Stealth (edition 15)
Anonymous via Panta Rhei




 
08-31-06 06:14 PM



Stealth (edition 15)
inserted with FIW
Two Sandals (TT)
Pm4Pigs: twosandals@mbhZyGBgwMQ-x5yPcObaNYnQFi8,MKRM3Bvts09NFmkAdlpJ1Q
Frost key: twosandals@O94AarM8kdJiMdyfS7+btsC1u_s

New in this edition: Window Washer. Updated: Evidence Eliminator and Helix
Boot CD

The government(s) is(are) freaking out. They make up new computer laws and
then vigorously pursue and prosecute anyone who violates them. Even if
someone uses your computer for something illegal and gets caught, it still
reflects badly on you. If someone wanted to do you some harm and planted a
bunch of CP on your HD and then tipped off the cops, what would happen?
You'd be screwed. Why? Because computer technology and the Internet have
snuck up on governments and industry, and they realize that their bizarre
laws are going to be much harder to enforce than they originally thought.
That translates into stiff penalties for the people they catch (or believe
that they have caught).
Why on Earth would someone make computer data illegal? It's stupid. It's
data folks, ones and zeroes. It's not going to kill anybody (directly
anyway), it's not going to molest kids, it's not going to steal valid
products that people have worked hard to produce. The only thing that it's
going to do is cut into the bottom lines of companies who develop software
and "content" (not necessarily a bad thing I'd argue) and make it harder
for governments to enforce their random codes of civil (not moral) ethics.
So what do you do? Aside from running Freenet, cover your tracks. That's
what I hope that this freesite will help you do. I don't know everything
about computer security, but I know a little bit that should help people be
better equipped to conceal what they do on their systems, and better
understand how government snoops work and collect "evidence". I mainly work
on the Windows platform so not all of this information will be helpful to
the Unix folks out there. But I'd guess that most Unix people use Windows
more than they would like to admit. Even I have an OpenBSD machine sitting
beside me, but it doesn't run everything that I need........ Anyway, enough
with the chat, onto the content:

EnCase 4.20
http://127.0.0.1:8888/CHK@D353Zjo8j...MADPEtgNAwI,B--PGURa9B2teB67RmE0gg/EnCase%20v4.20.rar

We have all heard the horror stories of government agents seizing people's
computers and through their hi-tech govt' software, finding all the CP and
Warez that the owner supposedly had on the system; even though they tried
their best to hide them. Well, this is pretty much true. Government quality
computer forensics software is pretty bad-XXX. It has perfected screwing
people over to a fine art. EnCase is such a tool. To install, just follow
the instructions in the shock.nfo file. EnCase, all I can say is: learn how
to use this software! EnCase is probably the most popular forensics
software for govt' snoops. Knowing how to use it is knowing how the "enemy"
works and thinks. Also, it will allow you to verify that the security
procedures (file over-writing, free-space wiping, temp file deleting) you
are taking are actually working. I've been surprised a couple of times when
I thought that I had removed all relevant evidence from my computer only to
have EnCase turn up something that I had either overlooked or did not know
existed. EnCase supports FAT12, FAT16, FAT32, NTFS, HFS, HFS+, CDFS, EXT2,
UFS, RAID drives, Palm PDAs and *all* file system types in RAW mode! Still
think the fact that you run NetBSD is going to throw off the snoops? EnCase
will let you create a boot disk that lets you do a full disk capture of a
target machine over parallel or network cable without ever having to boot
the hard drive. One of the things that learning to use EnCase will show you
is what really comprises good security: For instance, if you're like me you
would think that renaming a file will serve to hide its true contents. Who
would think that Metallica.wav would really be just a renamed copy of
Terrorist Bomb Plans.doc? Nobody right? Wrong! EnCase has a little feature
known as Signature Analysis. Basically SA will search all the files on a
file system and flag every file that has an extension that doesn't match
what EnCase believes the content to be from looking at the actual file.
Previous Version: EnCase 3.22g
http://127.0.0.1:8888/CHK@jzxcm19tZ...Ic0M9CDfAMAwI,-RpTDtrWzq4Qc5feWQax5w/Encase%20Forensic%20Edition%20v3.22g%20and%20Manual.zip

EnCase 4.20 Support Files
http://127.0.0.1:8888/CHK@kH3g0qc7...38l2PcJnApHKI%7ENO2w/EnCase%204.20%20Support%20Files.rar
This includes tools for making bootable floppies and CDs for network/USB
acquisitions. That way you don't have to sit around all day doing a
parallel port transfer in EnCase. Also included are hashes for some "hacker
tools" as they are called. Seemingly encryption packages are included....

EnCase 3.22g Support Files
http://127.0.0.1:8888/CHK@QayMVmO-G8aokiSYPXfPxJd~D1MLAwI,oMX2ZjGgGpKsW2QmmmEwwQ/EnCase%203.22%20Support%20Files.rar
This contains a tool for making a bootable acquisition CD. Also EnScript
scripts for automating various computer forensics tasks.

Access Data Forensics Toolkit 1.5 and Imager 2.2
http://127.0.0.1:8888/CHK@vyk64RMm...~Jwz2SAne6mCdAIzfw/Access%20Data%20FTK%20Imager%202.2%20and%20Forensics%20Toolkit%201.5.rar
Here is an alternative to EnCase. It seems to do some things better: for
instance it can read Outlook PST files. When you start it up it complains
about not being able to find a "kff" file. This is a small catalog of
hashes of known programs. I didn't include it here since it is a pretty
large file. However, you can download it from Access Data's website. Last
time I checked you didn't need a login to do this. I'm not too wild about
the imager since I discovered Helix (detailed below). I really can't
imagine doing an acquire in anything else.

WinHex v12.85
http://127.0.0.1:8888/CHK@2vIkGw7j...bWFBEQmmnAGG8Tql3A/X-Ways.WinHex.v12.85.Incl.Keymaker-ZWT.rar
This is pretty much just a fancy hex editor. It lets you search disk and
memory areas. I can't say I'm too impressed, but everyone raves about this
tool so I figured I'd include it.

RDS Hash Sets
http://127.0.0.1:8888/__CHECKED_HTT....nsrl.nist.gov/
Our buddies over at NIST have compiled hash sets for known software. They
break it down into normal operating system files and "suspicious" software.
The advantage for an investigator is that if they can mark certain files on
a suspect's hard drive as being innocuous they can focus on files that are
out of the ordinary. For people who want to work like investigators this
collection is a must. EnCase has to do some painfully long processing to
import these files but it is probably worth it if you have the disk space.

Updated: Helix Boot CD
http://127.0.0.1:8888/__CHECKED_HTT...ense.com/helix/
This is a great tool to have on hand. You can use it to boot into a
customized Linux environment to do hard drive acquisitions or start it from
a running Windows machine to do acquisitions of memory in a running system,
etc. For instance if you have a full hard drive encryption program this
disk will still let you retrieve information from your hard drive because
your encryption package will decrypt on the fly as needed. That's why you
always turn off your computers when you're not physically present... if
possible.
There are actually a large number of tools on this disk. Not only can you
do acquisitions of systems, but it also contains forensic software.
The Autopsy forensic browser is a web-based interface to the Sleuth Kit
command line tools for Linux.

Eraser 5.7
http://127.0.0.1:8888/CHK@qYY1U5gV...0t66MwilV3xh2olXGg/Eraser57Setup.zip
There are various file "wiping" programs out there, but Eraser is Open
Source. I'm uploading it to Freenet for the sake of completeness of this
site and for the paranoid. For those that don't know: When you delete a
file all you are actually doing is removing the link to its position on
disk in the file table. The data stays there intact until some file needs
the space that it occupied and overwrites it. Eraser will overwrite the
unused portions of your disk (and file slack too), removing any traces of
files that remain there. This means that when someone runs EnCase not only
will they not see any left over data on your disk, they won't even see the
original filename in your computer's file table.
There is a lot of talk about "multiple" passes to remove data from the
dreaded "magnetic remanence" scan. The idea is that even after multiple
overwrites there is some data left on the disk that is still accessible to
advanced equipment. If you are worried about this, encrypt your whole HD in
the first place. But for the most part, even one pass with Eraser makes a
file unrecoverable to your HD's electronics and hence EnCase or any other
forensics software.

Updated: Evidence Eliminator 5.0
http://127.0.0.1:8888/CHK@reln-u0NTdK9T5jKDzp5xOvk9XwMAwI,UabzghPcVfqs%7Enwklk4PHw/Evidence%20Eliminator%205.0%20and%20Upgrade.zip
Deprecated: You are better off with Window Washer since it is more
current and seems to work better as well (see below). There has been a lot
of FUD thrown around about EE, both for and against. Personally, I use EE
in conjunction with Eraser and other encryption packages. I will say that
EE as it runs out of the box will *not* secure your computer completely.
Frankly there are too many temp files that EE doesn't know anything about.
One thing that burns me about it is that it doesn't remove the DAT files
that are under Temporary Internet Files and that contain the names of files
that were in cache. My policy is to be aware of what files are being
modified on my system and set up custom folder definitions in EE to remove
them. AFAIC, EE is worthwhile enough to be used with other packages for
complete system security. Kinda like food coloring, and sugar loaded grain
puffs being "part of this complete breakfast". 

New! Window Washer 6
http://127.0.0.1:8888/CHK@8aJ7dMqCv...LFPXe0MAwI,NOw-XL78c7vuxJFDryiFbw/Window%20Washer%206.0.2.466.rar
Nothing beats self-audits to spot the leftover "traces" you leave on your
system; however, this comes in a close second. On my system I use it "out
of the box" and it automatically finds and prepares cleaner settings for
just about every application that I use. This tool seems to work better
than Evidence Eliminator. In fact there were some things that EE did so
badly that I consider it partially broken. WW is nice and current, however.
It includes lists of current software (including FireFox) and lets you
define custom file/directory/registry/etc entries to remove. The one thing
that doesn't seem to work correctly is its free-space wipe: it says that it
wipes, but it doesn't seem to really do it. Eraser is still your best bet
for that task.

Afick
http://127.0.0.1:8888/CHK@l-amISRq5E7-W68zMRBdwnBxlfEPAwI,gWUqKOMYXPTNLhCwJ2suXA/afick-1.4-0.zip
This is an Open Source Perl script that will calculate and verify md5
checksums of any files and directories that you specify. The value of this
is that you can see what files are being changed on your system and when.
Not only can you see if someone has infected your computer with a virus or
installed a trojan, but you can also locate what files are being modified on
your system in the course of normal operation. This is *extremely* handy. I
have many folders set up in Evidence Eliminator that are only there because
this program showed that data was being collected in them. You have to
install Perl for this to function; a Windows port can be had from
ActiveState, check Perl's website for links. Basically you have a
configuration file (xp.conf in the distribution) that is modified to show
the directories that you want checked. Then you run something like
"afick.pl -c xp.conf -i" to initialize your database. Then run "afick.pl -c
xp.conf -u > results.txt" to check the current filesystem against the
checksums and data in Afick's database and write a report to results.txt.
To use this I keep the program and database on an encrypted drive that I
only mount when I want to scan my system. This prevents someone from
modifying my system and then just running Afick's update procedure to hide
their modifications.

DriveCrypt 4.2
http://127.0.0.1:8888/CHK@zYPOIaKk...YLkARo8t-HnoyvLiYEsg/DriveCrypt%20Standard%20v4.20.rar
This is a package that allows you to create encrypted volumes that can be
mounted as disks in Windows. It doesn't encrypt your entire hard drive, so
you will still have to mind your temporary files. It seems to be very
stable however. It allows you to enlarge your encrypted disk files when
they get too full. It's great for extra security when using a full disk
encryption package and for creating encrypted files of things that you want
to burn onto CD.
Another point for DriveCrypt is that, unlike PGP's encrypted disk files,
there are no special headers in the files it creates that identify that
they are encrypted disks. This could be used for some deniability for
govt's (like the British) that require you to hand over encryption keys on
demand. If they can't prove that it is actually encrypted and not just a
file that's been overwritten with random data it's hard to be able to hold
it against you in court. Let me know if anyone has had experience with this
type of thing with British authorities.
With version 4, DriveCrypt supports invisible disks (BestCrypt, also on
this page does too, thanks to some observant Frost users for pointing this
out to me). This lets you have a "reveal-able" password that you can give
if coerced that will decrypt the container but will only show the files
that you want others to believe are the real contents. You can have a
second password that decrypts the "real" contents of the container. Someone
who decrypts your container with the password you reveal will not be able
to tell that you have another, secret, container. However, there is a bit
of a problem: When DriveCrypt makes an encrypted container it doesn't
populate the freespace inside that container with random data. Because of
this, a container that doesn't have a second, hidden container, will have
its free space blank. In fact, when you create a hidden container in
DriveCrypt there is a blank space between where your "reveal-able" data
ends and the hidden encrypted container begins. Of course, there isn't a
header that says "hidden container begins here", but someone who was
familiar with this behavior would usually be able to know if you have a
hidden container. Note that BestCrypt (also on this page) has the same
hidden container functionality but pre-populates a new container's free
space with random data and so is probably a better choice if you need this
ability. There are probably some die-hard DriveCrypt-ers out there who
still want to stick with DriveCrypt and for them there is a way around this
problem: After making your outer container use Eraser or something to
overwrite the blank space with random data. Then copy your reveal-able files
and finally make the hidden container. What will happen is that someone
inspecting your outer container will see free space with random data and
there won't be a gap of blank free space before your secret container. If
you routinely do this to your encrypted drives people wouldn't be able to
tell the difference between regular containers and those with a second,
hidden container.
Previous version: DriveCrypt 4
http://127.0.0.1:8888/CHK@8v9tU4gZ...BTuqkWSE8olXzHw1Dg/DriveCrypt4.0.zip


DriveCrypt Plus Pack 3
http://127.0.0.1:8888/CHK@HQuPGJjd...CDILAn3EG2dzxmpnAw/DriveCrypt%20Plus%20Pack%203.0%20new%20crack.rar
This software is used to encrypt entire hard disks and partitions (regular
DriveCrypt will encrypt partitions as well). Included is a file in the
archive called recovery.exe. This is a utility that can be run from a
system boot floppy and will decrypt a disk in the event that Windows system
files become corrupted. This is in addition to the bootable floppies that
DCPP makes that let you boot an encrypted drive in the event of boot
sector corruption (or if you don't want to use the DCPP boot sector). My
advice is to install and test this on a separate test system. Practice
encrypting and decrypting drives from the Windows interface and decrypting
from a boot disk with recovery.exe.
One of the nice things about DCPP is that it is very fast. I generally
can't tell it's working (but it is, I checked ;) ). In fact even on a DCPP
encrypted HD I will still run regular DriveCrypt encrypted volumes and I
don't see much of a performance hit. To see what it's doing run EnCase and
preview your drives: your disk drives will be unencrypted and will be
accessible as normal but your physical disk will be seemingly random data.
New version notes: One of the new features with version 3 is a hidden OS
feature. Basically, it lets you hide an entire operating system in the
freespace of a dummy copy. Just like hidden containers. I haven't tried
this as of yet so I don't know how well it works. There are two questions I
have about it: 1) Does the hidden OS feature suffer from the same problem
as hidden containers in regular DriveCrypt (see above), and 2) When booting
the "dummy" OS, are sectors modified in a way that would mess up your real OS
installation? This question came up in alt.security.scramdisk. Shawn H.
(the main DC developer) said that they booted into the dummy OSes a few
times and were still able to successfully start the real OS. Of
course, this isn't a real test. A real test would involve taking a HD image
*then* booting into the dummy OS a few times, taking another image and
doing a sector-by-sector comparison of the two. I am planning on doing this
sometime, but it may have to wait until I feel I have the time.
If you don't want someone knowing that you use HD encryption you can set
DCPP to run in "HD fail mode" where, instead of a password prompt, it
displays a "Hard drive 0 boot failed......" message, making it look, to the
casual observer, like you are having hardware problems. Of course, when you
type in your passwords it boots normally.
Previous versions: DriveCrypt Plus Pack 2.60,
http://127.0.0.1:8888/CHK@3x1nttSO...X5wZpkmhff4uoUsMig/DriveCrypt%20Plus%20Pack%202.60.zip
DriveCrypt Plus Pack 2.70
http://127.0.0.1:8888/CHK@cuocDyKg...pPwGvJSG%7E-w6qD6R%7EgEw/DriveCrypt%20Plus%20Pack%20v2.7%20FINAL.rar

BestCrypt 7.11
http://127.0.0.1:8888/CHK@FLMS%7Ed...HfU4h3kuM2cPUzQTcTlw/BestCrypt%20v7.11.rar
Here is another HD encryption program. It's basically like DriveCrypt in
that you can make encrypted containers that can be mounted as virtual
drives. BestCrypt also has a good implementation of "invisible containers";
see the above discussion about DriveCrypt's invisible containers for more.
Note: This version originated from an anonymous (to me anyway) in-Freenet
source. Generally, I like to get stuff outside of Freenet so that I can be
somewhat certain that it isn't trojaned by some outside party trying to
compromise this network. The 7.10 version has been around longer and
originated from Mr. Flibble. In other words I trust it a bit more....
Previous Version: BestCrypt 7.10
http://127.0.0.1:8888/CHK@KcI3ykG-r...O0dJMiT8jefwpb-CVv8w/BestCrypt.v7.10-PuKE.rar

Tor
http://127.0.0.1:8888/__CHECKED_HTT...ehaven.net/tor/
You really can't beat Freenet for security, however occasionally one has
to access the "real" Internet. There are various paid proxy services around
but I wouldn't trust them, mainly because they are businesses. Tor is a
free client/server package and is pretty much a Mixmaster for IP
connections. The best way to use Tor is with Privoxy (link from Tor's site
or here
http://127.0.0.1:8888/__CHECKED_HTTP__www.privoxy.org/
). You can run any IP connection through Tor. Even supported is the ability
to run hidden services: you can run any IP service through Tor without
revealing your real IP address. Like everything on the "big bad Internet",
however, use caution: they say that this is development code, so don't use it
to send death threats to the president or anything. Keep what you have to
say on Freenet if at all possible.

TrueCrypt
http://127.0.0.1:8888/__CHECKED_HTTP__www.truecrypt.tk/
It's probably hard to believe from all the pirated software on this
Freesite and the stuff I post in Frost, but I do actually try to support
Free/GPL software whenever I can. I had looked at TrueCrypt but since it
was on the Internet I didn't think to mention it. However someone reminded
me about it and I had a pang of conscience, so here it is. TrueCrypt is
actually pretty nice. One of the best things about it is that it is GPL'd
and you can look at/compile from source if you are so inclined.

Physical Inspection
Software trojans aren't the only thing that can be used
to record your keystrokes or information about your computer. There are a
lot of hardware keystroke loggers. One device plugs in between your
keyboard and the PS2 socket on your computer and will record keystrokes
until its large buffer fills up (like 30,000 characters or something) or
someone plugs it into a computer that runs the retrieval software and
downloads everything you typed. There are probably lots of other similar
devices and a lot that the govt' has that we don't even know about. It's a
good idea to get familiar with the internals of your computer. Look at the
sockets and cards and be able to notice if something changes.

Environment
Video cameras are small and cheap. All the security in the
world won't help you if someone has installed a camera that is pointing at
your keyboard and is recording everything you type. Look around you in
vents and openings in the ceiling and walls. Make sure that your location
isn't overlooked from windows or doors.

Checksums
One of the things I've noticed about EnCase is its reliance on
file checksums for identification. It's reasonable: in general file names
can change but if the contents match a known hash you know that the file is
the same. If you install a trojaned explorer.exe in Windows, a good
forensics person would be able to detect it. Likewise if you rename one of
your security programs in an effort to hide it, it will still be obvious to
someone using a database of hashes of known programs.
Luckily, it's fairly easy to change the checksum of a binary file: Just
open it up in your favorite binary editor (I use Frhed because it's free)
and overwrite a text area of the file with new data. Be sure to overwrite
though and not add characters, if the file length is changed the program
will no longer work (unless you're really good ;) ). Also, a text area
would be a part of the program that contains error messages, or something
that could be output to the screen. For instance, most Windows programs
have a string at the beginning of the file that says "This program cannot
be run in DOS mode". You could overwrite this string to say something a
little more gutsy like: "I pity the fool who tries to run me in DOS!!". Or
something like that. Now if someone runs a checksum of the file it will be
different.

E-Books
Here are some computer security books in PDF format that are probably worth
studying. They are written from the point of view of an investigator for
the most part. They go into more detail than my advice to "encrypt
everything and watch your back!" ;)

Cyber Crime Investigator's Field Guide
http://127.0.0.1:8888/CHK@zKVPvecm...V%7Ed%7ERb4w9GsUA24QYQ/Cyber%20Crime%20Investigator%27s%20Field%20Guide.pdf
A professionally "stuffy" look into the world of computer security. This one
has a definite "law enforcement" feel to it.

Privacy Protection and Computer Forensics
http://127.0.0.1:8888/CHK@sW%7EtWuf227DZpwyT-xMExnGRxT8MAwI,yEID9lcLp0zqq%7En3ea6QnA/Privacy%20Protection%20and%20Computer%20Forensics.pdf
The title says it all.

Incident Response and Computer Forensics Second Edition
http://127.0.0.1:8888/CHK@RQxXfAC2...v8z2LABXP7UaIBlUgA/Incident%20Response%20and%20Computer%20Forensics%20Second%20Edition.pdf
A little light on the technical details and a bit heavy on the
"procedures."

Scene of the Cybercrime Computer Forensics Handbook
http://127.0.0.1:8888/CHK@WR7SRQR4...PqlK1JGLQ4RWEyHmXT2g/Scene%20of%20the%20Cybercrime%20Computer%20Forensics%20Handbook.pdf
Pretty basic. The authors seem to have a very one-sided view of computer
security: "Cops good! Hackers bad!" <Yawn>.

If you want to try and contact me try "whirlpool" in Frost. It's a public
board (unkeyed). I read "privacy" in Frost as well. My public key is at the
bottom of the page.

Good luck and stay out of prison!

Two Sandals (TT)
Pm4Pigs: twosandals@mbhZyGBgwMQ-x5yPcObaNYnQFi8,MKRM3Bvts09NFmkAdlpJ1Q
Frost key: twosandals@O94AarM8kdJiMdyfS7+btsC1u_s

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown.  Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.eu.org
for abuse and hashcash info.
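Added example, not part of the post above and not code from EnCase or NIST: a small Python triage pass that does, on a directory of files, what the post attributes to EnCase's Signature Analysis and to the NIST RDS hash sets. It hashes each file, matches MD5s against a constructed "known file" set, and compares the extension with the type the leading bytes imply. The magic-byte table, the extension map, the sample files and the known-hash entry are all constructed for the demo. Read from the analyst's side, it also illustrates the post's "Checksums" section: a byte-identical copy of a known binary is still recognised under any file name, while content typing catches files whose extension lies.

```python
import hashlib
import os
import tempfile

# Constructed magic-byte table: (offset, signature, type). Real signature
# databases hold thousands of entries; a handful is enough to show the idea.
MAGIC = [
    (0, b"MZ", "exe"),                    # DOS/Windows executable
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),            # also .docx, .jar, ...
    (0, b"\xd0\xcf\x11\xe0", "ole"),      # legacy .doc/.xls compound file
    (8, b"WAVE", "wav"),                  # RIFF container with WAVE form type
]
# Which content type each extension is expected to carry (constructed map).
EXT_TO_TYPE = {
    "exe": "exe", "dll": "exe", "png": "png", "jpg": "jpg", "jpeg": "jpg",
    "pdf": "pdf", "zip": "zip", "docx": "zip", "doc": "ole", "xls": "ole",
    "wav": "wav",
}


def sniff_type(head: bytes):
    """Type implied by the leading bytes, or None if no signature matches."""
    for offset, sig, label in MAGIC:
        if head[offset:offset + len(sig)] != sig:
            continue
        if label == "wav" and not head.startswith(b"RIFF"):
            continue
        return label
    return None


def hash_file(path: str):
    """MD5 and SHA-256 of a file; MD5 is what RDS-era hash sets are keyed on."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def triage(root: str, known_md5: dict):
    """Classify every file under root: known (hash in the set), ok (extension
    agrees with content), mismatch (extension disagrees), or unclassified."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            md5, _ = hash_file(path)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            claimed, actual = EXT_TO_TYPE.get(ext), sniff_type(head)
            if md5 in known_md5:
                verdict = "known:" + known_md5[md5]      # file name is irrelevant
            elif claimed and actual:
                verdict = "ok" if claimed == actual else f"mismatch:{ext}->{actual}"
            else:
                verdict = "unclassified"
            findings[name] = verdict
    return findings


def build_sample_tree(root: str):
    """Write constructed sample files; return a constructed known-hash set."""
    samples = {
        "calc.exe": b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.",
        "notes.txt": b"plain text, no magic",
        "Metallica.wav": b"%PDF-1.4\n%constructed document renamed to .wav\n",
        "song.wav": b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24,
        "photo.doc": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    # Same bytes under an innocuous name: hash matching still identifies them.
    with open(os.path.join(root, "readme.dat"), "wb") as fh:
        fh.write(samples["calc.exe"])
    return {hashlib.md5(samples["calc.exe"]).hexdigest(): "calc.exe (OS file)"}


def demo():
    with tempfile.TemporaryDirectory() as root:
        return triage(root, build_sample_tree(root))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Signature checks are only as good as the table they carry, and a hash set only recognises exact bytes, which is why a triage tool runs both and treats "unclassified" as a queue for manual review rather than a clean bill.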
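Added example, not from the post and not Afick's own code: an Afick-style file-integrity checker in Python covering the initialise/update workflow the post describes for "afick.pl -c xp.conf -i" and "afick.pl -c xp.conf -u". It records size, mtime and SHA-256 for every file under a watched directory, then reports added, removed and changed files. The post's author keeps the database on an encrypted drive so an intruder cannot quietly re-baseline; this example addresses the same concern by authenticating the baseline with an HMAC keyed by a secret held off the host. That safeguard, the key, the directory layout and the sample files are assumptions of this example, not Afick features.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (Afick uses md5 by default; either works)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Size, mtime and SHA-256 of every file under root, keyed by relative path."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                            "sha256": sha256_file(path)}
    return entries


def _mac(entries, key):
    # Assumption of this example: the baseline carries an HMAC whose key lives off
    # the monitored host, so a baseline rewritten without the key is refused.
    blob = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def init_baseline(root, db_path, key):
    """Counterpart of 'afick.pl -c xp.conf -i': write a fresh baseline."""
    entries = snapshot(root)
    with open(db_path, "w") as fh:
        json.dump({"entries": entries, "mac": _mac(entries, key)}, fh)
    return len(entries)


def load_baseline(db_path, key):
    with open(db_path) as fh:
        db = json.load(fh)
    if not hmac.compare_digest(db.get("mac", ""), _mac(db["entries"], key)):
        raise ValueError("baseline rejected: MAC mismatch (altered or wrong key)")
    return db["entries"]


def check(root, db_path, key):
    """Counterpart of 'afick.pl -c xp.conf -u': diff live files against the baseline."""
    old, new = load_baseline(db_path, key), snapshot(root)
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in both if old[p]["sha256"] != new[p]["sha256"]),
    }


def demo():
    """Build a constructed tree, baseline it, simulate changes, run the check."""
    key = b"constructed-demo-key-keep-this-off-the-host"
    with tempfile.TemporaryDirectory() as tmp:
        root, db = os.path.join(tmp, "watched"), os.path.join(tmp, "baseline.json")
        os.makedirs(os.path.join(root, "bin"))
        for rel, body in {"bin/prog.exe": b"MZ original", "config.ini": b"debug=0",
                          "cache.dat": b"old"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        count = init_baseline(root, db, key)
        # Simulated changes: a same-size edit with the old mtime put back, a
        # deletion, and a new file. The hash comparison catches the edit anyway.
        cfg = os.path.join(root, "config.ini")
        st = os.stat(cfg)
        with open(cfg, "wb") as fh:
            fh.write(b"debug=1")
        os.utime(cfg, (st.st_atime, st.st_mtime))
        os.remove(os.path.join(root, "cache.dat"))
        with open(os.path.join(root, "bin", "dropper.exe"), "wb") as fh:
            fh.write(b"MZ new")
        report = check(root, db, key)
        # Editing the stored hash to match the modified file, without the key, is refused.
        with open(db, "r+") as fh:
            d = json.load(fh)
            d["entries"]["config.ini"]["sha256"] = sha256_file(cfg)
            fh.seek(0)
            json.dump(d, fh)
            fh.truncate()
        try:
            check(root, db, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"baseline_files": count, "report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Comparing content hashes rather than timestamps is the important design choice: the demo edits a file and restores its old mtime, and the change is still reported. The size and mtime are kept in the baseline only as context for the report.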









