
Tuesday, December 21, 2010

10 reasons why PCs crash U must Know

“Fatal error: The system has become unstable or is busy,” it says. “Enter to return to Windows or press Control-Alt-Delete to restart your computer. If you do this you will lose any unsaved information in all open applications.”
You have just been struck by the Blue Screen of Death. Anyone who uses Microsoft Windows will be familiar with this. What can you do? More importantly, how can you prevent it happening?

1 Hardware conflict

The number one reason why Windows crashes is hardware conflict. Each hardware device communicates to other devices through an interrupt request channel (IRQ). These are supposed to be unique for each device.
For example, a printer usually connects internally on IRQ 7. The keyboard usually uses IRQ 1 and the floppy disk drive IRQ 6. Each device will try to hog a single IRQ for itself.
If there are a lot of devices, or if they are not installed properly, two of them may end up sharing the same IRQ number. When the user tries to use both devices at the same time, a crash can happen. The way to check if your computer has a hardware conflict is through the following route:
* Start-Settings-Control Panel-System-Device Manager.
Often if a device has a problem a yellow ‘!’ appears next to its description in the Device Manager. Highlight Computer (in the Device Manager) and press Properties to see the IRQ numbers used by your computer. If the IRQ number appears twice, two devices may be using it.
Sometimes a device might share an IRQ with something described as ‘IRQ holder for PCI steering’. This can be ignored. The best way to fix this problem is to remove the problem device and reinstall it.
Sometimes you may have to find more recent drivers on the internet to make the device function properly. A good resource is www.driverguide.com. If the device is a soundcard, or a modem, it can often be fixed by moving it to a different slot on the motherboard (be careful about opening your computer, as you may void the warranty).
When working inside a computer you should switch it off, unplug the mains lead and touch an unpainted metal surface to discharge any static electricity.
To be fair to Microsoft, the problem with IRQ numbers is not of its making. It is a legacy problem going back to the first PC designs using the IBM 8086 chip. Initially there were only eight IRQs. Today there are 16 IRQs in a PC. It is easy to run out of them. There are plans to increase the number of IRQs in future designs.

2 Bad Ram

Ram (random-access memory) problems might bring on the blue screen of death with a message saying Fatal Exception Error. A fatal error indicates a serious hardware problem. Sometimes it may mean a part is damaged and will need replacing.
But a fatal error caused by Ram might be caused by a mismatch of chips. For example, mixing 70-nanosecond (70ns) Ram with 60ns Ram will usually force the computer to run all the Ram at the slower speed. This will often crash the machine if the Ram is overworked.
One way around this problem is to enter the BIOS settings and increase the wait state of the Ram. This can make it more stable. Another way to troubleshoot a suspected Ram problem is to rearrange the Ram chips on the motherboard, or take some of them out. Then try to repeat the circumstances that caused the crash. When handling Ram try not to touch the gold connections, as they can be easily damaged.
Parity error messages also refer to Ram. Modern Ram chips are either parity (ECC) or non parity (non-ECC). It is best not to mix the two types, as this can be a cause of trouble.
EMM386 error messages refer to memory problems but may not be connected to bad Ram. This may be due to free memory problems often linked to old Dos-based programmes.

3 BIOS settings

Every motherboard is supplied with a range of chipset settings that are decided in the factory. A common way to access these settings is to press the F2 or delete button during the first few seconds of a boot-up.
Once inside the BIOS, great care should be taken. It is a good idea to write down on a piece of paper all the settings that appear on the screen. That way, if you change something and the computer becomes more unstable, you will know what settings to revert to.
A common BIOS error concerns the CAS latency. This refers to the Ram. Older EDO (extended data out) Ram has a CAS latency of 3. Newer SDRam has a CAS latency of 2. Setting the wrong figure can cause the Ram to lock up and freeze the computer’s display.
Microsoft Windows is better at allocating IRQ numbers than any BIOS. If possible set the IRQ numbers to Auto in the BIOS. This will allow Windows to allocate the IRQ numbers (make sure the BIOS setting for Plug and Play OS is switched to ‘yes’ to allow Windows to do this).

4 Hard disk drives

After a few weeks, the information on a hard disk drive starts to become piecemeal or fragmented. It is a good idea to defragment the hard disk every week or so, to prevent the disk from causing a screen freeze. Go to
* Start-Programs-Accessories-System Tools-Disk Defragmenter
This will start the procedure. You will be unable to write data to the hard drive (to save it) while the disk is defragmenting, so it is a good idea to schedule the procedure for a period of inactivity using the Task Scheduler.
The Task Scheduler should be one of the small icons on the bottom right of the Windows opening page (the desktop).
Some lockups and screen freezes caused by hard disk problems can be solved by reducing the read-ahead optimisation. This can be adjusted by going to
* Start-Settings-Control Panel-System Icon-Performance-File System-Hard Disk.
Hard disks will slow down and crash if they are too full. Do some housekeeping on your hard drive every few months and free some space on it. Open the Windows folder on the C drive and find the Temporary Internet Files folder. Deleting the contents (not the folder) can free a lot of space.
Empty the Recycle Bin every week to free more space. Hard disk drives should be scanned every week for errors or bad sectors. Go to
* Start-Programs-Accessories-System Tools-ScanDisk
Otherwise assign the Task Scheduler to perform this operation at night when the computer is not in use.

5 Fatal OE exceptions and VXD errors

Fatal OE exception errors and VXD errors are often caused by video card problems.
These can often be resolved easily by reducing the resolution of the video display. Go to
* Start-Settings-Control Panel-Display-Settings
Here you should slide the screen area bar to the left. Take a look at the colour settings on the left of that window. For most desktops, high colour 16-bit depth is adequate.
If the screen freezes or you experience system lockups it might be due to the video card. Make sure it does not have a hardware conflict. Go to
* Start-Settings-Control Panel-System-Device Manager
Here, select the + beside Display Adapter. A line of text describing your video card should appear. Select it (make it blue) and press properties. Then select Resources and select each line in the window. Look for a message that says No Conflicts.
If you have video card hardware conflict, you will see it here. Be careful at this point and make a note of everything you do in case you make things worse.
The way to resolve a hardware conflict is to uncheck the Use Automatic Settings box and hit the Change Settings button. You are searching for a setting that will display a No Conflicts message.
Another useful way to resolve video problems is to go to
* Start-Settings-Control Panel-System-Performance-Graphics
Here you should move the Hardware Acceleration slider to the left. As ever, the most common cause of problems relating to graphics cards is old or faulty drivers (a driver is a small piece of software used by a computer to communicate with a device).
Look up your video card’s manufacturer on the internet and search for the most recent drivers for it.

6 Viruses

Often the first sign of a virus infection is instability. Some viruses erase the boot sector of a hard drive, making it impossible to start. This is why it is a good idea to create a Windows start-up disk. Go to
* Start-Settings-Control Panel-Add/Remove Programs
Here, look for the Start Up Disk tab. Virus protection requires constant vigilance.
A virus scanner requires a list of virus signatures in order to be able to identify viruses. These signatures are stored in a DAT file. DAT files should be updated weekly from the website of your antivirus software manufacturer.
An excellent antivirus programme is McAfee VirusScan by Network Associates ( www.nai.com). Another is Norton AntiVirus 2000, made by Symantec ( www.symantec.com).

7 Printers

The action of sending a document to print creates a bigger file, often called a postscript file.
Printers have only a small amount of memory, called a buffer. This can be easily overloaded. Printing a document also uses a considerable amount of CPU power. This will also slow down the computer’s performance.
If the printer is trying to print unusual characters, these might not be recognised, and can crash the computer. Sometimes printers will not recover from a crash because of confusion in the buffer. A good way to clear the buffer is to unplug the printer for ten seconds. Booting up from a powerless state, also called a cold boot, will restore the printer’s default settings and you may be able to carry on.

8 Software

A common cause of computer crashes is faulty or badly-installed software. Often the problem can be cured by uninstalling the software and then reinstalling it. Use Norton Uninstall or Uninstall Shield to remove an application from your system properly. This will also remove references to the programme in the System Registry and leave the way clear for a completely fresh copy.
The System Registry can be corrupted by old references to obsolete software that you thought was uninstalled. Use Reg Cleaner by Jouni Vuorio to clean up the System Registry and remove obsolete entries. It works on Windows 95, Windows 98, Windows 98 SE (Second Edition), Windows Millennium Edition (ME), NT4 and Windows 2000.
Read the instructions and use it carefully so you don’t do permanent damage to the Registry. If the Registry is damaged you will have to reinstall your operating system. Reg Cleaner can be obtained from www.jv16.org
Often a Windows problem can be resolved by entering Safe Mode. This can be done during start-up. When you see the message “Starting Windows” press F4. This should take you into Safe Mode.
Safe Mode loads a minimum of drivers. It allows you to find and fix problems that prevent Windows from loading properly.
Sometimes installing Windows is difficult because of unsuitable BIOS settings. If you keep getting SUWIN error messages (Windows setup) during the Windows installation, then try entering the BIOS and disabling the CPU internal cache. Try to disable the Level 2 (L2) cache if that doesn’t work.
Remember to restore all the BIOS settings back to their former settings following installation.

9 Overheating

Central processing units (CPUs) are usually equipped with fans to keep them cool. If the fan fails or if the CPU gets old it may start to overheat and generate a particular kind of error called a kernel error. This is a common problem in chips that have been overclocked to operate at higher speeds than they are supposed to.
One remedy is to get a bigger better fan and install it on top of the CPU.
CPU problems can often be fixed by disabling the CPU internal cache in the BIOS. This will make the machine run more slowly, but it should also be more stable.

10 Power supply problems

With all the new construction going on around the country the steady supply of electricity has become disrupted. A power surge or spike can crash a computer as easily as a power cut.
If this has become a nuisance for you then consider buying an uninterrupted power supply (UPS). This will give you a clean power supply when there is electricity, and it will give you a few minutes to perform a controlled shutdown in case of a power cut.
It is a good investment if your data are critical, because a power cut will cause any unsaved data to be lost.

Copy Firefox passwords to new os|Backup firefox password file

All firefox passwords are stored in three files

signons.txt, signons2.txt, key3.db

These files are stored in your firefox profile folder.

In Windows XP firefox profile is at:

c:\Documents and Settings\WindowsUsername\Application Data\Mozilla\Firefox\Profiles\profilename

Copy these three files and save them wherever you want. If you want these passwords in your other OS as well, just replace these three files there.

Access Linux partitions from Windows using Ext2fsd

If you dual boot Windows and Linux on the same machine, you probably know that Windows does not support ext partitions. Fortunately for users like us, there is a great open source project which lets you not only read data from ext partitions but also write to them.
Ext2fsd is a driver for Windows NT/2K/XP which allows the user to access Linux partitions by mapping them as logical drives in Windows. During installation you can choose whether you want to load the drives automatically every time Windows boots or load them manually.
Pros:
  • lightweight and easy to install
  • provides support for reading and writing data on ext2/3
  • supports large directories and files
Cons:
  • can not access ext4 partitions
  • will not work on Windows 7

Download Ext2fsd for Windows XP/2000

Use Windows 7 to create a Wi-Fi network without using router

If your laptop has Wi-Fi and runs Windows 7, you can easily turn it into a Wi-Fi hotspot and share your internet connection with other people in range. Virtual Router is the easiest way to do so.
Virtual Router is open source software which leverages the Wireless Hosted Network API that is part of the new Windows operating systems (Windows 7 and Windows Server 2008).
With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it. This feature requires that a Hosted Network capable wireless adapter is installed in the local computer. (quoted from MS library)
The program is really simple to use. After downloading and installing the software all you have to do is specify the network name and password to access this network. It uses the WPA-2 encryption to protect the wireless network from unwanted users.
The program requires only 20mb of RAM and is pretty simple to understand and use. Requires Windows 7 or Windows server 2008 to run.

Download Virtual Router | Virtual Router homepage

Restore GRUB bootloader after a new Windows installation

GRUB is a widely used bootloader for booting Linux systems. It lets you choose the OS you want to boot from a list of all the OSs installed on your system.
If you install any Windows OS on your PC after installing Linux, you will not see the GRUB bootloader any more. Instead, only the Windows OSs will be listed, because the Windows bootloader does not support Linux systems. To get your original GRUB bootloader back you will have to make some changes to your Master Boot Record.
To do so you will need a live CD to boot Linux. After booting from the live CD, open a terminal and execute the following commands. The first one opens the GRUB shell; the rest are typed at its prompt.
sudo grub
find /boot/grub/stage1

Now it will show you the location of the drive on the hard disk where the GRUB loader is stored.
root (hdX,Y)
setup (hd0)
quit
In place of (hdX,Y) type the output you got from the previous command. Now restart your system and you will see your GRUB loader again.

Use mobile as webcam|Mobiola Web Camera 3

Short description: The first application that realistically turns your Symbian phone into a PC-compatible webcam and truly replaces your USB camera. Works over Bluetooth!
Mobiola Web Camera 3:
Turn your camera phone into a high quality wireless (WiFi or Bluetooth) or wired (USB) web camera. Mobile phone as webcam with Mobiola Web Camera 3
Main Functionality:
  • Transforms your mobile phone into a high-quality PC webcam.
  • Connects mobile phone to PC using USB, WiFi (select models) and Bluetooth connectivity.
  • Screen Capture functionality, when device screen can be demonstrated on PC real-time.
  • NEW!!! Cool video effects. Have fun and impress your friends!
  • Works with Skype, Yahoo, YouTube, MSN, AOL IM, ICQ and many others as standard USB webcam.
  • Compatible with Symbian S60 and UIQ, Windows Mobile 5 and 6, J2ME devices, Blackberry.

Easily restore deleted files with “Restore Deleted Files Now”

How often do you delete a file from your PC and then suddenly realize that it was important? Restore Deleted Files Now is free software which can be used to restore your accidentally deleted files. With Restore Deleted Files Now you can restore files deleted with or without the Recycle Bin, using the Shift+Delete combination or through the ‘Delete’ options in different programs.

After downloading the software from here, install it on your computer. When you run the software you will see two options in the left panel: Settings and Restore Deleted Files. Click on the second one. Now select the drive you want to scan for deleted files from the drop-down menu and start the scan. It will show you all the files which can be recovered. Image files are available for preview only. You cannot recover image files using this software. You’ll have to buy the paid version of this software to recover those image files.
In short, “Restore Deleted Files Now” is free software which can be used to recover everything except image files. It works with Windows 7, Vista and XP (both 32-bit and 64-bit versions).

Download Restore Deleted Files Now (Freeware) (4.3 MB)

“The Disk is write-protected” problem (Memory card)

Recently when I tried to copy some files to my MMC using a card reader, it showed me an error saying “The disk is write-protected. Remove the write protection or use another disk.”
It was working fine before. I have used this card many times before and it never gave any error, and suddenly it started showing this error. After going through some forums I came to know that it happens because of the write protection notch, but there was no such notch or switch on my card. I kept on searching more forums and after some time I found a solution to this problem. Follow the steps given below if you are also facing the same problem.
  1. Run Registry Editor (regedit).
  2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  3. Right click on Control and create a new key.
  4. Name it StorageDevicePolicies. (Copy and paste it from here if possible.)
  5. Now click on StorageDevicePolicies and, in the right-side pane, right click, select create new DWORD and name it WriteProtect.
  6. Double click on it and set its value to 0.
Now restart your machine and try copying some files to your card.

If this also doesn’t work then keep your card in the card reader, connect it to your PC and then restart your system. I don’t know the logic behind this but it worked for me.

Use CPU-Z to get all the information about your system

CPU-Z is free software that lets you view all the information about the hardware connected to your computer. It gives you the details about your processor, memory, motherboard, graphics card etc. See the screenshot below.
CPU-Z can show the following details about your computer’s hardware.
CPU
  • Name and number.
  • Core stepping and process.
  • Package.
  • Core voltage.
  • Internal and external clocks, clock multiplier.
  • Supported instruction sets.
  • Cache information.
Mainboard
  • Vendor, model and revision.
  • BIOS model and date.
  • Chipset (northbridge and southbridge) and sensor.
  • Graphic interface.
Memory
  • Frequency and timings.
  • Module(s) specification using SPD (Serial Presence Detect) : vendor, serial number, timings table.
System
  • Windows and DirectX version.

Anti-Hacking/Anti-Cracking Tips & Tricks


Anti-Spyware Tips & Tricks
 
Reason
 
Keep your software updated.
It is recommended for you to keep your operating system software, mail server software, web server software, DNS server software, and all your application data updated to their latest versions at all times or at least enable automatic update.
 
Old versions or fresh installations of software straight from a CD or DVD can contain security vulnerabilities that haven't been fixed or patched yet and can allow an attacker to compromise a targeted system quite easily.
 
Make sure you have a strong Internet provider that is prepared for hacker or cracker attacks.
 
Availing of an Internet provider who offers very strong fiber connections that can withstand heavy cyber assaults and has special policies for hacker or cracker attacks has become par for the course in today's Internet Age.
 
Consult your Internet provider about hacker or cracker solutions and whether they are already prepared for such eventualities. If your servers are on the same network as other servers that get compromised on a daily basis, then your systems are completely vulnerable.
 
Make daily backups of all your data.
 
Depending on your system policy, it is recommended for you to make daily, weekly, or monthly backups of all your data so that you can always restore or retrieve your information if you get compromised by an attack.
 
Always have multiple servers ready.
 
It is prudent for you to have multiple servers in case one server crumbles under hacker or cracker attacks. This way, you can always move your traffic to a backup server without any hassle.
 
The Protector Anti-Spam UTM Appliance updates automatically six times a day with Intrusion Prevention and Firewall Functionality.
In order for your network to be secure and to not have any worries about cracker or hacker attacks, it is advisable for you to make use of the award-winning Protector Anti-Spam UTM Appliance, which is updated six times a day automatically.
 
The device comes with a strong, regularly updated Intrusion Prevention system that will block all hacker or cracker attacks with impunity. Furthermore, it also sports a firewall functionality that protects your whole network from inside and out.

Reset Nokia Security/Lock code to 12345

To reset the Nokia Security/Lock Code to 12345, download the mdl file from the link given at the end of this article.
You will need a card reader to perform this operation.
1) Remove memory card from your locked Nokia mobile phone.
2) Put your card into card reader and connect it with your computer. Create the directory System\Recogs and copy thc-nokia-unlock.mdl into this directory. So at the end your file will be in the System\Recogs directory of your MMC.
3) Remove the Memory Card and place it into the locked phone.
4) Now start your locked phone and wait for some time when it asks for the code. Let this tool reset the code for you. Wait for 2 minutes and then enter 12345 in the code box.
5) Done. Your security code will be reset to 12345.
This method is tested on Nokia N72 and it’s 100% working. Ask me if you need any help on this.

DOWNLOAD NOKIA THC UNLOCK (1 KB)(.mdl file)(RS)

NEW LINK:- DOWNLOAD NOKIA THC UNLOCK (1 KB)(.rar file)(MediaFire)

credit: Whoever created this tool.

Sunday, December 19, 2010

How to crack SSL over a wireless network

Introduction
Do you think you’re safe if you type https:// before paypal.com? I hope you’ll think twice before you log in from a computer connected to a wireless network after reading this guide. Let’s start at the beginning. Let’s say you have an evil neighbour who wants your PayPal credentials. He buys himself a nice laptop with a wireless card and, if you are using WEP encryption, he cracks your WEP key (click here to see how). After cracking the key he logs into your network. Maybe you always allowed him to use your network because you thought it couldn’t do any harm to your computer. You aren’t sharing any folders so what’s the problem? Well, in the next few steps I’m going to describe the problem.
The guide
1. Let’s assume your neighbour uses linux to crack your wep key. After cracking it, he installs ettercap (http://ettercap.sourceforge.net/) on his linux system. If you want to do this at home, I would recommend you to download BackTrack because it already has everything installed. Look at the WEP cracking guide I mentioned above for more info about BackTrack. If you want to install it on your own linux distribution, download the source and install it with the following commands:
$ tar -xzvf ettercap-version.tar.gz
$ make
$ make install
2. After installing, you need to uncomment some code to enable SSL dissection. Open up a terminal window and type "nano /usr/local/etc/etter.conf", without the quotes. Scroll down using your arrow keys until you find this piece of code:
# if you use iptables:
# redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
# redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
You need to uncomment the last two lines.
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
3. Press CTRL+O, press enter to save the file and then press CTRL+X.
4. Boot Ettercap and click on Sniff > Unified Sniffing > type in your wireless interface and press ok.
5. Press CTRL+S to scan for hosts
6. Go to MITM > ARP poisoning, select sniff remote connections and press ok.
7. Now you (and your neighbour!) can start sniffing! Press start > start sniffing. Walk to another computer on your network and open up paypal or any other site where you need to type in a username/password (gmail, hotmail, digg.com, etc.). All credentials will appear on the computer running Ettercap!
8. When you’re done, don’t just close Ettercap, but go to Start > Stop Sniffing, and then go to MITM > Stop mitm attack(s).
But how does all this stuff work?
Look at the following scheme:
Normally when you type in a password, host 1 (your computer) connects directly to host 2 (your modem or router). But if someone has launched Ettercap on your network, host 1 isn’t sending its passwords to host 2, but to the attacking host, the host that’s running Ettercap! The attacking host sends everything on to host 2. This means that host 1 doesn’t notice anything! Exactly the same happens with everything that host 2 is sending. Host 2 doesn’t send packets directly to host 1, but first to the attacking host.
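A defensive check for the redirection described above, as an added example that is not part of the original post: it compares two `arp -an` snapshots taken on host 1 and flags a changed gateway MAC or one MAC answering for several IPs. The addresses, the sample tables and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lines such as: ? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b"
)

# Constructed sample: host 1's neighbour table before and during the attack.
BASELINE = """\
? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
? (192.168.1.23) at 02:00:00:00:00:aa [ether] on wlan0
"""
SUSPECT = """\
? (192.168.1.1) at 02:00:00:00:00:AA [ether] on wlan0
? (192.168.1.23) at 02:00:00:00:00:aa [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0
"""


def parse_arp_table(text):
    """Map IP -> lower-cased MAC; unresolved (<incomplete>) entries are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group("ip")] = match.group("mac").lower()
    return table


def find_arp_anomalies(baseline, current, gateway_ip):
    """Return (kind, subject, detail) tuples for signs of ARP poisoning."""
    findings = []

    # Host 2 (the router) suddenly answering from a different MAC is the
    # direct symptom of the redirection the text describes.
    known, now = baseline.get(gateway_ip), current.get(gateway_ip)
    if known and now and known != now:
        findings.append(("gateway-mac-changed", gateway_ip, f"{known} -> {now}"))

    # One MAC claiming several IPs usually means the attacking host is
    # answering for someone else. Multi-homed hosts and proxy ARP can cause
    # the same pattern, so treat it as a lead to verify, not proof.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-shared", mac, ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    before = parse_arp_table(BASELINE)
    after = parse_arp_table(SUSPECT)
    for finding in find_arp_anomalies(before, after, "192.168.1.1"):
        print(finding)
```

Record the baseline while the network is known to be clean; a static ARP entry for the gateway removes the first condition entirely.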

Black Berry Forensic Examination

Black Berry Forensic Exams-How-To


Here’s a how-to for Black Berry forensic examinations. Just a fraction of the cost you’d have to pay for a 90 minute webinar at some training sites-FREE.
I hope it’s useful for you.
HARDWARE NEEDED
  • BlackBerry (duh)
  • USB Cable
  • Cradle (if it’s that type)
  • Forensic Computer (see the reference to the BlackBerry)
SOFTWARE NEEDED
Ok now that we are armed with our needed equipment, lets proceed to do our forensic magic.
USING THE DESKTOP SOFTWARE AND SIMULATOR
First install the desktop software. After this is done, you need to make sure that the connection is set for USB. Look at Options->Connection Settings and from the combo box select USB. Ok now connect the suspect’s Blackberry to your system (did you protect it from the network and make sure it was charged…? )
!!CAVEAT!!: If the BlackBerry needs a PIN, get it or get the PUK. This will not work without it. If you fail to do this, and use up your attempts to enter PIN/PUK you will wipe the device.
Now with the device connected make a backup of the handheld. Double click the Backup/Restore icon and then choose backup (this may differ depending on the version of desktop software you are using). Direct the backup (*.ipd file) to where you want to save it and name it. Then make sure you choose all databases. I recommend making a working copy and an archive copy. Now reseal and store your exhibit.
Ok time to get out the Simulator…but wait, you say, how do I know what Simulator I need to use…there are so many choices. Glad you asked. Prior to downloading the Simulator you need to check something on the BlackBerry: its OS version. This is located from the mail screen under Options-About. You are looking for the platform version number as shown below (specific to my BB).
Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)
Once you have this go to the link above and find the Simulator for this group of BlackBerry Devices download and install the Simulator.
Now with that installed, fire up the Simulator for your device. The Desktop software should be fooled into thinking a BB device is connected to the computer.
Again, choose the backup/restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized albeit virtually. Pretty cool huh? Just take screencaps/vids of the device and you have your evidence.
Two side notes: the Simulator behaves just like a regular BB, i.e. you can click the trackwheel and escape key. If you want to see call times make sure that you enable call logging by going to the phone icon, clicking the trackwheel, choosing options and “call logging”.
USING AMBER BLACKBERRY CONVERTER
This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD and the converter will load the file and show you tabs for SMS, EMAIL, call records and contacts. Notice the options for PDF, HTML and Excel export…How easy is THAT?? One thing it doesn’t do is pull out pictures (though it grabs MMS) that are saved…bummer but only a small one.
OTHER TIPS/TRICKS
Take the *.IPD file and load it into EnCase or FTK and index. This can give you fast access to keywords. You can also carve for pictures (though not deleted).
If you have read to here, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file-WARNING HEX AHEAD!!!

Black Berry IPD Files

IPD Files Demystified
Black Berry handheld devices have long been a favorite of the corporate executive but now with the release of a more mainstream multimedia capable mobile device in the Pearl and an aggressive advertising campaign, the Black Berry is bound to become a more popular device with non corporate types as well.
This mini white paper discusses the structure of the Black Berry backup or IPD file for the forensic examiner.
The IPD What is it?
The Black Berry Desktop software creates a proprietary backup of the databases on the Black Berry Handheld. This file is by default named in the following fashion
Backup-(current date,time and year)-.ipd
The files also default to the user’s “My Documents” folder. This, of course, may be changed by a user. The IPD file itself is a database of the databases.
IPD STRUCTURE
Below is a graphic of the IPD file.

As you can see from the graphic the IPD file begins with Inter@ctive Pager Backup/Restore File. The examiner may find this to be of use in search strings to find hidden or unallocated files.
Following this “header” the structure follows as is shown in the graphic below.

Here we can see that we have a one-byte line feed (x/0A) followed by a one-byte version (x/02) and a two-byte indicator of the number of databases in the file (in the above case x/3F).
Finally the names of the databases follow after a one-byte separator (x/00).
DATABASE NAME STRUCTURE
The databases within the file are constructed as follows:
  • Database name length: 2 bytes (the length includes the terminating null)
  • Database name: as long as the name length above
This is illustrated in the following graphic

After the database name length and name, the database has the following structure:
  • Database ID: 2 bytes (zero-based position in the list of DB name blocks)
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as the field length
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as the field length
The database has a unique id that is followed by the record length and the record ID. Each record will have a variable number of fields (as shown in the table by field #1 …field #m) that have a structure of length, type and data.
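A minimal parser for the layout listed above, as an added example that is not part of the original paper or of RIM's software; it also includes the signature search over a raw image mentioned earlier. The paper does not state byte order or what the record length covers, so the choices marked in the comments are assumptions, and the sample file with its field type numbers is constructed.

```python
import struct

MAGIC = b"Inter@ctive Pager Backup/Restore File"

# ASSUMPTIONS (not stated in the post): the database count is big-endian,
# every other integer is little-endian, and "record length" counts the bytes
# that follow it (version, handler, unique ID and all fields).


class IPDError(ValueError):
    """Raised when the buffer does not follow the layout described above."""


def _take(buf, off, n):
    """Return (n bytes at off, new offset) or fail loudly on truncation."""
    if off + n > len(buf):
        raise IPDError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n


def find_signatures(image):
    """Offsets of every IPD signature in a raw image (e.g. unallocated space)."""
    hits, pos = [], image.find(MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = image.find(MAGIC, pos + 1)
    return hits


def parse_ipd(buf):
    """Parse header, database name blocks and records into plain dicts."""
    if not buf.startswith(MAGIC):
        raise IPDError("signature not found at offset 0")
    raw, off = _take(buf, len(MAGIC), 5)
    line_feed, version, db_count, separator = struct.unpack(">BBHB", raw)
    if line_feed != 0x0A or separator != 0x00:
        raise IPDError("unexpected line feed or separator byte in header")

    names = []
    for _ in range(db_count):
        raw, off = _take(buf, off, 2)
        (name_len,) = struct.unpack("<H", raw)   # includes terminating null
        raw, off = _take(buf, off, name_len)
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))

    records = []
    while off < len(buf):
        raw, off = _take(buf, off, 6)
        db_id, rec_len = struct.unpack("<HI", raw)
        if db_id >= len(names):
            raise IPDError(f"record references unknown database ID {db_id}")
        if rec_len < 7:
            raise IPDError("record too short for version/handler/unique ID")
        body, off = _take(buf, off, rec_len)
        db_version, handler, unique_id = struct.unpack("<BHI", body[:7])
        fields, pos = [], 7
        while pos < len(body):                   # length, type, data triples
            raw, pos = _take(body, pos, 3)
            field_len, field_type = struct.unpack("<HB", raw)
            data, pos = _take(body, pos, field_len)
            fields.append((field_type, data))
        records.append({"database": names[db_id], "db_version": db_version,
                        "handler": handler, "unique_id": unique_id,
                        "fields": fields})
    return {"version": version, "databases": names, "records": records}


def build_sample():
    """Constructed two-database file for the demo; not from a real device."""
    def name_block(name):
        raw = name.encode("ascii") + b"\x00"
        return struct.pack("<H", len(raw)) + raw

    def record(db_id, handler, unique_id, fields):
        body = struct.pack("<BHI", 0, handler, unique_id)
        for field_type, data in fields:
            body += struct.pack("<HB", len(data), field_type) + data
        return struct.pack("<HI", db_id, len(body)) + body

    out = MAGIC + struct.pack(">BBHB", 0x0A, 0x02, 2, 0x00)
    out += name_block("Address Book") + name_block("SMS Messages")
    out += record(1, 1, 1001, [(2, b"5551234"), (4, b"call me")])
    out += record(0, 2, 1002, [(1, b"Alice")])
    return out


if __name__ == "__main__":
    parsed = parse_ipd(build_sample())
    print(parsed["databases"])
    for rec in parsed["records"]:
        print(rec["database"], rec["unique_id"], rec["fields"])
```

Field type numbers mean different things in each database, so a real examination still needs a per-database mapping before the field data can be interpreted.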

Cell Phone Codes

Here are some service codes for several handset manufacturers
LG

*6861#  factory reset
*8375#
#668#
*#3646633#
*0#
*3241#
*3240#
*0008# language
*0009# language
*0000# language
*7674#
*76863#
*77463#
*72337#
*79763#
*7245786#      check read FFS
*762442#        GVCMMI Magic
###765*02#
###765*05#
###765*08#
###765*07#
###765*78#
1945#*5101#  sim lock menu
2945#*5100#


Nokia

*#06#                IMEI
*#0000#            view Software Version
*#746025625#    [*#sim0clock#]
*#92702689#      [*#war0anty#]   secret menu:
 1. Displays Serial Number
 2. Displays the Month and Year of Manufacture (0997)
 3. Displays (if there) the date where the phone was purchased
 4. Displays the date of last repair – if found (0000)
 5. Makes you capable of transferring user data
 6. Shows how many hours the phone has been on

*3370#      Enhanced Full Rate Codec (EFR) activation
#3370#     Enhanced Full Rate Codec (EFR) deactivation
*4370#      Half Rate Codec activation
#4370#     Half Rate Codec deactivation
xx# – xx position in Phone Book

NOKIA 9000

*#06#   IMEI
*#682371158412125#  soft version
*#3283#    prod. date

NOKIA 7650

*#7979#    phone reset
*#7470#    hard reset
*#7370#    master reset (like new phone)


Motorola

*#06#      IMEI

in permanent test mode
(* hold 2 sec)
***113*1*[OK] net monitor

T205/T19x (ACER)

*#300# OK    List the Software and Hardware version
*#301# OK    Full Keypads functional Test
*#303# OK    Set Default Language to English
*#304# OK    Set OFF engineering mode
#304*19980722# OK    Set ON engineering mode
*#305# OK    Location: 1 OK
*#307# OK    Engineering Test Mode
*#311# OK    Phone code changed to default code
*#400# OK    ADC, Cal val*
*#402# OK    Adjust Display Intensity / Contrast
*#403# OK    List the Manufacturing Information
19980722 OK   Master Unlock code for Phone and Sim Lock
*#302# OK    Acoustic test*
7.1 Greeting
7.2 Main VlmGain
7.3 Input Cal
7.4 Output Cal
7.5 Side In Gain
7.6 Vox Gain
7.7 Min Mic Engy
7.8 More
(a) In Vlm Gain
(b) Aux Vlm Gain
(c) Silence Prd
(d) Supp Prd
(e) In Volume
(f) Out Volume
(g) Icon
(h) Image
(i) Animation
*3370#   EFR ON (enhanced full rate)
#3370#  EFR OFF
*#72837726# OK  Confirm ?, Data saver
1234 OK      Phone code default
*#0000# OK   Setting saved, restore set phone to default language
*#0048# OK   Fast change polish langpack
*#0007# OK   Fast change russian langpack


MOTOROLA 3xx

*#06# and quick ‘menu-key’ and 048263* (Push the key quickly!)
and entering at field “OPTCODE” you must try several times.
If not working try with MOTO TEST CARD inserted.

Security code – 32*118*1*0*0
Model – 32*279*1*0*8
Flex ver – 32*383*1*0*0
Master Reset – 18*0
Master Clear – 18*1
Set band GSM 900 – 10*0*3
Set band DCS 1800 – 10*0*4
Set band PCS 1900 – 10*0*5
Set dual band GSM 900/1800 – 10*0*6
Read band – 10*1*0   => 3-GSM, 4-DCS, 5-PCS, 6-GSM/DCS
User code – 32*116*1*0*0 /coded:00310032003300340000 – 1234/
Read imei – 32*4*1*0*0 “OK” /coded:083a05092700247709 – 350907200427799/

47*4*1*0*9*081A32547698103254 => IMEI=123456789012345
it is possible to change IMEI


Sony Ericsson

*#7465625*12*12345678#, 7465625 means SIMLOCK and 12345678 is number
                                        that you get from the unlock program

For SIM code: *#7465625*XX*(8-digit received SIMcode)#

XX can be:
12 for NCK lock
22 for Provider lock
32 for Network lock
42 for SIM code lock
52 for Subset lock
62 for Corporate lock
72 for IMSI personal
99 for IMSI range

For WAP code: *#9275625*11*(8-digit received WAP code)#

*#06#      IMEI number
*#00xx#   Changes language (xx is your country code)
*#0000000#  Resets language to auto selection
*#8378       *#TEST Reset your phone
*#7465625#  *#simlock# -> Displays SIM lock status
*#7353273#  *#release# -> Display firmware version
*#39482633#  *#EXITCODE# -> Shows phone latest failure causes
*#78737322867973738#  *#superfactoryreset#
                                     -> Reset personal data (remove SIM card first)
*#73287489263373738#  *#securitycodereset#
                                     -> Reset security code to 0000 (remove SIM card first)
*#8654#   Test phones keystroke
*#77343#  *#PREGE# -> Activates MONITOR MODE on J5/J6
*#7669666#  *#SONYMON# -> Activates MONITOR MODE on J7/70/27
*#275781#  *#ASKRT1# -> Still unknown
*09*(PIN code)# -> Turns PIN code on
#09*(PIN code)# -> Turns PIN code off


Samsung

*#06#        Show IMEI
*#9999#    Show Software Version
*#0837#    Show Software Version (instructions)
*#0001#    Show Serial Parameters
*#9125#    Activates the smiley when charging
*#0523#    LCD Contrast

*#9998*228#    Battery status (capacity, voltage, temperature)
*#9998*246#    Program status
*#9998*289#    Change Alarm Buzzer Frequency
*#9998*324#    Debug Screens
*#9998*364#    Watchdog
*#9998*377#    EEPROM Error Stack – Use side keys to select values
*#9998*427#    Trace Watchdog
*#9998*523#    Change LCD contrast
*#9998*544#    Jig detect
*#9998*636#    Memory status
*#9998*746#    SIM File Size
*#9998*778#    SIM Service Table
*#9998*785#    RTK (Run Time Kernel) errors – if ok then phn is reset,
                       info is put in memory error
*#9998*786#    Run, Last UP, Last DOWN
*#9998*837#    Software Version
*#9998*842#    Test Vibrator – Flash the screenlight during 10 sec
                       and vibration activated
*#9998*862#    Vocoder Reg – Normal, Earphone or Carkit
*#9998*872#    Diag
*#9998*947#    Reset On Fatal Error
*#9998*999#    Last/Chk

*#9998*9266#   Yann debug screen (Debug Screens?)
*#9998*9999#   Software version

*0001*s*f*t#   Changes serial parameters (s=?, f=0.1, t=0.1)
*0002*?#   unknown
*0003*?#   unknown

FOR NEW SGH (R210, T100, A300…)
if code is in format *#9998*xxx#
try write in this       *#0xxx#

SGH-600
SGH-2100

*2767*3855#   Full EEPROM Reset (THIS CODE REMOVES SP-LOCK!
                      but also changes IMEI to 447967-89-400044-0)
*2767*2878#   Custom EEPROM Reset


SGH E700

*2767*688#   remove USER CODE and SIMLOCK


SGH V200

Unlocking:
Power on the phone without SIM card and type these codes:

*2767*63342#  and press green button
*2767*3855#    and press green button
*2767*2878#    and press green button
*2767*927#      and press green button
*2767*7822573738# press button

Phone will be unlocked, but all trims are reset !!!
Mobile phone must be fully charged


SGH S500

Unlocking

*2767*MVT# (*2767*688#) E2P MVT Reset
*#SIMLOCK# (*#7465625#)

iPhone Forensics


Though many phone examiners are traditional electronic forensic analysts who have been trained to examine phones, this is certainly not a foregone conclusion. A phone examiner may not be, to be tongue in cheek, “classically trained” in forensics. Up until just recently, little was needed to examine a phone other than the current toolset that is on the market and a handful of free tools.

Examining phones became harder with the iPhone. Apple’s revolutionary phone has garnered at least 28% of the Smart Phone market and is poised to snatch even more. Spawning many imitators and challenging the once thought invulnerable RIM Black Berry, Apple has raised the bar on the technical skill required by the phone examiner.

This series of posts on iPhone Forensic Examinations is meant to help level the playing field for the phone examiner who may not also be a traditional forensic analyst of electronic evidence. The first post began by examining what is meant by the term “jailbreaking” and its forensic implications. This post continues the discussion and concentrates on the makeup of the iPhone’s filesystem.

Brief Overview of the iPhone Hardware

As I stated in the introduction to this post, the iPhone has raised the bar on the technical skill required by the phone examiner. The iPhone is much more than a device that is used for voice communications; it truly is a handheld computer. Listed below are some of the hardware specifications for the device.

  • CPU : Samsung/ARM S5L8900B01 512 Mbit SRAM
  • DISK: Samsung 65-nm 8/16 GB (K9MCG08U5M), 4 GB (K9HBG08U1M) MLC NAND Flash
  • FLASH MEMORY: Intel PF38F1030W0YTQ2 (32 MB NOR + 16 MB SRAM)

Early reports of the CPU clock speed put the iPhone’s ARM processor running at about 400 MHz with a bus speed at 100 MHz (Hockenberry). It is speculated that the ARM CPU can run at 600 MHz or more but is underclocked to provide for heat dissipation and battery life. Further firmware updates are believed to begin providing this capability as the code and hardware are refined and optimized.

So as you can see from the above, you have what amounts to a full fledged computer running with impressive CPU speeds (given its small form factor) and a massive amount (for a hand held device and for mobile forensics) of Flash storage.

The non “classically trained” phone examiner, such as the narcotics officer or border patrolman, is now faced with a device that at the very least requires an appreciation of its capabilities and may indeed require the acquisition of more advanced knowledge of computers and a deeper skill-set in the area of traditional electronic forensics.

The iPhone Hard Disk

Now that we have had a glimpse of the iPhone’s impressive hardware array, let's begin examining how the iPhone’s Disk is arranged.

The iPhone runs a mobile build of Mac OS X Leopard (10.5). Schematically the OS is designed like the graphic below.
 iPhone OS Schematic
Since OS X is built upon a BSD Unix foundation (please see http://en.wikipedia.org/wiki/Berkeley_Software_Distribution for a discussion of BSD Unix), and this is used in the iPhone, it is necessary to cover some of the concepts of the operating system.

All Operating Systems use what is called a kernel. The kernel is the nerve center of the OS and is responsible for managing the system's resources (such as communication between the hardware and the software of a device). The iPhone uses what is called a signed kernel to limit tampering with its function (though as we saw in the first post jailbreaking is accomplished through the exploitation or hacking of the kernel).

The iPhone also borrows how it partitions its hard disk from the Unix OS conventions. In order to store files on a hard disk, that raw physical device must first be prepared with partitions, or contiguous sections of a disk to store common groups of information. The difference between the iPhone’s partitioning and a physical hard disk is that the iPhone uses solid state memory as its hard disk (flash).

There are two partitions on the iPhone. The first partition is 300 MB in size and is the system or root partition (not to be confused with the root folder which will be seen in the second partition). This partition contains the operating system and the default applications that are delivered with a factory fresh iPhone. This partition is designed (unless jailbroken) to be in this pristine state for the life of the phone.

The remaining space of the hard disk is partitioned as the user-space (or media) partition. This space is where all music, videos, contacts, SMS etc. are stored.

Another computer science concept that is also important to understand is the concept of mounting. A file system must be “mounted” or made available to the Operating System for use. Unix type Operating Systems (such as OS X) use mount points or the location in the directory structure where the particular partition (filesystem) is available for use.  The Windows equivalent to this concept is drive mapping.

Since the iPhone uses a mobile build of OS X, it follows that the two partitions it has will have mount points. This is indeed the case, as can be seen from the output of the fstab file (file system table) of a jailbroken iPhone. The fstab file usually lists all available disks and disk partitions, and their mount points.

# cat fstab
/dev/disk0s1 / rw 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2

A discussion of the fstab is too lengthy and complicated to go into in this post, so readers are directed to http://en.wikipedia.org/wiki/Fstab for a thorough explanation of the output. It should suffice for our purposes here to state that the first (root) partition is mounted at the top of the directory tree (“/”) and that the media partition is mounted at /private/var. It is also of forensic importance to note that the root partition here is mounted read/write. This is the result of the jailbreaking technique.

The other thing to note in the output above is that the media partition is formatted in the HFS file format, and is not allowed to execute files (the “noexec” option).
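The fstab check described above, as an added example that is not part of the original post: it parses the quoted output (including the root line, which has no filesystem-type column) and reports the two properties the post calls out. The stock fstab used for comparison is constructed and assumes a non-jailbroken device mounts root read-only; the function names are hypothetical.

```python
# Output quoted in the post (jailbroken device). The "# cat fstab" prompt line
# starts with '#', so the parser skips it as a comment.
JAILBROKEN_FSTAB = """\
# cat fstab
/dev/disk0s1 / rw 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2
"""

# CONSTRUCTED for comparison. Assumption: a stock device mounts root read-only.
STOCK_FSTAB = """\
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2
"""


def parse_fstab(text):
    """Return one dict per entry: device, mount, fstype (or None), options."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: too few fields")
        device, mount, rest = parts[0], parts[1], parts[2:]
        # Drop the trailing numeric dump/pass columns (each is optional).
        while rest and rest[-1].isdigit():
            rest.pop()
        if len(rest) == 2:
            fstype, options = rest
        elif len(rest) == 1:      # no fstype column, as in the quoted root line
            fstype, options = None, rest[0]
        else:
            raise ValueError(f"line {lineno}: cannot identify options column")
        entries.append({"device": device, "mount": mount, "fstype": fstype,
                        "options": set(options.split(","))})
    return entries


def review_fstab(text):
    """List the mount properties an examiner should record in the notes."""
    mounts = {entry["mount"]: entry for entry in parse_fstab(text)}
    findings = []
    root = mounts.get("/")
    media = mounts.get("/private/var")
    if root is None:
        findings.append("/: no entry found")
    elif "rw" in root["options"]:
        # The post attributes a read/write root to the jailbreaking technique.
        findings.append("/: mounted read/write")
    if media is None:
        findings.append("/private/var: no entry found")
    elif "noexec" not in media["options"]:
        findings.append("/private/var: noexec option missing")
    return findings


if __name__ == "__main__":
    for label, text in (("jailbroken", JAILBROKEN_FSTAB), ("stock", STOCK_FSTAB)):
        print(label, review_fstab(text) or "no findings")
```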

Depending on whether a user is Windows based or Macintosh based, the iPhone will be formatted accordingly: with a FAT filesystem (http://en.wikipedia.org/wiki/FAT_32) in the case of Windows, or with HFS (http://en.wikipedia.org/wiki/Hierarchical_File_System) if formatted on a Macintosh.


Data Storage


Now that we know the partition structure of how the iPhone stores data, how it is mounted for user access by the Operating System, and what filesystem formatting it employs, we can look at where the most relevant files for a forensic examiner might reside. Bear in mind that the tools mentioned in the first post obtain most, if not all, of these files and report on them. The single advantage that the jailbreaking method has (offset by its non ACPO compliant forensic implications) is that it comes very near to a true forensic image and can therefore possibly obtain what I have oft termed the Holy Grail of Mobile Forensics – deleted data.

As was said in the previous section the root partition is designed to stay “factory fresh” for the life of the iPhone and contains the default applications and the untampered OS of the device. It should contain most of the following if not jailbroken.

  • SMS
  • Calendar
  • Photos
  • Camera
  • YouTube
  • Stocks
  • Maps
  • Weather
  • Clock
  • Calculator
  • Notes
  • Settings
  • iTunes
  • Phone
  • Mail
  • Safari
  • iPod


Shown below is a graphic image showing the media partition of a jailbroken iPhone. It was obtained by jailbreaking the iPhone, setting up a wireless network and then using the “dd” command over the network. The resulting image was then mounted read only under OS X. It should be noted that in a non jailbroken iPhone, iTunes in its jailed access is only allowed to get to files mounted in /private/var/mobile/Media or /private/var/root/Media depending on the generation of the firmware.

The iPhone stores the information most valuable to a forensic examiner, e.g. Contacts, SMS and Call Registers, in SQLite databases. In addition, the iPhone, in common with the full fledged version of OS X, stores additional information in XML-like lists called Plists. Plists store a lot of cool forensic information but are beyond this post. Readers interested in Plists can find more information at http://en.wikipedia.org/wiki/Plist.

Below is a list of the plists and sqlite databases that are downloaded to a computer during an iTunes sync process.

  • Library_AddressBook_AddressBook.sqlitedb
  • Library_AddressBook_AddressBookImages.sqlitedb
  • Library_Calendar_Calendar.sqlitedb
  • Library_CallHistory_call_history.db
  • Library_Cookies_Cookies.plist
  • Library_Keyboard_dynamic-text.dat
  • Library_LockBackground.jpg
  • Library_Mail_Accounts.plist
  • Library_Mail_AutoFetchEnabled
  • Library_Maps_Bookmarks.plist
  • Library_Maps_History.plist
  • Library_Notes_notes.db
  • Library_Preferences_.GlobalPreferences.plist
  • Library_Preferences_SBShutdownCookie
  • Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
  • Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
  • Library_Preferences_SystemConfiguration_com.apple.wifi.plist
  • Library_Preferences_SystemConfiguration_preferences.plist
  • Library_Preferences_com.apple.AppSupport.plist
  • Library_Preferences_com.apple.BTServer.plist
  • Library_Preferences_com.apple.Maps.plist
  • Library_Preferences_com.apple.MobileSMS.plist
  • Library_Preferences_com.apple.PeoplePicker.plist
  • Library_Preferences_com.apple.Preferences.plist
  • Library_Preferences_com.apple.WebFoundation.plist
  • Library_Preferences_com.apple.calculator.plist
  • Library_Preferences_com.apple.celestial.plist
  • Library_Preferences_com.apple.commcenter.plist
  • Library_Preferences_com.apple.mobilecal.alarmengine.plist
  • Library_Preferences_com.apple.mobilecal.plist
  • Library_Preferences_com.apple.mobileipod.plist
  • Library_Preferences_com.apple.mobilemail.plist
  • Library_Preferences_com.apple.mobilenotes.plist
  • Library_Preferences_com.apple.mobilephone.plist
  • Library_Preferences_com.apple.mobilephone.speeddial.plist
  • Library_Preferences_com.apple.mobilesafari.plist
  • Library_Preferences_com.apple.mobileslideshow.plist
  • Library_Preferences_com.apple.mobiletimer.plist
  • Library_Preferences_com.apple.mobilevpn.plist
  • Library_Preferences_com.apple.preferences.network.plist
  • Library_Preferences_com.apple.preferences.sounds.plist
  • Library_Preferences_com.apple.springboard.plist
  • Library_Preferences_com.apple.stocks.plist
  • Library_Preferences_com.apple.weather.plist
  • Library_Preferences_com.apple.youtube.plist
  • Library_Preferences_csidata
  • Library_SMS_sms.db
  • Library_Safari_Bookmarks.plist
  • Library_Safari_History.plist
  • Library_Voicemail_.token

Many of these files are obtained and reported on by the logical analysis tools mentioned in the first post.
I will detail ways of analyzing the SQLite databases obtained in a computer sync in the next post.
References
As always, I stand upon the shoulders of others. Acknowledgement goes out to the following sources

iPhone Forensics, by Jonathan Zdziarski. Copyright 2008 Jonathan Zdziarski, 978-0-596-15358-8

Craig Hockenberry, http://furbo.org/2007/08/21/what-the-iphone-specs-dont-tell-you/

http://www.uninnovate.com/2007/07/11/dear-iphone-give-me-my-data/

iPhone and Terrorism


This is an interesting article found in the Register on the iPhone and the Taliban
http://www.theregister.co.uk/2009/02/13/iphone_taliban/

Google calculator

How to use the Google calculator?
Many times when we are online we need to do some mathematical calculation; you can do this easily by using the Google calculator.
Google’s calculator tries to understand the problem you are attempting to solve without requiring you to use special syntax. However, it may be helpful to know the most direct way to pose a question to get the best results. Listed below are a few suggestions for the most common type of expressions (and a few more esoteric ones).
Most operators come between the two numbers they combine, such as the plus sign in the expression 1+1.
Operator | Function | Example
+ | addition | 3+44
- | subtraction | 13-5
* | multiplication | 7*8
/ | division | 12/3
^ | exponentiation (raise to a power of) | 8^2
% | modulo (finds the remainder after division) | 8%7
choose | X choose Y determines the number of ways of choosing a set of Y elements from a set of X elements | 18 choose 4
nth root of | calculates the nth root of a number | 5th root of 32
% of | X % of Y computes X percent of Y | 20% of 150
Some operators work on only one number and should come before that number. In these cases, it often helps to put the number in parentheses.
Operator | Function | Example
sqrt | square root | sqrt(9)
sin, cos, etc. | trigonometric functions (numbers are assumed to be radians) | sin(pi/3), tan(45 degrees)
ln | logarithm base e | ln(17)
log | logarithm base 10 | log(1,000)
A few operators come after the number.
Operator | Function | Example
! | factorial | 5!
For more information check here
http://www.google.co.in/help/calculator.html

Great Article on Mobile Forensic Evidence


Great Article by Kipp Loving and Christa Miller on potentially missed evidence

http://www.officer.com/print/Law-Enforcement-Technology/The-crime-scene-evidence-youre-ignoring/1$48858

New Tool On The Block


I was just turned onto a brand new tool in the mobile forensics game: Phone Image Carver. Phone Image Carver is the latest creation of the Australian software development company GetData. For those who don’t know about GetData, they have excellent carving and recovery tools and are the makers of Mount Image Pro, which has many useful forensic uses.
According to the website-
Phone Image Carver is an easy to use sector by sector data carver for phone dumps or cell phone image files. Currently supports:
Hex;
DD;
Bin;
RAW
Easily recover more than 300+ file types using reliable automated file carving scripts.
Most interesting, and at $69.95 this should be a handy addition to your mobile forensic toolkit.
The lads at GetData have graciously offered me a test spin of the tool to get up to speed on it (I should also disclose that they mention yours truly’s papers in the Help File; without recompense). I look forward to giving the application a knock about and reporting on it here.

Code it the Google Way

Google never seems to just be satisfied with the status quo, and when they run out of fields to compete in they create their own! Google’s new “Go” programming language is one of their newest ventures, a language which is an amalgamation of Python and C++.
The Go language, in development since September 2007, has been unveiled by Google along with the release of a free and open source compiler. In fact, Google has released both a stand-alone compiler implementation, with cryptic names such as 6g (amd64 compiler), 8g (x86 compiler), and 5g (ARM compiler), and one which is a front-end for GCC (gccgo).
Born out of frustration with existing system languages, Go attempts to bring something new to the table, and mix the ease of dynamically typed and interpreted languages with the efficiency of compiled languages.

So why make a new programming language?

Google believes that the current languages have run their course. The prominent languages in use today (C/C++, Java, C#) are all based around a similar syntax, and updating and adding new features in these languages consists of piling on libraries, with little or no upgrade to the core of the language itself. What Google intends to do requires more than just the addition of a new library.
The landscape of computing has changed a lot since C, and as Google notes “Computers are enormously quicker but software development is not faster.” Languages have had to morph quite a bit to take on support for concepts such as parallel processing and garbage collection.

Quick Overview

Go, on the other hand has been designed by Google from the ground up as “a concurrent, garbage-collected language with fast compilation”.
In order to not alienate the majority of developers though, its syntax is quite similar to C, and would not take much time for a developer to catch on to.
Go has accomplished some impressive feats. The language is designed to compile fast, and Go can compile a “large” program in a few seconds on a single computer. It is designed to simplify the creation of applications which can better utilize today’s multi-core processors. The language supports concurrent execution and communication between concurrent processes natively, and is fully garbage-collected.
Goroutines are Google’s answer to threading in Go, and any function call which is preceded by the go statement runs in a different goroutine concurrently. A feature called channels allows for easy communication and synchronization between such routines.
Unlike other object oriented languages, Go has a much “simplified” type structure, which disallows sub-classing! Go offers a different flavour of object oriented programming using interfaces, which Google believes will simplify use.
By using interfaces, explicit type hierarchies need not be defined; instead, a type will satisfy all interfaces which are subsets of its methods. The relationships between types and interfaces need not be defined explicitly! This can have some interesting implications, as people can add interfaces to connect unrelated types even later in the development of an application.
Go seems inspired by Python as well. Python has been one of Google’s favoured languages and was the sole language supported on Google’s AppEngine when it launched. Like Python, Go supports “slices”, which allow you to refer to parts of arrays using a simple syntax. Thus for an array “a” with 100 elements, a[23:42] will result in a slice with elements 23 through 41 of a (the upper bound is exclusive). Go also tracks the length of arrays internally, further simplifying array usage. Additionally, Maps in Go allow you to create “arrays” with custom index types, and are a native feature of the language.

Conclusion

One consistent point in the features of Go is that it is better to have one excellent implementation of commonly used features such as garbage collection, strings, maps etc. rather than have them rethought and re-implemented in each program.
Like nearly all Google products, Go is “beta” and not yet suitable for production use. By releasing it early Google hopes to garner a community around it and hopes that enough people will be interested in it to justify continued development.

Cell Phone Evidence Extraction Process


I’d like to share a white paper on mobile phone evidence extraction process. It was written by Det. Cynthia Murphy of the Madison Wisconsin Police Dept. It is an excellent paper and should be very influential in helping establish proper policy and procedure in evidence handling, tool verification and reporting.
I hope you all find it as useful as I did.
Cell Phone Evidence Extraction Process Development -1.8

How to crack IIS FTP password using Brute-Force

FTP is an application, service or protocol which can be used to transfer files from one place to another. It comes in very handy when transferring files from a local box to a remote one. If someone gets access to your FTP, he/she can cause a nightmare for you by uploading inappropriate images or files etc. Here we will discuss how we can crack the password of an IIS-installed FTP service in Windows.

What is Brute-Force?

Brute-force is a type of attack in which every possible combination of letters, digits and special characters is tried until the right password is matched with the username. The main limitation of this attack is its time factor. The time it takes to find the proper match mainly depends on the length and complexity of the password. Here I will be using this attack to crack the password. So, let's start…
Requirements:
  1. The tool we will be using, “BrutusA2” (Download: http://www.hoobie.net/brutus/)
  2. You need to know the target, for example “ftp://123.123.xx.xxx”

Procedure:

Step 1. Here I have shown an authentication page of an FTP service in the image below, and in the following steps we will crack its password using Brutus.

Step 2. Now open up “Brutus” and type your desired target, select a wordlist, select “FTP” from the drop down menu and click start. If you are confused then follow the image below.


Step 3. The time it takes, as I mentioned above, depends on the complexity and length of the password. So after clicking the start button, wait for the time mentioned in the tool. The password will be displayed as shown above.
Recommendation: I would recommend that readers try it in a virtual environment as I did and enjoy the trick. It is not advisable to try it on some unknown user without prior permission.
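Seen from the server side, the attack described above shows up as a burst of failed PASS commands from one client address. The following added example (not part of the original post) counts them in an FTP log with a sliding window; it assumes W3C extended logging with the field names shown and that a failed login is a PASS command answered with FTP reply code 530. The log lines, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample log (documentation IP ranges). The parser reads the column
# order from the "#Fields:" line, so it does not depend on this exact layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-12-21 10:00:01 192.0.2.10 - USER admin 331
2010-12-21 10:00:01 192.0.2.10 - PASS *** 530
2010-12-21 10:00:02 192.0.2.10 - PASS *** 530
2010-12-21 10:00:03 192.0.2.10 - PASS *** 530
2010-12-21 10:00:04 192.0.2.10 - PASS *** 530
2010-12-21 10:00:05 192.0.2.10 - PASS *** 530
2010-12-21 10:00:06 192.0.2.10 - PASS *** 530
2010-12-21 10:05:00 198.51.100.7 - PASS *** 530
2010-12-21 10:05:09 198.51.100.7 alice PASS *** 230
2010-12-21 11:00:00 203.0.113.5 - PASS *** 530
2010-12-21 12:00:00 203.0.113.5 - PASS *** 530
2010-12-21 13:00:00 203.0.113.5 - PASS *** 530
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client IP: peak failed logins inside any window} for IPs whose
    peak reaches the threshold. Assumes the log is in chronological order."""
    fields = []
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue              # malformed or truncated line
        row = dict(zip(fields, parts))
        if row.get("cs-method", "").upper() != "PASS":
            continue
        if row.get("sc-status") != "530":     # 530 = not logged in
            continue
        try:
            stamp = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
            client = row["c-ip"]
        except (KeyError, ValueError):
            continue
        seen = recent[client]
        seen.append(stamp)
        while stamp - seen[0] > window:
            seen.popleft()
        peak[client] = max(peak[client], len(seen))
    return {ip: count for ip, count in peak.items() if count >= threshold}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
    # A slow attempt only appears with a longer window and lower threshold.
    print(detect_bruteforce(SAMPLE_LOG, threshold=3, window=timedelta(hours=3)))
```

The single failure from 198.51.100.7 followed by a success is not flagged, which is the mistyped-password case a lockout or alert policy has to tolerate.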

Mobile Forensics..A New Challenge

The increasing use of Mobile phones by the population as a personal means of communication has made Mobile Phones an important piece of evidence in many legal cases.  In the coming days, Mobiles will be used for e-commerce and the relevance of Mobile Evidence will assume greater importance.
Since the Mobile phone is an electronic device, several aspects of ITA-2000 apply to Mobile phone transactions.
These are early days in the use of Mobile evidence, and there is a very high possibility that an imperfect understanding of the technology by the Police, the Lawyers and the Judges may lead to wrong judicial decisions.
In view of the importance of the Mobile devices as Cyber Evidence we shall discuss some key elements of Mobile evidence for academic understanding and debate.
The important aspects for which Mobile evidence is being presently used are
a) To find out the numbers to which calls have been made from a given mobile with date and time
b) To find out the numbers from which the calls have been received in a given mobile with date and time
c) To know the contacts through the Phone book.
d) To know the details of recent SMS messages received
e) To know the details of SMS templates
f) To know the Ring tones and Games stored in the instrument
g) To know the Pictures and video clips stored in the mobile either on the SIM card or a flash memory card.
Of these, a) and b) are also available at the service provider's level. Also, while the number of entries available on the instrument may be limited by the memory, the service provider has more detailed and reliable data, with timing, for the purpose of billing.
What the service provider's data may provide is however the information as recorded at their system based on the SIM card recognized by the system.
If the data at the service provider's systems match the data of recently called and received numbers as found on the instrument, it could mean that the SIM card presently on the instrument has data matching with what is available at the service provider's level.
If the two sets of data do not match, it means that the SIM card data has been manipulated.
Manipulating SIM card data on the instrument is a very easy process, and hence the data on the SIM card can be taken only as indicative evidence and has to be properly certified to be of any use in a court of law.
If the data on the SIM card is extracted from the Mobile after the mobile has been in the custody of the Police for some time, it is possible for the defense to take a stand that the data has been manipulated.
On the other hand the data at the service provider's level cannot be manipulated except with the connivance of the service provider or hacking into their system. Again here the data as found visible on the computers of the service provider can be taken as prima-facie evidence but if it has to be relied upon, there has to be a corroborative certification that the data is apparently not altered.
Since mobile conversations are not presently recorded by the service provider, they are not normally available as evidence.
If the conversation is hacked and recorded, then it will be a case of illegal tapping and the quality of the evidence needs to be evaluated by other parameters including a voice recognition.
The phone book details only provide information about the persons with whom the mobile owner has been in contact and nothing more.
A few of the incoming SMS messages are normally stored on the mobile and along with time data corroborated with the service provider's information, may be evidence of an incoming message. Templates may indicate the likely outgoing information and if it contains any spam or obscene message, may indicate the intention of the mobile user and nothing more.
Ring tones and Games may be relevant from the point of view of copyright violations.
Details of pictures and video clippings on an accompanying memory card indicate the intentions of the mobile user and, if they can be matched with any outgoing data packets, may be used as evidence for the likely outgoing message. These can be of use in case of any obscene pictures being transmitted from the mobile.
However, linking the stored data to a sent message requires certain forensic testing, and it is doubtful if such capabilities exist with the Indian Police as of date.

Identification of Mobile
Essentially there are two identification aspects of a mobile device. The first is the SIM card identity, which allows the transactions of a mobile to be recorded in the service provider's records.
The second is the IMEI (International Mobile Equipment Identifier) which is associated with the hardware.
Some service providers monitor IMEI numbers with call data. In such cases, if a mobile is stolen and a new SIM card is being used, it would be possible to run IMEI filters to block the stolen numbers.

Spoofing:
It must be remembered that spoofing of SMS messages as well as voice messages is not impossible on a mobile.
Firstly, it is possible to send SMS messages from a computing device with a false "Sender's Mobile Number".
Secondly, it is possible to pick a handset and alter the SIM card data to make it look like a different SIM card, and use it for sending offending messages or making calls which can be attributed to the original owner of the SIM card.
For example, a card belonging to Mr Fraud can be altered to match the SIM card of Mr Innocent and used for making calls to Targets 1 and 2. Then, if this SIM card is presented as evidence with or without the handset of Mr Innocent, it is possible to create evidence which appears as if Mr Innocent has made calls to Targets 1 and 2.
Acceptance of SIM card data as evidence is therefore required to be accompanied by several corroborative forensic certifications that eliminate the possibilities of such manipulation.
Even though the IMEI number is considered a good identification of the hardware, it is said that in India the existence of sets with duplicate IMEI numbers is widespread, and hence the service providers have been reluctant to use IMEI blocking as a solution to immobilize stolen mobiles.
[P.S.: In CDMA phones the identification is through what are called ESN (Electronic Security Number) numbers.]
Further, both IMEI numbers and ESN numbers can be modified with the use of the right equipment, and this is regularly practiced by those who deal in stolen mobiles.
It must therefore be considered possible to clone a mobile if the person so charged is shown to have sufficient resources and access to technology.
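Where a service provider does keep IMEI numbers with call data, the same records can be screened for the situations described above. The following is an added example, not part of the original article; the record layout, verdict names and sample values are constructed assumptions. It checks the Luhn check digit of an IMEI as read from a handset, and groups call records by the first 14 IMEI digits to separate a plain SIM change from interleaved use of one IMEI by several SIMs, which is the pattern duplicate IMEIs would produce (a user swapping SIMs back and forth would look the same).

```python
from collections import defaultdict

def luhn_ok(imei15):
    """Validate the 15th (Luhn check) digit of an IMEI read from the handset."""
    if len(imei15) != 15 or not imei15.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei15)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_imeis(records):
    """records: (timestamp, sim_id, imei) tuples -> {imei14: verdict}."""
    by_imei = defaultdict(list)
    for _when, sim, imei in sorted(records):
        # Compare on the first 14 digits only, so that values logged with a
        # check digit, a spare 0 or a software-version suffix group together.
        by_imei[imei[:14]].append(sim)
    verdicts = {}
    for imei14, sims in by_imei.items():
        # Collapse consecutive repeats: A A B B A -> A B A
        runs = [s for i, s in enumerate(sims) if i == 0 or s != sims[i - 1]]
        if len(runs) == 1:
            verdicts[imei14] = "single_sim"
        elif len(set(runs)) == len(runs):
            verdicts[imei14] = "sim_changed"   # e.g. handset reused with a new SIM
        else:
            verdicts[imei14] = "interleaved"   # same IMEI alternating between SIMs
    return verdicts

# Constructed sample records (not real subscriber data).
RECORDS = [
    ("2010-12-01T09:00", "SIM-A", "490154203237518"),
    ("2010-12-02T09:00", "SIM-A", "490154203237518"),
    ("2010-12-01T10:00", "SIM-B", "111111111111119"),
    ("2010-12-03T10:00", "SIM-C", "111111111111119"),
    ("2010-12-01T11:00", "SIM-D", "222222222222224"),
    ("2010-12-01T11:30", "SIM-E", "2222222222222200"),
    ("2010-12-01T12:00", "SIM-D", "222222222222224"),
]

if __name__ == "__main__":
    print(luhn_ok("490154203237518"))
    print(classify_imeis(RECORDS))
```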

Future of Mobile Evidence
The first impact of the recognition that Mobile Evidence can be modified will be felt by the law enforcement authorities, since evidence gathered by them in many cases will be questioned in the courts of law.
Just when the judiciary in India is grappling with understanding the evidentiary aspects of Computer records, the focus being generated on the Mobile Evidence will be a further challenge to the Indian judiciary.
The undersigned is in the process of developing a Checklist and Guidance Note to suggest the preferred procedure for Mobile Evidence Seizure, Preservation and Presentation as part of its activity to contribute to "Mobile Forensics".