Transcript of File000146

Page 1: File000146

Module XXXIII – Investigating Internet Crimes

Page 2: File000146

EC-Council

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Fraud Investigation Leads to Charges

Date: August 09, 2008

Following a two-year investigation into international Internet fraud, a Kelowna man has been arrested.

The Calgary Police Service and Royal Canadian Mounted Police conducted a two-year investigation related to a series of Internet frauds, in which victims in the United States and Sweden were defrauded of hundreds of thousands of dollars through Internet auctions for vintage automobiles.

The investigation indicates these Internet frauds may have been part of a larger scheme, where victims were lured into bidding on Internet auction sites for vintage automobiles.

Victims would then send their money, usually in the tens of thousands of dollars, by wire transfer to bank accounts held in Calgary.

The victims would either fail to receive a purchased vehicle or received a vehicle that was not the same as the item purchased. The money that was received from victims into holding company bank accounts was then directed elsewhere.

Source: http://www.bclocalnews.com/

Page 3: File000146


News: Does the Internet Need its Own Police Force?

Sunday, December 21, 2008 5:32 AM PST

2008 has been a year of growth in malware, infections, botnets and criminal profits. Recently, some security experts called for the punishment of these criminal activities.

Malware tripled in 2008

In its 'End of Year Data Security Wrap-up for 2008', Finland-based security company F-Secure said their detection count tripled in one year, which means that the total amount of malware accumulated over the previous 21 years increased by 200 per cent in the course of just one year.

Criminal activity for financial gain remains the driver for the massive increase in Internet threats. Today's malware is produced by highly organised criminal gangs using increasingly sophisticated techniques. This year has seen increasing botnet activity around the world.

These remotely controlled networks of infected computers remain a major challenge to the IT security industry because it is their vast computing power that is behind the unprecedented level of spam e-mail and malware distribution.

Roy Ko, a computer security expert based in Hong Kong, has seen an overall decrease in the number of virus incidents and phishing spyware, but an increased number of alerts in the past year. Ko is the manager of Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) at the Hong Kong Productivity Council.

Daniel Eng, a computer forensics expert, said the contemporary public IT security issues include data leakage, misuse of Foxy, potential security issues with Apple's 3G iPhone, the growth of Botnets, the vulnerability in Flash videos called 'Clickjacking' (viewers' computers put under attack upon clicking on flash videos), and anti-forensics tools.

Source: http://www.pcworld.com

Page 4: File000146


Module Objective

This module will familiarize you with:

• Internet Crimes
• Internet Forensics
• DNS Record Manipulation
• Email Headers Forging
• Switch URL Redirection
• Downloading a Single Page or an Entire Website
• HTTP Headers
• Examining Information in Cookies

Page 5: File000146


Module Flow

Internet Crimes

Internet Forensics

HTTP Headers

DNS Record Manipulation

Switch URL Redirection

Examining Information in Cookies

Email Headers Forging

Downloading a Single Page or an Entire Website

Page 6: File000146


Internet Crimes

Internet crime is a crime committed on the Internet, using the Internet and by means of the Internet

Internet crimes include:

Phishing:
• Phishing is a method in which an attacker sends email to collect information from the recipients
• It uses different types of social engineering and spoofing techniques to steal information from the recipients

Spamming:
• Spamming is populating the user's inbox with unsolicited or junk emails
• Spam email contains malicious computer programs such as viruses and Trojans which change the computer settings or track the system

Internet Identity Theft:
• Internet identity theft is identity theft carried out using the Internet
• The attacker steals another's identity by stealing email, eavesdropping on the other's transactions over the Internet, or stealing information from computer databases

Page 7: File000146


Internet Crimes (cont'd)

Credit Card Fraud:
• In credit card fraud, an attacker illegally uses another's credit card to purchase goods and other services

Cyberstalking:
• It refers to harassing a victim through email or instant messaging
• Internet, email, or other electronic communication devices can be used to stalk victims

Cyber Terrorism:
• Cyber terrorism refers to the use of information technology by terrorists to further their agenda

Computer Hacking:
• Accessing another's computer in an unauthorized way
• The attacker uses different hacking tools or password cracking tools to gain access to another's system

Page 8: File000146


Internet Crimes (cont’d)

Child Pornography:
• Child pornography is defined as a visual depiction of any kind, including a drawing, cartoon, sculpture, painting, photograph, film, video, or computer-generated image of sexually explicit conduct, where it depicts a minor engaged in sexually explicit conduct

Internet Piracy:
• It refers to unauthorized copying and distribution of software, music, or movies over the Internet

Internet Auction Fraud:
• Non-delivery of the product
• Triangulation
• Misrepresentation
• Shill bidding
• Trading black market products
• Fee stacking
• Bid shielding or multiple bidding

Creation and/or distribution of Viruses, Trojans, and Spam

Page 9: File000146


Internet Forensics

Internet Forensics is the application of scientific and legally sound methods for the investigation of Internet crimes

It uses a combination of advanced computing techniques and human intuition to uncover clues about people and computers involved in Internet crime

Page 10: File000146


Why Internet Forensics

Underlying Internet protocols were not designed to address the problems

Electronic evidence is fragile in nature

It is difficult to verify the source of a message or the operator of a website

Page 11: File000146


Goals of Investigation

To ensure that all applicable logs and evidence are preserved

To understand how the intruder is entering the system

To discover why the intruder has chosen the target machine

To gather as much evidence of the intrusion as possible

To obtain information that may narrow your list of suspects

To document the damage caused by the intruder

Gather enough information to decide if law enforcement should be involved

Page 12: File000146


Steps to Investigate Internet Crimes

1. Obtain a search warrant and seize the victim's apparatus

2. Interview the victim

3. Prepare bit-stream copies

4. Identify the victim's configuration

5. Acquire the evidence

6. Examine and analyze

7. Generate the report

Page 13: File000146


Obtain a Search Warrant

The search warrant application should describe clearly how to perform the on-site examination of the computer and the network device

Seize all the devices suspected to be used in crime including:

• Victim's computer
• Router
• Webcam
• Switch
• Other network devices

Forensic tests should be performed on all equipment listed in the search warrant

Page 14: File000146


Interview the Victim

Interview the victim about the incident

Ask him/her the following questions:

• What incident occurred with the victim?
• From where did the intruder enter the network?
• What was the purpose of the attack?
• What are the major losses from this incident?

Page 15: File000146


Prepare Bit-Stream Copies

Prepare a copy of the memory and configuration of the affected computer using a tool such as Safe Back

Never work directly on the original evidence

Page 16: File000146


Check the Logs

Check the offsite or remote logs

Check the system, email and web server, and firewall log files

Check the log files of the chat sessions if the attacker monitored or had a conversation with the victim through IRC services

Page 17: File000146


Identify the Source of the Attack

Trace the attack back to the source from which it originated

The source can be the following:

• Website
• Email id

Page 18: File000146


IP Address

Each computer communicating over the Internet is assigned a unique 32-bit numeric address, which is written as four numbers separated by periods

• Example: 183.154.216.212

There are five different address formats or classes:

• Class A: for large networks with many devices
• Class B: for medium-sized networks
• Class C: for small networks (fewer than 256 devices)
• Class D: multicast addresses
• Class E: reserved for future use

[Figure: the 32-bit address shown as four 8-bit fields, each in the range 0-255, divided into a network portion and a host portion]
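As an added example (not part of the EC-Council module), the following Python code validates a dotted-quad address, determines its class from the leading bits of the first octet, and splits it into the network and host portions shown in the figure; the NETWORK_BITS table (8/16/24 bits for classes A/B/C) is the classful convention, not something the slide states.

```python
# Added example (not from the EC-Council module): classful IPv4 analysis.

def parse_ipv4(addr):
    """Return the 32-bit integer for a dotted-quad string, validating each octet (0-255)."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets: %r" % addr)
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError("octet out of range 0-255: %r" % p)
        value = (value << 8) | int(p)
    return value

def to_dotted(value):
    """Inverse of parse_ipv4: 32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ip_class(addr):
    """Class from the leading bits of the first octet:
       0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first = parse_ipv4(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"

# Leading network bits for the unicast classes (assumed classful convention);
# classes D and E carry no network/host split.
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}

def split_network_host(addr):
    """Return (network, host) as dotted quads for class A/B/C, or None for D/E."""
    cls = ip_class(addr)
    if cls not in NETWORK_BITS:
        return None
    bits = NETWORK_BITS[cls]
    value = parse_ipv4(addr)
    mask = ((1 << bits) - 1) << (32 - bits)
    return to_dotted(value & mask), to_dotted(value & ~mask & 0xFFFFFFFF)

if __name__ == "__main__":
    for a in ("183.154.216.212", "10.1.2.3", "224.0.0.1"):
        print(a, ip_class(a), split_network_host(a))
```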

Page 19: File000146


Internet Assigned Numbers Authority

IANA assigns the globally unique number called an IP address

It is the entity that oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments

It is operated by ICANN, whose headquarters are in Los Angeles, California, US

Page 20: File000146


Regional Internet Registry (RIR)

RIR is an organization overseeing the allocation and registration of Internet number resources within a particular region of the world

There are currently five RIRs in operation:

• American Registry for Internet Numbers (ARIN) for North America and parts of the Caribbean
• RIPE Network Coordination Centre (RIPE NCC) for Europe, the Middle East and Central Asia
• Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region
• Latin American and Caribbean Internet Address Registry (LACNIC) for Latin America and parts of the Caribbean region
• African Network Information Centre (AfriNIC) for Africa

Page 21: File000146


Internet Service Provider

Internet Service Providers are commercial vendors that provide Internet service

They may reserve blocks of IP addresses that can be assigned to their users

Page 22: File000146


Trace the IP Address of the Attacker’s Computer

The IP address identifies the computer that is used to send the message to other computers within the Internet

Examine the email headers and get the IP address of the attacker's system

Access a website that allows you to find IP address information

Use IP address locating tools such as WhoisIP to find out the location of the attacker

Page 23: File000146


Domain Name System (DNS)

DNS is a distributed Internet directory service

It translates domain names to IP addresses and vice versa

It enables you to assign authoritative names without the need to communicate with a central registrar

Source: http://nirlog.com/

[Figure: DNS resolving www.example.com to 145.214.158.216]

Page 24: File000146


DNS Record Manipulation

DNS uses several different records for converting domain names into IP addresses, such as:

• Mail Server - MX
• DNS Server - NS
• Network Host - A
• Alias - CNAME
• Reverse Host Record - PTR
• Text Record - TXT

DNS record manipulation techniques:

• DNS Poisoning: in a DNS poisoning attack, DNS servers are manipulated to fetch updated, incorrect DNS records from a server
• DNS Pharming: pharming is a term used for different approaches to manipulating DNS records

Page 25: File000146


DNS Lookup

A process which converts a unique IP address into a domain name and vice-versa

A DNS Lookup service also gives the following information:

• Details of Domain Name Servers
• Registrars of domain name
• Regional Internet Registries

Examples of online DNS Lookup services:

• www.dnsstuff.com
• http://www.bankes.com/nslookup.htm
• http://www.network-tools.com/

Page 26: File000146


Nslookup

Nslookup is a program to query Internet domain name servers and also displays information that can be used to diagnose Domain Name System (DNS) infrastructure

It helps to find additional IP addresses if authoritative DNS is known from whois

Page 27: File000146


Analyze the Whois Information

Analyze the IP address information from the Whois database, which shows information from the RIR database

Look for the physical address, telephone number, and other contact information from the registry

Page 28: File000146


Whois

Whois is the client utility that communicates with WHOIS servers located around the world to obtain information about domain registration

It supports IP address queries and automatically selects the appropriate Whois server for IP addresses

Page 29: File000146


Example Whois Record

Page 30: File000146


Whois Tools and Utilities

http://www.dnsstuff.com/

http://whois.domaintools.com/

http://network-tools.com/

http://centralops.net/co/

http://www.betterwhois.com/

Samspade, http://samspade.org/

Page 31: File000146


Samspade (http://samspade.org/)

Samspade is an integrated network query tool for Windows

Functions:

• Nslookup: This utility gives the details of the Domain Name Server
• Whois lookup: Whois lookup provides all the details of a domain name
• Name and contact details of registrar: Name and contact details of the domain name owner
• Traceroute: This utility traces the route to the Domain Name Server and gives the details of all the intermediate gateways between the DNS and a specified computer connected to the system
• SMTP verification utility: Simple Mail Transfer Protocol (SMTP) verifies the origin of emails

Page 32: File000146


SamSpade Report

Page 33: File000146


IP Address Locator (http://www.geobytes.com/IpLocator.htm?Getlocation)

IP address Locator assists in locating the geographical location of an IP Address

Page 34: File000146


IP Address Locator: Screenshot

Page 35: File000146


www.centralops.net: Tracing Geographical Location of a URL

www.centralops.net is a collection of Internet utilities developed by Hexillion for:

• Email Dossier
• Ping
• Traceroute
• NsLookup
• AutoWhois
• TcpQuery
• AnalyzePath

Page 36: File000146


DNS Lookup Result: centralops.net

Page 37: File000146


Traceroute

Traceroute works by exploiting a feature of the Internet Protocol called TTL (Time To Live)

It reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs

As each router processes an IP packet, it decrements the TTL; when the TTL reaches zero, the router sends back a "TTL exceeded" message (using ICMP) to the originator

Routers with DNS entries reveal the name of routers, network affiliation, and geographic location

Page 38: File000146


Collect the Evidence

Volatile and important sources of evidence on live systems, and the commands used to capture the evidence:

• Running processes (ps or the /proc file system)
• Active network connections (netstat)
• ARP cache (arp)
• List of open files (lsof)
• Virtual and physical memory (/dev/mem, /dev/kmem)

Computer forensic tools for data collection include:

• Guidance Software's EnCase (www.guidancesoftware.com)
• AccessData's Forensic Toolkit (www.accessdata.com)

Page 39: File000146


Examining Information in Cookies

Cookies are used for authenticating, tracking, and maintaining specific information about users

Syntax of a Set-Cookie header looks like:

Set-Cookie: <NAME>=<CONTENT>; expires=<TIMESTAMP>; path=<PATH>; domain=<DOMAIN>;

• NAME: identifies the cookie
• CONTENT: string of information that has some specific meaning to the server
• TIMESTAMP: denotes the date, time, and duration of the cookie (Wdy, DD-Mon-YYYY HH:MM:SS GMT)
• PATH: denotes the directories on the target site
• DOMAIN: defines the hosts within a domain that the cookie applies to

Page 40: File000146


Viewing Cookies in Firefox

1. Go to Tools -> Options

2. Click on Show Cookies

Page 41: File000146


Tool: Cookie Viewer (http://www.karenware.com/)

Cookie Viewer automatically scans your computer, looking for "cookies" created by Microsoft's Internet Explorer, Netscape's Navigator and Mozilla Project's Firefox web browsers

It displays the data stored in each one and also deletes any unwanted cookies stored by these browsers

Page 42: File000146


Switch URL Redirection

URL redirection is a technique where many URLs point to a single web page

It is done by posting the address of one site and redirecting the traffic it receives to the target address

It can be done in two basic ways:

• Page-based redirection: adding a special tag to a web page on the proxy site that tells the browser to go to the target
• Server-based redirection: adding a line to the web server configuration file to intercept the request for a specific page and tell the browser to fetch it from the target location
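As an added example (not part of the EC-Council module), the following Python code scans a saved HTML page for the page-based redirection mechanisms described above, a meta refresh tag or JavaScript that rewrites window.location or calls window.open, and lists the targets so an investigator can follow the chain from the proxy site onward; the sample page is constructed for the demonstration.

```python
# Added example (not from the EC-Council module): find page-based redirects in saved HTML.
import re

# <meta http-equiv="refresh" content="N; url=TARGET">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
# window.location = "TARGET" / location.href = 'TARGET' / top.location = "TARGET"
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
# window.open("TARGET", ...)
JS_OPEN = re.compile(r'window\.open\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)

def find_redirects(html):
    """Return a list of (mechanism, target) tuples found in the page source."""
    found = []
    for m in META_REFRESH.finditer(html):
        found.append(("meta-refresh", m.group(1)))
    for m in JS_LOCATION.finditer(html):
        found.append(("js-location", m.group(1)))
    for m in JS_OPEN.finditer(html):
        found.append(("js-window.open", m.group(1)))
    return found

# Constructed sample page: one meta refresh plus the browser-sniffing script pattern.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://target.example/landing">
<script>
if (navigator.appVersion.indexOf("MSIE") >= 0) { window.location.href = "ie.htm"; }
else window.open("other.htm", "_self");
</script></head><body>Loading...</body></html>"""

if __name__ == "__main__":
    for mechanism, target in find_redirects(SAMPLE_PAGE):
        print(mechanism, "->", target)
```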

Page 43: File000146


Sample Javascript for Page-based Redirection

var version = navigator.appVersion; // sets variable = browser version

if (version.indexOf("MSIE") >= 0) // checks to see if using IE (indexOf returns -1 when "MSIE" is absent)

{

window.location.href = "ie.htm"; /* If using IE, it shows this page; replace ie.htm with page name */

}

else window.open("other.htm", "_self"); /* else open other page; replace other.htm with page name */

Page 44: File000146


Embedded JavaScript

Embedded JavaScript is used by attackers to cover tracks

JavaScript can be used to:

• Hide the source HTML for a page
• Manipulate the URL displayed in the status bar and browser history

Page 45: File000146


Downloading a Single Page or an Entire Web Site

To save a page from the browser, go to File -> Save Page As

The following tools can be used to save an entire web site:

• Grab-a-Site
• SurfOffline 1.4
• My Offline Browser 1.0

Page 46: File000146


Downloading a Single Page or an Entire Web Site (cont’d)

Grab-a-Site is a file-based Offline Browser that combines speed, stability, and powerful filtering capabilities

SurfOffline is fast and convenient website download software

Page 47: File000146


Tool: My Offline Browser http://www.newprosoft.com

My Offline Browser is a multithreaded website downloader

Features:

• Download and save entire websites to your hard disk
• Change all links in the HTML code to relative local links
• Support multithreaded downloading (up to 50 threads)
• Automatically re-execute all tasks (Project scheduler)
• Support proxy server
• Built-in browser
• Limit the downloading by URL filter, maximum crawling depth, and maximum file size
• Export all the URLs into a text file (ASCII) or Excel file

Page 48: File000146


My Offline Browser: Screenshot

Page 49: File000146


Recovering Information from Web Pages

In IE, go to View -> Source

In Firefox, go to View -> Page Source

Page 50: File000146


Tool: WayBack Machine (http://www.archive.org/)

Wayback Machine is a web-based utility to browse through 85 billion web pages archived from 1996 to a few months ago

To view the history of a website:

• Go to www.archive.org
• Type in the web address of a site or page
• Press enter or click on Take Me Back
• Click on the desired date from the archived dates available
• Resulting pages point to other archived pages as near to that date as possible

Page 51: File000146


Trace the Email

Trace the email address to determine the source of email

Tools and utilities:

• Samspade, http://www.samspade.org/
• Visualroute, http://visualroute.visualware.com/
• www.centralops.net
• https://www.abika.com/forms/Verifyemailaddress.asp

Page 52: File000146


https://www.abika.com/forms/Verifyemailaddress.asp

Page 53: File000146


HTTP Headers

Types of Headers:

• Entity: meta information about an entity body or resource
• General: applicable for use in both request and response messages
• Request: sent by a browser or other client to a server
• Response: sent by a server in response to a request

Headers include the following information:

• Accept: specifies which Internet media types are acceptable for the response and assigns preferences to them
• Accept-Charset [Request]: specifies which character encodings are acceptable for the response and assigns preferences to them
• Accept-Encoding [Request]: specifies which data format transformations, confusingly called content (en)codings
• Accept-Ranges [Response]: indicates the server's acceptance of range requests for a resource

Page 54: File000146


HTTP Headers (cont’d)

• Age [Response]: gives the sender's estimate of the amount of time since the response (or its revalidation) was generated at the origin server
• Allow [Entity]: lists the set of methods supported by the resource identified by the Request-URI
• Authorization [Request]: consists of credentials containing the authentication information of the client for the realm of the resource being requested
• Cache-Control [General]: specifies directives that must be obeyed by all caching mechanisms along the request/response chain
• Connection [General]: specifies options that are desired for the particular connection and must not be communicated by proxies over further connections
• Content-Encoding [Entity]: used as a modifier to the media-type
• Content-Language [Entity]: specifies the natural language(s) of the intended audience for the enclosed entity
• Content-Length [Entity]: indicates the size of the entity-body that is sent or that would have been sent if it had been requested

Page 55: File000146


Email Headers Forging

1. Open a command prompt by clicking Start-> Run -> type cmd.

2. Find out the name of your ISP's mail server from email client settings (mail.isp.com or smtp.isp.com )

3. Type SMTP commands after the mail server responds

4. Continue with the address you want the mail to come FROM

5. For example, to forge mail from XYZ, type 'MAIL FROM: [email protected]'

6. Type 'RCPT TO: [email protected]' after the 'Sender Ok' message

7. Type 'DATA' and press enter after the 'Recipient Ok' message

8. On the first line type 'Subject: yoursubject' and press enter twice, that will be the subject

9. Type message and press enter

10. The server should say 'Message accepted for delivery'

11. You are done

Page 56: File000146


Viewing Header Information

Header information reveals the original source of an email

View and trace the mail header to find the real source address of threatening or malicious mails, whose visible sender address is generally spoofed
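As an added example (not part of the EC-Council module), the following Python code walks the Received: headers of a raw message from the earliest relay upward, extracts the IP address each relay recorded, and sets the originating host beside the claimed From: domain, which is the part a sender can set freely; the sample message, its hosts and its addresses are constructed placeholders.

```python
# Added example (not from the EC-Council module): tracing a message through its Received: headers.
import re
from email import message_from_string

# Matches a bracketed literal like [203.0.113.20] or a bare dotted quad.
IPV4 = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]|\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def received_chain(raw):
    """Return the Received: headers in delivery order (earliest relay first)."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    # Each relay prepends its own header, so the topmost one is the last hop; reverse it.
    return [" ".join(h.split()) for h in reversed(received)]

def hop_ips(raw):
    """For each hop, the first IP address the relay recorded (or None if it logged none)."""
    ips = []
    for hop in received_chain(raw):
        m = IPV4.search(hop)
        ips.append((m.group(1) or m.group(2)) if m else None)
    return ips

def originating_ip(raw):
    """IP recorded by the first relay that accepted the message, i.e. the sending host."""
    for ip in hop_ips(raw):
        if ip:
            return ip
    return None

def from_domain(raw):
    """Domain part of the From: address, which the sender controls and may have spoofed."""
    sender = message_from_string(raw).get("From", "")
    return sender.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in sender else ""

# Constructed sample message (placeholder hosts and documentation-range addresses, not real data).
SAMPLE = """Received: from relay2.example.net (relay2.example.net [203.0.113.20])
\tby mx.victim.example with ESMTP id 123; Sat, 9 Aug 2008 10:00:02 +0000
Received: from relay1.example.net (relay1.example.net [203.0.113.10])
\tby relay2.example.net with ESMTP; Sat, 9 Aug 2008 10:00:01 +0000
Received: from user-pc (unknown [198.51.100.77])
\tby relay1.example.net with SMTP; Sat, 9 Aug 2008 10:00:00 +0000
From: "Bank Support" <support@bank.example>
To: victim@victim.example
Subject: Verify your account

Please click the link below.
"""

if __name__ == "__main__":
    for i, (hop, ip) in enumerate(zip(received_chain(SAMPLE), hop_ips(SAMPLE)), 1):
        print(i, ip, hop)
    print("originating IP:", originating_ip(SAMPLE), "| claimed From domain:", from_domain(SAMPLE))
```

The earliest hop's address is what the first relay observed on the wire, which is the value to feed into the Whois and IP-locator steps later in this module.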

Page 57: File000146


Tracing Back Spam Mails

Examine header information:

• Use tracing tools such as eMailTrackerPro to trace the email header

Source: http://www.emailtrackerpro.com

Page 58: File000146


Tracing Back Spam Mails (cont’d)

Page 59: File000146


VisualRoute (http://www.visualroute.com/)

VisualRoute analyzes Internet connections to quickly locate where an outage or slowdown occurs

It identifies the geographical location of IP addresses and web servers on a global map

It helps to identify network intruders and Internet abusers

VisualRoute's traceroute provides three types of data:

• An overall analysis
• Data table
• A geographical view of the routing

Page 60: File000146


NeoTrace (Now McAfee Visual Trace)

NeoTrace shows the traceroute output visually – map view, node view and IP view

Page 61: File000146


NetScanTools Pro (http://www.netscantools.com/)

NetScanTools Pro is an advanced Internet information gathering program for Windows 2003/XP/2000

It can be used to research for IP addresses, hostnames, domain names, email addresses, or URLs automatically or with manual tools

Benefits:

• Requires less time to gather information about Internet or local LAN users, network devices, IP addresses, ports, and many other network specifics
• Removes guesswork from an Internet investigation by automating research that requires multiple network tools
• Produces clear, concise results reports in the format that you prefer: a web page or a file easily imported by a spreadsheet
• Enhances many standard network tools

Page 62: File000146


NetScanTools Pro: Screenshot

Page 63: File000146


Report Generation

Name of the investigator

List of router evidence

Documents of the evidence and other supporting items

List of tools used for investigation

List of devices and setup used in the examination

Brief description of the examination steps

Details about the findings:

• Information about the files
• Internet related evidence
• Data and image analysis

Conclusion of the investigation

Page 64: File000146


Summary

Internet crimes are crimes committed over the Internet or by using the Internet

Internet Forensics is the application of scientific and legally sound methods for the investigation of Internet crimes

URL redirection is a technique where many URLs point to a single web page

Attackers use embedded JavaScript to cover tracks

Cookies are used for authenticating, tracking, and maintaining specific information about users

DNS lookup is a process which converts a unique IP address into a domain name and is frequently used by the webmasters to research listings contained in the server log files
