
Information Security

2013
VERSION 3
MISSIONMAN
and Anti-Forensics
P a g e |1

Foreword

Computer security is not just a science but also an art. It is an art because no system can be considered secure without an examination of how it is to be used. All components must be examined, and you must know how an attacker goes about a system before you can truly understand how to best defend yourself. This is where this guide comes in; it exists for the purpose of examining these methods of attack and the implementation of attack mitigation. You will learn the common techniques used for attack and how to protect yourself from them. This guide should not be used as an in-depth analysis of each attack, but as a reference for each of the attacks that exist.



Acknowledgements

RogerNyght

I want to thank RogerNyght for creating the Tails Guide. This amazing guide steps you through the process of installing and using Tails at home as well as the features that it hosts. Anyone thinking about using this Operating System for true anonymity and security should read this guide in its entirety. All credits, attributions, and works go to him for this section. Thanks again!

CuriousVendetta, Goodguy, RogerNyght, and All

After writing this guide, it was apparent that there was a bunch of errors littered throughout the thing. Thanks to everyone for spending the time going over it and performing a sanity check. It was found that I am only half as crazy as I thought. Thanks everyone!



Table of Contents

Chapter 1 - The CIA Triad ..... 9
Chapter 2 - Recommendations ..... 10
2.1. Learn how to chat ..... 12
2.2. Intro to Tails ..... 14
2.3. Intro to Whonix ..... 15
Chapter 3 - Encryption ..... 20
3.1. Encryption Dealing with Confidentiality ..... 21
3.2. Encrypting Files or the Hard Drive ..... 23
3.3. Securely Exchanging Messages, Data, and Signing Data ..... 29
3.4. Steganography ..... 34
3.5. Authentication Factors ..... 34
3.6. Password Attacks and Account Recovery Attacks ..... 37
3.7. Creating Secure Passwords ..... 37
3.8. Hashing, Hashing Collisions, and Birthday Attacks ..... 38
3.9. Cold Boot Attacks ..... 39
Chapter 4 - Data ..... 41
4.1 A Quick Word ..... 42
4.2 Deleted Data ..... 42
4.3 Deleting Data Securely ..... 44
4.4 File Slack ..... 45
4.5 Alternate Data Streams ..... 47
4.6 Where to Hide Your Data ..... 49
4.7 Changing File Headers to Avoid Detection ..... 49
4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache ..... 51
4.9 Temporary Application Files and Recent Files Lists ..... 53
4.10 Shellbags ..... 58
4.11 Prefetching and Timestamps ..... 60
4.12 Event Logs ..... 60
4.13 Printers, Print Jobs, and Copiers ..... 61
4.14 Cameras, Pictures, and Metadata ..... 62
4.15 USB Information ..... 65
4.16 SSD - Solid State Drives ..... 65
4.17 Forensic Software Tools ..... 66
Chapter 5 - Continuity ..... 68
5.1 Security Concerns with Backups ..... 69
5.2 Security Concerns with Sleep and Hibernation ..... 69
5.3 Ensuring Information and Service Continuity ..... 70
5.4 DoS and DDoS Attacks ..... 71
Chapter 6 - System Hardening ..... 75
6.1. Uninstall Unnecessary Software ..... 76
6.2. Disable Unnecessary Services ..... 76
6.3. Disable Unnecessary Accounts ..... 77
6.4. Update and Patch Windows and Other Applications ..... 78
6.5. Password Protection ..... 79
Chapter 7 - Antivirus, Keyloggers, Firewalls, DLPs, and HIDs ..... 81
7.1. Antivirus ..... 82
7.2. Hardware Keyloggers ..... 83
7.3. Firewalls ..... 83
7.4. DLPs ..... 83
7.5. HIDSs and NIDs ..... 84
7.6. Other Considerations ..... 84
Chapter 8 - Networks ..... 85
8.1. Intro to Networking ..... 86
8.2. Private vs. Public IP Address ..... 91
8.3. MAC Address ..... 91
8.4. Public Wireless ..... 92
8.5. Security Protocols ..... 96
8.6. Virtual Private Networks ..... 99
8.7. Chat Sites - How Attackers Attack ..... 104
8.8. Other Considerations ..... 108
8.9. Extra: MAC Address Spoofing and ARP Attacks - How They Work ..... 110
Chapter 9 - Web Browser Security ..... 113
9.1. Downloading and Using the Tor Browser Bundle ..... 114
9.2. Configuring Web Browsers and Applications to Use Tor ..... 115
9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care? ..... 117
9.4. JavaScript ..... 117
9.5. Cookie Protection and Session Hijacking Attacks ..... 118
9.6. Caching ..... 119
9.7. Referers ..... 119
9.8. CSRF/CSRF Attacks (XSS Attack) ..... 120
9.9. Protect Browser Settings ..... 120
9.10. DNS Leaks ..... 121
9.11. User Awareness, Accidents and System Updates ..... 122
9.12. Limitations ..... 122
9.13. Extra ..... 123
Chapter 10 - Tails ..... 124
10.1.1. Tails concept ..... 125
10.1.2. Why can't I use another OS / Windows in a VM? ..... 126
10.2.1. How to choose strong passphrases ..... 126
10.3.1. Requirements for Tails ..... 127
10.4.1. First steps ..... 127
10.4.2. Using Tails as a completely amnesic system ..... 127
10.4.3. Using Tails with a persistent volume ..... 128
10.5.1. Encryption of an external drive ..... 128
10.5.2. How to mount a LUKS encrypted volume in Windows ..... 128
10.6.1. Secure deletion of a drive or partition ..... 129
10.7.1. Using the persistent volume ..... 129
10.7.2. Storing files on the persistent volume ..... 130
10.7.3. Firefox bookmark management ..... 130
10.7.4. The password manager - Passwords and Encryption Keys ..... 131
10.7.5. Pidgin for IM/Chat/IRC ..... 132
10.8.1. Installing software: The basics ..... 132
10.8.2. Recommended software additions ..... 133
10.8.3. I2P / iMule (not recommended) ..... 135
10.8.4. TorChat (not working) ..... 135
10.9.1. File and folder handling in Terminal ..... 135
10.10.1. General advice ..... 136
Chapter 11 - Hacking Tools ..... 138
Fingerprinting and Reconnaissance ..... 140
DNS Interrogation Tools: ..... 140
Email Tracking Tools: ..... 140
Google Hacking Tools: ..... 140
Monitoring Web Updates Tools: ..... 141
Traceroute Tools: ..... 141
Website Footprinting Tools: ..... 141
Website Mirroring Tools: ..... 141
WHOIS Lookup Tools: ..... 141
Other Links: ..... 141
Scanning Networks ..... 142
Banner Grabbing Tools: ..... 142
Censorship Circumvention Tools: ..... 142
Custom Packet Creator: ..... 143
Network Discovery and Mapping Tools: ..... 143
Packet Crafter Tool: ..... 143
Ping Sweep Tools: ..... 143
Proxy Tools: ..... 143
Scanning Tools: ..... 144
Tunneling Tools: ..... 144
Vulnerability Scanning Tools: ..... 144
System Hacking ..... 145
Anti-Rootkits: ..... 145
Anti-Spywares: ..... 145
Covering Tracks Tools: ..... 145
Keyloggers ..... 146
Password Cracking Tools: ..... 146
Viruses and Worms ..... 147
Virus Programs and Generators: ..... 147
Viruses: ..... 147
Worms Maker: ..... 147
Sniffing ..... 148
ARP Spoofing Detection Tools: ..... 148
DHCP Starvation Attack Tools: ..... 148
MAC Flooding Tools: ..... 148
MAC Spoofing Tools: ..... 148
Sniffing Tools: ..... 148
Social Engineering ..... 149
DoS ..... 149
Session Hijacking ..... 150
Session Hijacking Tools: ..... 150
Hacking Webservers ..... 150
Information Gathering Tools: ..... 150
Webserver Attack Tools: ..... 150
Session Hijacking Tools: ..... 150
Vulnerability Scanning Tools: ..... 151
Web Application Security Scanners: ..... 151
Webserver Footprinting Tools: ..... 151
Webserver Security Tools: ..... 151
Hacking Web Applications ..... 151
Session Token Sniffing: ..... 151
Web Application Hacking Tools: ..... 152
Web Service Attack Tools: ..... 152
Web Spidering Tools: ..... 152
Webserver Hacking Tools: ..... 152
Web Application Pen Testing Tools: ..... 152
Web Application Security Tools: ..... 153
SQL Injection ..... 153
SQLi Injection Tools: ..... 154
Hacking Wireless Networks ..... 154
Bluetooth Hacking Tools: ..... 155
GPS Mapping Tools: ..... 155
Mobile-based Wi-Fi Discovery Tools: ..... 155
RF Monitoring Tools: ..... 155
Spectrum Analyzing Tools: ..... 155
WEP Encryption: ..... 155
WEP/WPA Cracking Tools: ..... 155
Wi-Fi Discovery Tools: ..... 156
Wi-Fi Packet Sniffer: ..... 156
Wi-Fi Predictive Planning Tools: ..... 156
Wi-Fi Security Auditing Tools: ..... 156
Wi-Fi Sniffer: ..... 156
Wi-Fi Traffic Analyzer Tools: ..... 156
Wi-Fi Vulnerability Scanning Tools: ..... 157
Evading IDS, Firewalls, and Honeypots ..... 157
Firewalls: ..... 157
Honeypot Detecting Tools: ..... 158
Honeypot Tools: ..... 158
Packet Fragment Generators: ..... 158
Buffer Overflow ..... 158
Chapter 12 - Standard Acronyms ..... 159
Chapter 13 - Download Links ..... 159


Chapter 1 - The CIA Triad

In this guide I am going to reference a well known security policy that was developed to identify problem areas and the recommended solutions when dealing with information security. This policy is known as the CIA triad and stands for: Confidentiality, Integrity, and Availability. This triad was developed so people will think about these important aspects of security when implementing security controls. There should be a balance between these three aspects of security to ensure the proper use and control of your security solutions.

Confidentiality is, as the word implies, having something be confidential or secure. In essence, privacy is security, and confidentiality means that third-party individuals cannot read information if they do not have access to it. Data to think about keeping confidential is data stored on a computer (temporary data, saved data, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality will be the main focus point of this article as it is most often referred to as the most important aspect of security.

The I in CIA stands for Integrity and is specifically referring to data integrity. Integrity is the act of ensuring that data was not modified or deleted by parties that are not authorized to do so. It also ensures that if the data was changed, an authorized person can correct changes that should not have been made in the first place. Simply, if you send a message to someone, you want to make sure that the person does not receive a message that was altered during transit. Integrity also confirms that you are in fact speaking to whom you think you are speaking to (for example: when you download an add-on from a website, you want to make sure that you are downloading from that website and not from an unscrupulous third party).

Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not only does data have to be available to you, but it has to be reasonably accessible. There's no point in security controls if you cannot access the data! This component is a concern, but for the average end user there is not much that can be done to ensure availability when dealing with web pages, IRC servers or anything else managed by a third-party host. For this reason we will not be discussing Availability in this guide, except for backing up your data.


Chapter 2 - Recommendations

Windows was not built with security in mind, therefore it should not be used. Tails is recommended as it is a live DVD or USB that was created to preserve your anonymity and privacy (Chapter 10). It allows you to browse the internet anonymously and safely as all applications are preconfigured to run through Tor. Other uses include encrypting your files, sending and receiving emails and instant messages, photo editing, document editing and more. Tails also operates completely in RAM so it does not leave a trace on your computer. RAM is Random Access Memory and is wiped when the machine shuts down. Everything that you want saved is done so in secure, encrypted persistent storage. Tails link: Here. A step by step for installing Tails can be found below. Another distro I would recommend is Whonix. Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. If you cannot use Tails or Whonix, or better yet do not want to use them, you should make sure that Windows is secure.

Windows:

- TrueCrypt - I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that all evidence is encrypted, thus allowing you to skip Chapter 4. If you do not want to enable FDE, I would create a container and have a Virtual Machine inside the container. Otherwise, EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS. (Section 3.2)
- Tor Browser Bundle - This allows you to browse the internet anonymously. Using TBB will also allow you to visit .onion sites as well as to join the .onion IRC servers with TBB's instance or Tor. (Section 9.1)
- Anti-Virus (AV) and a Firewall - This will keep your computer protected from viruses as well as remote intruders (most all-in-one antivirus software has these features). (Section 7)
- I have decided to move a recommendation from later on in this guide to up here. One good recommendation is to create and use a standard account with no Administrative privileges. This way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would make sure your username does not contain your full name, as many applications such as Pidgin can share this information. Furthermore, make sure that you create a Windows password that is difficult to guess/attack, as your computer can be explored over the network using that password.
- (Optional) TorChat - TC is a chat application that runs over Tor to provide an anonymous way to chat. (Section 2)
- (Optional) IRC Client - An IRC client allows you to enter Tor chat rooms to talk to many individuals at one time. You will need one with proxy settings so you can run the client through Tor. Make sure to NOT use DCC as it can expose your IP address. There are several IRC servers that run over Tor (.onion addresses) that you can use. They are all logically connected, so connecting to one will connect you to all. (Section 2)
- (Optional) GPG - For sharing messages and files back and forth over a common medium, GPG ensures confidentiality and integrity. (Section 3.3)

Sample Security Checklist:

- Check authentication
- Check authorization and access control
- Audit your system
- Verify firewalls, proxy settings, and other security settings
- Verify encryption for both public and private key encryption
- Check communication encryption, including: email, chat, web browsing, and Operating System data
- Update system software, including Anti-Virus software and scanners
- Back up and store sensitive data securely
- Harden your system by removing unnecessary software and services

Things to be mindful of:

- Don't assume that something is secured by another layer or process. Verify that the data is secured and that the data being transmitted over the network or the internet is protected from attackers. Different levels of sensitivity mean different levels of security.
- Know the limitations of each security product. Each product addresses a specific set of issues within a specific context. Make sure to know the differences between the employed solutions and how they protect you. For example, using a VPN does not stop anyone from stealing your laptop and gathering all your data. Use several layers of security for maximum security.
- Do not rely on authentication at session initiation alone. Use several levels of authentication to ensure that the person you are communicating with is who they say they are, and vice versa.
- Assume everything you use is insecure and treat everything like a security threat. Build your security model based on what you do; security is dynamic, not static.
- Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when things go bad. Plan, and practice that plan. Good security means nothing if what you do does not work.

2.1. Learn how to chat

There are a couple of ways to chat over Tor depending on your wants and needs. In this guide, I will only be talking about two ways to chat with other people: IRC and TorChat. Using an IRC server allows you to chat with many people at one time as well as chat with another person in a private chat room. TorChat, on the other hand, only allows you to chat privately with someone, but it allows you to share files with another person whereas IRC does not.

The first way I will describe is how to connect to the Onionnet IRC. The Onionnet is a network of servers that are connected together to increase redundancy. For those of you who don't know, IRC stands for Internet Relay Chat and was intended for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file sharing. When using the Onionnet servers however (as described below), DCC file sharing is disabled and other security restrictions apply.

Set up IRC Client:

1. Download your IRC client. Personally, I use Pidgin. The link is provided for you: http://pidgin.im/. There is a portable version of Pidgin available if you plan on using the client on several machines (which is not recommended, as the computer can contain spyware). Also, Pidgin allows you to connect to several servers at once in case you get disconnected from a server or a netsplit occurs
2. To create an account, click Accounts followed by Manage Accounts. You can add as many accounts as you want; I created a few accounts to connect to the different IRC servers for the reason described above
3. Select Add. Under Basic, your settings should look like this: Protocol: IRC, Username: your username, Server: IRC server (listed below), Local alias: your username. Again, you can use any of the several Tor IRC servers as they are all connected. Alternatively, you can use one of the several IRC relays instead of connecting to the Tor servers directly.
4. Under Advanced, your settings should look like this: Port: 6667, Username: your username. In Pidgin, if you do not specify a username under the Advanced settings, your username will be exposed. When you enter or leave the chat room the username will appear before the hostname. For example, if your ID is TheBest and your username is Bob, then it will appear as TheBest [Bob@OnionNet]. If you are trying to use OFTC, you will replace port 6667 with port 9999 as seen in the IRC server list below (you can also remove the :9999 below if using Pidgin)
5. Under Proxy, your settings should look like this: Proxy type: SOCKS5, Host: 127.0.0.1, Port: 9150 (Tor port). If you are using Privoxy, the port will be 8118
6. Click Buddies and Join a Chat to join a channel. Add Chat will permanently add the channels to the Chats list so you don't have to remember the channel name every time. Right-clicking the chat under Chats will give you a host of options. I selected Persistent to receive the messages in the chat room even though they are not currently open. You can use /list to get a list of all the channels or you can use /join #room to join a specific room. #security and #public are two good channels when asking general questions or questions related to privacy or security
7. You can use the /msg username command to send a private message to someone or use the /query username command which will open a new window in both clients for private messaging. I would advise looking up the IRC client commands for full functionality. Also, even though I recommended disabling DCC, the servers disable the functionality altogether
8. Lastly, you should know that most if not all IRC clients cache your username for functionality. Pidgin takes this further by creating logs for specific channels and individual users that you chat with using private messaging, by default. Under Preferences > Logging, you should disable "Log all instant messages" and "Log all chats"

IRC Servers:
Here is a list of the Tor IRC servers (note that all servers are linked):
FTW: ftwircdwyhghzw4i.onion
Nissehult: nissehqau52b5kuo.onion
Renko: ircd5ilf47whang4.onion
OFTC: irc.oftc.net:9999 (NOT ONIONNET: CLEARNET IF NOT CONFIGURED FOR TOR)

The other method I wanted to talk about is using TorChat. TorChat is a peer-to-peer instant messenger with a completely decentralized design, built on top of Tor's location hidden services, giving you extremely strong anonymity while being very easy to use without the need to install or configure anything. This program runs completely portable and can be easily moved, protected or backed up. Like I said before, TorChat can be used to share data with another person through Tor, as it was built natively with security in mind.

Set up Torchat:

1. Download TorChat from GitHub as it is now the official source for the TorChat project. At the time of writing this article, the direct link is https://github.com/prof7bit/TorChat. Once the page is loaded, click the Downloads button over on the right. Select the latest build as denoted by the version number. Make sure to download the Windows executable version for Windows, the Debian/Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to do. If the build is in Alpha, then it is not recommended
2. The file will be downloaded as a .zip file. Once the file is fully downloaded, open the file and extract the contents with your favorite archive file manager. I extracted the file to the default location in Windows, which is the Downloads folder. You can move the folder at any time as TorChat is portable
3. Open the TorChat folder, expand the bin folder, and run torchat.exe to start TorChat for the first time. Once loaded, you will be provided your TorChat ID (16 characters comprised of letters and numbers)
4. To add a contact, just right-click in the white space of the program and click Add Contact. Alternatively, you can edit the buddy list file in the bin directory. Double-clicking a contact will initiate a chat (right-clicking and selecting Chat will accomplish the same thing). You can also edit and delete a contact by right-clicking the user and selecting the appropriate function. Sending a file is as simple as dragging the file into the chat window or right-clicking the username and selecting Send file (Windows can only send one file at a time whereas Debian/Ubuntu can send many at one time)
5. If you are upgrading your version of TorChat, then make sure to back up and copy over bin\buddylist.txt, bin\Tor\hidden_service\hostname, and bin\Tor\hidden_service\private_key. If you do not copy over the latter two files, you will be provided a new TorChat ID

2.2. Intro to Tails

If you are handling anything sensitive that you don't want found, or if you don't want to leave any trace on your computer, I recommend you use another Operating System altogether. A good alternative that was built with security in mind is Tails. Tails was built to route all internet traffic through Tor, to run completely in RAM, and to save nothing unless explicitly configured to. In this section, I will only be talking about installing Tails on a DVD or USB as there is another, thorough guide that can be found in section 10.

Installing Tails:

1. Download Tails from the official Tails website. You can either download Tails via the direct link or the torrent, which might be faster. However, the direct link is recommended, as is downloading and verifying the Tails signature. The link to the Tails download page is here. Under option 2, select the latest release to start downloading. To verify the download, use GPG to verify the Tails signature to ensure that your image has not been modified in any way
2. Once downloaded you have a couple of options: you can burn the image to a DVD or a USB (the image is too big to fit on a CD). If you burn the image on a DVD-R, an attacker cannot modify the contents as the disk is read-only. This also means that you cannot save anything or make any permanent changes on the disk. DVD-RW and USB can be written to and rewritten to, meaning files and settings can be saved in persistent storage. But this comes at a risk, as an attacker can maliciously modify Tails
3. Installing an image to a DVD is easy; all you need is the right software. ISO Image Burner is a good software for Windows that can do this for you. Macs and computers running Ubuntu can burn the image natively. Once your ISO burning program is open, insert the blank DVD into the disk drive and burn the Tails ISO image to the blank disk (or a DVD-RW disk)
4. When installing the Tails ISO image onto a USB, it is recommended that you download and install Oracle VM VirtualBox, and use that virtualization program to boot into Tails. Otherwise, you cannot create persistent storage for saving files and settings. Once you successfully boot into Tails, you can use the built-in Tails USB installer to install Tails on the USB device
5. I downloaded and installed VirtualBox from here. Once installed, start VirtualBox and click New to create a new VM. Fill out the Name textbox, select Linux for the Type, and select Other Linux for the Version. Proceed past the next page, select Do not add a virtual hard drive, and click Create. At the top of the Oracle VM VirtualBox Manager click on Settings to modify the settings of the VM you just created. Select Storage and next to Controller: IDE click on the little disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you just downloaded. Under Controller: IDE you should see the image you just selected. Select that image and check Live CD/DVD over on the right under Attributes. Click OK. Start the VM to boot into Tails.
6. At this point you should be asked if you would like to view more options. I am going to kill two birds with one stone and cover how to install Tails on a USB as well as what I recommend after you install the ISO on the USB. Select Yes on this screen and create an Administrator password on the next screen. Under Applications > Tails you can create a persistent volume as well as use the Tails USB Installer. When creating a persistent volume, I would select all the applications you will use, as well as whether you are going to save any materials.

2.3. Intro to Whonix

Quoting directly from the manufacturer's website: "Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible."

Features (from the Whonix website):
Adobe Flash anonymously
Browse The Web Anonymously
Anonymous IRC
Anonymous Publishing
Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
Add a proxy behind Tor (Tor -> proxy)
Based on Debian GNU/Linux.
Based on the Tor anonymity network.
Based on Virtual Box.
Can torify almost any application.
Can torify any operating system
Can torify Windows.
Chat anonymously.
Circumvent Censorship.
DNSSEC over Tor
Encrypted DNS
Full IP/DNS protocol leak protection.
Hide the fact that you are using Tor
Hide the fact you are using Whonix
Hide installed software from ISP
Isolating Proxy
Java anonymously
Javascript anonymously
Location/IP hidden servers
Mixmaster over Tor
Prevents anyone from learning your IP.
Prevents anyone from learning your physical location.
Private obfuscated bridges supported.
Protects your privacy.
Protocol-Leak-Protection and Fingerprinting-Protection
Secure And Distributed Time Synchronization Mechanism
Security by Isolation
Send Anonymous E-mails without registration
Stream isolation to prevent identity correlation through circuit sharing
Virtual Machine Images
VPN/Tunnel Support
Transparent Proxy
Tunnel Freenet through Tor
Tunnel i2p through Tor
Tunnel JonDonym through Tor
Tunnel Proxy through Tor
Tunnel Retroshare through Tor
Tunnel SSH through Tor
Tunnel UDP over Tor
Tunnel VPN through Tor
Tor enforcement
TorChat
Free Software, Libre Software, Open Source
Whonix is produced independently from the Tor (r) anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

Note: When using Whonix, you will be responsible for three Operating Systems: the Whonix gateway, the Whonix workstation, and the host machine. Whonix is only intended to run on VirtualBox, so VMware is not recommended.

Setup Whonix:

1. First things first: download both the gateway and the workstation from the manufacturer's website. Download links can be found here
2. You will need to download and install VirtualBox
3. Next step is to import both of the Virtual Machines into VirtualBox: use VirtualBox to open both the .ova images (File > Import Appliance)
4. Click Choose, select the Whonix-Gateway .ova from your download folder, and press Open
5. Click Next until you reach the Appliance Import Settings. Click Import without changing any of the settings. Repeat the process for both VMs
6. Now start both virtual machines (gateway followed by the workstation)
7. When you log in for the first time, I recommend changing the password:
a. At the terminal enter: sudo su
b. Enter the default password: changeme
c. Change the password using this command: passwd (and passwd user) for both VMs
8. To learn more about Whonix security and additional functionality, go here: https://www.whonix.org/wiki/Main_Page

After you set up both the Whonix workstation and gateway, you can customize it however you want. Unlike Tails, Whonix is entirely persistent with a starting size of 50 GB of space. If you need to increase the size of Whonix, you will need to use VirtualBox. I recommend increasing the size pre-setup versus after the fact as it will be much easier (and safer). Once you are done and want to shut down the machine, you can use the Shutdown button on the workstation and type sudo poweroff in the gateway. Another helpful command is sudo arm in the gateway to check the status of Tor; use the character N to force a new identity when you are viewing the arm output.

Chat in Whonix (using XChat):

XChat is an IRC client and is recommended as it is already pre-installed and configured to be used on Whonix. The following steps walk you through the process of configuring a username and adding the onion servers as found in the previous chat section (section 1.1).
1. Once XChat is opened, click the XChat button from the menu bar
2. Select Network List from the dropdown
3. Fill in the information under User Information. These names are used by default for each connection and will be visible to everyone
4. Under Networks, click Add to add a server that you will connect to
5. Give this new value a name. For example, I entered Onion, so I knew it contained all the IRC servers for Onionnet
6. Press the Enter key on your keyboard and select the Edit button in the program
7. Once you see the Edit page come up, you will see one default server in the "Servers for Test" list. You can select that item and click Edit
8. The format for adding a new server is as follows: serveraddress.onion/port. For example, I entered this: ftwircdwyhghzw4i.onion/6667
9. Remember, the program already configured the proxy information, so this is all you need to do. If you want specific channels to open once you are connected to the server, you can add them to the Favorites list. You can now close this page
10. Once you are back to the Network List, select the newly created network and press Connect
11. You can use the same IRC commands as in Section 1.1.

Chat in Whonix (using Torchat):

The following instructions were taken directly from the Whonix website.
On Whonix-Gateway
1. Open torrc using this command: sudo nano /etc/tor/torrc
2. Search for:
a. #HiddenServiceDir /var/lib/tor/torchat_service/
b. #HiddenServicePort 11009 192.168.0.11:11009
3. Once found, remove the comment characters from the beginning of each line
4. Save the file
5. Reload Tor using this command: sudo service tor reload
6. Get your onion address
a. First enter this command to become root: sudo su. Enter your password when prompted
b. Next, open the file that contains your onion address: nano /var/lib/tor/torchat_service/hostname
7. You can back up your private key in case you need to restore it on another machine: nano /var/lib/tor/torchat_service/private_key

On Whonix-Workstation
1. Open up the terminal window: Start > Terminal
2. Install TorChat on the machine: sudo apt-get install torchat
3. Open torchat.ini, which is in the hidden folder /home/user/.torchat/torchat.ini. Look for the following line: own_hostname=<your onion hostname without the .onion ending>
4. Replace it with your onion hostname. For example, if your onion hostname is idnxcnkne4qt76tg.onion, enter idnxcnkne4qt76tg, so it looks like this: own_hostname=idnxcnkne4qt76tg

KGPG

Whonix uses KGpg, which is a simple interface for GnuPG, a powerful encryption utility. GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. For ease of use, you can import the keys into KGpg and use the GPG commands found in section 4 for full functionality. To import a public key in KGpg: open the program and click Import Key from the menu bar. Select the public key you downloaded and click Open. Once the keys are imported, you can encrypt data using the program (right-click the file in the Dolphin browser, and click Encrypt) or use the command line switches. GnuPG is recommended for secure communication.

Chapter 3_ Encryption

Encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can. Using cryptography, three purposes are fulfilled: confidentiality, integrity, and non-repudiation. Encryption has long been used by militaries and governments to facilitate secret communication. It is now commonly used in protecting information within many kinds of civilian systems. Also, many compliance laws require encryption to be used in businesses to ensure that confidential client data is secured if the device or data is stolen. In this section I will be talking about using encryption for confidentiality and integrity. Non-repudiation is used, but is not normally implemented for our purposes.

Topics

This Chapter will cover the following topics:
Encryption Dealing with Confidentiality
Encrypting Files or the Hard Drive
Securely Exchanging Messages or Data
Steganography
Authentication Factors
Password Attacks and Account Recovery Attacks
Creating Secure Passwords
Hashing, Hashing Collisions, and Birthday Attacks
Cold Boot Attacks

3.1. Encryption Dealing with Confidentiality

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. The earliest forms of encryption were the scytales and the creation of ciphertexts. These forms of cryptography would rely on both parties knowing the key used or the correct cipher before the message could be delivered. Here's an example of a typical cipher, with a grid of letters and their corresponding numbers:

1 2 3 4 5
1 A B C D E
2 F G H I/J K
3 L M N O P
4 Q R S T U
5 V W X Y Z


Let's say a general wanted to send the message "I love ponies"; he would write the series of corresponding numbers: 4213431551534333425134. Only the person with this cipher would be able to read the message. Now obviously, to make the message more difficult to decipher, the letters inside the table would be arranged differently. Computer encryption uses algorithms to alter plaintext information into a form that is unreadable. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations. Today's AES standard is AES 256-bit encryption, which has 2^256 possible combinations.
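The grid above worked through in Go, as an added example that is not code from this guide: it encodes and decodes with the column-then-row digits the general's message uses, builds a rearranged (keyed) square to show that the arrangement of the table is the key, and counts the possible arrangements against the 128-bit key space quoted above. The keyword-based NewSquare helper is my own construction.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// plainAlphabet is the grid from the text read row by row: 25 cells, with
// I and J sharing one cell so the 26-letter alphabet fits a 5x5 square.
const plainAlphabet = "ABCDEFGHIKLMNOPQRSTUVWXYZ"

// Square is a 5x5 Polybius square; cells holds the letters row by row.
type Square struct{ cells string }

// NewSquare builds a keyed square (hypothetical helper, not from the guide):
// the keyword's letters come first (duplicates dropped, J folded into I),
// then the rest of the alphabet. An empty keyword gives the grid in the text.
func NewSquare(keyword string) Square {
	var b strings.Builder
	seen := make(map[rune]bool)
	for _, r := range strings.ToUpper(keyword) + plainAlphabet {
		if r == 'J' {
			r = 'I'
		}
		if r < 'A' || r > 'Z' || seen[r] {
			continue
		}
		seen[r] = true
		b.WriteRune(r)
	}
	return Square{cells: b.String()}
}

// Encode writes each letter as its column digit followed by its row digit,
// which is the order the text uses ("I" in row 2, column 4 becomes 42).
// Characters that are not letters (spaces, punctuation) are dropped.
func (s Square) Encode(msg string) string {
	var out strings.Builder
	for _, r := range strings.ToUpper(msg) {
		if r == 'J' {
			r = 'I'
		}
		idx := strings.IndexRune(s.cells, r)
		if idx < 0 {
			continue
		}
		row, col := idx/5+1, idx%5+1
		fmt.Fprintf(&out, "%d%d", col, row)
	}
	return out.String()
}

// Decode reverses Encode. It rejects an odd number of digits and any digit
// outside 1..5, so a corrupted or truncated message is reported, not misread.
func (s Square) Decode(digits string) (string, error) {
	if len(digits)%2 != 0 {
		return "", fmt.Errorf("odd number of digits: %d", len(digits))
	}
	var out strings.Builder
	for i := 0; i < len(digits); i += 2 {
		col, row := int(digits[i]-'0'), int(digits[i+1]-'0')
		if col < 1 || col > 5 || row < 1 || row > 5 {
			return "", fmt.Errorf("bad coordinate %q at offset %d", digits[i:i+2], i)
		}
		out.WriteByte(s.cells[(row-1)*5+(col-1)])
	}
	return out.String(), nil
}

// KeySpace returns the number of distinct ways to arrange the 25 letters in
// the square (25!) beside the 2^128 combinations of a 128-bit key, which is
// the comparison the text draws between classical ciphers and AES.
func KeySpace() (squares, aes128 *big.Int) {
	squares = big.NewInt(1)
	for i := int64(2); i <= 25; i++ {
		squares.Mul(squares, big.NewInt(i))
	}
	aes128 = new(big.Int).Lsh(big.NewInt(1), 128)
	return squares, aes128
}

func main() {
	plain := NewSquare("")
	ct := plain.Encode("I love ponies") // the general's message from the text
	fmt.Println("plain square:", ct)
	pt, err := plain.Decode(ct)
	fmt.Println("decoded:", pt, err)
	keyed := NewSquare("ponies") // same message, rearranged table
	fmt.Println("keyed square:", keyed.Encode("I love ponies"))
	sq, aes := KeySpace()
	fmt.Println("25! =", sq, " 2^128 =", aes)
}
```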

Done right, encryption protects private or sensitive data by making it difficult for the attacker to uncover the plaintext. This is the idea of encryption: to make it harder for others to uncover our secrets. The idea behind it is that whatever amount of expertise and computer time/resources is needed to decrypt the encrypted data should cost more than the perceived value of the information being decrypted. Knowing when to use encryption, how it works, and what type of encryption to use depending on the circumstances will allow you to better your security and make it harder for an attacker to do his job.

As we said before, there are many reasons for encryption. One purpose of encryption is the act of transforming data from a state that is readable to a state that cannot be read by a third party that does not have permission. The result of the process is encrypted information (in cryptography, referred to as ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts information as well as decrypts it.

There are a few types of encryption that should be used for two different purposes: symmetric and asymmetric (public key encryption). Symmetric encryption can also be known as private key encryption or single key encryption. Symmetric means the encryption and decryption processes are reverses of each other. I must share the secret passphrase with anyone I want to be able to decrypt my encrypted data. It is used the most because it is fast, easy to use, and is the most widely needed. You will use this form of encryption when there is only one password being used (such as TrueCrypt or another simple file encryption utility). The problem with this is, as stated before, it uses only one key, so exchanging that key is not done securely between two people. Asymmetric encryption fixes that problem by utilizing two keys instead of just one.

Asymmetric (or public key) encryption uses two keys, one key to encrypt information and the other to decrypt the information. Asymmetric means that the process of encryption with the public key can only be reversed (decrypted) by using the private key (and vice versa). Although a message sent from one computer to another won't be secure, since the public key used for encryption is published and available to anyone, anyone who picks it up can't read it without the private key. This type of encryption is slower, but is more secure when sending confidential information to someone, signing data, or verifying that a person is who they say they are. If you want to send me an encrypted message, you must have my public key, and only someone who has access to my private key (presumably, just me) can decrypt messages encrypted with my public key. So, when Bob wants to send you a message, his computer encrypts the document with a symmetric key, then encrypts the symmetric key with your public key. When you receive the data, your computer uses its own private key to decode the symmetric key. It then uses the symmetric key to decode the document.
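The exchange just described (Bob encrypts the document under a symmetric key and wraps that key with your public key), as an added example in Go that is not from this guide. RSA-OAEP for the key and AES-256-GCM for the document are my choices, since the text names no particular algorithms; the Envelope type and all function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what Bob sends: the document under a fresh symmetric key, plus
// that key encrypted with the recipient's public key.
type Envelope struct {
	WrappedKey []byte // AES-256 key, encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // document encrypted with AES-256-GCM, auth tag appended
}

// NewKeyPair generates the recipient's 2048-bit RSA key pair; Bob only ever
// needs the public half.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM wraps a 32-byte key as AES-256 in GCM mode (authenticated
// encryption, so any change to the ciphertext is detected on decryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: a random symmetric key encrypts the (possibly
// large) document; the slow public-key operation only covers the 32-byte key.
func Seal(recipient *rsa.PublicKey, document []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, document, nil),
	}, nil
}

// Open is the recipient's side: the private key recovers the symmetric key,
// which then decrypts the document. Any other private key, or any change to
// the ciphertext, makes this return an error rather than garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt document: %w", err)
	}
	return pt, nil
}

func main() {
	you, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document from Bob") // constructed input
	env, err := Seal(&you.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	pt, err := Open(you, env)
	fmt.Println(string(pt), err, bytes.Equal(pt, doc))

	stranger, _ := NewKeyPair()
	_, err = Open(stranger, env) // wrong private key: fails, no plaintext
	fmt.Println("stranger:", err)
}
```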

[Figure: Symmetric and Asymmetric encryption]

A last word of note when using encryption is to make sure that you use open source encryption programs such as TrueCrypt, as most companies will hand over the encryption keys to law enforcement. Most companies use the EnCase Decryption Suite to decrypt a suspect's hard drive or other portable media device. This list is pulled directly from EnCase and provides a list of built-in keys that can be used to read media on encrypted devices:

3.2. Encrypting Files or the Hard Drive

You will most commonly want to encrypt files for storage or if you want to upload them to several people securely. Using your computer is also a security risk if you simply created a Windows password and stopped your security there. Windows hashes your password and checks that against the password you enter when logging into the device. In no way does it attempt to encrypt your files, meaning they are all in the clear just waiting for someone to take them. And even if you use Windows encryption, law enforcement can just request the keys. Furthermore, many of you think that using BIOS passwords is great for security, which is also not the case. They can be broken as easily as a Windows password can.

There are several programs that run outside of Windows to either remove or crack a password. Removing the password does just that: removes the password completely. Cracking a password, on the other hand, allows you to obtain the password instead of removing it. Doing so allows you to log into the device as the user or, as many people do, use the same password across several logins across several systems.

Trinity Rescue Kit (removing a password):

1. Use this link to download TRK: click here. I recommend using the executable, self-burning from Windows only format to easily burn the image to a CD
2. Once the burning process is complete, keep the CD in the CD tray and reboot your device
3. Boot up from the device (you might need to google how to do so)
4. When TRK boots up, you will see a bunch of options. Select the first option: Run Trinity Rescue Kit 3.4 (default mode, with text menu)
5. Click the down arrow until you select: Windows password resetting
6. Click the down arrow again until you reach the desired option. In this example, select the first option: Reset password on built-in Administrator (default action)
7. When prompted, enter 1 to Clear (blank) user password

I won't get into cracking passwords with Ophcrack as that is an involved process. Ophcrack cracks passwords using what they call Rainbow Tables, which basically is a list of stored hashes to be used against the hashes stored on the machine. These tables come in several forms depending on the complexity you are expecting. You will need to download and store these tables so they can be accessed when you are attempting to attack a device. Also, make sure you have plenty of space on the hard drive as they can reach a couple of terabytes of data.

There are a couple of programs that support this type of file and folder encryption and most of you have probably already heard of them. The programs I am referring to are TrueCrypt and 7-Zip, and they both provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire hard drive or to create an encrypted container. 7-Zip, on the other hand, is a program that allows you to create an encrypted archive. Remember that symmetric file encryption has only one key for the encryption and decryption process. So you will need to share the key in clear text if you plan on sharing the files.

Below is an example of a very simple encryption process known as the Caesar Cipher:

In this example, as with the fundamentals of the Caesar Cipher, all the characters are shifted, usually by 3 characters. If Caesar wanted to say "You will never guess this," for instance, he'd write down "BRXZLOOQHYHU JXHVVWKLV" instead. As you can see, the text is also broken up into even groups in order to make the size of each word less obvious. You can change the order of the letters and change the number of shifts per letter to complicate the process for the attacker even further.
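An added example in Go, not from this guide, that reproduces the shift and grouping described above and then shows why changing the number of shifts adds no real protection: all 26 possible shifts can be tried at once, so the key is never needed. The 5-letter grouping and the crib-search helper are my own choices.

```go
package main

import (
	"fmt"
	"strings"
)

// Shift applies a Caesar shift to the letters of text: each A-Z letter moves
// shift places along the alphabet (wrapping Z back to A). Spaces and
// punctuation are dropped, as in the example in the text; a negative shift
// undoes a positive one.
func Shift(text string, shift int) string {
	shift = ((shift % 26) + 26) % 26
	var out strings.Builder
	for _, r := range strings.ToUpper(text) {
		if r < 'A' || r > 'Z' {
			continue
		}
		out.WriteRune('A' + (r-'A'+rune(shift))%26)
	}
	return out.String()
}

// Group splits text into fixed-size blocks separated by spaces, hiding the
// original word lengths; the group size is my choice, the text fixes none.
func Group(text string, size int) string {
	if size <= 0 {
		return text
	}
	var parts []string
	for i := 0; i < len(text); i += size {
		end := i + size
		if end > len(text) {
			end = len(text)
		}
		parts = append(parts, text[i:end])
	}
	return strings.Join(parts, " ")
}

// Candidates returns every possible decryption of ciphertext, indexed by the
// shift tried: Candidates(ct)[k] is ct shifted back by k. There are only 26
// of them (25 excluding the identity), so anyone who knows the method can
// read the message without ever learning the key.
func Candidates(ciphertext string) [26]string {
	var out [26]string
	for k := 0; k < 26; k++ {
		out[k] = Shift(ciphertext, -k)
	}
	return out
}

// FindShift tries all 26 shifts and returns the first one whose decryption
// contains crib, a word expected in the plaintext (a known-plaintext check).
// It returns -1 when no shift produces the crib.
func FindShift(ciphertext, crib string) int {
	crib = Shift(crib, 0) // normalise: upper-case, letters only
	for k, candidate := range Candidates(ciphertext) {
		if strings.Contains(candidate, crib) {
			return k
		}
	}
	return -1
}

func main() {
	ct := Shift("You will never guess this", 3) // the sentence from the text
	fmt.Println(Group(ct, 5))                     // BRXZL OOQHY HUJXH VVWKL V
	fmt.Println("shift found with crib GUESS:", FindShift(ct, "guess"))
	for k, c := range Candidates(ct) {
		fmt.Printf("%2d %s\n", k, c)
	}
}
```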

Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted container. When mounted, it will look like another drive on your computer. TrueCrypt containers are secure, but using them still comes with the risks of leaving your recent files lists, thumbnail files, and other temporary and cache data exposed. It is recommended that you use TrueCrypt and encrypt the entire disk for maximum security. The process of encrypting your entire disk is called FDE (Full Disk Encryption). Furthermore, it is recommended that you use a hidden volume when using TrueCrypt. Investigators cannot determine whether or not you have a hidden volume in your TrueCrypt container unless you tell them. One drawback with using FDE with a hidden volume versus using FDE without a hidden volume is you will have two Operating Systems instead of just one. You can also use TrueCrypt to encrypt portable drives using the Traveler Disk Setup. For information about using TrueCrypt on SSDs, please reference SSD Solid State Drives (section 4.16).

Try it out: Create TrueCrypt Container

1. Start TrueCrypt
2. Click on Volumes (menu item) in TrueCrypt
3. Click on Create New Volume... (menu item)
4. Select Create an encrypted file container (radio button) and click Next > (button)
5. Select Hidden TrueCrypt volume (radio button) and click Next > (button)
6. Select Normal mode (radio button) followed by Next > (button)
7. Click Select File... (button)
8. In this step you will specify the name and location of your TrueCrypt container. If you try to save the file and get an access denied error, try creating the container in your Documents folder or elsewhere. Choose the location in the Explorer window and specify the File name: (edit) in Specify Path and File Name [...]. Click Save (button) in the Specify Path and File Name dialog box
9. Click Next > (button) followed by Next > (button) on the next page
10. In the dropdown, I selected AES (list item) for the Encryption Algorithm. This is the most secure and provides 256-bit encryption, which is a 32 character password. You can read up on the other encryption algorithms for further explanation. SHA-512 (list item) was my choice for the Hash Algorithm. You can also read further on the hashing algorithms. Click Next > (button)
11. In this step you want to specify the size of the TrueCrypt container. Most likely you will want to select GB (radio button) to specify you want the size to be in Gigabytes. This is recommended if you are going to store pictures or videos. In the textbox, enter the total size that you want the container to be and not just the size of your Outer Volume. So, if you want your Outer Volume to be 50 GB and your Inner Volume to be 25 GB, you will need to enter 75 here. Click Next
12. Enter and re-enter your password for the Outer Volume Password. This is the password that you will be able to reveal if you are forced to do so. You are allowed to enter a password up to 64 characters
13. For the Large Files step, I selected Yes, so it would format as NTFS; it is up to you though. Click Next > (button)
14. Once all the settings are set, move your mouse around to add security. Click Format (button) to start formatting the volume. Depending on the size and your hard drive speed and other factors, this process could take several hours. Once complete, click Next > (button)
15. You will now create your Hidden Volume, or the volume that you do not want others to find. Select Next > (button) to start the process
16. I used the same settings as before. Click Next > (button) until you are prompted to create the Hidden Volume Size. This size is less than the Outer Volume Size and should leave ample room so you can store enough non-private data in your Outer Volume whilst allowing plenty of room for private material in this Hidden Volume. Click Next > (button)
17. Create a Hidden Volume Password. This password should be as secure as this container will hold your private data. The maximum possible length for a password in this step is also 64 characters. This is the password that you do not want to give out under any circumstances. The government cannot determine if a hidden container exists, therefore they will not know that this password even exists. Do not fall victim to social engineering attacks where someone tricks you into giving them the password.
18. Select Next > (button), choose whether Large Files are going to be used in the next window, and click Format (button) to finalize the process (again, make sure to move your mouse around on that step for better security)
19. Open TrueCrypt again and mount the Outer container. To start, I would mount the Outer Container so we can add some decoy data in there in case you are forced to give the password. To do this, just select the drive letter, click Select File (button), select the TrueCrypt file you created in Step 8, and press Mount. Simply, you will enter the Outer Volume password or the Hidden Volume password depending on which volume you want to mount. Make sure when moving decoy data over that it is completely legal and that it CANNOT be confused for something illegal. Also, make sure it would be something you would truly want hidden. Porn, data backups, etc. are good ideas. To move the files over to either of these volumes you will simply open Windows Explorer and navigate to the drive letter.

Try it out: WinRAR

1. If you are in the WinRAR program window, select the file(s) and click the Add button. This is denoted as an icon of a stack of books with binding around them. Alternatively, you can right-click the file(s) in the Explorer window and click Add to archive
2. The Archive name and parameters page will open. Please note the size of the file you are about to upload and the size limit that you are allowed to upload on each site.
3. In the Split to volumes, bytes input field under the General tab, enter the appropriate size of each archive. For example: If you have a file that is 200 MB (or 204800 KB) and the file upload size limit is 50 MB, for the Split to volumes, bytes input field you will enter 50MB. In this case four files will be created, each 50 MB apiece.
4. Select the Advanced tab and hit the Set Password button. Enter the password in the first field and re-enter the password for verification. Remember this password; if it is lost the file is NOT recoverable. Most people also select Encrypt file names for extra security.

As said before, when using TrueCrypt, as presented in the Try it out section, it is a good idea to use a hidden container. Here's why. Let's say you have two videos: video A and video B. Video A is of your pet hamster frolicking around in the fish tank with your precious goldfish named Garry (the fish, not the hamster). On the other hand, Video B is a recording of your grandmother doing the naughty with the pizza delivery man. Now, I am going to make a sweeping assumption in claiming that you don't mind other people seeing video A, so it is deemed that the video can be "public" or "not hidden." Video B on the other hand is just plain nasty, and if the pizza delivery man were 12 and you needed to hide that video at all costs, this video would need to be "private" or "hidden." So, you would stick Video A in the container that you could give the key away to, and Video B would go in a container that you would protect at all costs. If you use the key for Video A, you can see video A, and so forth.

So, on the same lines, a hidden container (or a hidden OS) is a hidden, encrypted container that the LEA cannot prove exists. So, you have two keys: a key for the public container and one for the private container. You can unlock one or the other at one time, but not both at the same time. So, you can give the LEA the key that opens up your public container whilst hiding the key for your private container. The LEA cannot determine if you have a private, hidden OS, or a private container. If you use the key for your non-sensitive container, you will boot into that container.

In essence (when dealing with hidden OSs), think of two Operating Systems on one computer, and you can choose which one to boot into depending on the password. A hidden OS is hidden and the LEA cannot prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding your other material and use it when you need it. A hidden OS also has all the sensitive data leaks inherent with any OS. So, instead of anti-forensic techniques or saying, "oops, I forgot the password", you can view all sensitive material in the hidden OS and not worry about anything sensitive being leaked (paging, recent file lists, db files, caching, etc). Remember this: if you are forced to give the encryption key, you can do so whilst keeping your hidden container hidden, which is the main advantage of a hidden container.

You can also use programs such as PGP or GPG (GPG being a free replacement for PGP) to securely encrypt
data or messages. Both programs are mainly intended for asymmetric encryption, but they will work for our
purposes. Notice that I said they are used to encrypt data and messages; they cannot be used like
TrueCrypt to encrypt entire drives or partitions, or to create encrypted containers. And like I said
above, when used symmetrically they are subject to the same problem when exchanging the key: the key
still must be sent in cleartext.

The simplest command line for encrypting a file with GPG (assuming you have GPG installed and have
the command prompt open) is this: gpg -c inputfile.ext. Let's break this down a bit. gpg is the name of
the program, so you are telling the computer to run GPG. The -c tells the program that you want to use
symmetric encryption (-c is the abbreviation for --symmetric). Finally, inputfile.ext (replace ext with the
file extension) tells the program that you want to encrypt the file inputfile.ext on your computer. Now
when you look in the same directory you will see the original file alongside a new file with the same
name and extension, but with .gpg added to the end. So, for example, the new encrypted file name will
be inputfile.ext.gpg.

Decrypting the file using symmetric encryption is as easy as putting the file on your computer and telling
the program to decrypt it. The command line switch for the decryption process is similar to the encryption
process. To decrypt a file, you use GPG and enter this: gpg --decrypt inputfile.ext.gpg. The program
will then recognize that it used symmetric encryption and will ask for the key to decrypt it. Again, the
key used to encrypt the file is the same key you will now use to decrypt the file. You should also know that
when encrypting the file, GPG does nothing to the cleartext file. So it is still sitting on your computer
and can be read by anybody who gains access to it. Deleting a file securely will be discussed later on.

When you originally encrypt the file you will notice that the output looks like a bunch of gibberish. To
combat this, GPG has a command option for ASCII armor output. When GPG encrypts a message without
the ASCII armor option, the result is called binary output. Binary output is machine readable, but we
cannot make sense of it. ASCII armor ensures that the only characters used are ASCII characters so they
can be read (and copied) easily. For example, if I want to encrypt data using the symmetric algorithm
with the armor output I would enter the command as follows: gpg -ac. The -a generates the armor output
and the -c, as above, specifies that I want to use the symmetric algorithm. Using this switch with no input
file specified lets you type a message manually within the command prompt. When you are done you will
have to enter an end-of-file sequence. On Windows: press Enter, then Ctrl-Z, then Enter. On OS X/Linux:
press Enter, then Ctrl-D. Pressing Ctrl-C (abort) quits GnuPG without executing any command.

3.3. Securely Exchanging Messages, Data, and Signing Data

The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data.
But what if you wanted to send a message to somebody? Somehow, you will need to share the key while
reducing the risk of anyone being able to intercept the password and use it to decrypt the data.
Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of
encryption there are two keys used, a public key and a private key. The public key is given to the world
and is used to encrypt data, whereas the private key is used to decrypt the data and to verify the data
being received is legitimate. A popular program to securely share data and messages between two people
(using asymmetric encryption) is PGP or GPG (GPG being a free replacement for PGP). For the purposes
of this guide, I will be using GPG, the free replacement for PGP.

First things first: exchanging public keys, so someone who wants to give you a message can secure the data
before sending it to you. Assuming that you both have GPG installed on your machines, you can use the
"Try it out: create GPG key" example to create, export, and exchange your public keys. The public key is
only used to encrypt data, so for an attacker to decrypt data they must have your private key. Once the
initial public key exchange is done you can securely exchange data. You will also notice that I used
the armor output option so that when I want to exchange my public key via email or a form, it can easily be
copied by the recipient trying to import it. You should only give out your public key, and never your private
key. It is best to keep your key pairs on an encrypted drive. If someone obtains your private key they will
be able to read all encrypted messages intended for you. If compromised, create a new private and public
key pair and give out your new public key. Also note that your key pair comes with an expiration date if
specified. Once the expiration date is reached, people can no longer send you encrypted messages using
that expired public key.

Here is an example of GPG armor output (in this case an exported public key block):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)


-----END PGP PUBLIC KEY BLOCK-----


When sending or receiving a message, key, or signature, you want to include everything, including the
-----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines. When
importing a public key from another person, you will not need to use your private key, nor will they
need to have access to your public key. The beginning and ending lines will also appear
different depending on what you are doing. Finally, if you do not use the armor output option, the
begin and end lines will not appear.


Now that you have created your own key pair and imported someone else's, you can start encrypting and
decrypting data. You can follow the "Try it out: Encrypting and decrypting a message/file" to
learn how to encrypt and decrypt a file. I will elaborate on how that works a little more. To begin, you
will use gpg to start the program GPG and -e to tell the program that you want to use asymmetric
encryption rather than the symmetric encryption (-c) used before. --output "outputfile" is the name of the
output file that will contain the encrypted data. --local-user "yourusername" is the name of the user
that the message is coming from (in this case, you). -r "recipient" is the person to whom you are sending
the data, --armor tells the program to use the ASCII armor output, and --sign clear.txt will create
a signature file. Given a signed document, you can either check the signature or check the signature and
recover the original document.

Try it out: create GPG key

For Windows (since this is a Windows guide), I recommend downloading and installing Gpg4win. If
you are using Linux you can simply use gpg and stick with the command line. Here is a guide from their
website on how to install the program: http://gpg4win.de/handbuecher/novices_5.html. When
Gpg4win is installed, follow these steps to create your key pair for encryption/decryption (note: the
following instructions are for creating a key size of 4096, which I recommend. You can create a
2048-bit encryption key using the program Kleopatra):

1. Start the command prompt: Start > Run > cmd > OK. *On Windows Vista/7, type cmd in "Search
Programs and Features". A black box should pop up
2. Type in gpg --gen-key
3. Enter 1 and press Enter
4. The default key size is 2048; I recommend 4096
5. Set the value to 0 here. If you set the key to expire, you will need to go through this same
process of creating and redistributing your public keys. When it asks for a confirmation, enter
y
6. Your real name will most likely be your screen name. I will enter missionman here
7. For this step, input an email address. For this I entered my tormail email address.
8. Enter a comment if you wish; this step is optional
9. If you wish to change something, now is the time to do it. Everything is correct and I am done
so I will enter O
10. At this point you should see a popup prompting you to create a secret key. This is also
referred to as a private key. Make sure when creating this password that it conforms to
strong password guidelines
11. Re-enter the password to confirm you entered it correctly
12. You will now want to type a lot of random data in a text program of your choice or move your
mouse around the screen so the key can be generated, until the key generation is complete
13. If there are no errors, then you have successfully created your public and private key!
14. Now, to give people your public key (which they use to encrypt data they want to send to
you) you will type in gpg --export -a username > c:\public.key. For example I typed in gpg
--export -a missionman > c:\missionman.key

A digital signature certifies and timestamps a document. If the document is subsequently modified in any
way, a verification of the signature will fail. A digital signature can serve the same purpose as a
handwritten signature with the additional benefit of being tamper-resistant. The GnuPG source distribution,
for example, is signed so that users can verify that the source code has not been modified since it was
packaged.

Creating and verifying signatures uses the public/private key pair in an operation different from
encryption and decryption. A signature is created using the private key of the signer. The signature is
verified using the corresponding public key. For example, Alice would use her own private key to digitally
sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her
submission would use Alice's public key to check the signature to verify that the submission indeed came
from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures
is that it is difficult to deny that you made a digital signature, since that would imply your private key had
been compromised.

An example of how to sign a document without encrypting the document is as follows: gpg --output
doc.sig --sign doc. Notice in this example that I did not specify which key to sign the document with. If
you need to specify yourself as the sender, you can also use the --local-user "yourusername" option.
Given a signed document, you can either check the signature or check the signature and recover the
original document. To check the signature use the --verify option. To verify the signature and extract
the document use the --decrypt option. The signed document to verify and recover is the input and the
recovered document is the output. gpg --output doc --decrypt doc.sig is the command line to verify a
document using the person's signature.

Try it out: Encrypting and decrypting a message/file

1. First, find the location of your file or save a message to a text document
2. The command to encrypt a file is gpg -e --output "outputfile" --local-user "yourusername"
-r "recipient" --armor --sign "filename". For example, I typed in gpg -e --output
C:\encrypted.txt --local-user missionman -r testuser --armor --sign clear.txt. --detach-sig
will create a separate signature file
3. To decrypt a file you will simply enter gpg -d --local-user username -o outputfile
inputfile. For example, I entered gpg -d --local-user missionman -o C:\decrypted.txt
C:\encrypted.txt.


In situations where it is undesirable to compress the document while signing it, the option --clearsign
causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the
document. However, a signed document has limited usefulness. Other users must recover the original
document from the signed version, and even with clearsigned documents, the signed document must be
edited to recover the original. Therefore, there is a third method for signing a document that creates a
detached signature. --detach-sig will create a separate signature file.

Here is a good site with some of the common commands:
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpgcs.html

One final word about signatures is their usefulness in verifying packages downloaded from the
internet. You will notice that there are usually two types of verification options: signature files and hash
outputs. Verifying the packages that you download from the internet establishes that the package you
have on your computer was not altered in any way during transit. To verify a package, you will follow
the same process of using the vendor's public key and signature file (or just verify the file if the signature
is not detached) and using the --verify option as used above. Using the hash verification, you will need
to create a hash output of the downloaded file and compare it to the hash specified by the vendor.
You can read more about hashing below.

Much like anything, you want to make sure that you are keeping up with today's encryption standards.
This means using the newer algorithms to replace the older ones. As a real-world example,
there are leaked documents claiming the NSA (National Security Agency) paid RSA $10,000,000 USD to
have a backdoor planted inside Elliptical Curve Cryptography (ECC) algorithms. Products such as Tor
were affected and should be updated to defeat these attacks.

One-Time Pad

I wanted a section on OTPs; however, I did not want to give it a full number beside its name. You
might notice that most of this information is taken directly from Wikipedia; the reason is that I did not
want to reinvent the wheel in sharing this information. In cryptography, the one-time pad (OTP) is a type
of encryption that is impossible to crack if used correctly. Each bit or character from the plaintext is
encrypted by a modular addition with a bit or character from a secret random key (or pad) of the same
length as the plaintext, resulting in a ciphertext. If the key is truly random, at least as long as the
plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or
break without knowing the key. Saying that, this form of encryption is the most secure form of
encryption out there.


One popular implementation is the XOR method, which is often used to combine the
plaintext and the key elements, and is especially attractive on computers since it is usually a native
machine instruction and is therefore very fast. However, ensuring that the key material is actually
random, is used only once, never becomes known to the opposition, and is completely destroyed after
use is hard to do. The XOR method operates according to this principle:

A ⊕ 0 = A,
A ⊕ A = 0,
(A ⊕ B) ⊕ C = A ⊕ (B ⊕ C),
(B ⊕ A) ⊕ A = B ⊕ 0 = B

Now, you are probably wondering to yourself, "What does that even mean?" Let me explain. The ⊕
denotes the exclusive disjunction (XOR) operation, which can be applied to every character in the plaintext
string using a given key. To decrypt the output, the same process is used and the ciphertext will be
converted back to plaintext. Below is an example of how the XOR operation is used. You will notice
that 0 ⊕ 0 and 1 ⊕ 1 return the output of 0, whereas 1 ⊕ 0 and 0 ⊕ 1 return the output of 1. The string
below, "Wiki" (01010111 01101001 01101011 01101001 in 8-bit ASCII), can be encrypted with the
repeating key 11110011 as follows:

  01010111 01101001 01101011 01101001
⊕ 11110011 11110011 11110011 11110011
= 10100100 10011010 10011000 10011010

And conversely, for decryption:

  10100100 10011010 10011000 10011010
⊕ 11110011 11110011 11110011 11110011
= 01010111 01101001 01101011 01101001

The XOR operator is extremely common as a component in more complex ciphers. By itself, using a
constant repeating key, a simple XOR cipher can trivially be broken using frequency analysis. If the content
of any message can be guessed or otherwise known, then the key can be revealed. Its primary merit is that
it is simple to implement, and that the XOR operation is computationally inexpensive. A simple repeating
XOR cipher is therefore sometimes used for hiding information in cases where no particular security is
required.
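
The repeating-key XOR worked above, together with the one-time pad conditions from the OTP section, as an added example in Python (not code from the guide): it reproduces the "Wiki" / 11110011 computation, shows why a repeating key falls to a single known message, and contrasts that with a pad that is random, message-length and never reused. The 4-byte key and the two sample messages are constructed for the demo.

```python
from __future__ import annotations

import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    Because A xor K xor K == A, the same function both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_bits(data: bytes) -> str:
    """Render bytes as space-separated 8-bit groups, as the text lays them out."""
    return " ".join(f"{b:08b}" for b in data)


def wiki_demo() -> tuple[str, str]:
    """Encrypt "Wiki" with the repeating one-byte key 11110011, then decrypt.

    Returns (ciphertext bits, recovered plaintext); the bits match the text.
    """
    key = bytes([0b11110011])
    ciphertext = xor_bytes(b"Wiki", key)
    recovered = xor_bytes(ciphertext, key)
    return to_bits(ciphertext), recovered.decode("ascii")


def recover_repeating_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext weakness of a repeating key.

    ciphertext XOR plaintext gives the key stream, and with a repeating key the
    first key_len bytes of that stream are the entire key.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def key_reuse_demo() -> tuple[bytes, bytes]:
    """Two constructed messages under one short repeating key.

    Knowing message 1 reveals the key, which then decrypts message 2 as well.
    Returns (recovered key, decrypted second message).
    """
    key = b"\x13\x37\xc0\xde"  # constructed 4-byte key for the demo
    msg1 = b"meet at the usual place at noon"
    msg2 = b"bring the documents with you"
    ct1 = xor_bytes(msg1, key)
    ct2 = xor_bytes(msg2, key)
    recovered = recover_repeating_key(ct1, msg1, len(key))
    return recovered, xor_bytes(ct2, recovered)


def one_time_pad_demo(message: bytes) -> tuple[bytes, bytes, bool]:
    """One-time pad: a fresh random pad as long as the message, used once.

    The same known-plaintext trick only yields this message's pad bytes, which
    are useless against any other message because they are never reused.
    Returns (pad, ciphertext, whether decryption restored the message).
    """
    pad = secrets.token_bytes(len(message))
    ciphertext = xor_bytes(message, pad)
    return pad, ciphertext, xor_bytes(ciphertext, pad) == message


if __name__ == "__main__":
    print(wiki_demo())
    print(key_reuse_demo())
    print(one_time_pad_demo(b"hello"))
```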


3.4. Steganography

Another good form of encryption is steganography, which is the act of hiding data within text, graphic files,
or audio files. The purpose of this method is so that nobody will know that there is a private message
inside the medium (photo, document, etc.) because it is hidden. Let's say Bob wants to send private
messages to Steve over a public forum read by numerous people. Bob grabs a picture, puts a hidden
message inside and uploads it to the website. Nobody knows the message is there except for Steve, who
is able to save the picture to his computer and read the message hidden inside. Forensic examiners will
need to look at each individual file to determine if steganography was used. So, for example, if you
have 1000 pictures, they will need to go through each and every one to determine which ones have
steganography and which ones do not.

Using steganography is as easy as downloading the right software from the internet. I started out by
downloading one of the more popular freeware tools out now, F5, then moved to a tool called
SecurEngine, which hides text files within larger text files, and lastly a tool that hides files in MP3s called
MP3Stego. I also tested one commercial steganography product, Steganos Suite. These tools may contain
backdoors, as with all encryption programs, and therefore should not be used with data you are trying to
hide from any party that may hold the decryption key.

3.5. Authentication Factors

There are several types of authentication factors when accessing resources, and most of you have only
been using one of them. In the security field they are referred to as something you know, something you
have, and something you are. A username and password falls into the something-you-know category.
This is because you know in your mind what your username and password are. Something you have is a
physical device such as a smart card or token. Finally, something you are refers to a fingerprint, an iris
scan, or another physical feature.

The idea behind something you know is keeping a secret that only you know. Thus, knowledge of the
secret distinguishes you from all other individuals, and the authentication system simply needs to check
to see if the person claiming to be you knows the secret. This method is also used between two or more
persons to verify they are whom they claim to be. This is often called challenge-response authentication,
and even though it is more commonly used with a token, it can be used between several people.

If you have ever watched the movie The Bourne Ultimatum you have already seen this in action. Halfway
through the movie, one of the characters is presented with a duress challenge in which she is asked a
question and, depending on the response, she is either normal or under duress. In the same way, many
people can create a similar model of authentication that moves past a simple password and can convey
duress as well as authenticate the user. For example, in the movie the challenge word was "sparrow";
the response if under duress was "ruby" and the response if normal was "Everest".

One popular challenge-response mechanism uses tokens to authenticate the user. These methods are
becoming increasingly popular and are even employed by services such as Google and TrueCrypt.
Disconnected tokens, such as those deployed by several online services, have neither a physical nor a
logical connection to the client computer. They typically do not require a special input device, and
instead use a built-in screen to display the generated authentication data, which the user enters
manually via a keyboard or keypad. Smart cards, other physical tokens, and key files are also
methods that fall under the something-you-have category. Below is a very simple example of how
some challenge-response mechanisms work.

A B C D E F G H I J K L M N O P
B C D E F G H I J K L M N O P Q
C D E F G H I J K L M N O P Q R
D E F G H I J K L M N O P Q R S
E F G H I J K L M N O P Q R S T
F G H I J K L M N O P Q R S T U
G H I J K L M N O P Q R S T U V
H I J K L M N O P Q R S T U V W

Let's say that you want to log into a system and use a detached token. You will most likely be given a set
of characters to input into the system to verify that you are whom you say you are. So, you fire up the
token and request your one-time PIN code. The server that generates the code will load up the list and
select a set of characters from the table. In this example, we will say the challenge is the characters
H, G, A, I, P, and S (yellow). Your token will then generate a response of J, I, C, K, R, and U (red). The
server will then verify that the response the token created matches up to the response the server
expects. Once this is complete, the server will allow you into whatever system you were trying to
access.
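
The shift-table exchange above, as an added Python illustration (not code from the guide, and not how any named product's token works): it reproduces the H,G,A,I,P,S to J,I,C,K,R,U lookup, shows why a fixed table is only a teaching model, and places beside it an HMAC-based challenge-response with single-use challenges. The shared secrets and the user name are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase


def table_row(shift: int) -> str:
    """One row of the guide's table: A..P shifted down by `shift` positions."""
    return "".join(ALPHABET[(i + shift) % 26] for i in range(16))


def toy_response(challenge: str, shift: int) -> str:
    """Token side of the toy scheme: the token's secret is the row it reads from.

    With the guide's example, row 2 turns HGAIPS into JICKRU.
    """
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in challenge)


def toy_recover_shift(challenge: str, response: str) -> int:
    """Why the table is only an illustration: a single observed exchange reveals
    the row, i.e. the whole shared secret, to anyone who watched it."""
    return (ALPHABET.index(response[0]) - ALPHABET.index(challenge[0])) % 26


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Disconnected-token side of the HMAC variant: HMAC-SHA256(secret, challenge).

    Observing challenge/response pairs does not reveal the secret, unlike the
    table above.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class HmacTokenServer:
    """Server side of the HMAC variant.

    Each challenge is random and consumed on the first verify call, so a
    response captured by a keylogger or over the wire cannot be replayed.
    """

    def __init__(self, user_secrets: dict[str, bytes]) -> None:
        self._secrets = user_secrets          # provisioned into tokens out of band
        self._pending: dict[str, bytes] = {}  # outstanding challenge per user

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use, even on failure
        if challenge is None or user not in self._secrets:
            return False
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def hmac_demo() -> tuple[bool, bool]:
    """Returns (genuine login accepted, replay of the same response rejected)."""
    secret = b"constructed-shared-secret"  # constructed for the demo
    server = HmacTokenServer({"missionman": secret})
    challenge = server.new_challenge("missionman")
    response = token_response(secret, challenge)
    first = server.verify("missionman", response)
    replay = server.verify("missionman", response)
    return first, replay


if __name__ == "__main__":
    print(toy_response("HGAIPS", 2), toy_recover_shift("HGAIPS", "JICKRU"))
    print(hmac_demo())
```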

The third authentication type is biometric authentication, which is known to be the best form of
authentication as it is the best way to determine that a person is who they say they are. I have pasted a
chart below to show a comparison of biometric types:


Comparison of Biometric technologies

Characteristic          | Fingerprints       | Hand Geometry    | Retina    | Iris          | Face                         | Signature           | Voice
Ease of Use             | High               | High             | Low       | Medium        | Medium                       | High                | High
Error incidence         | Dryness, dirt, age | Hand injury, age | Glasses   | Poor lighting | Lighting, age, glasses, hair | Changing signatures | Noise, colds, weather
Accuracy                | High               | High             | Very High | Very High     | High                         | High                | High
Cost                    | *                  | *                | *         | *             | *                            | *                   | *
User acceptance         | Medium             | Medium           | Medium    | Medium        | Medium                       | Medium              | High
Required security level | High               | Medium           | High      | Very High     | Medium                       | Medium              | Medium
Long-term stability     | High               | Medium           | High      | High          | Medium                       | Medium              | Medium

Compiled from NIST publication

Another term that is used is multi-factor authentication. Multi-factor authentication, as it
implies, is when the user uses two or more authentication factors. When you are trying to access
resources (such as getting into a TrueCrypt container), for example, the system requires the approval of
both factors before access is granted into the system. The combination of more than one factor
decreases the chances of someone other than yourself obtaining this access. For this reason, it is
recommended as a best security practice when setting up a protected system.

For most users reading this guide, you will only need to concern yourself with setting up more than one
factor when using TrueCrypt. Most of you only use a password, which is adequate for most scenarios
and is what most people use in general. But another feature of TrueCrypt that most people don't realize
is that it does allow for multi-factor authentication. This means that you can set up TrueCrypt to utilize
both a password and a key file (or token or smart card) when logging into the system. The link provided
will elaborate more on key files, security tokens, and smart cards when using TrueCrypt: Click here.

To go back to the beginning, I told you that using multiple authentication factors is best practice, but
you might be wondering to yourself, why? Two or more factors further ensure that the protection of
your data does not rely on a single factor alone. For example, let's say you have a machine that's
encrypted with TrueCrypt. You know that the encryption employed by TrueCrypt is strong; however,
you created a password that is weak and easily guessed. This is where multi-factor authentication
comes in. The attacker might have guessed your password, but if you have another factor such as a
token, the attacker will also have to have access to that token during the entire session in order for
them to get in.

Another method of attack is with the use of spyware, which is a type of malware that attempts to spy
on you by recording everything you do on the computer. In the same way, keyloggers (which can be
hardware devices or come in the form of spyware) attempt to record everything that you type on a
keyboard. If successful, a keylogger will capture your password, which can be used later on for an attack.
To mitigate this type of threat, you will once again rely on multi-factor authentication to authenticate
you into the system. And for additional security, you can check for new hardware devices attached to
your computer and make sure that you use some sort of antivirus software to mitigate the threat of
software installations.

3.6. Password Attacks and Account Recovery Attacks

There are several types of password attacks that people perform when trying to decrypt information.
These are known as dictionary attacks, brute force attacks, and random guess attacks. Creating complex
passwords will help prevent dictionary attacks. Creating long passwords will help prevent brute force
attacks. And creating passwords that do not include your username or any other identifiable
information will help against random guess attacks. This is why your password should be long, complex,
and should not include any identifiable information.

Another common attack that people do not usually think of is the account recovery attack. This is when
someone is trying to log into your account by attempting to reset your password using your account
recovery questions. For this reason you should make sure when creating security questions and answers
that they are not easily guessed (or found). A good recommendation is to make the answers as
complicated as the passwords, but still easily remembered.

3.7. Creating Secure Passwords

The problem with passwords is they are usually too easy to crack or they are too hard for the users to
remember. Therefore, both of these problems should be considered when creating a new password.
Start by creating a password that is at least 16 characters. Use as many different types of characters as
possible, including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous
password and never use the same password for more than one account. Don't use password storage
tools, whether software or hardware. Make sure that your password does not include anything
identifiable such as: names, usernames, pet names, or words in a dictionary. Lastly, make sure that the
password is not too hard for you to remember so you don't forget the password or have to write it down
or save it. Here is an example of a site that can create a secure password: click here.

Case: The Sarah Palin email hack occurred on September 16, 2008, during the 2008 United States
presidential election campaign, when the Yahoo! personal email account of vice presidential candidate
Sarah Palin was subjected to unauthorized access. The hacker, David Kernell, had obtained access to
Palin's account by looking up biographical details such as her high school and birthdate and using
Yahoo!'s account recovery for forgotten passwords.

3.8. Hashing, Hashing Collisions, and Birthday Attacks

When people refer to hashing, they are referring to a type of encryption. Hashing is the process of creating
an encrypted output that cannot be decrypted (it performs a one-way encryption) and is used to ensure
that a message or file was not modified from the original copy. Hashing is also commonly used to help
authenticate somebody. For example, many websites store a hashed copy of your password instead of
the password in the clear. There are several types of hashing algorithms, and the newer versions are better
than the outdated versions for security purposes. SHA-256 is the newest version and is recommended as
of right now when you are checking file or message hashes.

Using asymmetric encryption provides integrity as well as the already explained confidentiality. When
you successfully decrypt a message that another user sent you, you have verified its integrity. Another
way to ensure integrity is to create the hash of a file or a message and allow people to check the hash
they generate against the hash you gave them. For example: let's say Bob uploads a file for Steve. Bob
uploads a file and generates a hash (let's say a value of 456) so Steve can make sure that when he
downloads the file, it was not changed along the way. After downloading and saving the file, Steve also
generates a hash of the saved file. If Steve generates the same hash, the file was not altered. But if Steve
generates a different value (let's say 334), then the file has been changed. Personally, I use HashMyFiles
because it is easy to use and is a standalone program.

Also, you should know that since there are several types of hash algorithms, you need to specify which
hash algorithm you want to use when verifying data. The newer the algorithm, the better the chances you
have of mitigating the eventuality of a hash collision. Adding to what we talked about earlier regarding
asymmetric encryption: when you create a file signature for the recipient to verify the contents they
receive, they are actually decrypting the hash value of the data for verification. So in essence, the
process for verifying the contents is the same, with the added benefit of verifying the sender as well as
the file when using asymmetric encryption.

Try it out: Hashing

1. Download and save this file: http://ocrlwkklxt3ud64u.onion/files/1343933815.txt. If the
file opens up in your browser, then save everything to a text file and save it as hash.txt
2. Download the program HashMyFiles and start it when that is complete
3. Click File > Add Files and select hash.txt
4. Record the hash of the file (press F7 on your keyboard). *I used MD5 for this test
5. Compare your hash to the hash I generated before uploading the file
(83a814a08b5edfa57c003415224f8b46)


Another good method of ensuring that a file was actually sent by someone who claims they sent it is if
they digitally sign the message using their private key. What you need to know is that you can digitally sign
a message or file without actually encrypting the message or file. This is helpful if you want to share a file
for which everybody knows the password whilst allowing them to confirm that it came from you.

Try it out: Digital Signatures

1. I am assuming that you have already set up GPG and have created your private/public key pair
2. Start the command prompt: Start > Run > cmd > OK. *On Windows Vista/7, type cmd in "Search
Programs and Features". A black box should pop up
3. The command to create a digital signature is gpg --output outputfile --local-user username
--detach-sign inputfile. For example, I typed in gpg --output final.sig --local-user
missionman --detach-sign test.txt
4. To verify the digital signature, type gpg --verify signaturefile name. For example, I typed
in gpg --verify final.sig c:\test.txt

While talking about hashing, I should mention hash collisions. Hash collisions occur when two
distinctly different messages produce the same hash result. Birthday attacks attempt to exploit this
vulnerability by relying on the likelihood of collisions occurring between the random attack attempts
and the number of permutations. As an example, consider the scenario in which a teacher with a class
of 30 students asks for everybody's birthday, to determine whether any two students have the same
birthday. Intuitively, this chance may seem small. If the teacher picked a specific day (say September 16),
then the chance that at least one student was born on that specific day is 1 − (364/365)^30, about 7.9%.
However, the probability that at least one student has the same birthday as any other student is around
70%.
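
The two probabilities quoted above, computed exactly, and the same birthday reasoning carried over to hash output width (which is why a wider, newer hash resists collisions better, as the text says); this is an added Python example, not code from the guide. The hash widths passed in are the caller's choice.

```python
from __future__ import annotations

import math


def p_specific_day(n: int, days: int = 365) -> float:
    """Chance that at least one of n people was born on one fixed day.

    Each person misses the day with probability (days-1)/days, so
    P = 1 - ((days-1)/days)^n; for n = 30 this is the text's 7.9%.
    """
    return 1.0 - ((days - 1) / days) ** n


def p_any_shared_birthday(n: int, days: int = 365) -> float:
    """Chance that *some* pair among n people shares a birthday (any day).

    Exact: 1 - prod_{i=0}^{n-1} (days - i) / days. This is the "around 70%"
    figure for 30 students, and it is the collision question a birthday attack
    asks of a hash: not "matches this digest" but "matches any other digest".
    """
    if n > days:
        return 1.0  # pigeonhole: more people than days forces a match
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def p_collision_approx(samples: float, space: float) -> float:
    """Birthday-bound approximation 1 - exp(-k^2 / (2N)).

    Used instead of the exact product when N is a hash space such as 2**128,
    far too large to multiply term by term.
    """
    return 1.0 - math.exp(-(samples ** 2) / (2.0 * space))


def samples_for_half_collision(bits: int) -> float:
    """Hash evaluations needed for about a 50% chance of some collision in a
    bits-wide output: sqrt(2 ln 2) * 2^(bits/2), roughly 1.177 * 2^(bits/2).

    Matching one particular digest instead (a second preimage) needs about
    2^bits attempts, which is why collisions are the cheaper attack and why
    the width of the hash matters.
    """
    return math.sqrt(2 * math.log(2)) * 2.0 ** (bits / 2)


def teacher_example() -> tuple[float, float]:
    """The guide's class of 30: (specific-day chance, any-pair chance)."""
    return p_specific_day(30), p_any_shared_birthday(30)


if __name__ == "__main__":
    specific, any_pair = teacher_example()
    print(f"fixed day: {specific:.1%}, any pair: {any_pair:.1%}")
    for bits in (128, 256):
        print(f"{bits}-bit hash: ~{samples_for_half_collision(bits):.3g} tries for 50% collision")
```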

3.9. Cold Boot Attacks

In cryptography, a cold boot attack (or, to a lesser extent, a platform reset attack) is a type of side-channel
attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a
running operating system after using a cold reboot to restart the machine. The attack relies on the data
remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the
seconds to minutes after power has been removed. Basically, when a computer is restarted, the
encryption keys (passwords) might still exist in RAM and may be recoverable to the extent that they can
be used to decrypt your device.

To simplify what I just said, cold boot attacks work like this. After you turn off your computer, RAM isn't
automatically erased when it no longer has power. Instead, RAM degrades over time, and even after a
few seconds without power, you can still recover a significant amount of data. Researchers also found
that if you chill the RAM first, using liquid nitrogen or even a can of compressed air turned upside down,
you can preserve the RAM state for more than 30 seconds, up to minutes at a time: more than enough
time to remove the RAM physically from a machine and place it in another computer. Once inside another
computer, an investigator can use the data that is temporarily stored inside the RAM and read it.

There are a few ways to mitigate this risk. The best method is to make sure to dismount the drive before
ending the program or shutting the computer down. Most software programs will erase the key from
memory after you perform this action. This method is the best way to prevent cold boot attacks. Shutting
the computer down cleanly should also ensure that the key is erased from memory. Another mitigation
technique is using a security token or smart card. This can be fooled, though, if the attacker grabs the
key and has the token/smart card in hand.

I should mention that while cold boot attacks are possible, grabbing an encryption key from RAM is not
widely used by many forensic investigators. Until recently, grabbing these keys via RAM was thought of
only as a theory and not actually accomplishable. However, there is other data that you should be
concerned about with cold boot attacks. Data such as unsent emails, words in a text document, and
pictures can be recovered from RAM. Even if it is partial data, it can be read and used against you.

If you are interested in obtaining data contained in RAM, there are several programs out there that can
assist you. Most of these programs are not free and do not come with any sort of trial. You can utilize
these programs after you freeze the RAM and insert it into another machine that hosts the RAM
analyzer. You may use the same programs to image the RAM on your own machine that you would use
after freezing and moving the RAM over. There are also key-scanning tools, a second set of tools that
you can use to scan the RAM image you have created for encryption keys. The names of the tools are
pretty self-explanatory: the aeskeyfind tool searches for AES keys, and the rsakeyfind tool searches for
RSA keys. Note: AES is symmetric encryption and RSA is asymmetric encryption.

Note: Many forensic investigators carry a can of compressed air with them to a crime scene to freeze the
RAM stick for further analysis.

Chapter 4 _ Data

This section will talk about data in general: how it gets stored and what happens when it is deleted.
Furthermore, we will talk about recent file lists and data caching. Knowing how Windows and
other applications handle these files will help eliminate the risks associated with evidence left over
after your session. You will learn how to find and remove this data completely and securely from your
computer. In some instances, you will also learn how to prevent these risks from happening altogether.

Topics

This Chapter will cover the following topics:
Deleted Data
Deleting Data Securely
File Slack
Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache
Temporary Application Files and Recent Files Lists
Event Logs
Printers, Print Jobs, and Copiers
Cameras, Pictures, and Metadata
USB Information
SSD Solid State Drive
Where to Hide Your Data

4.1 A Quick Word

In this section, we will mainly be focusing on NTFS drives. I am not saying that the following information does not apply to XP or earlier; it just does not ALL apply to what we are talking about. Among improvements in NTFS file systems are increased file size potential (roughly 16 TB versus 4 GB for FAT32), increased volume size potential (roughly 256 TB versus 2 TB for FAT32), and the recording of Last Accessed times (in Windows NT/2k/XP/2k3, and in Vista/2k8/7 if enabled). In addition, NTFS uses a data structure called the Master File Table (MFT) and entries called index attributes instead of a file allocation table (FAT) and folder entries in order to make the access and organization of data more efficient.

4.2 Deleted Data

A common misconception that computer users have is that when you delete a file, it is completely removed from the hard disk. However, you should know that highly sensitive files such as pictures, passwords, chat logs, and so forth still remain on the hard disk. Even after they are deleted from your recycle bin, they are still located on the hard drive and can be retrieved with the right software. Take for example when you use WinRAR to extract the file that someone sent you. The program extracts the data to a temporary file before it reaches its destination on your hard disk; this may lead to a data leak.

Any time that a file is deleted from a hard drive, it is not erased. When you delete a file, the two bytes located at record offset 22 within the file's MFT record are changed from \x01\x00 (allocated file) to \x00\x00 (unallocated file). The operating system uses these pointers to build the directory tree structure (the file allocation table), which consists of the pointers for every other file on the hard drive. When the pointers are changed, the file essentially becomes invisible to the operating system. The file still exists; the operating system is just ready to write over it. You should also know that the deleted file's entry is removed from its parent index, and the file system metadata (i.e., Last Written, Last Accessed, Entry Modified) for the file's parent folder is updated. It is also possible that the metadata for the deleted file itself may be updated because of how the user interacted with the file in order to delete it (e.g., right-clicking on the file).
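To make the offset-22 flag concrete, here is an added Python example (not code from this guide) that parses the fixed header of an NTFS FILE record and reports whether the record is allocated; the record it parses is constructed inside the script, since reading a real $MFT needs raw-disk access.

```python
"""Added example (not from the guide): inspect the allocation flag of an NTFS
FILE record, the two bytes at offset 22 (0x16) that the text describes.

The sample record is constructed here; real records are read from $MFT with a
raw-disk reader, 1024 bytes each on most volumes.
"""
import struct
from dataclasses import dataclass

FILE_MAGIC = b"FILE"
FLAG_IN_USE = 0x0001      # record is allocated to a live file or directory
FLAG_DIRECTORY = 0x0002   # record describes a directory


@dataclass
class MftRecordHeader:
    sequence_number: int
    link_count: int
    flags: int
    bytes_used: int
    bytes_allocated: int
    base_record: int

    @property
    def in_use(self) -> bool:
        return bool(self.flags & FLAG_IN_USE)

    @property
    def is_directory(self) -> bool:
        return bool(self.flags & FLAG_DIRECTORY)


def parse_mft_record_header(record: bytes) -> MftRecordHeader:
    """Parse the fixed header of a FILE record (NTFS on-disk layout)."""
    if len(record) < 48:
        raise ValueError("record too short for a FILE record header")
    if record[0:4] != FILE_MAGIC:
        raise ValueError("missing FILE signature; not a usable MFT record")
    # Offsets: 0x10 sequence (u16), 0x12 hard-link count (u16), 0x14 first
    # attribute offset (u16), 0x16 flags (u16), 0x18 used size (u32),
    # 0x1C allocated size (u32), 0x20 base record reference (u64).
    seq, links, _first_attr, flags, used, alloc, base = struct.unpack_from(
        "<HHHHIIQ", record, 0x10)
    return MftRecordHeader(seq, links, flags, used, alloc, base)


def describe(record: bytes) -> str:
    """One-line verdict of the kind a recovery tool prints for each record."""
    hdr = parse_mft_record_header(record)
    kind = "directory" if hdr.is_directory else "file"
    state = "allocated" if hdr.in_use else "unallocated (deleted, data may remain)"
    return f"{kind} record, sequence {hdr.sequence_number}: {state}"


def build_sample_record(flags: int, sequence: int = 7) -> bytes:
    """Construct a minimal 1024-byte FILE record (constructed data, not from a disk)."""
    rec = bytearray(1024)
    rec[0:4] = FILE_MAGIC
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)   # update-sequence offset and size
    struct.pack_into("<Q", rec, 0x08, 0)           # $LogFile sequence number
    struct.pack_into("<HHHHIIQ", rec, 0x10, sequence, 1, 0x38, flags, 0x158, 1024, 0)
    return bytes(rec)


if __name__ == "__main__":
    live = build_sample_record(FLAG_IN_USE)
    deleted = build_sample_record(0)   # deletion clears the flag word to \x00\x00
    print(describe(live))
    print(describe(deleted))
```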

Note: You can change the location where WinRAR extracts the temporary data to. Navigate to Options > Settings > Paths. You can change the path under "Folder for temporary files".

There is another process when a file is deleted and is sent to the recycle bin. Pre-Windows Vista (XP, 95, etc.), when a file is sent to the recycle bin, a record in the INFO2 file is created. Starting with Windows Vista, Microsoft went away with the INFO2 file in favor of a new method of storing deleted data. Below is a table that shows where each record is located. Note that the <UserSID>, or Security Identifier, is the unique identifier for each user on the machine. You can find your SID by following the steps in section 6.1 Disable Unnecessary Accounts. *Remember though, you do not need to delete the key from the registry.

Operating System         Common File Structure   Location of Deleted Files
Windows 95/98/ME         FAT32                   C:\Recycled\INFO2
Windows NT/2K/XP         NTFS                    C:\Recycler\<UserSID>\INFO2
Windows Vista/7/8/8.1    NTFS                    C:\$Recycle.Bin\<UserSID>\

I will not be getting into the actual process of examining the INFO2 files or the newest file format for Windows Vista onward. Rather, I will give a very brief overview of what to expect when examining these two formats. Starting with INFO2, when a file is moved to the Recycle Bin, it is typically renamed to DC#.EXT, where # is an integer and EXT is the original file's extension. The only thing that you really need to know is that when you remove an individual file from the recycle bin, the file details are not removed from the INFO2 file. Instead, it is simply marked as deleted to avoid the process of rebuilding the INFO2 file. It is only when you completely empty the deleted files that the INFO2 file goes away.

Moving along to Windows Vista, 7, and 8, Windows has significantly changed how the files and corresponding details are represented when sent to the recycle bin. As the table above illustrates, the new format still involves using the user's SID, but the files are now found in the C:\$Recycle.Bin\<UserSID>\ directory. In this new format, where Vista onward begins to handle deleted files differently is that a deleted file is renamed to $R, followed by a series of six random characters and then the original file extension. Then a second file is created of the same name, with $I instead of $R, containing information similar to that contained within the INFO2 file. However, this file contains only the original file name, the file's original size, and the date/time the file was deleted.
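An added Python example (not from the guide) that decodes a $I record of the layout just described: a version word, the original size, the deletion FILETIME and the original path. The record it parses is constructed in the script; the version-2 branch covers the later Windows 10 variant with a length-prefixed path, which goes beyond the Vista/7/8 format the text covers.

```python
"""Added example (not from the guide): decode a Recycle Bin $I record, the
metadata file Vista and later keep next to the renamed $R data file.

Version 1 (Vista/7/8): u64 version, u64 original size, u64 FILETIME of
deletion, then a 260-character UTF-16LE path (520 bytes).  Version 2 (later
Windows 10 builds) replaces the fixed path with a u32 length and the path.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed sample timestamp used by the demo below (not from a real disk).
SAMPLE_DELETED_AT = datetime(2013, 6, 1, 12, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\chatlog.txt"


@dataclass
class RecycleBinEntry:
    version: int
    original_size: int
    deleted_at: datetime
    original_path: str


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_record(data: bytes) -> RecycleBinEntry:
    """Return the original name, size and deletion time stored in a $I file."""
    if len(data) < 24:
        raise ValueError("too short for a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # includes the NUL
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return RecycleBinEntry(version, size, filetime_to_datetime(ft), path)


def build_i_record(path: str, size: int, deleted_at: datetime,
                   version: int = 1) -> bytes:
    """Construct a $I record for demonstration (constructed data)."""
    ft = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    rec = build_i_record(SAMPLE_PATH, 4096, SAMPLE_DELETED_AT)
    entry = parse_i_record(rec)
    print(entry.original_path, entry.original_size, entry.deleted_at.isoformat())
```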

A great program to investigate these index files is rifiuti2, a free program to read both INFO2 files and the new file formats. You can download the program from the official page, here: Click here.

Shadow data is the fringe data that remains on the physical track of storage media after it is deleted, swept, or scrubbed. A mechanical device called a head is used to write the data, and it is stored electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. However, head alignment is just a little bit different each time an attempt is made to erase data, and data remnants sometimes bleed over the tracks. This is the reason why government agencies require multiple scrubs or burning, because there is no guarantee of complete elimination of fringe, or shadow, data.

The only way that you can permanently delete this data is to overwrite it with special software or wait for the operating system to overwrite the data. There are files on the hard disk that do not have any pointers in the file allocation table, so they will eventually be overwritten with something new. Even files that are fragmented or are partially written over are recoverable and can be used against you. Special software will overwrite these files securely and immediately. One such recommended piece of software that securely cleans the white space is CCleaner, and Recuva to erase the actual data left over. As a word of note, people suggest that simply defragging a hard drive will overwrite these pointers; this is not true. Drives formatted using NTFS are especially not affected by this method. This is because of the way NTFS stores data; it essentially makes defragging the hard drive useless.

Try it out: CCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner from the internet, as with all programs, you download from the manufacturer's website only. The link has been provided for you: http://www.piriform.com/ccleaner/download/standard
2. Open CCleaner and press Tools on the left
3. Select Drive Wiper
4. Select Free Space Only in the drop-down box next to Wipe
5. In the security drop-down box, I recommend selecting the complex overwrite
6. Choose the drive letter you wish to clean and press Wipe

4.3 Deleting Data Securely

As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To prevent data from being recovered you must secure erase (or shred) the data. What special programs do to securely erase contents from a computer is enumerate through each bit of data and replace it with a random bit. The shredding method I recommend is 7 passes. This process makes the bits unknown and recovery of this data difficult, if not impossible. This can be done with file eraser programs, or it can be done to the entire drive with bootable software. DBAN is recommended if you are trying to erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some programs such as Blancco implement HPA/DCO wiping by default, other tools could allow the user to choose whether or not to wipe HPA/DCO, while other tools are not able to wipe HPA/DCO at all.

HPA stands for Host Protected Area and is a section of the hard drive that is hidden from the operating system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery system for the computer. For this reason, the HPA is not a big concern, but you can securely remove data here nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of today's hard drives. Similar to the HPA, the DCO can be securely erased in much the same way.

While recovery of information wiped out in this manner is far more difficult, and in many cases impossible, some recovery techniques exist that specialists can employ to retrieve some of the data. Factors such as the size of the hard drive, the accuracy of the mechanical system in the drive, the power with which the information was recorded, and even the length of time the information was left on the drive prior to wiping all will have an effect on the probabilities for recovery.

Another method is to physically destroy the hard drive to a state that is irreparable. The best method for this is to open the hard disk and grind the platters to obliterate all data. Another method for hard drives that use disks is to use an industrial-strength magnet to remove the data. Optical disks (CDs, DVDs, etc.) can be shredded if they are not writable. Also, optical disks can be destroyed by cooking them, and this is the best method for destroying data on optical media. Cooking them, however, is not recommended for practicing or everyday use as they release a toxic fume.

4.4 File Slack

To understand file slack, one first needs to understand how disks are organized at the lowest level. As can be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further subdivided into a set of sectors, and a collection of sectors forms together to make a cluster. If you write a 1 KB file on a drive that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space between the logical end of file and the physical end of file is known as slack space.

The perhaps somewhat unexpected consequence of this is that the file slack contains whatever data was on the disk before the cluster was allocated, such as data from previously deleted files. Using file slack, it would be possible not only to recover previously discarded (and potentially sensitive) information, but also to effectively hide data. The ability to hide data arises because the operating system does not modify data within a cluster once it has been allocated. This means that any data that is stored in the slack is safe (provided the file's size does not change). Using forensic examiner software such as EnCase or FTK, an investigator can recover this data contained in slack space.

To wipe this slack space, I use software called Eraser, which has utilities to wipe unallocated file space and disk slack space. I recommend utilizing the 3-pass method to ensure that no shadow data exists after the process is complete. You will notice after running the program to remove the slack space that the secret message you just entered is erased.

Try it out: Hiding data in file slack space

1. Open Microsoft Office and create a .doc file. Enter anything you like.
2. Download and install your favorite hex editor. Hex Workshop Hex Editor is a good one and will fulfill our purpose for this example.
3. Start the program. I will be covering the steps when using Hex Workshop.
4. Select the file that you just created and load it in the program. The hex output will appear in the main portion of the screen
5. Once the file opens, click on Edit/Find to open the Find dialog box.
6. In the Find dialog box, click on the drop-down box next to Type: and select Text String. Enter part of the text you entered in the first step.
7. On the right side of the screen, navigate to a blank line and remember that position. On the blank line, type a secret message.
8. Click on File/Save As and save the file as whatever you want (IMPORTANT: Save as Word 97-2003 format)
9. Close Hex Workshop and open MS Word
10. In MS Word, open the new file you just created in Hex Workshop
11. Confirm that your hidden message is not visible within MS Word

4.5 Alternate Data Streams

ADSs, or Alternate Data Streams, have been around since the very beginning of the NTFS file system. The invention was attributed to helping support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. However, using ADSs, you can hide data easily that will go undetected without specialized software or close inspection. This method requires nothing more than a Windows device that is formatted using NTFS, which is practically everyone now. It works by appending one file to another whilst hiding the sensitive data from view and keeping the file size of the original data. You need to know that your hidden file is in no way encrypted. So, if an attacker knows the file is there, he will be able to read the contents.

A few commands before we get started:
CD - Change Directory (cd \path\to\change\to, or cd .. to go back one directory, or cd C:\Absolute\Path)
DIR - List contents of directory (dir to show the current folder, or dir \folder)
TYPE - Used to view small files
Echo - Display text or write to a file
Start - Starts an executable program

Let's start with the basics, hiding a text file within a text file:
1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\
3. We are going to create our first text file and write data into it. The command to do that is echo This file is seen > seen.txt. If you get an Access Denied error, you might need to run cmd as Administrator or change the directory to your home directory (cd C:\Users\%YourUsername%\Documents). You can test to see if the file was created and if data was written to it by using type seen.txt
4. Now we will use a colon as the operator to tell our commands to create or use an ADS. Type: echo You can't see me > seen.txt:secret.txt
5. To read the file you will want to use the following syntax: type seen.txt:secret.txt
6. Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and sometimes does not work as we might expect. Since the type command does not understand the colon operator, we will have to use notepad to read the file: notepad seen.txt:secret.txt
7. If it all worked correctly, you should see the contents of secret.txt. You should also note that the file size did not change when you added the secret.txt file
8. You should also note that you can hide data inside a directory as well. Type md test to create a directory and cd test to navigate to that directory. Then, using the same syntax as above, we will hide our data by typing this: echo Hide stuff in a directory > :hide.txt
9. You can test to see that the file is hidden by listing all the files in the directory by using the dir command. To open the file you will just enter notepad :hide.txt

So, now you have successfully hidden two files from view! But that is only the beginning, as there are many more nifty features that can be used on the NTFS system. For the next example, we will be hiding executable files within a text file that can be run using the start command. This method is actually not much harder than the method above:

1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\. Again, you may need to change your directory to your documents folder or something similar: (cd C:\Users\%YourUsername%\Documents)
3. First, we are going to make a file to write to: echo Test > test.txt. You can check the size of the text document by typing in dir test.txt
4. Next, we are going to hide an executable in the test.txt file. You can find any file that you wish to run. For this example, we will be using notepad: type notepad.exe > test.txt:note.exe. So, what we just said was copy and rename the program notepad.exe to note.exe and add it to the text document test.txt. Again, to make sure the file size did not change, you can check the size of the text document by typing in dir test.txt
5. To run the file, you will type in: start .\test.txt:note.exe

Finally, the last thing we will talk about is hiding videos in ADSs. This method is the same as the above methods; however, you will need to call the actual video player to play the videos.
1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd C:\. Again, you may need to change your directory to your documents folder or something similar: (cd C:\Users\%YourUsername%\Documents)
3. Make sure that a video exists in the same directory. The command to hide a video inside a text document is this: type "hellokitty.avi" > "sample.txt:hellokitty.avi". When dealing with files that include spaces, you always want to use quotes. And obviously, replace the file names with your own.
4. Now, to play the video, you will need to know the exact path of the video player. Here is a sample syntax to open the video with Windows Media Player: "C:\Program Files\Windows Media Player\wmplayer.exe" "sample.txt:hellokitty.avi". This tells Windows to use wmplayer.exe to play hellokitty.avi that is hidden in sample.txt
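For the detection side of this section, here is an added Python example (not the guide's code) that enumerates every stream attached to a file or directory through the Win32 FindFirstStreamW/FindNextStreamW calls, so a stream created with the colon syntax above shows up with its size even though dir hides it; the enumeration assumes Windows and an NTFS volume, while the name parsing runs anywhere.

```python
"""Added example (not from the guide): list the data streams of a file or
directory, including the alternate streams that dir and Explorer do not show.

Enumeration uses kernel32 FindFirstStreamW/FindNextStreamW through ctypes and
therefore only runs on Windows; stream-name parsing is plain Python.
"""
import ctypes
import sys
from typing import List, Tuple

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
DEFAULT_STREAM = "::$DATA"   # the file's normal, visible contents


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw: str) -> Tuple[str, str]:
    """Split ':name:$TYPE' into (name, type); the unnamed default stream is '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError(f"unexpected stream name {raw!r}")
    return parts[1], parts[2]


def is_alternate(raw: str) -> bool:
    """True for any stream that could carry hidden data, i.e. anything but ::$DATA."""
    return raw != DEFAULT_STREAM


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Return [(raw stream name, size in bytes)] for every stream of path (Windows only)."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    # 0 = FindStreamInfoStandard; no flags are defined for the last argument.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break   # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return found


def alternate_streams(path: str) -> List[Tuple[str, int]]:
    """Only the streams that hide data: everything except the default ::$DATA."""
    return [(name, size) for name, size in list_streams(path) if is_alternate(name)]


if __name__ == "__main__":
    # Usage: python ads_list.py seen.txt test.txt .   (the directory case from step 8)
    for target in sys.argv[1:]:
        for raw, size in alternate_streams(target):
            name, stype = parse_stream_name(raw)
            print(f"{target}: alternate stream '{name}' ({stype}, {size} bytes)")
```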


4.6 Where to Hide Your Data

HPA: Host Protected Area is an area of a hard drive that is not normally visible to an operating system and is protected from user activity. To hide data there, you will need to write a program, or find a program, to write information there.
MBR: The Master Boot Record only requires a single sector, thereby leaving 62 open sectors for hiding data.
Partition slack: File systems store data in blocks, which are made of sectors. If the total number of sectors in a partition is not a multiple of the block size, there will be some sectors at the end of the partition that cannot be accessed by the operating system using any typical means.
Volume slack: If the partitions on a hard drive do not use up all of the available space, the remaining area cannot be accessed by the operating system by conventional means (e.g., through Windows Explorer). This wasted space is called volume slack. It is possible to create two or more partitions, put some data into them, and then delete one of the partitions. Since deleting the partition does not actually delete the data, that data is now hidden.
File slack: This is the unused space between the end-of-file marker and the end of the hard drive cluster in which the file is stored.
Unallocated space: Any space in a partition not currently allocated to a particular file cannot be accessed by the operating system. Until that space has been allocated to a file, it could contain hidden data.
Boot sector in non-bootable partitions: Every partition contains a boot sector, even if that partition is not bootable. The boot sectors in non-bootable partitions are available to hide data.
Good blocks marked as bad: It is possible to manipulate the file system metadata that identifies bad blocks (e.g. the File Allocation Table in a FAT file system or $BadClus in NTFS) so that usable blocks are marked as bad and therefore will no longer be accessed by the operating system. Such metadata will produce blocks that can store hidden data.

4.7 Changing File Headers to Avoid Detection

Major forensic software uses two methods for identifying file types: file extensions (.exe, .jpg, .txt) and file headers (characters at the beginning of the file). A person trying to hide an image might simply change the extension from .jpg to .zip to try to fool an investigator. Most people will try to open the file, but they will encounter an error and they will probably move on to the next file. While this method might work on somebody who doesn't have specialized software to view the header information, it doesn't fool those who use products such as EnCase. This is because, as I said before, there is another method to determine the type of file they are reviewing. Yet, if the file extension and the header information match, they might look over the file completely, as it might not be the file type they are looking for.

When a forensic investigator looks at a file that has a mismatch between the extension and the file header, he might get suspicious and further investigate the discrepancy. For this reason it is important to change both file extension and header information to match. By changing this information, you can effectively hide whatever it is you are trying to hide. You should note, however, that if an investigator opens the file with the correct program, he will still be able to view the contents of the file. For example, you can change a .jpg's extension and header information to a .txt, but if the file is opened in Picture Viewer, you will still be able to see the picture.

First things first: change the file's extension. For this example, we will be changing a .rar to an .exe. So find a .rar file on your machine and change the extension to exe. This part is the easiest part and can be done in only a few seconds:

1. Start Windows Explorer and navigate to the folder that contains the file you wish to hide
2. If you do not see the file extensions, you might have to change a setting to view them. For XP and 7, you will click Tools > Folder Options > View and uncheck "Hide extensions for known file types"
3. Once you can see the file extension, you can now right-click the file and click Rename to change the file extension

I should also note that for the first couple of times, before you feel comfortable testing this out on your own, use a file that you don't want or create a copy of a file to test this on. The next part is to change the header information of the same file you just changed the extension for. This is done with a program that you can freely download over the internet. For this example, I am using HxD Hex Editor, which can be downloaded from here, and modifying a .rar file.

1. Open HxD Hex Editor, click File > Open, select the file, and click Open
2. You will notice that the hex view shows the file header for .rar files is 52 61 72 21 in hexadecimal and Rar! in ASCII (Figure 1). This is the information you are going to change
3. Click your cursor right before the first hexadecimal character on the left, the 5. Now, when you start typing, the new characters will replace the existing characters and they will appear red
4. To change the file signature of this RAR archive we simply take the file signature of an executable file and add it to the start of this file. In this case I will add 4D 5A to the start of the file (Figure 2)
5. Save the file

Figure 1

Figure 2

This technique will fool the forensic software, as it will not return the file when it is looking for .RAR files. However, even though you change the file type, you may not be able to fool the investigator depending on what is contained inside the file. Changing .doc or .docx files to .jpegs, for example, might not be the best idea in the world as they can still see all the text contained within the document. .RAR files might also contain the file name even though encryption is enabled if "Encrypt file names" is not used.
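An added Python example (not from the guide) of the extension-versus-header check that products such as EnCase perform, using the 52 61 72 21 and 4D 5A signatures from the steps above; it also shows why the signature check alone is not the end of the story: a file that merely starts with 4D 5A still lacks the PE header a real executable carries, which a second structural check catches. The signature table is a small, well-known subset and is illustrative only.

```python
"""Added example (not from the guide): flag files whose extension disagrees
with the bytes at the start of the file, then apply a structural check that a
RAR archive with only 4D 5A patched in front does not pass.
"""
import os
from typing import List, Optional, Tuple

# (leading bytes, extensions that legitimately start with them)
SIGNATURES: List[Tuple[bytes, Tuple[str, ...]]] = [
    (b"Rar!\x1a\x07", ("rar",)),             # 52 61 72 21 ..., as in Figure 1
    (b"MZ", ("exe", "dll", "sys", "scr")),    # 4D 5A, the DOS/PE stub
    (b"\xff\xd8\xff", ("jpg", "jpeg")),
    (b"\x89PNG\r\n\x1a\n", ("png",)),
    (b"PK\x03\x04", ("zip", "docx", "xlsx", "pptx", "jar")),
    (b"%PDF-", ("pdf",)),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ("doc", "xls", "ppt")),
    (b"GIF8", ("gif",)),
]


def identify(header: bytes) -> Optional[Tuple[bytes, Tuple[str, ...]]]:
    """Return the matching (magic, extensions) pair, or None if unknown."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return magic, exts
    return None


def check(filename: str, header: bytes) -> str:
    """Compare the name's extension with the type implied by the first bytes."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    hit = identify(header)
    if hit is None:
        return "unknown signature"
    _magic, exts = hit
    if ext in exts:
        return "ok"
    return f"MISMATCH: header says {'/'.join(exts)} but extension is .{ext or '<none>'}"


def validate_pe(data: bytes) -> bool:
    """A genuine executable also has 'PE\\0\\0' at the offset stored at 0x3C (e_lfanew);
    a patched archive that only starts with MZ does not."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_file(path: str) -> str:
    """Apply both checks to a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    verdict = check(path, data)
    if verdict == "ok" and data.startswith(b"MZ") and not validate_pe(data):
        verdict = "SUSPICIOUS: MZ header without a PE signature"
    return verdict


# Constructed samples (not real files): a RAR header, the same bytes after the
# 52 61 -> 4D 5A patch from step 4, and a minimal MZ stub with a PE signature.
RAR_HEADER = b"Rar!\x1a\x07\x00" + bytes(9)
PATCHED_RAR = b"MZ" + RAR_HEADER[2:]
MINIMAL_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    print(check("archive.exe", RAR_HEADER))    # MISMATCH: header says rar ...
    print(check("archive.exe", PATCHED_RAR))   # ok (signature check alone is fooled)
    print(validate_pe(PATCHED_RAR), validate_pe(MINIMAL_PE))   # False True
```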
4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache

A swap file allows an operating system to use hard disk space to simulate extra memory. When the system runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk to free up memory for other programs. Then when you go back to the swapped-out program, it changes places with another program in RAM. This feature ensures that Windows is usable when memory runs out. Even though this feature is helpful, sensitive information might be contained within the swap space that could incriminate you.

Let's say you download sensitive material and after you were done with it, you delete it securely. If you ran out of memory (RAM), the temporary data might have been saved to swap space, thereby rendering your method of removing the file useless. The best way to attack this problem is to disable paging altogether while viewing sensitive information. If you are using applications that use large amounts of memory, you can turn paging back on during your session.

Try it out: Disable paging

1. Open the Start Menu and go to Control Panel
2. Click on the System icon
3. Select the Advanced tab
4. Under Performance, click Settings
5. Go to Advanced
6. Under Virtual Memory, click Change
7. Select No Paging File and then click Set
8. Click OK in all the menus
9. Restart
10. To enable paging again, simply select "Automatically manage paging file size for all drives"

ReadyBoost is another caching feature introduced in Windows Vista and continued with Windows 7. It works by using flash memory, a USB flash drive, SD card, CompactFlash or any kind of portable flash mass storage system as a cache. Data that is written to the removable drive is encrypted using AES 128-bit encryption before being written to the drive. This means that an examiner who recovers the drive with the ReadyBoost information will find it difficult to decipher this data.

Another way that Windows operates under the surface is when creating temporary internet files. Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is used by Internet Explorer and other web browsers to cache pages and other multimedia content, such as video and audio files, from websites visited by the user. This allows such websites to load more quickly the next time they are visited. Not only web browsers access the directory to read or write, but also Windows Explorer and Windows Desktop Search.

You can see how this is a problem if you ever want to download (or view) pictures or files that contain sensitive material. Furthermore, other applications might use temporary files when handling content. For example, when I talked about WinRAR earlier, I explained that when you unpack data from an archive, the program creates a temporary file on your file system before it is moved to its destination. The only way around this (excluding internet cache) is to periodically wipe slack data as stated before. When dealing with internet data, you should be concerned with deleting internet cache and cookies. You should also know that even if you use Private Browsing mode in any of the popular Internet browsers, temporary internet files might still exist on the hard drive. Always perform checks, even when using this mode.


Try it out: Delete internet cache

1. Start Firefox
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard. The menu bar should appear.)
3. Click Options
4. Click Privacy
5. Select "Tor Browser will: Use custom settings for history" and check "Clear history when Tor Browser closes"

4.9 Temporary Application Files and Recent Files Lists

Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file is recorded by Windows. This feature was introduced into Windows and other applications to make those applications more user-friendly by allowing easy access to those recently used files. Much the same, some applications create a cache that is stored on your computer so the application can run faster the next time it is loaded or a specific project is being worked on.

Recent file lists and application caching do make the experience more friendly, but they also add security risks. If, for example, someone took a video and loaded it into video editing software, the software might take pieces of the video and save them to your hard drive for fast access. The same goes for viewing videos/images that are sensitive by nature. Whoever is looking at the recent files list for your computer will know what the names of files are, as well as possibly knowing the location of those files.

First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures that are loaded for every file in Windows Explorer as a little preview of sorts. A thumbnail cache is used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of thumbnails, as these smaller images do not need to be recalculated every time the user views the folder. You can see where this is a problem when you open a folder containing sensitive pictures or videos. Thumbnail caches are stored in thumbs.db files and the locations will vary depending on the Operating System. In Windows XP, the thumbs.db files will be stored in every folder.


Windows 7 and Vista save all the thumbnails in a central location. The cache is stored at %userprofile%\AppData\Local\Microsoft\Windows\Explorer as a number of files with the label thumbcache_xxx.db (numbered by size), as well as an index used to find thumbnails in each database. This makes it easier for us to locate and remove the caches of these thumbnails. You can use CCleaner to remove the existing cache. I recommend using this page to enable/disable thumbnail caching: Click here

Try it out: View thumbnail cache

1. Download Thumbcache Viewer from here
2. Start the program and press File > Open
3. Locate your thumb files, select them, and press Open
4. The images that were cached will populate in the list box. Select a file to view the image preview

Try it out: Delete thumbnail cache using CCleaner

1. Open CCleaner
2. Make sure Thumbnail Cache under Windows Explorer is checked
3. You can set all security settings in the Options > Settings menu
4. Click Run CCleaner

Another feature of Windows and several applications is recent files lists. There are several locations where these lists can appear, yet there are only two ways they are saved: the registry or as a file. Windows XP saves file names in the registry and a centralized location in Windows Explorer, whereas Windows 7 introduces yet another list known as a jump list, which can also be cleaned by using CCleaner. The jump list location can be found here: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations.

Try it out: Disable jump lists

1. Right-click the Start Menu and click Properties
2. Expand the Start Menu tab
3. Uncheck "Store and display recently opened items in the Start menu and the taskbar"
4. Click OK


To read the data contained within the jump list data files, you can use the JumpListsView program found here.

CCleaner erases most (if not all) of the recent file lists for Windows as well as for a few other applications. Listed below are common locations where these recent file lists and application caches can be found (I would look into winapp2.ini, an add-on for CCleaner, for more locations):

Registry (all are in HKEY_CURRENT_USER):
(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
(Windows) Software\Microsoft\MediaPlayer\Player
(Windows) Software\Microsoft\Internet Explorer\TypedURLs
(Media Player Classic) Software\Gabest\Media Player Classic\Recent File List
(Media Player Classic) Software\Gabest\Media Player Classic\Settings
Files:
(Recent file list) %appdata%\Microsoft\Windows\Recent
(Jump list) C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
(Temp data Vista/7) C:\Users\<username>\AppData\Local\Temp
(Temp data XP) C:\Documents and Settings\<username>\Local Settings\temp


Try it out: Setting up CCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner from the internet, as with all programs, you download from the manufacturer's website only. The link has been provided for you: http://www.piriform.com/ccleaner/download/standard
2. Once the program is open, click the Options button on the left-hand side of the window
3. Next, click on Settings
4. Make sure that "Secure file deletion (Slower)" is checked, "Complex Overwrite (7 passes)" is selected in the drop-down box and "Wipe MFT Free Space" is checked. Very Complex Overwrite can be selected instead of Complex Overwrite. The Complex Overwrite is the minimum you should choose
5. Click Cleaner on the left
6. Make sure that all the items are checked under Windows Explorer

Another thing I do is set CCleaner to perform a clean whenever I log in to the machine and every hour thereafter. Cleaning your computer automatically will help with managing this program, as you will not have to remember to manually run the program every so often. One drawback with this method, however, is that if an application is using temporary data that is erased by CCleaner, the application might perform incorrectly or stop working altogether.

Try it out: Setting up CCleaner to automatically run (Windows Vista/7)

1. Start CCleaner and select Options on the left
2. Check "Save all settings to INI file" under the Advanced tab
3. Open the Start Menu and enter Task Scheduler into the search box
4. Click on the Action header in the menu bar and select Create Basic Task
5. Follow the steps of the wizard to create the task. In the first window, name the task and give it a description to help you remember what it is later
6. On the next page, select how often you want this to run. I checked the "When I log on" check box
7. Select the option labeled "Start a program" on the next page
8. Hit Browse and navigate to the directory you installed CCleaner to. Add /AUTO to the text field labeled "Add arguments"
9. Click Finish

Note: Other applications include PrivaZer for Windows and BleachBit for Linux.

Finally, those of you who switched to Windows 8 should know about the app data. Windows 8, for starters, has made significant strides over Windows 7 in respect to the interface. They have added the Metro interface, which hosts a plethora of apps that can possibly leak important data. Two such apps are Windows Photos and Windows Video. When viewing a photo or video, you can immediately see that the photo or video cap is cached, as they are still apparent even after the material is deleted. Obviously, you can see the glaring issue with this when it concerns security.

I have not done too much research on the matter, so I am going to be brief. For starters, all your apps are located in your appdata folder. Specifically, the folder paths are as follows (per user settings):
Location of all your apps: C:\Users\Username\AppData\Local\Packages.
Windows Photos: C:\Users\Username\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\LocalState
When the app is closed, the cached images no longer appear on the Metro interface. Furthermore, the cached images don't appear when you open the app again. I did some more investigating into Windows Photos and noticed that several files get increasingly larger after I view images in the Windows Photos app, even after the app is closed. Specifically, those files are: Microsoft.WindowsLive.ModernPhotos.etl, Microsoft.WindowsLive.ModernPhotosLast.etl, and ModernPhoto.edb. Other files exist that show the last 5 images that were cycled through on the Windows Photos Metro app. These files are LargeTile1 (through 5) and SmallTile1 (through 5). The latter files should not be an issue unless they contained sensitive images.

I cannot read what is actually contained within the files themselves, but I can be reasonably sure that, as with everything Windows, image previews are being cached and stored to limit I/O usage and speed up the loading process. Saying this, it is recommended that you delete these files securely if you accidentally or purposely open pictures using the Windows Pictures app (and it is going to happen, trust me). To do this you should close the Pictures app (from the gesture on the left side or the task manager) and securely erase those files using a program of choice.


When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail profile you used when logging into Windows 8, that name will be automatically embedded as metadata in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading anything sensitive. If you use Bing, which is the default search provider and included preinstalled as an app, you should know that Bing creates a separate web history of its own and stores the data over the internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS, which is not used on Windows 8 devices; rather, it is used with Windows Server 2012 (Windows Server 8). Also, with the advent of Office 2013, the default location that documents will be saved to is Windows SkyDrive, so you can see how that might be a security concern if you save something sensitive without looking. Concerning content saved to Windows SkyDrive, here is part of Microsoft's TOA:

So, they scan your documents (and pictures) for anything that violates their TOA, and if they find anything, you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 accounts will have to be recreated; your XBOX Live and SkyDrive accounts will be disabled as well. They also actively scan for child pornography, so make sure you don't accidentally save to a SkyDrive account either. This seems like a huge invasion of privacy, digging deep within all your documents and pictures (even if it is automatic), and the repercussions can be immense.
4.10 Shellbags

WhenyouopenafolderinWindowsExplorerandcustomizetheGUIdisplayWindowsusestheShellbag
keystostoreuserpreferences.Everythingfromvisiblecolumnstodisplaymode(icons,details,list,etc.)
tosortorderaretracked.Ifyouhaveevermadechangestoafolderandreturnedtothatfoldertofind
yournewpreferencesintact,thenyouhaveseenShellbagsinaction.InthepaperUsingshellbag
informationtoreconstructuseractivities,theauthorswritethat"Shellbaginformationisavailableonly
forfoldersthathavebeenopenedandclosedinWindowsExploreratleastonce.Sobasically,ifyou
visitthatfolder,ashellbagiscreated.

ThankstothewondersofWindowsRegistrylastwritetimestamps,wecanalsoidentifywhenthatfolder
wasfirstvisitedorlastupdated(andcorrelatewiththeembeddedfolderMACtimesalsostoredbythe
key).Insomecases,historicalfilelistingsareavailable.Thismeansthatevenifyoudismountadrive
Youwillnotupload,post,transmit,transfer,distribute,orfacilitatedistributionofany
content(includingtext,images,sound,video,data,informationorsoftware)or
otherwiseusetheserviceinawaythat:

1. depictsnudityofanysort,includingfullorpartialhumannudity,ornudityin
nonhumanformssuchascartoons,fantasyartormanga.
2. incites,advocates,orexpressespornography,obscenity,vulgarity,profanity,hatred,
bigotry,racism,orgratuitousviolence.
P a g e |59

(letssayyouareonlyusingaTrueCryptcontainer)ordeleteafolder,thefoldersthatyouopenedwill
stillberecorded.Normally,thiswouldnotbeanissuebecausejustthefoldernamesarerecordedhere,
butifyounameyourfoldertothatofsomethingsensitiveandthenamealludestocriminalactivity,you
willbeintrouble.
Registry Keys

Windows uses the following Registry keys to save the folders' information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
(only in Windows Vista)

If you are curious as to what forensic data can be found out by using shellbags, a good program to view
all of the shellbags is Shellbag Analyzer and can be found here. You can also remove the shellbags that
contain sensitive information that you wish not to be found.

To disable them altogether you can do this:
Navigate here in the Registry (if you do not know what you are doing, then I DO NOT RECOMMEND
THIS): [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell]

Left click on the Shell key and in the right pane, if you can see BagMRU Size then there is no need to
undertake this step. If it isn't there, however, right click and select New > DWORD (32-bit) Value and name
it BagMRU Size. Now set this value to 0 in Decimal view. In Windows 8, set the value to 1 (thanks to
whomever pointed this out to me).

4.11 Prefetching and Timestamps

To start, there is a feature that began with Windows XP that is known as Windows Prefetching. Windows
Prefetch files are designed to speed up the application startup process. Prefetch files contain the name of
the executable (the program you are running), a Unicode list of DLLs (Dynamic Link Libraries; files that
support the program in order to run) used by that executable, a count of how many times the executable
has been run, and a timestamp indicating the last time the program was run. This means that if you are
trying to use programs such as TrueCrypt or secure deletion programs or other file encryption programs,
a Prefetch file will be created, thus alerting the forensic investigators. This is not usually an issue unless
you are trying to counter forensic techniques without letting the investigator know.

An example where Prefetching is troublesome is when you are trying to change the Windows Timestamps
for files. Every time a file is created, accessed, or modified a Timestamp is created. Changing the
timestamps is a good idea to throw the investigators off. Also, it is easy to change as there are programs
that can do that for you. A popular program is TimeStop; but an investigator can investigate the Prefetch
file and determine that the program was run. When this happens they can be reasonably certain that the
timestamps were changed maliciously. So, before you download the file I would pack the file using a
program such as UPX (Ultimate Packer for eXecutables). This will change the hash of the file so the
investigator does not know TimeStop was used when examining the Prefetch files.

One good program to view the prefetch data is WinPrefetchView, which can be downloaded from here.
You can remove information from the prefetch folder, but note that running these programs and booting
up the system will take a considerably longer amount of time, as this information will once again need to
be collected. C:\Windows\Prefetch is the path to the prefetch data.

4.12 Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs on
to the computer or when a program encounters an error. Whenever these types of events occur, Windows
records the event in an event log that you can read by using Event Viewer. An investigator can determine
security related information (these events are called audits and are described as successful or failed
depending on the event, such as whether a user trying to log on to Windows was successful), application
and service information, and more. While security information is not incriminating, investigators can tell
when you attempted to log in and out of the computer, which can correspond to suspected times. Also,
application data might not be incriminating, but depending on what the application actually logs, file
names and other incriminating evidence might be recorded.

Try it out: Erase event logs

1. Open the Start Menu and go to Control Panel
2. Click on Administrative Tools and open Event Viewer
3. Expand Windows Logs on the left
4. Right click Application, Security, and System and click Clear Log

4.13 Printers, Print Jobs, and Copiers

There are several things that you should be concerned about when printing sensitive documents. Print
data might be left on your computer, on the printer's hard drive, or in transit. Before you can know
where to look, you must first know how Windows prints a document. When you send something to a
printer the document is first spooled and two files are created in the %system32%\spool\printers folder.
These two files are the shadow file and a spool file. The files are named as complementary pairs; for
example, one job sent to the printer results in the creation of one FP00001.SHD file and one FP00001.SPL
file for the same job, while the next job will create FP00002.SHD and FP00002.SPL.

The shadow file (.SHD) can contain information about the job itself, such as the printer name, computer
name, files accessed to enable printing, user account that created the print job, the selected print
processor and format, the application used to print the file, and the name of the printed file (which can
be the URL if a file is printed from the web). All of this data can be seen in Unicode using a hex editor or
forensic software.

Spool files (.SPL), on the other hand, contain the actual data to be printed. This means that if you print a
picture, for example, a copy of the picture is created and temporarily stored in the spool folder. Next, the
print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is an
error whereby the document waits in the queue list, these files can easily be read and the contents of the
file revealed. It is also important to note that these two files are deleted insecurely, so there is the
possibility of recovery.

Since 2002, every copier has the capacity to store copies of the documents that are copied or printed.
Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the
copier. This means that printed documents and copies might be stored on the printer's hard drive, or
they might be recoverable if they were already deleted. There is also a security concern whereby printed
documents can be tied to specific printers. Lastly, print documents can be captured if you are sending
them to a printer that is located over the network. Currently, it is up to the manufacturer to provide
security when sending jobs to a printer.

Try it out: Read spool data

1. I am going to assume that you already have a printer installed on your machine
2. Disconnect the printer's power source. This will allow us to view the .SHD file and the .SPL file
3. Send a print job to that printer that you just disconnected
4. Open Windows Explorer and in the address bar, type in %windir%\System32\spool\PRINTERS
5. You should notice the two files I mentioned: a .SHD file and a .SPL file. If you have more than
two files, then you might have additional print jobs in the queue
6. Select the file with the extension .SPL, right click and select Copy. Paste the file in the
location of your choice.
7. Download and install the program SPLView from the manufacturer's website: click here.
8. Either open the file from within SPLView, or if you associate the .SPL extension with the
program, you can simply double click the file
9. To view the SHD file, I recommend downloading and using SPLViewer: click here. If the file is
locked, you can follow "Try it out: Removing services" in section 5.2, and disable the Print
Spooler service
10. Turn the printer back on to finish printing the document, or delete the files when the Print
Spooler service is stopped ("Try it out: Removing services" in section 5.2)


4.14 Cameras, Pictures, and Metadata

Metadata may be written into a digital photo file that will identify who owns it, copyright & contact
information, what camera created the file, along with exposure information and descriptive information
such as keywords about the photo, making the file searchable on the computer and/or the Internet. Some
metadata is written by the camera and some is input by the photographer and/or software after
downloading to a computer.

EXIF information, the Exchangeable Image File format, describes a format for a block of data that can be
embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and
time information, camera settings, location information, textual descriptions, and copyright information.
In some instances, especially with the use of cameras in cell phones, the location where the picture was
taken might also be embedded through geotagging. Furthermore, the images contain thumbnail
images in the metadata that can reveal the image before any editing was done. This information should be
removed before the photo is shared with someone else or stored unprotected.

To remove EXIF information from an image, or a batch of images, you will need to get a special program
that strips this data. I recommend the program BatchPurifier, which can remove this information from a batch
of files or a single file. A good program to read EXIF information from JPEG, TIFF and EXIF template files is
Opanda IEXIF. If you want to remove metadata from a RAW image, you will need to get a separate
program such as Exiv2. Opanda IEXIF can't remove the data, but it can show you what data is contained
within each picture that you take (unless you purchase the professional version).

You cannot stop cameras from recording metadata and embedding it in pictures, so the above steps
are the only way to ensure the pictures are clean. To further clean the image that you took, you will want
to crop and remove identifiable information contained within the actual picture itself. The best program
that can do this is Adobe Photoshop, but a good, free program is GIMP. Identifiable information should
include names, faces, logos, labels, prescriptions, anything that includes handwriting, toys specific to a
particular region or store, etc.

It is also important to know that digital cameras leave a telltale fingerprint buried in the pixels of every
image they capture. Now forensic scientists can use this fingerprint to tell what camera model was used
to take a shot. Furthermore, these scientists can tell the specific camera that took a specific picture if
they had the camera in hand. I would either use a separate camera for on-topic material or change the
photo by either resizing or re-rendering the image after making global changes (blurring, filtering, etc.).
Photoshop, Paint.NET, or GIMP are all good programs that enable you to edit a photo without making
changes to the original. This allows you to go back and make further changes (or undo changes) in the
future if needed.

[Figure: the same photo before and after editing]


You should also know that pictures are not the only material that can contain sensitive information.
Documents can include Microsoft Office documents (Word, Excel, PowerPoint), OpenOffice.org
documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG, SVG,
AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best to either remove the data from these files before sharing
them or not to share them altogether. You should know that changing the file extension does
not trick the investigators. They use file header information to gather pictures/videos. Click here for a
good list.

For example: when we look at a JPEG header there are multiple parts we can use to identify the type of
image and formats used. The first part to look at is the first two bytes of the file. The hex values FF D8 will
identify the start of the image file. This is often enough to know that you have an actual JPEG file. The
next two bytes are the Application marker, typically FF E0. This marker can change depending on the
application used to modify or save the image. I have seen this marker as FF E1 when pictures were created
by Canon digital cameras. The next two bytes (the segment length) are skipped. Read the next five bytes to identify specifically
the application marker. This would typically be 4A 46 49 46 (JFIF) and 00 to terminate the string. Normally
this zero terminated string will be "JFIF", but using the previous example of Canon digital cameras this
string will be 45 78 69 66 (Exif). Most image editors handle all JPEG formats unless a proprietary format
is used that does not follow the JPEG standard.
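The header walk described above, written out as an added example (not code from the guide): it checks the FF D8 magic, then steps through each marker segment using the two-byte length field, and reads the zero-terminated identifier ("JFIF" or "Exif") of the APPn segments, which is also where EXIF metadata lives. The sample files are constructed byte strings, not real photographs.

```python
"""Walk the marker segments of a JPEG and report what identifies it.

Added example, not from the original guide. It applies the header checks the
text describes (FF D8 magic, APPn marker, two-byte length, NUL-terminated
identifier) and also notes whether an APP1 "Exif" segment or a COM segment
is present. Sample inputs below are constructed, not real camera output.
"""
import struct

SOI = 0xD8                      # start of image, always preceded by 0xFF
SOS = 0xDA                      # start of scan: compressed pixel data follows, stop walking
EOI = 0xD9                      # end of image
APP0, APP1, APP15 = 0xE0, 0xE1, 0xEF
COM = 0xFE                      # free-text comment segment


def walk_segments(data: bytes):
    """Yield (marker, identifier, payload) for each segment before the scan data.

    identifier is the NUL-terminated ASCII string opening an APPn payload
    ("JFIF", "Exif", ...) or None for other segment types.
    Raises ValueError when the bytes are not a well-formed JPEG header.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        # The two bytes after the marker are the segment length; the length
        # counts itself but not the marker. These are the "skipped" bytes.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment 0x{marker:02X} at offset {pos}")
        identifier = None
        if APP0 <= marker <= APP15:
            nul = payload.find(b"\x00")
            end = nul if nul >= 0 else len(payload)
            identifier = payload[:end].decode("ascii", "replace")
        yield marker, identifier, payload
        pos += 2 + length


def identify_jpeg(data: bytes) -> dict:
    """Summarise the header: JPEG or not, JFIF/Exif flavour, metadata segments present."""
    summary = {"is_jpeg": False, "flavour": None, "has_exif": False,
               "has_comment": False, "app_segments": []}
    try:
        segments = list(walk_segments(data))
    except ValueError:
        return summary
    summary["is_jpeg"] = True
    for marker, ident, _payload in segments:
        if ident is not None:
            summary["app_segments"].append((f"APP{marker - APP0}", ident))
            if summary["flavour"] is None and ident in ("JFIF", "Exif"):
                summary["flavour"] = ident          # first APPn decides the flavour
            if marker == APP1 and ident == "Exif":
                summary["has_exif"] = True
        if marker == COM:
            summary["has_comment"] = True
    return summary


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (for the samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample 1: an editor-saved file, APP0 "JFIF" first plus a comment.
JFIF_SAMPLE = (b"\xFF\xD8"
               + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(COM, b"edited copy")
               + b"\xFF\xDA" + b"\x00" * 8 + b"\xFF\xD9")
# Constructed sample 2: a camera-style file, APP1 "Exif" first (the FF E1 case).
EXIF_SAMPLE = (b"\xFF\xD8"
               + _segment(APP1, b"Exif\x00\x00MM\x00\x2A\x00\x00\x00\x08")
               + _segment(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
               + b"\xFF\xDA" + b"\x00" * 8 + b"\xFF\xD9")
# Constructed sample 3: a PNG signature renamed to .jpg; the header, not the extension, decides.
NOT_JPEG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("jfif", JFIF_SAMPLE), ("exif", EXIF_SAMPLE), ("png", NOT_JPEG)):
        print(name, identify_jpeg(blob))
```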

As we are talking about pictures, you should also be concerned with what is in the pictures themselves. Law
Enforcement Agencies have teams of analysts that pick apart background data to determine names,
addresses, geographic data, demographics, etc. As in the case provided, detectives were able to
determine where the suspect lived based on a toy bunny and an orange sweatshirt as seen in one of the
photos. You should attempt to remove all information that includes names, dates, addresses,
paraphernalia or anything in nature that is region specific, or anything else that can be identifiable.
Tattoos and other body parts (not specific to the face) are identifiable too. For example, characteristics
on the genitalia can be linked to a specific person. Recently, somebody was taking photos of his underage
daughter and posting them online. The problem is he posted one with a clear view of a prescription bottle
in the background and got busted. They were able to use that information to locate the individual.

Case: During an investigation into an international child porn ring, detectives tracked down a toy
bunny, seen in a photo, that was used to trace the suspect to Amsterdam. Investigators
discovered that the bunny was a character in a children's book popular in the Netherlands.
The detective also traced the boy's orange sweater to a small Amsterdam store that had sold
only 20 others like it. That led to the capture and arrest of 43 other individuals.

When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though
some investigators have recently been able to reverse the blurring process and render this useless) and
the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes
replace the background altogether. If you really want to get involved, you can change physical features
such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a
photo, making it harder for someone to identify you. Also, if done correctly, it will enhance the photo
visually and the presentation will be much better.

4.15 USB Information

Whenever a device is plugged into the system, information about that device is stored in the registry and
the setupapi.log file (Windows XP and earlier). The registry key can be found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file can be
found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about
every device that was plugged into your computer via USB. The setupapi.log file contains information
about device changes, driver changes, and major system changes, such as service pack installations and
hotfix installations.

To delete this registry key and/or subkeys you must first right click the key and choose Permissions. You
can then give the Everyone group full permission to the key or subkeys so that they can then be
deleted. I'm sure it isn't too difficult to whip up a script or piece of software to automate this. Also, if you
have System Restore enabled, the information might be contained in there as well. The setupapi.log file
should be securely deleted as you would with anything sensitive. As pointed out to me by a forum that I
frequent, here is a program that will do this for you: https://code.google.com/p/usboblivion/.

4.16 SSD (Solid State Drives)

Unlike HDDs, SSDs have a feature known as a garbage collector wherein cells that are marked to be
deleted are permanently erased in the background, usually within several minutes of being deleted. It is
important to know that this process happens at the SSD hardware level, so simply leaving the SSD
powered on, regardless of whether it is attached to anything, will result in the destruction of the data (also known
as self-corrosion). Even though SSDs implement garbage collecting, encrypting or securely deleting the
device is hard.

SSDs use load balancing, which is a feature that evenly balances I/O operations between allocation pools.
This means that when you attempt to encrypt or delete a bit of data, it will move past the actual bit to the
next bit. Also, SSDs should not be encrypted using programs that are meant to encrypt HDs because of
another feature called "wear leveling". TrueCrypt, for example, recommends that "TrueCrypt volumes are
not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that
TrueCrypt is not used to encrypt any portions of such devices or file systems)." You should know, however,
that this was referring to existing data already stored on the hard drive. New data that has not been written
to the disk will be secured because it is encrypted before physical storage on the hard drive. This still can
allow for data leaks, so it is still not recommended.

On SSDs you cannot save to a specific sector on the drive, therefore it is theoretically possible that there
are multiple instances of the same data stored on the drive. Let's say for example that you change the
TrueCrypt volume header; the old header might still be accessible on the drive as you cannot write over
it individually. An attacker, knowing this information, can attack the container using the old header
information.

4.17 Forensic Software Tools

Category of Tools: Examples
Chat recovery tools: Chat Examiner
Computer activity tracking tools: Visual TimeAnalyser
Disk imaging software: SnapBack DataArrest, SafeBack, Helix
Email recovery tools: Email Examiner, Network and Email Examiner
File deletion tools: PDWipe, Darik's Boot and Nuke, Blancco
File integrity checkers: FileMon, File Date Time Extractor, Decode Forensic Date/Time Decoder
Forensic work environments: X-Ways Forensics
Internet history viewers: CookieDecoder, CookieView, CacheView, FavURLView, NetAnalysis, Internet Evidence Finder
Linux/UNIX tools: Ltools, Mtools
Multipurpose tools and toolkits: Maresware, LC Technologies Software, WinHEX Specialist Edition, ProDiscover DFT, NTI Tools, AccessData FTK, EnCase
Partition managers: Partimage
Password recovery tools: @Stake, Decryption Collection Enterprise, AIM Password Decoder, Microsoft Access Database Password Decoder, Cain and Abel, Ophcrack
Slack space and data recovery tools: Ontrack EasyRecovery, Paraben Device Seizure 1.0, Forensic Sorter, Directory Snoop, FTK, EnCase
Specialized software for analyzing registries, finding open ports, patching file bytes, simplifying log file analysis, removing plugins, examining P2P software, and examining SIM cards and various brands of phones: Registry Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer, Vision, Autoruns, Autostart Viewer, Patchit, PyFlag, Pasco, Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager for Nokia phones, SIM Card Seizure
Text search tools: Evidor



Chapter 5_ Continuity

Service and data continuity is the activity performed by you to ensure that files and services will be
available to yourself and others for the applicable lifetime. There are several methods to provide
continued support including: backing up data, using controls and techniques to restrict access, and
implementing controls on servers, networks, and other devices. None of these controls should be skipped
as they are all equally important. This step is often overlooked when securing your information but
assures that availability is met.

Topics

This Chapter will cover the following topics:
Security Concerns with Backups
Security Concerns with Sleep and Hibernation
Ensuring Information and Service Continuity
DoS and DDoS attacks


5.1 Security Concerns with Backups

To start, Windows Backup and Restore is a feature of Windows and does exactly as it implies; it backs up
your data. Without much explanation, there are three types of Windows backups: full, differential, and
incremental. A full backup provides a backup regardless of previous backups. A differential backup only
backs up data that was changed since the last full backup, and an incremental backup backs up data that
was changed since the last full backup or the last incremental backup.
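The three definitions above, replayed against a constructed week of file changes as an added example (not code from the guide): the file names, the change history and the "one backup per day" schedule are assumptions made for the illustration.

```python
"""Which files each backup type captures, day by day.

Added example, not from the original guide. It applies the three definitions
given above: a full backup takes every file; a differential takes what changed
since the last full backup; an incremental takes what changed since the previous
backup, whether that was the full or the last incremental. One backup of each
kind is assumed to run at the end of every day; day 1 holds the full backup.
"""

# Constructed change history: day -> files modified (or created) that day.
# Every file existing on day 1 counts as changed on day 1.
CHANGES = {
    1: {"budget.xlsx", "notes.txt", "report.docx"},
    2: {"notes.txt"},
    3: {"report.docx"},
    4: set(),
    5: {"notes.txt", "photo.jpg"},          # photo.jpg is created on day 5
}

def last_modified(changes, up_to_day):
    """Map each file to the most recent day it changed, looking only at days <= up_to_day."""
    mtime = {}
    for day in sorted(d for d in changes if d <= up_to_day):
        for name in changes[day]:
            mtime[name] = day
    return mtime

def backup_set(kind, changes, day, full_day=1):
    """Files a backup of the given kind copies when it runs at the end of `day`."""
    mtime = last_modified(changes, day)
    if kind == "full" or day == full_day:
        return set(mtime)                                        # everything that exists
    if kind == "differential":
        return {f for f, t in mtime.items() if t > full_day}      # changed since the full
    if kind == "incremental":
        return {f for f, t in mtime.items() if t == day}          # changed since yesterday's backup
    raise ValueError(f"unknown backup kind: {kind}")

def sets_needed_to_restore(kind, day, full_day=1):
    """How many backup sets must be read back to restore the state at the end of `day`."""
    if kind == "full" or day == full_day:
        return 1                        # the full backup alone
    if kind == "differential":
        return 2                        # the full plus only the latest differential
    if kind == "incremental":
        return 1 + (day - full_day)     # the full plus every incremental since
    raise ValueError(f"unknown backup kind: {kind}")

def weekly_report(changes=CHANGES):
    """Per day, the sorted file list each kind would copy; shows how the kinds diverge."""
    kinds = ("full", "differential", "incremental")
    return {day: {k: sorted(backup_set(k, changes, day)) for k in kinds}
            for day in sorted(changes)}

if __name__ == "__main__":
    for day, per_kind in weekly_report().items():
        print(f"day {day}: {per_kind}")
    for k in ("full", "differential", "incremental"):
        print(f"restore to day 5 from {k} backups needs {sets_needed_to_restore(k, 5)} set(s)")
```

The trade-off the report makes visible: the differential set grows every day but a restore needs only two sets, while the incremental sets stay small and a restore needs every one of them.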

I know I am stating the obvious, but make sure that you do not back up anything that is confidential.
Whether by accident or on purpose, once you back up sensitive data, it does not matter if you remove the
file from your computer because a copy is already made. Personally, I keep all my sensitive information
in an encrypted container by itself so I don't confuse it with my other stuff. After I move all of my sensitive
information into a container by itself I have ensured two things: 1) my information is secured and 2)
nothing is being backed up that is not supposed to be.

5.2 Security Concerns with Sleep and Hibernation

There are two other features of Windows that you should know of: sleep and hibernation. If you need to
walk away from your laptop for a small or extended period of time but want your Windows session to resume
quickly, you will use either of these two features. The difference is that with sleep mode, your computer
stores everything in memory, and with hibernation mode, everything in RAM is saved to your hard drive.
Sleep is for short term storage and hibernation is for long term storage.

If you use sleep or hibernation, the encryption keys and everything else that is open at that time is saved,
allowing a third party to bypass the security measures you have in place. For example, everything that you
have opened at this moment, including mounted containers and open documents, will be viewable by
forensic investigators. Looking at the picture below, you can see that the user had a website open the
moment he used hibernation mode on his Windows device. This information, amongst anything else that
was stored in RAM at the moment, can be read. The best mitigation technique is not to use them, or to
disable both hibernation and sleep altogether.

Note: Windows 8, the latest Operating System Microsoft is coming out with, hibernates the system kernel,
but does not put memory in storage.


5.3 Ensuring Information and Service Continuity

Keeping a backup of all your private/sensitive materials is a good idea for the continuity of such data, as
long as that data is secure. Securely storing data has been discussed in another section, so I will only make
a recommendation. I would create a container with TrueCrypt and store all sensitive data within that
container before saving the backup somewhere else. Doing this will achieve two goals in the CIA triad:
confidentiality and availability.

There are two locations that need to be considered when backing up data: locally and remotely. A local
copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed up
data. But what if a natural disaster or a fire occurs and it destroys both your computer and your local
backup device? This is where a remote backup solution comes in; it prevents data loss in the off chance that
this happens. Common methods of remote backups are remote backup services, tapes, external drives,
or hosted services. Another common method is finding someone else in another location (another state
preferably) and you each keep a backup for one another.

For example: let's say that I have a friend (okay, I did say as an example) and that friend lives in another
state. One good way that I can back up my data at his place and his at mine is that we set up a VPN to connect
our networks together. This way, we can send the files securely over the internet without much
complication. Make sure, however, that you trust the other party as they will have your public IP address.

Another device that allows for storage redundancy is a RAID device. RAID (redundant array of
independent disks) is a storage technology that combines multiple disk drive components into a logical
unit. Basically, it is a device that is comprised of several disks for the purpose that if one (or more) drive(s)
fail, data is not lost. This can come in the form of a RAID controller (or software controller) on your
computer, or a network device (such as a NAS box). A NAS box is Network Attached Storage and is a
device that plugs into your network so you can back up multiple devices. These devices are standalone
devices and usually have RAID functionality.

There are a few more solutions if you are going to set up a service that you host and are concerned with
continuity and service availability. All these methods assume that you have multiple servers
available and can configure them and the network they reside in. Firstly, you can configure the site for
mirroring, which is the act of creating an exact copy of one server on another server. Clustering (or failover
clustering) is another method of ensuring availability, as it is a group of devices that act as a single device.
When one device fails in a cluster, another device starts providing the service (a process known as a
failover). And finally, you can implement load balancing on your network, which distributes the traffic load
between several devices in your network.

5.4 DoS and DDoS attacks

DoS (Denial of Service) attacks are the act of making resources unavailable to legitimate users. DDoS
(Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even
thousands) of machines to disrupt access to resources. Usually this is performed by flooding the service
with ICMP packets, forcing the router (or server) to respond to the attacker's request (by replying to the
ICMP packet). Other attacks include sending malformed ICMP packets, flooding the site with resource
requests, or SYN flood attacks.

Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best
accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways: the attacker
can send too many packets or they can send malformed packets. For example, Windows has a packet size
limit of 65500. So anything received that is higher might crash the machine or enable the attacker to
successfully perform a privilege escalation attack. Flooding the site with requests for resources (videos,
pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with Tor sites.

These attacks are mostly an issue that has to be prevented with hardware controls versus
implementations within the website itself. Assuming that you are hosting and managing the website and
the server the website resides on, you can implement ingress filtering on your network to help block some
of the attack. The backscatter traceback method is a good strategy for that. Also, I would block ICMP
packets on your external interface (WAN interface). You should also make sure that all "unallocated
source addresses" are blocked. This means that you should block all packets with private IP addresses that
are coming into your network. You cannot stop DDoS attacks, only mitigate the effect.
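The two WAN-side rules just described (block ICMP on the external interface, drop packets whose source address could not legitimately arrive from the Internet) as an added example, not code from the guide. The interface names, the assumed public prefix (taken from the RFC 5737 documentation range) and the sample packets are all constructed for the illustration.

```python
"""Ingress-filter decisions for a border router's WAN interface.

Added example, not from the original guide. It classifies packets by the rules
the text recommends for the external interface: drop ICMP, and drop anything
whose source address is private or otherwise "unallocated" (RFC 1918 space,
loopback, link-local, multicast, reserved) or claims to come from our own
public range, since such a source can only be spoofed. Sample traffic is
constructed; "wan0"/"lan0" and 203.0.113.0/24 are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Source ranges that must never appear on packets arriving from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on, e.g. "wan0" or "lan0"
    src: str        # source IPv4 address as text
    dst: str        # destination IPv4 address as text
    proto: str      # "icmp", "tcp" or "udp"


def is_bogon_source(src: str) -> bool:
    """True when src lies in a range that cannot be a legitimate Internet source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def ingress_decision(pkt: Packet, wan_iface: str = "wan0",
                     own_prefix: str = "203.0.113.0/24") -> str:
    """Return "accept" or "drop:<reason>" for one packet.

    own_prefix is the public range assigned to the protected network (assumed);
    a WAN-side packet claiming one of those addresses is spoofed.
    """
    if pkt.iface != wan_iface:
        return "accept"                          # these rules apply to the WAN side only
    if pkt.proto == "icmp":
        return "drop:icmp-on-wan"                # block ICMP on the external interface
    if is_bogon_source(pkt.src):
        return "drop:unallocated-source"         # private/reserved source from outside
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(own_prefix):
        return "drop:spoofed-own-prefix"         # outside packet claiming an inside address
    return "accept"


def filter_packets(packets, **kw) -> dict:
    """Apply ingress_decision to each packet and tally the decisions."""
    counts = {}
    for pkt in packets:
        decision = ingress_decision(pkt, **kw)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample traffic as seen at the border router.
SAMPLE = [
    Packet("wan0", "198.51.100.7", "203.0.113.10", "tcp"),    # ordinary client: allowed
    Packet("wan0", "198.51.100.7", "203.0.113.10", "icmp"),   # ping from outside: blocked
    Packet("wan0", "10.0.0.5", "203.0.113.10", "tcp"),        # private source from the Internet
    Packet("wan0", "192.168.1.20", "203.0.113.10", "udp"),    # private source from the Internet
    Packet("wan0", "203.0.113.44", "203.0.113.10", "tcp"),    # claims to be one of our own hosts
    Packet("lan0", "192.168.1.20", "198.51.100.7", "icmp"),   # internal host pinging out: not a WAN rule
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.iface} {pkt.src:>14} {pkt.proto:<4} -> {ingress_decision(pkt)}")
    print(filter_packets(SAMPLE))
```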

Another type of DoS attack is known as an Application layer DoS attack. This type of attack bypasses the
firewall as it uses legitimate traffic to attack the service directly. Application layer attacks can affect many
different applications. A lot of them target HTTP, in which case they aim to exhaust the resource limits of
Web services. Often, they are customized to target a particular Web application by making requests that
tie up resources deep inside the affected network. These attacks are typically more efficient than TCP or
UDP based attacks, requiring fewer network connections to achieve their malicious purposes. They are
also harder to detect, both because they don't involve large amounts of traffic and because they look
similar to normal benign traffic.

Tools for DDoS attacks

To initiate DDoS attacks, you will need the right tools based on your preferences and other factors such as
your platform of attack. The following are samples of DDoS attack tools:
Low Orbit Ion Cannon: LOIC attacks a server by flooding the server with TCP or UDP traffic.
Specifically, it mostly floods the server with ICMP traffic, which is ping traffic
Trinoo: Trinoo is easy to use and has the ability to command and control many systems to
launch an attack
Tribal Flood Network: TFN can launch ICMP, ICMP Smurf, UDP, and SYN Flood attacks against a
victim. This tool was the first publicly available DDoS tool
Stacheldraht: This tool has features that are seen in both Trinoo and TFN and sends commands via
ICMP and TCP packets to coordinate an attack. Another feature of Stacheldraht is that it can
encrypt the communication between the client and the handlers
TFN2K: An upgrade to TFN, this program offers some more advanced features including
spoofing of packets and port configuration options
Shaft: This works much the same way as Trinoo except it includes the ability for the client to
configure the size of the flooding packets and the duration of the attack
MStream: This program utilizes spoofed TCP packets to attack a designated victim
Trinity: This performs several DDoS functions including: fraggle, fragment, SYN, RST, ACK, and
others
Slowloris: Application layer attack that is an HTTP GET based attack. The basic idea is simple: a
limited number of machines, or even a single machine, can disable a Web server by sending
partial HTTP requests that proliferate endlessly, update slowly, and never close
SlowPost: This attack works in somewhat the same way as Slowloris, except that it uses HTTP
POST commands transmitted very, very slowly instead of GETs to tie up Web services
SIP INVITE Flood: The two attacks above both target HTTP; this one is a VoIP flood that targets
SIP (Session Initiation Protocol)
Torshammer: Slow POST DoS testing tool written in Python. It can also be run through the Tor
network to be anonymized

What do they mean?

Let me take a second to define some of the attack terms as presented above:
ICMP DoS: An attacker can use either the ICMP "Time exceeded" or "Destination unreachable"
messages. Both of these ICMP messages can cause a host to immediately drop a connection
ICMP packet magnification: An attacker sends forged ICMP packets to bring down a host. As an
example (as presented above), Windows has a packet size limit of 65500. So anything received
that is higher will be fragmented. Since the machine cannot reassemble the packet, it might crash
or reboot
ICMP Smurf attack: An attacker sends forged ICMP echo packets to vulnerable networks'
broadcast addresses. Doing this will tell all the systems on the network (inside the broadcast
domain) to send ICMP echo replies to the victim, consuming the target's available bandwidth
SYN flood attacks: A SYN flood attack takes advantage of the TCP three-way handshake. A SYN
flood attack spoofs the IP address, thereby forcing the server to keep the connection open while
waiting for the ACK message (which is never sent) from the client, and uses resources in the
process
RST attacks: This attack works by injecting RST packets into a TCP stream, tricking the server into
closing the connection. RST attacks are performed against other users trying to use a particular
resource
Fraggle attacks: Fraggle attacks are similar to Smurf attacks except that Fraggle attacks use
UDP packets instead of TCP packets

Chapter 6_ System Hardening

System hardening is the process of securing a system by reducing its surface of vulnerability (the attack
surface, which is the components of a system that an attacker can use to break into the system). A
system has a larger vulnerability surface the more that it does; in principle a single-function system
is more secure than a multipurpose one. We will also go over several other risk mitigating methods when
dealing with Windows. This will include the removal of unnecessary software, unnecessary usernames or
logins, and the disabling or removal of unnecessary services.

Topics

This Chapter will cover the following topics:
Uninstall Unnecessary Software
Disable Unnecessary Services
Disable Unnecessary Accounts
Update and Patch Windows and Other Applications
Password Protection


6.1. Uninstall Unnecessary Software

The first step in hardening a system is to remove unnecessary programs. Start by removing unnecessary
third party programs that are installed on the machine. You also want to look at programs that were
installed when downloading or installing other products, whether intentional or not. For example, when
you purchase a machine there is a bunch of software that comes preinstalled that you probably never use.
I would recommend reviewing everything that is installed and removing all software that you do not need.

Try it out: Uninstalling software

1. Open the Start Menu and go to Control Panel
2. Select Uninstall a program or Add/Remove Programs
3. Right click the unnecessary programs from the list and click Uninstall

6.2. Disable Unnecessary Services

Once all of the unnecessary software has been uninstalled from the machine, you should then start disabling all of
the unnecessary services that are running in the background. Each service provides support for the
application it belongs to; many of them provide functionality for Windows. You should get a listing
of all the system services running on the system and evaluate whether each service is needed. Also know
that I am referring more to third-party services than to Windows services. Make sure to do your research
on each service before disabling anything.

Try it out - Removing services

1. Open the Start Menu and go to Control Panel
2. Select Administrative Tools and open Services
3. Review and identify each unnecessary service
4. Right-click the unnecessary service and select Disabled in the drop-down box next to Startup
type. Stop the service and press OK


6.3. Disable Unnecessary Accounts

An aspect that is often overlooked is disabling accounts that are not currently being used. You will need
to determine whether you need information from that account (if you remove the account data) or need to use services
that can only be used from within that account. Windows XP has the administrative account enabled with
a blank password by default, whereas Windows Vista and 7 disable the account by default. Also, a quick
word from the real world: make sure when creating a user account not to use anything that can possibly
identify you as doing something illegal. A real-world example: someone actually created a separate
account named childporn, so he could hide all his illegal materials in that account. Better yet, he hid all
materials in a folder on his desktop named childporn! Not only can forensic investigators see all the
accounts that are currently on the machine, but they can see previously deleted accounts as well.

Try it out - Removing user accounts

1. Open the Start Menu and go to Control Panel
2. Expand User Accounts and select the account you wish to delete
3. Click Delete the account


Note: One good recommendation is to create and use a standard account with no Administrative
privileges. This way, if a virus is executed, it only has the privileges of the account that you are in. Also, I
would make sure your username does not contain your full name, as many applications such as Pidgin
can share this information.

What I meant by that is that all the account data is contained in the Windows Registry, which will contain user
accounts that are being used now and those that were deleted from within the Control Panel. For this
reason, forensic investigators use the registry keys when performing their analysis. Furthermore, they
can view other sensitive artifacts from the user's unique registry hive if they are left intact. The location of
the registry keys that contain the user information is here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

As you can tell from the image, the selected user account has the username admin. This can be seen
from the ProfileImagePath registry value. Remember the SID for later use. Once you have gone through
all the keys under ProfileList and have located yours, you can right-click the key as shown in the image
above and select Delete. Now that you have deleted the user account from the registry, you should
also delete the actual user data from the registry. Navigate to HKEY_USERS\%SID%
to remove the data for that user. This data can include recent file lists, open file dialogs, shell
bags, etc.

Finally, you should locate the profile path in Explorer to remove all files that are contained within the
hierarchy. For Windows Vista/7/8, the location will be C:\Users\%username% and for XP this path will
be C:\Documents and Settings\%username%. This should be done securely to ensure that no data can
be recovered.

6.4. Update and Patch Windows and Other Applications

Another step in hardening the system is updating the Operating System and all software installed on the
machine. When you patch the system, you are applying security fixes for known vulnerabilities in the
software that is running on the system. These vulnerabilities are what remote attackers use to gain access
to the system. Without patching the system, you are opening up your machine to attack by these
malicious hackers.

Windows updates should be enabled as they provide many fixes concerning Windows security. Individual
software and applications should also be updated as soon as a known stable version of the update is
available. Usually, when vendors release an update, it is stable unless stated otherwise. I
recommend the use of a tool that checks the programs installed on the machine and reports the ones that
are out of date. A good program for this purpose is Secunia PSI. This program will constantly check the
programs installed on your machine and report which ones are out of date, which ones are scheduled for
an update, and which ones can be updated manually.

6.5. Password Protection

A final practice you should incorporate in system hardening is password-protecting your devices. On your
computer, you should make sure that all of the user accounts that are enabled are password protected.
This is especially true when folder shares are involved. Make sure that the passwords on your machine
are all strong so an attacker cannot use an account to gain access to your machine. For example, when
you mount a TrueCrypt container, it can be explored from another computer on the network using an
account on the local machine if they have the correct permission. This means that even if you have the
world's strongest password for TC, an attacker can still gain access to its contents using your Windows
password over the network. Also, by default Windows XP has the administrative account enabled without
a password. Windows 7 and 8 have this administrative account disabled by default.

Note: A program that I would recommend looking into is Microsoft Baseline Security
Analyzer (MBSA), which is a free security and vulnerability assessment (VA) scan tool to
improve the security management process and assess or determine security state in accordance
with Microsoft security recommendations; it offers specific remediation guidance.
Note: When you mount a TrueCrypt container in Windows, it can be explored from
another computer on the network using an account in Windows if they have the correct
permission. For this reason, make sure that your Windows password is not easily guessed!
You can test this out by trying the Try it out "Explore your computer from another machine"
and replacing the C$ with whatever drive letter the TrueCrypt container is. You can also see if your
container is mounted via Windows Shares and if it is, you can stop the share. Also, I would
change the permissions for the TrueCrypt file.

Try it out - Password protect computer accounts

1. Open the Start Menu and go to Control Panel
2. Expand User Accounts and select the account which you want to create a password for
3. Click Change Password

Try it out - Explore your computer from another machine

1. Find your IP address on your computer. Start the command prompt: Start > Run > cmd > OK
* Windows Vista/7: type cmd in Search Programs and Features. A black box should pop up
2. Type in ipconfig and, under the adapter you are using, record the IP address next to IPv4
(example: 192.168.1.5) * rarely will people use IPv6
3. Hop onto the other computer and open up Windows Explorer
4. In the address bar, type in \\ followed by your computer's IP address, finished with a \, your
drive letter and a $ (usually C). For example, I type in \\192.168.1.5\C$
5. You will be prompted to enter the username and password for your machine

Chapter 7_ Antivirus, Keyloggers, Firewalls, DLPs, and HIDs

Malware, short for malicious software, is software used or created to disrupt computer operation, gather
sensitive information, or gain access to private computer systems. It can appear in the form of code,
scripts, active content, and other software. This is not only annoying, but if malware is running on your
machine, your security is at risk. Notice that all these solutions can be either hardware or software.
Hardware solutions are usually on the perimeter in the form of an all-in-one device (SonicWall or
Fortigate, for example).

Topics

This Chapter will cover the following topics:
Antivirus
Hardware Keyloggers
Firewalls
DLPs
HIDSs
Other Considerations

7.1. Antivirus

'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
This software comes in several different flavors, but we will only be talking about Spyware and Trojan
Horses. Trojan horses are often delivered through an email message where they masquerade as an image
or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities
in web browser software such as Microsoft Internet Explorer. Spyware, on the other hand, covertly
monitors your activity on your computer, gathering personal information such as usernames, passwords,
account numbers, files, and even driver's license or social security numbers.

Antivirus software can protect you from viruses, worms, Trojan horses and other types of malicious
programs. More recent versions of antivirus programs can also protect from spyware and potentially
unwanted programs such as adware. Having security software that gives you control over software you may
not want and protects you from online threats is essential to staying safe on the Internet. Your antivirus
and antispyware software should be configured to update itself, and it should do so every time you
connect to the Internet.

Case: The Computer and Internet Protocol Address Verifier (CIPAV) is an illegal data-gathering
tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on
suspects under electronic surveillance. The software operates on the target computer much
like other forms of illegal spyware, in that it is unknown to the operator that the software
has been installed and is monitoring and reporting on their activities.

Location-related information, such as IP address, MAC address, open ports, running
programs, operating system and installed application registration and version information,
default web browser, and last visited URL, was captured. Once that initial inventory is
conducted, the CIPAV slips into the background and silently monitors all outbound
communication, logging every IP address to which the computer connects, and time and date
stamping each.

7.2. Hardware Keyloggers

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users'
keystrokes, including sensitive passwords. They can be implemented via BIOS-level firmware, or
alternatively, via a device plugged inline between a computer keyboard and a computer. They log all
keyboard activity to their internal memory. Hardware keyloggers have an advantage over software
keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able
to intercept passwords for the BIOS or disk encryption software).

You might think that physical inspection is one way to defend against hardware keyloggers, but it is
not. Nor is using a wireless keyboard, as that sort of keylogger doesn't necessarily have to be hidden
outside of the keyboard. A dedicated attacker may just as well place an extra chip inside of the keyboard
or replace it altogether with a manipulated keyboard of the same model to record keystrokes without any
obvious visual cues. So, the best way may be to use different keyboard layouts before entering the
password. Furthermore, you can also enter random data within the password and go back to remove
it later. And finally, you can use tokens as well as a password when logging into your computer.

7.3. Firewalls

A firewall is usually your computer's first line of defense; it controls
who and what can communicate with your computer online. You
could think of a firewall as a sort of "policeman" that watches all
the data attempting to flow in and out of your computer, allowing
communications that it knows are safe and blocking "bad" traffic
such as attacks from ever reaching your computer. Configuring
your firewall can prevent Spyware or other confidential data from
leaving your network entirely. It can also prevent remote
attackers from hacking into your computer. Most AIO (all-in-one)
security solutions such as Norton, McAfee or BitDefender
have a firewall built in. For a free firewall, Comodo firewall is a
good alternative: https://personalfirewall.comodo.com/.

7.4. DLPs

A data leakage prevention solution is a system that is designed to detect potential data breach incidents in a
timely manner and prevent them by monitoring data while in use (endpoint actions), in motion (network
traffic), and at rest (data storage). Importantly, personal DLP software can protect you from accidentally
disclosing confidential or sensitive data. Some AIO security software does this, as well as some free software.

Note: Most Linux distros, including Redhat/CentOS/Fedora, install iptables by default. It has become a
standard option in all distros. If it is not installed, you can use the command yum install iptables, or
apt-get install iptables if you are using Ubuntu.

7.5. HIDSs and NIDs

The principal operation of a HIDS (Host Intrusion Detection System) depends on the fact that successful
intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own
the computer they have attacked, and will establish their "ownership" by installing software that will grant
the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming,
botnet activity, spyware usage etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do
just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet
Explorer leaks, DLL injections, malware drivers, etc. HIDSs are installed on your machine and a baseline
must be taken before a HIDS can detect any anomalies. Many antivirus programs have a basic HIDS
built into the software as an added feature.

Network IDSs, on the other hand, sit on your network to monitor all traffic coming into your network and
alert you to any attacks. There are several methods of detecting an attack, including anomaly-based
detection and signature-based detection. Also, detection is either passive or active,
depending on whether you want the IDS to actually take action or not. You should know when setting up an IDS
that there will be false positives, as it takes a while for the IDS to learn and for you to teach it. Also, you will
need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in businesses.

7.6. Other Considerations

What you download can affect security. Make sure that what you download is safe; it should go without
saying, but it is good to hear nonetheless. PDFs, Word documents, executables, broken pictures, and binders
are all security issues. Make sure that you protect yourself by downloading alternative PDF viewers (or
blocking your PDF application from connecting to the internet), disabling Macros if you use Microsoft Office
programs, disabling JavaScript in Adobe Acrobat/Reader if you use it, etc. Lastly, make sure that you are
updating your web browser, and if you are using the Tor Bundle, update that as well. These releases
are extremely important for security and often include patches for found vulnerabilities.

Chapter 8_ Networks

Keeping your network secure is a must to ensure you keep intruders out and your information from
getting into the wrong hands. Furthermore, it protects you from other people hopping on your
network, doing something illegal, and having the evidence point to you. Network security covers a
variety of computer networks, both public and private, and you should concern yourself with both. This
chapter will explain some of the common methods of security and give a brief introduction to a few
networking terms, as well as security concerns when hopping on another person's network. This will
include both hardware and software methods to ensure this security.

Topics

This Chapter will cover the following topics:
Private vs. Public IP Address
MAC Address
Public Wireless
Security Protocols
Chat Sites - How Attackers Attack
Other Considerations

8.1. Intro to Networking

Before we begin diving into this section, we are going to discuss the fundamentals of networking. If you
are wondering why, it's because we are going to use networking terminology and the functionality it
serves. So the first question you may ask will be answered first. What is a network?

A computer network or data network is a telecommunications network that allows computers to
exchange data. There are two types of networks: a public and a private network. A private network is
typically the devices within your home or place of business. Within the private network, you have
interconnected devices such as computers, gaming devices, phones, media servers, etc. Then we
have a public network, which is an interconnected network of private networks reachable on the
internet.

Now that you know what a network is, we are moving on to how these devices in a network physically
connect to each other. Inside a private network, all the devices that connect via a cable (also called
Ethernet cables) are plugged into a network switch or the less popular device known as a network
hub. I specify network switch as there are a couple of different types of switches. Switches provide more
speed and security than network hubs. We won't get into the security features in this guide.

I will state later on in this guide that if the administrator of the network device is using a hub, they can
capture all data easily. Most of you are familiar with a basic home router. But most of you don't know
that with a home router, the ports in the back are actually switch ports, built into the router itself.
There are two primary differences between hubs and switches: hubs are half duplex whereas switches
are full duplex, and hubs have one collision domain versus switches, which have a collision domain per port.
Basically, full duplex means the device can send and receive information at the same time, whereas half
duplex devices cannot. Wireless devices send data in
half-duplex mode as well; this is one reason why
wireless connections are slower than wired
connections.

A network collision occurs when more than one device
attempts to send a packet on a network segment at the
same time. And a collision domain defines where
packets can collide with one another. So for example,
let's say you have a 5-port hub. A hub has one collision
domain; so all the information being sent through any
one of those ports can collide with any data from the
same port or another port. If you are plugged into port
1, information will be sent to ports 1, 2, 3, 4, and 5. A
switch on the other hand may have 5 ports, but each port only transfers packets to the host that is
using that port. So, port 1 transfers packets only through port 1, port 2 through port 2, port 3 through
port 3, and so on. I also said that a switch can send and receive packets at the same time, making
collisions near impossible. As you can see in the illustration, when Host A wants to send information to
Host B, a hub sends the data to all ports and a switch only sends the data to the port Host B resides on.
An attacker can sit on Host C or D and capture all the traffic coming from another device.

Now you know how devices are connected within a private network: with the use of switches. Next, we
are going to talk about how different networks connect with one another and how devices within a
network can talk with each other. Remember though, this is an intro to networking, so I will not be
going into any technical details. That said, a group of networks are connected with one another using
a router. And a router does just as the name implies; it routes between two or more networks. Look
below for a basic network diagram.

So, let's talk about the illustration above to learn more about how these devices communicate. As you
can see, two or more networks communicate via a router. This can be seen in the diagram as Router A
and Router B, which specify two different networks. Branching off from the routers, a network
switch is used. Again, the switch connects the devices within the network and the router routes traffic
between networks. Finally, connected to each switch are the devices within each private network.

Moving on, what we just described was how devices connect to each other physically, but not logically.
I told you the basics on network switches and hubs and how they route traffic. But they cannot route
traffic if the devices in the network do not have IP addresses. An Internet Protocol address (IP address)
is a numerical label assigned to each device (e.g., computer, printer) so that they may communicate with
one another. To help facilitate this, there is a service known as a DHCP service, which stands for Dynamic
Host Configuration Protocol, and is responsible for leasing out IP addresses to devices connected to the
network.

There are two types of IP address: a public IP address and a private IP address. Public IP addresses are
used over the internet and private IP addresses are used within private networks. Private addresses fall
within these ranges:

192.168.0.1 to 192.168.255.254
172.16.0.1 to 172.31.255.254
10.0.0.1 to 10.255.255.254

When dealing with IP addresses and networking, there are two other numbers that you should also
know about: subnet masks and default gateways. A subnet allows the flow of network traffic between
hosts to be segregated based on a network configuration. By organizing hosts into logical groups,
subnetting can improve network security and performance. For example, most home devices are given a
subnet mask of 255.255.255.0, which looks like 11111111.11111111.11111111.00000000 in binary
notation. Without getting into subnetting, which could take me pages to explain, any device that has the
same numbers in the first three octets with a subnet mask of 255.255.255.0 can communicate.

For example: 192.168.1.2, 192.168.1.3, 192.168.1.4 and so on can communicate with each other,
but devices with IP addresses of 192.168.1.2 and 192.168.2.2 cannot communicate. This is because they
are in two different networks and are therefore logically separated. Furthermore, by changing the subnet mask you
can change the number of hosts per network. We won't get into that at all as, again, that deals with
subnetting. You might also notice that if your network is full, the first IP address and the last IP address are
not used at all. In this case, 192.168.1.0 and 192.168.1.255 are not used: 192.168.1.0 is the network
address and 192.168.1.255 is the broadcast address. Finally, the default gateway is the gateway of last
resort and is used to route traffic when the device does not know where else to send it. Practically speaking, your
home router acts as your default gateway (and your DHCP server) as it knows how to send data within
the network and over the internet.
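The subnet mask arithmetic above, carried through with Python's standard ipaddress module as an added example (not code from the guide): which hosts share a network, the network and broadcast addresses a full /24 cannot hand out, how a wider mask changes the host count, and whether an address falls in one of the three private ranges listed. The host addresses used are the ones from the text; the private ranges are written as CIDR blocks equivalent to the listed ranges.

```python
import ipaddress

# The three private ranges the text lists, written as CIDR networks
# (constructed table for this example, not code from the guide).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if the address falls inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def mask_to_binary(mask: str) -> str:
    """Dotted-decimal mask -> dotted binary, e.g. 255.255.255.0 -> 11111111.11111111.11111111.00000000"""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def describe_subnet(ip: str, mask: str) -> dict:
    """Network address, broadcast address, usable host range and host count for one host/mask pair."""
    # strict=False lets us pass a host address rather than the network address itself
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if net.prefixlen <= 30:
        # first and last addresses are network and broadcast, so they are never given to a host
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        # /31 and /32 reserve no broadcast address (an edge case the text does not cover)
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
        "mask_binary": mask_to_binary(str(net.netmask)),
    }


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts can talk directly only when the mask maps both to the same network address."""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask}", strict=False)
    return net_a.network_address == net_b.network_address


def hosts_per_network(mask: str) -> int:
    """The 'changing the mask changes the host count' point: usable hosts for a given mask."""
    return describe_subnet("0.0.0.0", mask)["usable_hosts"]


if __name__ == "__main__":
    print(describe_subnet("192.168.1.2", "255.255.255.0"))
    print(same_subnet("192.168.1.2", "192.168.1.3", "255.255.255.0"))  # True
    print(same_subnet("192.168.1.2", "192.168.2.2", "255.255.255.0"))  # False
    print(same_subnet("192.168.1.2", "192.168.2.2", "255.255.0.0"))    # True: a wider mask joins them
    print(hosts_per_network("255.255.255.0"), hosts_per_network("255.255.0.0"))  # 254 65534
```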

Another area concerning networking is ports and the actual process of data traversing networks.
Every service is assigned a port and usually these ports do not change. For example, port 80 is always
used for HTTP (web traffic), port 443 for HTTPS, port 53 for DNS, and so forth. When you request a
service, you are requesting the service by using that particular port, and not by the DNS name
(Google.com) that you wish to use. Let's say that you opened up Firefox and want to go to Google.com.
Your computer will first be requesting the data on port 53 (DNS) to request an IP address for
Google.com and then port 80 to request the actual information. If you are using another service from
Google.com, such as their music service, you will be requesting the service using a different port. More
information on this process can be found in section 8.3.

Moving along, when your computer is requesting information, the socket (or communication flow) is
actually assigned a random port number to make the request. This new port number is per connection
and not per packet. So, for example, if you are requesting HTTP traffic (port 80), you are actually
assigned a random port of, for example, port 1000001. This is in case you have multiple applications
requesting different information for the same service/port number. Opening up several tabs in Firefox
provides a good illustration of this; each tab is assigned a different port number, so your computer knows
where to send the traffic once it is received by your computer. Not only does your computer do this, but your
router does when using a feature called PAT, the other routers do this when data is being sent across the
world, and the web server (Google.com) does this when opening a connection and sending information
back to you. The easiest way to think of a reason for opening up random ports is that the random
ports are uniquely assigned names for each service requesting the information.

Note: PAT stands for Port Address Translation and is when multiple devices on the network must use
one Public IP address. You may have heard people refer to this process as NAT, or Network Address
Translation, which is accepted for use, but technically incorrect. Example: most home users that use a
router are using PAT without knowing it. PAT is used so all the devices in your network can access the
internet with the Public IP address that is assigned by your ISP.
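The PAT behaviour the note describes, as an added toy model (not code from the guide): a router that gives every inside ip:port its own port on the one public IP, reuses the entry for an existing flow, and maps replies back by that port, dropping inbound packets that match no entry. The public and server addresses are constructed documentation-range values and the sequential allocator starting at 49152 is an assumption; real routers also key entries on the destination and expire idle ones.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields PAT rewrites (a constructed model, not a real IP/TCP header)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port Address Translation: many inside (ip, port) pairs share one public IP,
    each flow getting its own public-side port so replies can be told apart."""

    MAX_PORT = 65535  # ports are 16-bit, so the translation pool is finite

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self._next_port = count(first_port)  # assumed allocator: sequential from the ephemeral range
        self._outbound = {}   # (private_ip, private_port) -> public_port
        self._inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to public_ip:allocated_port, reusing the entry for a known flow."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            port = next(self._next_port)
            if port > self.MAX_PORT:
                raise RuntimeError("PAT table exhausted: no free public port")
            self._outbound[key] = port
            self._inbound[port] = key
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Map a reply back to the inside host. A packet that matches no entry (an unsolicited
        connection from the internet) is dropped, which is the incidental protection PAT gives."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self._inbound.get(pkt.dst_port)
        if key is None:
            return None
        private_ip, private_port = key
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

    def table(self) -> dict:
        """Snapshot of the translation table, the way a router would list its translations."""
        return dict(self._outbound)


if __name__ == "__main__":
    router = PatRouter("203.0.113.7")  # constructed public IP
    # Two inside hosts pick the same source port and both talk to the same web server.
    a = router.translate_outbound(Packet("192.168.1.2", 51000, "198.51.100.10", 80))
    b = router.translate_outbound(Packet("192.168.1.3", 51000, "198.51.100.10", 80))
    print(a, b)  # same public IP, different public ports
    reply = router.translate_inbound(Packet("198.51.100.10", 80, "203.0.113.7", b.src_port))
    print(reply)  # delivered to 192.168.1.3:51000
    print(router.translate_inbound(Packet("198.51.100.10", 80, "203.0.113.7", 60000)))  # None
```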

Router 2 would be on the same network as the server, Freepizza.com. When using the internet, as in most cases, there would be
several more networks between Router 1 and Router 2. These were omitted intentionally for simplicity purposes.

The above illustration briefly, and simplistically, demonstrates how data is forwarded from one network
to another. You will see that Bob wants to view the site Freepizza.com to get some delicious, free pizza.
One fundamental concept you need to realize is that routers do not use MAC addresses. Without
getting into the OSI model, MAC addresses, also explained in section 8.3, are only used for your local
network. When data is sent through the internet, or across networks (as demonstrated by different
routers), only the IP address is used. Let me go over the illustration above.

Bob wants to send the data to freepizza.com, but he does not know how to get there. So, Bob sends a
packet to Router 1. He says, "This packet is going to 192.168.1.1 (Router 1) and is from 192.168.1.2."
Router 1 sees that Router 2 knows how to get to Freepizza.com so he proceeds by sending the packet to
Router 2 (this is because Router 2 advertises that he knows how to get to freepizza.com and Router 1
advertises he knows how to get to Router 2). Now again, routers do not care about MAC addresses so
they remove the MAC address and replace the IP addresses (Source and Destination) with their own
source and destination header. In this case, the Source IP Address of 192.168.1.2 and Destination IP
Address of 192.168.1.1 are replaced with the Source IP address of 192.168.1.1 and Destination IP
Address of 10.0.1.1. When Router 2 receives the packet, he will say, "Hey, I know where Freepizza.com
is! He is at 10.0.1.2." Again, without getting into how MAC addresses work and when they are used,
Router 2 will replace that IP Address information with the Source IP Address of 10.0.1.1 and Destination
IP Address of 10.0.1.2. The MAC address will be used inside the network between the switch (not in the
diagram) and the router/pizza.com server.

Phew, aren't you glad that's over with? Not quite, I say! We still have to describe how data is sent back
through the network to Bob. This part will go much quicker as we have already described the
fundamentals of how the packet got there in the first place. So, when Freepizza.com is ready to send
the information back to Bob, it follows the exact same process as in getting there, except it uses the Source
IP address to send the data back to whoever sent it in the first place. The data headers are still
replaced and the MAC addresses are still removed.

It is for this very reason that when you are a Tor exit node, you are at risk of people coming to your
house if someone does something illegal and gets caught doing it. The Tor exit node only has the IP
address information of the router it is at (known as the Public IP address). All the IP address
information of the Tor user and all hops in between is stripped away and only accessible by each
individual hop. Now, Tor uses encryption and various other methods of hiding the IP address
information, but this is a simple explanation of how data travels across networks.

Wrapping this up, when computers want to communicate in a network they send an ARP request that
is used by the network devices and the network switch to send data to other devices within the same
network. I describe this process further down in the guide when explaining ARP replay attacks,
so I will skip it for now. Routers can communicate directly with one another using a DCE/DTE cable or
through the internet via a modem. Old modems converted the incoming data from analog to digital and
vice versa on the way out. Cable modems, which are used most nowadays, convert the cable feed into
a format that can be used by several devices in your home. Your ISP uses DHCP services to lease you
an IP address so you have internet access. When you are finally able to communicate within your
network or over the internet, data is sent in what are called packets. Packets and packet forensics are
described below in section 8.4.

8.2. Private vs. Public IP Address

A private IP address (assigned by the owner's wireless device) is assigned per device in the network from
a DHCP pool. DHCP pulls from a list of available IP addresses and assigns one when a device is attached to the
network. A certain IP address is not assigned to a specific device (there is no static mapping); therefore
people cannot use IP addresses to locate your specific device. Static IP addressing can be used, but
typically is not used in a home environment. When you connect to a wireless device, it is possible that the address
changes each and every time you connect, depending on what else is connected to the network. Also,
unless the IP address is currently leased out, nobody will be able to look in a log (typically) to determine
what IP address was connected when.

The other IP address is known as a Public IP address. This type of address is what your ISP (Internet Service
Provider) uses to identify you. When you log into a website, this is the IP address that is logged. When
you use proxy or VPN services, the Public IP address is hidden and the VPN/proxy IP address is
exposed. If somebody has your IP address, they can get the geographical location of where you live,
whereas your ISP has your name, telephone number, home address, and whatever else you have given
them. Lastly, when you are connected to a person directly (DCC, video chat, P2P, etc.), they can also log
your Public IP address.

8.3. MAC Address

Think of a MAC address like a bank account number; we are each given a bank account number so when
we make a purchase, at a grocery store for example, the grocery store knows how to send the payment
to your bank and vice versa. Similarly, a MAC address, which is unique to your wireless card, allows the
router to know where to send the data. And if you really care, the MAC address is held in an ARP table,
but we won't get into that.

When you connect to a network, the router logs the computer's MAC address and temporarily saves the
computer's IP address. People can also sniff the network to see what you are doing and record your MAC
address that way. And yet another way people can get your MAC address is if they use software that
monitors the network and records all the devices automatically. All these methods have one thing in
common (besides the obvious): they can only record the addresses that are broadcast, meaning if you
change your MAC address, these methods are useless.

Note: To change the MAC address in Linux, you can use the hw ether option of ifconfig: ifconfig eth0 down >
ifconfig eth0 hw ether 00:00:00:00:00:00 > ifconfig eth0 up > ifconfig eth0 | grep HWaddr. Notice, you
will use a custom MAC address instead of 00:00:00:00:00:00 and run each command separately (as
delimited by the > character). Also, you will want to replace eth0 with the adapter that you are using.

People use MAC address changers for many reasons; mostly for getting free WiFi by bypassing MAC
address filtering or performing MAC flood attacks. If you connect to a public network, or your neighbor's
network, I would use a MAC address changer to make it hard to locate you. Earlier, we said that a MAC
address is unique to your computer; so if they were to look at all of the devices in your house, they won't
find the device with the MAC address that was logged because it has been changed. The easiest way to
change the MAC address is to download a program to do it for you; otherwise you can change it in your
network settings. Win7 MAC Address Changer Portable is a good program to do this for you.

As a quick note, another recent discovery that can identify individual computers and that cannot be spoofed
(as of yet) is using the computer's graphics card. The PUFFIN Project (physically unclonable functions
found in standard PC components) has brought forward research suggesting that GPU manufacturing
processes leave each product with a unique "fingerprint." The PUFFIN team has created software that
can detect these physical differences between GPUs. This is another way that someone can determine
whether your device was used in a crime if your GPU fingerprint was obtained. PUFFIN's research will
run until 2015.

8.4. Public Wireless

It is up to you whether or not to stop using the neighbor's wireless. But know they can see Tor traffic if
they use a packet sniffer and perform a MiTM attack when their wireless network is not protected, if they
are using a network hub which broadcasts information out of all ports, if they have a managed switch
and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access
Point). Even though they can see Tor traffic, they cannot see what you are doing inside of Tor and they
still will have no clue that it was you. If they could, the purpose of Tor would be defeated. There are other
risks with using public networks (or your neighbor's network), therefore it is not recommended (unless
you are absolutely sure that you are safe).

These risks include attackers remotely logging into your computer via a known backdoor or an exploit.
The best known Operating System for attacking a machine is BackTrack. BackTrack is a Linux-based
penetration testing arsenal that aids security professionals in the ability to perform assessments in a
purely native environment dedicated to hacking. The methods of attack in BackTrack are against
operating systems, applications, phones, networks, internet protocols, websites, etc. The best part
about BackTrack is that it is free! I would start with getting a good firewall and antivirus for your
computer. Also, make sure you follow the System Hardening section (Section 6) to help correctly configure
your machine.

As always, I would use Tor for all sensitive information for which you do not want anyone to learn your
location or monitor your browsing habits. To protect all other sensitive data that does not require such
anonymity, I would recommend the use of a VPN. A VPN reroutes all computer traffic through a secure
tunnel to a trusted third party (or a designated network) before the information reaches its destination.
This provides security against anyone sniffing your computer traffic as all information is encrypted.
Common reasons for a VPN are: checking emails, checking your bank account, application data
security, or transmitting insecure data over a secure data stream. The difference between Tor and a VPN
is that when using Tor, nobody knows who you are, whereas with a VPN somebody always does.

Network Sniffing Tools

There are several sniffing tools available. Listed below are some of the common tools:
- Wireshark - One of the most popular packet sniffing programs available; it is the successor to Ethereal, offering a tremendous number of features to assist in dissecting and analyzing traffic
- Omnipeek - Created and manufactured by WildPackets, Omnipeek is a commercial product that is the evolution of EtherPeek
- Dsniff - A suite of tools designed to perform sniffing as well as other tools to reveal passwords. Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent for Windows
- Cain and Abel - Provides much of the same tools as Dsniff but also provides features such as ARP poisoning (a MiTM attack can be performed inside a network), enumeration of Windows systems, and password cracking
- Etherape - A UNIX/Linux tool that was designed to show the connections going in and out of the system graphically
- NetWitness Investigator - A free tool that allows a user to perform network analysis as well as packet reassembly and dissection

Here is an example of what captured packets look like in Wireshark. If you want to learn more about network investigations, using packet sniffers and analyzing the data is a good way to start. Starting with the fundamentals, I would learn about simple networking and the basic port numbers and what they are used for. Let's use the example above and learn what is going on.

- The first four packets we will talk about (No. 8-11) are all DNS packets. Packet 8 is a DNS request from IP address 192.168.82.133 to IP address 208.67.222.222 for the domain www.youtube.com. The Source field is your IP address (or the address of the originating computer). The Destination field is the address where the data is going. The protocol is DNS as seen in the Protocol field. DNS is Domain Name Service and is the protocol used to get the IP address from a domain name. And finally, the Info field contains the data within the packet. In this case, packet 8 requests the record (Standard query A www.youtube.com) and packet 9 responds with the CNAME record and the IP address (Standard query response). The A record is the standard record that maps the domain name to the IP address, and the CNAME record is a type of DNS record that specifies that the domain name is an alias of another, canonical domain name.
- Moving on, packets 12-14 are the standard TCP three-way handshake. More information can be found in section 8.5; it is denoted by the packets [SYN], [SYN, ACK], then [ACK]. Once the final [ACK] packet has been sent, the connection is made and information can flow.
- The next packet is the GET request. This packet is telling the HTTP server that it is requesting resources (in this case, the content on the web page). If you submit data you will see a POST request, meaning that you are sending resources to the web server.
- Finally, the user is sending and receiving information from the website, as you can see by the Source port in the information pane. Port 80 (http) denotes web traffic and is used when a user is trying to access a web page.
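As an added example (not code from the guide), here is a small Python parser for the two DNS packets just described: it builds a constructed query for www.youtube.com and a constructed response carrying a CNAME and then an A record, and decodes them into the kind of one-line summary Wireshark shows in its Info column. The CNAME target cdn.example.net, the address 203.0.113.5 and the transaction ID are placeholders, not data from the capture.

```python
"""Parse the DNS query/response pair described above (packets 8 and 9).
Added example (not from the guide); the sample packets are constructed
in-line and the CNAME target and IP address are placeholders."""
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels (builds the samples)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at offset `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg: bytes) -> dict:
    """Return header flags, the question section and the answer records."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A: 4-byte IPv4 address
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                         # CNAME: another (compressible) name
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def summarize(msg: bytes) -> str:
    """One-line summary in the spirit of Wireshark's Info column."""
    p = parse_dns(msg)
    qname, qtype = p["questions"][0]
    if not p["is_response"]:
        return f"Standard query {qtype} {qname}"
    rrs = " ".join(f"{t} {v}" for _, t, _, v in p["answers"])
    return f"Standard query response {qtype} {qname} {rrs}"


# Constructed packet 8: standard query, A www.youtube.com (12-byte header,
# then the question). The transaction ID 0x1234 is arbitrary.
QUESTION = encode_name("www.youtube.com") + struct.pack("!HH", 1, 1)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION

# Constructed packet 9: response with a CNAME and then an A record for the
# canonical name. Both answer names use compression pointers (0xC0xx).
_CNAME_RDATA = encode_name("cdn.example.net")          # placeholder alias target
_CNAME_RDATA_OFF = 12 + len(QUESTION) + 2 + 10         # where that rdata will sit
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(_CNAME_RDATA))
            + _CNAME_RDATA
            + struct.pack("!H", 0xC000 | _CNAME_RDATA_OFF)
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5]))

if __name__ == "__main__":
    print("No. 8:", summarize(QUERY))
    print("No. 9:", summarize(RESPONSE))
```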

This is the basic overview of web traffic that can be captured and read. Protocols such as FTP and HTTP are all done in clear text, meaning you can read all the data that is contained within the packets. This is especially a problem for the user if information such as usernames or passwords is being sent. FTP, for example, requires the user to log in to the server, but sends all the information in the clear. The picture below is an example of network traffic that captured the FTP username and password. The Destination field tells you that the FTP server has an IP address of 10.0.8.126 and the user requesting it has an IP address of 10.0.4.232.

There are two more things that I want to discuss before moving on to the next section:
1. When using Wireshark, you should familiarize yourself with filtering and Follow TCP Stream
2. Reassembling packets to view data such as images and getting a detailed view of packet analysis

One popular feature of Wireshark is to follow the stream of captured packets. Let's say that a user is sending an email and has attached a compressed file along with it. Using Wireshark, you can find a packet in the stream, right-click the packet, and select Follow TCP Stream. A new window will open with all the data in the stream, which will contain the file you are trying to download. Once the new window is opened and fully loaded, you can click Save As to save the data to a file. The file is now ready to be opened with the program that handles the file type.

Moving along to the second item on the list, you can also reassemble packets to view the information contained within those packets. Let's say for example that someone views a bunch of images over the internet. Reassembling the packets will allow you to view the images the user viewed. Now, Wireshark is good for capturing packets and is a great program for a bunch of purposes, but it is not a great program when trying to do this. Personally, I use a program called NetWitness Investigator that will not only allow you to view the data that was captured, but will allow you to do so graphically. Everything is point and click and there is no real need to know about packet analysis beyond the very basics. And finally, this program shows a detailed view of the packets captured.

Common port numbers:

Application  Port      Protocol  Notes
HTTP         80, 8080  TCP       Hypertext Transfer Protocol. Used by web browsers such as Internet Explorer, Firefox and Opera.
HTTPS        443       TCP, UDP  Used for secure web browsing.
IMAP         143       TCP       Email applications including Outlook, Outlook Express, Eudora and Thunderbird.
FTP          20 to 21  TCP       File Transfer Protocol.
SSH          22        TCP       Secure Shell protocol. Provides a secure session when logging into a remote machine.
Telnet       23        TCP       Used for remote server administration.
DNS          53        TCP, UDP  Domain Name System protocol for converting domain names to IP addresses.
POP3         110       TCP       Post Office Protocol. For receiving email.
SMTP         25        TCP       Simple Mail Transfer Protocol, used for sending email.

8.5. Security Protocols

Securing your network should be as important as securing your computer. Allowing people access to your network opens you up to attack and, as previously stated, legal issues, because they can get caught doing something they weren't supposed to on your network. If you are doing everything securely on your network computer but someone gets caught downloading child porn, the government is coming after you. There are several ways to protect your network depending on your equipment and whether you use custom firmware or not. If you get a router, plug it in, and start using it, you are NOT protected!

The first thing that anybody needs to do is change the default password for the device so nobody can log in and change the security settings. After changing the device password, you should create a wireless password to limit the people who can get on the device in the first place. There are several types of protocols that limit access: WEP, WPA, WPA2, MAC address filtering, etc. WEP, WPA, and WPA2 are protocols that rely on password authentication to accept users who are trying to connect to your wireless device. MAC address filtering on the other hand only allows specific wireless devices access to the network depending on their MAC addresses.

WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standards such as WPA and WPA2. WPA is also deprecated, making the recommended security protocol WPA2. WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all devices. If you want to get technical, WPA uses TKIP whereas WPA2 uses AES-CCMP. TKIP is Temporal Key Integrity Protocol and AES-CCMP is Advanced Encryption Standard Counter Cipher Mode with Block Chaining Message Authentication Code Protocol. MAC address filtering filters wireless devices, allowing only those that are allowed into the network. The problem, however, is that it can be easily defeated if someone changes their MAC address to one that is allowed.

Wireless Hacking Tools

I recommend obtaining a copy of BackTrack as there are many wireless hacking tools already installed. Here are some other tools that may help you:
- Kismet - Using Kismet one can see all the open wireless networks, as well as those wireless networks which don't broadcast their SSIDs. It's a matter of minutes to use this tool and identify networks around you
- NetStumbler - NetStumbler is a freeware Wi-Fi hacking tool that's compatible with Windows only. It can be used to search open wireless networks and establish unauthorized connections with them
- Medieval Bluetooth Scanner - This program can analyze and scan your Bluetooth network, finding Bluetooth devices that can be attacked (see bluejacking, bluesnarfing or bluebugging)
- Core Impact - This is widely considered to be the most powerful exploitation tool available. However, Core Impact is not cheap and will set anybody back at least $30,000
- Wireshark - The Wireshark Wi-Fi hacking tool not only allows hackers to find out all available wireless networks, but also keeps the connection active and helps the hacker to sniff the data flowing through the network
- AirSnort - Most Wi-Fi hacking tools work only when there are no encrypted security settings. While NetStumbler and Kismet fail to work if wireless encryption security is being used, AirSnort works to break the network key to get you inside the network
- CowPatty - CowPatty is another Wi-Fi network hacking tool that has a feature to crack WPA-PSK protection, and using this hackers can even break into more secure Wi-Fi environments
- Reaver - This program takes advantage of the weakness inherent in WPS (Wi-Fi Protected Setup)

Common attack methods and terminology

I call these methods common but they are really the more known and used attacks out there. The last two definitions are methods for defense once an attacker enters the network. Note that this list is non-exhaustive and more attacks exist.
- ARP Spoofing - Address Resolution Protocol (ARP) is a service that converts IP addresses to MAC addresses that are used by the local LAN (Local Area Network). ARP spoofing is a technique whereby an attacker sends fake ("spoofed") ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
- MAC Spoofing - A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy. This can be an attack to get past security safeguards, to masquerade as another device, or to trick a device into sending data to it.
- Fragmentation - IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. Every network link has a characteristic size of messages that may be transmitted, called the maximum transmission unit (MTU). There are several attacks regarding IP fragmentation and they can be used against services that do not protect themselves from these types of attacks.
- Buffer Overflow - An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
- DNS Poisoning - DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's) or a website. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.
- ICMP Redirect - An ICMP Redirect tells the recipient system to override something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses it connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network.
- Proxy Manipulation - This attack involves altering the proxy settings of the target machine to redirect traffic to the attacker's computer or service. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.
- Rogue DNS - DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behavior of a trusted DNS server so that it does not comply with internet standards.
- Rogue AP - A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. For the purposes of the guide, a rogue AP can be set up by an attacker so a victim will unknowingly connect to the AP and send all data through the attacker.
- Honeypot - A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
- Padded Cell - A padded cell is a honeypot that has been protected so that it cannot be easily compromised. In other words, a padded cell is a hardened honeypot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm; the nature of this host environment is what gives the approach its name, padded cell.
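A defender's view of the first entry above, as an added example that is not part of the guide: the script below reads a constructed log of ARP replies and flags the two symptoms of ARP poisoning, an IP whose claimed MAC changes and a single MAC claiming several IPs (the gateway and a victim). All addresses and MACs are made up.

```python
"""Detect ARP poisoning, the first attack in the list above, from observed
ARP replies. Added example, not from the guide; the replies are constructed."""
from collections import defaultdict

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
# The gateway 192.168.1.1 is first announced by aa:bb:cc:00:00:01. Later a
# second MAC claims the gateway and the host .20, the classic MiTM pattern.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (1.0, "192.168.1.1", "AA:BB:CC:00:00:01"),   # same MAC, different case
    (2.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # conflicting claim for the gateway
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now also claims .20
]


def build_arp_table(replies):
    """Return (ip -> {mac: first_seen}, mac -> {ip: first_seen})."""
    ip_to_macs = defaultdict(dict)
    mac_to_ips = defaultdict(dict)
    for t, ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].setdefault(mac, t)
        mac_to_ips[mac].setdefault(ip, t)
    return ip_to_macs, mac_to_ips


def detect_spoofing(replies, gateway_ip=None):
    """Flag two symptoms of ARP poisoning:
    - one IP answered by more than one MAC (the IP->MAC binding changed), and
    - one MAC claiming several IPs (attacker posing as gateway and victim).
    A MAC with several IPs can be legitimate (a router with aliases), so the
    second alert is most meaningful together with the first. Alerts involving
    the gateway are marked critical."""
    ip_to_macs, mac_to_ips = build_arp_table(replies)
    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            by_time = sorted(macs, key=macs.get)   # first claimant first
            alerts.append({"type": "ip_conflict", "ip": ip,
                           "original_mac": by_time[0], "new_macs": by_time[1:],
                           "critical": ip == gateway_ip})
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append({"type": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(ips, key=ips.get),
                           "critical": gateway_ip in ips})
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(("CRITICAL " if alert["critical"] else "warning  ") + str(alert))
    # Mitigation reminder: a static ARP entry for the gateway on each host
    # (arp -s on Windows and Linux) makes a forged reply for it ineffective.
```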

8.6. Virtual Private Networks

Throughout this guide I mention the use of Virtual Private Networks (VPNs), and now I am going to explain exactly what a VPN is. In the simplest of terms, a VPN transmits data from one network to another as if they were on the same network. For example, let's say that you have a file server on your home network that you want to access while on vacation. A VPN allows you to log into the network and view those files as if you were sitting at home. Furthermore, tunneling your connection through an untrusted network to a trusted network with the use of VPNs ensures that no private data is leaked to unscrupulous parties.

There are several reasons to use VPNs and there are even more people who use them. Most often, you will see the use of this technology employed by businesses that have employees that want to connect to the office, or several offices that need to connect to the home office. There are a few types of configurations that include: host-to-host, gateway-to-gateway, and host-to-gateway. Host-to-host is more often used when one person needs to directly communicate with another person (share files from one PC to another, chat, etc.), gateway-to-gateway is when two or more locations need to share data between networks, and host-to-gateway is when users need to connect to a network to access network resources (like in our first example).

Saying this, the access of resources is not the only reason why you would want to use a VPN. As I said in the first example, a VPN can be used for secure communication between the two nodes. What I mean is this: let's assume that you are at an untrusted network or you are exchanging data over an untrusted medium, such as the internet. A VPN encrypts your data, creates a secure tunnel between you and the host machine (the device receiving the VPN traffic), and transfers the data without anyone being able to see or inject anything harmful along the way. Note: when I say they cannot inject, both sides perform a check of the data. If someone injects or modifies the data, it will be discarded and resent.

Moving on, the use of the acronym VPN does not implicitly refer to secure data transmission, but refers to how data is transferred from one point to another. You can break a VPN into two parts: the tunneling protocols and the encryption protocols. Tunneling protocols define how data traverses across networks and the internet. By their very nature, these protocols do not provide any encryption. It's like driving a car without any airbags; it's not worried about safety, it just cares that it gets there. Encryption protocols on the other hand are concerned with just that: encrypting the data.

Used together, VPNs can provide for confidentiality, integrity, and authentication:
- Confidentiality: When the data is encrypted and sent to a secure, private network, you can mitigate the risk of third parties reading your data while in transit
- Integrity: VPNs are also used to detect changes in data when received on either side
- Authentication: When you connect to a host or a client, you can be reasonably sure that the other person is who they say they are. This is because tunnel endpoints must verify the other party before a connection is established

Selecting both tunneling and encryption protocols will mostly depend on your needs and what you have at your disposal. For example, for a client-to-client connection, you can use LogMeIn Hamachi to establish a secure VPN between them. SonicWalls use SSL VPNs that can be used host-to-host or host-to-client, and custom firmware routers using OpenVPN can do the same thing but add host-to-host to the mix. For the purposes of this guide, I recommend using OpenVPN as it is free and open source.

Without getting into too much detail about how VPNs work and what is happening behind the scenes, I will give you a broad overview of the types of tunnels and encryption protocols VPNs use.
Protocols:

- Point-to-Point Protocol (PPP): This protocol defines data that is transmitted over serial lines. Nowadays, PPP is mostly not used except with dial-up connections between modems.
- Point-to-Point Tunneling Protocol (PPTP): PPTP is a good, lightweight VPN protocol offering basic online security with fast speeds. PPTP is built into a wide array of desktop and mobile devices and features 128-bit encryption. PPTP is a good choice if OpenVPN isn't available on your device and speed is top priority.
- Layer Two Tunneling Protocol (L2TP)/IPsec: L2TP (Layer 2 Tunneling Protocol) with IPsec (IP Security) is a very secure protocol built into a wide array of desktop and mobile devices. L2TP/IPsec features 256-bit encryption, but the extra security overhead requires more CPU usage than PPTP. L2TP/IPsec is an excellent choice if OpenVPN is not available on your device, but you want more security than PPTP.
- Internet Protocol Security (IPsec): IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model. If you are choosing to use IPsec, you should know about the two modes it uses to transport the data: tunnel and transport.

  o Tunnel: In tunnel mode, the entire packet is encrypted, including the header information. The encrypted packet is then encapsulated and a new header is added before sending the data. Specifically, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPsec security protocols used to provide these security services. However, we will not get into that in this guide.
  o Transport: This mode encrypts the payload, but does nothing to protect the header information. Again, the header information provides information such as: source and destination IP address, port information, frame sequence, flags, etc.

- OpenVPN: OpenVPN is the premier VPN protocol designed for modern broadband networks, but is not supported by mobile devices and tablets. OpenVPN features 256-bit encryption and is extremely stable and fast over networks with long distances and high latency. It provides greater security than PPTP and requires less CPU usage than L2TP/IPsec. OpenVPN is the recommended protocol for desktops, including Windows, Mac OS X, and Linux.
- Secure Socket Layer (SSL): An SSL VPN is a form of VPN that can be used with a standard web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It's used to give remote users access to web applications, client/server applications and internal network connections.

Comparison chart (PPTP vs. L2TP/IPsec vs. OpenVPN):

Compatibility
  PPTP: Built-in support for a wide array of desktops, mobile devices, and tablets.
  L2TP/IPsec: Built-in support for a wide array of desktops, mobile devices, and tablets.
  OpenVPN: Supported by most desktop computers.
Supported Systems
  PPTP: Windows, Mac OS X, Linux, iOS, Android, DD-WRT
  L2TP/IPsec: Windows, Mac OS X, Linux, iOS, Android
  OpenVPN: Windows, Mac OS X, Linux, Android
Encryption
  PPTP: 128-bit
  L2TP/IPsec: 256-bit
  OpenVPN: 160-bit / 256-bit
Security
  PPTP: Basic encryption
  L2TP/IPsec: Uses the highest encryption. Data integrity checking, encapsulates data twice.
  OpenVPN: Highest encryption, no known vulnerabilities, authenticates the data on both ends of the connection through digital certificates.
Stability
  PPTP: Very stable, accepted by most Wi-Fi hotspots
  L2TP/IPsec: Stable if your device supports NAT
  OpenVPN: Most stable/reliable even on non-reliable networks, behind wireless routers, and on Wi-Fi hotspots
Setup
  PPTP: Easy to set up, built in to most operating systems
  L2TP/IPsec: Requires custom configuration
  OpenVPN: Easy to set up with software
Speed
  PPTP: Fast because of lower encryption overhead
  L2TP/IPsec: Requires the most CPU processing
  OpenVPN: Best performance. Fast, even across great distances and on high latency connections.
Conclusion
  PPTP: A good choice if OpenVPN isn't available on your device and if ease-of-use and speed are priorities over security.
  L2TP/IPsec: More secure than PPTP but not as fast and requires additional configuration. A good choice if OpenVPN isn't available on your device and security is a priority over ease-of-use and speed.
  OpenVPN: Best choice on desktops, such as Windows, Mac OS X and Linux. Fast, secure and reliable. OpenVPN is the recommended protocol.

How a VPN connection is made:

Assume a remote host with public IP address 1.2.3.4 wishes to connect to a server found inside a company network. The server has internal address 192.168.1.10 and is not reachable publicly. Before the client can reach this server, it needs to go through a VPN server/firewall device that has public IP address 5.6.7.8 and an internal address of 192.168.1.1. All data between the client and the server will need to be kept confidential, hence a secure VPN is used.

1. The VPN client connects to a VPN server via an external network interface.
2. The VPN server assigns an IP address to the VPN client from the VPN server's subnet. The client gets internal IP address 192.168.1.50, for example, and creates a virtual network interface through which it will send encrypted packets to the other tunnel endpoint (the device at the other end of the tunnel). (This interface also gets the address 192.168.1.50.)
3. When the VPN client wishes to communicate with the company server, it prepares a packet addressed to 192.168.1.10, encrypts it and encapsulates it in an outer VPN packet, say an IPsec packet. This packet is then sent to the VPN server at IP address 5.6.7.8 over the public Internet. The inner packet is encrypted so that even if someone intercepts the packet over the Internet, they cannot get any information from it. They can see that the remote host is communicating with a server/firewall, but none of the contents of the communication. The inner encrypted packet has source address 192.168.1.50 and destination address 192.168.1.10. The outer packet has source address 1.2.3.4 and destination address 5.6.7.8.
4. When the packet reaches the VPN server from the Internet, the VPN server decapsulates the inner packet, decrypts it, finds the destination address to be 192.168.1.10, and forwards it to the intended server at 192.168.1.10.
5. After some time, the VPN server receives a reply packet from 192.168.1.10, intended for 192.168.1.50. The VPN server consults its routing table, and sees this packet is intended for a remote host that must go through the VPN.
6. The VPN server encrypts this reply packet, encapsulates it in a VPN packet and sends it out over the Internet. The inner encrypted packet has source address 192.168.1.10 and destination address 192.168.1.50. The outer VPN packet has source address 5.6.7.8 and destination address 1.2.3.4.
7. The remote host receives the packet. The VPN client decapsulates the inner packet, decrypts it, and passes it to the appropriate software at upper layers.
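The seven steps above, carried through in code as an added example (not the guide's own): a client at 1.2.3.4 tunnels to the VPN server at 5.6.7.8, the inner packet between 192.168.1.50 and 192.168.1.10 is encrypted whole and integrity-checked, the VPN server's routing table decides which replies go back through the tunnel, and a packet modified in transit is discarded, as the note in section 8.6 describes. The HMAC-SHA256 keystream is a stdlib-only stand-in for the AES that real IPsec uses, and the shared KEY is assumed to have been negotiated beforehand.

```python
"""Simulate steps 3 to 7 above with the guide's addresses (1.2.3.4, 5.6.7.8,
192.168.1.50, 192.168.1.10). Added example, not from the guide. The cipher is a
stdlib-only HMAC-SHA256 counter keystream standing in for IPsec's AES; the
encapsulation and integrity logic is the point, not the cipher."""
import hashlib
import hmac
import os
from dataclasses import dataclass

CLIENT_PUBLIC, CLIENT_VIRTUAL = "1.2.3.4", "192.168.1.50"
VPN_PUBLIC, VPN_INTERNAL = "5.6.7.8", "192.168.1.1"
COMPANY_SERVER = "192.168.1.10"
KEY = b"constructed demo key - a real tunnel negotiates this (e.g. IKE)"
TUNNEL_ROUTES = {CLIENT_VIRTUAL: CLIENT_PUBLIC}  # VPN server routes: reached via tunnel


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, inner: Packet) -> bytes:
    """Tunnel mode: encrypt the whole inner packet, addresses included, then
    append an integrity tag over nonce+ciphertext (encrypt-then-MAC)."""
    plain = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    nonce = os.urandom(12)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> Packet:
    """Verify the tag before decrypting; a modified packet is discarded."""
    nonce, cipher, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: packet discarded")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    src, dst, payload = plain.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def client_send(payload: bytes) -> Packet:
    """Step 3: inner 192.168.1.50 -> 192.168.1.10, outer 1.2.3.4 -> 5.6.7.8."""
    inner = Packet(CLIENT_VIRTUAL, COMPANY_SERVER, payload)
    return Packet(CLIENT_PUBLIC, VPN_PUBLIC, seal(KEY, inner))


def vpn_server_inbound(outer: Packet) -> Packet:
    """Step 4: decapsulate and decrypt; the result is forwarded on the LAN."""
    return unseal(KEY, outer.payload)


def vpn_server_outbound(reply: Packet) -> Packet:
    """Steps 5-6: consult the routing table; destinations behind the tunnel are
    encrypted and wrapped in an outer 5.6.7.8 -> 1.2.3.4 packet, LAN hosts not."""
    if reply.dst not in TUNNEL_ROUTES:
        return reply
    return Packet(VPN_PUBLIC, TUNNEL_ROUTES[reply.dst], seal(KEY, reply))


def client_receive(outer: Packet) -> Packet:
    """Step 7: the client decapsulates and decrypts the reply."""
    return unseal(KEY, outer.payload)


def eavesdropper_view(outer: Packet, secret: bytes) -> dict:
    """What someone on the Internet path learns: the endpoints only."""
    return {"src": outer.src, "dst": outer.dst, "secret_visible": secret in outer.payload}


if __name__ == "__main__":
    out = client_send(b"GET /report HTTP/1.1")
    print("wire:", eavesdropper_view(out, b"192.168.1.10"))
    print("LAN sees:", vpn_server_inbound(out))
    back = vpn_server_outbound(Packet(COMPANY_SERVER, CLIENT_VIRTUAL, b"HTTP/1.1 200 OK"))
    print("client gets:", client_receive(back))
    tampered = bytearray(back.payload)
    tampered[20] ^= 1                    # flip one ciphertext bit in transit
    try:
        unseal(KEY, bytes(tampered))
    except ValueError as e:
        print("tampered:", e)
```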

One last thing that I want to talk about is split tunneling. Split tunneling is the act of being connected to both a WAN network (VPN) and a LAN network (your local home network) at the same time. When enabled, data intended for the secure VPN might accidentally leak out the insecure part of the network. Another risk is that an attacker can gain access to your computer via the LAN network and have access to the private network you are connected to over the WAN. For best security, it is advised to have split tunneling disabled at all times.

8.7. Chat Sites - How Attackers Attack

Some people were asking me about the risks involved in Omegle and downloading pictures to your computer. So, briefly, I am going to describe here what I told them. Firstly and most obviously, Tor does not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP traffic, which video streaming operates over. So, if you are wondering how people actually capture this traffic and obtain your IP address, this is how:

Try it out: Capture IP Address from Omegle

1. First, you will need to download a packet sniffer. I would either use Wireshark, Ethereal, or NetWitness Investigator. The first two will simply capture the packets whereas the latter will capture the packets and has the ability to put them back together. This is useful if you want to rebuild the video that was streaming.
2. Start Omegle (or an alternative chat site) and get connected to somebody on the other end. Capturing the IP address can also be done via text, but for this method, you must use your camera.
3. Start the packet sniffer of choice; for this example I will be using Wireshark.
4. To select the interface you will need to select Capture then Interfaces.
5. Determine the interface that you are using (usually the one with the most packets) and press Start to start capturing the packets.
6. All you need is a few packets, even though you will get a few hundred to a few thousand. Once you have enough packets, press Stop the running live capture. This is denoted by the fourth icon at the top with the X, or you can select Stop under Capture. FAILURE TO STOP THE CAPTURE WILL CRASH YOUR MACHINE! THE AMOUNT OF PACKETS YOU CAN CAPTURE IS DEPENDENT ON THE AMOUNT OF MEMORY YOUR MACHINE HAS!
7. You are only concerned with UDP traffic, so in the Filter field, enter udp
8. Now, you will notice that there is more UDP traffic from two specific IP addresses than anything else; these IP addresses will be your IP address and the individual on the other end of the webcam. Your IP address will either start with a 192.168.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.168.x.x. There are restrictions, so if you have any questions, ask or refer to a private IP address list. The other IP address will be theirs.
9. Copy their IP address. This can be denoted via four octets separated by decimals or with dashes. It can also contain words or letters. 93.53.23.231, pd935323231, or 93-52-23-231.abc.dgf.net will all be the same thing. In either case, you want to copy it down as 93.53.23.231. Notice that the words might be different; only concern yourself with the numbers.
10. That is it; you can use a reverse IP address lookup to find basic information.

That describes simply how to capture the IP address via a packet sniffer. When connected, this connection can also be seen in your netstat list; but familiarizing yourself with this might be a challenge if you don't know what you are looking at. The reason is that UDP traffic connects directly to your machine. TCP traffic connects to a third-party site such as Omegle. Another method is getting the person to go to a honeypot that captures the user's IP address when they click on a link and navigate to that site. There are a few out there, and it is easy for people to be baited into navigating to these sites.

Looking at the illustration below, you will see an example of netstat output. The local address (red) will be your computer and the foreign address (yellow) is the remote device. 127.0.0.1 is your computer's loopback address. So, this is telling you that the computer with the IP address of 192.168.0.6 is connecting to a website at 66.102.1.104 and 72.232.101.40. You know this because of the :80 next to the foreign addresses. Port 80 is used for HTTP traffic when a user wants to connect to a website. The other ports next to 192.168.0.6 are random ports assigned by the system. And using an IP lookup tells you that the first IP address of 66.102.1.104 belongs to Google whereas 72.232.101.40 belongs to Layered Technologies. Note: you can either find a website to look up the IP address or you can try to enter the IP address directly into the address bar.

Proto or protocol is the internet protocol being used; this can be either TCP or UDP. TCP is connection-oriented and a lost packet will be resent, so there is no loss of data during transmission. UDP on the other hand is connectionless and if a packet is lost, the packet is lost forever. There are about 12 states that you can familiarize yourself with, but we won't get into that much in this guide. For this example, established means that the connection (socket) has been established, listening means that the socket (the program that created the connection) is waiting for incoming connections, and time_wait means that the socket is waiting after close to handle packets still in the network. Finally, the PID is the program that is handling the connection. This PID number is created per program and can change every time the program is started.

To look up the application associated with the particular PID, you can use Windows Task Manager. The Task Manager can be opened by right-clicking the Taskbar and selecting Task Manager. However, Task Manager does not display PID information by default. To display the PID value in Task Manager, go to the Processes tab, click on the View menu, then click on Select Columns. In the Select Columns or Select Process Page Columns dialog, tick the checkbox for PID (Process Identifier), and click OK. You can right-click the process and click Properties to view which program is being run and where.

If you are really interested in learning more about gathering an IP address, there are two things that happen when you are connected via webcam. The first thing is the handshake, or the initial connection, and it is facilitated by the chat website (Omegle, ChatRoulette, etc). This connection is the first step that is performed to connect you to the other person whom you are trying to connect with. After this initial process is complete, you are now directly connected to the person you are chatting with. At this point, the stream is no longer being passed through the chat website. The webcam traffic is UDP traffic, which is not supported by Tor. Continue below for an expanded explanation.

TCP Handshake
The picture above shows the typical three-way handshake when capturing traffic in Wireshark. You will see [SYN], [SYN, ACK], then [ACK]. Host A sends a SYNchronize packet to Host B, Host B responds with the SYNchronize-ACKnowledgement packet back to Host A, and Host A finalizes the connection with an ACKnowledgement packet to Host B. Once the handshake is complete you will see a flood of UDP traffic. Again, the UDP traffic is all the webcam traffic data and is the only traffic you are going to concern yourself with.

When looking at all this traffic, you want to concern yourself with three fields in particular: Source, Destination, and Protocol. The source is where the information is coming from, the destination is where the traffic is going to, and the protocol defines the protocol being used. The picture below shows what traffic will look like in Wireshark when the UDP protocol is being used. Notice that this picture only shows UDP traffic flowing through the network. This is because you can filter traffic in Wireshark to show pretty much whatever you want it to show.

So, the fields I will be describing are the Source and Destination fields. You will notice that there are two IP addresses being used: 192.168.0.103 and 78.167.170.99. If you followed the Try it out: Capture IP Address from Omegle, you might remember that 192.168.0.103 is the address of the local user that is capturing the traffic and 78.168.170.99 is the user that is connected on the other side. Your IP address will either start with a 192.168.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.168.x.x. The other IP address will be the address of the user that is connected to you; this is the IP address that you are looking for and is the IP address that attackers will look for as well.

Another popular method of getting IP addresses and other computer information such as usernames, passwords, keystrokes, screenshots, etc., is with the use of spyware. I am not going to go into detail about spyware (or a keylogger or malware), but I will go over a popular delivery method. When people send pictures or videos via TorChat or an alternative medium, they can use a binder program to attach a picture file to an executable. When the file is opened, the picture appears as normal along with the spyware in the background.

To protect yourself when dealing with UDP information (audio or video chat), you can use a UDP proxy, a VPN, or configure a VPN over Tor. I usually just use a VPN that claims to not log any traffic; but who knows if that claim holds merit. Simple text chat uses TCP packets, which Tor can protect. Obviously, do not use short links as they can link to a honeypot or another rogue site. And if you do decide to open links you are unsure about, make sure you do so via Tor with JS disabled.

8.8. Other Considerations

Mostpeoplehavehomerouterswithstockfirmware,somostofthisdoesnotapply.Forthoseofyou
interested in having more granular control of your router, you can search the internet for custom
P a g e |109

firmware;forexample,DDWRTisagoodLinuxbasedfirmware.Also,youcanpurchasemanagedports
andwirelessaccesspointsspecificallyforthispurpose.MostcommercialequipmentcanmanagewhatI
amabouttotalkabout,buttheyusuallyrunintheseveralthousands,ifnothundredsofthousands.

OneofthebasichardeningtechniquesforwirelesssecurityistheuseofVLANs.Iftheattackerpasses
your security controls and into your network, VLANs will ensure that they cannot read your network
traffic.LetssaysomeportsonswitchAareinVLAN10andotherportsonswitchBcanareinVLAN10.
BroadcastsbetweenthesedeviceswillnotbeseenonanyotherportinanyotherVLAN,otherthan10.
However,thesedevicescanallcommunicatebecausetheyareonthesameVLAN.Youshouldalsoknow
thatVLANscanbesetuponthesameswitch.

WPS, or Wi-Fi Protected Setup, is a way for individuals to easily connect devices to the wireless router. In this method, the standard requires a PIN to be used during the setup phase. As it is not a technique to add security to the network, you should know that WPS should be disabled at all times. The vulnerability discovered in WPS makes that PIN highly susceptible to brute-force attempts. It takes approximately 4-10 hours to break WPS PINs (passwords) with Reaver.

You should also know about rogue APs; specifically, when an attacker impersonates an SSID. Rogue Access Points are a security concern because an attacker can set up a device such as a router or computer to have a similar or the same SSID as the wireless Access Point you connect to. Unsuspecting parties can connect to this rogue device, and all traffic can be logged and MiTM attacks can be performed. This threat is of low concern because it is not very likely to happen.

One final security configuration I am going to mention is a DMZ. The purpose of a Demilitarized Zone is to add an additional layer of security to your local area network (LAN, the private network); an external attacker only has access to equipment in the DMZ, rather than the entire network. This would be used if you were setting up anything that you want people from outside your network to have access to whilst protecting your internal network. Examples of such services would be websites, IRC servers and relay servers.

8.9. Extra: MAC Address Spoofing and ARP Attacks - How they work

Two methods I want to talk about are ARP poisoning and MAC address spoofing. As many of you already know, MAC address spoofing is also a way to hide your computer or to get free Internet when places either filter computers by MAC addresses or have a pay-to-use system. A few of you have asked how this works and, instead of reinventing the wheel each and every time, I decided to create this fundamental, quick how-it-works section. These are a couple of reasons why you should lock down your private network and never use public networks.

When a computer decides it wants to talk to another computer on the network it has four primary fields it uses to communicate. In a packet, these fields are: source IP address, destination IP address, source MAC address, and destination MAC address. Again, most of you already know about IP addresses so we won't get into that at all. But what most of you don't know is that the computer transfers traffic based on the computer's MAC address (which is a unique identifier for each device) and not the computer's IP address. The computer uses the IP address to learn the MAC address but does not actually send data with it. Let me explain.

Let's say Bob wants to talk to Alisha on the same network (send data). There is a protocol called ARP, which stands for Address Resolution Protocol, that will send a request to the switch (or to all of the devices in the network if you're using a hub) saying that you are trying to communicate with Alisha. When Alisha responds, she will send back the MAC address of her computer to the switch. The switch will then learn Alisha's MAC address, if it doesn't already know it, and send it back to Bob. Now Bob, having Alisha's MAC address, will fill in the destination MAC address (which is Alisha's computer) and send data using that information.

Here's an example: Bob wants to send Alisha a file over the network. Bob first sends an ARP request to the switch (most, if not all, home routers have a switch built in) saying "hey, I want to talk to Alisha, here is her IP address. What is her MAC address so I can send the data?" The switch looks in the MAC address table and determines that Alisha's MAC address is F026:EA98:EB03:C68E (if the MAC address is not known, it sends the ARP request to ALL of the computers on the network, except for Bob's, until Alisha responds back, "It's me!"). Once the MAC address is determined, it is sent back to Bob so he can transfer the data.

This is where MAC address spoofing comes in, because as you just learned, computers do not transfer data using the IP address, but instead the MAC address. So MAC address spoofing tricks the switch into thinking your computer (let's say you are Steve) is actually Alisha's computer. So now when Bob wants to send data to Alisha, half the packets will go to Alisha and half the packets will go to Steve. For the same reason this works, the pay-to-use system can be defeated as well. This pay-to-use system uses the MAC addresses to send data to already authorized computers; it in turn is tricked and data is sent to you without charge.

ARP poisoning, on the other hand, is when an attacker is able to compromise the ARP table on the other machine and change the MAC address so that the IP address points to another machine. If the attacker makes the compromised device's IP address point to his own MAC address, then he would be able to steal the information, or simply eavesdrop and forward on communications meant for the victim.

THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT AGAINST ANYONE ELSE. SO PLEASE DON'T!

ARP Poisoning Demonstration:

1. Open Cain (you will need Cain and Abel installed on your machine)
2. Click the Sniffer tab and turn on the network sniffer (the network interface button next to the folder icon on the second row)
3. This should already be selected, but ensure that the Hosts tab is selected at the bottom
4. At the top, click the blue Plus button to scan for MAC addresses. Alternatively, you can right-click anywhere in the data grid (white box) and select Scan MAC Addresses.
5. Once populated with devices other than your Default Gateway (usually any IP address ending with the octet of 1) or your computer, select the APR tab at the bottom
6. Make sure APR is selected over on the left and click anywhere in the top data grid (the top field that is blank). The Plus button at the top should no longer be greyed out.
7. Once the New APR Poisoning Routing dialog box appears, you will select the computers that you wish to attack
8. Over on the left, you will select your Default Gateway and over on the right you will select the computer you wish to attack (the data grid on the right will populate once the GW is selected on the left). *Doing this has the potential of causing a DoS attack whereas the victim cannot access the internet or any data in the network
9. Finally, select the session that you just created (under Status, it will say Idle) and click the ARP Poisoning button on the top that is next to the sniffer button you clicked on earlier. If successful, the status will change from Idle to Poisoning
10. From here, you can capture data packets, usernames, passwords, email addresses, and etc.
11. The only way to defeat this is to use encryption such as client-to-host VPNs, PKI, or Tor
12. To stop the attack, you can click the ARP Poisoning button and the Sniffer button once more

Again, I should provide the warning that there are other ways they can see your traffic: if they use a packet sniffer and perform a MiTM attack when the wireless network is not protected, if they are using a network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring (where an admin sends data intended for another port to a designated port), or if they change the MAC address of their computer to that of the AP (Access Point) as mentioned above.

MiTM attack stands for Man-in-the-Middle attack and is when an attacker inserts himself between you and the person or service you are connected to. As I said before, once this is accomplished, the attacker can then capture all information, strip SSL to obtain information such as passwords, insert malicious code, redirect the user, or block the user from a service altogether. To prevent MiTM attacks, you can use a VPN or encryption to authenticate you and the remote host alike. These attacks are used more so on local networks than over the internet; however, it is still possible.
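The poisoning described above leaves a trace on the wire: ARP replies that contradict what the network already learned. As an added example (not code from this guide), here is a small passive detector in Python. It parses raw ARP payloads, pins the gateway's MAC, and raises an alert when an IP's MAC changes or when one MAC starts answering for several IPs, which is exactly the pattern a gateway/victim poisoning like the one demonstrated above produces. Every address, MAC and frame below is constructed for the demo.

```python
"""Passive ARP-spoof detector run over constructed sample frames.

Added example, not code from this guide. It watches ARP replies for the
symptoms of the gateway/victim poisoning described above: an IP whose MAC
changes, and one MAC answering for several IPs. All addresses below are
constructed for the demo.
"""
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (28 bytes)


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(spa: str, sha: str, tpa: str, tha: str, oper: int = 2) -> bytes:
    """Build an Ethernet/IPv4 ARP payload (oper 2 = reply, 1 = request)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                       ipaddress.IPv4Address(spa).packed, mac_bytes(tha),
                       ipaddress.IPv4Address(tpa).packed)


def parse_arp(payload: bytes) -> Optional[ArpReply]:
    """Return the (sender IP, sender MAC) claim carried by an ARP reply, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != 2:
        return None  # not Ethernet/IPv4, or a request: carries no claim worth recording
    return ArpReply(str(ipaddress.IPv4Address(spa)), sha.hex(":"))


class ArpWatch:
    """Tracks IP->MAC claims and alerts on the inconsistencies poisoning creates."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}  # e.g. the gateway
        self.table = {}                 # ip -> most recently claimed mac
        self.claims = defaultdict(set)  # mac -> set of ips it has claimed
        self.alerts = []

    def observe(self, reply: ArpReply) -> int:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        want = self.pinned.get(ip)
        if want is not None and want != mac:
            self.alerts.append(f"PINNED {ip} must be {want}, reply came from {mac}")
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(f"CHANGE {ip}: {prev} -> {mac}")
        self.table[ip] = mac
        if ip not in self.claims[mac]:
            self.claims[mac].add(ip)
            if len(self.claims[mac]) > 1:
                self.alerts.append(f"MULTI {mac} now answers for {sorted(self.claims[mac])}")
        return len(self.alerts)


GATEWAY, VICTIM, ATTACKER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:99"

# Constructed capture: two honest replies, then an attacker poisoning both sides.
SAMPLE_FRAMES = [
    build_arp("192.168.1.1", GATEWAY, "192.168.1.20", VICTIM),
    build_arp("192.168.1.20", VICTIM, "192.168.1.1", GATEWAY),
    build_arp("192.168.1.1", ATTACKER, "192.168.1.20", VICTIM),          # "I am the gateway"
    build_arp("192.168.1.20", ATTACKER, "192.168.1.1", GATEWAY),         # "I am the victim"
    build_arp("192.168.1.5", VICTIM, "192.168.1.1", GATEWAY, oper=1),   # request: ignored
]


def run_detector(frames=SAMPLE_FRAMES):
    """Feed every frame through the watcher and return the alerts it raised."""
    watch = ArpWatch(pinned={"192.168.1.1": GATEWAY})
    for frame in frames:
        reply = parse_arp(frame)
        if reply is not None:
            watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

On a real network the same logic runs over ARP frames read from a raw socket or a pcap; the pinned entry for the gateway is what turns a silent failover into an alert, and the MULTI rule catches the "both sides" poisoning even when nothing is pinned.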


Chapter 9 _ Web Browser Security

In this section, I will talk about several vulnerabilities, what they accomplish, and the mitigation techniques. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can quickly lead to a variety of computer problems caused by anything from spyware being installed without your knowledge, to intruders taking control of your computer, to websites obtaining your IP address and running malicious scripts when you navigate to their web page. I will briefly go over some other security considerations, dealing primarily with web browsers. This section does not encompass everything, so further research is necessary!

Topics

This Chapter will cover the following topics:
Downloading and Using the Tor Browser Bundle
What is Sandboxing and What is JIT Hardening, and Why Do I Care?
JavaScript
Cookie Protection and Session Hijacking attacks
Caching
Referers
CSRF/CSRF Attacks (XSS Attack)
Protect Browser Settings
DNS Leaks
User Awareness, Accidents and System Updates
Configuring Web Browsers and Applications to Use Tor

Let's start by talking about the browser itself. Personally, I use the Tor Bundle with Firefox, as do most. More so, using Tails is recommended because of the way it was designed; all traffic will run through Tor regardless of the source, and if it is not running through Tor, it is dropped. A study was done, though, and it was concluded that Google Chrome is the most secure browser, largely because of Chrome's sandboxing and plugin security. Comparatively, Internet Explorer implemented (lacking industry standard) sandboxing and JIT hardening, whereas Firefox falls behind on sandboxing and does not implement JIT hardening.

9.1. Downloading and Using the Tor Browser Bundle

The Tor Project describes Tor as follows: "Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol."

I recommend downloading and using the Tor Browser Bundle even though I provided a step-by-step exercise on how to configure your existing browsers to run through Tor (Section 9.11). Many people in the past have used the Tor Button for Firefox, which is no longer supported due to the fairly new rapid release cycle of Firefox. Also, the use of a web proxy is not needed if you are just browsing the internet using the Tor Browser Bundle. I would recommend using the hardening techniques as described below. You should know that even though you are using Tor, your data is compromised at the Tor Exit Node if you are browsing the internet (non-onion websites).

Download and Start the Tor Browser Bundle

1. Navigate to the Tor website.
2. Under Tor Browser Bundle for Windows/Mac/Linux, select the appropriate version (32-bit vs. 64-bit). For Windows, just select the appropriate language.
3. Click Save File
4. Once the file is downloaded, open it. An example file I just downloaded was torbrowser-2.2.39-1_en-US.exe. Your version will probably be different than mine.
5. It is a self-extracting archive. Select your preferred location and press Extract.
6. Navigate to and open the folder and run Start Tor Browser.
7. Once Tor establishes a connection, a Firefox browser will open.
8. You can now browse the internet as you would normally without your ISP or another party seeing what you are doing within Tor itself. There are other vulnerabilities that should be addressed, so I recommend reading on.

Tor Links

When you download and use Tor you can go to many .onion sites that are hidden from the clear internet. Using these sites is completely anonymous, as nobody knows you specifically are navigating there; not even your exit node. Here is a list of a few Tor sites:
Main Page - http:/kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. This link is to the main Hidden Wiki that hosts links to other hidden Tor websites. View this site for the full listing.
Silk Road - http://silkroadvb5piz3r.onion/. Silk Road - private marketplace with escrow (Bitcoin). You can purchase anything from illegal pictures and video, to drugs and drug paraphernalia, to arms and ammunition.
HackBB - http://clsvtzwzdgzkjda7.onion/. Forums for hacking, carding, cracking, programming, anti-forensics, and other tech topics. Also a marketplace with escrow.

9.2. Configuring Web Browsers and Applications to Use Tor

Here, I am going to be talking about using Tor to encrypt HTTP traffic as well as FTP and SSL. To accomplish this we will be using Tor as well as Polipo, a web caching proxy. Basically, we are going to send all the traffic to the port that Polipo is listening on and forward that traffic through Tor. Doing this will encrypt all HTTP, FTP and SSL traffic. This is a substitute for using the Tor Browser Bundle. As stated above, you should know that even though you are using Tor, your data is compromised at the Tor Exit Node if you are browsing the internet (non-onion websites).
The first thing we need to do is download the Vidalia Bundle. This bundle includes Tor, Vidalia, and Polipo. We are going to be configuring Firefox for this article. You should know, however, that all other browsers and applications that allow for proxy settings will use the same configuration. However, there are limitations which we will discuss further down.

Starting the services

1. Start Polipo.
2. Start Vidalia.
3. Once you are connected to Tor ("Connected to the Tor network" in the Vidalia Control Panel) we will begin setting the proxy settings for Firefox.

Firefox

1. Start Firefox.
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard. The menu bar should appear.).
3. Click Options followed by Advanced. Select the Network tab.
4. Under the Connection group select Settings
5. Check the Manual proxy configuration checkbox.
6. For HTTP, SSL, SOCKS and FTP you will use 127.0.0.1 with Port 8118.

9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care?

Wikipedia defines a sandbox as "a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites." Basically, think of it as, well, a sandbox. If you put a whole bunch of kids in a sandbox and want them to stay there, they can't leave. Sandboxes restrict system information, which is extremely important for our purposes. Furthermore, as an additional layer of security, I use The Tor Bundle in a virtual environment (a virtual application, but a virtual machine is also recommended).

JIT hardening keeps the browser from compiling JavaScript that cannot be run on the user's computer. Basically, it is code that is compiled (compiling is like writing a book; you write several pages before you bind the book together) on-the-fly to improve the runtime performance of the JS. Attackers have long relied on JIT techniques to convert JavaScript into malicious machine code that bypasses exploit mitigations such as ASLR.

9.4. JavaScript

JavaScript is just as it implies; a script that is executed in the browser or wherever it is run from. JavaScript is a programming language that allows access to system resources of the system running the script. It runs when the web page is loaded or an event is triggered and is denoted by <script> and </script> alike. These scripts can interface with all aspects of an OS just like programming languages such as the C language. This means that JScript, when executed, can potentially damage the system or be used to send information to unauthorized persons. Obviously, this is not all inclusive and further vulnerabilities/exploits can be managed by using JavaScript.

What should be pulled out of this is that JavaScript only runs scripts that are on the webpage; it cannot magically get your IP address without it being explicitly written in the script. Thus, by enabling JS on sites that are known to be trusted, such as this site, you can be relatively safe in knowing that system information (or your Public IP address) is not being leaked. But, as you may have guessed, this is assuming that the scripts are not compromised, which is a possibility at any time (though unlikely). In any other scenario, you should disable JS for the site completely.

NoScript is recommended when dealing with JavaScript as it blocks all scripts unless explicitly allowed (per script or site). Make sure when using NoScript that "Disable Scripts Globally" is checked, because if it is enabled globally, you would defeat the purpose of the addon. By default, it is already turned on. When using The Tor Bundle or the outdated Tor Button, it is also good to know that dangerous JavaScript is already hooked. JavaScript is injected into pages to hook the Date object to mask your timezone, and to hook the navigator object to mask OS and user agent properties not handled by the standard Firefox user agent override settings. You can also disable JavaScript directly from the browser.

9.5. Cookie Protection and Session Hijacking Attacks

Wikipedia defines a cookie as "a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity." When you log in to a webpage, that session is also stored on your computer as a cookie. More onion websites are using cookies for several reasons, including DoS attacks and session hijacking attacks.

A session hijacking attack basically allows a third-party attacker to connect to a website and access your session. For example, when you log in to a website, you have just created a session. There are two main ways they perform a session hijacking attack: session ID guessing and stolen session cookies. Session ID guessing is usually not as big of an issue because of the length of the session ID (mostly). And the other way someone could steal a session cookie is at the Tor Endpoint when they are performing a MiTM attack. Sadly, MiTM attacks cannot be mitigated and cookie hijacking is a real threat.

Cookies, in general, are not dangerous; however, all third-party cookies should be blocked in the browser settings to stop tracking from a third party. A third-party cookie places a cookie from one site for another site. For example, if you visit www.widgets.com and the cookie placed on your computer says www.stats-for-free.com, then this is a third-party cookie.

Firefox (version 10.0.5)

1. Start Firefox
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard. The menu bar should appear.)
3. Click Options
4. Click Privacy
5. Check "Tell websites I do not want to be tracked" and either "Tor Browser will: never remember my history" OR uncheck "Accept third-party cookies". Note, this does not stop all trackers; websites do NOT have to abide by the "Tell websites I do not want to be tracked" feature and this is not the only method.

9.6. Caching

Internet cache is a component that transparently stores data so that future requests for that data can be served faster. Whenever you go to a website, internet cache is created and saved on your computer for faster viewing. This means that when you go to a picture site, all the pictures that are loaded on the screen are saved on your computer for future viewing. Obviously, this is a huge security risk, and if someone were to gain access to your system and view the cache, they would know what you have been looking at.

As a real quick side note, in the USA at least, it is not illegal to view the images, just download them. Now, if you have adequate knowledge, they can claim that you knew the cached images were there and you kept them there as an attempt to download the images. You can configure the browser settings or have a program erase the cache securely. CCleaner is a good, recommended (and free!) program that does that.

Firefox (version 10.0.5)

1. Start Firefox
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard. The menu bar should appear.)
3. Click Options
4. Click Privacy
5. Select "Tor Browser will: Use custom settings for history". Note, this is not the only method

9.7. Referers

Wikipedia defines a referer as "an HTTP header field that identifies, from the point of view of an Internet webpage or resource, the address of the webpage (commonly the Uniform Resource Locator (URL))" that linked to the resource being requested. Basically, when you click on a picture for example (or when a picture loads in a webpage), the website that hosts the information is sent a request that contains the last page you were on. Most recently, on one of the sites that I frequent, there was an attack done whereby somebody performed session hijacking attacks using referrer information.

This was possible because the session ID was in the URL (again, the address of the webpage) and, with the use of referers, when a user loaded a page with live previews (or when a link was pressed), the session was given to the attacker, which allowed them to do whatever they wanted to the user's account. Disabling referers on the browser is recommended. This type of attack is another reason some sites are not requiring cookies.

Disabling referers in the browser's settings or downloading an addon is recommended. RefControl, https://addons.mozilla.org/en-US/firefox/addon/refcontrol/, is a good addon that accomplishes this. You can also disable referers in the browser settings as such:

Firefox

1. In the address bar, type about:config and press Enter
2. Accept the prompt
3. Type network.http.sendRefererHeader into the Filter field
4. Double-click network.http.sendRefererHeader under Preference Name
5. In the white box, enter 1. The default value is two
6. Next, type network.http.sendSecureXSiteReferrer into the Filter field
7. Double-click network.http.sendSecureXSiteReferrer under Preference Name. The value should change to False
8. Click "OK" and close the about:config window
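The two session-hijacking paths described in 9.5 and 9.7 (a stolen or guessable session cookie, and a session ID carried in the URL that the Referer header then hands to every site the page links to) can both be checked for on the server side. As an added example (not code from this guide), here is a Python audit that parses Set-Cookie headers, reports session cookies missing the Secure, HttpOnly and SameSite attributes, estimates whether the token is short enough to guess, and flags session-looking parameters in a URL. The response headers and URLs are constructed for the demo.

```python
"""Audit session cookies and URLs for the hijacking risks in 9.5 and 9.7.

Added example, not code from this guide. It checks Set-Cookie headers for
the attributes that keep a session token off the wire and away from scripts,
estimates whether the token is guessable, and flags session IDs carried in a
URL (which the Referer header then leaks to every linked site).
The response headers and URLs are constructed for the demo.
"""
import math
import re
from urllib.parse import parse_qsl, urlsplit

SESSION_HINTS = ("sessionid", "phpsessid", "jsessionid", "sid", "session", "token")


def looks_like_session(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_HINTS)


def parse_set_cookie(header: str):
    """'name=value; Attr; Attr=v' -> (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def entropy_bits(token: str) -> float:
    """Upper bound: length x log2(size of the character classes actually used)."""
    charset = 0
    charset += 26 if re.search(r"[a-z]", token) else 0
    charset += 26 if re.search(r"[A-Z]", token) else 0
    charset += 10 if re.search(r"[0-9]", token) else 0
    charset += 32 if re.search(r"[^A-Za-z0-9]", token) else 0
    return len(token) * math.log2(charset) if charset else 0.0


def audit_cookie(header: str, min_bits: int = 64):
    """Findings for one Set-Cookie value; non-session cookies get none."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if not looks_like_session(name):
        return name, findings
    if "secure" not in attrs:
        findings.append("no Secure: token travels over plain HTTP, readable on-path")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: token readable by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: token sent on cross-site requests")
    bits = entropy_bits(value)
    if bits < min_bits:
        findings.append(f"guessable: about {bits:.0f} bits of entropy, want >= {min_bits}")
    return name, findings


def audit_response(raw_headers):
    """Run audit_cookie over every Set-Cookie line of a response."""
    results = []
    for line in raw_headers:
        field, _, rest = line.partition(":")
        if field.strip().lower() == "set-cookie":
            results.append(audit_cookie(rest.strip()))
    return results


def session_in_url(url: str):
    """Query parameters that look like session tokens (what a Referer would leak)."""
    return [k for k, _ in parse_qsl(urlsplit(url).query) if looks_like_session(k)]


# Constructed response: a weak session cookie, a hardened one, and a harmless one.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=4f2a; Path=/",
    "Set-Cookie: sessionid=Kx9mT2pQ7vLc3RwZ8nHb5yFd1sGj0eA; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]
LEAKY_URL = "https://forum.example/view?sessionid=4f2a&post=7"  # constructed


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS):
        print(name, findings or "ok")
    print("session in URL:", session_in_url(LEAKY_URL))
```

The entropy figure is a ceiling, not a measurement: a 4-character token cannot exceed about 21 bits no matter how it was generated, which is the "session ID guessing" case from 9.5, while the 31-character mixed-case token clears 64 bits comfortably.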

9.8. CSRF/CSRF Attacks (XSS Attack)

Wikipedia defines this attack as "a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts." I won't go into much detail about XSS attacks because there are so many. Basically, this is another way that an attacker might be able to gain control of your session. I recommend the addon RequestPolicy: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

9.9. Protect Browser Settings

No amount of configuration will help if malware on your machine is able to change your browser settings. One popular attack is changing the proxy settings of the browser, which will transmit everything to a third-party location instead of through Tor. Another example is software or malware changing your search settings. You might unknowingly type something in that you did not want searched with a particular search engine. For this, I would recommend BrowserProtect: https://addons.mozilla.org/en-US/firefox/addon/browserprotect/ which protects your browser's settings and preferences from being changed.

9.10. DNS Leaks

Basically, a DNS leak is when your Public IP is leaked instead of the lookup going through Tor. If any traffic leaks, a third party monitoring your connection will be able to log your web traffic. There is a great how-to for Linux found here: https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks. For Windows users, I would block TCP port 53 on your firewall. Note that blocking port 53 will block ALL attempts from any web browser whether in Tor or otherwise. Also, I would change your DNS settings to localhost (taken from Microsoft and Mintywhite, whatever that is):

Vista/7
1. Open Network Connections by clicking the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.
2. Right-click the connection that you want to change, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Local Area Connection is usually the wired connection and Wireless is wireless. For other adapters (dongles, etc.), you will have to right-click those or use the software provided with the device.
3. Click the Networking tab. Under "This connection uses the following items", click Internet Protocol Version 4 (TCP/IPv4).
4. To specify DNS server address settings, do one of the following:
5. To specify a DNS server address, click "Use the following DNS server addresses", and then, in the Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary and secondary DNS servers (127.0.0.1).

XP
1. Locate and open Network Connections.
2. Double-click your default Network Connection from the available list.
3. Click Properties.
4. Highlight Internet Protocol (TCP/IP) and click on Properties again.
5. To specify a DNS server address, click "Use the following DNS server addresses", and then, in the Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary and secondary DNS servers (127.0.0.1).

Furthermore, I would configure your browser to disable DNS prefetching:

Firefox

1. In the address bar, type about:config and press Enter.
2. Accept the prompt.
3. Type network.dns.disablePrefetch into the Filter field.
4. Double-click network.dns.disablePrefetch under Preference Name.
5. In the white box, enter True.
6. Click "OK" and close the about:config window.
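The about:config changes from 9.7 and 9.10 (and the network.websocket.enabled change mentioned later in 9.13) all end up as user_pref() lines in the profile's prefs.js, so they can be verified rather than re-clicked. As an added example (not code from this guide), here is a Python script that parses a prefs.js or user.js, compares the preferences the guide names against the recommended values, and emits a user.js that applies them at startup. The prefs.js text is constructed; the defaults table records the values the guide's own steps say Firefox starts from (stated here as an assumption about that Firefox version).

```python
"""Check a Firefox prefs.js / user.js against the about:config values that
sections 9.7 and 9.10 (and the WebSocket note in 9.13) tell you to set.

Added example, not code from this guide. The prefs.js text is constructed;
DEFAULTS holds the values the guide's steps imply Firefox starts from
(an assumption about that Firefox version, not verified here).
"""
import re

RECOMMENDED = {
    "network.http.sendRefererHeader": 1,            # 9.7: 1 instead of the default 2
    "network.http.sendSecureXSiteReferrer": False,  # 9.7: no Referer between HTTPS sites
    "network.dns.disablePrefetch": True,            # 9.10: no speculative lookups outside Tor
    "network.websocket.enabled": False,             # 9.13
}
DEFAULTS = {
    "network.http.sendRefererHeader": 2,
    "network.http.sendSecureXSiteReferrer": True,
    "network.dns.disablePrefetch": False,
    "network.websocket.enabled": True,
}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw: str):
    """prefs.js literal -> bool, str or int (anything else is kept as text)."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def same(a, b) -> bool:
    # 1 == True in Python; a pref set to true where 1 is expected is still wrong
    return type(a) is type(b) and a == b


def audit_prefs(text: str) -> dict:
    """Return {pref: (current, recommended)} for every pref not at the recommended value."""
    prefs = parse_prefs(text)
    problems = {}
    for name, want in RECOMMENDED.items():
        have = prefs.get(name, DEFAULTS[name])
        if not same(have, want):
            problems[name] = (have, want)
    return problems


def render_pref(value) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return f'"{value}"'
    return str(value)


def recommended_user_js() -> str:
    """user.js lines that apply every recommended value at startup."""
    return "\n".join(f'user_pref("{n}", {render_pref(v)});' for n, v in RECOMMENDED.items())


# Constructed prefs.js: Referer fixed, prefetch explicitly left on, the rest untouched.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.http.sendRefererHeader", 1);
user_pref("network.dns.disablePrefetch", false);
"""

if __name__ == "__main__":
    for name, (have, want) in audit_prefs(SAMPLE_PREFS).items():
        print(f"{name}: is {have!r}, should be {want!r}")
    print(recommended_user_js())
```

A user.js in the profile directory is the durable form of these settings: Firefox re-reads it on every start, so a preference that malware or an addon flips back (the concern raised in 9.9) is reset the next time the browser launches, and the audit above tells you when the running profile drifted.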

9.11. User Awareness, Accidents and System Updates

We are all human and therefore make mistakes; it is a simple fact of life. One of the most common mistakes is accidentally searching for something in a web browser when it contains sensitive information. Unfortunately, common user errors are not preventable and cannot be completely solved. You can change the search provider to ensure it does not log your IP address in the first place, which should be done regardless. For this I recommend DuckDuckGo: https://duckduckgo.com/privacy.html.

9.12. Limitations

When using Tor, people believe that all traffic is encrypted; this is not the case. It is a good idea that people know when traffic will be sent in clear text. As I said before, Tor works with many applications, including your instant messaging applications, remote logins and many other applications based on the TCP protocol, but not the UDP protocol. Voice and video traffic are examples of data that will likely be using UDP; this means they are generally not safe to use. This includes programs such as Skype, Google Voice, ChatRoulette, or Omegle. Those programs/websites (when using a webcam) will not be encrypted, therefore they have no anonymity.

Even though I would not recommend it, you can send all traffic through a VPN and run the VPN through Tor. Make sure to configure the VPN to use TCP traffic instead of the default UDP traffic first, though. Also know that there will be extreme performance degradation when doing this, so you might not even consider this feasible. For example, it is possible to configure OpenVPN to use TCP and set a proxy to 9150 to run through Tor.

9.13. Extra

There are also more advanced features of Polipo that you could look into that offer additional security.

Polipo offers the option to censor given HTTP headers in both client requests and server replies. The main application of this feature is to very slightly improve the user's privacy by eliminating cookies and some content-negotiation headers. This can also be done using the Firefox windows (about:config) by configuring the Header and Referrer information.

As a number of HTTP servers and CGI scripts serve incorrect HTTP headers, Polipo uses a lax parser, meaning that incorrect HTTP headers will be ignored (a warning will be logged by default). If the variable laxHttpParser is not set (it is set by default), Polipo will use a strict parser, and refuse to serve an instance unless it could parse all the headers. Recently, as per a new vulnerability, you should set network.websocket.enabled to False.

If you are using Linux you can create rules in the firewall (iptables) to only allow traffic through Tor and block everything else. Doing so ensures that nothing is accidentally leaked (traffic-wise). When using the Tor Browser Bundle, or a computer that is multipurpose, I would recommend blocking UDP port 53. Port 53 is used for DNS, or Domain Name Service, and blocking it will ensure that your computer will not resolve websites without going through Tor.
Chapter 10 _ Tails

Author: RogerNyght

This guide duplicates many topics that are already brilliantly covered by the Tails documentation: https://tails.boum.org/doc/index.en.html. I urge you to read that! In fact, my guide is not supposed to be a surrogate for the Tails documentation. It's also not a pure walkthrough. It's rather an explanatory article, showing you what Tails can do for you and how.

This guide provides a complete solution for anyone trying to be as secure as possible for their Tor adventures. That includes a secure operating system and encrypted storage for your files. This section was created for versions .12-.14. Things might be different and functionality might have changed since then.

Topics

This Chapter will cover the following topics:
Tails concept
Why can't I use Windows / Windows in a VM / Operating System XYZ?
How to choose strong passphrases
Requirements for Tails
First steps
Using Tails as a completely amnesic system
Using Tails with a persistent volume
Encryption of an external drive
How to mount a LUKS-encrypted volume in Windows
Secure deletion of a drive or partition
Using the persistent volume
Storing files on the persistent volume
More!

Tails is an operating system based on Debian/Linux. It's a live OS, meaning you don't install it to a hard drive like Windows, but rather run it from DVD or USB stick. It is optimized for privacy and anonymity.

10.1.1. Tails concept

Tails is explicitly built for people who need strong anonymity. Thus, it provides the following features out of the box:

1. Tor setup: You don't need to configure Tor yourself. Tails enforces that any connections go through the Tor network and/or blocks connections outside of Tor. This is a major security advantage for the user: DNS leaks aren't possible and unmasking attacks become much harder, especially if compared to a vanilla Windows system using TorBrowser. Tails also makes it easier to use other programs via Tor: Claws for Mail and Pidgin for IM are already installed.

2. Amnesic live system: Tails boots from DVD or USB stick. It is designed to exclusively run in RAM: No traces are left on hard drives (i.e., caches, logs, etc.). By design, nothing is written to a hard drive unless you explicitly tell it to do so (for instance, saving a file to your encrypted external drive). The combination of the two facts above enables you to take your secure Tor environment with you: You can safely boot from your Tails stick on a foreign PC (the only risks being surveillance cameras or hardware keyloggers). Also, you can safely give away your PC for repairs: Unplug your USB stick (and the eventual, encrypted external drive), and there's nothing left connecting your PC to your Tor activities. This is one of the big reasons why to never mix regular Windows usage (encrypted or not!) with your Tor activities. More on that in chapter 1.d.

3. Emergency exit: When push comes to shove, you just can't worry about deleting traces of your running system. Tails makes it easy: Press the shutdown button and it will initialize a RAM wipe, which only takes about 10-20 seconds. You can even rip out the Tails USB stick from a running system, which should trigger the RAM wipe as well. Wiping RAM is better than instantly removing power from the PC: RAM can hold information without electricity for some seconds, up to some minutes. Granted, retrieving information from cold RAM is not the most probable attack vector, but that's the reason for Tails' RAM wiping process.

4. Based on Free Open Source Software: Tails only includes software after reviewing its source code. This is important for guaranteeing a secure OS. It also means for you that installing additional software can break Tails' secure setup. More on that in chapters 7 through 9.

5. Included encryption tools: You don't need to install any encryption software yourself. Tails provides:

a. LUKS encryption for hard drives
b. a Password/OpenPGP key manager
c. an OpenPGP applet for text encryption
d. TrueCrypt (legacy support)

10.1.2. Why can't I use another OS / Windows in a VM?

Sure, you are free to do so. But there are always people asking questions of the kind: is it safe to use program X with Tor and how do I disable/delete Windows caches and traces? Especially if you don't have a good understanding of how things work, you will struggle with your setup and always worry about its security, rightfully so.

Tails on the other hand is already optimized for anonymous internet access and overall security. Yes, you could achieve comparable security by other means, but Tails is the most fail-safe option. Especially if you don't exactly know what you're doing, attempts to create a secure Windows environment will fail at some point or another.

10.2.1. How to choose strong passphrases

There are several occasions that require you to choose a safe passphrase, especially for encryption. Keep in mind that short, simple passphrases will be cracked in a short time. I recommend a combination of these two approaches:

1. DiceWare method: http://world.std.com/%7Ereinhold/diceware.html
2. Mnemonic approach: http://youtube.com/watch?v=VYzguTdOmmU

Remember that you are not only trying to defeat brute-force attacks. A passphrase like supercalifragilisticexpialidocious might be 34 characters long, but will be easily cracked with a simple dictionary attack. That doesn't at all mean you shouldn't use dictionary words, but you have to combine at least 5 random words, e.g. with the DiceWare method mentioned above, creating passphrases looking like this: zenstunkashleytipoffsudangouda

This kind of passphrase is easy to type, easy to remember, yet hard to crack. For explanatory details, read the DiceWare FAQ: http://world.std.com/%7Ereinhold/dicewarefaq.html
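The "at least 5 random words" advice is an entropy calculation: each word drawn uniformly from the 7776-entry Diceware list adds log2(7776), about 12.9 bits, so five words give about 64.6 bits, whereas a single dictionary word, however long, is worth only log2(dictionary size). As an added example (not code from this guide), the Python below carries that arithmetic through and generates a passphrase the Diceware way, from dice rolls drawn with the OS CSPRNG. The 36-word list is constructed so the demo runs offline; it is far too small for real use, and the entropy functions take the real list size by default.

```python
"""Diceware-style passphrase generation and the arithmetic behind
"combine at least 5 random words".

Added example, not code from this guide. A real Diceware list has 7776
words (one per roll of five dice); the short list below is constructed so
the demo runs offline, and the entropy is computed from whatever list
length is passed in.
"""
import math
import secrets

DICEWARE_WORDS = 6 ** 5  # 7776 entries on the real list


def entropy_bits(n_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words chosen uniformly and independently from list_size."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_WORDS) -> int:
    """Smallest word count reaching target_bits from a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def single_dictionary_word_bits(dictionary_size: int) -> float:
    """What one long dictionary word is worth against a dictionary attack."""
    return math.log2(dictionary_size)


def roll_index(n_dice: int) -> int:
    """Roll n_dice fair dice with the OS CSPRNG; returns 0 .. 6**n_dice - 1."""
    idx = 0
    for _ in range(n_dice):
        idx = idx * 6 + secrets.randbelow(6)
    return idx


def diceware_passphrase(word_list, n_words: int = 5) -> str:
    """Pick n_words by dice roll; the list must have 6**k entries so every roll maps to a word."""
    n_dice = round(math.log(len(word_list), 6))
    if 6 ** n_dice != len(word_list):
        raise ValueError("word list must have 6**k entries")
    return " ".join(word_list[roll_index(n_dice)] for _ in range(n_words))


# Constructed 36-word list (two dice) for the demo; never use a list this small for real.
DEMO_LIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gable", "habit", "ivory",
    "jelly", "kayak", "lemon", "mango", "noble", "olive", "panda", "quilt", "river",
    "salsa", "tulip", "umbra", "vivid", "wafer", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "delta", "ember", "flint", "gecko", "honey", "igloo", "jumbo",
]


if __name__ == "__main__":
    print(f"5 Diceware words: {entropy_bits(5):.1f} bits")
    print(f"words for 80 bits: {words_needed(80)}")
    print(f"one word from a 500k dictionary: {single_dictionary_word_bits(500_000):.1f} bits")
    print("demo passphrase (36-word list, weak):", diceware_passphrase(DEMO_LIST))
```

The point the numbers make: a 34-letter single word is not 34 characters of randomness but one choice out of a dictionary, under 20 bits for even a very large word list, while five real Diceware words are about 64.6 bits and seven reach 90.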

10.3.1. Requirements for Tails

Basic:
o PC with (at least!) 1 GB of RAM
o DVD drive
Advanced:
o USB stick with (at least!) 2 GB
o Ability to boot from USB (depends on the motherboard. Any problems, just google "motherboard name boot from USB")
o External hard drive for encrypted file storage

Note: I have heard about problems booting from Tails USB sticks on Mac laptops. You might need a boot manager like rEFIt: http://refit.sourceforge.net.

10.4.1. First steps

1. Download the Tails disk image: https://tails.boum.org/download/index.en.html
2. Burn it to DVD. If you don't know how to burn a disk image, here's a how-to for every OS: https://help.ubuntu.com/community/BurningIsoHowto
3. Boot from DVD

Now you should think about how you want to use Tails. There are two options:

10.4.2. Using Tails as a completely amnesic system

If you never intend to permanently save any files and just want to browse in Torland, this is the way to go. Out of the box, Tails will not utilize your hard drives. It completely stays in RAM. Open your amnesia's Home folder on the Desktop: Anything saved in there will be wiped on shutdown.

You can still make changes to Tails, like installing DownThemAll (a Firefox-integrated download manager) or adding software packages through apt-get, but everything will be lost after shutdown.

If you use Tails this way, the big advantage is: No evidence at all. If you've decided that even well-encrypted files are too much of a risk for you, this is the way to go. There's no recoverable evidence of your activities, no cleanup tools needed. You can look at pictures, even download files to your amnesia's Home folder; they will irrecoverably be gone on shutdown. Using Tails for this kind of surfing is way more fail-safe and easier than cleaning up a Windows machine every day.

10.4.3. Using Tails with a persistent volume

If you want to do more with your Tails setup, you will need a USB stick to put a persistent volume on. Installing Tails on a USB stick is best done within Tails; read the instructions here: https://tails.boum.org/doc/first_steps/usb_installation/index.en.html

Being able to boot from USB depends on your PC's motherboard; most can do it. You might need to change BIOS settings; you will find that information on the web. Now that you have booted from your Tails USB stick, you can create a persistent volume on its remaining space. Instructions: https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html

Read closely which files or features can be made persistent. Especially the GNOME keyring and the saved APT Packages/APT lists can be very useful. I recommend enabling the Personal data option, which means that you can permanently store files on the encrypted portion of the stick. It will be represented by the folder called Persistent. You might not want to use it for your main storage due to the size of your USB stick; read on for how to set up an encrypted external drive.

10.5.1. Encryption of an external drive

I guess many of you use TrueCrypt. You can continue to use TrueCrypt on Tails, but not in the
long run. Right now, you'd have to enable TrueCrypt in the boot options:
https://tails.boum.org/doc/encryptionandprivacy/truecrypt/index.en.html

In future versions of Tails, TrueCrypt support will be dropped entirely (reasons being: license
issues and concerns about TC's somewhat closed development). Instead, you should use LUKS,
the Linux standard for disk encryption. It is easily configured through the GNOME Disk Utility.
You'll find the instructions here:
https://tails.boum.org/doc/encryptionandprivacy/encrypted_volumes/index.en.html

Make sure you choose a strong passphrase, as described in chapter 2. Note that Disk Utility
allows you to change the volume's passphrase at any time without re-encrypting the whole
drive. That's possible because of the two-layer encryption structure: there's a master key that
encrypts your drive. Your passphrase encrypts the master key. Should you change your
passphrase, only the master key will be re-encrypted.

10.5.2. How to mount a LUKS-encrypted volume in Windows

Although it's a Linux filesystem, there is a way to access it in Windows. If you ever feel the
need to access your drive in a Windows environment, use http://www.freeotfe.org. Not
recommended for various security reasons, but possible.


10.6.1. Secure deletion of a drive or partition

If you've decided to ditch your old Windows environment, it's important to destroy potential
evidence. Don't keep old drives that you used for downloading, viewing, or storing of anything
illegal or incriminating. Overwriting such a drive once is sufficient. Don't waste your time with
35-pass methods. Read here why.

How to do it in Tails:
1. Identify the ID of your drive or partition
2. Open GNOME Disk Utility from the menu bar: Applications > System Tools > Disk Utility
3. Click on the drive you plan to wipe. It should look like this: click here
4. You find the ID in the line "Device". In the case shown in the screenshot, it would be
/dev/sdb. A drive's ID always looks like /dev/sdX. A partition's ID always looks like
/dev/sdXY.

Use the shred command in Terminal: shred is shipped with Tails; it does not have a GUI (Graphical
User Interface). You control it via the command line, which is called Terminal in Tails. In the
menu bar, click on the black item representing a command-line prompt to launch Terminal.
The command shred -vfn 1 /dev/sdX will overwrite the drive /dev/sdX once with random
data (-n 1), output progress info (-v), and operate as a force overwrite (-f). The operation will
take some hours (500 GB took me about 4-5 hours). BE CAREFUL. Make sure you identified the
right drive. Once overwritten, data is lost.
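A guard around the shred command above, added here as an example and not part of the guide: it accepts only whole-disk names of the form /dev/sdX, refuses a drive that is mounted (on Tails the running boot stick is), and makes you type the name a second time before anything is overwritten. MOUNTS_FILE and WIPE_DRY_RUN are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the guide: a guard around the guide's "shred -vfn 1 /dev/sdX"
# that enforces the "make sure you identified the right drive" step before anything is
# overwritten. Assumptions: the mount table is /proc/mounts (MOUNTS_FILE can override it),
# and WIPE_DRY_RUN=1 prints the shred command instead of running it.

MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# valid_whole_disk DEV: accept only a whole-disk name such as /dev/sdb. A trailing slash
# (/dev/sdb/), a partition (/dev/sdb1) or a bare name (sdb) is rejected.
valid_whole_disk() {
    case "$1" in
        /dev/sd[a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# is_mounted DEV: true if DEV itself or any partition on it (DEV1, DEV2, ...) is listed as a
# mounted device in MOUNTS_FILE. On Tails the boot stick is mounted, so it can never pass.
is_mounted() {
    while read -r mdev _rest; do
        case "$mdev" in
            "$1"|"$1"[0-9]*) return 0 ;;
        esac
    done < "$MOUNTS_FILE"
    return 1
}

# wipe_disk DEV CONFIRM: run the checks, then overwrite DEV once with random data using the
# same options the guide uses (-v progress, -f force, -n 1 single pass).
wipe_disk() {
    dev=$1
    confirm=$2
    if ! valid_whole_disk "$dev"; then
        echo "refusing: '$dev' is not a whole-disk name of the form /dev/sdX" >&2
        return 1
    fi
    if [ ! -r "$MOUNTS_FILE" ]; then
        echo "refusing: cannot read $MOUNTS_FILE to check what is mounted" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    if [ "$confirm" != "$dev" ]; then
        echo "refusing: confirmation '$confirm' does not match $dev" >&2
        return 1
    fi
    if [ "${WIPE_DRY_RUN:-0}" = "1" ]; then
        echo "dry run: shred -vfn 1 $dev"
        return 0
    fi
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    shred -vfn 1 "$dev"
}
```

Run it as wipe_disk /dev/sdX /dev/sdX after checking the Device line in Disk Utility; the wipe only starts when all four checks pass.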

10.7.1. Using the persistent volume

If you've installed Tails on a USB stick, going to Applications > Tails > Configure persistent volume
will walk you through an installation wizard for the persistent volume. Make sure you choose a
strong password; read chapter 2.

Despite the Persistence feature, Tails will never work like an installed OS that you are probably
used to. It will remain a live OS that can preserve some resources, but for the sake of security
and integrity, it can't be as comfortable as an installed OS. Go to Applications > Tails > Configure
persistent volume to take a look at the available options. You can sort the Persistence options
into four categories:

1. Persistent file storage (Personal Data)
2. Persistent configuration files for some Tails apps (e.g. Pidgin, GNOME Keyring, SSH
client)
3. Persistent software lists and software downloads (APT lists and APT Packages, read
chapter 8!)
4. Persistent directories (for instance, paths to configuration files for additionally installed
software; advanced!)

Items will be made persistent after a reboot. Any time you enable a Persistence feature, reboot
before using it.

10.7.2. Storing files on the persistent volume

This is the most basic option. It enables a persistent folder found in
/amnesia/Persistent/. Keep in mind, all other directories, for instance the Desktop, are still not
persistent. Due to USB sticks' limited capacities I don't recommend the Persistent folder as
your main storage. It's as secure as your password is, so you can use it for sensitive files though.
I, for one, only keep the following items in the Persistent folder:

o Backups of password keyrings and other important files
o Bookmarks
o Some notes and text files; stuff I want to have with me on the go

That's just an example; use the folder however you like. Just choose a strong password as
described in chapter 2.

10.7.3. Firefox bookmark management

You may have already noticed that a Persistence preset for the Firefox/Iceweasel browser is
missing. The main reason being, Tails wants to discourage you from changing anything
browser-related, for security reasons. That makes sense, but also means that we have to find
ways to sync bookmarks manually.

Theoretically, you could make the bookmarks.html file persistent, in which the browser stores
all bookmarks. For technical reasons, this is harder than it looks, because the profile's directory
changes on each launch of Firefox. Unless someone finds a better solution for this, we are left
with two options for the bookmarks problem:
o Use Firefox/Iceweasel's integrated Import and Backup feature:
1. create your bookmarks in Firefox/Iceweasel
2. go to Bookmarks > Show all bookmarks > Import and Backup > Backup
3. save this backup file in your Persistent folder
4. via the same menu, import this file the next time you boot Tails
o Keep the links in a plain text file (.txt), stored in the Persistent folder
1. this might look a bit puritan, but it's easier to handle.


10.7.4. The password manager "Passwords and Encryption Keys"

The tool is found in System > Preferences > Passwords and Encryption Keys. It allows you to:
1. store passwords or logins in an encrypted keyring
2. create an OpenPGP key for encrypting mails

I want to focus on the first feature. You may be registered on several Tor sites. It's a hassle to
choose passwords that are both easy to remember and secure. That's why it might be a good
idea to use a password manager. Thus you can choose cryptic, ridiculously long logins, but only
have to remember the master password of your password manager. First, enable Persistence
for the GNOME Keyring. As always, this is done in Applications > Tails > Configure persistent
volume. Don't forget to reboot after making that change. Now, you can create persistent
password keyrings.

To create a keyring:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Click File > New > Password Keyring, choose a name and password

To add a password to this keyring:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Click File > New > Stored password
3. Select your previously created keyring
4. For a description, e.g. use the site's URL or your account's name
5. Type or paste the password

To access a password:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Right-click on the keyring, Unlock
3. Double-click the password entry
4. Expand the password field and click Show Password

Creating a backup of the keyring: in case you lose your USB stick, it might be handy to have a
backup of your passwords. Keyrings are small files that you can store on some other encrypted
volume (for instance, your encrypted external drive, chapter 5.a). In case you need to recover
the backup, just put the files back into their original location.
1. Open a file browser window. Click Go > Location...
2. In the address field, insert: /home/amnesia/.gnome2/keyrings and press Enter
3. You'll see your keyring(s) with the file extension .keyring
4. Copy those files to another (encrypted!) volume

Recovering a keyring backup:
1. Close the program Passwords and Encryption Keys if it's open
2. Go to your backup location, copy the .keyring file(s)
3. In the file browser, click Go > Location...
4. In the address field, input: /home/amnesia/.gnome2/keyrings and press Enter
5. Paste your .keyring files into this folder
6. Restart Passwords and Encryption Keys
7. Your keyrings are back in place

10.7.5. Pidgin for IM/Chat/IRC

Pidgin is preconfigured for chatting through Tor. Many chat protocols are supported. If you
want your account settings to be permanent, enable the Persistence option Pidgin in
Applications > Tails > Configure persistent volume and reboot.

What's not safe to do:
o For anonymous chatting, don't ever log in to any services that could be traced back to
you. That includes:
o services that may have personal information about you (name, address, phone,
email, real-life friends, etc.)
o services you previously logged in to without Tor (always assume services log IP
addresses!)
What's safe to do:
o Using any of the supported chat protocols with accounts you created with Tor
and without giving personal information.
The TorChat plugin:
o Good news: the developer of TorChat has also created a TorChat Pidgin
plugin
o Bad news: it doesn't work on Tails. Same problem as with standalone
TorChat; read about that issue in chapter 8.d

10.8.1. Installing software: The basics

Keep in mind you should modify Tails only when necessary and to the minimum. The whole
point of Tails is to provide a safely configured system. Don't tamper with it. Read the warnings
here. Yet, you sometimes need something that's not included in Tails.
o Tails is Linux/Debian-based. You can install software that's provided in Debian
repositories (or manually download a .deb file)
o You'll need admin privileges for any installation. That requires enabling "More
options" when booting, after which you can set an admin password. You don't
need an insanely strong password here, because it's not for encryption
o Installation is done either via Synaptic Package Manager (System >
Administration > Synaptic Package Manager), the Terminal command sudo apt-get
install, or by manually installing a downloaded .deb file (Terminal: sudo dpkg -i
/path/to/file.deb). The last part is only necessary for applications that are not
included in the usual Debian repositories

It is recommended to enable the following Persistence options (Applications > System tools >
Configure persistent volume):

1. APT lists
2. APT packages

APT lists are information about software, its versions and their availability. Once you trigger an
update of that list via sudo apt-get update, the list will be kept. APT packages are the
applications you download via sudo apt-get install or Synaptic Package Manager. Important:
ONLY the packages are kept. Not the actual application's installation or the application's
configuration. This means that you have to install your applications again on every boot. This
might feel cumbersome, but actually it is not.

Save a .txt file with the commands you need to run on every boot and paste them into
Terminal. You don't need to include sudo apt-get update; just append every application you
wish to install to sudo apt-get install. It could look like this: sudo apt-get install app1 app2 &&
sudo dpkg -i /PATH/app3.deb && app1. This line would do the following:

1. install app1
2. install app2
3. install app3 from a local file
4. launch/initialize app1

Take a look at the syntax: with &&, you chain different commands, so you can put multiple
commands in one line (each command only runs if the previous one succeeded). Obviously, all
of the above is meant for advanced computer users. Especially if you try and install a .deb file
manually, so-called dependencies will come into play. That means, to install the application,
some other packages need to be installed to make it work. This is also the case if you install via
apt-get or Synaptic Package Manager, but in those cases, dependencies are handled
automatically.

10.8.2. Recommended software additions

1. DownThemAll (via Firefox/Iceweasel)
2. gnome-screensaver (via apt-get)

DownThemAll: Tails strongly advises against installing browser plugins. You should run a vanilla
Iceweasel for three reasons:

1. Don't change the browser's footprint. You want to look like every other Tor Browser out
there
2. The plugin could contain malicious or buggy code
3. Don't risk messing up the browser's safe setup. You don't want anything to interfere
with TorButton or proxy settings, for instance

On the other hand, without download managers, you'd lose the ability to resume unstable
downloads. Adding a download manager is on Tails' agenda; let's hope they do it soon. In the
meantime, I've chosen DownThemAll for the following reasons:

1. It is Free Open Source software
2. It completely runs within Iceweasel/Firefox (does not have its own proxy/network settings)

How to install DownThemAll:

1. Download the .xpi file from the developer:
http://www.downthemall.net/main/install-it/downthemall-2013/
2. Save it in your Persistent folder, so you don't need to download it for subsequent
installations
3. Drag it onto a running Iceweasel window, which will need to restart

Note: the fact you're saving a copy of DTA to your disk also means you should manually check
for updates once in a while.

gnome-screensaver (via apt-get): for some reason, Tails does not bring its own screen lock.
You should always lock the screen, even if you're just opening the door or feeding the dog.
Primal download and installation of gnome-screensaver:
1. Open a Terminal
2. Run: sudo apt-get update && sudo apt-get install gnome-screensaver && gnome-screensaver
3. To lock the screen, press CTRL+ALT+L or click Lock Screen in the menu bar's System tab

Subsequent installations of gnome-screensaver:
1. Save the following command to a .txt file in your Persistent folder, so you can easily
paste it into a Terminal window: sudo apt-get install gnome-screensaver && gnome-screensaver
2. Note the difference to the primal installation: we don't update the package list again
(apt-get update) and also, the package gnome-screensaver will not be downloaded
again if you've enabled the Persistence options for APT Lists and APT Packages. If you
need to chain multiple installations together, I wrote a syntax example in chapter 7.a


10.8.3. I2P / iMule (not recommended)

If you don't know anything about I2P, don't use it. You are most likely better off with Tor, so
just stick with that. iMule is an eMule clone based on the anonymous darknet I2P. Although
Tails is focused on Tor, it also ships with an I2P console. The following steps are just an
orientation for advanced users only.

1. You can start I2P from the menu bar: Internet > i2p
2. You'll need to enable the SAM bridge for iMule: I2P Console > I2P Services > Clients >
SAM application bridge
3. Restart the console
4. iMule depends on libcrypto++8 and python-wxgtk; install them
5. Install iMule (download here and take the i386 squeeze package)
6. Bootstrap with a nodes.dat; I took this
7. You should be up and running; wait for discovery of more clients.
8. iMule is slow anyway

10.8.4. TorChat (not working)

It's a pity, but TorChat is not being shipped with Tails (Tails developers disagree with TorChat's
implementation). It is not impossible to get TorChat working with Tails. I got as far as:

o installing TorChat
o making the hidden service directory persistent

The major problem is the following: TorChat uses its own Tor instance, not the one that's
already running on the system. This conflicts with Tails' setup. It could be resolved by putting
TorChat in client mode, which forces it to use the system's Tor instance. That requires making
changes to Tails' torrc (Tor config), which I am not able to (safely) do. If somebody finds a safe
way, tell us. Remember, you actually don't want to make persistent changes to Tails' system,
especially the Tor setup.

10.9.1. File and folder handling in Terminal

For the most part, you can stick with the graphical File Browser. Some tasks though require the
Terminal, for example joining a split file. Here are some of the more basic commands, such as cd
(change directory). A Terminal window always starts at /home/amnesia/. For example, the
command cd /home/amnesia/Persistent takes you to your Persistent folder. cd .. takes you
one level up in the directory hierarchy, in this case back to the /home/amnesia folder. You can
also type cd and, before pressing Enter, drag a folder from File Browser onto the Terminal
window to add its full path! Works with individual files as well.

ls lists all files and folders in the current directory. ls -a includes hidden files and folders. cat is a
utility to join files. Example: you download a split video, with parts named "Video 1.avi.001",
"Video 1.avi.002", and so on. Steps to join the video:
o Put all the parts of your video in one folder
o Open a Terminal window and jump to your video folder's path with: cd /path/to/folder/
o Remember, you can drag the folder onto Terminal to add its path
o Run cat "Video 1.avi"* > "Video 1.avi" in Terminal

Take a close look at cat's syntax to understand what it does: cat "Video 1.avi"* > "Video 1.avi"
This command means that cat will look at all files that begin with "Video 1.avi" and put them
all together in a single file called "Video 1.avi". The asterisk works as a wildcard, just as in a file
search. The quotes are necessary because the Terminal doesn't like spaces in file names.
Before you delete the split parts, make sure that the joined file was created correctly. cat
doesn't give feedback and if a part were missing, it won't tell you.

That little file-joining operation should just serve as a tiny example of the command line's
capabilities. If you spend some time exploring it and search on the internet for Debian/Linux
related tips, you'll get good use out of it, for example creating split .rar archives, encoding video
clips and much more.
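An added example, not the guide's own code: a join_parts function that does what the cat command above does but also catches the failure mode the text warns about, refusing to join when a part number is missing and checking the joined file's size against the parts. The "<base>.001" naming is assumed from the example above.

```shell
#!/bin/sh
# Added example, not code from the guide: join split parts named "<base>.001", "<base>.002",
# ... the way the guide's cat command does, but refuse to join when a part number is missing
# and check that the joined file is exactly as large as all parts together. Assumption
# (constructed): three-digit part numbers starting at 001, as in the guide's example.

# file_size FILE: print the size of FILE in bytes (wc -c may pad with spaces on some systems).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# join_parts BASE OUTPUT: returns 0 and writes OUTPUT on success; returns 1 (leaving no
# OUTPUT behind) when no parts exist, the numbering has a gap, or the size check fails.
join_parts() {
    base=$1
    out=$2
    expected=1
    total=0
    # The quoted prefix keeps spaces in the name intact; the unquoted glob expands. Fixed-width
    # numbers sort lexically in numeric order, so the expansion is already in sequence.
    set -- "$base".[0-9][0-9][0-9]
    if [ ! -e "$1" ]; then
        echo "join_parts: no parts found for '$base'" >&2
        return 1
    fi
    case "$out" in
        "$base".[0-9][0-9][0-9])
            # otherwise cat would read its own output file as one of the inputs
            echo "join_parts: output name collides with a part name" >&2
            return 1 ;;
    esac
    for part in "$@"; do
        num=${part##*.}                 # e.g. "007"
        num=${num#${num%%[!0]*}}        # strip leading zeros so sh does not read it as octal
        if [ "${num:-0}" -ne "$expected" ]; then
            echo "join_parts: expected part $expected but found '$part'; refusing to join" >&2
            return 1
        fi
        total=$((total + $(file_size "$part")))
        expected=$((expected + 1))
    done
    cat "$@" > "$out" || return 1
    if [ "$(file_size "$out")" -ne "$total" ]; then
        echo "join_parts: joined file has $(file_size "$out") bytes, expected $total" >&2
        rm -f "$out"
        return 1
    fi
    echo "join_parts: joined $# parts ($total bytes) into '$out'"
    return 0
}
```

A missing final part cannot be detected from the numbering alone, so the number of parts still has to be compared with what the source announced.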

10.10.1. General advice

o Don't lose your paranoia (don't feel totally safe with Tails). Paranoia keeps you thinking
and aware
o Using Tails does not magically make you safe for all eternity
o Updating Tails whenever a new version comes out is crucial for maintaining a secure
state
o Don't screw with Tails
o Don't make system paths persistent; that will prevent Tails from being properly
updated
o If you can avoid it, don't install additional software
o Don't install browser plugins. At most, DownThemAll
o Don't try and make Iceweasel/Firefox persistent. The potential ill effects outweigh the
discomfort of adding DTA or bookmarks every time
o Never leave incriminating files unencrypted on any drive. That includes your old
Windows system, if you ever downloaded, stored or viewed incriminating files with it.
So, please erase all drives that could still keep unencrypted incriminating files or traces.
Read chapter 6 for a how-to. Better be safe than sorry
o READ the Tails documentation. Browse the Tails forum to see how other people resolve
their problems.
o Unsure about something? Ask questions!

Chapter 11 _ Hacking Tools

The tools provided below are actual tools used by hackers that attempt to break into a system,
steal data, subvert protection, or cause malicious damage. This list is not all-inclusive and
should not be used as a substitute when performing security evaluations. Please, do not use
any of these tools if you do not have permission to do so and please, do not use any of these
tools for malicious purposes. This list does not exist for that reason.

You should look up each tool that you plan on using and learn how the tool works versus
just learning what each button does. For example, NMAP is a great tool to figure out which
ports are open on a server; however, it will not help you much if you are not familiar with
networking. In this case, you will have to learn about the TCP/IP header information, what the
ports are, the flags, what happens in response (SYN, SYN-ACK, ACK, RST, RST-ACK, etc.). It
also does not tell you how to get past a firewall or that a packet-filtering firewall and a stateful
firewall should be handled differently.

Common steps for breaking into a system

These are the common steps for an attacker when breaking into a system. When going through
the list of tools provided below, this list should help some when determining at what point you
should be on the attack. Obviously, this list is very simplistic and does not represent an actual
procedure for an attack. This post is not meant to teach you how to hack; just to show you
the attack tools in case you are interested.
1. Reconnaissance (footprinting).
2. Scanning.
3. Ports & Services Enumeration.
4. Vulnerability Assessment.
5. Vulnerability Exploitation.
6. Penetration and Access.
7. Privilege Escalation & full access.
8. Erase tracks.
9. Maintaining access.

And without further ado, here is the list of tools attackers use...

Top Tools

List:
Kali (formerly BackTrack): http://www.kali.org/. "From the creators of BackTrack comes
Kali Linux, the most advanced and versatile penetration testing distribution ever
created. BackTrack has grown far beyond its humble roots as a live CD and has now
become a full-fledged operating system."
NMAP: http://nmap.org/. "Nmap (Network Mapper) is a free open source utility for
network exploration or security auditing. It was designed to rapidly scan large networks,
although it works fine against single hosts. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application name
and version) those hosts are offering, what operating systems (and OS versions) they are
running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. Nmap runs on most types of computers and both console and graphical
versions are available. Nmap is free and open source."
Nessus Remote Security Scanner: http://www.tenable.com/products/nessus. "Nessus is the
world's most popular vulnerability scanner used in over 75,000 organizations worldwide. Many
of the world's largest organizations are realizing significant cost savings by using Nessus to
audit business-critical enterprise devices and applications."
Nikto: http://www.cirt.net/nikto2. "Nikto is an Open Source (GPL) web server scanner
which performs comprehensive tests against web servers for multiple items, including
over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version
specific problems on over 230 servers. Scan items and plugins are frequently updated
and can be automatically updated (if desired)."
Wireshark: http://www.wireshark.org/. "Wireshark is a GTK+-based network protocol
analyzer, or sniffer, that lets you capture and interactively browse the contents of
network frames. The goal of the project is to create a commercial-quality analyzer for
Unix and to give Wireshark features that are missing from closed-source sniffers."
Cain & Abel: http://www.oxid.it/cain.html. "Cain & Abel is a password recovery tool for
Microsoft Operating Systems. It allows easy recovery of various kind of passwords by
sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and
Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords,
revealing password boxes, uncovering cached passwords and analyzing routing
protocols."
Kismet: http://www.kismetwireless.net/. "Kismet is an 802.11 layer2 wireless network
detector, sniffer, and intrusion detection system. Kismet will work with any wireless
card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and
802.11g traffic."

Fingerprinting and Reconnaissance

Before you begin an attack, there should be a fair amount of planning and research towards
the target so you are not using all the tools blindly. This step involves accumulating data
regarding a specific network environment, usually for the purpose of finding ways to intrude
into the environment. Footprinting can reveal system vulnerabilities and improve the ease with
which they can be exploited. These are some tools that can assist in the information gathering;
however, a lot of information does not exist on this page. For example, when getting
information from a device such as a web server, you can try to telnet into the device and see if a
banner is returned when the telnet fails. For reconnaissance, you can search public forums, job
postings, social networking accounts, etc. Let's say that you perform a whois on a domain name
and receive a generic email. The bounce-back email might contain the specific name of an
individual within that company. Using that information, you can explore different avenues of
attack.

Collect Location Information Tools:
Google Earth: http://www.google.com/earth/index.html
DNS Interrogation Tools:
DNSDataView: http://www.nirsoft.net
Email Tracking Tools:
eMailTrackerPro: http://www.emailtrackerpro.com
PoliteMail: http://www.politemail.com
Super Email Marketing Software: http://www.bulkemailmarketingsoftware.net
MSGTAG: http://www.msgtag.com/download/free/
Zendio: http://www.zendio.com/download
Google Hacking Tools:
GMapCatcher: http://code.google.com
SiteDigger: http://www.mcafee.com
SearchDiggity: http://www.stachliu.com
Google Hacks: http://code.google.com
Google Hack Honeypot: http://ghh.sourceforge.net
BiLE Suite: http://www.sensepost.com
MetaGoofil: http://www.edgesecurity.com
Monitoring Web Updates Tools:
WebSite-Watcher: http://aignes.com/download.htm
Traceroute Tools:
Network Pinger: http://www.networkpinger.com/en/downloads/#download
Magic NetTrace: http://www.tialsoft.com/download/?url=http://www.tialsoft.com/mNTr.exe
GEOSpider: http://oreware.com/viewprogram.php?prog=22
3D Traceroute: http://www.d3tr.de/download.html
Website Footprinting Tools:
Burp Suite: http://portswigger.net/burp/download.html
Zaproxy: https://code.google.com/p/zaproxy/downloads/list
Website Mirroring Tools:
HTTrack Website Copier: http://www.httrack.com/page/2/
BlackWidow: http://softbytelabs.com/us/downloads.html
Webripper: http://www.callunasoftware.com/Webripper
SurfOffline: http://www.surfoffline.com/
Website Ripper Copier: http://www.tensons.com/products/websiterippercopier/
GNU Wget: ftp://ftp.gnu.org/gnu/wget/
WHOIS Lookup Tools:
ActiveWhois: http://www.johnru.com/
Whois Lookup Multiple Addresses: http://www.sobolsoft.com/
WhoisThisDomain: http://www.nirsoft.net/utils/whois_this_domain.html
Whois Analyzer Pro: http://www.whoisanalyzer.com/download.opp
Other Links:
Extract Website Information from archive.org, available from www.archive.org
Regional Internet Registry: http://en.wikipedia.org/wiki/Regional_Internet_Registry
Email Lookup / Free Email Tracker: http://www.ipaddresslocation.org
ReadNotify: http://www.readnotify.com
Pointofmail: http://www.pointofmail.com
DidTheyReadIt: http://www.didtheyreadit.com
Trace Email: http://whatismyipaddress.com/traceemail
myDNSTools: http://www.mydnstools.info/nslookup
DNSWatch: http://www.dnswatch.info
DomainTools: http://www.domaintools.com

Scanning Networks

Network Scanning is the process of examining the activity on a network, which can include
monitoring data flow as well as monitoring the functioning of network devices. Network
Scanning serves to promote both the security and performance of a network. Network Scanning
may also be employed from outside a network in order to identify potential network
vulnerabilities. This step is usually very "loud" and if done improperly, can get you
caught. During this phase, you are trying to determine which ports are open and which services
are running. For example, if you determine port 80 is open, you can try to launch web service
attacks. If you learn that the web server is Apache, then you can launch attacks that are
specific to Apache.

Anonymizers:
Anonymous Web Surfing Tool: http://www.anonymoussurfing.com
G-Zapper: http://www.dummysoftware.com/gzapper.html
Hide Your IP Address: http://www.hideyouripaddress.net
Hide My IP: http://www.privacypro.com/features.html
Spotflux: http://www.spotflux.com
Banner Grabbing Tools:
ID Serve: http://www.grc.com
Netcat: http://sourceforge.net/projects/netcat/files/latest/download?source=files
Censorship Circumvention Tools:
Psiphon: http://psiphon.ca
Your Freedom: http://www.yourfreedom.net

Custom Packet Creator:
Colasoft Packet Builder: http://www.colasoft.com/download/products/download_packet_builder.php
Network Discovery and Mapping Tools:
CartoReso: http://cartoreso.campus.ecp.fr
Friendly Pinger: http://www.kilievich.com/fpinger/download.htm
Spiceworks Network Mapper: http://www.spiceworks.com/download/
SwitchCenter Enterprise: http://www.lansecure.com/downloads.htm#network
LANsurveyor: http://www.solarwinds.com/register/MoreSoftware.aspx?External=false&Program=17592&c=70150000OOOPjNE
OpManager: http://www.manageengine.com/networkmonitoring/download.html
NetworkView: http://www.networkview.com/html/download.html
The Dude: http://www.mikrotik.com/thedude
LANState: http://www.10-strike.com/lanstate/download.shtml
Packet Crafter Tool:
Hping3: http://www.hping.org/hping3.html
Ping Sweep Tools:
Angry IP Scanner: http://angryip.org/w/Download
SolarWinds Engineer's Toolset: http://downloads.solarwinds.com/solarwinds/Release/Toolset/ZPToolset/ZPToolset01.html
Colasoft Ping Tool: http://www.colasoft.com/download/products/download_ping_tool.php
Visual Ping Tester Standard: http://www.pingtester.net
Ping Scanner Pro: http://www.digilextechnologies.com
Network Ping: http://www.greenlinesoft.com/product_network_ping/index.aspx
Ultra Ping Pro: http://ultraping.webs.com/downloads.htm
Ping Monitor: http://www.niliand.com
PingInfoView: http://www.nirsoft.net/utils/multiple_ping_tool.html
Pinkie: http://www.ipuptime.net/category/download/
Proxy Tools:
ezProxy: https://www.oclc.org/ezproxy/download.en.html
Charles: http://www.charlesproxy.com/
JAP Anonymity and Privacy: http://anon.inf.tu-dresden.de/win/download_en.html
UltraSurf: http://www.ultrasurf.us
CC Proxy Server: http://www.youngzsoft.net/ccproxy/proxyserverdownload.htm
WideCap: http://widecap.ru
FoxyProxy Standard: https://addons.mozilla.org
ProxyCap: http://www.proxycap.com
TOR (The Onion Routing): https://www.torproject.org/download/download
Scanning Tools:
IP-Tools: http://www.ks-soft.net/ip-tools.eng/downpage.htm
Advanced Port Scanner: http://www.radmin.com/download/previousversions/portscanner.php
MegaPing: http://www.magnetosoft.com/products/megaping/megaping_features.htm
Netifera: http://netifera.com
Network Inventory Explorer: http://www.10-strike.com/networkinventoryexplorer/download.shtml
Free Port Scanner: http://www.nsauditor.com/network_tools/free_port_scanner.html#.UWJRvqLzvrw
NMAP: http://nmap.org/
Global Network Inventory Scanner: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
Net Tools: http://mabsoft.com/nettools.htm
SoftPerfect Network Scanner: http://www.softperfect.com/products/networkscanner/
Tunneling Tools:
Super Network Tunnel: http://www.networktunnel.net
HTTP-Tunnel: http://www.httptunnel.com
Bitvise: http://www.bitvise.com
Vulnerability Scanning Tools:
GFI LanGuard: http://www.gfi.com/downloads/mirrors.aspx?pid=lanss
Nessus: http://www.tenable.com/products/nessus
MBSA: http://www.microsoft.com/en-us/download/details.aspx?id=7558
Nsauditor Network Security Auditor: http://www.nsauditor.com/network_security/network_security_auditor.html#.UWKEx6Lzvrw
Security Auditor's Research Assistant (SARA): http://www-arc.com/sara/
Security Manager Plus: http://www.manageengine.com/products/securitymanager/download.html

System Hacking

Anti-Keyloggers:
CoDefender: https://www.encassa.com/downloads/default.aspx
DataGuard AntiKeylogger Ultimate: http://www.maxsecuritylab.com/dataguardantikeylogger/downloadantikeyloger.php
Privacy Keyboard: http://www.privacykeyboard.com/privacykeyboard.html
Elite Anti Keylogger: http://www.eliteantikeylogger.com/freedownload.html
Anti-Rootkits:
Stinger: http://www.mcafee.com/us/downloads/freetools/howtousestinger.aspx
UnHackMe: http://www.greatis.com/unhackme/download.htm
Virus Removal Tool: http://www.sophos.com/en-us/products/freetools/virusremovaltool.aspx
Hypersight Rootkit Detector: http://northsecuritylabs.com/
Avira Free Antivirus: http://www.avira.com/en/avirafreeantivirus
Anti-Spywares:
MacScan: http://macscan.securemac.com/
Spybot Search & Destroy: http://www.safer-networking.org/dl/
Malwarebytes Anti-Malware PRO: http://www.malwarebytes.org/products/malwarebytes_pro/
SpyHunter: http://www.enigmasoftware.com/products/
SUPERAntiSpyware: http://superantispyware.com/index.html
Spyware Terminator 2012: http://www.pcrx.com/spywareterminator/
Covering Tracks Tools:
CCleaner: http://www.piriform.com/download
MRU-Blaster: http://www.brightfort.com/mrublaster.html
Wipe: http://privacyroot.com/software/www/en/wipe.php
Tracks Eraser Pro: http://www.acesoft.net/features.htm
BleachBit: http://bleachbit.sourceforge.net/news/bleachbit093
Absolute Shield Internet Eraser Pro: http://www.internettrackeraser.com/ineteraser.php
Clear My History: http://www.hidemyip.com/clearmyhistory.shtml
Evidence Eraser: http://www.evidenceeraser.com/
WinTools.net Professional: http://www.wintools.net/
Real Time Cookie & Cache Cleaner (RtC3): http://www.kleinsoft.co.za/buy.html
AdvaHist Eraser: http://www.advacrypt.cjb.net/
Free Internet Window Washer: http://www.eusing.com/Window_Washer/Window_Washer.htm
Keyloggers:
StaffCop Standard: http://www.staffcop.com/download/
iMonitorPC: http://www.imonitorpc.com/
PC Activity Monitor Standard: http://www.pcacme.com/download.html
KeyProwler: http://keyprowler.com/download.aspx
Keylogger Spy Monitor: http://ematrixsoft.com/download.php?p=keyloggerspymonitorsoftware
REFOG Personal Monitor: http://www.refog.com/personalmonitor.html
Actual Keylogger: http://www.actualkeylogger.com/downloadfreekeylogger.html
Spytector: http://www.spytector.com/download.html
KidLogger: http://kidlogger.net/download.html
PC Spy Keylogger: http://www.pcspykeylogger.com
Revealer Keylogger: http://www.logixoft.com/freekeyloggerdownload
Spy Keylogger: http://www.spykeylogger.com/download.html
Actual Spy: http://www.actualspy.com/download.html
SpyBuddy 2013: http://www.exploreanywhere.com/products/spybuddy/
Password Cracking Tools:
Windows Password Recovery Tool: http://www.windowspasswordsrecovery.com/
Hash Suite: http://hashsuite.openwall.net/download
Windows Password Recovery: http://www.passcape.com/windows_password_recovery
Password Recovery Bundle: http://www.toppassword.com/passwordrecoverybundle.html
krbpwguess: http://www.cqure.net/wp/tools/passwordrecovery/krbpwguess/
Windows Password Breaker Enterprise: http://www.recoverwindowspassword.com/windowspasswordbreaker.html
Rekeysoft Windows Password Recovery Enterprise: http://www.rekeysoft.com/resetwindowspassword.html
pwdump7: http://www.tarasco.org/security/pwdump_7/
L0phtCrack: http://www.l0phtcrack.com/download.html
Ophcrack: http://ophcrack.sourceforge.net/download.php


Viruses and Worms

A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves; the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.

Virus Construction Kits:
ADMmutate: http://www.ktwo.ca/security.html
Virus programs and Generators:
BatchEncryt: <N/A>
BTGO 0.7: <N/A>
BWGen 5.03: <N/A>
codeevolution: <N/A>
encrypter: <N/A>
looper 1.0: <N/A>
polydropd: <N/A>
rsbg: <N/A>
splitt: <N/A>
Viruses:
TOO MANY TO LIST: <N/A>
Worms Maker:
Internet Worm Maker Thing: <N/A>
Logical Mines: <N/A>
Personal CAKE: <N/A>
VBS Worm Generator: <N/A>
WSHWC: <N/A>
XVGL: <N/A>

Sniffing

This section has several tools that employ several methods for capturing data. ARP Poisoning, DHCP Starvation Attacks, and MAC address spoofing tools are some methods that are used. Another method not included on this list is a DNS zone transfer, which can be done using the Windows command line. These tools will not help you if you are not familiar with basic networking.
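The ARP poisoning mentioned above is caught the way ARP spoofing detectors generally work: keep a table of IP-to-MAC bindings and alert when a reply contradicts it. The Python below is an added example written for this section, not a tool from the guide; the trace of ARP replies, the IP and MAC addresses and the "gateway" role are all constructed for illustration. On a live network the records would come from a packet capture instead of the inline list.

```python
"""ARP poisoning detector run over a constructed trace of ARP replies.

Added example, not a tool from this guide. Two heuristics are applied:
an IP whose MAC binding changes, and a MAC that answers for several IPs.
"""
from collections import defaultdict

# Constructed sample trace: (timestamp, sender IP, sender MAC) taken from ARP
# replies. Addresses are made up; 192.168.1.1 plays the gateway in this scenario.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:55"),   # gateway, legitimate reply
    (1.5, "192.168.1.10", "aa:bb:cc:dd:ee:01"),  # ordinary host
    (2.0, "192.168.1.1", "00:11:22:33:44:55"),   # gateway again, consistent
    (2.5, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (3.0, "192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC now answers for a second IP
]


def detect_arp_spoofing(replies, trusted_bindings=None):
    """Return a list of alert dicts for a sequence of ARP replies.

    trusted_bindings: optional {ip: mac} table of known-good static bindings
    (gateway, servers). IPs not in it are learned from the first reply seen,
    which means the first packet is trusted; supply the table to avoid that.

    Alerts:
      * ip-mac-change: an IP already bound to one MAC is claimed by another.
      * mac-claims-multiple-ips: one MAC answers for more than one IP, which
        is what a poisoner impersonating several hosts looks like.
    """
    bindings = dict(trusted_bindings or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # learn the binding on first sight
        elif known != mac:
            alerts.append({"time": ts, "kind": "ip-mac-change", "ip": ip,
                           "expected_mac": known, "seen_mac": mac})
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)    # alert once, when a new IP is added
            if len(ips_per_mac[mac]) > 1:
                alerts.append({"time": ts, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Run directly it prints the two alerts from the trace. The first heuristic is the reliable one, but it only catches the attacker if the genuine binding was seen (or supplied) first, which is why static entries for the gateway and servers matter. The second needs tuning: a router or a host with several virtual IPs legitimately answers for more than one address, so such MACs belong in an allow list before this check is used for alerting.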

ARP Poisoning Tools:
Cain & Abel: http://www.oxid.it/cain.html
Ufasoft Snif: http://ufasoft.com/sniffer/
WinArpAttacker: http://www.xfocus.org/index.html
ARP Spoofing Detection Tools:
XArp: http://www.chrismc.de/development/xarp/index.html
macof: http://www.monkey.org
Yersinia: http://www.yersinia.net/download.htm
Dhcpstarv: http://dhcpstarv.sourceforge.net/
Gobbler: http://gobbler.sourceforge.net/
DHCP Starvation Attack Tools:
DHCPstarv: http://dhcpstarv.sourceforge.net/
Gobbler: http://gobbler.sourceforge.net/
MAC Flooding Tools:
Yersinia: http://www.yersinia.net/
MAC Spoofing Tools:
SMAC: http://www.klcconsulting.net/smac/index.html#download
Sniffing Tools:
Ace Password Sniffer: http://www.effetech.com/aps/
RSA NetWitness Investigator: http://www.emc.com/security/rsanetwitness.htm#lfreeware
BigMother: http://www.tupsoft.com/download.htm
EtherDetect Packet Sniffer: http://www.etherdetect.com/download.htm
dsniff: http://monkey.org/~dugsong/dsniff/
EffeTech HTTP Sniffer: http://www.effetech.com/download/
Ntop: http://www.ntop.org/products/ntop/
Ettercap: http://ettercap.sourceforge.net/downloads.html
Wireshark: http://www.wireshark.org/

Social Engineering

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. Two social engineering terms used in hacking are Phishing and Spear Phishing. Social engineering is not usually done by using tools, but by using the person to gain access to a system.

Tools:
Netcraft Toolbar: http://toolbar.netcraft.com/install
PhishTank: http://www.phishtank.com/
ReadNotify: http://www.readnotify.com/
Social Engineering Toolkit (SET): https://www.trustedsec.com/downloads/social-engineer-toolkit/

DoS

Tools:
Blank, already listed in guide: <N/A>

Session Hijacking

Packet Crafting Tools:
Colasoft Packet Builder: http://www.colasoft.com/packet_builder/
Session Hijacking Tools:
Burp Suite: http://portswigger.net/burp/download.html
Ettercap: http://sourceforge.net/projects/ettercap/files/latest/download?source=dlp
WhatsUp Gold Engineer's Toolkit: http://www.whatsupgold.com/products/download/network_management.aspx?k_id=pingsweeptool
Hunt: http://packetstormsecurity.com/files/download/21968/hunt-1.5bin.tgz
Juggernaut: http://www.securiteam.com
TamperIE: http://www.bayden.com/TamperIE/
Cookie Cadger: https://www.cookiecadger.com/?page_id=19

Hacking Webservers

Hacking Web Passwords Tools:
Brutus: http://www.hoobie.net/brutus/brutusdownload.html
THC Hydra: https://www.thc.org/thc-hydra/
Information Gathering Tools:
Active Whois: http://www.johnru.com/
Webserver Attack Tools:
Metasploit: http://www.metasploit.com/download/
Session Hijacking Tools:
Burp Suite: http://portswigger.net/burp/download.html
Hamster: http://erratasec.blogspot.in/2009/03/hamster20andferret20.html

Vulnerability Scanning Tools:
Nessus: http://www.tenable.com/products/nessus
Web Application Security Scanners:
N-Stalker Web Application Security Scanner: http://www.nstalker.com/products/editions/free/
Webserver Footprinting Tools:
httprecon: http://www.computec.ch/projekte/httprecon/?s=download
ID Serve: http://www.grc.com
Webserver Security Tools:
Arirang: http://www.monkey.org/~pilot/arirang/
N-Stalker Web Application Security Scanner: http://www.nstalker.com/products/editions/free/
Infiltrator: http://www.infiltrationsystems.com/download.shtml
WebCruiser: http://sec4app.com/download.htm
Nscan: http://nscan.hypermart.net
Retina CS: http://www.beyondtrust.com/Landers/TYPageRetinaCSCommunity/index.html
NetIQ Secure Configuration Manager: https://www.netiq.com/products/secure-configuration-manager/

Hacking Web Applications

Cookie Poisoning:
OWASP Zed Attack Proxy: https://code.google.com/p/zaproxy/downloads/detail?name=ZAP_2.0.0_Windows.exe&can=2&q=
Session Token Sniffing:
Wireshark: http://www.wireshark.org/

Web Application Hacking Tools:
Teleport Pro: http://www.tenmax.com/teleport/pro/download.htm
BlackWidow: http://softbytelabs.com/us/downloads.html
CookieDigger: http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/cookiedigger.aspx
GNU Wget: ftp://ftp.gnu.org/gnu/wget/
Web Service Attack Tools:
soapUI: http://www.soapui.org/
XMLSpy: http://www.altova.com/xmlspy.html
Web Spidering Tools:
Burp Spider: http://blog.portswigger.net/2008/11/mobp-all-new-burp-spider.html
WebScarab: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Webserver Hacking Tools:
UrlScan: http://www.microsoft.com/web/gallery/install.aspx?appsxml=&appid=UrlScan%3bUrlScan
Nikto: http://www.cirt.net/nikto2
Web Application Pen Testing Tools:
BeEF: http://beefproject.com/
XSS Proxy: http://sourceforge.net/projects/xssproxy/files/latest/download
sqlbftools: http://packetstormsecurity.com/files/download/43795/sqlbftools-1.2.tar.gz
Softerra LDAP Browser: http://www.ldapadministrator.com/download.htm
Hibernate: http://www.hibernate.org/downloads
NHibernate: http://nhforge.org/
SOAP::Lite: http://soaplite.com/download.html
cURL: http://curl.haxx.se/download.html
WSDigger: http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/wsdigger.aspx
Sprajax: https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project

Web Application Security Tools:
KeepNI: http://www.keepni.com/
WSDigger: http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/wsdigger.aspx
Arachni: http://arachni-scanner.com/latest
XSSS: http://www.sven.de/xsss/
Vega: http://www.subgraph.com/vega_download.php
Websecurify: https://code.google.com/p/websecurify/downloads/detail?name=Websecurify%20Suite%201.0.0.exe&can=2&q=
OWASP ZAP: https://code.google.com/p/zaproxy/downloads/detail?name=ZAP_2.0.0_Windows.exe&can=2&q=
NetBrute: http://www.rawlogic.com/netbrute/
skipfish: https://code.google.com/p/skipfish/
x5s: http://xss.codeplex.com/downloads/get/115610
SecuBat Vulnerability Scanner: http://secubat.codeplex.com/
SPIKE Proxy: http://www.immunitysec.com/resourcesfreesoftware.shtml
Ratproxy: https://code.google.com/p/ratproxy/
Wapiti: http://wapiti.sourceforge.net/

SQL Injection

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications, which allows a hacker to inject SQL commands into, say, a login form and so gain access to the data held within your database.
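The "improper coding" the paragraph refers to fits in a few lines. Below, as an added example that is not code from the guide, the same login check is written twice against a constructed SQLite table (the user name and password are made up): once by pasting the form fields into the SQL text, once with bound parameters. The injected string is the well-known always-true login bypass; it changes the structure of the first query and is merely compared as data in the second.

```python
"""Vulnerable and parameterized login queries side by side.

Added example, not code from this guide. Uses the standard-library sqlite3
module with an in-memory database so it runs offline.
"""
import sqlite3


def make_sample_db():
    """Constructed in-memory users table with one made-up account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: whatever the user typed becomes
    part of the SQL text, so quote characters and comments change its structure."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Uses bound parameters: the SQL text is fixed and the values travel
    separately, so they are compared as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both checks with real and injected credentials; returns the outcomes."""
    conn = make_sample_db()
    # Classic bypass string: closes the quote, adds an always-true OR, and
    # comments out the rest of the WHERE clause (the password check).
    injected = "' OR '1'='1' --"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, injected, "anything"),
        "injected_parameterized": login_parameterized(conn, injected, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

`demo()` returns the four outcomes; the only one that is ever true with bogus credentials is the string-formatted version. Bound parameters cover values only, not identifiers such as table or column names, which still need an allow list, and a real login compares a password hash rather than the plaintext stored here for brevity.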

SQLi Detection Tools:
HP WebInspect: http://www.hpenterprisesecurity.com/products/hpfortifysoftwaresecuritycenter/hpwebinspect
SQLDict: http://ntsecurity.nu/toolbox/sqldict/
HP Scrawlr: https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php
SQL Block Monitor: http://sqltools.net/blockmonitor/
Acunetix Web Vulnerability Scanner: http://www.acunetix.com/vulnerability-scanner/
GreenSQL Database Security: http://www.greensql.com/content/greensql-database-security#&slider1=1
Microsoft Code Analysis Tool .NET (CAT.NET): http://www.microsoft.com/en-us/download/details.aspx?id=5570
NGSSQuirreL Vulnerability Scanners: http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngssquirrel-vulnerability-scanners/
WSSA Web Site Security Scanning Service: http://www.beyondsecurity.com/sql-injection.html
N-Stalker Web Application Security Scanner: http://www.nstalker.com/products/editions/free/
SQLi Injection Tools:
Absinthe: http://www.darknet.org.uk/2006/07/absinthe-blind-sql-injection-tool-software/
Blind Sql Injection Brute Forcer: http://code.google.com/p/bsqlbf-v2/
sqlmap: http://sqlmap.org/
SQL Injection Digger: http://sqid.rubyforge.org
Pangolin: http://nosec.org/en/evaluate/
SQLPAT: http://www.cqure.net/wp/tools/passwordrecovery/sqlpat/
FG-Injector Framework: http://sourceforge.net/projects/injectionfwk/
Exploiter (beta): http://www.ibm.com/developerworks/rational/downloads/08/appscan_exploiter/
SQLIer: http://bcable.net/project.php?sqlier
SQL Power Injector: http://www.sqlpowerinjector.com/download.htm
Havij: http://www.itsecteam.com
SQLBrute: http://www.gdssecurity.com/l/t.php
BobCat: http://www.northernmonkee.co.uk/pub/bobcat.html
Sqlninja: http://sqlninja.sourceforge.net/download.html

Hacking Wireless Networks

AirPcap Enabled Open Source tools:
Cain and Abel: http://www.oxid.it/cain.html
Aircrack: http://www.airpcap.nl/
Airpcap: http://www.airpcap.nl/
Kismet: http://www.kismetwireless.net/

Bluetooth Hacking Tools:
BH Bluejack: http://croozeus.com/blogs/?p=33
Bluediving: http://bluediving.sourceforge.net/
Blooover: http://trifinite.org/trifinite_stuff_blooover.html
BTScanner: http://www.pentest.co.uk/downloads.html?cat=downloads&section=01_bluetooth
CIHwBT: http://sourceforge.net/projects/cihwithbt/files/
Super Bluetooth Hack: http://gallery.mobile9.com/f/317828/
GPS Mapping Tools:
WIGLE: http://wigle.net/gps/gps/main/download/
Skyhook: http://www.skyhookwireless.com/locationtechnology/sdk.php
WeFi: http://www.wefi.com/download/
Mobile-based WiFi Discovery Tools:
WiFi Manager: http://kmansoft.com/
WiFiFoFum WiFi Scanner: http://www.wififofum.net/downloads
RF Monitoring Tools:
DTC-340 RFXpert: http://www.dektec.com/Products/Apps/DTC340/index.asp
KOrinoco: http://korinoco.sourceforge.net/
NetworkManager: https://wiki.gnome.org/Projects/NetworkManager
xosview: http://xosview.sourceforge.net/
Spectrum Analyzing Tools:
AirSleuth-Pro: http://nutsaboutnets.com/airsleuth-spectrum-analyzer/
BumbleBee-LX Handheld Spectrum Analyzer: http://www.bvsystems.com/Products/Spectrum/BumbleBeeLX/bumblebeelx.htm
Wi-Spy: http://www.metageek.net/products/wi-spy/
WEP Encryption:
Aircrack: http://www.airpcap.nl/
Cain and Abel: http://www.oxid.it/cain.html
WEP/WPA Cracking Tools:
Aircrack: http://www.airpcap.nl/
Cain and Abel: http://www.oxid.it/cain.html
WiFi Discovery Tools:
inSSIDer: http://www.metageek.net/products/inssider/
NetSurveyor: http://www.performancewifi.net/performance-wifi/products/netsurveyor-network-discovery.htm
Vistumbler: http://www.vistumbler.net/
WirelessMon: http://www.passmark.com/products/wirelessmonitor.htm
WiFi Hopper: http://www.wifihopper.com/download.html
AirCheck Wi-Fi Tester: http://www.flukenetworks.com/enterprise-network/network-testing/AirCheck-Wi-Fi-Tester
AirRadar 2: http://www.koingosw.com/products/airradar.php
WiFi Packet Sniffer:
OmniPeek: http://www.wildpackets.com/products/omnipeek_network_analyzer
Sniffer Portable Professional Analyzer: http://www.netscout.com/products/enterprise/Sniffer_Portable_Analyzer/Sniffer_Portable_Professional_Analyzer/Pages/default.aspx
Capsa WiFi: http://www.colasoft.com/download/products/capsa_free.php
ApSniff: http://www.monolith81.de/apsniff.html
Wireshark: http://www.wireshark.org/download.html
WiFi Predictive Planning Tools:
TamoGraph Site Survey: http://www.tamos.com/products/wifi-site-survey/wlan-planner.php
WiFi Security Auditing Tools:
AirMagnet WiFi Analyzer: http://www.flukenetworks.com/enterprise-network/wireless-network/AirMagnet-WiFi-Analyzer
WiFi Sniffer:
Kismet: http://www.kismetwireless.net/
WiFi Traffic Analyzer Tools:
Network Traffic Monitor & Analyzer CAPSA: http://www.javvin.com/packettraffic.html
Observer: http://www.networkinstruments.com/products/observer/index.php?tab=download
Ufasoft Snif: http://ufasoft.com/sniffer/
vxSniffer: http://www.cambridgevx.com/vxsniffer.html
WiFi Vulnerability Scanning Tools:
Nessus: http://www.tenable.com/products/nessus
Nexpose Community Edition: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
WiFish Finder: http://www.airtightnetworks.com/home/resources/knowledge-center/wifish-finder.html
OSWA: http://securitystartshere.org/page-downloads.htm
WiFiZoo: http://community.corest.com/~hochoa/wifizoo/index.html#download

Evading IDS, Firewalls, and Honeypots

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set. A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

Firewall Evasion Tools:
Atelier Web Firewall Tester: http://www.atelierweb.com/products/firewalltester/
Freenet: https://freenetproject.org/
GTunnel: http://gardennetworks.org/download
Hotspot Shield: http://www.anchorfree.com/hotspot-shield-VPN-download-windows.php
Proxifier: http://www.proxifier.com/
VpnOneClick: http://www.vpnoneclick.com/download/index.html
Firewalls:
Comodo Firewall: http://personalfirewall.comodo.com/
Online Armor: http://www.onlinearmor.com/products-online-armor-free.php

Honeypot Detecting Tools:
Hping3: http://www.hping.org/hping3.html
Nessus: http://www.tenable.com/products/nessus
Send-Safe Honeypot Hunter: http://www.send-safe.com/honeypot-hunter.html
Honeypot Tools:
Argos: http://www.few.vu.nl/argos/?page=2
Glastopf: http://glastopf.org/
Honeyd: http://www.honeyd.org/
KFSensor: http://www.keyfocus.net/kfsensor/
Symantec Decoy Server: http://www.symantec.com/press/2003/n030623b.html
Tiny Honeypot: http://freecode.com/projects/thp
LaBrea: http://labrea.sourceforge.net/labrea-info.html
PatriotBox: http://www.alkasis.com/?action=products&pid=6
Kojoney: http://kojoney.sourceforge.net/
HoneyBOT: http://www.atomicsoftwaresolutions.com/honeybot.php
Google Hack Honeypot: http://ghh.sourceforge.net/
WinHoneyd: http://www2.netvigilance.com/winhoneyd
HIHAT: http://hihat.sourceforge.net/
Packet Fragment Generators:
Multi-Generator (MGEN): http://cs.itd.nrl.navy.mil/work/mgen/index.php
Net::Inspect: http://search.cpan.org/~sullr/Net-Inspect/lib/Net/Inspect/L3/IP.pm
NConvert: http://www.xnview.com/en/nconvert/
fping3: http://fping.org/

Buffer Overflow

A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety. If this happens, an attacker can use the anomaly to run specific machine instructions and send sensitive information to a third party.

BoF Tools:
Netcat: http://netcat.sourceforge.net/download.php
LCLint: http://www.linuxjournal.com/article/3599
Code::Blocks: http://www.codeblocks.org/
eEye Retina: http://www.eeye.com/
Spike: http://spike.lazypics.de/dl_index_en.html
Brute Force Binary Tester (BFB): http://bfbtester.sourceforge.net/
Immunity CANVAS: http://www.immunityinc.com/products-canvas.shtml
Immunity Debugger: http://www.immunityinc.com/products-immdbg.shtml
Splint: http://www.splint.org/download.html
Flawfinder: http://www.dwheeler.com/flawfinder/
BLAST: http://mtc.epfl.ch/software-tools/blast/index-epfl.php
StackShield: http://www.angelfire.com/sk/stackshield/download.html
Valgrind: http://valgrind.org/downloads/current.html
PolySpace C Verifier: http://www.mathworks.in/products/polyspace/
Insure++: http://www.parasoft.com/jsp/products/insure.jsp?itemId=63
/GS: http://microsoft.com
BufferShield: http://www.sys-manage.com/PRODUCTS/BufferShield/tabid/61/Default.aspx
DefenseWall: http://www.softsphere.com/onlinehelp/defenceplus/
TIED: http://www.security.iitk.ac.in/index.php?page=contents/projects/tied_libsafe/tied_libsafeplus
LibsafePlus: http://www.security.iitk.ac.in/index.php?page=contents/projects/tied_libsafe/tied_libsafeplus
Comodo Memory Firewall: http://www.comodo.com/news/press_releases/16_01_08.html
Clang Static Analyzer: http://clang-analyzer.llvm.org/
FireFuzzer: https://code.google.com/p/firefuzzer/
BOON: http://www.cs.berkeley.edu/~daw/boon/
The Enhanced Mitigation Experience Toolkit: http://www.microsoft.com/en-us/download/details.aspx?id=29851
CodeSonar Static Analysis Tool: http://www.grammatech.com/codesonar
CORE IMPACT Pro: http://www.coresecurity.com/core-impact-pro


Chapter 12 _ Standard Acronyms

AES: Advanced Encryption Standard
AP: Access Point
ARP: Address Resolution Protocol
ASLR: Address Space Layout Randomization
AV: Antivirus
BIOS: Basic Input Output System
CGI: Common Gateway Interface
CIA: Confidentiality, Integrity, and Availability
DBAN: Darik's Boot and Nuke
DCC: Direct Client to Client
DDoS: Distributed Denial of Service
DHCP: Dynamic Host Configuration Protocol
DLL: Dynamic Link Library
DLP: Data Leakage Prevention
DMZ: Demilitarized Zone
DNS: Domain Name Service
DoS: Denial of Service
DRAM: Dynamic random-access memory
EXIF: Exchangeable Image File Format
FDE: Full Disk Encryption
FTP: File Transfer Protocol
GPG: GNU Privacy Guard
HIDS: Host Intrusion Detection System
HPA: Host Protected Area
HTTP: Hypertext Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
IRC: Internet Relay Chat
ISP: Internet Search Provider
JIT Hardening: Just in Time Hardening
JS: JavaScript
KB: Kilobyte
LAN: Local Area Connection
MAC Address: Media Access Control Address
MBR: Master Boot Record
MD: Message Digest
MFT: Master File Table
MiTM: Man in The Middle
NAS: Network-attached Storage
NIDS: Network Intrusion Detection System
P2P: Peer to Peer
PGP: Pretty Good Privacy
RAID: Redundant Array of Independent Disks
RAM: Random Access Memory
SHA: Secure Hash Algorithm
SRAM: Static random-access memory
SSD: Solid State Drives
SSL: Secure Socket Layer
TBB: Tor Browser Bundle
TC: TorChat/TrueCrypt
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform resource locator
USB: Universal Serial Bus
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
WAN: Wide Area Network
WiFi: Wireless Fidelity
WPS: WiFi Protected Setup
XSS: Cross Site Scripting

Chapter 13 _ Download Links

Download Links

Listed below are the programs that I mentioned throughout this guide and the associated links:

Truecrypt (Encryption) http://www.truecrypt.org/downloads
WinRAR (Encryption) http://www.rarlab.com/download.htm
GPG (Encryption) http://gnupg.org/download/index.en.html
GPG for Windows (GUI) (Encryption) http://gpg4win.de/index.html
Tor Browser Bundle (Internet Safety) https://www.torproject.org/download/download-easy.html.en
TorChat (Anonymous Chat) https://github.com/prof7bit/TorChat
Pidgin (Chat Program) http://pidgin.im/
Tormail (Anonymous Mail) http://jhiwjjlqpyawmpjx.onion/
Tails (Secure Operating System) https://tails.boum.org/download/index.en.html
HashMyFiles (File Hash) http://www.nirsoft.net/utils/hash_my_files.html
CCleaner (Privacy Eraser) http://www.piriform.com/ccleaner/download/standard
PrivaZer (Privacy Eraser) http://privazer.com/download.php
Bleachbit (Privacy Eraser) http://bleachbit.sourceforge.net/download
DBAN (Secure Partition Delete) http://www.dban.org/download
Blancco (Secure Partition Delete) http://www.blancco.com/us/download/
Rifiuti2 http://code.google.com/p/rifiuti2/
UPX (Executable Packer) http://upx.sourceforge.net/
SPLView (SPL File Viewer) http://www.lvbprint.de/html/splviewer1.html
SPLViewer (SPL File Viewer) http://www.undocprint.org/_media/formats/winspool/splview.zip
BatchPurifier (MetaData Remover) http://www.digitalconfidence.com/BatchPurifier.html
Exiv2 (MetaData Viewer) http://www.exiv2.org/download.html
Opanda IEXIF (MetaData Viewer) http://www.opanda.com/en/iexif/download.htm
Photoshop (Photo Editor) http://www.photoshop.com/
Paint.Net (Photo Editor) http://paint.net/
GIMP (Photo Editor) http://www.gimp.org/downloads/#mirrors
USBOblivion (Evidence Remover) https://code.google.com/p/usboblivion/

Forensic Software Tools 4.13 (DOWNLOAD PATHS NOT LISTED)
LOIC (DoS Attack Tool) http://sourceforge.net/projects/loic/
TFN (DDoS Attack Tool) http://packetstormsecurity.org/distributed/tfn2k.tgz
Stacheldraht (DDoS Attack Tool) http://packetstormsecurity.org/distributed/stachel.tgz
Secunia PSI (Update Tool) http://secunia.com/vulnerability_scanning/personal/
SuperAntiSpyware (Spyware Remover) http://superantispyware.com/download.html
Comodo (Firewall) https://personalfirewall.comodo.com/
Snort (IDS) http://www.snort.org/start/download
BackTrack (Penetration Testing Tool) http://www.backtrack-linux.org/downloads/
Wireshark (Packet Sniffer) http://www.wireshark.org/download.html
Ethereal (Packet Sniffer) http://ethereal.com/download.html
Omnipeek (Packet Sniffer) http://www.wildpackets.com/
Dsniff (Network Auditing) http://www.monkey.org/~dugsong/dsniff/
Cain and Abel (Various Tools) http://www.oxid.it/cain.html
Etherape (Packet Sniffer) http://etherape.sourceforge.net/
Netwitness Investigator (Packet Sniffer) http://www.netwitness.com/
Kismet (Packet Sniffer) http://kismetwireless.net/download.shtml
NetStumbler (Packet Sniffer) http://stumbler.net/
Medieval Bluetooth Scanner (Bluetooth Scanner) Unknown manufacturer's page
Core Impact (Penetration Testing) http://www.coresecurity.com/
AirSnort (Wireless Hacking) http://sourceforge.net/projects/airsnort/files/
CowPatty (Wireless Hacking) http://www.willhackforsushi.com/Cowpatty.html
Reaver (Wireless Hacking) http://code.google.com/p/reaver-wps/