
Sunday, December 19, 2010

How to crack SSL over a wireless network

Introduction
Do you think you’re safe if you type https:// before paypal.com? I hope you’ll think twice before you log in from a computer connected to a wireless network after reading this guide. Let’s start at the beginning. Say you have an evil neighbour who wants your PayPal credentials. He buys himself a laptop with a wireless card and, if you are using WEP encryption, he cracks your WEP key (click here to see how). After cracking the key he joins your network. Maybe you always let him use your network because you thought it couldn’t do any harm to your computer: you aren’t sharing any folders, so what’s the problem? In the next few steps I’m going to describe the problem.
The guide
1. Let’s assume your neighbour uses Linux to crack your WEP key. After cracking it, he installs Ettercap (http://ettercap.sourceforge.net/) on his Linux system. If you want to try this at home, I would recommend downloading BackTrack because it already has everything installed. See the WEP cracking guide mentioned above for more about BackTrack. If you want to install it on your own Linux distribution, download the source and build it with the following commands (the install step, and Ettercap itself, need root):
$ tar -xzvf ettercap-version.tar.gz
$ cd ettercap-version
$ ./configure
$ make
$ make install
2. After installing, you need to uncomment two lines in the configuration to enable SSL dissection: Ettercap uses iptables to redirect the victim’s port 443 traffic to its own listener. Open a terminal window and type "nano /usr/local/etc/etter.conf", without the quotes. Scroll down using your arrow keys until you find this section:
# if you use iptables:
# redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
# redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
You need to uncomment the last two lines.
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
3. Press CTRL+O, press Enter to save the file, then press CTRL+X.
4. Start Ettercap’s graphical interface and click Sniff > Unified sniffing, select your wireless interface and press OK.
5. Press CTRL+S to scan for hosts.
6. Go to MITM > ARP poisoning, tick "Sniff remote connections" and press OK.
7. Now you (and your neighbour!) can start sniffing: click Start > Start sniffing. Walk to another computer on your network and open PayPal or any other site that asks for a username and password (Gmail, Hotmail, digg.com, etc.). The credentials appear on the computer running Ettercap. One thing to be aware of: for HTTPS sites Ettercap terminates the SSL connection itself and presents its own certificate, so the victim’s browser shows a certificate warning. The credentials are only captured if the user clicks through that warning, which is exactly what this attack relies on.
8. When you’re done, don’t just close Ettercap: go to Start > Stop sniffing, then MITM > Stop mitm attack(s), so that Ettercap restores the ARP tables of the hosts it poisoned.
But how does all this work?
Look at the following scheme:
Normally when you type in a password, host 1 (your computer) sends it directly to host 2 (your modem or router). But once someone has launched Ettercap on your network, host 1 no longer sends its packets to host 2 but to the attacking host, the one running Ettercap. The attacking host forwards everything to host 2, so host 1 notices nothing. Exactly the same happens with everything host 2 sends back: host 2 does not send packets directly to host 1 but to the attacking host first. This is possible because ARP, the protocol hosts use to learn which MAC address belongs to an IP address, has no authentication: any host on the LAN can send a reply claiming "the router’s IP is at my MAC address", and both host 1 and host 2 will overwrite their ARP caches with the forged entry. That is what step 6 above does.
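To make the scheme concrete, here is an added example in Go (not part of the original post, and not Ettercap’s code) that replays the forged ARP replies from step 6 against a model of an ARP cache and runs the check a monitor such as arpwatch performs: a binding that changes, or one MAC answering for two IPs. All addresses are constructed for the example.

```go
package main

import "fmt"

// Constructed sample addresses for the scheme in the post: host 1 (the victim),
// host 2 (the router) and the attacking host running Ettercap.
const (
	GatewayIP   = "192.168.1.1"
	GatewayMAC  = "00:11:22:33:44:01"
	VictimIP    = "192.168.1.10"
	VictimMAC   = "00:11:22:33:44:10"
	AttackerMAC = "00:11:22:33:44:ee"
)

// ArpReply is one "IP is at MAC" announcement as seen on the wire.
type ArpReply struct{ IP, MAC string }

// Alert records a reply that rewrote an existing binding, or a MAC that now
// answers for more than one IP.
type Alert struct{ IP, OldMAC, NewMAC, Reason string }

// Segment is a passive view of the LAN's IP-to-MAC bindings, maintained the way
// an ordinary ARP cache maintains it: the most recent reply wins, unverified.
type Segment struct {
	bindings map[string]string // IP -> MAC
	Alerts   []Alert
}

func NewSegment() *Segment { return &Segment{bindings: map[string]string{}} }

// Learn applies one reply exactly as a host would, then flags what a monitor
// would flag: a changed binding, or one MAC claiming two different IPs.
func (s *Segment) Learn(r ArpReply) {
	if old, ok := s.bindings[r.IP]; ok && old != r.MAC {
		s.Alerts = append(s.Alerts, Alert{r.IP, old, r.MAC, "binding changed"})
	}
	s.bindings[r.IP] = r.MAC
	for ip, mac := range s.bindings {
		if ip != r.IP && mac == r.MAC {
			s.Alerts = append(s.Alerts, Alert{r.IP, "", r.MAC, "same MAC as " + ip})
		}
	}
}

// Resolve answers the question a host asks before every packet it sends:
// which MAC carries frames for this IP?
func (s *Segment) Resolve(ip string) string { return s.bindings[ip] }

// InTheMiddle reports whether frames between a and b now go to one and the
// same third MAC, i.e. whether the scheme in the post is in effect.
func (s *Segment) InTheMiddle(a, b string) bool {
	return s.Resolve(a) != "" && s.Resolve(a) == s.Resolve(b)
}

// RunScenario replays the post: two honest replies, then the forged replies
// Ettercap sends in step 6 to put itself between host 1 and host 2.
func RunScenario() *Segment {
	seg := NewSegment()
	for _, r := range []ArpReply{
		{GatewayIP, GatewayMAC},  // the router announces itself
		{VictimIP, VictimMAC},    // host 1 announces itself
		{GatewayIP, AttackerMAC}, // forged: "the router is at the attacker's MAC"
		{VictimIP, AttackerMAC},  // forged: "host 1 is at the attacker's MAC"
	} {
		seg.Learn(r)
	}
	return seg
}

func main() {
	seg := RunScenario()
	fmt.Printf("host 1 now sends frames for %s to %s\n", GatewayIP, seg.Resolve(GatewayIP))
	fmt.Println("attacker in the middle:", seg.InTheMiddle(VictimIP, GatewayIP))
	for _, a := range seg.Alerts {
		fmt.Printf("ALERT %-13s %-22s %s -> %s\n", a.IP, a.Reason, a.OldMAC, a.NewMAC)
	}
}
```

The two forged replies are all it takes: after them both hosts resolve each other to the attacker’s MAC, and the segment-wide view shows the signature a defender can alert on, one MAC claiming two IPs, which a single victim host cannot see from its own cache alone.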

Black Berry Forensic Examination

Here’s a how-to for BlackBerry forensic examinations, at a fraction of the cost you’d have to pay for a 90-minute webinar at some training sites: FREE.
I hope it’s useful for you.
HARDWARE NEEDED
  • BlackBerry (duh)
  • USB Cable
  • Cradle (if its that type)
  • Forensic Computer (see the reference to the BlackBerry)
SOFTWARE NEEDED
Now that we are armed with our needed equipment, let’s proceed to do our forensic magic.
USING THE DESKTOP SOFTWARE AND SIMULATOR
First install the desktop software. After this is done, make sure the connection is set to USB: look at Options > Connection Settings and select USB from the combo box. Now connect the suspect’s BlackBerry to your system (did you isolate it from the network and make sure it was charged?).
!!CAVEAT!!: If the BlackBerry needs a PIN, get it, or get the PUK. This will not work without it. If you fail to do this and use up your attempts to enter the PIN/PUK, you will wipe the device.
Now, with the device connected, make a backup of the handheld. Double-click the Backup/Restore icon and choose Backup (this may differ depending on the version of the desktop software you are using). Direct the backup (*.ipd file) to where you want to save it and name it. Make sure you choose all databases. I recommend making a working copy and an archive copy. Now reseal and store your exhibit.
Now it’s time to get out the Simulator. But wait, you say, how do I know which Simulator to use? There are so many choices. Glad you asked. Before downloading the Simulator you need to check the BlackBerry’s OS version. From the main screen go to Options > About. You are looking for the platform version number as shown below (specific to my BB).
Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)
Once you have this, go to the link above, find the Simulator for this group of BlackBerry devices, then download and install it.
With that installed, fire up the Simulator for your device. The desktop software should be fooled into thinking a BB device is connected to the computer.
Again, choose the Backup/Restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized, albeit virtually. Pretty cool huh? Just take screencaps/videos of the device and you have your evidence.
Two side notes: the Simulator behaves just like a regular BB, i.e. you can click the trackwheel and the escape key. If you want to see call times, make sure that call logging is enabled by going to the phone icon, clicking the trackwheel, choosing Options and then "Call Logging".
USING AMBER BLACKBERRY CONVERTER
This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD; the converter loads the file and shows you tabs for SMS, email, call records and contacts. Notice the options for PDF, HTML and Excel export. How easy is THAT? One thing it doesn’t do is pull out saved pictures (though it grabs MMS). A bummer, but only a small one.
OTHER TIPS/TRICKS
Take the *.IPD file, load it into EnCase or FTK and index it. This gives fast access to keywords. You can also carve for pictures (though not deleted ones).
If you have read to here, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file-WARNING HEX AHEAD!!!

Black Berry IPD Files

IPD Files Demystified
Black Berry handheld devices have long been a favorite of the corporate executive but now with the release of a more mainstream multimedia capable mobile device in the Pearl and an aggressive advertising campaign, the Black Berry is bound to become a more popular device with non corporate types as well.
This mini white paper discusses the structure of the Black Berry backup or IPD file for the forensic examiner.
The IPD What is it?
The Black Berry Desktop software creates a proprietary backup of the databases on the Black Berry Handheld. This file is by default named in the following fashion
Backup-(current date,time and year)-.ipd
The files also default to the user’s “My Documents” folder. This, of course, may be changed by a user. The IPD file itself is a database of the databases.
IPD STRUCTURE
Below is a graphic of the IPD file.

As you can see from the graphic the IPD file begins with Inter@ctive Pager Backup/Restore File. The examiner may find this to be of use in search strings to find hidden or unallocated files.
Following this “header” the structure follows as is shown in the graphic below.

Here we can see a one-byte line feed (0x0A) followed by a one-byte version (0x02) and a two-byte count of the number of databases in the file (0x3F in the above case).
Finally the names of the databases follow after a one-byte separator (0x00).
DATABASE NAME STRUCTURE
The database name table within the file is constructed as follows:
  • Database name length: 2 bytes (the length includes the terminating null)
  • Database name: as long as the name length above
This is illustrated in the following graphic

After the name table, each database record follows this structure:
  • Database ID: 2 bytes (zero-based position in the list of DB name blocks)
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as the field length
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as the field length
Each record carries the ID of the database it belongs to, followed by the record length, the version, the record handler and the unique record ID. The record then holds a variable number of fields (field #1 … field #m in the table), each with a length, a type and its data. There is no global index: a parser walks the file record by record, using each record length to find the next one, which is why every length read from the file should be checked against the bytes remaining before it is trusted.
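A parser for the layout above, written in Go as an added example for this post (it is neither the author’s code nor RIM’s). It walks a small constructed IPD image and bounds-checks every length it reads before using it, the check a forensic tool must make before trusting a length field from the file. Byte order is not stated in the post, so the parser assumes a big-endian database count and little-endian lengths everywhere else, and assumes the 4-byte record length covers everything after itself; verify both assumptions against a real backup before relying on the output.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header text exactly as the post shows it, followed by the one-byte line feed (0x0A).
const ipdMagic = "Inter@ctive Pager Backup/Restore File\n"

var errTrunc = errors.New("ipd: a length field runs past the end of the data")

type Field struct{ Type byte; Data []byte } // one length/type/data triple

// Record is the 7-byte record header from the post's table plus its fields;
// DBID is the zero-based index into IPD.DBNames.
type Record struct{ DBID uint16; Version byte; Handle uint16; UID uint32; Fields []Field }
type IPD struct{ Version byte; DBNames []string; Records []Record }

// cursor walks a byte slice and never reads past its end: every length the file
// supplies is bounds-checked before use, and the first failure is sticky.
type cursor struct{ buf []byte; p int; err error }

func (c *cursor) take(n int) []byte {
	if c.err == nil && n >= 0 && n <= len(c.buf)-c.p {
		c.p += n
		return c.buf[c.p-n : c.p]
	}
	c.err = errTrunc
	return make([]byte, 8) // zero stand-in so the decoders below stay in bounds
}
func (c *cursor) u8() byte                   { return c.take(1)[0] }
func (c *cursor) u16(o binary.ByteOrder) int { return int(o.Uint16(c.take(2))) }
func (c *cursor) u32(o binary.ByteOrder) int { return int(o.Uint32(c.take(4))) }
func (c *cursor) more() bool                 { return c.err == nil && c.p < len(c.buf) }

// Parse walks a whole IPD image with the layout described in the post. Byte order is
// not stated there: a big-endian database count and little-endian lengths elsewhere
// are ASSUMED, as is that the record length covers everything after itself.
func Parse(data []byte) (*IPD, error) {
	if !bytes.HasPrefix(data, []byte(ipdMagic)) {
		return nil, errors.New("ipd: missing Inter@ctive Pager header")
	}
	c := &cursor{buf: data, p: len(ipdMagic)}
	ipd := &IPD{Version: c.u8()}
	count := c.u16(binary.BigEndian)
	if c.u8() != 0x00 && c.err == nil {
		return nil, errors.New("ipd: expected 0x00 separator after the database count")
	}
	for i := 0; i < count && c.err == nil; i++ { // 2-byte length (null included), then name
		name := c.take(c.u16(binary.LittleEndian))
		ipd.DBNames = append(ipd.DBNames, string(bytes.TrimRight(name, "\x00")))
	}
	for c.more() { // 2-byte database ID, 4-byte record length, then the record body
		dbID, n := c.u16(binary.LittleEndian), c.u32(binary.LittleEndian)
		if dbID >= len(ipd.DBNames) && c.err == nil {
			return nil, fmt.Errorf("ipd: record names database %d but only %d are listed", dbID, len(ipd.DBNames))
		}
		rec, err := parseRecord(uint16(dbID), c.take(n))
		if err != nil && c.err == nil {
			return nil, err
		}
		ipd.Records = append(ipd.Records, rec)
	}
	if c.err != nil {
		return nil, c.err
	}
	return ipd, nil
}

// parseRecord decodes version, handle, unique ID and the variable field list.
func parseRecord(dbID uint16, body []byte) (Record, error) {
	c := &cursor{buf: body}
	rec := Record{DBID: dbID, Version: c.u8()}
	rec.Handle, rec.UID = uint16(c.u16(binary.LittleEndian)), uint32(c.u32(binary.LittleEndian))
	for c.more() { // 2-byte length, 1-byte type, then the data
		n := c.u16(binary.LittleEndian)
		rec.Fields = append(rec.Fields, Field{Type: c.u8(), Data: c.take(n)})
	}
	return rec, c.err
}

// SampleIPD is a constructed image (not a real backup): two database names and one
// record in database 1 ("SMS Messages") carrying two fields.
var SampleIPD = bytes.Join([][]byte{
	[]byte(ipdMagic),
	{0x02, 0x00, 0x02, 0x00}, // version 2, database count 2 (big-endian), separator
	{0x0d, 0x00}, []byte("Address Book\x00"),
	{0x0d, 0x00}, []byte("SMS Messages\x00"),
	{0x01, 0x00, 0x1e, 0x00, 0x00, 0x00},       // database ID 1, record length 30
	{0x01, 0x00, 0x00, 0x34, 0x12, 0x00, 0x00}, // version 1, handle 0, unique ID 0x1234
	{0x0c, 0x00, 0x04}, []byte("+15555550100"), // field: length 12, type 4, data
	{0x05, 0x00, 0x05}, []byte("hello"),        // field: length 5, type 5, data
}, nil)

func main() { fmt.Println(Parse(SampleIPD)) }
```

Because the cursor refuses to read beyond the slice and remembers the first failure, a backup whose record length claims more bytes than exist (a common result of carving a partial IPD out of unallocated space) produces an error instead of a panic or a silently garbled record.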

Cell Phone Codes

Here are some service codes for several handset manufacturers
LG

*6861#  factory reset
*8375#
#668#
*#3646633#
*0#
*3241#
*3240#
*0008# language
*0009# language
*0000# language
*7674#
*76863#
*77463#
*72337#
*79763#
*7245786#      check read FFS
*762442#        GVCMMI Magic
###765*02#
###765*05#
###765*08#
###765*07#
###765*78#
1945#*5101#  sim lock menu
2945#*5100#


Nokia

*#06#                IMEI
*#0000#            view Software Version
*#746025625#    [*#sim0clock#]
*#92702689#      [*#war0anty#]   secret menu:
 1. Displays Serial Number
 2. Displays the Month and Year of Manufacture (0997)
 3. Displays (if there) the date where the phone was purchased
 4. Displays the date of the last repair, if found (0000)
 5. Lets you transfer user data
 6. Shows how many hours the phone has been on

*3370#      Enhanced Full Rate Codec (EFR) activation
#3370#     Enhanced Full Rate Codec (EFR) deactivation
*4370#      Half Rate Codec activation
#4370#     Half Rate Codec deactivation
xx# – xx position in Phone Book

NOKIA 9000

*#06#   IMEI
*#682371158412125#  soft version
*#3283#    prod. date

NOKIA 7650

*#7979#    phone reset
*#7470#    hard reset
*#7370#    master reset (like new phone)


Motorola

*#06#      IMEI

in permanent test mode
(* hold 2 sec)
***113*1*[OK] net monitor

T205/T19x (ACER)

*#300# OK    List the Software and Hardware version
*#301# OK    Full Keypads functional Test
*#303# OK    Set Default Language to English
*#304# OK    Set OFF engineering mode
#304*19980722# OK    Set ON engineering mode
*#305# OK    Location: 1 OK
*#307# OK    Engineering Test Mode
*#311# OK    Phone code changed to default code
*#400# OK    ADC, Cal val*
*#402# OK    Adjust Display Intensity / Contrast
*#403# OK    List the Manufacturing Information
19980722 OK   Master Unlock code for Phone and Sim Lock
*#302# OK    Acoustic test*
7.1 Greeting
7.2 Main VlmGain
7.3 Input Cal
7.4 Output Cal
7.5 Side In Gain
7.6 Vox Gain
7.7 Min Mic Engy
7.8 More
(a) In Vlm Gain
(b) Aux Vlm Gain
(c) Silence Prd
(d) Supp Prd
(e) In Volume
(f) Out Volume
(g) Icon
(h) Image
(i) Animation
*3370#   EFR ON (enhanced full rate)
#3370#  EFR OFF
*#72837726# OK  Confirm ?, Data saver
1234 OK      Phone code default
*#0000# OK   Setting saved, restore set phone do default language
*#0048# OK   Fast change polish langpack
*#0007# OK   Fast change russian langpack


MOTOROLA 3xx

*#06#, then quickly press the menu key and 048263* (press the keys quickly!)
and enter it in the "OPTCODE" field; you may have to try several times.
If it does not work, try with a MOTO TEST CARD inserted.

Security code – 32*118*1*0*0
Model – 32*279*1*0*8
Flex ver – 32*383*1*0*0
Master Reset – 18*0
Master Clear – 18*1
Set band GSM 900 – 10*0*3
Set band DCS 1800 – 10*0*4
Set band PCS 1900 – 10*0*5
Set dual band GSM 900/1800 – 10*0*6
Read band – 10*1*0   => 3-GSM, 4-DCS, 5-PCS, 6-GSM/DCS
User code – 32*116*1*0*0 /coded:00310032003300340000 – 1234/
Read imei – 32*4*1*0*0 “OK” /coded:083a05092700247709 – 350907200427799/

47*4*1*0*9*081A32547698103254 => IMEI=123456789012345
it is possible to change IMEI


Sony Ericsson

*#7465625*12*12345678#, 7465625 means SIMLOCK and 12345678 is number
                                        that you get from the unlock program

For SIM code: *#7465625*XX*(8-digit received SIMcode)#

XX can be:
12 for NCK lock
22 for Provider lock
32 for Network lock
42 for SIM code lock
52 for Subset lock
62 for Corporate lock
72 for IMSI personal
99 for IMSI range

For WAP code: *#9275625*11*(8-digit received WAP code)#

*#06#      IMEI number
*#00xx#   Changes language (xx is your country code)
*#0000000#  Resets language to auto selection
*#8378       *#TEST Reset your phone
*#7465625#  *#simlock# -> Displays SIM lock status
*#7353273#  *#release# -> Display firmware version
*#39482633#  *#EXITCODE# -> Shows phone latest failure causes
*#78737322867973738#  *#superfactoryreset#
                                     -> Reset personal data (remove SIM card first)
*#73287489263373738#  *#securitycodereset#
                                     -> Reset security code to 0000 (remove SIM card first)
*#8654#   Test phones keystroke
*#77343#  *#PREGE# -> Activates MONITOR MODE on J5/J6
*#7669666#  *#SONYMON# -> Activates MONITOR MODE on J7/70/27
*#275781#  *#ASKRT1# -> Still unknown
*09*(PIN code)# -> Turns PIN code on
#09*(PIN code)# -> Turns PIN code off


Samsung

*#06#        Show IMEI
*#9999#    Show Software Version
*#0837#    Show Software Version (instructions)
*#0001#    Show Serial Parameters
*#9125#    Activates the smiley when charging
*#0523#    LCD Contrast

*#9998*228#    Battery status (capacity, voltage, temperature)
*#9998*246#    Program status
*#9998*289#    Change Alarm Buzzer Frequency
*#9998*324#    Debug Screens
*#9998*364#    Watchdog
*#9998*377#    EEPROM Error Stack – Use side keys to select values
*#9998*427#    Trace Watchdog
*#9998*523#    Change LCD contrast
*#9998*544#    Jig detect
*#9998*636#    Memory status
*#9998*746#    SIM File Size
*#9998*778#    SIM Service Table
*#9998*785#    RTK (Run Time Kernel) errors – if ok then phn is reset,
                       info is put in memory error
*#9998*786#    Run, Last UP, Last DOWN
*#9998*837#    Software Version
*#9998*842#    Test Vibrator – Flash the screenlight during 10 sec
                       and vibration activated
*#9998*862#    Vocoder Reg – Normal, Earphone or Carkit
*#9998*872#    Diag
*#9998*947#    Reset On Fatal Error
*#9998*999#    Last/Chk

*#9998*9266#   Yann debug screen (Debug Screens?)
*#9998*9999#   Software version

*0001*s*f*t#   Changes serial parameters (s=?, f=0.1, t=0.1)
*0002*?#   unknown
*0003*?#   unknown

FOR NEW SGH (R210, T100, A300…)
if a code is in the format *#9998*xxx#
try entering it as *#0xxx#

SGH-600
SGH-2100

*2767*3855#   Full EEPROM Reset (THIS CODE REMOVES THE SP-LOCK,
                      but also changes the IMEI to 447967-89-400044-0)
*2767*2878#   Custom EEPROM Reset


SGH E700

*2767*688#   remove USER CODE and SIMLOCK


SGH V200

Unlocking:
Power on the phone without a SIM card and type these codes:

*2767*63342#  and press green button
*2767*3855#    and press green button
*2767*2878#    and press green button
*2767*927#      and press green button
*2767*7822573738# press button

The phone will be unlocked, but all trims are reset!!!
The mobile phone must be fully charged.


SGH S500

Unlocking

*2767*MVT# (*2767*688#) E2P MVT Reset
*#SIMLOCK# (*#7465625#)

iPhone Forensics

Though many phone examiners are traditional electronic forensic analysts who have been trained to examine phones, this is certainly not a foregone conclusion. A phone examiner may not be, to be tongue in cheek, “classically trained” in forensics. Up until just recently, little was needed to examine a phone other than the current toolset that is on the market and a handful of free tools.

Examining phones became harder with the iPhone. Apple’s revolutionary phone has garnered at least 28% of the Smart Phone market and is poised to snatch even more. Spawning many imitators and challenging the once thought invulnerable RIM Black Berry, Apple has raised the bar on the technical skill required by the phone examiner.

This series of posts on iPhone Forensic Examinations, is meant to help level the playing field for the phone examiner who may not also be a traditional forensic analyst of electronic evidence. The first post began by examining what is meant by the term “jailbreaking” and its forensic implications. This post will continue with the discussion and will be concentrating on the makeup of the iPhone’s filesystem.

Brief Overview of the iPhone Hardware

As I stated in the introduction to this post, the iPhone has raised the bar on the technical skill required by the phone examiner. The iPhone is much more than a device that is used for voice communications, it truly is a handheld computer. Below are listed some of the hardware specifications for the device.

  • CPU : Samsung/ARM S5L8900B01 512 Mbit SRAM
  • DISK: Samsung 65-nm 8/16 GB (K9MCG08U5M), 4 GB (K9HBG08U1M) MLC NAND Flash
  • FLASH MEMORY: Intel PF38F1030W0YTQ2 (32 MB NOR + 16 MB SRAM)

Early reports of the CPU clock speed put the iPhone’s ARM processor running at about 400 MHz with a bus speed at 100 MHz (Hockenberry). It is speculated that the ARM CPU can run at 600 MHz or more but is underclocked to provide for heat dissipation and battery life. Further firmware updates are believed to begin providing this capability as the code and hardware are refined and optimized.

So as you can see from the above, you have what amounts to a full fledged computer running with impressive CPU speeds (given its small form factor) and a massive amount (for a hand held device and for mobile forensics) of Flash storage.

The non “classical trained” phone examiner, such as the narcotics officer or border patrolman, is now faced with a device that now at the very least requires an appreciation of its capabilities and may indeed require the acquisition of more advanced knowledge of computers and a deeper skill-set in the area of traditional electronic forensics.

The iPhone Hard Disk

Now that we have had a glimpse of the iPhone’s impressive hardware array, lets begin examining how the iPhone’s Disk is arranged.

The iPhone runs a mobile build of Mac OS X Leopard (10.5). Schematically the OS is designed like the graphic below.
 iPhone OS Schematic
Since OS X is built upon a BSD Unix foundation (see http://en.wikipedia.org/wiki/Berkeley_Software_Distribution for a discussion of BSD Unix), and this is what the iPhone uses, it is necessary to cover some of the concepts of the operating system.

All operating systems use what is called a kernel. The kernel is the nerve center of the OS and is responsible for managing the system’s resources (such as communication between the hardware and the software of a device). The iPhone uses what is called a signed kernel to limit tampering with its function (though, as we saw in the first post, jailbreaking is accomplished through the exploitation or hacking of the kernel).

The iPhone also borrows its disk partitioning from Unix conventions. In order to store files on a disk, the raw physical device must first be prepared with partitions, contiguous sections of the disk that store common groups of information. The difference between the iPhone’s partitioning and that of a physical hard disk is that the iPhone uses solid-state (flash) memory as its disk.

There are two partitions on the iPhone. The first partition is 300 MB in size and is the system or root partition(not to be confused with the root folder which will be seen in the second partition). This partition contains the operating system and the default applications that are delivered with a factory fresh iPhone. This partition is designed (unless jailbroken) to be in this pristine state for the life of the phone.

The remaining space is partitioned as the user-space (or media) partition. This is where all music, videos, contacts, SMS, etc. are stored.

Another computer science concept that is important to understand is mounting. A file system must be "mounted", or made available to the operating system, before it can be used. Unix-type operating systems (such as OS X) use mount points: the location in the directory tree where a particular partition (filesystem) is made available. The nearest Windows equivalent is the assignment of a drive letter.

Since the iPhone uses a mobile build of OS X, it follows that the two partitions it has will have mount points. This is indeed the case, as can be seen from the fstab (file system table) of a jailbroken iPhone. The fstab file lists all available disks and disk partitions and their mount points.

# cat fstab
/dev/disk0s1 / hfs rw 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2

A full discussion of fstab is too lengthy and complicated for this post, so readers are directed to http://en.wikipedia.org/wiki/Fstab for a thorough explanation of the output. For our purposes it suffices that the first (root) partition is mounted at the top of the directory tree ("/") and that the media partition is mounted at /private/var. It is also of forensic importance that the root partition here is mounted read/write (rw): a stock iPhone mounts it read-only, and the change is the result of the jailbreaking technique.

The other thing to note in the output above is that both partitions are HFS formatted and that the media partition is mounted with the "noexec" option, so files stored on it cannot be executed.

Note that, unlike an iPod, which is formatted FAT32 (http://en.wikipedia.org/wiki/FAT_32) when set up from Windows and HFS (http://en.wikipedia.org/wiki/Hierarchical_File_System) when set up from a Macintosh, the iPhone’s partitions are HFS regardless of which platform the user syncs with: the phone never presents itself as a mass storage disk, and the fstab above shows hfs for both partitions.


Data Storage


Now that we know how the iPhone partitions its storage, how it is mounted for user access by the operating system, and what filesystem formatting it employs, we can look at where the most relevant files for a forensic examiner might reside. Bear in mind that the tools mentioned in the first post obtain most, if not all, of these files and report on them. The single advantage of the jailbreaking method (offset by its non-ACPO-compliant forensic implications) is that it comes very near to a true forensic image and can therefore obtain what I have often termed the Holy Grail of mobile forensics: deleted data.

As was said in the previous section, the root partition is designed to stay "factory fresh" for the life of the iPhone and contains the default applications and the untampered OS of the device. If not jailbroken, it should contain most of the following:

  • SMS
  • Calendar
  • Photos
  • Camera
  • Youtube
  • Stocks
  • Maps
  • Weather
  • Clock
  • Calculator
  • Notes
  • Setting
  • ITunes
  • Phone
  • Mail
  • Safari
  • IPod


Shown below is a graphic of the media partition of a jailbroken iPhone. It was obtained by jailbreaking the iPhone, setting up a wireless network and then using the "dd" command over the network. The resulting image was then mounted read-only under OS X. It should be noted that on a non-jailbroken iPhone, iTunes in its jailed access is only allowed to reach files under /private/var/mobile/Media or /private/var/root/Media, depending on the generation of the firmware.

The iPhone stores the information most valuable to a forensic examiner, e.g. contacts, SMS and call registers, in SQLite databases. In addition, in common with the full version of OS X, the iPhone stores additional information in XML-like property lists (plists). Plists hold a lot of useful forensic information but are beyond this post. Readers interested in plists can find more information at http://en.wikipedia.org/wiki/Plist.

Below is a list of the plists and sqlite databases that are downloaded to a computer during an iTunes sync process.

  • Library_AddressBook_AddressBook.sqlitedb
  • Library_AddressBook_AddressBookImages.sqlitedb
  • Library_Calendar_Calendar.sqlitedb
  • Library_CallHistory_call_history.db
  • Library_Cookies_Cookies.plist
  • Library_Keyboard_dynamic-text.dat
  • Library_LockBackground.jpg
  • Library_Mail_Accounts.plist
  • Library_Mail_AutoFetchEnabled
  • Library_Maps_Bookmarks.plist
  • Library_Maps_History.plist
  • Library_Notes_notes.db
  • Library_Preferences_.GlobalPreferences.plist
  • Library_Preferences_SBShutdownCookie
  • Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
  • Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
  • Library_Preferences_SystemConfiguration_com.apple.wifi.plist
  • Library_Preferences_SystemConfiguration_preferences.plist
  • Library_Preferences_com.apple.AppSupport.plist
  • Library_Preferences_com.apple.BTServer.plist
  • Library_Preferences_com.apple.Maps.plist
  • Library_Preferences_com.apple.MobileSMS.plist
  • Library_Preferences_com.apple.PeoplePicker.plist
  • Library_Preferences_com.apple.Preferences.plist
  • Library_Preferences_com.apple.WebFoundation.plist
  • Library_Preferences_com.apple.calculator.plist
  • Library_Preferences_com.apple.celestial.plist
  • Library_Preferences_com.apple.commcenter.plist
  • Library_Preferences_com.apple.mobilecal.alarmengine.plist
  • Library_Preferences_com.apple.mobilecal.plist
  • Library_Preferences_com.apple.mobileipod.plist
  • Library_Preferences_com.apple.mobilemail.plist
  • Library_Preferences_com.apple.mobilenotes.plist
  • Library_Preferences_com.apple.mobilephone.plist
  • Library_Preferences_com.apple.mobilephone.speeddial.plist
  • Library_Preferences_com.apple.mobilesafari.plist
  • Library_Preferences_com.apple.mobileslideshow.plist
  • Library_Preferences_com.apple.mobiletimer.plist
  • Library_Preferences_com.apple.mobilevpn.plist
  • Library_Preferences_com.apple.preferences.network.plist
  • Library_Preferences_com.apple.preferences.sounds.plist
  • Library_Preferences_com.apple.springboard.plist
  • Library_Preferences_com.apple.stocks.plist
  • Library_Preferences_com.apple.weather.plist
  • Library_Preferences_com.apple.youtube.plist
  • Library_Preferences_csidata
  • Library_SMS_sms.db
  • Library_Safari_Bookmarks.plist
  • Library_Safari_History.plist
  • Library_Voicemail_.token

Many of these files are obtained and reported on by the logical analysis tools mentioned in the first post.
I will detail ways of analyzing the SQLite databases obtained in a computer sync in the next post.
References
As always, I stand upon the shoulders of others. Acknowledgement goes out to the following sources

iPhone Forensics, by Jonathan Zdziarski. Copyright 2008 Jonathan Zdziarski, 978-0-596-15358-8

Craig Hockenberry, http://furbo.org/2007/08/21/what-the-iphone-specs-dont-tell-you/

http://www.uninnovate.com/2007/07/11/dear-iphone-give-me-my-data/

iPhone and Terrorism

This is an interesting article found in the Register on the iPhone and the Taliban
http://www.theregister.co.uk/2009/02/13/iphone_taliban/

Google calculator

How to use the Google calculator?
Many times when we are online we need to do some mathematical calculation; you can do this easily using the Google calculator.
Google’s calculator tries to understand the problem you are attempting to solve without requiring you to use special syntax. However, it may be helpful to know the most direct way to pose a question to get the best results. Listed below are a few suggestions for the most common type of expressions (and a few more esoteric ones).
Most operators come between the two numbers they combine, such as the plus sign in the expression 1+1.
Operator        Function                                                                   Example
+               addition                                                                   3+44
-               subtraction                                                                13-5
*               multiplication                                                             7*8
/               division                                                                   12/3
^               exponentiation (raise to a power of)                                       8^2
%               modulo (finds the remainder after division)                                8%7
X choose Y      determines the number of ways of choosing a set of Y elements from a set of X elements   18 choose 4
Xth root of Y   calculates the Xth root of a number Y                                      5th root of 32
X% of Y         computes X percent of Y                                                    20% of 150
Some operators work on only one number and should come before that number. In these cases, it often helps to put the number in parentheses.
Operator        Function                                                       Example
sqrt            square root                                                    sqrt(9)
sin, cos, etc.  trigonometric functions (numbers are assumed to be radians)    sin(pi/3), tan(45 degrees)
ln              logarithm base e                                               ln(17)
log             logarithm base 10                                              log(1,000)
A few operators come after the number.
Operator        Function        Example
!               factorial       5!
For more information check here
http://www.google.co.in/help/calculator.html

Great Article on Mobile Forensic Evidence

Great Article by Kipp Loving and Christa Miller on potentially missed evidence

http://www.officer.com/print/Law-Enforcement-Technology/The-crime-scene-evidence-youre-ignoring/1$48858

New Tool On The Block

I was just turned onto a brand new tool in the mobile forensics game: Phone Image Carver. Phone Image Carver is the latest creation of the Australian software development company GetData. For those who don’t know about GetData, they have excellent carving and recovery tools and are the makers of Mount Image Pro, which has many useful forensic uses.
According to the website-
Phone Image Carver is an easy to use sector by sector data carver for phone dumps or cell phone image files. Currently supports:
Hex;
DD;
Bin;
RAW
Easily recover more than 300+ file types using reliable automated file carving scripts.
Most interesting, and at $69.95 this should be a handy addition to your mobile forensic toolkit.
The lads at GetData have graciously offered me a test spin of the tool to get up to speed on it (I should also disclose that they mention yours truly’s papers in the Help File; without recompense). I look forward to giving the application a knock about and reporting on it here.

Code it the Google Way

Google never seems to just be satisfied with the status quo, and when they run out of fields to compete in they create their own! Google’s new “Go” programming language is one of their newest ventures, a language which is an amalgamation of Python and C++.
The Go language, in development since September 2007, has been unveiled by Google along with the release of a free and open source compiler. In fact, Google has released both a stand-alone compiler implementation with cryptic names such as 6g (amd64 compiler), 8g (x86 compiler) and 5g (ARM compiler), and one which is a front-end for GCC (gccgo).
Born out of frustration with existing system languages, Go attempts to bring something new to the table, and mix the ease of dynamically typed and interpreted languages with the efficiency of compiled languages.

So why make a new programming language?

Google believes that the current languages have run their course. The prominent languages in use today (C/C++, Java, C#) are all based around a similar syntax, and updating and adding new features to these languages consists of piling on libraries, with little or no upgrade to the core of the language itself. What Google intends to do requires more than just the addition of a new library.
The landscape of computing has changed a lot since C, and as Google notes “Computers are enormously quicker but software development is not faster.” Languages have had to morph quite a bit to take on support concepts such as parallel processing, and garbage collection.

Quick Overview

Go, on the other hand, has been designed by Google from the ground up as "a concurrent, garbage-collected language with fast compilation".
In order not to alienate the majority of developers, its syntax is quite similar to C and would not take much time for a developer to catch on to.
Go has accomplished some impressive feats. The language is designed to compile fast, and Go can compile a "large" program in a few seconds on a single computer. It is designed to simplify the creation of applications which can better utilize today's multi-core processors. The language natively supports concurrent execution and communication between concurrent processes, and is fully garbage-collected.
Goroutines are Google's answer to threading in Go: any function call preceded by the go statement runs concurrently in a different goroutine. A feature called channels allows for easy communication and synchronization between such routines.
Unlike other object-oriented languages, Go has a much "simplified" type structure, which disallows sub-classing! Go offers a different flavour of object-oriented programming using interfaces, which Google believes will simplify use.
By using interfaces, explicit type hierarchies need not be defined; instead, a type satisfies every interface whose methods are a subset of its own. The relationships between types and interfaces need not be defined explicitly! This can have some interesting implications, as people can add interfaces to connect unrelated types even late in the development of an application.
Go seems inspired by Python as well. Python has been one of Google's favoured languages and was the sole language supported on Google's AppEngine when it launched. Like Python, Go supports "slices", which allow you to refer to parts of arrays using a simple syntax. Thus for an array "a" with 100 elements, a[23,42] will result in an array with elements 23 through 42 of a. Go also tracks the length of arrays internally, further simplifying array usage. Additionally, maps in Go allow you to create "arrays" with custom index types, and are a native feature of the language.
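The features described above (goroutines, channels, implicit interface satisfaction, slices and maps) in one small working program. This is an added example written for this page, not code from Google or the Go project; the types Shape, Rect and Square and the helper functions are invented for illustration. Note that Go's actual slice expression is written a[23:42] and its upper bound is exclusive, so it yields elements 23 through 41, which is what the example checks.

```go
package main

import (
	"fmt"
	"sync"
)

// Shape is satisfied by any type that has an Area() float64 method; no
// "implements" declaration is needed, which is the interface model the
// article describes.
type Shape interface {
	Area() float64
}

// Rect and Square are hypothetical example types for this demonstration.
type Rect struct{ W, H float64 }
type Square struct{ Side float64 }

func (r Rect) Area() float64   { return r.W * r.H }
func (s Square) Area() float64 { return s.Side * s.Side }

// TotalArea computes each shape's area in its own goroutine and collects the
// results over a channel; the WaitGroup closes the channel once all are done.
func TotalArea(shapes []Shape) float64 {
	results := make(chan float64)
	var wg sync.WaitGroup
	for _, s := range shapes {
		wg.Add(1)
		go func(s Shape) { // "go" starts a new goroutine
			defer wg.Done()
			results <- s.Area()
		}(s)
	}
	go func() {
		wg.Wait()
		close(results)
	}()
	total := 0.0
	for a := range results { // the loop ends when the channel is closed
		total += a
	}
	return total
}

// SliceRange returns the view a[lo:hi]. Go slice bounds are half-open, so the
// result holds elements lo through hi-1 and shares a's backing array.
func SliceRange(a []int, lo, hi int) []int {
	return a[lo:hi]
}

// CountWords uses a map with a string key type; maps are built into the language.
func CountWords(words []string) map[string]int {
	counts := make(map[string]int)
	for _, w := range words {
		counts[w]++
	}
	return counts
}

func main() {
	a := make([]int, 100)
	for i := range a {
		a[i] = i
	}
	s := SliceRange(a, 23, 42)
	fmt.Printf("len=%d first=%d last=%d\n", len(s), s[0], s[len(s)-1]) // len=19 first=23 last=41
	fmt.Println(TotalArea([]Shape{Rect{2, 3}, Square{2}}))            // 10
	fmt.Println(CountWords([]string{"go", "c", "go"}))                  // map[c:1 go:2]
}
```

Because TotalArea receives results in whichever order the goroutines finish, the channel is the only synchronisation point; no mutex is needed for the running total, since a single goroutine does all the adding.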

Conclusion

One consistent point in the features of Go is that it is better to have one excellent implementation of commonly used features such as garbage collection, strings, maps etc. rather than have them rethought and re-implemented in each program.
As nearly all Google products, Go is “beta” and not yet suitable for production use. By releasing it early Google hopes to garner a community around it and hopes that enough people will be interested in it to justify continued development.

Cell Phone Evidence Extraction Process

I’d like to share a white paper on mobile phone evidence extraction process. It was written by Det. Cynthia Murphy of the Madison Wisconsin Police Dept. It is an excellent paper and should be very influential in helping establish proper policy and procedure in evidence handling, tool verification and reporting.
I hope you all find it as useful as I did.
Cell Phone Evidence Extraction Process Development -1.8

How to crack IIS FTP password using Brute-Force

FTP is an application-level service and protocol used to transfer files from one place to another; it comes in very handy when moving files from a local box to a remote one. If someone gains access to your FTP server, he or she can cause a nightmare for you by uploading inappropriate images or files. Here we will discuss how the password of the IIS FTP service installed on Windows can be cracked.

What is Brute-Force?

Brute force is a type of attack in which every possible combination of letters, digits and special characters is tried until the right password for the username is matched. The main limitation of this attack is the time factor: the time it takes to find the proper match depends mainly on the length and complexity of the password. Here I will be using this attack to crack the password. So, let's start...
Requirements:
  1. The tool we will be using: "BrutusA2" (Download: http://www.hoobie.net/brutus/)
  2. You need to know the target, e.g. "ftp://123.123.xx.xxx"

Procedure:

Step 1. The image below shows the authentication page of an FTP service; in the following steps we will crack its password using Brutus.

Step 2. Now open up "Brutus", type in your desired target, select a wordlist, select "FTP" from the drop-down menu and click Start. If you are confused, follow the image below.


Step 3. As mentioned above, the time it takes depends on the complexity and length of the password, so after clicking the Start button wait for the time the tool reports. The password will be displayed as shown above.
Recommendation: I would recommend that readers try this in a virtual environment, as I did, and enjoy the trick. It is not advisable to try it on some unknown user without prior permission.
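From the defender's side, a wordlist attack like the one above leaves a very recognisable trace: a burst of failed PASS commands (status 530) from one client address, often followed by a 230 when a guess succeeds. The following detector, added here as an example and not part of the original post or any vendor's tooling, reads W3C-style FTP log lines of the kind IIS writes, counts failed logins per client IP inside a sliding window and flags bursts, marking whether a success followed. The log lines are constructed for this example, and the field list, the threshold of five failures and the one-minute window are assumptions to tune for your own server.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample in the W3C extended log format that IIS FTP writes.
// The field list and every value are made up for this example.
const sampleLog = `#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2010-12-19 10:00:01 10.0.0.5 - 192.168.1.10 21 USER administrator 331 0
2010-12-19 10:00:01 10.0.0.5 administrator 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:00:02 10.0.0.5 administrator 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:00:03 10.0.0.5 administrator 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:00:04 10.0.0.5 administrator 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:00:05 10.0.0.5 administrator 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:00:06 10.0.0.5 administrator 192.168.1.10 21 PASS *** 230 0
2010-12-19 10:07:00 10.0.0.9 bob 192.168.1.10 21 PASS *** 530 1326
2010-12-19 10:07:30 10.0.0.9 bob 192.168.1.10 21 PASS *** 230 0
`

// Finding describes one client address that exceeded the failure threshold.
type Finding struct {
	IP        string
	Failures  int  // largest number of failures seen inside one window
	Succeeded bool // a 230 arrived while the burst was still in the window
}

// DetectBruteForce scans the log text and returns a finding per client IP
// that produced at least threshold failed PASS commands within window.
func DetectBruteForce(logText string, threshold int, window time.Duration) map[string]Finding {
	fields := map[string]int{}             // column name -> index, from the #Fields header
	recent := map[string][]time.Time{}     // per IP: failure times still inside the window
	findings := map[string]Finding{}

	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "#Fields:") {
			fields = map[string]int{}
			for i, name := range strings.Fields(line)[1:] {
				fields[name] = i
			}
			continue
		}
		if line == "" || strings.HasPrefix(line, "#") || len(fields) == 0 {
			continue // other directives, or data before any header
		}
		cols := strings.Fields(line)
		if len(cols) < len(fields) || cols[fields["cs-method"]] != "PASS" {
			continue // only password attempts are interesting here
		}
		ts, err := time.Parse("2006-01-02 15:04:05", cols[fields["date"]]+" "+cols[fields["time"]])
		if err != nil {
			continue
		}
		ip := cols[fields["c-ip"]]

		// Slide the window: drop failures older than window relative to this line.
		keep := recent[ip][:0]
		for _, t := range recent[ip] {
			if ts.Sub(t) <= window {
				keep = append(keep, t)
			}
		}
		recent[ip] = keep

		switch cols[fields["sc-status"]] {
		case "530": // login failed
			recent[ip] = append(recent[ip], ts)
			if len(recent[ip]) >= threshold {
				f := findings[ip]
				f.IP = ip
				if len(recent[ip]) > f.Failures {
					f.Failures = len(recent[ip])
				}
				findings[ip] = f
			}
		case "230": // login succeeded; alarming only right after a burst
			if f, ok := findings[ip]; ok && len(recent[ip]) >= threshold {
				f.Succeeded = true
				findings[ip] = f
			}
		}
	}
	return findings
}

func main() {
	for ip, f := range DetectBruteForce(sampleLog, 5, time.Minute) {
		fmt.Printf("%s: %d failures in window, success afterwards: %v\n", ip, f.Failures, f.Succeeded)
	}
}
```

The "success after burst" flag is the one worth paging on: a burst alone may be a misconfigured client, but a 230 immediately after many 530s means the guessing worked and the account should be treated as compromised. Account lockout and a rate limit on failed logins remove the attack's precondition, unlimited guesses, which is exactly what the time estimate in the post relies on.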

Mobile Forensics..A New Challenge

The increasing use of Mobile phones by the population as a personal means of communication has made Mobile Phones an important piece of evidence in many legal cases.  In the coming days, Mobiles will be used for e-commerce and the relevance of Mobile Evidence will assume greater importance.
Since a mobile phone is an electronic device, several aspects of ITA-2000 apply to mobile phone transactions.
These are early days in the use of mobile evidence, and there is a very high possibility that an imperfect understanding of the technology by the Police, the Lawyers and the Judges may lead to wrong judicial decisions.
In view of the importance of mobile devices as cyber evidence, we shall discuss some key elements of mobile evidence for academic understanding and debate.
The important purposes for which mobile evidence is presently used are:
a) To find out the numbers to which calls have been made from a given mobile with date and time
b) To find out the numbers from which the calls have been received in a given mobile with date and time
c) To know the contacts through the Phone book.
d) To know the details of recent SMS messages received
e) To know the details of SMS templates
f) To know the Ring tones and Games stored in the instrument
g) To know the Pictures and video clips stored in the mobile either on the SIM card or a flash memory card.
Of these, a) and b) are also available at the service provider's level. Also, while the number of entries available on the instrument may be limited by its memory, the service provider has more detailed and reliable data, with timing, for billing purposes.
What the service provider's data provides, however, is the information as recorded on their system, based on the SIM card recognized by the system.
If the data at the service provider's systems matches the data of recently called and received numbers as found on the instrument, it could mean that the SIM card presently in the instrument has data matching what is available at the service provider's level.
If the two sets of data do not match, it means that the SIM card data has been manipulated.
Manipulating SIM card data on the instrument is a very easy process, and hence the data on the SIM card can only be taken as indicative evidence and has to be properly certified to be of any use in a court of law.
If the data on the SIM card is extracted from the mobile after the mobile has been in the custody of the Police for some time, it is possible for the defense to take the stand that the data has been manipulated.
On the other hand, the data at the service provider's level cannot be manipulated except with the connivance of the service provider or by hacking into their system. Again, the data as visible on the computers of the service provider can be taken as prima facie evidence, but if it is to be relied upon, there has to be corroborative certification that the data is apparently not altered.
Since mobile conversations are not presently recorded by the service provider, they are not normally available as evidence.
If the conversation is hacked and recorded, then it will be a case of illegal tapping, and the quality of the evidence needs to be evaluated by other parameters, including voice recognition.
The phone book details only provide information about the persons with whom the mobile owner has been in contact, and nothing more.
A few of the incoming SMS messages are normally stored on the mobile and, along with time data corroborated with the service provider's information, may be evidence of an incoming message. Templates may indicate the likely outgoing information and, if they contain any spam or obscene message, may indicate the intention of the mobile user and nothing more.
Ring tones and games may be relevant from the point of view of copyright violations.
Details of pictures and video clips on an accompanying memory card indicate the intentions of the mobile user and, if they can be matched with any outgoing data packets, may be used as evidence of the likely outgoing message. These can be of use in case of any obscene pictures being transmitted from the mobile.
However, linking the stored data to a sent message requires certain forensic testing, and it is doubtful whether such capabilities exist with the Indian Police as of date.
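The comparison described above, between the recently-called and received numbers on the instrument and the service provider's records, is mechanical enough to script. The following reconciliation is an added example for this page, not a tool from the author or any vendor: it matches each handset entry to a provider record with the same number and direction within a small clock tolerance, and reports the handset entries the provider never saw (the manipulation indicator the text describes) separately from the provider records the handset lacks (deleted, or simply aged out of the handset's limited memory). The record layout, the numbers and the five-minute tolerance are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// CallRecord is one entry from either the handset's recent-calls list or the
// service provider's records. The layout is hypothetical, not any vendor's.
type CallRecord struct {
	Number    string
	Direction string // "out" (dialled) or "in" (received)
	At        time.Time
}

// Reconcile matches handset entries against provider records, allowing the
// handset clock to differ by up to tolerance. It returns the handset entries
// with no matching provider record and the provider records the handset lacks.
// Each provider record is consumed at most once so duplicates cannot hide.
func Reconcile(handset, provider []CallRecord, tolerance time.Duration) (unmatchedHandset, unmatchedProvider []CallRecord) {
	used := make([]bool, len(provider))
	for _, h := range handset {
		matched := false
		for i, p := range provider {
			if used[i] || p.Number != h.Number || p.Direction != h.Direction {
				continue
			}
			d := h.At.Sub(p.At)
			if d < 0 {
				d = -d
			}
			if d <= tolerance {
				used[i] = true
				matched = true
				break
			}
		}
		if !matched {
			unmatchedHandset = append(unmatchedHandset, h)
		}
	}
	for i, p := range provider {
		if !used[i] {
			unmatchedProvider = append(unmatchedProvider, p)
		}
	}
	return
}

// parseAt is a small helper for the constructed sample data below.
func parseAt(s string) time.Time {
	t, err := time.Parse("2006-01-02 15:04", s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample data: two entries agree, one handset entry is unknown to
// the provider, and one older provider record has dropped off the handset.
var sampleHandset = []CallRecord{
	{"+15551230001", "out", parseAt("2010-12-18 09:15")},
	{"+15551230002", "in", parseAt("2010-12-18 10:40")},
	{"+15551230003", "out", parseAt("2010-12-18 11:05")}, // absent at the provider
}

var sampleProvider = []CallRecord{
	{"+15551230001", "out", parseAt("2010-12-18 09:14")}, // handset clock one minute ahead
	{"+15551230002", "in", parseAt("2010-12-18 10:40")},
	{"+15551230004", "in", parseAt("2010-12-17 20:00")}, // aged out of the handset's list
}

func main() {
	onlyHandset, onlyProvider := Reconcile(sampleHandset, sampleProvider, 5*time.Minute)
	fmt.Println("on handset but not at provider:", onlyHandset)
	fmt.Println("at provider but not on handset:", onlyProvider)
}
```

An entry in the first list is what the text calls a mismatch and is the item that needs explaining; the second list is expected and harmless whenever the handset's storage is smaller than the provider's retention period.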

Identification of Mobile
Essentially there are two identification aspects of a mobile device. The first is the SIM card identity, which allows the transactions of a mobile to be recorded in the service provider's records.
The second is the IMEI (International Mobile Equipment Identifier), which is associated with the hardware.
Some service providers record IMEI numbers with call data. In such cases, if a mobile is stolen and a new SIM card is being used, it would be possible to run IMEI filters to block the stolen handsets.

Spoofing:
It must be remembered that spoofing of SMS messages as well as voice messages is not impossible on a mobile.
Firstly, it is possible to send SMS messages from a computing device with a false "Sender's Mobile Number".
Secondly, it is possible to pick up a handset and alter the SIM card data to make it look like a different SIM card, and use it for sending offending messages or making calls which can be attributed to the original owner of the SIM card.
For example, a card belonging to Mr Fraud can be altered to match the SIM card of Mr Innocent and used for making calls to Targets 1 and 2. Then, if this SIM card is presented as evidence with or without the handset of Mr Innocent, it is possible to create evidence which appears as if Mr Innocent has made calls to Targets 1 and 2.
Acceptance of SIM card data as evidence therefore needs to be accompanied by several corroborative forensic certifications that eliminate the possibility of such manipulation.
Even though the IMEI number is considered a good identification of the hardware, it is said that in India the existence of sets with duplicate IMEI numbers is widespread, and hence the service providers have been reluctant to use IMEI blocking as a solution to immobilize stolen mobiles.
[P.S: In CDMA phones the identification is through what is called ESN (Electronic Security Number) numbers.]
Further, both IMEI numbers and ESN numbers can be modified with the right equipment, and such practices are regularly carried out by those who deal in stolen mobiles.
It must therefore be considered possible to clone a mobile if the person so charged is shown to have sufficient resources and access to technology.

Future of Mobile Evidence
The first impact of the recognition that mobile evidence can be modified will be felt by the law enforcement authorities, since evidence gathered by them in many cases will be questioned in the courts of law.
Just when the judiciary in India is grappling with understanding the evidentiary aspects of computer records, the focus being generated on mobile evidence will be a further challenge to the Indian judiciary.
The undersigned is in the process of developing a Check List and Guidance Note to suggest the preferred procedure for Mobile Evidence Seizure, Preservation and Presentation, as part of its activity to contribute to "Mobile Forensics".

How to Sign Out of Gmail Account Remotely?

Sign Out of Gmail Account Remotely
Gmail is one of the most widely used email services, and it has a lot of features. One security feature of Gmail is known as remote logout. Many of us use more than one computer to log in to our Gmail account. Sometimes we leave the browser open without logging out of Gmail, or we are in a cyber cafe and a power cut or computer failure occurs; if the computer is at an office or any public place, your account may be hacked or misused by someone else.
But there is a method by which you can log out of your Gmail account remotely.
Open your Gmail account and go to the bottom of the page, where you will see something like the image shown below.

Now click on "Details", which shows a pop-up with details about your last sessions. Click on "Sign out all other sessions" to sign out of Gmail at all other places except the current one.
With this simple feature you can check whether your Gmail account has been hacked or not.

New security features of Windows Vista in system and kernel mode

Section 1: Security Development Lifecycle

The Security Development Lifecycle (SDL) is a formal process that helps make sure software is built from the ground up to reduce security risk. The SDL applies a disciplined process of secure design, coding, implementation, testing, review and response to all Microsoft products, and specifically to Windows Vista. The SDL reduces the attack surface, makes the operating system and applications less buggy, and helps organizations manage and isolate their networks more securely.
Windows Vista is the first client operating system to be designed and developed from the first step to the last using the SDL. More than 1,000 threat models were developed for Windows Vista to identify and reduce risks in the different parts of the operating system that required special testing.

Section 2: Kernel Patch

The most important security issue concerns the operating system kernel: kernel-mode rootkits, which are typically used by unwanted software such as spyware. Kernel Patch Protection against rootkits can reduce this risk and increase the stability, reliability and performance of the system, including all user data and programs.
Handling these problems was very difficult before, because 32-bit Windows drivers, as on Windows XP, are not identified by a digital signature and the kernel offers no supported protection. 32-bit Windows security products that provide blocking capabilities modify the kernel through unsupported techniques.
As computer systems move from 32-bit to 64-bit architectures, the smaller installed base of 64-bit software makes it possible to make significant security enhancements in the kernel and reduce the potential for rootkits.

What is Kernel Patching?

Kernel patching is the practice of using unsupported methods or features to change or replace kernel code. Kernel patching can have unpredictable effects on behaviour, including system instability, performance problems and errors such as the Blue Screen, which as we know can lead to lost user data. Another very important issue is that kernel patching is a mechanism used by malware developers and attackers against the Windows Vista operating system.
The biggest risk in kernel patching comes from virus and spyware writers who use this technique maliciously to hide their presence and effects.
Of course, malware authors are motivated to patch the kernel because it is a powerful mechanism for attacking computers and data.

What is Kernel Patch Protection?

There are many new security features in Windows Vista, but I want to emphasize that Kernel Patch Protection is not one of them: it was created for the x64 CPU architecture versions and Microsoft already used it in Windows Server 2003 SP1 and Windows XP Professional, but it is not supported on x86 (32-bit) systems. As the use of 64-bit computers increases, Vista users will see more benefit from this technology. Kernel Patch Protection monitors whether the resources used by the kernel, or the kernel code itself, have been changed or modified. If Windows Vista detects any unauthorized patch of kernel data or code, it shuts the system down automatically. We should remember that Kernel Patch Protection cannot prevent all viruses and malware; it closes one avenue of attack on the system.

Section 3: Encrypting File System improvement:

The Encrypting File System (EFS) is the best tool for encrypting files on client and server computers. It helps users protect their data from unauthorized access by other people, other computers or external attackers. In Windows Vista, EFS includes many new security techniques and features. Vista's EFS supports storing user keys, and also administrative keys, on smart cards. If a smart card is used for logon, EFS operates in a single sign-on mode, where it uses the logon smart card for file encryption without prompting for the PIN. Windows Vista also provides a process for creating and setting up smart card keys and for migrating the user's files from an old smart card to a new one. The smart card utility program has these features as well.
EFS is available in Windows Vista Business, Enterprise and Ultimate.


Section 4: USB Device and Removable Devices Control:

As we know, connecting devices to computers is very common these days, and users should be able to add new hardware to the computer or use USB devices and other removable storage devices. This creates two problems: first, installing an unsupported device can make the computer harder to maintain, and second, it can create threats to data security. With a USB device or removable storage, the "autorun" technique can be used by an attacker to install malware or other malicious software on an unattended system.
Fortunately, Windows Vista manages or blocks the installation of unsupported or unauthorized parts and devices. These security settings can be applied independently on a client computer or across a number of systems in a network. Administrators have a great deal of control over these policies in Windows Vista. Group Policy settings are available specifically to manage and control read and write access to removable storage devices such as USB devices, on a per-user or per-system basis.

Section 5 : Windows Defender


In recent years spyware and other unwanted software such as adware, bots and rootkits have created big problems for systems and users. Such software is usually installed without the user's knowledge or consent, and it can damage or corrupt personal information and passwords and send them to third parties without the user's permission.
Microsoft knows that anti-spyware protection is very important for users. As a matter of customer choice, Microsoft supports users in deciding what programs are installed and run on their computers, where they came from, what they do and how to remove them. Based on these discussions and users' complaints about spyware, Microsoft decided to create and include an anti-spyware solution, Windows Defender, in Windows Vista. Windows Defender helps protect against and remove spyware, adware, rootkits, control utilities and similar things that we call "malware". In Windows Vista, Windows Defender helps protect against unwanted application and software installation. It monitors the different areas of the OS that malware commonly abuses, such as the Startup folder and the registry, and prompts the user. If any software attempts to change one of the protected areas of Vista, Windows Defender displays a message asking the user to allow or reject the change. Good news: Windows Defender is also available as a free download for licensed customers of Windows 2000, Windows XP and Windows Server 2003.

Section 6 : Windows Firewall

Most Windows XP users have used a firewall. A firewall is a critical first line of defense against many kinds of malware before they can enter a user's computer or a network.
When Microsoft released the first version of Windows XP, the built-in firewall was turned off by default, for compatibility with some applications and with third-party firewalls. As a result, many customers and users got no benefit from firewall protection when network worms reached their computers.

Windows Vista Firewall

Based on this experience, and to prevent such events, the firewall in Windows Vista is on by default and is also compatible with other software; customers who want to use a third-party firewall can easily turn off the built-in one.
This means the firewall in Windows Vista is turned on from the moment Windows starts, to protect the user. In addition, the Windows Firewall in Windows Vista allows the administrator of a network or of a single system to block certain applications, such as peer-to-peer sharing or instant messaging software, that are usually unwelcome.
Section 7: Protecting the Kernel of Windows in 32-Bit vs. 64-Bit

Microsoft, as the designer and developer of Windows Vista, tried its best to create a product that is more reliable and more secure against attacks. At the most basic level, this means that the kernel-mode code in Windows Vista needs a security-focused design and development, followed by testing and release. As I mentioned, Microsoft has followed this method since 2002 under the Security Development Lifecycle (SDL). The Microsoft development team had a clear and important goal of improving the reliability and security of the new product. As a producer it takes a risk, because application compatibility must also be considered while building a security platform. On 32-bit Windows, mostly Windows XP, third-party developers have over time used unsupported interfaces in a lot of applications that users depend on. The technique of using such unsupported and undocumented interfaces is called "kernel patching". I emphasize here that kernel instructions and data structures are manipulated directly in order to modify, change and control system behaviour.
Windows 32-Bit Architecture in Kernel and User Mode.
This technique is used to fight malware, but even without malware, using it can introduce instability into the system. The advantage of a supported interface is that if the interface changes, developers are informed through Microsoft's documentation and can update their code to handle the change. On the other hand, changes to undocumented and unsupported interfaces cannot be tracked and will lead to crashes or other unexpected problems and effects when the kernel patching technique is used. Unsupported patching techniques usually patch undocumented kernel interfaces and, without intending to, can reduce security in the system. These issues become important when several software packages chain together their use of unsupported patching techniques: for example, the order of calls from one package to the next is sometimes undefined, as is the behaviour when one package is removed from the chain. This kind of problem is very complex, can lead to other subtle problems that are very difficult to diagnose, and happens frequently. These techniques are bad computer science practice and are not supported by most software engineering disciplines. In the hands of malware, rootkits can be much more dangerous, because they allow a malicious program to hide and protect itself while monitoring everything the user does, controlling access to all software, files and network connections, and even hardware. These malware activities can be used for online theft of bank passwords or identities. Unfortunately, hardening the kernel of 32-bit systems in this way would have carried a risk, so to reduce that risk Microsoft decided to implement these changes in 64-bit Windows. Because of that, we have a "clean start" state in Vista with native 64-bit drivers and all software adapted to these changes.

Section 8: What was Vista security holes?


As we have heard, Kaspersky is one of the best antivirus companies at preventing malware and viruses these days. Its expert labs have predicted that more than 90% of current malware in circulation will run on Windows Vista.
We believe now that Vista appears to be much more secure than Windows XP, but the researchers warned Microsoft and users that as Vista becomes more popular, it should increase protection of the kernel against hackers.
As we know, the first parts of any operating system to be attacked are its foundations; in Vista that means PatchGuard, which protects the kernel, as we discussed above.
The first aim should be technology that makes access to the operating system kernel more difficult.
PatchGuard, or kernel protection, as we said, tries to protect the Vista kernel from illegal access by unauthorised users or software. It locks the system completely if it detects any risky patch or code.
Unfortunately, some hackers were able to install malware into the Vista kernel during the test stage using a new method: they ran their software in Vista's kernel space as a driver.

Section 9 : New Security vs. Convenience Usability

Sometimes the appearance of new features costs some existing advantages. In fact, one of the basic issues in security design is keeping a fair balance between security and usability. If security is too complex, usability simply disappears. Even if a feature offers a very good level of security protection, if it is too complex or has poorly designed usability it will be disabled by users or system administrators. When Microsoft's engineers and designers decided that Windows Vista should be very secure, they tried to create security capabilities that are enabled by default and usable enough not to inconvenience users. It is great when the risks decrease by adding new security features and you can work as well as before, or perhaps even more easily.
That was a very hard and expert balance: how many applications will need harder security, and how many users will want to turn a security feature off if their usability suffers? One of the great new things in Windows Vista is User Account Control (UAC). In effect, UAC is a "standard user that works", or a "non-administrative user that can actually do things". To do some things, such as changing the local time zone on Windows XP, you had to have local administrator rights. That meant that practically everyone who logged into the system was a member of the local Administrators group.
But in Windows Vista, one of the main goals of User Account Control was to protect users from attacks by malware or by other users. To achieve that goal, Vista defines a standard user for all end users, who get the changes they want, while protecting the users who really need to be administrators from something bad and risky. Overall, Microsoft's primary aim was to protect the system from malicious users and from users who want illegal access.

Section 10: Windows Defender

When you look at the usability of Vista, the first thing you may notice is that the system asks too frequently for permission. Before releasing Vista, Microsoft also worked with application and software vendors to make sure they do not require elevation and verification by an administrator except where it is necessary.
Another example of convenience versus security is the policy for enabling Data Execution Prevention (DEP) in Vista. DEP treats data as data and code as code, and blocks the execution of data. The benefit is that even if a data buffer is overrun, DEP makes it harder for an attacker to execute malicious code that was placed in that buffer. DEP is turned on by default in Vista for kernel mode, and it is an excellent technique for protecting parts of the system, most notably Internet Explorer. The problem is that some third-party add-ons generate code dynamically and store that code in a data buffer, and there is no way for DEP to distinguish between such add-ons and malware. It means we either get more security or we accept application compatibility issues.

Conclusion:
Windows Vista can make our job easier and our systems more secure. If we are systems engineers or experts, we will surely find it nearly ready for developing a highly secure client platform. For non-professional users I think there is a small problem in using Windows Vista, simply because some programs they probably need, and some hardware, are not supported. From the security point of view, in the terms I have explained, Windows Vista is really one big success for Microsoft. With the Security Development Lifecycle, Kernel Patch Protection, the Encrypting File System, security for USB and removable devices, Windows Defender, Windows Firewall and a lot of techniques Microsoft never published, it is very hard to attack, crack or abuse any holes in this product. I recommend that everyone install it from today and enjoy the latest operating system in the world.

Neo-Tablets Require a New Security Strategy

Business use of the iPad and other neo-tablet computers creates a unique security environment mainly because of one important difference between them and laptops – most will not support multitasking. The iPad specifically does not, and it is very likely that neither the WebOS Hewlett-Packard tablet nor the Android-based Google tablet will. That leaves the promised Asus EeePad, which will run Windows 7, as the only potential market entry that definitely will be a multitasking machine.
This creates a unique security situation, with both good and bad aspects. Without multitasking these devices will not be able to run applications in background. That means they will not support the security strategy used on laptops, which depends heavily on security software running in background. On the other hand, they also will not run versions of today’s malware, which also runs in background. That means no keyloggers, botnets, etc.
That, however, does not mean that these devices will be safe from cyber crime. For a start they will be just as vulnerable as any other computer to phishing exploits and similar attacks that depend on deceiving the computer user. Cyber-criminals could create games and other apps that actually mask malware or find ways to add their malware to legitimate apps. They also may find ways to insert instructions into the tablet’s Web browser routing all Web calls through an intermediary URL, creating malware on the SaaS model.
Security Strategies
This unique environment will require a new multilayered security strategy to protect business information, including business e-mail, chat, and IM as well as structured data. First, IT will need to centralize all data storage behind multiple defenses, and require strong identification from tablets requesting access. Business applications, and in particular front-end display systems for these neo-tablets, should be designed to prevent local storage of any data. This will protect data from exposure should a tablet be lost or stolen, which certainly will happen, as well as decreasing exposure to Internet-based cyber-crime.
Second, IT should require that all front-end business apps, whether written in-house or bought off-the-shelf, include built-in security to replace at least some of the security provided by independent applications on laptops.
Third, IT should consider using SaaS-based security to protect neo-tablets and business data from Internet-based exploits.
Finally, IT should seriously consider strong encryption for all data transmissions. This does add overhead and complications, which need to be managed, but it can also reduce exposure to data interception strategies from cyber criminals.

Action Item: None of this implies a panic situation. The first malware exploits for neo-tablets are probably still two years away at a minimum. What this does mean, however, is that data security should be designed into business strategies for using neo-tablets, and the technologies created to support those strategies, from the beginning. Security has always had to play catch-up on the desktop. This major platform change gives IT an opportunity to start off ahead of the criminals.