The Proceedings of the

9th Australian Digital Forensics Conference

5 – 7 December, 2011 Citigate Hotel, Perth, Western Australia

Proceedings of the 9th Australian Digital Forensics Conference

Published By secau – Security Research Centre School of Computer and Security Science Edith Cowan University Perth, Western Australia

Edited by Dr Andrew Woodward and Professor Craig Valli secau – Security Research Centre School of Computer and Security Science Edith Cowan University Perth, Western Australia [email protected] [email protected]

Copyright 2011, All Rights Reserved, Edith Cowan University ISBN 978-0-7298-0695-4 CRICOS Institution Provider Code 00279B

Gold Sponsor

Sponsors

Supporters

ACS Centre of Expertise - Security

Conference Foreword

This is the third year that the Australian Digital Forensics Conference has been held under the banner of secau, and we have seen an increase in the number of submitted papers. This year, as always, all submitted papers were subject to a double blind peer review process, and of the 32 papers submitted only 16 were accepted for final presentation and subsequent publication, giving an acceptance rate of 47%. Whilst the topics were varied, there was a definite focus on forensic issues associated with portable storage devices, be they Smartphones or storage media. The best paper award sponsor this year is the Australian New Zealand Forensic Science Society, and the paper will be presented on the night of the conference dinner by Dr. Ken Fowle, Vice-President ANZFSS WA Branch. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included, but not been limited to, the reviewing and editing of the conference papers and helping with the planning, organisation and execution of the conferences. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To the people who took time to write papers and submit them to the conference we also give thanks.

Dr Andrew Woodward Conference Chair

Congress Organising Committee

Congress Chair: Professor Craig Valli
Executive Chair: Professor Murray Lampard
Conference Chair (IWAR): Dr Christopher Bolan
Conference Chair (ASIC): Dr Dave Brooks
Conference Chair (ACTC): Mr Michael Crowley
Conference Chair (AISM): Dr Trish Williams
Conference Chair (ADF): Dr Andrew Woodward
Committee Member: Associate Professor Ken Fowle
Committee Member: Mr Patryk Szewczyk
Congress Organiser: Ms Lisa McCormack

Table of Contents

GUIDELINES FOR THE DIGITAL FORENSIC PROCESSING OF SMARTPHONES (p. 1)
Khawla Abdulla Alghafli, Andrew Jones, Thomas Anthony Martin

FORENSIC RECOVERY AND ANALYSIS OF THE ARTEFACTS OF CRIMEWARE TOOLKITS (p. 9)
Murray Brand

LOOKING TO iPHONE BACKUP FILES FOR EVIDENCE EXTRACTION (p. 16)
Clinton Carpene

INFORMATION LEAKAGE THROUGH SECOND HAND USB FLASH DRIVES WITHIN THE UNITED KINGDOM (p. 33)
Widya Chaerani, Nathan Clarke, Christopher Bolan

TRACING SOURCES OF DOS AND DDOS ATTACK EVIDENTIAL RECOVERY (p. 39)
Brian Cusack, Cary Ho

SYSTEMS ARCHITECTURE FOR THE ACQUISITION AND PRESERVATION OF WIRELESS NETWORK TRAFFIC (p. 48)
Brian Cusack, Thomas Laurenson

VISUALISING FORENSIC DATA: INVESTIGATION TO COURT (p. 56)
Ken Fowle, Damian Schofield

ORGANISATIONAL PREPAREDNESS FOR HOSTED VIRTUAL DESKTOPS IN THE CONTEXT OF DIGITAL FORENSICS (p. 66)
Nirbhay Jawale, Ajit Narayanan

COMPONENT TECHNOLOGIES FOR E-DISCOVERY AND PROTOTYPING OF SUIT-COPING SYSTEM (p. 76)
Youngsoo Kim, Dowon Hong

AN EVALUATION OF DATA ERASING TOOLS (p. 84)
Thomas Martin and Andrew Jones

CAN CURRENT PACKET ANALYSIS SOFTWARE DETECT BitTORRENT ACTIVITY OR EXTRACT FILES FROM BTP AND µTP TRAFFIC STREAMS? (p. 93)
William Pung, Andrew Woodward

FORENSIC ANALYSIS OF THE ANDROID FILE SYSTEM YAFFS2 (p. 100)
Darren Quick, Mohammed Alzaabi

DATA REMANENCE IN NEW ZEALAND: 2011 (p. 110)
D. Roberts, H. B. Wolfe

ACQUISITION OF DIGITAL EVIDENCE IN ANDROID SMARTPHONES (p. 116)
Andre Morum de L. Simao, Fabio Caus Sicoli, Laerte Peotta de Melo, Flavio Elias de Deus, Rafael Timoteo de Sousa Junior

FORENSIC INVESTIGATION METHOD AND TOOL BASED ON THE USER BEHAVIOUR ANALYSIS (p. 125)
Namheun Son, Sangjin Lee

A 2011 INVESTIGATION INTO REMNANT DATA ON SECOND HAND MEMORY CARDS SOLD IN AUSTRALIA (p. 134)
Patryk Szewczyk and Krishnun Sansurooah


GUIDELINES FOR THE DIGITAL FORENSIC PROCESSING OF SMARTPHONES

Khawla Abdulla Alghafli (1), Andrew Jones (1, 2), Thomas Anthony Martin (1)
(1) Khalifa University of Science, Technology and Research (KUSTAR), United Arab Emirates
(2) Edith Cowan University, Perth, Western Australia
[email protected]

Abstract

Today Smartphone devices are widespread and they hold many types of information about the owner and their activities. As a result of the widespread adoption of these devices into every aspect of our lives, they can be involved in almost any crime. The aim of digital forensics of Smartphone devices is to recover the digital evidence in a forensically sound manner so that the digital evidence can be presented and accepted in court. The digital forensic process consists of four phases: preservation, acquisition, examination/analysis and finally presentation. In this paper we look at various types of crime and their associated digital evidence. The digital forensics process for Smartphone devices is discussed, and this paper also contains recommended guidelines and procedures for how to perform the phases of the digital forensics process on Smartphone devices. Finally, a description of some challenges that may be faced in this field is given.

Keywords

Digital forensics, Digital evidence, Preservation, Acquisition.

INTRODUCTION

Smartphone devices have seen a remarkable growth in popularity and are now involved in most aspects of our daily life. They now hold a variety of information about the activities of the owner. Examples of this information are media files, chat logs, browsing history and call history. In many cases, criminals have moved to take advantage of these devices. The usage of Smartphone devices in criminal activities is on the increase. Famous examples of these crimes are the Mumbai terrorist attack in 2008 and the riots in London in 2011. As a result, forensics researchers are working on finding acceptable methods to recover potential digital evidence about user activities from these devices. The digital forensics of Smartphone devices is a growing field due to the rapid development in Smartphone device technologies. The purpose of digital forensics research is to find accepted methods to recover the digital evidence in a forensically sound manner so that the recovered digital evidence can be presented and accepted in court. The digital forensic field is usually called computer forensics, and the definition is the following: "Computer forensic is the collection, preservation, analysis, and presentation of computer-related evidence" (Vacca, 2010). Today, Smartphone devices are similar in functionality to computers, but there are some differences between the digital forensics of computer devices and that of Smartphone devices. These differences are illustrated in Table 1.

Table 1. A Comparison of Computer and Smartphone Forensics

Aspect: Source of evidence
  Computer forensics: hard disk; RAM; external memory cards.
  Smartphone forensics: internal memory; SIM; external memory cards.

Aspect: Can remove the internal storage media
  Computer forensics: yes, the hard disk can be removed easily.
  Smartphone forensics: no.

Aspect: Operating system
  Computer forensics: limited number of operating systems.
  Smartphone forensics: wide range of operating systems.

Aspect: Can bypass the authentication password
  Computer forensics: yes.
  Smartphone forensics: cannot bypass the authentication password during logical acquisition.

Aspect: Power and data cables
  Computer forensics: standard power and data cables.
  Smartphone forensics: wide range of power and data cables.

Aspect: File system
  Computer forensics: standard file system such as FAT.
  Smartphone forensics: wide range of file systems.

From Table 1, it's clear that the digital forensics of Smartphone devices is more complex than the digital forensics of computers.

POTENTIAL DIGITAL EVIDENCE IN THE SMARTPHONE DEVICES

Digital evidence is defined as "Any data that can establish that a crime has been committed or provide a link between a crime and its victim or a crime and its perpetrator" (Casey, 2004). Another definition is "any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (Casey, 2004). The following are types of potential digital evidence that may be found in Smartphone devices:

Call history

The call history provides an insight into the call activity of the owner before the acquisition of the Smartphone device. The investigator can see incoming, outgoing and missed calls, including their times and durations. This can help the forensic investigator to draw indirect conclusions about the suspected activities.

Contact list

The contact list not only provides contact names and their numbers (home, mobile or work) but also many other types of information such as contact title, company, address and emails. Also, some Smartphone devices store a picture of the contact in the contact list. The information that is stored in the contact list provides the investigator with the social and work relations of the owner of the Smartphone device. Besides this, many people store different types of account information and their passwords in the contact list, for example email accounts or bank account PIN codes.

Text messages/emails

Contrary to the call history and contact list, which provide indirect information, text messages and emails give explicit information that can be used as evidence in court. This is because they contain the exact text sent to or by the owner of the Smartphone device.

Media (pictures, videos, audio)

Media files such as pictures and videos can be used as potential digital evidence in court. Many Smartphone devices such as iPhones embed the GPS co-ordinates of the location into the metadata, called Exchangeable File Format (Exif), of the resulting image file (Valli & Hannay, 2010). Not only are the GPS co-ordinates stored but also other information valuable to the investigator, such as the date and time of capture. This provides the investigator with more insight into the activities of the owner of the Smartphone.

Browsing history/internet search

The browsing history and internet searches in the Smartphone device give the investigator a picture of the internet activities of the owner. The investigator will discover the types of web sites that the owner has visited. Also, some Smartphone devices give the owner the ability to save their favourite web sites.


Chat logs

There are several chat applications that can be installed on the Smartphone device, such as Windows Live Messenger, Google Talk and BlackBerry Messenger. Users of these applications usually choose to save the chat logs. The chat logs can be used as digital evidence in court as to what the owner said.

Social network accounts

Most social networks are available on Smartphones, including the most famous of all, Facebook. In this type of account the investigator can find pictures and notes that were published by the owner. Also, they can discover the owner's friends and the groups that they belong to.

Calendar/notes

The calendar gives a picture of the previous, current and future planned activities of the owner of the Smartphone. The calendar can be used to associate the owner of the Smartphone with specific locations and times in order to look for possible witnesses. The owner of the Smartphone may also have saved notes that contain valuable information that can be presented as evidence in court.

Connections (mobile network, Wi-Fi, Bluetooth)

These will give the investigator an overview of the networking activities that were performed by the owner's Smartphone device. The mobile network will give a picture of which country or region the owner has roamed in. Wi-Fi will give a picture of which Local Area Network (LAN) the Smartphone connected to. Bluetooth will give the forensic investigator information about the nicknames of the devices that were connected with the owner's Smartphone using a Bluetooth connection.

Maps (locations, directions help, favourites)

This will provide the investigator with a geographical view of the owner's movements, which can be used as potential evidence in court.

Software (Document processing software, VoIP software, etc.)

Document processing software such as Word To Go and Sheet To Go can be used to create or edit documents that may be usable as potential digital evidence. VoIP applications such as Skype give the owner of the Smartphone the ability to communicate with many people using the IP protocol without leaving a record in the call history on the device. The suspect may use this software to communicate with a criminal or a victim. For example, in child abuse cases the criminal may communicate with the child using VoIP software. The investigator has to check these applications on the suspect's Smartphone device. The checks should include finding the suspect's account and the associated contact list.

The forensic investigator's aim is to find evidence of the crime. There are many types of crime that may be found in computing environments. The document (Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders, 2009) details several crimes and the associated types of digital evidence. Table 2 illustrates several examples of digital crimes and their associated potential evidence.

Table 2. Crimes in the computing environment

Child abuse
  Description: mistreatment or misuse of children in ways that may affect their development and psychology.
  Potential computer evidence: internet history logs; chat logs; internet searches; images; movie files; calendars/notes.

Murder
  Description: killing someone intentionally.
  Potential computer evidence: calendars/notes; internet history logs; address books; images; financial/asset records; medical records; reproductions of signature.

Harassment
  Description: behaviour that bothers or disturbs someone.
  Potential computer evidence: calendars/notes; internet history logs; address books; images; financial/asset records; internet searches about victims.

Identity theft
  Description: crimes that aim to steal personal information such as credit card numbers and bank account numbers.
  Potential computer evidence: credit card information; electronic money transfers; financial records; online banking software; reproductions of signature; forged documents.

Counterfeiting
  Description: illegal actions that aim to produce imitations that look like an original.
  Potential computer evidence: credit card information; financial records; reproductions of signature.

Narcotics
  Description: illegal drugs that suppress some brain functions and relieve pain.
  Potential computer evidence: credit card information; electronic money transfers; financial records; fictitious identification; photographs of drugs and accomplices; unfilled prescriptions.

Terrorism
  Description: dangerous actions against civilians in order to achieve political or organisational goals.
  Potential computer evidence: credit card information; electronic money transfers; financial records; fictitious identification; VoIP software.
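The Exif geotag mentioned under Media above is only useful if the examiner can read it. The following is an added example, not code from the paper: a dependency-free reader for the GPS sub-IFD of a JPEG's Exif block (APP1 segment, TIFF header, IFD0, the GPSInfo pointer, then the latitude/longitude reference and degree/minute/second rationals), exercised on a constructed sample file rather than a real handset photo. Function names and the sample builder are my own.

```python
import struct

# TIFF field types used by Exif GPS tags: 2 = ASCII, 4 = LONG, 5 = RATIONAL (size in bytes per element)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block inside the APP1 'Exif' segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:                  # start of scan: no metadata segments follow
            break
        pos += 2 + length
    raise ValueError("no Exif APP1 segment")


def _read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: (field type, count, raw 4-byte value-or-offset field)}."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, ftype, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (ftype, n, tiff[e + 8:e + 12])
    return entries


def _field_value(tiff, entry, endian):
    """Decode an IFD entry; values longer than 4 bytes live at the offset stored in the entry."""
    ftype, n, raw = entry
    size = TYPE_SIZES[ftype] * n
    if size > 4:
        (off,) = struct.unpack(endian + "I", raw)
        raw = tiff[off:off + size]
    data = raw[:size]
    if ftype == 2:
        return data.rstrip(b"\x00").decode("ascii", errors="replace")
    if ftype == 4:
        return struct.unpack(endian + "%dI" % n, data)
    if ftype == 5:
        nums = struct.unpack(endian + "%dI" % (2 * n), data)
        return [(nums[i], nums[i + 1]) for i in range(0, 2 * n, 2)]
    return data


def _dms_to_degrees(rationals, ref):
    """Degrees/minutes/seconds rationals to a signed decimal degree; a zero denominator counts as 0."""
    d, m, s = [(num / den if den else 0.0) for num, den in rationals[:3]]
    degrees = d + m / 60 + s / 3600
    return -degrees if ref.upper() in ("S", "W") else degrees


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None when the Exif carries no GPS fix."""
    tiff = _find_exif_tiff(jpeg)
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if tiff[:2] not in (b"II", b"MM") or magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, _field_value(tiff, ifd0[GPS_IFD_POINTER], endian)[0], endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_degrees(_field_value(tiff, gps[GPS_LAT], endian), _field_value(tiff, gps[GPS_LAT_REF], endian))
    lon = _dms_to_degrees(_field_value(tiff, gps[GPS_LON], endian), _field_value(tiff, gps[GPS_LON_REF], endian))
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample (not a real camera file): a minimal JPEG whose Exif holds only a GPS sub-IFD."""
    e = "<"                                   # little-endian TIFF ("II"), as most phones write it
    ifd0_off, gps_off, data_off = 8, 26, 80   # header | IFD0 (1 entry) | GPS IFD (4 entries) | rationals
    ent = lambda tag, ftype, n, v4: struct.pack(e + "HHI", tag, ftype, n) + v4
    ref = lambda r: r.encode("ascii") + b"\x00\x00\x00"  # ASCII count 2, padded into the 4-byte field
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1) + ent(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off))
    tiff += struct.pack(e + "I", 0)           # no IFD1 follows
    tiff += struct.pack(e + "H", 4)
    tiff += ent(GPS_LAT_REF, 2, 2, ref(lat_ref)) + ent(GPS_LAT, 5, 3, struct.pack(e + "I", data_off))
    tiff += ent(GPS_LON_REF, 2, 2, ref(lon_ref)) + ent(GPS_LON, 5, 3, struct.pack(e + "I", data_off + 24))
    tiff += struct.pack(e + "I", 0)
    for num, den in list(lat_dms) + list(lon_dms):
        tiff += struct.pack(e + "II", num, den)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed fix near Perth, Western Australia: 31°57'08" S, 115°51'32" E
    sample = build_sample_jpeg([(31, 1), (57, 1), (8, 1)], "S", [(115, 1), (51, 1), (32, 1)], "E")
    print(extract_gps(sample))                # (-31.952222, 115.858889)
```

On a real photo the same IFD0 also carries the capture date and camera model the paper mentions; only the GPS tags are decoded here.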

DIGITAL FORENSICS PROCESS OF SMARTPHONE DEVICES

The digital forensic process consists of four phases as shown in Figure 1.

Figure 1. Digital Forensics process

In this section we discuss some guidelines to be followed in the phases of the digital forensics process of Smartphone devices.

Preservation

In the evidence preservation phase, the forensic investigator must preserve the Smartphone device in its original state. This means that no data should be changed on the device after preserving the scene. Figure 2 shows a work flow to be followed in this phase.

Figure 2: Work flow in the preservation phase

It is important to preserve the source of the digital evidence in its original state. Any failure to preserve the evidence in its original state at this stage will result in a failure in all of the following stages of the digital forensics process. If the state of the device is ON, the investigator should plug in a portable power supply. Consequently, it will be kept in its original state and no loss of data will occur if the device runs out of battery. The device has to be packaged in a radio frequency isolated container (Faraday container). This is because the suspect may make use of any signal to modify or delete the evidence on the device. Also, any incoming calls may result in the overwriting of evidence. The investigator should also document all the steps that were undertaken at this stage.

Acquisition

This stage of the process starts when the device is received at the forensic lab after proper preservation, packing and transportation. Figure 3 shows a work flow to be followed in this phase.


Figure 3: Work flow in the acquisition phase

One of the first tasks to be undertaken in this stage is to identify the type and the model of the device. Once this has been done, the forensic examiner will be able to choose the right acquisition tool for the device. This is not easy due to the variety of models of Smartphone devices on the market. Also, there is a wide range of cloned devices that look like the original but operate in a different manner. The examiner should review the device's manual, understand how the device operates and know what the appropriate power/data cables are for use with the device. Once an image has been created, the integrity of the image must be checked. The most common method used to check the integrity of a file is a hash function. The hash function will produce a hash digest of the acquired data. If any changes are made to the acquired data, the hash digest will change. Consequently, proving that no changes have taken place since the evidence was collected is easy by using hash functions. Furthermore, all of the steps that were undertaken must be documented.
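The integrity check and the documentation requirement just described, as an added example that is not part of the paper: the acquired image is hashed in chunks, the digests are written into a manifest alongside who acquired it, with what, and when, and a later verification re-hashes the image and reports the first mismatch. The manifest fields, the random "image" and the single-byte alteration are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB pieces so a multi-gigabyte image never has to fit in memory


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, examiner, device, tool):
    """Record the digests of a freshly acquired image together with who, what and when produced it."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "md5": hash_file(image_path, "md5"),        # a second algorithm, as many lab procedures require
        "device": device,
        "acquisition_tool": tool,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare it with the manifest; returns (ok, reason)."""
    with open(manifest_path) as f:
        record = json.load(f)
    if os.path.getsize(image_path) != record["size_bytes"]:
        return False, "size differs from manifest"
    actual = hash_file(image_path, "sha256")
    if actual != record["sha256"]:
        return False, "sha256 differs: manifest %s, image %s" % (record["sha256"], actual)
    return True, "image matches manifest"


def demo():
    """Constructed sample: a random 'image' is verified, then one bit is flipped and it is re-verified."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "handset.bin")
        man = img + ".manifest.json"
        with open(img, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))   # constructed content, not a real acquisition
        write_manifest(img, man, examiner="Examiner A", device="constructed sample handset", tool="constructed")
        ok_before, _ = verify_image(img, man)
        with open(img, "r+b") as f:               # simulate a single-bit change deep inside the image
            f.seek(CHUNK + 5)
            original = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after, reason = verify_image(img, man)
    return ok_before, ok_after, reason


if __name__ == "__main__":
    print(demo())
```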


Examination and Analysis

In this phase the forensic investigator should decide which tools they will use to support the forensic examination and analysis. For analysing Smartphone devices, the forensic analyst can use a range of tools such as Oxygen Phone Manager, Paraben Cell Seizure, Susteen Secure View or XRY (Phone manager II, 2011) (Device Seizure v4.1, 2011) (What is XRY?, 2011). These tools work properly with some Smartphone devices and not with others. Thus, the forensic examiner should choose the correct tool for each type of Smartphone device. The most important thing to be clear on is that as the storage media size increases, the forensic process will become slower, because there is an increasing volume of data to be examined. According to M. G. Solomon et al., "There is no easy answer to the question 'where do I look for evidence?' As with any investigation, not all evidence is clear and easily available" (Solomon, Barrett, & Broom, 2005). The answer of where to look depends on the type of crime. For instance, if the crime is child abuse the investigator would focus their search on chat log files, email files and picture files. These files will, potentially, provide the investigator with a good view of system activity.

Presentation

The fourth phase in the forensic process is that of presenting the evidence. It occurs after the results have been found in the examination and analysis phase. Thus, the presentation of evidence phase shows the results that were found in the analysis phase. The duty of the forensic investigator in this phase is to prove to the audience one or more facts using the evidence that they have obtained. They should produce a well organised report of their findings. Also, in the presentation they should explain the computer evidence in a way that can be understood by audiences that may have little background in computer technology.

The forensic examiner should also know as much as possible about the background of their audience before preparing the presentation (Solomon, Barrett, & Broom, 2005). Different types of audience have different expectations. For example, the expectations of managers in a company differ from the expectations of a jury in court. By knowing the audience, the investigator can prepare a more convincing presentation.

THE CHALLENGES OF THE DIGITAL FORENSICS OF THE SMARTPHONE DEVICES

The analysis of Smartphone devices is a rapidly growing field in digital forensics. In (Zareen & Baig, 2010) (Raghav & Saxena, 2009), several challenges and difficulties that are faced in this field are mentioned. Some of them are:

- There is a rapid change in the technology of Smartphone devices. Today, there are a huge number of Smartphone models on the market. This has led to increasing problems in developing and maintaining a scientifically sound method for the capturing of data from these devices.

- There are a large number of different operating systems for Smartphone devices. Some of these are open source and others are not. For example, Android is an open source operating system and BlackBerry OS is a closed source operating system. How closed source operating systems work is obviously less well understood. Thus, the forensic investigator will not have a clear idea of how these operating systems are storing, modifying and retrieving data. Therefore, there is a need to perform an operational analysis of each Smartphone operating system in order to understand where the data is stored and how it can be retrieved.

- The forensic investigator has to be aware that there are many tools and techniques that may be used remotely by the suspect or criminal to modify or destroy data that is held by the Smartphone. To avoid this problem, the forensic investigator has to keep the Smartphone in a signal isolated box while it is moved from the scene to the forensic lab.

- Signals to and from the Smartphone need to be blocked at the time of seizure to prevent any possible modification of the data in the device. The challenge here is that the battery life of the Smartphone is limited and placing the device in isolation will result in the battery being drained. This is because once the Smartphone is isolated, it starts searching for a mobile network. The solution to this situation is that the forensic investigator should have a portable power supply for the various models of Smartphone. Before isolating the Smartphone, the investigator should attach the portable power supply.

- There is a wide range of data and power cables used by Smartphones. This can cause logistical problems and also causes confusion for a forensic investigator over which type of cable to use. To meet this challenge, a database of each Smartphone model and its appropriate cables can be created. This will simplify the process of finding the appropriate cables for each model and keep the device in its original state. However, the problem that will arise is that the forensic investigator has to carry a bag that contains all possible portable power supply cables before going to the crime scene.

- There is a need for forensic tools for the acquisition of data from physically damaged Smartphone devices. Most of the current tools work only with undamaged Smartphones.

- Most Smartphones have an authentication code to prevent unauthorised access. This can cause delays in accessing the Smartphone data. Also, if the number of tries to enter the right code is exceeded, the Smartphone may wipe itself. To address this challenge, there is a need to develop methods that bypass the authentication code on each of the Smartphone models.

- Most of the current Smartphone forensics tools provide for the logical analysis of data. This type of analysis does not retrieve deleted files. There is a need for the development of forensic tools for each type of Smartphone device that can perform a physical analysis, which can retrieve deleted data.

CONCLUSION

The fast development in Smartphone device technology is making the digital forensics of these devices a very complicated task. Also, this development leads to increasing problems in developing and maintaining a scientifically sound method for the capturing of data from these devices. We have provided guidelines to be followed in the digital forensics process, but this field has many challenges that need to be addressed. Also, there is a need to develop standard procedures to be followed by the forensic investigator and examiner in order to preserve the evidence's integrity and recover it correctly, so that it can then be accepted in court.

REFERENCES

Casey, E. (2004). Digital Evidence and Computer Crime (pp. 12-13). Academic Press.
Device Seizure v4.1. (2011). Retrieved from Paraben Corporation: http://paraben-forensics.com/deviceseizure.html
Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders. (2009). The National Institute of Justice.
Phone Manager II. (2011). Retrieved from Oxygen Software: http://www.oxygensoftware.com/
Raghav, S., & Saxena, A. K. (2009). Mobile Forensics: Guidelines and Challenges in Data Preservation and Acquisition. IEEE Student Conference on Research and Development (SCOReD 2009) (pp. 5-8). Malaysia.
Solomon, M. G., Barrett, D., & Broom, N. (2005). Computer Forensics JumpStart (pp. 73-155). Sybex.
Vacca, J. R. (2010). Computer Forensics: Computer Crime Scene Investigation (pp. 3-31). Charles River Media.
Valli, C., & Hannay, P. (2010). Geotagging Where Cyberspace Comes to Your Place. Security and Management 2010 (pp. 627-632).
What is XRY? (2011). Retrieved from Micro Systemation: http://www.msab.com/xry/what-is-xry
Zareen, A., & Baig, S. (2010). Mobile Phone Forensics Challenges, Analysis and Tools Classification. Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2010) (pp. 47-55).


FORENSIC RECOVERY AND ANALYSIS OF THE ARTEFACTS OF CRIMEWARE TOOLKITS

Murray Brand
secau - Security Research Centre, School of Computer and Security Science
Edith Cowan University, Perth, Western Australia
[email protected]

Abstract

The total cost of cybercrime has been estimated to exceed US$388 billion annually. The availability of crimeware toolkits has lowered the bar for entry to the world of cybercrime. With very little technical knowledge required, cybercriminals can create, deploy and harvest financial data using banking trojans through a point and click graphical user interface that can cost less than US$1000. Technical support is also available for a fee, including technical infrastructure and servers to store harvested data. Fraudsters employing crimeware toolkits have been reported to have stolen US$3.2 million in as little as six months. This paper presents preliminary research that has been conducted to forensically recover and analyse artefacts of the process of using crimeware toolkits from the file system and memory of systems that have potentially been engaged in such banking trojan authoring activities. Construction of a banking trojan using a crimeware toolkit follows a process that typically requires a set of configuration files and a small suite of program tools within the toolkit. Artefacts can be recovered from the process that could potentially be presented for admission as evidence in a court of law. Artefacts from the toolkits vary, as do the versions and variants of available toolkits. This paper proposes further research to construct a library of baseline artefacts to assist in the reconstruction of events and to assist the forensic analyst in determining the provenance of any particular banking trojan.

Keywords

Digital forensics, crimeware, ZeuS, Spy Eye, Pinch, Carberp, cybercrime, banking trojan, botnet.

INTRODUCTION

A recent study estimates the cost of cybercrime worldwide to exceed US$388 billion annually, which exceeds the postulated US$288 billion cost of the global black market in illicit drugs such as marijuana, cocaine and heroin combined. The report also claims that more than two thirds of adults who go online have been a victim of cybercrime in their lifetime (Norton, 2011). Trend Micro (2011a, 2011b) reports that the top 10 cybercrime targets of the crimeware toolkits include online users of PayPal, eBay, Yahoo!, Facebook, Pharmacy Express, HSBC Bank, ANZ Bank, Lloyds TSB Bank, Banco Santander Bank and Western Union Bank. Malicious software developers create, market and support crimeware toolkits that can create malicious software (malware) which can be used for the theft of financial transaction data such as bank account information, credit card data, authentication credentials and personal identities. Such targeted malware is typically referred to as a "banking trojan". The command and control infrastructure for the malware is in the form of a botnet, which may include thousands of infected machines from which financial and personal data can be harvested. Instances of crimeware toolkits such as ZeuS, Spy Eye, Pinch and Carberp employ graphical user interfaces such that the cybercriminal needs very little technical knowledge to create a banking trojan (Trend Micro, 2011a, 2011b). A report by Trend Micro (2011c) reveals that an investigation into the activities of a certain cybercriminal who employed such a toolkit found that they had stolen over US$3.2 million in six months from a botnet of over 25,000 systems, predominantly located in the United States. A generic, potential lifecycle for a banking trojan built by a crimeware toolkit is depicted in Figure 1. The diagram shows that the toolkit is purchased from an online cybercrime site or obtained by some other means, such as transfer from an external drive, an email attachment or some other source.

The toolkit is then installed on a system. The requisite files and tools may be on the single system or distributed across mounted volumes or network shares.


Figure 1 Potential Crimeware Toolkit Usage Life Cycle (stages, in order): Purchase / Obtain Crimeware Toolkit -> Install -> Read Manual / Obtain Support -> Execute Builder -> Edit Configuration File(s) -> Build Banking Trojan -> Test -> Deploy -> Harvest -> Exploit

The crimeware toolkits examined for the purpose of this research all contained user's manuals and it is understood that online support is also available for a fee. The heart of the toolkit is a graphical user interface based "Builder" program that invokes a small number of supporting programs to build the resulting banking trojan and this process also requires the editing of a small number of configuration files. Once built, the banking trojan is likely to be tested in some manner, even if it is just to ensure that the resultant hash does not register as a known hash or virus signature. Once tested, it is envisaged that the trojan is deployed. The banking trojan can be deployed via a variety of mechanisms including spammed email that contains a link to a hijacked web site that uses iframes running malicious javascript. The malicious javascript can exploit vulnerabilities in the browser of the user which can then execute code on the target computer to conduct a variety of nefarious activities, including disabling security software and can download additional malware to the victim. Once compromised, the infected computer can be updated with enhanced malware at the discretion of the person in command of the botnet, typically referred to as the bot herder. The bot herder can then operate the botnet system from a distance, through a layered, hierarchical command and control system. Information can then be harvested and exploited in some predetermined measure. The purpose of this paper is to present preliminary research that could be suitable for investigating a computer system suspected of having being used to author a banking trojan using a crimeware toolkit. The intention is to present artefacts of the authoring process as evidence suitable for admission to a court of law. This intention assumes that the sources of evidence accessible from the suspect machine have been acquired in a legal and forensically sound manner. 
Only the analysis phase of the investigation is discussed in this paper. This particular area of interest is depicted in the life cycle diagram of Figure 1, from reading the user manual to testing the resultant trojan, and is highlighted in the figure. This paper does not investigate how the toolkit was originally acquired, how the banking trojan was deployed, how the botnet was controlled, or how information was harvested or exploited from the deployed banking trojan. These lines of investigation are left for future research. The highlighted components in the figure emphasize the processes that are highly likely to have been conducted on one system. The components of the diagram that are not highlighted may have been conducted on the same system, but need not have been. Understanding the life cycle for any particular crimeware toolkit version or variant could assist an investigation. It can lead to the reconstruction of events, which can be represented in a timeline and corroborated with the artefacts left by following the building process. Discovery of the artefacts from the combined acts of editing configuration files, running the builder program (which in turn runs subservient tools that leave artefacts) and accessing a user's manual may support the two essential elements required for a case: actus reus (Latin for guilty act) and mens rea (Latin for guilty mind), which may be used to prove that the accused committed the prohibited act and possessed the culpable mental state (Shinder, 2002). Additional evidence, such as the deployment of the trojan and the harvesting and exploitation of the resultant information from the trojan, would likely provide additional, supporting elements to the case.

CRIMEWARE

Crimeware Toolkit Capabilities

Crimeware toolkits, including ZeuS, Spy Eye, Pinch, Carberp and Bugat, predominantly operate under Microsoft Windows systems, but may also target alternative platforms such as mobile devices (S21sec, 2010). Malware continues to evolve: it is becoming more stealthy, increasingly targeted and incorporating additional anti-analysis techniques (Brand, 2010). As an example, Barrett (2011) lists features of Spy Eye that include a ring 3 rootkit, which means it can hide registry and file entries from a limited privileges account. It can hook the supported web browsers, such as Internet Explorer, Firefox and Maxthon, and then inject code into the browser. It can intercept and control traffic by hooking into API calls. It can steal HTTP secured connection session data. It can inject forms into legitimate web pages of banks by using webinjects. Such forms can include fields to entice the victim to enter data, such as Personal Identification Numbers (PIN), that are neither required nor requested by the online financial institution. It can include keyloggers to capture legitimate data entered by the victim. It can include data mining algorithms to collect and forward only relevant, filtered data to the Command and Control server via encrypted data channels.

Crimeware Toolkit Components

An examination of crimeware toolkits conducted for the purpose of this research reveals that a number of high level components are common to most of the variants and versions. This commonality includes configuration files for customising the botnet and other files, such as the webinjects file that contains content injection rules. There is typically a builder program that generates the malware binary used to infect the victims from the clear text configuration files that are customised by the cybercriminal. The format of these configuration files varies between the variants of crimeware toolkits, but all of the toolkits examined used configuration files. An encrypted version of the configuration file is created using an encryption key. It is a separate file from the executable and is generally downloaded during execution of the binary. The behaviour of the binary on the target system can then be modified at the direction of the cybercriminal. A small number of standalone programs are also included in the toolkits, including file archivers, build tools, packers, protectors, assemblers and a PHP compiler for compiling PHP web scripts.
Other tools for deploying the malware may also be found, as well as supporting documentation such as manuals to assist in the authoring process. The very nature of the development and release process is tailored to ensure that it works for the cybercriminal who is using the crimeware toolkit to create the banking trojan with minimal effort and complications. This means that there is a definitive structure to the configuration files for the build process and that various artefacts of the development and release process can be recovered to reconstruct the event of having built the resultant banking trojan. Various plug-ins, enhancements and customisations are available and can be purchased and traded on underground forums (Hypponen, 2011), but it could be expected that the core framework, and the development and release process, for any of the particular versions or variants of the crimeware toolkits will remain consistent in the short term. This is essentially because a level of customisation is essential for customers to tailor the trojan for their particular needs. This necessitates an editable configuration file. This in turn means the configuration file requires structure with defined fields, so that the builder program can parse and interpret it to create a trojan that will function correctly. It would be very difficult to conceive of an alternative method that combines ease of use, consistency and reliability. In addition, reuse of tried, true and tested code is a fundamental principle of best practice software engineering.

FORENSIC ANALYSIS

Crimeware Toolkit Artefacts

The tools in the toolkit may not be reliably detected by an antivirus (AV) software suite. This is because AV software that is signature based is reliant upon previous detection and extraction of an appropriate signature. The tool can be protected and/or packed, which will obfuscate the code, change the hash and change the signature of the code. A variety of techniques can be implemented to further hinder the digital forensic analyst. These include techniques such as anti emulation, anti online analysis, anti hardware, anti debugger, anti disassembler, anti tools, anti memory, anti process and rootkits, as discussed by Brand, Valli and Woodward (2010). In addition, it is quite simple to change the hash of any program to be the hash of a program that is on a known good file list, to avoid being relegated to a list of unknown files for investigation (Foster and Liu, 2005). The configuration files between the toolkits can be different, but they do appear very similar within variants and versions of the same toolkit, with clearly defined key fields and parameters. Although these files may be deleted, the potential exists to recover full or remnant parts of the files from memory devices, allocated or unallocated space, the hibernation files, the memory page files and from physical memory dumps. The configuration files are typically textual in nature, and lend themselves to keyword searches. The tailoring of the banking trojan itself is determined by the configuration files. Hence, to determine the released trojan's capability, recovery of the configuration file could provide supporting evidence of the activity of having built a particular banking trojan. In addition, it could be possible to associate a particular banking trojan with a particular configuration file. Figure 4 demonstrates the structure of the ZeuS 1.2.4.2 configuration file. Clearly defined fields and delimiters are present.
Figure 5 presents a small section of the WebInjects file. The WebInjects file clearly lists URLs of common and popular banking websites. Figure 6 shows a small subsection of the user manual that uses terms associated with the particular crimeware kit version. The manual needs to be descriptive enough for users to tailor their developed malware. In all cases of the selection of crimeware toolkits examined, keywords and structure are evident and could be very useful for keyword searches, file carving, indexing and filtering.

;Build time: 14:15:23 10.04.2009 GMT
;Version: 1.2.4.2

entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://localhost/config.bin"
  url_compip "http://localhost/ip.php" 1024
  encryption_key "secret key"
  ;blacklist_languages 1049
end

entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;"http://advdomain/cfg1.bin"
  end

  entry "WebFilters"
    "!*.microsoft.com/*"
    "!http://*myspace.com*"
    "https://www.gruposantander.es/*"
    "!http://*odnoklassniki.ru/*"
    "!http://vkontakte.ru/*"
    "@*/login.osmp.ru/*"
    "@*/atl.osmp.ru/*"
  end

  entry "WebDataFilters"
    ;"http://mail.rambler.ru/*" "passw;login"
  end

  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end

  entry "TANGrabber"
    "https://banking.*.de/cgi/ueberweisung.cgi/*" "S3R1C6G" "*&tid=*" "*&betrag=*"
    "https://internetbanking.gad.de/banking/*" "S3C6" "*" "*" "KktNrTanEnz"
    "https://www.citibank.de/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
  end

  entry "DnsMap"
    ;127.0.0.1 microsoft.com
  end
end

Figure 4 ZeuS 1.2.4.2 configuration file highlighting keywords
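The keyword search and file carving suggested above can be driven directly by the entry ... end structure of Figure 4. The following is an added example, not code from the paper: a Python routine that carves ZeuS 1.2.4.2-style configuration blocks out of a raw byte buffer (such as an unallocated-space or page-file dump), parses the settings, and pulls out the values an investigator would pivot on. The SAMPLE_DUMP bytes, the INDICATOR_KEYS list and the function names are constructed for illustration.

```python
import shlex

# Constructed sample (not from the paper): bytes of "unallocated space" with a
# ZeuS 1.2.4.2-style configuration fragment embedded between unrelated data.
SAMPLE_DUMP = (
    b"\x00\x00slack\xff\xfe\r\n;Build time: 14:15:23 10.04.2009 GMT\r\n"
    b'entry "StaticConfig"\r\n  url_config "http://localhost/config.bin"\r\n'
    b'  encryption_key "secret key"\r\n  ;blacklist_languages 1049\r\nend\r\n'
    b'entry "DynamicConfig"\r\n  url_server "http://localhost/gate.php"\r\n'
    b'  file_webinjects "webinjects.txt"\r\n  entry "WebFilters"\r\n'
    b'    "!*.microsoft.com/*"\r\n    "@*/login.osmp.ru/*"\r\n  end\r\nend\r\n'
    b"\x00trailing junk"
)
# Settings an analyst pivots on: C&C URLs, the config key, the webinjects file.
INDICATOR_KEYS = ("url_config", "url_compip", "url_loader", "url_server",
                  "encryption_key", "file_webinjects")

def carve_config_blocks(data):
    # Yield each top-level entry ... end block as a list of stripped lines;
    # depth counting keeps nested entries (WebFilters etc.) inside their parent.
    current, depth = [], 0
    for line in (raw.strip() for raw in data.decode("latin-1").splitlines()):
        depth += line.startswith('entry "')
        if depth:
            current.append(line)
            depth -= line == "end"
            if depth == 0:
                yield current
                current = []

def parse_block(lines):
    # Flatten a carved block into (entry name, {setting: tokens}); bare quoted
    # lines (web filters, fakes, TAN grabber rules) are listed under their entry.
    path, settings = [], {}
    for line in lines:
        if not line or line.startswith(";"):        # blank line or ;comment
            continue
        if line.startswith('entry "'):
            path.append(line.split('"')[1])
        elif line == "end":
            path.pop()
        elif line.startswith('"'):
            settings.setdefault(path[-1], []).append(shlex.split(line))
        else:
            key, _, rest = line.partition(" ")
            settings[key] = shlex.split(rest)
    return lines[0].split('"')[1], settings

def indicators(data):
    # (entry name, {indicator: value}) for every config block carved from data.
    return [(name, {k: v[0] for k, v in s.items() if k in INDICATOR_KEYS and v})
            for name, s in map(parse_block, carve_config_blocks(data))]
```

Run against a real dump, the same routine also surfaces the WebFilters and TANGrabber URL patterns, which can be matched against the recovered webinjects file to tie a configuration to a built trojan.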


set_url https://banking*.anz.com/* GPL
data_before
Balances and Transactions
data_end
data_inject
data_end
data_after