Wednesday, July 3, 2013

The Implications of Office 365 in Digital Forensics and eDiscovery – part 1

A couple of years ago Microsoft began to embrace cloud technology and launched Office 365 for Business, in direct competition with solutions being developed by Google and others. This was followed more recently with a home user edition: Office 365 Home Premium. The Office 365 suite is an evolution of the standard Office package and introduces, amongst other things, a cloud-based aspect called SkyDrive, which allows for greater online collaboration on documents. In the first of two posts, we will look at how Office 365 works, and provide an overview of the forensic artefacts that may be retrieved.
Users must have a registered Microsoft Account in order to download Office 365, which comes bundled with SkyDrive and the Office 2013 Upload Center. By default, all three applications are installed, and a SkyDrive folder is created for the user’s account at ~\Users\Username\SkyDrive.
When setting up SkyDrive on a new PC, the user has two main setup options. They can either use the default express settings, which will download any files currently associated with that account, or they can customise the setup and sync specific files and folders with the PC. They can also specify a different location for the SkyDrive folder.
The Windows Registry holds some useful Office 365 and SkyDrive configuration data. We can verify that Office 365 is installed, and determine the version in use, by examining the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertyBag\productreleaseid. The value of this key in a typical Office 365 Home Premium setup is “O365HomePremRetail”, and it is expected that a similar naming convention will be used to represent other licensing models.
Each Microsoft account grants the user five Office 365 licences, which are managed online. Each licensed PC is given a unique identifier that is listed online and can be matched to a value in the registry, located at HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Registration. This ID is actually the name that the user has given the computer (for example, WIN-UJMBC6MS5HB).
The PC ID can also be retrieved from the SkyDrive system folder at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\setup\logs. This folder contains one or more text files, which store the event logs for all synchronisation events and application updates; however, only the logs that reference when SkyDrive was installed or updated contain the PC ID. The line in the log containing the ID can be found relatively easily by searching for “X-Computer”.
Further information can be gleaned from the SkyDrive settings folder located at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\settings. First, there is a text file which is named using a GUID (e.g. 130cf147b5dzxd4c), which is assigned to the SkyDrive account, and also forms part of the URL when the user logs in through a web browser.
The aforementioned settings file contains significant data about the SkyDrive account, including what Microsoft call the last ‘refresh’ time (i.e. the last time the account synchronised with the cloud server), the number of sync requests sent to the online server since Office 365 was installed, and the total bytes transferred. The last refresh time is also found, as a Windows 64-bit little-endian file time (FILETIME), in the registry hive under HKEY_CURRENT_USER\Software\Microsoft\SkyDrive.
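To turn the little-endian file time mentioned above into a readable timestamp, here is an added example (not code from the original post or from Microsoft) that decodes a Windows FILETIME exactly as it appears in a registry export. The sample bytes are constructed for a date in July 2013, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the original post: decode a Windows FILETIME,
# the 64-bit count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# The registry stores it as 8 little-endian bytes (REG_BINARY or REG_QWORD),
# which is how the SkyDrive "last refresh" time described above appears.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 ns
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000  # 1970-01-01 in FILETIME ticks


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    if not 0 <= ticks < 2 ** 64:
        raise ValueError("FILETIME must fit in an unsigned 64-bit integer")
    seconds, rem_ticks = divmod(ticks, TICKS_PER_SECOND)
    # 100-ns resolution is finer than datetime's microseconds; truncate the rest.
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rem_ticks // 10)


def filetime_bytes_to_datetime(raw: bytes) -> datetime:
    """Decode the 8 little-endian bytes exactly as a registry export shows them."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ticks)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, useful for building a search range over a hive."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


# Constructed sample: 2013-07-03 12:00:00 UTC, packed the way it sits in the hive.
SAMPLE_TICKS = 130_173_264_000_000_000
SAMPLE_RAW = struct.pack("<Q", SAMPLE_TICKS)

if __name__ == "__main__":
    print(SAMPLE_RAW.hex(" "), "->", filetime_bytes_to_datetime(SAMPLE_RAW).isoformat())
```

The registry editor shows REG_BINARY values byte by byte in the same little-endian order, so the bytes can be pasted straight into bytes.fromhex() and fed to filetime_bytes_to_datetime.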
Uploads and downloads of Office 365 files to and from the SkyDrive account are managed by the Office 2013 Upload Center. When a new file is created using an Office 365 application, the user can either save only locally, or to their SkyDrive folder, which creates a local copy and a cloud copy. The latter creates a local version in the user’s SkyDrive folder, but also allows the Upload Center to sync the file with the cloud server. Providing the PC is online and uploads have not been paused, this sync happens almost instantaneously. Otherwise, the file is queued for upload to the cloud at the next opportunity.
While the file is only being accessed from one PC, the created, modified and accessed times behave like a normal Office file. However, if the file is accessed from another PC linked to the SkyDrive account, then there are slight differences. Firstly, the created date on the second PC is that of when the file was first uploaded to the cloud server. This is not necessarily the same as when it first came into existence on the original PC, or when it was downloaded to the additional PC. This is demonstrated in figure 1 below, which shows the created time differences for the same file on two PCs. Although in this example the difference is relatively small, if SkyDrive wasn’t synced as regularly the difference could be much bigger.
With respect to the modified date stamps, a direct comparison between the first and second PC after synchronisation shows that this information stays the same during the sync, rather than reflecting the fact that the file has been downloaded to another PC. However, the last accessed time is updated as a result of this event and, in the example below, the accessed date on PC 2 actually reflects the time the file was downloaded from SkyDrive (although this may not always be the case).
Figure 1: A file created on PC 1 (left) and the same file on PC 2 with new created and accessed times (right).
Once synchronised, the file times then behave much as they would on an offline system. When a change is made and the file is saved, the modified and accessed times update on the local PC and, as long as synching takes place regularly, are also updated with the cloud account, so that this metadata is the same for all versions of the file on PCs associated with the account.
It is clear that Office 365 adds an extra dimension to the collection of Microsoft Office documents. While imaging a PC will capture any documents synced with SkyDrive, there may be further files sitting in the cloud that have never touched that particular device. Furthermore, the time and date information is not as reliable, and behaves differently to a standard Office document. As a result, considerable discrepancies could arise if they are not synced regularly.
Keep an eye out for part 2 of this Office 365 series, which will look at the back end that powers Office 365, and the extra information that can be uncovered from it.
Source: http://www.millnet-consulting.com/2013/05/27/office365-in-forensics-ed-1/#more-1047

Intercepting Blackberry Application Traffic

Intercepting mobile traffic is one of the key areas of mobile application penetration testing, and BlackBerry mobile applications are no different. In this post, we will look at methods of intercepting BlackBerry application traffic.

It is important to note that the standalone BlackBerry simulator does not offer any mechanism to route HTTP traffic over a web proxy. To use a web proxy for traffic interception, one has to use the BlackBerry device simulator together with the MDS and email simulator. Assuming you have both installed, the following steps will allow you to intercept BlackBerry web traffic.

Case 1: Routing HTTP traffic via web proxy:

  1. Browse to "\Program Files\Research In Motion\BlackBerry Email and MDS Services Simulators #.#.#\MDS\config"
  2. Open the rimpublic.property file
  3. Under the HTTP HANDLER section, add your web proxy configuration information:
application.handler.http.proxyEnabled=true
application.handler.http.proxyHost=<your proxy address>
application.handler.http.proxyPort=<your proxy port>

The following image shows the rimpublic.property file HTTP HANDLER section for Fiddler running on port 8888 on localhost.

Web Proxy Configuration
More details on proxy configuration can be seen here. Once you save these settings and launch MDS simulator, you will be able to monitor, intercept and modify all HTTP traffic. However, we still need to put in some extra work for SSL traffic.


Image shows HTTP traffic captured for google.com


Case 2: Routing HTTPS traffic via web proxy:
The above-mentioned configuration was not successful when attempted on SSL traffic. It was time for a workaround, and I thought of using a reverse proxy. The idea of using a reverse proxy had some limitations, but it worked seamlessly and allowed me to intercept SSL traffic for a particular domain. To demonstrate this concept, I will be using Charles Proxy's Reverse Proxy. You can use any reverse proxy of your choice. Let's configure the Charles proxy now.
  1. Obtain the IP address to which the application/browser talks.
  2. Obtain the IP for the target domain. nslookup for mail.google.com revealed four DNS entries (74.125.226.184, 74.125.226.182, 74.125.226.181, 74.125.226.183) and one of them was chosen as the destination for the reverse proxy settings. See the screenshots below for the Charles Reverse Proxy settings.
  3. In the hosts file, add an entry that resolves the target domain name to the IP at which the reverse proxy is hosted. In our case, I entered the following for mail.google.com:
    127.0.0.1 mail.google.com
  4. Now launch your browser and access https://mail.google.com
  5. The BlackBerry simulator will issue a certificate error. Choose the "Trust Certificate" option, provide the certificate store password and then save your settings.
  6. All the traffic will be routed via Charles now. Enjoy!

To summarize reverse proxy settings (Two sets of entries):
Entry 1: To ensure that all SSL traffic is forwarded to mail.google.com:443
Listening on : 127.0.0.1:443
Forwarding to: 74.125.226.181:443 #one

Entry 2: To ensure that all plain HTTP is forwarded too
Listening on : 127.0.0.1:80
Forwarding to: 74.125.226.181:80
Image shows reverse proxy settings in Charles

Image shows the certificate error issued when https://mail.google.com is accessed via the reverse proxy. Choosing the "Trust Certificate" option allows SSL traffic to be intercepted.
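From the defensive side, the hosts-file step above is also what an examiner looks for when checking whether a device has been wired up for interception. The following added example, not part of the original post, parses hosts-file text and reports public-looking names pinned to a loopback or unspecified address; the sample file content and the function names are constructed for this example.

```python
import ipaddress

# Added example, not from the original post: parse hosts-file text and flag
# public-looking host names that have been pinned to a loopback or unspecified
# address, which is the hosts-file step of the reverse-proxy setup above.
# SAMPLE_HOSTS below is constructed for this example.

# Names that are expected to sit on loopback in a stock hosts file.
STOCK_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field, ignore the line
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_overrides(text):
    """Dotted names pointed at loopback or 0.0.0.0/:: are returned as (name, ip)."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in STOCK_LOCAL_NAMES or "." not in name:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, str(addr)))
    return findings


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    build.corp.example      # hypothetical intranet host, left alone
127.0.0.1       mail.google.com         # the interception entry from the post
0.0.0.0         ads.example.net         # sinkhole-style entry, also reported
"""

if __name__ == "__main__":
    for name, ip in suspicious_overrides(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Entries mapped to private LAN addresses are deliberately not reported here, since intranet pinning is common and needs context to judge.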


Source: http://gursevkalra.blogspot.in/2011/06/intercepting-blackberry-application.html

Thursday, May 16, 2013

Internship for 2 months

Internship for 2 months (VAPT Tester, Cyber Security Professional) Freelance

at Valency Networks in Pune (Published at 07-05-2013)
We have 2 vacancies for internship for college students who want to eventually pursue a career in the cyber security domain. Candidates will get hands-on experience and knowledge. No salary will be offered.
Internship period of 2-3 months depending on your college schedule. Female candidates will be given preference to promote their presence in this field.

BIOS LOG

Accessing BIOS for Windows

  • Turn on the computer. As the computer is booting up, look toward the bottom of the screen. You will notice directions that read "BIOS = F2, Boot System = F12" or something similar to those commands. Again, this will vary according to the manufacturer. Press the button indicated for BIOS.
  • Press the button for "System Log" or "Event Log" on the menu that appears. The menu will offer you a variety of options that are accessed by pressing the indicated buttons.
  • View the system log. If you do not see any of the prompts instructed in the previous steps, you may have to contact the BIOS manufacturer. To find the BIOS manufacturer for your system, go to the Search area on the desktop and type in "System Information." Click "System Information" in the result, then view "System summary." The BIOS manufacturer will be listed.

Accessing BIOS for Mac

  • Turn on the computer and wait for the desktop screen to load.
  • Go to "Applications," "Utilities," then "Console" or type "Console" in the Spotlight area.
  • Go to "system.log" to view the BIOS system log.

Sunday, September 23, 2012

Babylon remove...

Mozilla Firefox

  • Type "about:config" into the address bar, then press Enter.
  • Accept the Warning
  • In the Search bar on this page, search for "browser.newtab.url" (without quotes).
  • Right-click it, and click "Reset".
  • Restart Firefox.
Source: http://www.o2tricks.in

Wednesday, July 4, 2012

Hide Folder Without any Software...

Folder Hide : No more software need...

Step 1 : Rename any folder with extension {645FF040-5081-101B-9F08-00AA002F954E}
For example,
If you have a folder with the name “Anything”,
press F2,
then type “Anything.{645FF040-5081-101B-9F08-00AA002F954E}”
and press Enter.
Step 2 : To get back to its original form,
Make a new batch file with any name and type
“ren Anything.{645FF040-5081-101B-9F08-00AA002F954E} Anything” .
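A folder renamed this way is still an ordinary directory on disk, so it is easy to find from a script. The following is an added example (not from the original post) that walks a directory tree and reports any folder whose name ends in a CLSID suffix, using the GUID from the post for the sample; the second GUID in the sample and the function names are constructed placeholders.

```python
import os
import re
import tempfile

# Added example, not from the original post: find directories whose name ends
# in a ".{CLSID}" suffix, the disguise described above. The first GUID is the
# one the post uses; the second is a constructed placeholder, not a real CLSID.

CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def split_disguised_name(name):
    """Return (original_name, clsid) when name carries a CLSID suffix, else None."""
    match = CLSID_SUFFIX.search(name)
    if match is None:
        return None
    return name[:match.start()], match.group(0)[1:]


def find_disguised_dirs(root):
    """Walk root and list (path, original_name, clsid) for every disguised folder."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for dirname in dirnames:
            parsed = split_disguised_name(dirname)
            if parsed is not None:
                hits.append((os.path.join(dirpath, dirname), parsed[0], parsed[1]))
    return sorted(hits)


def demo():
    """Build a constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        os.makedirs(os.path.join(root, "Anything.{645FF040-5081-101B-9F08-00AA002F954E}"))
        os.makedirs(os.path.join(
            root, "Documents", "notes.{12345678-1234-1234-1234-123456789ABC}"))  # placeholder CLSID
        return [(orig, clsid) for _path, orig, clsid in find_disguised_dirs(root)]


if __name__ == "__main__":
    for orig, clsid in demo():
        print(f"{orig!r} is hidden behind {clsid}")
```

Point find_disguised_dirs at a mounted image or a user profile to list every folder renamed this way; the batch-file rename from the post is then the reverse of what split_disguised_name returns.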

Nokia Tricks

Do you know your Nokia can do this also....

1.  Imagine your phone battery is very low, you are expecting an important call and you don’t have a charger.
     Nokia handsets come with a reserve battery. To activate it, the key is “*3370#”.
     Your phone will restart with this reserve and will show a 50% increase in battery.
     This reserve will get charged when you next charge your phone.
     *3370# Activate Enhanced Full Rate Codec (EFR) - Your phone uses the best sound quality but talk time is reduced by approx 5%
     #3370# Deactivate Enhanced Full Rate Codec( EFR)
     *#4720# Activate Half Rate Codec – Your phone uses a lower quality sound but you should gain approx 30% more Talk Time
     *#4720# Deactivate Half Rate Codec
2.  *#0000# Displays your phone's software version,
      1st Line :  Software Version,
      2nd Line : Software Release Date,
      3rd Line : Compression Type
3.  *#9999# Phone's software version if *#0000# does not work.
4.  *#06# For checking the International Mobile Equipment Identity (IMEI Number).
5.  #pw+1234567890+1# Provider Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
6.  #pw+1234567890+2# Network Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
7.  #pw+1234567890+3# Country Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
8.  #pw+1234567890+4# SIM Card Lock Status.(use the “*” button to obtain the “p,w” and “+” symbols).
9.  *#147# (Vodafone) this lets you know who called you last; *#1471# Last call (only Vodafone).
10.  *#21# Allows you to check the number that “All Calls” are diverted to.
11.  *#2640# Displays security code in use.
12.  *#30# Lets you see the private number.
13.  *#43# Allows you to check the “Call Waiting” status of your phone.
14.  *#61# Allows you to check the number that “On No Reply” calls are diverted to.
15.  *#62# Allows you to check the number that “Divert If Unreachable(no service)” calls are diverted to.
16.  *#67# Allows you to check the number that “On Busy Calls” are diverted to.
17.  *#67705646# removes operator logo on 3310 & 3330
18.  *#73# Reset phone timers and game scores
19.  *#746025625# Displays the SIM Clock status, if your phone supports this power saving feature “SIM Clock Stop Allowed”, it means you will get the best standby time possible
20.  *#7760# Manufacturer's code
21.  *#7780# Restore factory settings
22.  *#8110# Software version for the Nokia 8110
23.  *#92702689# (to remember *#WARRANTY#)
      Displays:
      1. Serial Number,
      2. Date Made,
      3. Purchase Date,
      4. Date of last repair (0000 for no repairs),
      5. Transfer User Data.
      To exit this mode you need to switch your phone off then on again
24.  *#94870345123456789# Deactivate the PWM-Mem
25.  **21*number# Turn on “All Calls” diverting to the phone number entered
26.  **61*number# Turn on “No Reply” diverting to the phone number entered
27.  **67*number# Turn on “On Busy” diverting to the phone number entered
  Each command is prefixed with either one or two * or # characters as follows:
    ** Register and Activate
    * Activate
    ## De-Register (and Deactivate)
    # Deactivate
    *# Check Status
    © Call button
Once each command has been entered, if it is a network command (as opposed to a local handset command) it must be transmitted to the network by pressing the YES (receiver) key, which acts as an enter key; this is represented here with the © character. Always enter numbers in full international format +CountryAreaNumber (e.g. +447712345678).
Security
Change call barring code **03*OldCode*NewCode*NewCode#©
Change call barring code **03*330*OldCode*NewCode*NewCode#©
Change PIN code **04*OldPIN*NewPIN*NewPIN#©
Change PIN2 code **042*OldPIN2*NewPIN2*NewPIN2#©
Unlock PIN code (when PIN is entered wrong 3 times) **05*PUK*NewPIN*NewPIN#©
Unlock PIN2 code (when PIN2 is entered wrong 3 times) **052*PUK2*NewPIN2*NewPIN2#©
Display IMEI *#06#
Call Forwarding (Diversions)
De-register all call diversions ##002#©
Set all configured call diversions to number and activate **004*number#©
De-register all configured call diversions (no answer, not reachable, busy) ##004#©
Unconditionally divert all calls to number and activate **21*number#©
Activate unconditionally divert all calls *21#©
De-register unconditionally divert all calls ##21#©
Deactivate unconditionally divert all calls #21#©
Check status of unconditionally divert all calls *#21#©
Divert on no answer to number and activate **61*number#©
Activate divert on no answer *61#©
De-register divert on no answer ##61#©
Deactivate divert on no answer #61#©
Check status of divert on no answer *#61#©
Divert on not reachable to number and activate **62*number#©
Activate divert on not reachable *62#©
De-register divert on not reachable ##62#©
Deactivate divert on not reachable #62#©
Check status of divert on not reachable *#62#©
Divert on busy to number and activate  **67*number#©
Activate divert on busy *67#©
De-register divert on busy ##67#©
Deactivate divert on busy #67#©
Check status of divert on busy *#67#©
Change number of seconds of ringing for the given service before diverting a call (such as on no answer). Seconds must be a value from 5 to 30. De-registering the same divert will also delete this change! **service*number**seconds#© (Service numbers, see below)
Call barring
Activate barring all outgoing calls (see Security to set code) **33*code#©
Deactivate barring all outgoing calls #33*code#©
Check status of barring all outgoing calls *#33#©
Activate barring all calls **330*code#©
Deactivate barring all calls #330*code#©
Check status of barring all calls *#330*code#©
Activate barring all outgoing international calls **331*code#©
Deactivate barring all outgoing international calls #331*code#©
Check status of barring all outgoing international calls *#331#©
Activate barring all outgoing international calls except to home country **332*code#©
Deactivate barring all outgoing international calls except to home country #332*code#©
Check status of barring all outgoing international calls except to home country *#332#©
Activate barring all outgoing calls **333*code#©
Deactivate barring all outgoing calls #333*code#©
Check status of barring all outgoing calls *#333#©
Activate barring all incoming calls **35*code#©
Deactivate barring all incoming calls #35*code#©
Check status of barring all incoming calls *#35#©
Activate barring all incoming calls when roaming **351*code#©
Deactivate barring all incoming calls when roaming #351*code#©
Check status of barring all incoming calls when roaming *#351#©
Activate barring all incoming calls **353*code#©
Deactivate barring all incoming calls #353*code#©
Check status of barring all incoming calls *#353#©
Call waiting
Activate call waiting *43*#©
Deactivate call waiting #43##©
Check status of call waiting *#43#©
Calling Line Identification
The following only works if CLIP and CLIR are enabled (ask your service provider)
CLIP: Presentation of the number of the incoming call
Activate CLIP **30#©
Deactivate CLIP ##30#©
Check status of CLIP *#30#©
CLIR: Presentation of one’s own number to the called party
Activate CLIR **31#©
Activate CLIR for the actual call *31#number©
Deactivate CLIR ##31#©
Deactivate CLIR for the actual call #31#number©
Check status of CLIR *#31#©
COLP: Presentation of the actual number reached (if the number called was diverted to another number)
Activate COLP *76#©
Deactivate COLP #76#©
Check status of COLP *#76#©
COLR: Presentation of the original number called by the calling party (if the call was diverted to this cellphone)
Activate COLR *77#©
Deactivate COLR #77#©
Check status of COLR *#77#©
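The prefix convention described above (** register and activate, * activate, ## de-register, # deactivate, *# check status, followed by the service code, optional *-separated fields and a closing #) is regular enough to parse. The following added example, not part of the original page, breaks such a string into its action, service code, fields and any number dialled after the trailing #, and checks the full-international-format rule; the service-name table covers only codes listed on this page, and the function names are my own.

```python
import re

# Added example, not from the original page: parse the *#-style command strings
# listed above into prefix action, service code, supplementary fields and the
# number dialled after the trailing '#'. SERVICES covers codes on this page only.

ACTIONS = {
    "**": "register and activate",
    "*#": "check status",
    "##": "de-register",
    "*": "activate",
    "#": "deactivate",
}

SERVICES = {
    "002": "all call diversions", "004": "all conditional call diversions",
    "21": "divert all calls", "61": "divert on no answer",
    "62": "divert on not reachable", "67": "divert on busy",
    "33": "bar all outgoing calls", "330": "bar all calls",
    "331": "bar outgoing international calls", "35": "bar all incoming calls",
    "351": "bar incoming calls when roaming", "43": "call waiting",
    "30": "CLIP", "31": "CLIR", "76": "COLP", "77": "COLR",
    "03": "call barring code", "04": "PIN", "042": "PIN2",
    "05": "PIN unlock (PUK)", "052": "PIN2 unlock (PUK2)", "06": "IMEI display",
}

# prefix, 2-3 digit service code, zero or more '*field' entries, '#', optional dial string
MMI = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#(.*)$")
INTERNATIONAL = re.compile(r"^\+\d{7,15}$")


def parse_mmi(code):
    """Return a dict describing the command, or None if it is not MMI-shaped."""
    code = code.replace("©", "").strip()  # the page marks the Call key with ©
    match = MMI.match(code)
    if match is None:
        return None
    prefix, service, raw_fields, dial = match.groups()
    # raw_fields looks like "*a*b**c"; drop the leading '*' and split, keeping empties
    fields = raw_fields[1:].split("*") if raw_fields else []
    return {
        "action": ACTIONS[prefix],
        "service": service,
        "service_name": SERVICES.get(service, "unknown"),
        "fields": fields,
        "dial": dial,
    }


def international_ok(number):
    """The page's rule: numbers go in full +CountryAreaNumber form."""
    return INTERNATIONAL.match(number) is not None


if __name__ == "__main__":
    for sample in ("**21*+447712345678#©", "*#43#©", "##002#©", "*31#+447712345678©"):
        print(sample, "->", parse_mmi(sample))
```

Empty fields are kept, so the no-answer timer form **61*number**20# comes back with fields ["+44...", "", "20"], which is what the handset transmits.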

Source: http://kyrionhackingtutorials.com

Techno Facts

Facts you know?

160 billion emails are sent daily, 97% of which are spam.
Spam generates 33bn KWt-hours of energy every year, enough to power 2.4 million homes, producing 17 million tons of CO2.
9 out of every 1,000 computers are infected with spam.
Spammers get 1 response to every 12 million emails they send (yet it still makes them a small profit).
A twillionaire is a twitterer with a million or more followers.
There are some 1 billion computers in use.
There are some 2 billion TV sets in use.
There are more than 4 billion cell phones in use. About 3 million cell phones are sold every day.
The first known cell phone virus, Cabir.A, appeared in 2004.
Since 2008, video games have outsold movie DVDs.
Amazon sells more e-books than printed books.
Facebook has 500 million registered users… about 100 million less than QQ.
About 1.8 billion people connect to the Internet, 450 million of them speak English.
Google indexed its 1 trillionth unique URL on July 25, 2008. That is thought to be about 20% of all the pages on the Internet, but a high percentage of the World Wide Web (the public Internet).
One Google search produces about 0.2g of CO2. But since you hardly get an answer from one search, a typical search session produces about the same amount of CO2 as boiling a kettle.
Google handles more than 1 billion search queries per day, releasing some 200 tons of CO2 per day.
The average US household uses 10.6 megawatt-hours (MWh) electricity per year.
Google uses an estimated 15 billion kWh of electricity per year, more than most countries. However, Google generates a lot of its own power with its solar panels.
The first public cell phone call was made on April 3, 1973 by Martin Cooper.
The Motorola DynaTAC 8000X was the first cell phone sold in the US; launched on April 11, 1984, it was designed by Rudy Krolopp and weighed 2 pounds.
About 20% of the videos on YouTube are music related.
24 hours of video viewing is uploaded every minute on YouTube.
People view 15 billion videos online every month.
On average, US onliners view 100 videos per month each.
Flickr hosts some 5 billion photographs, Facebook hosts more than 15 billion.
1 Bit = Binary Digit
8 Bits = 1 Byte
1000 Bytes = 1 Kilobyte
1000 Kilobytes = 1 Megabyte
1000 Megabytes = 1 Gigabyte
1000 Gigabytes = 1 Terabyte
1000 Terabytes = 1 Petabyte
1000 Petabytes = 1 Exabyte
1000 Exabytes = 1 Zettabyte
1000 Zettabytes = 1 Yottabyte
1000 Yottabytes = 1 Brontobyte
1000 Brontobytes = 1 Geopbyte
Technically speaking, 1 kilobyte is 1024 bytes.

Source : http://www.webaholics.in

Understand your Cell Phone & GSM Technology

AIRTEL CODE:


  1. * Airtel to Airtel 15 paise call on 4 selected numbers. Just dial *#110#
  2. * To know the Tariff Validity *131#
  3. * To know the A/C manage Menu *121#
  4. * To know the HelloTunes Menu *678#
  5. * To know your Balance *123*1#
  6. * To know Local A2A Balance *123*3#
  7. * To know STD Call Balance *123*6#
  8. * To know ISD call balance *123*2# , *123*4# , *123*5# 

NOKIA CODE :

  1.  * To Restore Battery Setting *#7780
  2. * To Know Manufacture Date *#3283# & *#0000#
  3. * To Stop Sim clock *#746025625#
  4. * To Stop Operator Logo *#67705646#
  5. * To Reset Phone Timer *#73#
  6. * To Warranty *#92702689#

SAMSUNG CODE :

  1. * To know software version *#9999#
  2. * To ReBoot Phone #*3849# & #*2562#
  3. * To On/OFF Phone Time #*2558#
  4. * To Unlock Phone #*7337#
  5. * To On/Off GSM facility #*4760#
  6. * To know about Memory & Data *#9998*246#
  7. * To know Phone’s Lock status *#7465625#
  8. * To Serial No. *#0001#
  9. * To Unlock Code No. *2767*637#
  10. * To See Free space *#8999*636#
  11. * Software Version *#1111#
  12. * Firmware Version *#1234#
  13. * Hardware Version *#2222#
  14. * For Call List *#2255#  

LG CODE :


  1. * Go to Phone’s Test Mode 2945#-*#
  2. * For Secret Menu 2945*-#01*#
  3. * To know software version *8375#
  4. * IMEI No. *#06#
  5. * To Manage Sim card Lock (For LG7010&LG7020) dial 2945#*70001#
  6. * To Manage Sim Lock (For LG B1200) dial 1945#*5101#
  7. * To Manage Sim Lock (For LG B5200 & 510w) dial 2945#*5101#
  8. * To Manage Sim Lock (For LG 500 & 600) dial 2947#*
  9. * IMEI and SW (LG 510): *#07#
  10. * Software version (LG B1200): *8375#
  11. * Recount cheksum (LG B1200): *6861#
  12. * Factory test (B1200): #PWR 668
  13. * Simlock menu (LG 7020, 7010): 2945#*70001#

GSM Secret Codes :

  1. Type *#61# and press call - Check redirection status.
  2. Cancel all redirections: ##002# *43# to activate call waiting, to deactivate #43#.
  3. * If your phone doesn't have incoming call barring and outgoing call barring, you can try this.
  4. * For outgoing call barring dial *33*barcode*# and press OK. To deactivate it dial #33#barcode*#.
  5. * On any phone on any network type in **43# to enable conference calls. You can make up to 7 calls at once
  6. * If you need to block SMS reception (if you are spammed by someone) just press this code: *35*xxxx*16# xxxx is your Call Barring code (default is 0000). To remove this barring type: #35*xxxx#
  7. * If you want to hide/show your phone number when calling, put one of these codes below in front of the number that you are going to call.(*#30# / *#31# or *31# / #31# ) Works on some networks.
  8. * Typing *0# or *nm# at the beginning of a text message gives you a detailed delivery report on some networks. But turn off reports in message settings first.
  9. * When the SIM card PIN is blocked, type **042*pin2 old*newpin2*newpin2
Source : http://maayazal.blogspot.in

Friday, February 17, 2012

Essential Tasks Performed During Digital Analysis


There are three essential tasks that an examiner performs during the analysis of evidentiary digital media: (1) creation of a forensic image; (2) creation of a forensic archive from the forensic image; and (3) exporting potential probative digital data related to the investigation. All three tasks are critical to the overall success of the investigation and eventual prosecution of the case.
FORENSIC IMAGE AND FORENSIC ARCHIVE
The admissibility of potential probative data at trial is probably going to be based upon the successful creation of the initial forensic image, its digital authenticity, and its chain of custody (if appropriate). Any of the many available forensic software tools can be used to create a forensic image. They all generate a bit-by-bit copy (a “bitstream image” or “mirror image”) of the data residing on the digital media. This ensures that all the data from allocated space, unallocated space, and free space is made available for examination. Hash algorithms, such as Message Digest 5 (MD-5) or Secure Hash Algorithm-1 (SHA-1), provide digital authenticity not only for the forensic image, but also for the forensic archive and any potential digital probative data.
After receipt and inventory, the first priority is to create both a forensic image and a forensic archive. Using an approved forensic software tool and an appropriate write blocker, the evidence is acquired, resulting in creation of the forensic image, which is normally stored on a forensic computer’s evidence hard drive. Subsequently, the forensic archive is created from this forensic image. Once the forensic archive is exported onto optical media, digital tape, and/or another hard drive, the forensic image is analyzed for potential probative data. In addition to hashing, there are certain other precautions that have to be taken into consideration to ensure the authenticity of both the forensic image and the forensic archive. Specific policy and procedure needs to be defined to preclude the commingling of forensic images from separate items or different cases. There has to be a procedure for wiping the forensic image after analysis is completed. Although the forensic image is work product, it can be considered evidence since it is an exact copy of the digital evidentiary media. Therefore, the examination area needs to be physically secured with limited access. Forensically sterile media must be used when creating the forensic archive. If an agency chooses to archive the evidence hard drive itself, other issues will arise. These include maintaining a chain of custody, proper packaging to prevent inadvertent damage and/or deleterious change, and the costs associated with purchasing additional hard drives.
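The hashing step described above is straightforward to implement. The following is an added example, not code from the article or from any named forensic tool, that streams an image through MD5 and SHA-1 in chunks and confirms that the archive copy yields identical digests; the sample image, archive and tampered copy are constructed in a temporary directory, and the function names are mine.

```python
import hashlib
import os
import tempfile

# Added example, not from the original article: stream a forensic image through
# MD5 and SHA-1 and confirm that the archive copy carries the same digests. The
# sample "image" below is constructed in a temporary directory.


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never load into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Same digests for an in-memory buffer (handy for individual exported files)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_copy(image_path, archive_path, algorithms=("md5", "sha1")):
    """Return (match, image_digests, archive_digests); every algorithm must agree."""
    image_digests = hash_file(image_path, algorithms)
    archive_digests = hash_file(archive_path, algorithms)
    match = all(image_digests[a] == archive_digests[a] for a in algorithms)
    return match, image_digests, archive_digests


def demo():
    """Constructed 1 MiB image, a faithful archive, and a copy with one flipped bit."""
    data = bytes(range(256)) * 4096
    tampered = bytearray(data)
    tampered[500_000] ^= 0x01  # a single-bit change deep inside the copy
    with tempfile.TemporaryDirectory() as workdir:
        paths = {}
        for name, payload in (("image.dd", data), ("archive.dd", data), ("tampered.dd", bytes(tampered))):
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(payload)
        good, _, _ = verify_copy(paths["image.dd"], paths["archive.dd"])
        bad, _, _ = verify_copy(paths["image.dd"], paths["tampered.dd"])
    return good, bad


if __name__ == "__main__":
    print("archive verified, tampered copy verified:", demo())
```

Recording both digests at acquisition time, and again when the archive is written and when data is exported, gives the chain of values the article says the authenticity argument rests on.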
A number of agencies create and store all examiner-generated forensic images on a Storage Area Network (SAN). There are many advantages in doing so. Virtually all SANs are configured into a RAID (Redundant Array of Inexpensive Disks). This provides data reliability, redundancy, and increased input/output performance. A SAN can also be configured with automated tape back-ups to provide another level of redundancy. Likewise, there are some disadvantages. The initial cost of the SAN and its maintenance can be costly. There has to be policy and procedure in place to preclude not only commingling of forensic images, but also limiting access to the forensic images themselves. One method would be to create individual, secured partitions for each examiner. Security procedures would dictate that access to the individual partitions is restricted. Other issues then arise: Is the forensic image going to be maintained on the SAN after the completion of the analysis? Is a forensic archive going to be created from the forensic image and stored separately on the SAN? Will the forensic image be eventually wiped and the space reclaimed? Storing forensic images on the SAN becomes a question of sufficient hard drive capacity, physical security, and a chain of custody. Remember, although the forensic image is work product, it can still be considered as evidence. In fact, there are a number of agencies that specifically keep these forensic images available for further analysis. Other agencies allow case investigators access to the forensic image to bookmark potential probative data for prosecution purposes. When this occurs, a higher level of security has to be established. Likewise, if the SAN is used as a repository of forensic archives, then appropriate additional layers of redundancy, physical security, and access will become necessary.
POTENTIAL PROBATIVE DATA
A variety of digital media can be used when exporting potential probative data: floppy disk, zip disk, optical disc, hard drive, and digital tape. In most instances, optical discs and hard drives are the only realistic options. An important consideration is how much data to export. Although investigators and prosecutors generally want all the potential probative data, this is beginning to become an unrealistic expectation. Rather, a question should be asked: “How much potential probative data do you need?” The following is a real-world example: A 120-gigabyte evidence hard drive contained 30 gigabytes of user-generated files, which consisted of pictures and movies of apparent child pornography, e-mails, spreadsheets, and text documents. The user-generated files were burned onto seven DVDs. Each picture averaged about 100 kilobytes in size. Three gigabytes of pictures were burned onto one of the DVDs. That alone represented at least 30,000 pictures that had to be viewed. The investigator and/or the prosecutor still had to review thousands of other files on the other six DVDs for potential probative data.
It is recognized that in many jurisdictions, the possession of each picture of child pornography can be a separate charge. Prosecutors often use this fact to obtain a plea bargain from the suspect. However, in the above example, does the prosecutor really need to view all 30,000 pictures? Would a better approach be to export several hundred pictures of the apparent child pornography, indicating that they are representative of what was found? Since the forensic archive is available for further analysis, additional potential probative data could be generated at a later time. Every examiner, investigator, and prosecutor is continually faced with handling and sorting through gigabytes of data to determine what is of potential probative value. This will only become more difficult and time-consuming as hard drives increase in size. The question “How much potential probative data do you need?” does not have a simple answer. It can only be resolved by the investigator, prosecutor, and the court working together to determine what evidence is necessary to support the indictment.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press in 2007.

Source: Forensicmag

Forensic Operations on the Windows Registry

Windows General


Even more Windows Forensics goodness (or badness depending on your perspective).

Description: Temp folder
Location: C:\Users\<user name>\AppData\Local\Temp
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.

Description: Recycle Bin
Location: C:\$Recycle.Bin
Why you care: Do I really need to say? On Vista and later each user's deletions sit in a subfolder named after their SID, where every deleted file is kept as an $R<id> file next to an $I<id> record that holds the original path, size and deletion time; on XP the equivalent is C:\RECYCLER with an INFO2 index file per user.
Entry by: Irongeek, but thanks to Nir.

Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: The DefaultUserName value lets you know who logged in last (on Vista and 7 also check HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI, whose LastLoggedOnUser value is what the logon screen pre-fills), and may also give you a user name to attack if you're a pen-tester.
Entry by: Irongeek, but thanks to Nir.

Description: Event logs
Location: C:\Windows\System32\config (*.evt on XP) or C:\Windows\System32\winevt\Logs (*.evtx on Vista and later)
Why you care: The logs may have been relocated, so search the whole disk for *.evt and *.evtx. They tell you all sorts of things about what has been happening on the box: logons and logoffs, service installs, and whether the log itself was cleared.
Entry by: Irongeek.

Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit (the LastKey value)
Why you care: Can be useful to know if the user was tweaking the registry for some purpose (like writing an article on forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.

Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box. Each subkey is named VID_xxxx&PID_yyyy (vendor and product ID), and under it sits one subkey per device instance, named after the device's serial number if it reports one (if it does not, Windows generates an ID with '&' as its second character, which is not stable across ports or hosts). Think someone copied the data to a thumbdrive? This may help you track down which thumbdrive. Think how useful it can be to help tie something a user physically possesses to a box.
Entry by: Irongeek.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage, with the disk's vendor, product and revision strings in the key name. Think someone copied the data to a thumbdrive? This may help you track down which thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.

Description: SetupAPI Device Log
Location: C:\Windows\inf\setupapi.dev.log (Vista and later; on XP it is C:\Windows\setupapi.log)
Why you care: Plain-text log of driver installs, timestamped to the millisecond, that can help you find out what USB devices have been installed and when, including thumbdrives. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not this file when I tested last.
Entry by: Irongeek, but thanks to Nir.
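To make the SetupAPI log usable at scale rather than by eye, here is an added parser (my example, not part of Irongeek's list) that walks the Vista/7 setupapi.dev.log section format, pulls out every device-install section with its enumerator path, start time and exit status, and flags USB instance IDs that Windows generated because the device reported no serial number. The log excerpt embedded in it is constructed for the example: the VID/PID values and serials are made up, and the structure it parses is the `>>>  [Device Install ...]` / `>>>  Section start ...` / `<<<  [Exit status: ...]` section layout of the Windows 7 log. Timestamps are the machine's local time, as written in the log.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the Windows 7 setupapi.dev.log layout. Each device
# install is a section opened by ">>>  [Device Install ...]" and closed by
# "<<<  [Exit status: ...]". All IDs and serials here are made up.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.1.7601
     Service Pack = 1.0
     Architecture = amd64

[BeginLog]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230424119504]
>>>  Section start 2013/06/12 09:15:22.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:15:22.140
     dvi: Driver Node: usbstor.inf
<<<  Section end 2013/06/12 09:15:23.901
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230424119504&0]
>>>  Section start 2013/06/12 09:15:24.010
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: Driver Node: disk.inf
<<<  Section end 2013/06/12 09:15:25.512
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C077\6&1a2b3c4d&0&2]
>>>  Section start 2013/06/14 17:02:01.000
     dvi: Driver Node: input.inf
<<<  Section end 2013/06/14 17:02:02.350
<<<  [Exit status: FAILURE(0x00000005)]
"""

SECTION_OPEN = re.compile(r"^>>>\s+\[(?:Setup online )?Device Install \((?P<kind>[^)]*)\) - (?P<devid>.+)\]\s*$")
SECTION_START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
SECTION_EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass
class DeviceInstall:
    device_id: str      # enumerator path as logged, e.g. USB\VID_xxxx&PID_yyyy\serial
    kind: str           # "Hardware initiated", "DiInstallDriver", ...
    started: datetime   # local time of the examined machine
    status: str         # SUCCESS or FAILURE(0x...)

    @property
    def bus(self) -> str:
        return self.device_id.split("\\", 1)[0].upper()

    @property
    def instance_id(self) -> str:
        # last path component: the serial number, or a Windows-generated ID
        return self.device_id.rsplit("\\", 1)[-1]

    @property
    def serial_is_generated(self) -> bool:
        # Windows marks a device that reported no serial by putting '&' as the
        # second character of the ID it generates; such IDs are not stable
        # across ports or hosts, so they cannot tie a specific stick to the box.
        return len(self.instance_id) > 1 and self.instance_id[1] == "&"

    @property
    def vid_pid(self) -> Optional[Tuple[str, str]]:
        m = VID_PID.search(self.device_id)
        return (m.group(1).upper(), m.group(2).upper()) if m else None


def parse_setupapi_log(text: str) -> List[DeviceInstall]:
    """Return one record per completed device-install section, in log order."""
    installs: List[DeviceInstall] = []
    devid = kind = started = None
    for line in text.splitlines():
        m = SECTION_OPEN.match(line)
        if m:
            devid, kind, started = m.group("devid"), m.group("kind"), None
            continue
        m = SECTION_START.match(line)
        if m and devid is not None:
            started = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = SECTION_EXIT.match(line)
        if m and devid is not None and started is not None:
            installs.append(DeviceInstall(devid, kind, started, m.group("status")))
            devid = kind = started = None
    return installs


def usb_storage_installs(text: str) -> List[DeviceInstall]:
    """Only the USBSTOR sections: the first time each mass-storage device was plugged in."""
    return [d for d in parse_setupapi_log(text) if d.bus == "USBSTOR"]


if __name__ == "__main__":
    for d in parse_setupapi_log(SAMPLE_LOG):
        flag = " (generated id, no serial)" if d.serial_is_generated else ""
        print(f"{d.started}  {d.bus:8}  {d.vid_pid or '-'}  {d.instance_id}{flag}  {d.status}")
```

Because the log is only appended to on first install, the time in the USBSTOR section is the earliest that particular stick was ever attached; later insertions show up in the registry (USBSTOR key and the mounted-devices data) rather than here.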

Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature of Windows XP and newer (including Windows 7) that is meant to speed up application launch and boot times by recording which files a program touches during its first seconds. Each file in the folder is named EXENAME-HASH.pf and holds the executable's run count and last run time plus the files and volumes it loaded, so the folder is a cheap record of what has been executed on the box even after the binary itself is gone. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.
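As an added example (mine, not from the page and not Mark McKinnon's tool), a minimal parser for the prefetch file header that returns the executable name, run count and last run time for the two layouts used by the operating systems this list covers: version 17 (XP/2003) and version 23 (Vista/7). The offsets are those of the documented prefetch header; the sample file it builds is a header-only stand-in constructed for the example, with a made-up hash value, not a real capture. Windows 8's version 26 and Windows 10's compressed version 30 are deliberately rejected rather than misread.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header offsets of the two layouts the page's OS range uses. v26 (Windows 8)
# moves the run count and v30 (Windows 10) also MAM-compresses the whole file,
# so those versions are refused instead of being parsed with the wrong offsets.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90},   # XP / 2003
    23: {"last_run": 0x80, "run_count": 0x98},   # Vista / 7
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data: bytes) -> dict:
    """Parse the fixed header of a v17/v23 .pf file into a dict of the forensic fields."""
    if len(data) < 0x9C or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file: SCCA signature missing")
    version = struct.unpack_from("<I", data, 0x00)[0]
    if version not in LAYOUT:
        raise ValueError(f"prefetch version {version} not supported (only v17 XP and v23 Vista/7)")
    off = LAYOUT[version]
    # 0x10: executable name, 60 bytes of NUL-terminated UTF-16LE
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": struct.unpack_from("<I", data, 0x4C)[0],
        "file_size": struct.unpack_from("<I", data, 0x0C)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, off["last_run"])[0]),
        "run_count": struct.unpack_from("<I", data, off["run_count"])[0],
    }


def expected_file_name(info: dict) -> str:
    """On disk the file is named EXENAME-HASH.pf; a name that disagrees with the header is worth a look."""
    return f"{info['exe_name']}-{info['hash']:08X}.pf"


def build_sample_prefetch(exe_name="CALC.EXE", version=23, run_count=7,
                          last_run=datetime(2013, 6, 12, 9, 16, 5, tzinfo=timezone.utc),
                          prefetch_hash=0xAC48C5C9) -> bytes:
    """Constructed header-only sample (sections A-D omitted, hash made up); not a real capture."""
    size = 0x100
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x00, version)
    buf[0x04:0x08] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, size)
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name          # zero padding supplies the terminator
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    off = LAYOUT[version]
    struct.pack_into("<Q", buf, off["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, off["run_count"], run_count)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_prefetch()
    info = parse_prefetch(data)
    print(f"{expected_file_name(info)}  runs={info['run_count']}  last={info['last_run'].isoformat()}")
```

Run it with a path to a .pf file copied off an image, or with no argument to parse the built-in sample. The last-run value is stored as UTC, so convert to the machine's time zone before lining it up with setupapi.dev.log, which is written in local time.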


Source: Irongeek

Forensically analyze Windows 7, Vista and XP file system and registry

Windows Explorer

Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.

Description: Recently opened files from Windows Explorer
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent (C:\Documents and Settings\<user name>\Recent on XP)
Why you care: It can be quite useful to know what files have been opened recently. The entries are .lnk shortcuts, and each one carries the target's path, size and timestamps and the serial number of the volume it lived on, so the link survives after the file itself is gone or was on removable media. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.

Description: Network Shortcuts
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Why you care: This could show an investigator what fileservers the person is accessing, or on a captured laptop a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.

Description: Items recently ran from the "Run" bar
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person has run from the Windows Run bar. Each command is stored under a single-letter value name (a, b, c, ...) and the MRUList value gives their order, most recent first. In Vista and Windows 7 lots of folks use the "Search programs and files" box instead, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.


Source: http://www.irongeek.com

Saturday, July 23, 2011

Encrypt Your Call Through Cellcrypt

Cellcrypt encrypts voice calls on Android™, BlackBerry®, iPhone® and Nokia® smartphones, providing government-grade security in an easy-to-use application that makes a secure call as simple as making a normal call on the same device. Cellcrypt's software-only approach lets many types of phone be supported and can be deployed to users in remote locations over the air in minutes.

Source: Cellcrypt

Friday, July 22, 2011

Search Hacks For FB.


Search Facebook Like A Pro:

Not everybody knows how powerful Facebook search is. Like any large search engine, Facebook search has a lot of advanced options to help you search like a pro. For example, if you are looking for a person named John Marsh and want to filter the results down to people who are married, you can try name: John Marsh status:married. A complete list of search tips for Facebook can be found here.

Saturday, July 16, 2011

Google Search Hacks

Using Google and some finely crafted searches we can find a lot of interesting information.

For example we can find:
Credit card numbers
Passwords
Software / MP3s
... and on and on. Presented below is just a sample of interesting searches that we can send to Google to obtain information that some people might not want us to have. After you get a taste of a few of these, try crafting your own searches for the information you are interested in.

Try a few of these searches:
intitle:"Index of" passwords modified
allinurl:auth_user_file.txt
"access denied for user" "using password"
"A syntax error has occurred" filetype:ihtml
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl:passlist.txt
"Index of /backup"
"Chatologica MetaSearch" "stack tracking:"


Google's numeric range operator (two numbers joined by two dots) matches any number between them, which is how these prefix ranges surface card numbers:
Amex Numbers: 300000000000000..399999999999999
MC Numbers: 5178000000000000..5178999999999999
Visa: 4356000000000000..4356999999999999
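Most hits from these ranges are not card numbers at all, and anyone scanning their own exposed directory listings or backups for leaked card data needs a filter. The following is an added example (mine, not from the original post) that scans text for 13 to 19 digit runs, keeps only those passing the Luhn mod-10 check, classifies the issuer by the real IIN prefixes, and masks the result so the report is not itself a leak. It also shows that the Amex range above is far wider than the actual 34/37 prefixes (the range endpoint 300000000000000 is not even Luhn-valid). Its sample text is constructed here from the well-known public test numbers, not captured from any site.

```python
import re
from typing import List

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (so a 20-digit reference number is skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer identification prefixes. Amex is only 15 digits starting 34 or 37;
# Mastercard is 51-55 plus the 2221-2720 range it added later.
ISSUERS = [
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Visa",             re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("Mastercard",       re.compile(r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),
]

# Constructed sample: public test numbers, one typo, the page's range endpoint
# and an unrelated 13-digit reference. Nothing here is a real account.
SAMPLE_TEXT = """\
Index of /backup
orders-2011.csv  visa 4111 1111 1111 1111 exp 03/14
note: amex 378282246310005 on file; phone 020 7946 0958
mc 5555-5555-5555-4444 (test card)
mistyped: 4111111111111112
page-range seed: 300000000000000 ref 1234567890123
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10: from the right, double every second digit, subtract 9 if the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str) -> str:
    for name, pattern in ISSUERS:
        if pattern.match(digits):
            return name
    return "unknown issuer"


def mask(digits: str) -> str:
    """Keep the first six (issuer) and last four digits, the usual PCI display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> List[dict]:
    """Return Luhn-valid candidates with issuer, masked number and the line they sit on."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append({
                "issuer": classify(digits),
                "masked": mask(digits),
                "line": text.count("\n", 0, m.start()) + 1,
            })
    return hits


if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['issuer']} {hit['masked']}")
```

The Luhn check alone removes most numeric noise (dates, phone numbers, order references), which is exactly what the raw range queries above cannot do; the issuer regexes then tell you whether a surviving hit is even plausibly a card.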


"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

Notice that I am only changing the word after "parent directory"; change it to what you want and you will get a lot of results.

METHOD 2

put this string in google search:

?intitle:index.of? mp3

You only need add the name of the song/artist/singer.

Example: ?intitle:index.of? mp3 jackson

METHOD 3

put this string in google search:

inurl:microsoft filetype:iso

You can change the string to whatever you want, e.g. microsoft to adobe, iso to zip, etc.


"# -FrontPage-" inurl:service.pwd
FrontPage password files; gives very clean search results.

"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates webstatistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/

"http://*:*@www" domainname
This is a query to find credentials embedded inline in URLs, and it works on search engines other than Google too. Type the query followed by the domain name without the .com or .net:

"http://*:*@www" bangbus or "http://*:*@www"bangbus

Another way is by just typing
"http://bob:bob@www"

"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.

allinurl: admin mdb

Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are!

allinurl:auth_user_file.txt
DCForum's password file. This file gives a list of (crackable) password hashes, usernames and email addresses for DCForum and for DCShop (a shopping cart program). Some lists are bigger than others, all are fun, and all belong to googledorks. =)


intitle:"Index of" config.php
This search brings up sites exposing "config.php" files. This configuration file typically contains the username and password for the site's SQL database. Most sites with forums run a PHP message board, and this file gives you the keys to that forum, including full admin access to the database.

eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.

intitle:index.of.etc
This search gets you into exposed etc directories, where many types of password files can be found. The hits are less reliable than the others, but crawling etc directories can be really fun!

filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) of htaccess, passwd, shadow or htusers files, created by some editors or by the administrator himself (before activating a new version).
Every attacker knows that changing the extension of a file on a web server can have ugly consequences: the server no longer treats the copy as a protected or executable file and serves its contents as plain text.


Let's pretend you need a serial number for Windows XP Pro.

In the Google search bar type exactly this: "Windows XP Professional" 94FBR

The key is the 94FBR string. It appeared in many MS Office registration codes, so including it dramatically reduces the number of fake sites that try to trick you.

Thursday, June 9, 2011

Block Others Sim Card Using Code

Block others' SIM cards with a code. Yes, you really can block someone else's SIM card using a code.

Use this code: **04*3814*7529*68243#

After entering it the phone asks for the PUK code; type a wrong code and the SIM will be blocked.

What this actually does: **04* is the standard GSM change-PIN sequence (**04*old PIN*new PIN*new PIN#), so the wrong old PIN uses up the SIM's three PIN attempts and drops it into the PUK-locked state, and ten wrong PUK entries disable the SIM permanently. That lockout is the card's own protection against PIN guessing, and the only remedy for the owner is a replacement SIM from the carrier.




An easy and free trick for Airtel customers to get their PUK and PIN numbers on their mobile without calling customer care: send a blank message to 785. You will get a reply with your PUK number and PIN code. You should not be charged, since it is a toll-free number.

Please don't misuse it; this is for educational purposes only.

Nokia Mobile Phone Unlock & Hidden Feature codes

Nokia handsets answer the following codes with the status of each lock (press the "*" button repeatedly to obtain the "p", "w" and "+" characters):

#pw+1234567890+1# Provider lock status
#pw+1234567890+2# Network lock status
#pw+1234567890+3# Country lock status
#pw+1234567890+4# SIM card lock status