
Computer Crime

COEN 1

Classification

Computers as an instrument of crime:
Check forgery
Child pornography
e-auction fraud, identity theft
Phishing (most criminal activity)

Computers as a target of a crime:
Intrusion
Botnets for spamming
Identity theft
Alteration of websites

Email Investigations: Overview

Email has become a primary means of communication.

Email can easily be forged. Email can be abused:
Spam
Aid in committing a crime
Threatening email, …

Email Investigations: Overview

Email evidence is in the email itself:
Header
Contents

In logs: left behind as the email travels from sender to recipient. Law enforcement uses subpoenas to follow the trace. System admins have some logs under their control.

Notice: All fakemailing that you will be learning can be easily traced.

Email Fundamentals

Email travels from originating computer to the receiving computer through email servers.

All email servers add to the header. Use internet services to interpret and verify the data in a header.

Email Fundamentals

Typical path of an email message:

Client -> Mail Server -> Mail Server -> Mail Server -> Client

Email Protocols:

Email programs such as Outlook or GroupWise are client applications. They need to interact with an email server using one of:
Post Office Protocol (POP)
Internet Message Access Protocol (IMAP)
Microsoft's Mail API (MAPI)

Web-based email uses a web-page as an interface with an email server.

Email Protocols:

A mail server stores incoming mail and distributes it to the appropriate mail box.

Behavior afterwards depends on type of protocol.

Accordingly, investigation needs to be done at server or at the workstation.

Email Protocols:

Post Office Service Protocol: Characteristics

POP: Stores only incoming messages. Investigation must be at the workstation.

IMAP: Stores all messages.

MS MAPI, Lotus Notes: Copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both.

Web-based (HTTP): Sends and receives. Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

Email Protocols: SMTP

Neither IMAP nor POP is involved in relaying messages between servers.

Simple Mail Transfer Protocol (SMTP): easy, has several additions, can be spoofed:

By using an unsecured or under-secured email server.

By setting up your own SMTP server.

Email Protocols: SMTP: How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
helo 129.210.16.8
250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
This is a spoofed message.
.
250 2.0.0 jBSMwnTd023057 Message accepted for delivery
quit
221 2.0.0 endor.engr.scu.edu closing connection

Email Protocols: SMTP

Return-path: <[email protected]>
Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <[email protected]> for <[email protected]>; Wed, 28 Dec 2005 15:00:29 -0800
X-Modus-BlackList: 129.210.16.1=OK;[email protected]=OK
X-Modus-Trusted: 129.210.16.1=NO
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for [email protected]; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <[email protected]>
Message-Id: <[email protected]>

this is a spoofed message.

This looks very convincing.

Only hint: the Received line gives the name of my machine.

If I were to use a machine without a fixed IP, then you could still determine the DHCP address from the DHCP logs.

Email Protocols: SMTP: How to spoof email

Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.

Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.

Email Protocols: SMTP: How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: 23 Dec 05 11:22:33
From: [email protected]
To: [email protected]
Subject: Congrats

You are hrby appointed the next president of Santa Clara University, effectively immediately.

Best, Paul.
.
250 2.0.0 jBSNaDlu023813 Message accepted for delivery
quit

Email Protocols: SMTP

Things are even easier with Windows XP. Turn on the SMTP service that each WinXP machine runs. Create a file that follows the SMTP protocol. Place the file in Inetpub/mailroot/Pickup.

Email Protocols: SMTP

Pickup file:

To: [email protected]
From: [email protected]

This is a spoofed message.

Message as received:

From [email protected] Tue Dec 23 17:25:50 2003
Return-Path: <[email protected]>
Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226]) by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244 for <[email protected]>; Tue, 23 Dec 2003 17:25:50 -0800
Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec 2003 17:25:33 -0800
To: [email protected]
From: [email protected]
Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
Date: 23 Dec 2003 17:25:33 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
X-Spam-Level:
X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

This is a spoofed message.

Email Protocols: SMTP

SMTP headers: Each mail server adds to the headers. Additions are made at the top of the list. Therefore, read the header from the bottom.

To read headers, you usually have to enable them in your mail client.

URL Obscuring

Internet-based criminal activity that subverts web technology:
Phishing (fraud)
Traffic redirection
Hosting of illegal sites
Child pornography

URL Obscuring

Internet based fraud is gaining quickly in importance.

Phishing: The practice of enticing victims with spoofed email to visit a fraudulent webpage.

http://www.antiphishing.org/

URL Obscuring

Technical subterfuge: plants crimeware onto PCs.

Example: A vulnerable web browser executes a remote script at a criminal website.

Just staying away from porn no longer protects you.

Payload: Trojan keylogger spyware. Searches for financial data and sends it to an untraceable email address.

URL Obscuring

Social engineering: The target receives an e-mail pretending to be from an institution, inviting them to go to the institution's website. Following the link leads to a spoofed website, which gathers data.

It is possible to establish a web presence without any links: establish a website with a stolen or gift credit card; use email to send harvested information to an untraceable account, etc.; connect through public networks.

URL Obscuring: Phishing Example

Visible Link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html

Actual Link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm

Actual website IP: 209.35.123.41

Uses Java program to overwrite the visible address bar in the window:


URL Obscuring

Phishers need to hide web servers.

URL obscuring: JavaScript or other active web technology overwrites the URL field. No longer possible in the latest browsers.

Other techniques to hide the web server's address:
Use the hosts file.
Hiding an illegal web server at a legal site.
Hijacking a site to host pages.

URL Basics

Phishers can use obscure features of URLs. A URL consists of three parts:
Service
Address of server
Location of resource

http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html

URL Basics

Scheme, colon, double forward slash. An optional user name and password. The internet domain name or an RFC 1037-format IP address as a set of four decimal digits. Port number in decimal notation (optional). Path + communication data.

http://tschwarz:[email protected]/~tschwarz/coen252_03/Lectures/URLObscuring.html

http://www.google.com/search?hl=en&ie=UTF-8&q=phishing

Obscuring URL Addresses

Embed the URL in other documents. Use features in those documents to not show the complete URL.

http://[email protected]/~tschwarz/coen252_03/index.html

URL rules interpret this as a userid. Hide this portion of the URL.

Obscuring URL Addresses

Use the password field. www.scu.edu has IP address 129.210.2.1. Some browsers accept the decimal value 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937 for the IP address.

http://www.usfca.edu@2178023937 works as a link. Does not work directly in later versions of IE.

Obscuring URL Addresses

http://[email protected] works. Hide the ASCII encoding of @:

http://www.usfca.edu%40129.210.2.1

Or just break up the name:

http://www.usfca.edu%40%127%167w.scu.edu

Or use active page technologies (JavaScript, …) to create fake links.
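Added example, not from the lecture: a Python helper that an analyst or a mail filter can run over a suspicious link to recover the host the browser will actually contact, applying the URL rules above (text before '@' is a userid, percent-encoded '@', a single decimal number in place of a dotted-decimal address, a non-default port). The test URLs are the lecture's own; the password in the third one is a placeholder.

```python
import ipaddress
from urllib.parse import unquote

DEFAULT_PORTS = ("80", "443")


def real_destination(url):
    """Return (host, port, notes): the server a browser contacts for this link,
    plus a note for each feature that makes the visible text misleading."""
    notes = []
    decoded = unquote(url)                      # %40 -> '@', %2F -> '/', ...
    if decoded != url:
        notes.append("percent-encoding hides part of the URL")
    # Drop the scheme, then keep the authority: [user[:password]@]host[:port]
    rest = decoded.split("://", 1)[1] if "://" in decoded else decoded
    authority = rest.split("/", 1)[0]
    userinfo, at, hostport = authority.rpartition("@")   # last '@' wins
    if at:
        notes.append(f"text before '@' ({userinfo}) is a userid, not the destination")
    host, _, port = hostport.partition(":")
    if host.isdigit() and int(host) < 2 ** 32:  # e.g. 2178023937 for 129.210.2.1
        host = str(ipaddress.IPv4Address(int(host)))
        notes.append(f"integer address resolves to {host}")
    if port and port not in DEFAULT_PORTS:
        notes.append(f"non-default port {port}")
    return host.lower(), port or None, notes


if __name__ == "__main__":
    for link in ("http://www.usfca.edu@2178023937",
                 "http://www.usfca.edu%40129.210.2.1",
                 "http://www.google.com/search?hl=en&ie=UTF-8&q=phishing"):
        print(link, "->", real_destination(link))
```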

'Enroll your card with Verified By Visa program'

2004 phish sends spam consisting of a single image: 'Enroll your card with Verified By Visa program'

The whole text is a single image, linked to the correct Citi URL. If the mouse hovers over the image, it displays the correct Citi URL. But it is surrounded by an HTML box that leads to the phishing website.

'Enroll your card with Verified By Visa program'

Target webpage has an address bar that is overwritten with a picture with a different URL.

Go to www.antiphishing.org .

Phishing

Phishers now use bogus https techniques:
Exploiting browser flaws to display the secure icon.
Hacking legitimate sites or frames from these sites directly.
Purchasing and presenting certificates for sites that are named in resemblance of the target sites.

The SSL lock icon is no longer a guarantee for a legitimate site.

Hiding Hosts

Name look-up: The OS checks the HOSTS file first. The HOSTS file can be used to block out certain sites (adservers). Affects a single machine.

OS: Location
Linux: /etc/hosts
Win95/98/ME: C:\windows\hosts
Win NT/2000/XP Pro: C:\winnt\systems32\etc\hosts
Win XP Home: C:\windows\system32\drivers\etc\hosts

Subverting IP Look-Up

In general, not used for phishing. Economic damage: Hillary for Senate campaign attack. Hiding illegal websites (kiddie porn).

DNS server sabotage. IP forwarding.

Subverting IP Look-Up: Port Forwarding

URLs allow port numbers. Legitimate business at the default port number; illegitimate at an obscure port number.

Screen clicks: Embed a small picture, a single pixel. Forward from the picture to the illegitimate site. Easily detected in HTML source code.

Password screens: Depending on access control, access to different sites.

Phisher-Finder

Carefully investigate the message to find the URL. Do not expect this to be successful unless the phisher is low-tech. Capture network traffic with Ethereal to find the actual URL / IP address. Use Sam Spade or similar tools to collect data about the IP address.

Phisher-Finder

Capture network traffic with Ethereal when going to the site. This could be dangerous: disable active web pages; do not use IE (too popular).

Look at the HTTP messages actually transmitted. Expect some CGI etc. script.

Phisher-Finder

Investigation now needs to find the person that has access to the website. This is where you can expect to lose the trace.

The data entered can be transmitted in various forms, such as anonymous email.

For example, they can be sent to a free email account. The ISP usually has the IP data of the computer from which the account was set up and from which the account was recently accessed.

Perpetrator can use publicly available computers and/or unencrypted wireless access points.

Investigator is usually left with vague geographical data.

Email Investigation

Email investigations derive evidence from:
Internal data: headers, contents.
External data: server logs.
The sending machine itself, as we will see.

Email Investigation

Header analysis: The most recent entries are at the top of the header. Resolve all inconsistencies of information. Resolve all IP addresses. Create a timeline.

Allow for clock drift between different sites.

Compare entries generated (allegedly) by known servers with previous ones.
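Added example, not from the lecture, serving both the "read the header from the bottom" slide and the header-analysis slide above: Python that parses the Received: lines of a message, orders the hops from origin to destination, and reports the inconsistencies an analyst checks by hand (a server that could not verify the sender's name, a hop whose "from" does not match the previous "by", and a stamp earlier than the hop before it, i.e. clock drift or a forged line). The sample message is constructed from the spoofed message's headers above; mailbox names are placeholders.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the spoofed message's headers above: hosts, IPs
# and timestamps are the lecture's, mailbox names are placeholders.
SAMPLE = """\
Received: from MGW2.scu.edu [129.210.251.18]
\tby gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1])
\tby MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP
\tfor <victim@scu.example>; Wed, 28 Dec 2005 15:00:29 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
\tby endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
\tfor victim@scu.example; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: Sender <sender@scu.example>

this is a spoofed message.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>[^\s;]+)(?P<info>.*?)\s+by\s+(?P<by>[^\s;]+)",
                         re.IGNORECASE)

def parse_received(value):
    """One Received: line -> who handed the message to whom, and the stamp after ';'."""
    value = " ".join(value.split())                 # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if m is None:
        return None
    return {"from": m.group("from"), "by": m.group("by"),
            "unverified": "unverified" in m.group("info").lower(),
            "time": parsedate_to_datetime(value.rsplit(";", 1)[1].strip())}

def header_timeline(raw_message, max_drift=timedelta(minutes=5)):
    """Hops in transit order (origin first) plus the inconsistencies an analyst checks."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                                  # each server prepends: read bottom-up
    findings = []
    for i, hop in enumerate(hops):
        if hop["unverified"]:
            findings.append(f"hop {i}: {hop['by']} could not verify the name {hop['from']}")
        if i == 0:
            continue
        prev = hops[i - 1]
        if hop["from"].lower() != prev["by"].lower():
            findings.append(f"hop {i}: from {hop['from']} but previous hop was stamped by {prev['by']}")
        late = (prev["time"] - hop["time"]).total_seconds()
        if late > 0:                                # stamp earlier than the hop before it
            findings.append(f"hop {i}: stamp {late:.0f}s behind the previous hop (clock drift or forged line)")
    if hops and msg["Date"] and parsedate_to_datetime(msg["Date"]) > hops[0]["time"] + max_drift:
        findings.append("Date: header is later than the first server stamp")
    return hops, findings
```

On the sample, the 25-second gap between endor's stamp and MGW2's is the clock drift the slide tells you to allow for, and the "unverified" note marks the hop where MGW2 could not confirm endor's name.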

Email Investigation

Law Enforcement (LE) can use subpoenas for investigation of log files.

The same is true for private entities through the use of John Doe lawsuits.

Phishing Investigation

Find the true URL to identify the server with which a potential victim interacts. Difficult, since phishers change sites frequently. Using a network tracer when accessing a website can speed things up.

Use the subpoena process to obtain log records of email and contact info for web sites, redirection services, etc.

Try to obtain information amicably as often as possible: outside of the US; to guard volatile information.

Case Examples: 1. A. Kornblum, Microsoft

A. Kornblum: Searching for John Doe: Finding Spammers and Phishers. Used a John Doe lawsuit to obtain subpoenas for a phisher that became active in September 2003.

Case Examples: 1. A. Kornblum, Microsoft

Originating emails: traced ultimately to an ISP in India, from where not enough data could be obtained.

Traced websites: at each round, a subpoena request would yield the IP address of a controlling website.

Hosting company in San Francisco. Another hosting company in San Francisco. Redirection server in Austria. Owner did not like spammers and handed out records voluntarily. IP controlled by Qwest. 69-year-old Qwest customer in Davenport, Iowa, who had grandson Jayson Harris living with him. MS involved the FBI, who raided the household and obtained three machines. MS sued Jayson Harris and obtained a $3M default judgment against him. Criminal charges are pending.

Case Examples: 2. High School Death Threats

Blog sites allow comments by anonymous friends. Death threats were made on a high-school-related blog anonymously. XPD (name altered) was informed by the principal.

Case Examples: 2. High School Death Threats

XPD contacted the blog site, but the owner/operator did not have valid contact data. However, the blog site operator gave out the IP address from which the comment originated. XPD went to the ISP to obtain the address of the computer to which the IP was assigned at the time of the threat. XPD obtained a search warrant for the premises of the owner of the address. The owner was a respectable, older community member. XPD assumed that there was a grandson involved.

Case Examples: 2. High School Death Threats

Search warrant was executed at 7 am. No sign of a high school student in the house, but the owner was running an unsecured wireless access point.

XPD convinced the owner to keep the access point running, but to set up logging.

Using Google Maps and the addresses of all high school students, they also identified a suspect.

Case is still pending.

Computer Crime Evidence

Computers are used by criminals. Activities of computer users leave traces around.

Fraud investigation: Perp stole a friend's credit card information while visiting. Started a shopping spree to satisfy a demanding girlfriend. Police obtained a warrant, searched the house, seized the computer. Investigators were able to reconstruct the shopping sessions.

Computer Crime Evidence

Examples for evidence: IE usage. IE retains data in a file called index.dat. index.dat contains data on websites used.

Computer Crime Evidence

Deleted files: When a file is deleted:
Blocks are marked as free.
Directory entry is marked as free.

What remains: the file itself; almost the complete directory entry.

USB Storage Example

• Identify FAT boot sector (sector 0)
• Find BPB

USB Storage Example

0B-0C: Bytes per sector (little endian): 00 02 -> 02 00 = 512 decimal
0D: Sectors per cluster: 04
10: Number of FATs: 02

USB Storage Example

06-07: Size of FAT is 00 7B sectors. There are two FATs.
Conclusion: Root directory starts at sector 1 + 7B + 7B. Go to sector 247.

USB Storage Root Directory

Three entries. Top: a short entry. Then a long entry followed by the associated short entry.

USB Storage Root Directory

First entry: File attribute is 28 -> 0010 1000 b. Volume marker is set. Archive marker is set. Volume label name is Lexar Media.

USB Storage Root Directory

Time field is 7D 6F. Translated from little endian 6F 7D. Binary 0100 1111 0111 1101. Hour is 01001 -> 13. Minute is 111011 -> 51. Creation time is 13:51.

USB Storage Device Root Directory

Date field is 6B 2F. Translated from little endian 2F 6B. In binary 0010 1111 0110 1011. Year is 001 0111 = 23 after 1980 ->2003 Month is 1011 = 11 = November Day is 01011 = 11. Formatted on the 11/11/2003.

USB Storage Device Root Directory

First cluster is 00 00, obviously. File size is 00 00 00 00.

USB Storage Device Root Directory

Next two entries: a deleted long and short record.
File attribute 0F (long entry)
File attribute 10 (directory)
Leading byte 0xE5 (deleted)

USB Storage Device Root Directory

Long entry file name: .Trashes
Short entry file name: TRASHE~1
Created by Macs
Deleted on 10/24/2003: 58 2F -> 2F 58 -> 0010 1111 0101 1000

USB Storage Device Root Directory

First cluster is 04 59 -> 0x5904 -> 22788. Size is 00 00 08 00 -> 0x 00 08 00 00 = 2048.

USB Storage Device Root Directory

Go through the directory to find interesting entries. At the end, a deleted directory called My Pictures. Starts at cluster 0x0846.

USB Storage Device Directory

Go to this sector: two deleted directories, kittieporn and adultporn. The first starts at cluster 0x4708.

USB Storage Device Directory

Sounds interesting: go to sector 0x0849.

USB Storage Device Directory Entry

File is called “CAT55.304438-1-t”. Size is 0x07C1 = 1985, fits into 1 cluster. Starts at cluster 0x849.
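Added example, not from the lecture: Python that does by machine what the USB slides above do by hand. It reads the BPB fields to locate the root directory (offsets follow the standard FAT12/16 BPB layout, where the FAT size sits at 0x16-0x17) and decodes a 32-byte short directory entry: the 0xE5 deleted marker, attribute bits, the packed date and time bit fields, first cluster and size. The boot sector and entries at the bottom are constructed from the byte values read off the slides; the short name for the CAT55 file is an assumption, since the slides give only its long name.

```python
import struct

ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F   # directory entry attribute values
DELETED = 0xE5                                     # first name byte of a deleted entry

def root_dir_sector(boot_sector):
    """Root directory sector = reserved sectors + number of FATs * FAT size.
    Standard BPB offsets, little endian: 0x0B bytes/sector, 0x0D sectors/cluster,
    0x0E reserved sectors, 0x10 number of FATs, 0x16 FAT size in sectors."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot_sector, 0x0B)
    fat_size = struct.unpack_from("<H", boot_sector, 0x16)[0]
    return reserved + nfats * fat_size, bps * spc   # (sector, bytes per cluster)

def fat_date(raw):
    """16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def fat_time(raw):
    """16-bit FAT time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def decode_entry(entry):
    """Decode one 32-byte short directory entry; None means end of directory."""
    if entry[0] == 0x00:
        return None
    deleted, attr = entry[0] == DELETED, entry[11]
    if attr == ATTR_LFN:                       # long-name piece: no dates or clusters
        return {"lfn": True, "deleted": deleted}
    raw = (b"?" + entry[1:11] if deleted else entry[0:11]).decode("ascii")
    if attr & ATTR_VOLUME:                     # a label uses all 11 bytes, spaces included
        name = raw.rstrip()
    else:
        name, ext = raw[:8].rstrip(), raw[8:].rstrip()
        name = name + "." + ext if ext else name
    ctime, cdate = struct.unpack_from("<HH", entry, 14)      # creation time, date
    cluster, size = struct.unpack_from("<HI", entry, 26)     # first cluster (low), size
    return {"name": name, "deleted": deleted, "volume_label": bool(attr & ATTR_VOLUME),
            "directory": bool(attr & ATTR_DIR), "created": fat_date(cdate) + fat_time(ctime),
            "first_cluster": cluster, "size": size}

def make_entry(name11, attr, ctime, cdate, cluster, size, deleted=False):
    """Build a 32-byte entry (constructed test data from the slides' byte values)."""
    e = bytearray(32)
    e[0:11], e[11] = name11, attr
    if deleted:
        e[0] = DELETED
    struct.pack_into("<HH", e, 14, ctime, cdate)
    struct.pack_into("<HI", e, 26, cluster, size)
    return bytes(e)

# Constructed boot sector and entries carrying the values read off the slides.
BOOT = bytearray(512)
struct.pack_into("<HBHB", BOOT, 0x0B, 512, 4, 1, 2)   # 512 B/sector, 4/cluster, 1 reserved, 2 FATs
struct.pack_into("<H", BOOT, 0x16, 0x7B)              # each FAT is 0x7B sectors long
LABEL = make_entry(b"Lexar Media", 0x28, 0x6F7D, 0x2F6B, 0, 0)
TRASH = make_entry(b"TRASHE~1   ", 0x10, 0, 0x2F58, 0x5904, 0, deleted=True)
CAT = make_entry(b"CAT55~1 JPG", 0x20, 0, 0x2F58, 0x0849, 0x07C1, deleted=True)  # short name assumed
```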

USB Storage Device: Deleted File

Go to the file. Magic number JFIF tells us that this is a JPEG file.

USB Storage Device: Deleted File

Most files have these magic markers. Learn how to identify them.

USB Storage Device: Deleted File

Use WinHex to save this block into a file. Change the file extension to JPG. Now we can look at it. Indeed, minors in a seductive position and completely naked!

USB Storage DeviceDeleted File

Recovering Files

This was easy because we just followed directory entries. WinHex actually calculates a lot of the values that we distilled by hand. Reconstructs directory entries on its own. But it has no generic file previewer.

Recovering Files

If the directory entry is overwritten:
Look for sectors in slack space.
Look for files that have not been overwritten.
Try to splice pieces of the file together from the FAT.
Use pattern recognition software to guess the file type.
Result is frequently useful.

Recovering Files

Text files: Search for words in the duplicate. Learn how word processors store files. Interesting finds, especially in old MS Word formats.

Creating Evidence

Tie the suspect to the computer and to incriminating files.

Establish a pattern of usage using MAC times. Photos can establish usage. Emails can establish usage.

Remember: The prosecution must make the case.