation's ERP and to departments such as HR and accounts. The system administrators had set up rules to take an automated backup of the database every day.
Management later decided to have a forensic investigation into the issue, and the case was handed over to the CCFIS team for analysis. Initially we tested all the biometric devices and found that everything was normal. We then compared the live and backup databases manually, and the data matched everywhere. We also found that a few entries had been deleted from both the live and the backup database. After recovering those deleted records we realised that an administrator who was on close terms with an employee had written several SQL scripts to manipulate both the live and the backup database. Comparing the live copy against a backup cannot reveal tampering when the same privileged account can edit both, and a backup taken from an already manipulated database simply preserves the manipulation; it was the recovered deleted rows that exposed it. The issue was resolved, management was informed and the employee was dismissed.
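An added example of the kind of check that would have exposed the tampering described above; it is not the organisation's attendance system and the SQL statements are not the scripts from the case. Each punch is stored with a SHA-256 link to the previous row, and the latest link (the head) is handed to a party the database administrator cannot reach, such as the HR department or the device itself. Whoever holds the head can then recompute the chain over the central database, or over any backup of it, and find the first row that no longer fits. The table layout, the punch records and the tampering statements are constructed for the example.

```python
"""Hash-chained attendance log: detect deleted or edited punches."""
import hashlib
import sqlite3

# Constructed punch events (card, device, timestamp); not data from the case.
SAMPLE_PUNCHES = [
    ("C1001", 1, "2014-03-03 09:02:11"),
    ("C1002", 1, "2014-03-03 09:05:40"),
    ("C1001", 3, "2014-03-03 18:10:05"),
    ("C1002", 3, "2014-03-03 18:12:30"),
]
GENESIS = "genesis"  # fixed starting value for the chain


def link_hash(prev_hash, seq, card_id, device_id, ts):
    """Hash of this punch bound to the hash of the previous one."""
    payload = "%s|%d|%s|%d|%s" % (prev_hash, seq, card_id, device_id, ts)
    return hashlib.sha256(payload.encode()).hexdigest()


def open_db():
    """In-memory stand-in for the central attendance database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE punches(seq INTEGER PRIMARY KEY, card_id TEXT, "
                "device_id INTEGER, ts TEXT, chain TEXT)")
    return con


def append_punch(con, card_id, device_id, ts):
    """Append one punch; returns the new head, to be kept outside the admin's reach."""
    row = con.execute("SELECT seq, chain FROM punches ORDER BY seq DESC LIMIT 1").fetchone()
    prev_seq, prev_hash = row if row else (0, GENESIS)
    seq = prev_seq + 1
    chain = link_hash(prev_hash, seq, card_id, device_id, ts)
    con.execute("INSERT INTO punches VALUES (?, ?, ?, ?, ?)",
                (seq, card_id, device_id, ts, chain))
    con.commit()
    return chain


def verify_chain(con, expected_head):
    """Return (True, None) if every row fits, else (False, first suspicious seq).

    A gap in seq means a deleted row, a link mismatch means an edited row, and a
    head mismatch means rows were removed from the end or the chain was rebuilt.
    """
    prev_seq, prev_hash = 0, GENESIS
    cur = con.execute("SELECT seq, card_id, device_id, ts, chain FROM punches ORDER BY seq")
    for seq, card_id, device_id, ts, chain in cur:
        if seq != prev_seq + 1:
            return False, prev_seq + 1
        if link_hash(prev_hash, seq, card_id, device_id, ts) != chain:
            return False, seq
        prev_seq, prev_hash = seq, chain
    if prev_hash != expected_head:
        return False, prev_seq + 1
    return True, None


def run_scenario(tamper_sql=None, params=()):
    """Load the sample punches, optionally run an illustrative manipulation, verify."""
    con = open_db()
    head = GENESIS
    for punch in SAMPLE_PUNCHES:
        head = append_punch(con, *punch)
    if tamper_sql:  # what an administrator with direct SQL access might run
        con.execute(tamper_sql, params)
        con.commit()
    return verify_chain(con, head)


if __name__ == "__main__":
    print("untouched:", run_scenario())
    print("row deleted:", run_scenario("DELETE FROM punches WHERE seq = 3"))
    print("timestamp edited:", run_scenario("UPDATE punches SET ts = ? WHERE seq = 2",
                                            ("2014-03-03 08:55:00",)))
```

An administrator who can edit the table can of course also rewrite every chain value, so the scheme only helps if the head is held somewhere that account cannot touch; otherwise it degrades to exactly the situation in the case, where the live and backup copies agreed with each other and both were wrong.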
We thought that was the end of the investigation. But the problem started again when, on one busy day, a biometric device stopped working and all the employees stood in line waiting to punch their cards, causing chaos. The vendor was called again; they checked everything and blamed the CCFIS forensics team, claiming we had done something to the devices. The CCFIS team visited the premises again to investigate. We found that a small sticker-type RFID tag had been pasted on the side of the biometric device. Whenever anyone tried to punch a card, the reader was busy reading that hidden tag instead, and the sticker was so small that nobody had noticed it.
After removing the RFID sticker everything went back to normal and the system read and processed all the cards again. Unfortunately such stickers are very cheap and anyone can buy them; some mobile phones even come with free RFID stickers for customers to customise as they wish.
We all know about the CryptoLocker malware, which encrypts all documents on an infected system. The variant discussed here is not the original: the Trojan encrypts data on the affected computer and switches the extensions of the affected files to .cryptolocker afterwards. It uses a weaker encryption method than the original CryptoLocker, so it is possible that experts may be able to regain access to the locked files, but this will not be an option for most infected users.
We recently handled and solved a case of a server infected by CryptoLocker. The user's entire server was infected and all documents hosted on it were corrupted. Even the document files hosted on the company's website and FTP server were affected, and the affected documents then spread internally through FTP and to the outside world through the company's website. Every time the administrator tried to decrypt a document, an alert was generated and the application demanded money to decrypt the files. The server was infected for the following reasons:
- The administrator was browsing malicious sites on the server to download torrents and other material.
- The administrator had not installed an ad-blocker to block malicious advertisements.
- The administrator clicked on a lucrative-looking advertisement that interested him and followed its instructions.
CryptoLocker can infect not only servers but also your own systems; in a recent blog post the malware authors reportedly stated that they were already working on a CryptoLocker for Android and other handheld devices.
To resolve this case we tried many traditional techniques, but as this version of CryptoLocker worked differently, none of them succeeded. We then realised that the tool had deleted the original files and created, for every document hosted on the server, a duplicate file with the same name and a .cryptolocker extension. So even if the administrator had paid the ransom, he might not have got the original documents back.
Our forensics team started data recovery of the deleted files, and since the hard disk was in good condition all the original documents were recovered. Recovery of this kind depends on the blocks of the deleted originals not having been overwritten, so the disk should be imaged before anything else is written to it. Unfortunately the administrator had to format his server, but the documents were saved.
The same thing can happen to any of us, and in most cases tools like CryptoLocker demand money to unlock the documents. Most of us think the amount demanded is small compared with the value and importance of the documents, and pay. But these tools do not come from trustworthy sources, and there is no guarantee that the user will get all his documents back even after paying. The same scenario applied to the administrator of this company.
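An added illustration (not the recovery tool used in the case) of why the originals could be carved back: a toy block device with a free-block bitmap, a stand-in XOR cipher in place of the malware's real encryption, and a carver that looks only at unallocated blocks for a PDF header and trailer. It also shows the two outcomes the caveat above depends on: a ransomware that overwrites in place leaves nothing to carve, and writing to the disk after the unlink destroys the remnants. The disk layout, file contents and key are constructed assumptions.

```python
"""Unlink-and-rewrite vs. overwrite-in-place, seen from a file carver."""
BLOCK = 64
HEADER, FOOTER = b"%PDF-", b"%%EOF"   # real PDF magic, used as carving signatures
# Constructed document; the stream text is made up for the example.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              b"2 0 obj << /Length 44 >> stream\n"
              b"BT /F1 12 Tf (Q2 revenue: constructed sample) Tj ET\n"
              b"endstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF")
KEY = b"not-the-real-key"  # assumed key for the stand-in cipher


class ToyDisk:
    """Flat block device: data array, free-block bitmap, name -> (blocks, size) table."""

    def __init__(self, nblocks=32):
        self.data = bytearray(nblocks * BLOCK)
        self.free = [True] * nblocks
        self.files = {}

    def _alloc(self, nb):
        for start in range(len(self.free) - nb + 1):  # first-fit contiguous run
            if all(self.free[start:start + nb]):
                return list(range(start, start + nb))
        raise OSError("disk full")

    def _write_blocks(self, blocks, content):
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
            self.free[b] = False

    def write_file(self, name, content):
        blocks = self._alloc(max(1, (len(content) + BLOCK - 1) // BLOCK))
        self._write_blocks(blocks, content)
        self.files[name] = (blocks, len(content))

    def read_file(self, name):
        blocks, size = self.files[name]
        return bytes(b"".join(self.data[b * BLOCK:(b + 1) * BLOCK] for b in blocks)[:size])

    def unlink(self, name):
        """Like most filesystems: only the metadata changes, the data blocks stay."""
        for b in self.files.pop(name)[0]:
            self.free[b] = True

    def overwrite_in_place(self, name, content):
        blocks, size = self.files[name]
        assert len(content) == size
        self._write_blocks(blocks, content)


def xor_encrypt(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ransom_copycat(disk, name, key):
    """Pattern from the case: write a new .cryptolocker file, then delete the original."""
    disk.write_file(name + ".cryptolocker", xor_encrypt(disk.read_file(name), key))
    disk.unlink(name)


def ransom_inplace(disk, name, key):
    """The alternative: encrypt the original's own blocks, then rename it."""
    disk.overwrite_in_place(name, xor_encrypt(disk.read_file(name), key))
    disk.files[name + ".cryptolocker"] = disk.files.pop(name)


def carve_unallocated(disk):
    """Scan free blocks only; on a header, follow consecutive free blocks to the footer."""
    found, b, n = [], 0, len(disk.free)
    while b < n:
        if disk.free[b] and disk.data[b * BLOCK:b * BLOCK + len(HEADER)] == HEADER:
            buf, e = bytearray(), b
            while e < n and disk.free[e]:
                buf += disk.data[e * BLOCK:(e + 1) * BLOCK]
                end = buf.find(FOOTER)
                if end != -1:
                    found.append(bytes(buf[:end + len(FOOTER)]))
                    break
                e += 1
            b = e + 1
        else:
            b += 1
    return found


def run_scenarios():
    results = {}
    d = ToyDisk()
    d.write_file("report.pdf", SAMPLE_PDF)
    ransom_copycat(d, "report.pdf", KEY)
    results["unlink_then_rewrite"] = carve_unallocated(d)      # original recoverable
    d.write_file("notes.txt", b"rebuilding the server")         # admin keeps using the disk
    results["after_further_writes"] = carve_unallocated(d)      # header block reused
    d2 = ToyDisk()
    d2.write_file("report.pdf", SAMPLE_PDF)
    ransom_inplace(d2, "report.pdf", KEY)
    results["overwrite_in_place"] = carve_unallocated(d2)       # nothing left to carve
    return results


if __name__ == "__main__":
    for label, docs in run_scenarios().items():
        print(label, "->", len(docs), "document(s) carved")
```

On a real filesystem the same logic is applied to the unallocated clusters of a forensic image with a signature-based carver; the point the example isolates is that only the first behaviour leaves anything to find, and only until the freed blocks are reused.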
Following are some recommendations to avoid this type of malware or ransomware:
· Instead of using Internet Explorer as your default browser, use Chrome or Firefox. If your company policy forces you to use Internet Explorer, use the latest updated version.
· Avoid clicking on lucrative-looking advertisements. For better protection, install an ad-blocking plugin in your browser.
· Install genuine anti-virus software and keep it updated to avoid this type of malware.
· Also, no matter how secure your computer is, if you are not aware you cannot stop this type of malware from infecting it, as there is always a cat-and-mouse game between malware and anti-virus.
intelligence gathering
Tracking Pakistan Haxor Crew
Recently a site was hacked and the attack was claimed by a hacktivist group called Pakistan Haxor Crew. The case was brought to us for investigation. We began by analysing the server logs and retrieved a number of IP addresses from which the site had received XSS, SQL injection, null-byte, brute-force and many other active attacks intended to take it down. After analysing and tracing the IPs we found that none of them belonged to the attacker: multiple proxies and the Tor anonymising software had been used to carry out the attacks. So we were unable to trace the actual culprit with the data available.
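The log triage described above, as an added example that is not CCFIS's own tooling: constructed Apache combined-format lines are matched against simple signatures for SQL injection, XSS and null-byte injection, failed login POSTs are counted per source address to flag brute force, and each offending address is checked against an anonymiser list. The log lines, the threshold and the anonymiser set are assumptions; in practice the set would be built from the Tor Project's published exit-node list and known open-proxy feeds, which the example does not fetch.

```python
"""Web log triage: attack signatures per source IP, plus an anonymiser check."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Deliberately simple signatures, applied to the URL-decoded path.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1|sleep\(\d+\)|--\s*$)")),
    ("xss", re.compile(r"(?i)(<script|javascript:|onerror\s*=)")),
    ("nullbyte", re.compile(r"\x00")),  # %00 becomes a NUL after unquote()
]

# Constructed log lines using documentation address ranges; not a real server's log.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [12/Mar/2014:10:01:02 +0530] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Mar/2014:10:01:05 +0530] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812',
    '198.51.100.23 - - [12/Mar/2014:10:02:11 +0530] "GET /download.php?file=../../etc/passwd%00.pdf HTTP/1.1" 404 210',
    '192.0.2.10 - - [12/Mar/2014:10:03:00 +0530] "GET /about.html HTTP/1.1" 200 3301',
] + [
    '198.51.100.23 - - [12/Mar/2014:10:04:%02d +0530] "POST /admin/login.php HTTP/1.1" 401 95' % s
    for s in range(1, 7)
] + [
    '192.0.2.10 - - [12/Mar/2014:10:05:00 +0530] "GET /contact.html HTTP/1.1" 200 1450',
])

# Assumed anonymiser addresses (Tor exits / open proxies) for the example.
SAMPLE_ANONYMISERS = frozenset({"203.0.113.7", "198.51.100.23"})


def triage(log_text, anonymiser_ips=frozenset(), brute_threshold=5):
    """Return one record per offending IP: its attack counts and whether it anonymises."""
    hits = defaultdict(lambda: defaultdict(int))
    failed_logins = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these too
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = unquote(m["path"])
        for name, rx in SIGNATURES:
            if rx.search(path):
                hits[ip][name] += 1
        if method == "POST" and "login" in path.lower() and status in (401, 403):
            failed_logins[ip] += 1
    for ip, n in failed_logins.items():
        if n >= brute_threshold:
            hits[ip]["bruteforce"] = n
    return [{"ip": ip, "attacks": dict(hits[ip]), "anonymiser": ip in anonymiser_ips}
            for ip in sorted(hits)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, SAMPLE_ANONYMISERS):
        print(rec)
```

The report is where attribution usually stops: every address with hits is in the anonymiser set, so the next step is correlating timing, user-agent strings and session behaviour rather than chasing the IPs themselves.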