Informazioni personali

Cerca nel blog

Translate

mercoledì 16 aprile 2014

New York Defense and Security Conference Features Session on "Exploring the NIST Cybersecurity Framework and Implementation"

New York Defense and Security Conference Features Session on “Exploring the NIST Cybersecurity Framework and Implementation” (via Investorideas.com News )

Industry Panel to Discuss Cybersecurity, Biometrics and Security Issues in the Public and Private Sector Ideas get bigger when you share them…     New York, NY – March 6, 2014 (www.investorideas.com newswire) Investorideas.com, an investor…

RightScale Releases 2014 State of the Cloud Report

RightScale Releases 2014 State of the Cloud Report (via MarketWired)

SOURCE: RightScale April 02, 2014 09:56 ET Public Cloud Adoption Nears 90 Percent on the Journey to Hybrid Cloud SANTA BARBARA, CA–(Marketwired – Apr 2, 2014) – RightScale® Inc., a demonstrated leader in enterprise cloud portfolio management, today…

Fortinet Launches "Connected UTM" Platform, Releases Twelve Network Security Products for Distributed Enterprises

Fortinet Launches “Connected UTM” Platform, Releases Twelve Network Security Products for Distributed Enterprises (via MarketWired)

SOURCE: Fortinet January 13, 2014 09:00 ET New UTM Appliances, WLAN Access Points, 3G/4G Wireless WAN Extender, and Ethernet Switches Connect and Extend High-Performance Network Security for Retail, Branch Offices and Other Distributed Enterprise Environments…

White Paper Assessing Cloud Computing Security

White Paper Assessing Cloud Computing Security (via www.hexanika.com)

Assessing Cloud Computing Security – Risks against Reality It is evident that cloud computing is mounting all over the globe and in 2014 cloud computing is all set to emerge stronger. Growth of the cloud landscape will be huge and raging and will…

16-31 March 2014 Cyber Attacks Timeline

Pulitzer for Snowden Revelations

°° Sardegna: L'esercito di MangiaNeonati alla riscossa °°

Boooh to Virgins! - LOL

Security's Secret Shame

Blackshirt Mob Attacks Progressive Candidate in Ukraine

A Family of Writers! - LOL

martedì 15 aprile 2014

Prenda On Appeal: Copyright Troll Tactics Challenged in DC Circuit

Prenda On Appeal: Copyright Troll Tactics Challenged in DC Circuit (via EFF)

The DC Circuit Court of Appeals heard argument today in AF Holdings v. Does 1-1058, one of the few mass copyright cases to reach an appellate court, and the first to specifically raise the fundamental procedural problems that tilt the playing field…

Google admits it's reading your emails

Google admits it’s reading your emails (via The Inquirer)

its privacy terms and conditions, eroding a little more of its users’ privacy. Google is so far unapologetic about its changes, despite having created some controversy. The bulk of the responses worry that Google is now able to read users’ emails and…

Inside Politics: Pulitzers for NSA leaks?

Inside Politics: Pulitzers for NSA leaks? (via CNN Video)

John King, Julie Pace and Jonathan Martin discuss the Pulitzer prizes awarded for coverage of Edward Snowden.

Security Solutions Discussed by Industry Leaders in SecuritySolutionsWatch.com Interviews With HP, ImageWare Systems, March Networks, Nuance, StrikeForce, Xcluesiv Cloud Technology

Security Solutions Discussed by Industry Leaders in SecuritySolutionsWatch.com Interviews With HP, ImageWare Systems, March Networks, Nuance, StrikeForce, Xcluesiv Cloud Technology (via MarketWired)

SOURCE: SecuritySolutionsWatch.com March 06, 2014 00:01 ET RYE BROOK, NY–(Marketwired – Mar 6, 2014) – ImageWare Systems, Inc. (OTCQB: IWSY) and StrikeForce Technologies, Inc. (OTCBB: SFOR) ***** HP Enterprise Services Mr. Rob Wigley, Director, Cybersecurity…

Trend Micro Enhances Complete User Protection Solution to Address Demand for Greater Flexibility in Deployment and Management of Security

Trend Micro Enhances Complete User Protection Solution to Address Demand for Greater Flexibility in Deployment and Management of Security (via PR Newswire)

Provides simple, comprehensive security across endpoints using cloud, hybrid or on-premise deployment DALLAS, April 15, 2014 /PRNewswire/ — Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global pioneer in security software, today announced major…

Is It a Bad Thing to Want to Give Our Kids a Magical Childhood?

The Hearbreak of Heartbleed

Positive for Acme, a natural step for Oracle

Positive for Acme, a natural step for Oracle (via Light Reading)

Oracle Corp.‘s plan to acquire session border controller (SBC) specialist Acme Packet Inc. looks like a way for the software giant to get some ready-made smarts in the key telco sectors of 4G packet core networking and network functions virtualization…

Wash Post, Guardian share Pulitzer for NSA coverage

Wash Post, Guardian share Pulitzer for NSA coverage (via AFP)

The Guardian and the Washington Post shared a Pulitzer Prize Monday for reporting on leaks from former National Security Agency contractor Edward Snowden that revealed a global surveillance network monitoring millions of Americans and foreigners. The…

Yes, Net Neutrality Is A Solution To An Existing Problem

Yes, Net Neutrality Is A Solution To An Existing Problem (via Techdirt)

While AT&T, Comcast, and Verizon have argued — with incredible message discipline — that network neutrality is “a solution in search of a problem,” that’s simply not true. There are many concrete examples of network neutrality violations around the…

FBI Plans to Have 52 Million Photos in its NGI Face Recognition Database by Next Year

FBI Plans to Have 52 Million Photos in its NGI Face Recognition Database by Next Year (via EFF)

New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer. EFF received these records in response to our Freedom of Information Act lawsuit for information…

FBI Abruptly Walks Out On Senate Briefing After Being Asked How 'Insider Threat' Program Avoids Whistleblowers

 

FBI Abruptly Walks Out On Senate Briefing After Being Asked How ‘Insider Threat’ Program Avoids Whistleblowers (via Techdirt)

While we’ve been disappointed that Senator Chuck Grassley appears to have a bit of a double standard with his staunch support for whistleblowers when it comes to Ed Snowden, it is true that he has fought for real whistleblower protections for quite…

 

 

Greenwald, Poitras, Gellman, MacAskill: key in NSA coverage

Greenwald, Poitras, Gellman, MacAskill: key in NSA coverage (via AFP)

The Guardian and the Washington Post won the Pulitzer Prize for public service journalism on Monday for their in-depth reporting on Edward Snowden’s revelations about the National Security Agency and its vast global surveillance network. The citations…

Websense Reports Record Surge in Demand for TRITON Cybersecurity

Websense Reports Record Surge in Demand for TRITON Cybersecurity (via PR Newswire)

More than $380 million billings, 45 percent increase in Fortune 100 sales and Websense TRITON security effectiveness drives 2014 momentum SAN DIEGO, Feb. 19, 2014 /PRNewswire/ — Websense, a global leader in protecting organizations from the latest…

Gartner Recognizes VASCO Data Security in Leaders Quadrant in Magic Quadrant for User Authentication

Gartner Recognizes VASCO Data Security in Leaders Quadrant in Magic Quadrant for User Authentication (via PR Newswire)

VASCO positioned as a leader for its ability to execute and completeness of vision OAKBROOK TERRACE, Illinois and ZURICH, Jan. 28, 2014 /PRNewswire/ — VASCO Data Security International, Inc. (www.vasco.com) (Nasdaq: VDSI), a leading software security…

venerdì 11 aprile 2014

L'ipocrisia della forma ed il senso della giustizia

Lo so non dovrei ne stupirmi ne arrabbiarmi, ma non ci posso fare nulla tutte le volte che ho a che fare con la burocrazia italica non osso fare a meno di avere un travaso di bile.

Non si tratta della cronica inefficienza, o della assoluta mancanza di professionalità di una classe manageriale pubblica inetta, ma proprio dello spirito con cui le cose vengono, nella pubblica amministrazione, gestite.

Esiste una profonda ipocrisia nella gestione della res publica e nei servizi al cittadino che basa la sua essenza sulla forma del regolamento e non nel suo spirito, quella stessa ipocrisia che permea da anni la parola dei politici di cui i dirigenti della cosa pubblica sono vassalli obbedienti.

Se sostituiamo “lo spirito” della legge con “la lettera” otteniamo due vantaggi notevoli:

  • possiamo usare i tecnicismi per giustificare quasi tutto
  • ci deresponsabilizziamo in quanto “Dura lex sed Lex” non potevamo fare altrimenti.

Se poi consideriamo quale sia la pariteticità con cui tali regolamenti son applicati….

Forte con il debole debole con il forte

Nella volontaria scelta di servire lo stato il dipendente pubblico di più alto grado ha, evidentemente, fatto una scelta di campo, sto con chi comanda, alla faccia del popolo sovrano ed amenità varie. Infischiandosene allegramente del senso della nostra costituzione e giocando sottilmente sulla forma si è costruito uno scudo di immunità con cui allegramente affronta le più disparate sfide della decenza.

Tra Equitalia (mai nome fu più ironico) e l’agenzia delle entrate gli esempi si sprecano, esempi dove uno stato impositore affatto attento alle esigenze del popolo che sarebbe chiamato a servire e rappresentare si pone insensibile di fronte a qualsiasi lamento perseguendo stolidamente, sino alla fine, l’obiettivo anche se questo è causa di un danno molto superiore del torto, reale o presunto, che il cittadino ha commesso.

Cosi quando lo stato costringe sul lastrico una persona sequestrandogli beni essenziali e privandolo dei mezzi di sostentamento sta violando da un lato la nostra costituzione che afferma che ben altro è il compito dello stato e della repubblica, e dell’altro si fa scudo di una serie di regolamenti scritti e pensati proprio per proteggere il mandante in spregio al concetto di responsabilità.

Ovviamente tale rigore messianico viene adottato solo per quelli per cui la legge è uguale per tutti, per coloro, cioè, che non hanno ne la forza ne la possibilità di reagire, cosi evasioni milionarie vengono allegramente dilazionate a chi problemi di sopravvivenza non ne ha, mentre all’impiegato, imprenditore o libero professionista di turno vengono imposti vincoli tali da rendergli impossibile o il rispetto della ammenda o il prosieguo della attività.

Dura lex sed Lex? Purtroppo lo è solo nei termini in cui viene applicata,se sei abbastanza potente scatta di colpo la “comprensione”.

Un esempio classico sono le macchinette mangiasoldi, vi invito a cercare cosa disse Umberto Rapetto

al riguardo quando scoprì l’evasione plurimilionaria che era stata elegantemente insabbiata dalla nostre classe politica e che gli costo la “promozione”  .

Ma come: 96 miliardi di evaso non si possono esigere perché significherebbe la chiusura della attività? Ed allora quando si fa chiudere un imprenditore o si manda per strada un cittadino sequestrandogli la casa?

Ora non nego che tutta la questione sia aperta e discutibile, e che potrebbe anche essere che tale evasione s “presunta” sia di entità inferiore, ma vorrei ricordare che il meccanismo con cui equitalia procede verso i normali cittadini è il seguente, almeno cosi è stato per me

  1. ti notifico che mi devi una certa cifra “X”
  2. il calcolo del dovuto all’erario è pari alla cifra “X”+ interessi + spese gestione pratica + penale + multa. A fronte di tutte le riduzioni possibili immaginabili che l’erario graziosamente di applica il totale risulta essere circa pari a 6 volte l’importo X
  3. se paghi senza contestare ti riconosco un ulteriore sconto per cui ti chiedo di pagare 2.5*X altrimenti se ritieni che vi siano ragioni valide per contestare procedi a pagare 6X e poi puoi fare ricorso
  4. in caso di mancato pagamento o accordo la pratica passa ad equitalia che provvederà all’incasso di 6X+interessi+spese gestione pratica+penale+multa

non mi sembra che sia stato usato lo stesso metro nel caso slot machines, verrebbe da chiedersi perché….

L’ipocrisia del problema lavoro

Un alto esempio lampante di come si trattino ipocritamente in italia le questioni facendosi scudo dei regolamenti è la questione disoccupazione.

Per quanto grave sia la disoccupazione giovanile in italia, ben più grave, ed urgente, è la questione della disoccupazione di chi giovane non è più.

Cerchiamo di capirci: non dico che la disoccupazione giovanile sia un problema minore, ma sostengo che occorrerebbe presentare i numeri contestualizzati.

A fronte di un alto tasso di disoccupazione giovanile, che correttamente deve essere affrontata e risolta, nessuno parla del problema dei disoccupati ultra-quarantenni quadri o dirigenti che hanno di fronte la seguente situazione:

  •  di solito hanno una famiglia da mantenere, e nella maggior parte dei casi sono famiglie monoreddito
  • hanno un mercato del lavoro decisamente più difficile di quello giovanile e molti strumenti sono non applicabili: dai contratti di formazione a quelli per i “giovani”
  • Spesso hanno dovuto sopperire alla mancanza di lavoro con la apertura di una partita IVA che è lo strumento minimo che gli permette di poter trovare attività lavorative temporanee.
  • Avendo partita IVA vengono tagliati fuori dai meccanismi di supporto per i meno abbienti indipendentemente dal loro valore isee
  • Oltre il danno anche la beffa molti di loro sono stati allontanati dalla azienda tramite i programmi di incentivazione, peccato che se in questo modo incassano una buona uscita dall’altro non possono richiedere sussidi in quanto non risultano “licenziati” od accedere, ad esempio, alla sospensione del mutuo.

Il problema è che mentre parliamo della disoccupazione giovanile e di come porvi rimedio ci dimentichiamo di persone che, invece, hanno urgenza immediata e non possono aspettare “soluzioni strutturali” a medio termine.

Ancora una volta ci si fa scudo della lettera per non vedere o applicare il senso, e cosi frotte di ligi pubblici ufficiali tratteranno un esercito di partite IVA di “sopravvivenza” alla stregua di velleitari imprenditori che scialacquando i beni si sono ridotti per loro insipienza sul lastrico, e non come persone costrette dagli eventi a prendere azione per sopravvivere. ma si sa, non è colpa del prode funzionario, lui ha fatto il suo dovere perché cosi dice la legge o il regolamento.

Pensiamoci quando gridiamo al disgusto di fronte a quello che facevano i soldati nazisti e al loro “eseguivamo gli ordini”. Pensiamoci quando sentiamo di un compagno di sventura caduto sotto le fauci di uno stato iniquo e persecutore.

Se, secondo la nostra costituzione, tutti devono concorrere al progresso ed al benessere della repubblica in funzione delle proprie capacità ed aspirazioni come può essere giustificabile un tale comportamento? Può un regolamento essere prevaricante rispetto al senso della nostra costituzione?

E come può uno stato il cui scopo costituzionale è promuovere questo sviluppo e rimuovere gli eventuali ostacoli comportarsi in tale maniera?

E poi dicono che l’Italia è il Belpaese, la vedo grigia sempre più grigia.

Antonio

 

 

L'ipocrisia della forma ed il senso della giustizia

Lo so non dovrei ne stupirmi ne arrabbiarmi, ma non ci posso fare nulla tutte le volte che ho a che fare con la burocrazia italica non osso fare a meno di avere un travaso di bile.

Non si tratta della cronica inefficienza, o della assoluta mancanza di professionalità di una classe manageriale pubblica inetta, ma proprio dello spirito con cui le cose vengono, nella pubblica amministrazione, gestite.

Esiste una profonda ipocrisia nella gestione della res publica e nei servizi al cittadino che basa la sua essenza sulla forma del regolamento e non nel suo spirito, quella stessa ipocrisia che permea da anni la parola dei politici di cui i dirigenti della cosa pubblica sono vassalli obbedienti.

Se sostituiamo “lo spirito” della legge con “la lettera” otteniamo due vantaggi notevoli:

  • possiamo usare i tecnicismi per giustificare quasi tutto
  • ci deresponsabilizziamo in quanto “Dura lex sed Lex” non potevamo fare altrimenti.

Se poi consideriamo quale sia la pariteticità con cui tali regolamenti son applicati….

Forte con il debole debole con il forte

Nella volontaria scelta di servire lo stato il dipendente pubblico di più alto grado ha, evidentemente, fatto una scelta di campo, sto con chi comanda, alla faccia del popolo sovrano ed amenità varie. Infischiandosene allegramente del senso della nostra costituzione e giocando sottilmente sulla forma si è costruito uno scudo di immunità con cui allegramente affronta le più disparate sfide della decenza.

Tra Equitalia (mai nome fu più ironico) e l’agenzia delle entrate gli esempi si sprecano, esempi dove uno stato impositore affatto attento alle esigenze del popolo che sarebbe chiamato a servire e rappresentare si pone insensibile di fronte a qualsiasi lamento perseguendo stolidamente, sino alla fine, l’obiettivo anche se questo è causa di un danno molto superiore del torto, reale o presunto, che il cittadino ha commesso.

Cosi quando lo stato costringe sul lastrico una persona sequestrandogli beni essenziali e privandolo dei mezzi di sostentamento sta violando da un lato la nostra costituzione che afferma che ben altro è il compito dello stato e della repubblica, e dell’altro si fa scudo di una serie di regolamenti scritti e pensati proprio per proteggere il mandante in spregio al concetto di responsabilità.

Ovviamente tale rigore messianico viene adottato solo per quelli per cui la legge è uguale per tutti, per coloro, cioè, che non hanno ne la forza ne la possibilità di reagire, cosi evasioni milionarie vengono allegramente dilazionate a chi problemi di sopravvivenza non ne ha, mentre all’impiegato, imprenditore o libero professionista di turno vengono imposti vincoli tali da rendergli impossibile o il rispetto della ammenda o il prosieguo della attività.

Dura lex sed Lex? Purtroppo lo è solo nei termini in cui viene applicata,se sei abbastanza potente scatta di colpo la “comprensione”.

Un esempio classico sono le macchinette mangiasoldi, vi invito a cercare cosa disse Umberto Rapetto

al riguardo quando scoprì l’evasione plurimilionaria che era stata elegantemente insabbiata dalla nostre classe politica e che gli costo la “promozione”  .

Ma come: 96 miliardi di evaso non si possono esigere perché significherebbe la chiusura della attività? Ed allora quando si fa chiudere un imprenditore o si manda per strada un cittadino sequestrandogli la casa?

Ora non nego che tutta la questione sia aperta e discutibile, e che potrebbe anche essere che tale evasione s “presunta” sia di entità inferiore, ma vorrei ricordare che il meccanismo con cui equitalia procede verso i normali cittadini è il seguente, almeno cosi è stato per me

  1. ti notifico che mi devi una certa cifra “X”
  2. il calcolo del dovuto all’erario è pari alla cifra “X”+ interessi + spese gestione pratica + penale + multa. A fronte di tutte le riduzioni possibili immaginabili che l’erario graziosamente di applica il totale risulta essere circa pari a 6 volte l’importo X
  3. se paghi senza contestare ti riconosco un ulteriore sconto per cui ti chiedo di pagare 2.5*X altrimenti se ritieni che vi siano ragioni valide per contestare procedi a pagare 6X e poi puoi fare ricorso
  4. in caso di mancato pagamento o accordo la pratica passa ad equitalia che provvederà all’incasso di 6X+interessi+spese gestione pratica+penale+multa

non mi sembra che sia stato usato lo stesso metro nel caso slot machines, verrebbe da chiedersi perché….

L’ipocrisia del problema lavoro

Un alto esempio lampante di come si trattino ipocritamente in italia le questioni facendosi scudo dei regolamenti è la questione disoccupazione.

Per quanto grave sia la disoccupazione giovanile in italia, ben più grave, ed urgente, è la questione della disoccupazione di chi giovane non è più.

Cerchiamo di capirci: non dico che la disoccupazione giovanile sia un problema minore, ma sostengo che occorrerebbe presentare i numeri contestualizzati.

A fronte di un alto tasso di disoccupazione giovanile, che correttamente deve essere affrontata e risolta, nessuno parla del problema dei disoccupati ultra-quarantenni quadri o dirigenti che hanno di fronte la seguente situazione:

  •  di solito hanno una famiglia da mantenere, e nella maggior parte dei casi sono famiglie monoreddito
  • hanno un mercato del lavoro decisamente più difficile di quello giovanile e molti strumenti sono non applicabili: dai contratti di formazione a quelli per i “giovani”
  • Spesso hanno dovuto sopperire alla mancanza di lavoro con la apertura di una partita IVA che è lo strumento minimo che gli permette di poter trovare attività lavorative temporanee.
  • Avendo partita IVA vengono tagliati fuori dai meccanismi di supporto per i meno abbienti indipendentemente dal loro valore isee
  • Oltre il danno anche la beffa molti di loro sono stati allontanati dalla azienda tramite i programmi di incentivazione, peccato che se in questo modo incassano una buona uscita dall’altro non possono richiedere sussidi in quanto non risultano “licenziati” od accedere, ad esempio, alla sospensione del mutuo.

Il problema è che mentre parliamo della disoccupazione giovanile e di come porvi rimedio ci dimentichiamo di persone che, invece, hanno urgenza immediata e non possono aspettare “soluzioni strutturali” a medio termine.

Ancora una volta ci si fa scudo della lettera per non vedere o applicare il senso, e cosi frotte di ligi pubblici ufficiali tratteranno un esercito di partite IVA di “sopravvivenza” alla stregua di velleitari imprenditori che scialacquando i beni si sono ridotti per loro insipienza sul lastrico, e non come persone costrette dagli eventi a prendere azione per sopravvivere. ma si sa, non è colpa del prode funzionario, lui ha fatto il suo dovere perché cosi dice la legge o il regolamento.

Pensiamoci quando gridiamo al disgusto di fronte a quello che facevano i soldati nazisti e al loro “eseguivamo gli ordini”. Pensiamoci quando sentiamo di un compagno di sventura caduto sotto le fauci di uno stato iniquo e persecutore.

Se, secondo la nostra costituzione, tutti devono concorrere al progresso ed al benessere della repubblica in funzione delle proprie capacità ed aspirazioni come può essere giustificabile un tale comportamento? Può un regolamento essere prevaricante rispetto al senso della nostra costituzione?

E come può uno stato il cui scopo costituzionale è promuovere questo sviluppo e rimuovere gli eventuali ostacoli comportarsi in tale maniera?

E poi dicono che l’Italia è il Belpaese, la vedo grigia sempre più grigia.

Antonio

 

 

giovedì 3 aprile 2014

Wireshark, Tools and forensic

English: A portable Tableau forensic write-blo...
English: A portable Tableau forensic write-blocker attached to a hard disk drive (Photo credit: Wikipedia)

 

Intro

 

Making a forensic analysis means to be able to collect and analyze data in order to find out evidence that could led you to a specific break.

 

Although is usually considered a post-mortem activity in the IT realm this aspect is less marked than in other forensic environment. If we are running an investigation on a homicide, as an example, we will be present when everything is already done, and we just have to collect cold evidence. On the other end when we are running a forensic IT investigation we cannot be sure that the event has occurred in the past, some traces and some events related to the break could still be alive and running as the break itself.

 

When performing an IT forensic investigation we should be able to collect cold evidences as hard disks, logs and whatever we could need, as well as live “warm” data.

 

This part of the job require, among other abilities, to be able to sniff and analyze your network, collect packet capture and deep inspect the content in order to find out what is unusual or clearly symptom of a breach.

 

What means forensic

 

Through the history, we have seen a great development of forensic instruments and branches: from pathology to entomology, from engineering to psychology several branches develop and we see new coming out as science and technology evolve.

 

No matter what branch or technique we are using, the aim is always the same: to be able to analyze in detail a crime scene in order to find the truth using any physical available evidence.

 

Since this is a quite new science definition and   rules are not well defined for any field, some areas are still in development, as for the computer and digital forensic, while other are in an advanced stage of development, as pathology for example.

 

Computer Forensic is still a new branch of the Forensic world we have to face some aspects:

 

  • Computer forensics is in its early or development stages
  • It is different from other forensic sciences as digital, and not physical, evidence is examined
  • There is a little theoretical knowledge based up on which empirical hypothesis testing is done
  • Designations are not entirely professional
  • There is a lack of proper training
  • There is no standardization of tools
  • It is still more of an “Art” than a “Science”

 

Working in the Cyber area require, nevertheless a quite standard approach, common to every forensic investigation. There are some “simple” rules that should be followed by any forensic investigator:

 

 

 

Identifying the crime

 

If there is no crime there is no need of a Forensic investigation, although it is always possible to use a forensic approach to proactively find possible areas where a crime can be pursued.

 

In any case, either if proactive or reactive, an investigation has to start with an object, a target, this is necessary in order to define instruments and tools that have to be used. Is quite different to suspect a database manipulation than a use of pornographic material in the work environment and so different will be the tools used to gather evidences.

 

Gathering the evidence

 

This is the core of any forensic activity, evidences are what we will work on, but in Computer Forensic those evidences are partially physical and mostly digital. This require an extra effort in order to no pollute evidences due to our gathering.

 

The process should be non-destructive and should preserve the data collected and the environment we are working on.

 

There are several good reason to be cautious: usually we will work in working environment and the evidence could be stored on production systems. Stopping or harming those environments would be sometimes worse than the crime itself, so it is strongly suggested to not bring home the entire database and related servers of an e-commerce company making them stop the activity, would not be appreciated. Clearly, we will have to find the best tradeoff between the collection of data and the preservation of the work environment.

 

Another good reason to be cautious is due to the fact that

 

Digital data can be easily modified and this could invalidate our effort, trying to not change, modify the evidence is always necessary, but here we need to be extra cautious.

 

We should also consider that sometimes law requirements force us to respect specific policy and rules, we can think of the privacy EU set of laws that makes difficult to handle properly sensitive and personal data even during a forensic investigation.

 

If it is possible we should use as less as possible the original evidences, trying to use when possible duplicate.

 

Building a chain of custody

 

Forensic data usually need to be moved from the crime scene to a safer location where the forensic expert can analyze it.  The chain of custody is fundamental when we’re moving digital data both if they are physical evidence, think of an HDD or USB keys, and digital as logs, scan reports or files. We have to be sure that nobody can tamper our evidences.

 

Analyzing the evidence

 

Finally we can analyze the evidence we gathered. Again most of the consideration of the previous points should be followed; we should never modify the original data, any modification should be reported in detail with any change of status, the analysis should be non-destructive when possible, we should use the appropriate tool and course of action considering the data we’re analyzing.

 

 The 3 A’s

 

  1. Acquire evidence without modification or corruption
  2. Authenticate that the recovered evidence is same as the originally seized data
  3. Analyze data without any alterations

 

Forensic and the network

 

Computer forensic evidences can be collected form a multitude of sources, data can be found in HDD’s , USB keys, CD\DVD rom, Ram, Rom and Cmos memory and so on. We should also consider that data can be presented in raw form (think of a stream of byte in a drive), as files, as metadata, as process (sql queries for example) and so on. But the complex network environment can present other sources as protocols and the network itself.

 

If the Network can be itself analyzed for a forensic investigation, why we should do this and what can we could find?

 

The network is the communication backbone where our data flow, and thus can be used in a crime to modify, access, copy, tamper data and systems .  Being able to analyze this backbone is mandatory in any forensic investigation.

 

To be able to do so we should be able to understand network protocols and the various objects we can find in a network as:

 

  • Computers
  • Network devices as printer, scanner and so on
  • Mobile computing devices as tablet, phones, laptop …
  • Network equipment‘s such as routers, switches, tappers, WAP (Wireless Access Point), firewalls, proxies, IDS …

 

But we have also to relate them with network protocols at the various level, the operating systems used, application environment, authentication environment, management and security platforms and so on.

 

This is a quite complicated effort since, usually, there is not a complete and clear documentation nor a single source of information. We, as Forensic Investigators, need to create ourselves a map of the environment where we will perform our investigation.

 

Activities like listing all the active process on a machine or all the port currently used are commonly performed with tools or internal command of the various OS and are fundamental to understand and design the environment.

 

Network analysis is fundamental to trails the whole incident how the attack begins, which are the intermediate devices through which it pass and who was the victim.

 

In order to obtain this goal we should collect evidences from log, firewalls, internetworking devices and files, and being able to make a network scan that can depict location and status of every device present on the network itself.

 

Once collected the data we should also be able to analyze that in detail, using the appropriated tools.

 

The first type of analysis is at the physical layer where we usually use:

 

  • Sniffers , which put NICs in promiscuous mode that allow them to be used to collect digital evidence at the physical layer
  • SPANned ports, hardware taps help sniffing in a switched network

 

Sniffers collect traffic from the network and transport layers other than the physical and data-link layer.

 

Investigators should configure sniffers for the size of frames to be captured, the default size of frame that most sniffers capture by default is 68 bytes of Ethernet frame, It is advisable to configure sniffers to collect Ethernet frames of size 65535 bytes

 

The de facto standard of saving the gathered data from the network is in a tcpdump file with “*.dump” extension

 

At the Data-Link Layer we usually check

 

  • MAC address , a part of the data-link layer is associated with the hardware of a computer
  • The ARP table of a router comes handy for investigating network attacks as the table contains IP addresses associated with the respective MAC addresses
  • The DHCP database also provides as a means for determining the MAC addresses associated with the computer in custody The DHCP server maintains a list of recent queries along with the MAC address and IP Address

 

At the Network and transport layer we usually collect:

 

Authentication logs:

 

  • Shows accounts related to a particular event
  • The IP address of the authenticated user gets stored in this log file

 

Application logs :

 

  • Application logging is meant for the storage of auditing information, which includes information produced by application activity
  • Web server logs help identify the system which was used as a means to commit the crime

 

Operating System logs:

 

  • It maintains log of events such as errors, system reboot, shutdown, security policy changes, user and group management

 

But before enable logging one should bear in mind: what to log otherwise, it can result in over-collection of data making it difficult to trace the critical event

 

Network device logs:

 

  • Network devices such as router and firewalls are configured to send a copy of their logs to remote server as the memory for these devices is low

 

The logs from network devices can be used as evidence for particular investigation on that network

 

Some of those data requires administrative privileges to be collected, some other rely on tools able to help to gather read and analyze data. Since we will have to correlate data coming from different sources in order to reconstruct a process is mandatory to align all timestamps. So if this is not done we should collect all the time setting for each device providing a log and considerate eventual time gaps in order to normalize all the references.

 

Wireshark, the standard tool for deep packet inspection

 

If you search on Google for a network sniffer or protocol analyzer, one of the first hits will be Wireshark (www.wireshark.org).

 

Wireshark is an open source network packet analyzer. Without any special hardware or reconfiguration, it can capture live data going in and out over any of your box’s network interfaces: Ethernet, WiFi, PPP, loopback, even USB. Typically it’s used as a forensics tool for troubleshooting network problems like congestion, high latency, or protocol errors — but you don’t want to wait until your network is in trouble to learn how to use it.

 

Wireshark has some features not found in many of the other free sniffers that are available, such as conversation reassembly and a capture display/filter, syntax that is more advanced than most.

 

Wireshark does require the WinPCap drivers, which are very simple to set up.WinPcap can be downloaded from www.winpcap.org. The WinPcap drivers enable a greater degree of access and control to the network communications at the packet level than is available by going through the Windows network drivers. For this reason, many third-party utilities that do heavy packet manipulation make use of WinPcap.

 

Profile normal network traffic is not the goal of Wireshark — it is a tool to help you recognize aberrant behavior when you are trying to track down the source of a problem. Unfortunately, there is no quick-and-easy path to tracing down the root cause of high latency or slow throughput.

 

Sure, if there is a zombie machine on your network infected by a trojan, you may easily flag it as an infected spam bot when you see it initiate thousands of SMTP connections per hour — and detecting viruses and malware is an important forensic task. But tracking down why one of your database servers is always a little bit slower than the other could involve quite a bit more digging and analysis.

 

That’s why taking some time to profile your network traffic under what we’ll assume are normal operating conditions is valuable. You can get a feel for how often WiFi clients see TCP retransmissions; if the rate doubles or triples, and you have not added any more machines, then you may need to look to see whether any one client is behaving differently than the others, or if you are simply seeing signal degradation. When diagnosing bandwidth woes, if one of your local servers is consistently timing out and dropping connections, it could be an application-level problem. But if Wireshark’s logs reveal that it is the remote server resetting connections, then you need to make a phone call.

 

Here, the tutorials at the Wireshark site are an invaluable aid. The wiki has some basic network troubleshooting pages, as well as links to resources hosted elsewhere.

 

Wireshark includes a lot of features that will help you analyze your network when you are tracking down the source of your problem. For example, you can run statistical comparisons between two saved packet captures; this allows you to perform a capture when you are experiencing the problem, and compare it against a data set you collect as a control group when things are running smooth. Likewise, you can collect and compare captures from two different machines — say, on different network segments or with different configurations.

 

This is also why it is so helpful that there are builds of Wireshark available for the proprietary operating systems: when chasing down a performance problem, you may need to collect data from every source. Last but not least, although Wireshark is always referred to as a network analyzer, the truth is it can analyze other things as well, including USB traffic and even Unix socket connections between applications. So even if you master your TCP/IP traffic this weekend, you may still have room to explore.

 

Capturing wireless control traffic can be done with Wireshark. To capture the control frames, the system must support the monitor mode on the card.

 

Its availablity are platform, driver and libpcap dependent, on most Linux systems it is possible to get the card into monitor mode with iwconfig or more easy with the airmon-ng script, for example, airmon-ng start wlan0, on windows, the AirPcap adapters from Riverbed allows the capture of full raw wireless traffic

 

NOTE

Wireshark is packet-centric (not data-centric)

Wireshark doesn’t work well with large network capture files (you can turn all packet coloring rules off to increase performance).

 

Since Wireshark is so powerful we can wonder if it can do everything we need. The answer is “Almost”. Where wireshark is limited we can find or write expansion in order to allow deeper and further analisys.

 

There are several plugin or addon on the internet related to wireshark, of course the very first can be found on the wireshark site, and are the ones crafted by reverbed technology, main sponsor of the wireshark project.

 

Plugin, addon and collateral software allow the forensic analyst to deep analyze data presented by wireshark. There are, actually, several needs to implement further wireshark astonishing capability.

 

Let’s present some.

 

Deep diving protocols:

 

Although the standard version of wireshark is able to process the most used protocols, there could be some specific areas that are not covered, or where the feature provided by wireshark could not be exhaustive.

 

The basic way to look into this kind of necessity is to find or build a component able to analyze the specific protocol you need.

 

Wireshark is able to capture raw network data and then show you the several component of single packet, it allow you also to create your specific component to read data, those components are called dissector.

 

A dissector is able to read a specific sequence inside your frame and define the type of protocol with its components. Then is able to send  the eventual incapsulated protocol to the appropriated dissector to further analyze.

 

 

 

 

 

Dissectors:

 

Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.

 

Every dissection starts with the Frame dissector, which dissects the packet details of the capture file itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP) and so on. At each stage, details of the packet will be decoded and displayed.

 

Dissection can be implemented in two possible ways. One is to have a dissector module compiled into the main program, which means it’s always available. Another way is to make a plugin (a shared library or DLL) that registers itself to handle dissection.

 

There is little difference in having your dissector as either a plugin or built-in. On the Windows platform you have limited function access through the ABI exposed in libwireshark.def, but that is mostly complete.

 

The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So starting with a plugin makes initial development simpler, while the finished code may make more sense as a built-in dissector.

 

Monitoring/tracing tools

 

 

 

The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark. Some of them are useful for very specific needs or task, sometimes the same results are available with some digging and working by wireshark itself but some of those tools will make your life easier.

 

In brackets you will find the program license and the supported operating systems, in bold the ones we can’t live without.

 

 

 

  • Cap’r Mak’r generates new pcaps for various protocols
  • Chaosreader Extracts data streams from TCP connections and writes each stream to a file (GPL, Windows, various UN*Xes)
  • CloudShark Ability to view and analyze captures in a browser, annotate and tag them, and share them with a URL.
  • Cookie Cadger Helps identify information leakage from applications that utilize insecure HTTP GET requests.
  • Driftnet It is a program which listens to network traffic and picks out images from TCP streams it observes (GPL, Linux)
  • Ettercap Allows for sniffing of machines in a switched network LAN[1] (GPL, BSD/Linux/Solaris)
  • HUNT Allows for sniffing of machines in a switched network LAN as well as providing a very easy to use API to modify the intercepted frames before they are forwarded. Intercept and Modify. (GPL, Linux)

 

We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.

 

Both those tools can do a lot of damage on the network so it is strongly suggested to pay a lot of attention mainly if you are collecting data in a live production environment. Although could be of some use to use the router mac address to explore the incoming\outgoing internet traffic, probably the performance of the network would decrease to an unacceptable low rate.

 

  • ipsumdump summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs (uses the Click modular router).

 

This tool is particularly useful when data need to be presented and explained to people that is not so found on the forensic analysis we are performing.

 

  • Moluch Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system.
  • Mu DoS converts any packet into a DoS generator
  • Ntop Network top – tool that lets you analyze network traffic statistics (GPL, FreeBSD/Linux/Unix)
  • Online PCAP to MSC chart Generator generates MSC arrow diagram charts from PCAP files.
  • p0f versatile passive OS fingerprinting and many other tricks (Freeware, BSD/Linux/Win32/…).

 

P0f is a tool that utilizes an array of passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

 

Some of p0f’s capabilities include:

 

Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.

 

Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.

 

Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

 

Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

 

The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.

 

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics.

 

  • PacketShark™ A handheld hardware tap for 100% on-field capturing of Ethernet packets at wire speed; store captured data using an external storage device (SD memory card) and analyze using wireshark
  • pcap_diff compares pcap files for received, missing or altered packets.
  • Prelude Another network intrusion detection system (GPL, BSD/Linux/Unix)
  • RRDtool is “a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average)”. (GPL, various UN*Xes) Many RRDtool-based applications are listed on the RRD World page.
  • Snort Network intrusion detection system (GPL, BSD/Linux/Unix/Win32)
  • SplitCap A pcap file splitter.
  • tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, UN*X/Windows)
  • Tele Traffic Tapper Graphical traffic-monitoring tool; can also read saved capture files (BSD style?, BSD/Linux)
  • TPCAT will analyze two packet captures (taken on each side of the firewall as an example) and report any packets that were seen on the source capture but didn’t make it to the destination (GPLv2, any OS with Python and pcapy)
  • VisualEther Protocol Analyzer generates sequence diagrams from Wireshark PDML output (Win32)
  • Xplico A network forensic analysis tool (GPL, Linux only)

 

Traffic generators

 

These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

 

  • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)
  • Cat Karat – Easy packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing. (Windows)
  • D-ITG – (Distributed Internet Traffic Generator) is a platform capable to produce traffic at packet level accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, …).
  • Mausezahn Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.
  • Nemesis is a command-line network packet crafting and injection utility. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. (GPL, BSD/Linux/Solaris/Mac OSX/Win32)
  • Network Expect is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libwireshark for all packet dissection tasks. (GPL, BSD/Linux/OSX)
  • Network Traffic Generator Client/Server based TCP/UDP traffic generator (GPL, BSD/Linux/Win32)
  • Ostinato is a network packet and traffic generator and analyzer with a friendly GUI. It aims to be “Wireshark in Reverse” and thus become complementary to Wireshark. It features custom packet crafting with editing of any field for several protocols: Ethernet, 802.3, LLC SNAP, VLAN (with Q-in-Q), ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunneling, TCP, UDP, ICMP, IGMP, MLD, HTTP, SIP, RTSP, NNTP, etc. It is useful for both functional and performance testing. (GPL, Linux/BSD/OSX/Win32)
  • Scapy Scapy is a powerful interactive packet manipulation program (in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. (GPL, BSD/Linux/OSX)

 

A more exaustive collection of traffic generators can be found at:

 

 

 

Capture file anonymization

 

These tools can be used to “anonymize” capture files, replacing fields such as IP addresses with randomized values. This is a mandatory requirement when presenting data to not authorized people. We should consider that IP address in many countries are considered “sensitive” data and so processing and showing those data could be ruled by privacy legislation.

 

  • AnonTool from the CRAWDAD archive of wireless traffic.
  • The bittwiste tool from Bit-Twist.
  • The Crypto-PAn tool.
  • The pktanon tool from the Karlsruhe Institute of Technology Institute of Telematics.
  • The SCRUB-tcpdump tool.
  • The tcpdpriv tool from the Internet Traffic Archive.
  • The tcprewrite tool from tcpreplay.
  • The TraceWrangler tool.

 

There’s a categorized list of anonymization tools at the CAIDA site http://www.caida.org/tools/taxonomy/anontaxonomy.xml

 

 

 

Capture file repair

 

These tools attempt to repair damaged capture files as much as can be done.

 

  • pcapfix can repair corrupted or truncated capture files.

 

 

 



[1] We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.