Computer security is not just a science but also an art.

It is an art because no
system can be considered secure without an examination of how it is to be used.
All components much be examined and you must know how an attacker goes about a
system before you can truly understand how to best defend yourself. This is where
this guide comes in; it exists for the purpose of examining these methods of attack
and the implementation for attack mitigation. You will learn the common techniques
used for attack and how to protect yourself from them. This guide should not be
used as an in-depth analysis of each attack, but a reference for each of the
attacks that exist.

Acknowledgements

RogerNyght

I want to thank RogerNyght for creating the Tails Guide. This amazing guide steps
you through the process of installing and using Tails at home as well as the
features that it hosts. For anyone thinking about using this Operating System for
true anonymity and security, should read this to guide its entirety. All credits,
attributions, and works go to him for this section. Thanks again!

CuriousVendetta, Goodguy, RogerNyght, B4pubebot and All

After writing this guide, it was apparent that was a bunch of errors littered
throughout the thing. Thanks to everyone for spending the time going over it and
performing a sanity check. It was found that I am only half as crazy as I thought.
Thanks everyone!

Warning: THIS GUIDE MAKES MENTION OF AND HOSTS LINKS TO WEBSITES AND CHATROOMS
THAT MAY CONTAIN MATERIAL OF AN ILLEGAL NATURE SUCH AS CHILD PORNOGRAPHY. USE AT
YOUR OWN DISCRETION.

You will notice that this guide mentions figures and illustrations that do not
appear to be included in this guide. Please visit the website or PDF when
available to view there.

PDF Version: NOT READY

Changelog: NOT READY
Signature File (Updated): NOT READY
SHA1:NOT READY

You should ALWAYS use an alternative PDF viewer such as Foxit PDF Viewer. Also,
you should make sure that PDF documents are viewed safely and securely. Block your
PDF viewer from talking to the internet, disable JavaScript, and for best security,
view it from within a Virtual Machine.

To verify the PDF document with the signature provided you will need to import my
public key using gpg and use the command line switch provided. For Windows users,
you will need to download and install Gpg4win to verify the signature and the Tor
Browser Bundle to download the signature.
Public Key: You can view my profile
Switch: gpg --verify signature document (example: gpg --verify
c:\SecuringWindows.sig c:\SecuringWindows.pdf) *command prompt

Foreword: For this version I have made significant improvements over the last one
by adding content to nearly every section including: content, context,
inconsistency changes, error fixes, diagrams, and step-by-step guides on the varies
techniques discussed, tools used by hackers and forensic investigators, and more.
I have also included new sections within the guide on new, varies subjects that
have not been discussed within the guide before. Since nearly everything was
updated, all topics and information are still relevant today

Note: This SHOULD be the LAST version. I hope this is not too long and provide a
great resource for any subject you are interested in knowing a bit more about.

Table of Contents

1. The CIA Triad

2. Recommendation
2.1. Learn how to chat
2.2. Intro to Tails
2.3. Intro to Whonix
3. Encryption
3.1. Encryption Dealing with Confidentiality
3.2. Encrypting Files or the Hard Drive
3.3. Securely Exchanging Messages or Data
3.4. Steganography
3.5. Authentication Factors
3.6. Password Attacks and Account Recovery Attacks
3.7. Creating Secure Passwords
3.8. Hashing, Hashing Collisions, and Birthday Attacks
3.9. Cold Boot Attacks
4. Data
4.1. A Quick Word
4.2. Deleted Data
4.3. Deleting Data Securely
4.4. File Slack
4.5. Alternate Data Streams
4.6. Where to Hide Your Data
4.7. Changing File Headers to Avoid Detection
4.8. Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser
Cache
4.9. Temporary Application Files and Recent Files Lists
4.10. Shellbags
4.11 Prefetching and Timestamps
4.12. Event Logs
4.13. Printers, Print Jobs, and Copiers
4.14. Cameras, Pictures, and Metadata
4.15. USB Information
4.16. SSD - Solid State Drive
4.17. Forensic Software Tools
5. Continuity
5.8. Security Concerns with Backups
5.2. Security Concerns with Sleep and Hibernation
5.3. Ensuring Information and Service Continuity
5.4. DoS and DDoS attacks
6. System Hardening
6.1. Uninstall Unnecessary Software
6.2. Disable Unnecessary Services
6.3. Disable Unnecessary Accounts
6.4. Update and Patch Windows and Other Applications
6.5. Password Protection
7. Antivirus, Hardware Keyloggers, Firewalls, DLP's, and HIDS's
7.1. Antivirus
7.2. Hardware Keyloggers
7.3. Firewalls
7.4. DLP's
7.5. HIDS's
7.6. Other Considerations
8. Networks and Networking Protocols
8.2. Intro to Networking
8.1. Private vs. Public IP Address
8.2. MAC Address
8.3. Public Wireless
8.4. Security Protocols
8.2. Virtual Private Networks
8.5. Chat Sites - How Attackers Attack
8.6. Other Considerations
8.2. Extra: MAC Address Spoofing and ARP Attacks - How they work
9. Download Links

1. The CIA Triad

In this guide I am going to reference a well-known security policy that was

developed to identify problem areas and the recommended solutions when dealing with
information security. This policy is known as the CIA and stands for:
Confidentiality, Integrity, and Availability. This triad was developed so people
will think about these important aspects of security when implementing security
controls. There should be a balance between these three aspects of security to
ensure the proper use and control of your security solutions.

Confidentiality is, as the word implies, having something be confidential or

secure. In essence, privacy is security and confidentiality means that third party
individuals cannot read information if they do not have access to it. Data to
think about keeping confidential is data stored on a computer (temporary data, data
saved, etc.), data stored for backup, data in transit, and data intended for
another person. Confidentiality will be the main focus point of this article as it
is most often referred to as the most important aspect of security.

The I in CIA stands for Integrity and is specifically referring to data integrity.
Integrity is the act of ensuring that data was not modified or deleted by parties
that are not authorized to do so. It also ensures that if the data was changed,
that the authorized person can make changes that should not have been made in the
first place. Simply, if you send a message to someone, you want to make sure that
the person does not receive a message that was altered during transit. Integrity
also confirms that you are in fact speaking to who you think you are speaking to
(for example: we download an add-on from the website, you want to make sure that
you are downloading from that website and not an unscrupulous third-party).

Finally, the A stands for Availability and ensures that when you need the data it
is available to you. Not only does data have to be available to you, but it has to
be reasonably accessible. There's no point in security controls if you cannot
access the data! This component is a concern, but for the average end user, there
is not much that can be done to ensure availability when dealing with webpages, or
IRC servers or anything else managed by a third party host. For this reason we
will not be discussing Availability except for backing up your data in this guide.

2. Recommendation

Windows was not built with security in mind, therefor should not be used. Tails is
recommended as it is a live DVD or USB that was created to preserve your anonymity
and privacy (Chapter 10). It allows you to browse the internet anonymously and
safely as all applications are preconfigured to run through Tor. Other uses
includes encrypting your files, sending and receiving emails and instant
messaging, photo editing, document editing and more. Tails also operates
completely in RAM so it does not leave a trace on your computer. RAM is Random
Access Memory and is wiped when the machine shuts down. Everything that you want
saved is done so in secure, encrypted persistent storage. Tails link: Here. A
step-by-step for installing Tails can be found below. Another distro I would
recommend is Whonix. Whonix is an operating system focused on anonymity, privacy
and security. It's based on the Tor anonymity network, Debian GNU/Linux and
security by isolation. DNS leaks are impossible, and not even malware with root
privileges can find out the user's real IP. If you cannot use Tails or Whonix – or
better yet – do not want to use them, you should make sure that Windows is secure.

Windows:

Truecrypt – I would download TrueCrypt and enable FDE (Full Disk Encryption) to
make sure that all evidence is encrypted thus allowing you to skip Chapter 4. If
you do not want to enable FDE, I would create a container and have a Virtual
Machine inside the container. Otherwise, EVIDENCE CAN BE EASILY GATHERED BY
INVESTIGATORS. (Section 3.2)
Tor Browser Bundle - This allows you to browse the internet anonymously. Using
TBB will also allow you to visit .onion sites as well as to join the .onion IRC
servers with TBB's instance or Tor. (Section 9.1)
Anti-Virus and a Firewall - This will keep your computer protected from viruses
as well as remote intruders (most all-in-one anti-virus software has these
features). (Section 7)
I have decided to move a recommendation from later on in this guide to up here.
One good recommendation is to create and use a standard account with no
Administrative privileges. This way, if a virus is executed, it only has the
privileges of the account that you are in. Also, I would make sure your username
does not contain your full name as many applications such as Pidgin can share this
information. Furthermore, make sure that you create a Windows password that is
difficult to guess/attack, as your computer can be explored using that password,
over the network.
(Optional) TorChat - TC is a chat application that runs over Tor to provide an
anonymous way to chat. (Section 2)
(Optional) IRC Client - An IRC client allows you to enter Tor chat rooms to
talk to many individuals at one time. You will need one with proxy settings so you
can run the client through Tor. Make sure to NOT use DCC as it can expose your IP
address. . There are several IRC servers that run over Tor (.onion addresses)
that you can use. They are all logically connected, so connecting to one will
connect you to all. (Section 2)
(Optional) GPG - for sharing messages and files back and forth over a common
medium, GPG ensures confidentiality and integrity. (Setion 3.3)

Sample Security Checklist:

Check authentication
Checking authorization and access control
Auditing your system
Verifying firewalls, proxy settings, and other security
Verifying encryption for both public and private key encryption
Check communication encryption, including: email, chat, web browsing, and
Operating System data
Update system software, including Anti-Virus software and scanners
ackup and storing sensitive data securely
Harden your system by removing unnecessary software and services

Things to be mindful of:

Don’t assume that something is secured by another layer or process. Verify

that the data is secured and that the data being transmitted over the network or
the internet is protected from attackers. Different levels of sensitivity means
different levels of security
Know the limitations of each security product. Each product addresses a
specific set of issues within a specific context. Make sure to know the
differences between the employed solutions and how they protect you. For example,
using a VPN does not stop anyone one from stealing your laptop and gathering all
your data. Use several layers of security for maximum security.
Do not relay on authentication at the session initiation alone. Use several
levels of authentication to ensure that the person you are communicating with is
whom they say they are and vice versa.
Assume everything you use is insecure and treat everything like a security
threat. Build your security model based on what you do; security is dynamic, not
static.
Plan for handling failures, errors, intrusions, and downtime. Focus on what to
do when things go bad. Plan and practice that plan. Good security means nothing
if what you do does not work.

2.1 Learn how to chat

There are a couple of ways to chat over Tor depending on your wants and needs. In
this guide, I will only be talking about two ways to chat with other people: IRC
and TorChat. Using an IRC server allows you to chat with many people at one time
as well as chat with another person in a private chat room. TorChat on the other
hand only allows you to chat privately with someone, but it allows you to share
files with another person whereas the IRC does not.

The first way I will describe is how to connect to the Onionnet IRC. The Onionnet
is a network of servers that are connected together to increase redundancy. For
those of you whom don’t know, IRC stands for Internet Relay Chat and was intended
for group communication in discussion forums, called channels, but also allows one-
to-one communication via private message as well as chat and data transfer,
including file sharing. When using the Onionnet servers however (as described
below), DCC file sharing is disabled and other security restrictions apply.

Try it Out - Set up IRC client for Tor:

Download you IRC client; Personally, I used Pidgin. The link is provided for
you: http://pidgin.im/. There is a portable version of Pidgin available if you
plan on using the client on several machines (which is not recommended as the
computer can contain spyware). Also, Pidgin allows you to connect to several
servers at once in the chance you get disconnected from a server or a netsplit
occurs.
To create an account, Click Accounts followed by Manage Accounts. You can add
as many accounts as you want; I created a few accounts to connect to the different
IRC servers for the reason described above.
Select Add. Under Basic, your settings should look like this: Protocol -
IRC, Username - your username, Server - IRC server, Local alias - your username.
Again, you can use any of the several Tor IRC servers as they are all connected.
Alternatively, you can use one of the several IRC relays instead of connecting to
the Tor servers directly.
Under Advanced, your settings should look like this: Port - 6667, Username -
your username. In Pidgin, if you do not specify a username under the Advanced
settings, your username will be exposed. When you enter or leave the chat room the
username will appear before the hostname. For example, if your ID is TheBest and
your username is Bob, then it will appear as TheBest [Bob@OnionNet].
Under Proxy, your settings should look like this: Proxy type - SOCKS 5, Host
- 127.0.0.1, Port -9050 (Tor Port) *version 2.3.25-4 use port 9150. If you are
using Privoxy, the port will be 8118.
Click Buddies and Join a Chat to join a channel. Add Chat will permanently add
the channels to the Chats list so you don't have to remember the channel name every
time. Right-clicking the chat under Chats will give you a host of options. I
selected Persistent to receive the messages in the chat-room even though they are
not currently open. You can use /list to get a list of all the channels or you can
use /join #room to join a specific room. #security and #public are two good
channels when asking general questions or questions related to privacy or security.
You can use the /msg "username" command to send a private message to someone or
use the /query "username" command which will open a new window in both clients for
private messaging. I would advise looking up the IRC client commands for full
functionality. Lastly, even though I recommended disabling DCC, the servers
disable the functionality altogether.
Lastly, you should know that most -if not all- IRC clients cache your username
for functionality. Pidgin, takes this further by creating logs for specific
channels and individual users that you chat with using private messaging by
default. Under Preferences > Logging, you should disable Log all instant messages
and Log all chats.

IRC Servers

Here is a list of the Tor IRC servers (note that all servers are linked):

FTW: ftwircdwyhghzw4i.onion
Renko: ircd5ilf47whabg4.onion/ (Down)
Nissehult: nissehqau52b5kuo.onion
OFTC: irc.oftc.net:9999 (NOT ONIONNET – CLEARNET IF NOT CONFIGURED FOR TOR)

IRC Channels

Here is a list of some of the popular Tor IRC channels (ordered by user count at
the moment of writing):

• #boys! • #knaben
• #pedo • #torchan
• #cams • #public
• #mjb • #security
• #girls • #hackbb
• #tor (OFTC) • #nottor(OFTC)

The other method I wanted to talk about is by using TorChat. TorChat is a peer to
peer instant messenger with a completely decentralized design, built on top of
Tor's location hidden services, giving you extremely strong anonymity while being
very easy to use without the need to install or configure anything. This program
runs completely portable and can be easily moved, protected or backed up. Like I
said before, TorChat can be used to share data with another person through Tor as
it was built is natively with security in mind.

Try it Out - TorChat:

Download TorChat from github as it is now the official source for the TorChat
project. At of the time writing the article, the direct link is
https://github.com/prof7bit/TorChat. Once the page is loaded, click the Downloads
button over on the right. Select the latest build as denoted by the version
number. Make sure to download the Windows executable version for Windows, Debian /
Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to
do. If the build is in Alpha, then it is not recommended.
 The file will be downloaded as a .zip file. Once the file is fully downloaded,
open the file and extract the contents with your favorite archive file manager. I
extracted the file to the default location in Windows which is the Downloads
folder. You can move the folder at any time as TorChat is portable.
Open the TorChat folder, expand the bin folder, and run torchat.exe to start
TorChat for the first time. Once loaded, you will be provided your TorChat ID (16
characters that are comprised of letters and numbers).
To add a contact, just right-click in the white space of the program and click
Add Contact… Alternatively, you can edit the buddy-list file in the bin
directory. Double-clicking a contact will initiate a chat (right-clicking and
selecting Chat…, will accomplish the same thing). You can also edit and delete a
contact by Right-Clicking the user and selecting the appropriate function. Sending
a file is as simple as dragging the file into the chat window or right-clicking the
username and selecting Send file… (Windows can only send one file at a time
whereas Debian/Ubuntu can send many at one time).
If you are upgrading your version of TorChat than make sure to backup and copy
over bin\buddy-list.txt, bin\Tor\hidden_service\hostname[b/], and
bin\Tor\hidden_service\private_key. If you do not copy over the latter two files,
you will be provided a new TorChat ID.

2.2 Intro to Tails

If you are handling anything sensitive that you don’t want found, or if you don’t
want to leave any trace on your computer, I recommend you use another Operating
System altogether. A good alternative that was built with security in mind is
Tails. Tails was built to route all internet traffic through Tor, to run
completely in RAM, and to save nothing unless explicitly defined to. In this
section, I will only be talking about installing Tails on a DVD or USB as there is
another, thorough guide that can be found in the the Guides section of this board

Try it Out - Installing Tails:

Download Tails from the official Tails website. You can either download Tails
via the direct link or the Torrent; which might be faster. However, the direct
link is recommended as is downloading and verifying the Tails Signature. The link
to the Tails download page is here: https://tails.boum.org/download/index.en.html.
Under option 2, select the latest release to start downloading. To verify the
download, use GPG to verify the Tails signature to ensure that your image has not
been modified in any way
Once downloaded you have a couple of options: you can burn the image to a DVD
or a USB (the image is too big to fit on a CD). If you burn the image on a DVD-R,
an attacker cannot modify the contents as the disk is read only. This also means
that you cannot save anything or make any permanent changes on the disk. DVD-RW
and the USB can be written to and re-written to, meaning files and settings can be
saved in persistent storage. But, this comes at a risk as an attacker can
maliciously modify Tails
Installing an image to a DVD is easy, all you need is the right software. ISO
Image Burner is a good software for Windows that can do this for you. Mac's and
computers running Ubuntu can burn the image natively. Once your ISO burning
program is open, insert the blank DVD into the disk drive and burn the Tails ISO
image to the blank disk (or a DVD-RW disk)
When installing the Tails ISO image onto a USB, it is recommended that you
download and install Oracle VM VirtualBox, and use that virtualization program to
boot into Tails. Otherwise, you cannot create persistent storage for saving files
and settings. Once you successfully boot into Tails, you can use the built in Tails
USB installer to install Tails on the USB device
I downloaded and installed VirtualBox from here. Once installed, start
VirtualBox and Click New to create a new VM. Fill out the Name[b/] textbox, select
Linux for the Type, and select Other Linux for the version. Proceed past the next
page and select Do not add a virtual hard drive and click Create. At the top of
the Oracle VM VirtualBox Manager click on Settings to modify the settings of the VM
you just created. Select Storage and next to Controller: IDE click on the little
disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you
just downloaded. Under Controller: IDE you should see the image you just selected.
Selected that image and check Live CD/DVD over on the right under Attributes.
Click OK. Start the VM to boot into Tails
At this point you should be asked if you would like to view more options. I am
going to kill two birds with one stone and cover how to install Tails on a USB as
well as what I recommend after you install the ISO on the USB. Select Yes on this
screen and create an Administrator password on the next screen. Under Applications
> Tails you can create a persistent volume as well as use the Tails USB Installer.
When creating a persistent volume, I would select all the applications you will use
as well as if you are going to save any materials

2.3 Intro to Whonix

Quoting directly from the manufacturers’ website: Whonix is an operating system

focused on anonymity, privacy and security. It's based on the Tor anonymity
network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and
not even malware with root privileges can find out the user's real IP. Whonix
consists of two parts: One solely runs Tor and acts as a gateway, which we call
Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely
isolated network. Only connections through Tor are possible.

Features (from the Whonix website):

• Adobe Flash anonymously
• Browse The Web Anonymously
• Anonymous IRC
• Anonymous Publishing
• Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
• Add a proxy behind Tor (Tor -> proxy)
• Based on Debian GNU/Linux.
• Based on the Tor anonymity network.
• Based on Virtual Box.
• Can torify almost any application.
• Can torify any operating system
• Can torify Windows.
• Chat anonymously.
• Circumvent Censorship.
• DNSSEC over Tor ¹
• Encrypted DNS ¹
• Full IP/DNS protocol leak protection.
• Hide the fact that you are using Tor ¹
• Hide the fact you are using Whonix
• Hide installed software from ISP
• Isolating Proxy
• Java anonymously
• Javascript anonymously
• Location/IP hidden servers
• Mixmaster over Tor
• Prevents anyone from learning your IP.
• Prevents anyone from learning your physical location.
• Private obfuscated bridges supported.
• Protects your privacy.
• Protocol-Leak-Protection and Fingerprinting-Protection
• Secure And Distributed Time Synchronization Mechanism
• Security by Isolation
• Send Anonymous E-mails without registration
• Stream isolation to prevent identity correlation through circuit sharing
• Virtual Machine Images
• VPN/Tunnel Support
• Whonix is produced independently from the Tor (r) anonymity software and
carries no guarantee from The Tor Project about quality, suitability or anything
else.
• Transparent Proxy
• Tunnel Freenet through Tor
• Tunnel i2p through Tor
• Tunnel JonDonym through Tor
• Tunnel Proxy through Tor
• Tunnel Retroshare through Tor
• Tunnel SSH through Tor
• Tunnel UDP over Tor ¹
• Tunnel VPN through Tor
• Tor enforcement
• TorChat ¹
• Free Software, Libre Software, Open Source
• ¹ via Optional Configuration

Note: When using Whonix, you will be responsible for three Operating Systems. The
Whonix gateway, the Whonix workstation, and the host machine. Whonix is only
intened to run on VirtualBox, so VMWare is not recommended.

Set-up Whonix:

First things first: download both the gateway and the workstation from the
manufacturers’ website: Download links can be found here
You will need to download and install VirtualBox
Next step is to import both of the Virtual Machines into VirtualBox: use
VirtualBox to open both the .ova images (File > Import Appliance…)
Click choose and select the Whonix-Gateway.ova from your download folder and
press Open
Click Next until you reach the Appliance Import Settings. Click Import without
changing any of the settings. Repeat the process for both VM’s
Now start both Virtual machines (gateway followed by the workstation)
When you login for the first time, I recommend changing the password:
At Terminal enter: sudo su
Enter the default password changeme
Change the password using this command: passwd and passwd user for both VM’s
To learn more about Whonix security and additional functionality, go here:
https://www.whonix.org/wiki/Main_Page

After you setup and both the Whonix workstation and gateway, you can customize it
however you want. Unlike Tails, Whonix is entirely persistent with a start of 50Gb
of space. If you need to increase the size of Whonix, you will need to utilize
VirtualBox. I recommend increasing the size pre-setup versus after the fact as it
will be much easier (and safer). Once you are done and want to shut down the
machine, you can use the Shutdown button on the workstation and type Sudo poweroff
in the gateway. Another helpful command is sudo arm in the gateway to check the
status of Tor and use the character N to force a new identity when you are viewing
the arm output.

Chat in Whonix (using XChat:

XChat is an IRC client and is recommended as it is already preinstalled and

configured to be used on Whonix. The following steps walk you through the process
of configuring a username and adding the onion servers as found in the previous
chat section (section 1.1).

Once XChat is opened click the XChat button from the menubar
Select Network List… from the drop down
Fill in the information under User Information. These names are used by
default for each connection and will be visible to everyone
Under Networks, click Add, to add a server that you will connect to
Give this new value a name. For example, I entered Onion, so I knew it
contained all the IRC servers for OnionnetTest
Press the Enter key on your keyboard and select the Edit… button in the program
Once you see the Edit page come up, you will see one default server in the
Servers for Test list. You can select that item and click Edit
The format for adding a new server is as follows: serveraddress.onion/port.
For example, I entered this: ftwircdwyhghzw4i.onion/6667
Remember, the program already configured the proxy information, so this is all
you need to do. If you want specific channels to open once you are connected to
the server, you can add them to the Favorites list. You can now close this page
Once you are back to the Network List, select the newly created network and
press Connect
You can use the same IRC commands as in Section 1.1.

To chat in Whonix using Torchat, you will need to modify both the Workstation and
the Gateway. You can instructions on how to do this on the Whonix website.

KGPG

Whonix uses KGpg, which is a simple interface for GnuPG, a powerful encryption
utility. GnuPG allows to encrypt and sign your data and communication, features a
versatile key management system as well as access modules for all kinds of public
key directories. For ease of use, you can import the keys into KGpg and use the
GPG commands found in section 4 for full functionality. To import a public key in
KGpg: open the program and click Import Key from the menubar. Select the public
key you downloaded and click Open. Once the keys are imported, you can encrypt
data using the program (right-click the file in Dolphin browser, and click Encrypt)
or use the command line switches. GnuPG is recommended for secure communication.

3. Encryption

ncryption is the process of encoding messages (or information) in such a way that
eavesdroppers or hackers cannot read it, but that authorized parties can. Using
cryptography three purposes are fulfilled: confidentiality, integrity, and non-
repudiation. Encryption has long been used by militaries and governments to
facilitate secret communication. It is now commonly used in protecting information
within many kinds of civilian systems. Also, many compliance laws require
encryption to be used in businesses to ensure that confidential client data be
secured if the device or data is stolen. In this section I will be talking about
using encryption for confidentiality and integrity. Non-repudiation is used, but
is not normally implemented for our purposes.

3.1 Encryption Dealing with Confidentiality

Computer encryption is based on the science of cryptography, which has been used as
long as humans have wanted to keep information secret. The earliest forms of
encryption where the scytale’s and the creation of cipher texts. These forms of
cryptography would rely on both parties knowing the key used or the correct cipher
before the message could be delivered. Here's an example of a typical cipher, with
a grid of letters and their corresponding numbers
 1 2 3 4 5
1 A B C D E
2 F G H I/J K
3 L M N O P
4 Q R S T U
5 V W X Y Z

Let’s say a general wanted to send the message “I love ponies” he would write the
series of corresponding numbers: 42 13 43 15 51 53 43 33 42 51 34. Only the person
with this cipher text would be able to reach the message. Now obviously, to make
the message more difficult to decipher, the letters inside the table would be
arranged differently. Computer encryption uses algorithms to alter plain text
information into a form that is unreadable. Most people believe that AES will be a
sufficient encryption standard for a long time coming: A 128-bit key, for instance,
can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key
combinations. Today’s AES standard is AES 256bit encryption which has 2 ^ 256
possible combinations.

Done right, encryption protects private or sensitive data by making it difficult

for the attacker to uncover the plaintext. This is the idea of encryption: to make
it harder for others to uncover our secrets. The idea behind it is that whatever
amount of expertise and computer time/resources is needed to decrypt the encrypted
data should cost more than the perceived value of the information being decrypted.
Knowing what to use encryption how it works, and what type of encryption to use
depending on the circumstances will allow you to better your security and make it
harder for an attacker to do his job.

As we said before, there are many reasons for encryption. One purpose of
encryption is the act of transforming data from a state that is readable to a state
that cannot be read by a third party that does not have permission. The result of
the process is encrypted information (in cryptography, referred to as ciphertext).
The reverse process, i.e., to make the encrypted information readable again, is
referred to as decryption (i.e., to make it unencrypted). It is also important to
know that the word encryption can implicitly refer to the decryption process. For
example, if you get an encryption program, it encrypts information as well as
decrypts it.

There are a few types of encryption that should be used for two different purposes:
symmetric and asymmetric (public key encryption). Symmetric encryption can also be
known as private key encryption or single key encryption. “Symmetric” means the
encryption and decryption processes are reverses of each other. I must share the
secret passphrase with anyone I want to be able to decrypt my encrypted data. It
is used the most because it is fast, easy to use, and is the most widely needed.
You will use this form of encryption when there is only one password being used
(such as TrueCrypt or another simple file encryption utility). The problem with
this is as stated before, it uses only one key, so exchanging that key is not done
securely between two people. Asymmetric encryption fixes that problem by utilizing
two keys instead of just one.

Asymmetric (or Public key) encryption uses two keys, one key to encrypt information
and the other to decrypt the information. “Asymmetric” means that the process of
encryption with the public key can only be reversed (decrypted) by using the
private key (and vice versa). Although a message sent from one computer to another
won't be secure since the public key used for encryption is published and available
to anyone, anyone who picks it up can't read it without the private key. This type
of encryption is slower, but is more secure when sending confidential information
to someone, signing data, or verifying to a person is who they say they are. If you
want to send me an encrypted message, you must have my public key-- and only
someone who has access to my private key (presumably, just me) can decrypt messages
encrypted with my public key. So, when Bob wants to send you a message, his
computer encrypts the document with a symmetric key, then encrypts the symmetric
key with your Public. When you receive the data, your computer uses its own private
key to decode the symmetric key. It then uses the symmetric key to decode the
document.

Last word of note when using encryption is to make sure that you use open-source
encryption programs such as Truecrypt, as most companies will hand over the
encryption keys to law enforcement. Most companies use the EnCase® Decryption
Suite to decrypt a suspect’s hardrive or other portable media device. This list is
pulled directly from EnCase® and provides a list of built in keys that can be used
to read media on encrypted devices:

Microsoft BitLocker, GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk

Encryption. Ultimaco SafeGuard Easy, McAfee SafeBoot, WinMagic SecureDoc Full Disk
Encryption, PGP Whole Disk Encryption, Microsoft Encrypting File System (EFS), and
CREDANT Mobile Guardian. Mounted file types include: PST, S/MIME encrypted email
in PST files, NSF (Lotus Notes), Protected storage (ntuser.dat), Security hive, and
Active Directory 2003 (ntfs.dit)

3.2 Encrypting Files or the Hard Drive

You will most commonly want to encrypt files for storage or if you want to upload
them to several people securely. Using your computer is also a security risk if
you simply created a Windows password and stopped your security there. Windows
hashes your password and checks that against the password you enter when logging
into the device. In no way does it attempt to encrypt your files; meaning they are
all in the clear just waiting for someone to take them. And even if you use
Windows encryption, law enforcement can just request the keys. Furthermore, many
of you think that using BIOS passwords are great for security, which is also not
the case. They can be broken as easily as Windows password can.

There are several programs that run outside of Windows to either remove or crack a
password. Removing the password does just that; removes the password completely.
Cracking a password on the other hand allows you to obtain the password, instead of
removing it. Doing so allows you to log into the device as the user, or as many
people do, use the same password across several logins across several systems.

Trinity Rescue Kit (removing a password:

Use this link to download TRK: click here. I recommend using the executable,
self-burning from Windows only format to easily burn the image to a CD
Once the burning process is complete, keep the CD in the CD tray and reboot
your device
Bootup from the device (you might need to google how to do so)
When TRK boots up, you will see a bunch of options. Select the first option:
Run Trinity Rescue Kit 3.4 (default mode, with text menu)
Click the down-arrow until you select: Windows password resetting
Click the down-arrow again until you reach the desired option. In this
example, select the first option: Reset password on built-in Administrator (default
action)
When prompted, enter 1 to Clear (blank) user password

I won’t get into cracking password with Ophcrack as that is an involved process.
Ophcrack cracks passwords using what they call Rainbow Tables which basically is a
list of stored hashed to be used against the hashes stored on the machine. These
tables come in several forms depending on the complexity you are expecting. You
will need to download and store these tables so they can be accesses when you are
attempting to attack a device. Also, make sure you have plenty of space on the
harddrive and they can reach to a couple Terabytes of data.

There are a couple of programs that support this type file and folder encryption
and most of you probably already heard of them. These programs I am referring to
are TrueCrypt and 7Zip and they both provide symmetric file encryption. TrueCrypt
is a program that allows you to encrypt your entire hard drive or to create an
encrypted container. 7Zip on the other hand is a program that allows you to create
an encrypted archive. Remember that symmetric file encryption has only one key for
the encryption and decryption process. So you will need to share the key in
cleartext if you plan on sharing the files.

When using Caeser Cipher's, as with the fundamentals of the Caesar Cipher, all the
characters are shifted, usually by 3 characters. If he wanted to say "You will
never guess this," for instance, he'd write down "BRXZLOO HYHU JXHVV WKLV" instead.
As you can see, the text is also broken up into even groups in order to make the
size of each word less obvious. You can change the orders of the letters and
change the number of shifts per letter to complicate the process for the attacker
even further.

Creating an encrypted container with TrueCrypt will allow you to store data within
the encrypted container. When mounted, it will look as another drive on your
computer. TrueCrypt containers are secure but using them still comes with the
risks of leaving your recent files lists, thumb files, and other temporary and
cache data exposed. It is recommended that you use TrueCrypt and encrypt the
entire disk for maximum security. The process of encryption your entire disk is
called FDE (Full Disk Encryption). Furthermore, it is recommended that you use a
hidden volume when using TrueCrypt. Investigators cannot determine whether or not
you have a hidden volume in your TrueCrypt container unless you tell them. One
drawback with using FDE with a hidden volume versus using FDE without a hidden
volume is you will have two Operating Systems instead of just one. You can also
use TrueCrypt to encrypt portable drives using the Traveler Disk Setup. For
information about using TrueCrypt on SSD’s, please reference SSD – Solid State
Drives (section 4.10).

Try it out - Create TrueCrypt Container:

Download and install TrueCrypt ; http://www.truecrypt.org/downloads. Start

TrueCrypt
Click on Volumes (menu item) in TrueCrypt
Click on Create New Volume... (menu item)
Select Create an encrypted file container (radio button) and click Next >
(button)
Select Hidden TrueCrypt volume (radio button) and click Next > (button)
Select Normal mode (radio button) followed by Next > (button)
Click Select File... (button)
In this step you will specify the name and location of your TrueCrypt
container. If you try to save the file and get an "access denied" error, try
creating the container in your Documents folder or elsewhere. Choose the location
in the Explorer window and specify the File name: (edit) in Specify Path and File
Name [...]. Click Save (button) in the Specify Path and File Name dialog box
Click Next > (button) followed by Next > (button) on the next page
In the dropdown, I selected AES (list item) for the Encryption Algorithm. This
is the most secure and provides 256bit encryption which is a 32 character password.
You can read up on the other encryption algorithms for further explanation. SHA-
512 (list item) was my choice for the Hash Algorithm. You can also read further on
the hashing algorithms. Click Next > (button)
In this step you want to specify the size of the TrueCrypt container. Most
likely you will want to select GB (radio button) to specify you want to size to be
in Gigabytes. This is recommended if you are going to store pictures or videos.
In the textbox, enter the total size that you want to container to be and not just
the size of your Outer Volume. So, if you want your Outer Volume to be 50GB and
your Inner Volume to be 25GB, you will need to enter 75 here. Click Next >
(button)
Enter and re-enter your password for the Outer Volume Passwor. This is the
password that you will be able to reveal if you are forced to do so. You are
allowed to enter a password up to 64 characters
For the Large Files step, I selected Yes, so it would format as NTFS; it is up
to you though. Click Next > (button)
Once all the settings are set, move your mouse around to add security. Click
Format (button) to start formatting the volume. Depending on the size and your
hard drive speed and other factors, this process could take several hours. Once
complete click Next > (button)
You will now create your Hidden Volume, or the volume that you do not want
others to find. Select Next > (button) to start the process
I used the same settings as before. Click Next > (button) until you are
prompted to create the Hidden Volume Size. This size is less than the Outer Volume
Size and should leave ample room so you can store enough non-private data in your
Outer Volume whilst allowing plenty of room for private material in this Hidden
Volume. Click Next > (button)
Create a Hidden Volume Password This password should be as secure as this
container will hold your private data. The maximum possible length for a password
in this step is also 64 characters. This is the password that you do not want to
give out under any circumstances. The government cannot determine if a hidden
container exists therefore they will not know that this password even exists. Do
not fall victim to social engineering attacks whereas someone tricks you into
giving them the password.
Select Next > (button), choose whether Large Files are going to be used in the
next window, and click Format (button) to finalize the process (again, make sure to
move your mouse around on that step for better security)
Open TrueCrypt again and mount the Outer container. To start, I would mount
the Outer Container so we can add some decoy data in there in case you are forced
to give the password. To do this, just select the drive letter, click Select
File… (button), select the TrueCrypt file you created in Step 8, and press Mount.
Simply, you will enter the Outer Volume Password or the Hidden Volume Password
depending on which volume you want to mount. Make sure when moving decoy data over
that it is completely legal and that it CANNOT be confused for something illegal.
Also, make sure it would be something you would truly want hidden. Porn, data
backups, and etc. are good ideas. To move the files over to either of these
volumes you will simply open Windows Explorer and navigate to the drive letter.

Try it Out - WinRAR:

Download and install WinRAR: Click Here. Start WinRAR.

If you are in the WinRAR program window, select the file(s) and click the Add
button. This is denoted as an icon of a stack of books with binding around them.
Alternatively, you can right-click the file(s) in the explorer window and click Add
to archive…
The Archive name and parameters page will open. Please note the size of the
file you are about to upload and the size limit that you are allowed to upload on
each site
In the Split to volumes, bytes input field under the General tab, enter the
appropriate size of each archive. For example: If you have a file that is 200MB
(or 204800KB) and the file upload size limit is 50MB, for the Split to volumes,
bytes input field, you will enter 50MB. In this case four files will be created,
each 50MB a piece
 Select the Advanced tab and hit the Set Password… button. Enter the password
in the first field and re-enter the password for verification. Remember this
password; if it is lost the file is NOT recoverable. Most people also select
Encrypt file names for extra security

As said before, when using TrueCrypt, as presented in the “Try it out” section, it
is a good idea to use a hidden container. Here’s why… Let’s say you have two
videos: video A and video B. Video A is of your pet hamster frolicking around in
the fish-tank with your preciousness goldfish named Garry (the fish, not the
hamster). On the other hand, Video B is a recording of your grandmother doing the
naughty with the pizza delivery man. Now, I am going to make a sweeping assumption
in claiming that you don't mind other people seeing video A, so it is deemed that
the video can be "public" or "not hidden." Video B on the other hand is just plain
nasty and if the pizza delivery man were 12, and you needed to hide that video at
all costs, this video would need to be "private" or "hidden." So, you would stick
Video A in the container that you could give the key away to and Video B would go
in a container that you would protect at all costs. If you use the key for Video
A, you can see video A and so forth.

So, on the same lines, a hidden container (or, a hidden OS), is a hidden, encrypted
container that the LEA cannot prove exists. So, you have two keys: a key for the
public container and a private container. You can unlock one or the other at one
time, but not both at the same time. So, you can give the LEA the key that opens
up your public container whilst hiding the key for your private container. The LEA
cannot determine if you have a private, hidden OS, or a private container. If you
use the key for your non-sensitive container, you will boot into container.

In essence (when dealing with hidden OS’s), think of two Operating Systems on one
computer and you can choose which one to boot into depending on the password. A
hidden OS, is hidden and the LEA cannot prove that it exists. The advantage of
this is you can have one OS for normal data whilst hiding your other material and
use it when you need it. A hidden OS also has all the sensitive data leaks
inherent with any OS. So, instead of anti-forensic techniques or saying, "opps, I
forgot the password", you can view all sensitive material in the hidden OS and not
worry about anything sensitive being leaked (paging, recent file lists, db files,
caching, etc). Remember this: if you are forced to give the encryption key, you can
do so whilst keeping your hidden container hidden which is the main advantage of a
hidden container.

You can also use programs such as PGP or GPG (GPG being a free replacement for PGP)
to securely encrypt data or messages which are both programs that are mainly
intended for asymmetric encryption, but will work for our purposes. Notice that I
said they are used to encrypt data and messages; they cannot be used like Truecrypt
to encrypt entire drives, partition, or used to create encrypted containers. And
like I said above, they are subject to the same problem when exchanging the key.
The key still must be sent in clear text.

The simplest command line switch for encrypting a file with GPG (assuming you have
GPG installed and have the command prompt open) is this: gpg -c inputfile.ext.
Let break this down a bit. Gpg is the name of the program; so you are telling the
computer to open the program GPG. The –c is telling the program that you want to
use the abbreviation for --symmetric. Finally, the inputfile.ext (replace ext with
the file extension), tells the program that you want to encrypt the inputfile.ext
file on your computer. Now when you look in the same directly you will see the
same file with a new file with the same name and extension, but with a .gpg added
to the end. So, for example, the new encrypted file name will be
inputfile.ext.gpg.
Decrypting the file using symmetric encryption is as easy as putting the file on
your computer and telling the program to decrypt it. The command line switch for
the decryption process is similar to the encryption process. The decrypt a file,
you must use GPG and enter this: gpg --decrypt inputfile.ext.gpg. The program will
then recognize it used symmetric encryption and will ask for the key to decrypt it.
Again, the key to encrypt the file is the same key you will now use to decrypt the
file. You should also know that when encrypting the file, the program GPG does
nothing to the clear text file. So it is still sitting on your computer and can be
read by anybody who gains access to it. Deleting a file securely will be discussed
later on.

When you originally encrypt the file you will notice that the output looks like a
bunch of gibberish. To combat this GPG as a command option for ASCII Armor output.
When GPG originally encryption message without the ASCII armor output you are
saying that is called the binary output. Binary output is machine-readable but we
cannot make sense of it. ASCII armor ensures that the only characters used are
ASCII characters so they can be read easily. For example, if I want to encrypt
data using the symmetric algorithm with the armor output I would put in the command
as followed: gpg -ac. The “a” generates the armor output and the –c, as above,
specifies that want to use the symmetric algorithm. Using this switch will specify
a message manually within the command prompt as no input file is specified. When
you are done you will have to enter an ‘end-of-file’ sequence). On Windows: press
Enter, then ctrl-z, then Enter. On OS X/Linux: press Enter, then ctrl-d. Pressing
ctrl-c (“abort”) quits GnuPG without executing any command.

3.3 Securely Exchanging Messages, Data, and Signing Data

The problem with symmetric encryption is that it only uses one password to encrypt
and decrypt data. But what if you wanted to send a message to somebody? Somehow,
you will need to share the key while reducing the risk of anyone being able to
intercept the password and use it to decrypt the data. Asymmetric encryption
tackles this problem by implementing a secure key exchange. With this form of
encryption there are two keys used, a public key and a private key. The public key
is given to the world and is used to encrypt data whereas the private key is used
to decrypt the data and to verify the data being received is legitimate. A popular
program to securely share data and messages between two people (using asymmetric
encryption) is PGP or GPG (GPG being a free replacement for PGP). For the purposes
of this guide, I will be using GPG, the free replacement for PGP.

First things first, exchanging the public so someone who wants to give you a
message can secure the data before sending it to you. Assuming that you both have
GPG installed on your machines, you can use the Try it out – create GPG key example
to create, export, and exchange your public keys. The public key is only used to
encrypt data. So for an attacker to decrypt data, they must have your private key.
Once the initial public key exchange is done you can now securely exchange data.
You will also notice that I used the armor output option so when I want to exchange
my public key via email or form, it can easily be copied by the recipient trying to
import it. You should only give out your public key, and never your private key.
It is best to keep your key pairs on an encrypted drive. If someone obtains your
private key they will be able to read all encrypted messages intended for you. If
compromised, create a new private and public key pair and give out your new public
key. Also note, that your key pair comes with an expiration date if specified.
Once the expiration date is reached, people can no longer send you encrypted
messages using that expired public-key.

Here is an example of a GPG encrypted message:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v2.0.17 (MingW32)
mQINBFAisdkBEADQeOmbSJ5acqwBAxAEKicWg50sPSR0oO0roRsrSziDpnJf+nxC
Y5uUDPOCs/KDHeSv1XIvK0yv5rpesh7lZeIESpJSyBG9IlEl8vQhmt+Bohy53xWs
r5NJIktmeU+whCil8X9SYndc63UrdOoEVlKLApLDrskR91NDbx/YAv/YeNYQO4iB
jP38E0bRliO5yxHENZLdP0PAhksBnC/rYXOiilBHqUFMKZJzaH1flTBjpiawojb1
9jOQPcIQ8eNC3EKl0LkaZs9dzlmF69ore8A3swck+bHnII9dhzmJS09iMc1KQDHb
xjeF3XzvaQzwq6TtZcRyzEpcHtnIBe2w6LNgSEzuEIPKHVLKqDWfzbuAL6/+DPGf

-----END PGP PUBLIC KEY BLOCK-----

When you give someone the message - or key or signature - you want to copy all
the text including everything you see in the example above.

Now that you have created your own key pair and imported someone else’s, you can
start encrypting and decrypting data respectively. You can follow the Try it out –
Encrypting and decrypting a message/file to learn how to encrypt and decrypt a
file. I will elaborate on how that works a little more. To begin, you will use
gpg to start the program GPG and –e to tell the program that you want to use the
asymmetric encryption versus the symmetric encryption (-c) as used before.
--output "output file" is the name of the output file that will contain the
encrypted data. --local-user "your username" is the name of the user that the
message is coming from (in this case, you). -r "recipient" is the person whom you
are sending the data to, --armor specifies the program to use the ASCII armor
output, and --sign clear.txt will create a signature file. Given a signed
document, you can either check the signature or check the signature and recover the
original document.

Try it Out - GPG Setup:

For Windows (since this is a Windows guide), I recommend downloading and installing
Gpg4win. If you are using Linux you can simply use gpg and stick with command
line. Here is a guide from their website on how to install the program:
http://gpg4win.de/handbuecher/novices_5.html. When Gpg4win is installed, follow
these steps to create your key pair for encryption/decryption (note: the following
instructions are for creating a key size of 4096 which I recommend. You can create
a 2048bit encryption key using the program Kleopatra):

Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in
Search Programs and Features. A black box should pop up.
Type in gpg --gen-key
Enter 1 and press Enter
The default key is 2048, I recommend 4096
Set the value to 0 here. If you set the key to expire, you will need to go
through this same process of creating and redistributing your public keys
When is asks for a confirmation, enter y
Your real name will most likely be your screenname. I will enter missionman
here
For this step, input an email address. For this I entered my tormail email
address.
Enter a comment if you wish, this step is optional
If you wish to change something, now is the time to do it. Everything is
correct and I am done so I will enter o
At this point you should see a popup prompting you to create a secret key.
This is also referred to as a private key. Make sure when creating this password
that it conforms to strong password guidelines
Re-enter the password to confirm you entered it correctly
You will now want to type a lot of random data in a text program of your choice
or move your mouse around the screen so the key can be generated until the key
generation is complete
If there are no errors, then you have successfully created your public and
private key!
Now, to give people your Public key (which they use to encrypt data they want
to send to you) you will type in gpg --export -a 'username' > 'location'. For
example I typed in gpg --export -a missionman > c:\missionman.key
When people want to add the key, they can either use the program Kleopatra that
was installed or they can type in gpg --import 'keyfile'. To import mine for
example you would download my key file (or copy the contents to a file and save it)
and type in gpg --import missionman.key (you can get mine here:
http://xqz3u5drneuzhaeo.onion/users/missionman/pubickey.txt

Encrypting and decrypting a message/file:

First, find the location of your file or save a message to a text document
The command to encrypt a file is gpg -e --output "output file" --local-user
"your username" -r "recipient" --armor --sign"filename". For example, I typed in
gpg -e --output C:\encrypted.txt --local-user missionman -r testuser --armor --sign
clear.txt
To decrypt a file you will simply enter gpg-d --local-user "username" -o
"output file" "input file". For example, I entered gpg-d --local-user missionman -
o C:\decrypted.txt C:\encrypted.txt

“A digital signature certifies and timestamps a document. If the document is

subsequently modified in any way, a verification of the signature will fail. A
digital signature can serve the same purpose as a hand-written signature with the
additional benefit of being tamper-resistant. The GnuPG source distribution, for
example, is signed so that users can verify that the source code has not been
modified since it was packaged.”

“Creating and verifying signatures uses the public/private keypair in an operation

different from encryption and decryption. A signature is created using the private
key of the signer. The signature is verified using the corresponding public key.
For example, Alice would use her own private key to digitally sign her latest
submission to the Journal of Inorganic Chemistry. The associate editor handling her
submission would use Alice's public key to check the signature to verify that the
submission indeed came from Alice and that it had not been modified since Alice
sent it. A consequence of using digital signatures is that it is difficult to deny
that you made a digital signature since that would imply your private key had been
compromised.”

An example on how to sign a document without encrypting the document is as follows:

gpg --output doc.sig --sign doc. Notice in this example that I did not specify
that I want to use my public key to sign the document. If you need to specify you
as the sender, you can also use the --local-user "your username" command. Given a
signed document, you can either check the signature or check the signature and
recover the original document. To check the signature use the --verify option. To
verify the signature and extract the document use the --decrypt option. The signed
document to verify and recover is input and the recovered document is output. gpg
--output doc --decrypt doc.sig is the command line switch to verify a document
using the persons signature.

In such situations where it is undesirable to compress the document while signing

it the option --clearsign causes the document to be wrapped in an ASCII-armored
signature but otherwise does not modify the document. However, a signed document
has limited usefulness. Other users must recover the original document from the
signed version, and even with clearsigned documents, the signed document must be
edited to recover the original. Therefore, there is a third method for signing a
document that creates a detached signature. --detach-sig will create a separate
signature file.

Note: If you want people to send you messages or files, you will give out your
PUBLIC key. NEVER GIVE OUT YOUR PRIVATE KEY, EVER! Also, make sure that nobody
steals your private key; keep it on an encrypted drive. You can exchange public
keys or data either via in a file, or plain text in a forum. --armor specifies the
output is easily copied when you copy the text versus sending the file and --sign
attaches a digital signature so the receiver knows it is coming from you. Here is a
good site with some of the common commands:
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html

One final word about signatures is the usability of them to verify packages
downloaded from the internet. You will notice that there are usually two types of
verification options: signature files and hash outputs. Verifying the packages
that you download from the internet establishes that the package you have on your
computer was not altered in any way during transit. To verify a package, you will
follow the same process of using the vendors Public key and signature file (or just
verify the file if the signature is not detached) and using the --verify option as
used above. Using the hash verification, you will need to create a hash output of
the downloaded file and compare it to the hash specified from the vendor. You can
read more about hashing below.

Much like anything, you want to make sure that you are keeping up with the
encryption standards today. This means that using the new algorithms to replace to
older ones. As a real world example, there are leaked documents claiming the NSA
(National Security Agency) paid RSA $10,000,000USD to have a backdoor planted
inside Elliptical Curve Cryptography (ECC) algorithms. Products such as Tor were
affected and should be update to defeat these attacks.

One-Time pad[/u]

I wanted a section on OTP’s, however, I did not want to give it a full number
besides its name. You might notice that most of this information is taken directly
from Wikipedia; the reason is that I did not want to reinvent the wheel in sharing
this information. In cryptography, the one-time pad (OTP) is a type of encryption
that is impossible to crack if used correctly. Each bit or character from the
plaintext is encrypted by a modular addition with a bit or character from a secret
random key (or pad) of the same length as the plaintext, resulting in a ciphertext.
If the key is truly random, at least as long as the plaintext, never reused in
whole or part, and kept secret, the ciphertext will be impossible to decrypt or
break without knowing the key. Saying that, this form of encryption is the most
secure form of encryption out there.

One popular method is implementation, is the XOR method, which is often used to
combine the plaintext and the key elements, and is especially attractive on
computers since it is usually a native machine instruction and is therefore very
fast. However, ensuring that the key material is actually random, is used only
once, never becomes known to the opposition, and is completely destroyed after use
is hard to do. The XOR method operates according to this principle:

A θ 0 = A,
A θ A = 0,
(A θ B) θ C = A θ (B θ C),
(B θ A) θ A = B θ 0 = B

Now, you are probably wondering to yourself, “What does that even mean?” Let me
explain. The θ denotes the exclusive disjunction (XOR) operation which can be used
on every character in the plaintext string using a given key. To decrypt the
output, the same process is used and the cipher will be converted back to
plaintext. Below is an example on how the XOR operation is used. You will notice
that 0 + 0 and 1 + 1 return the output of 0 whereas 1 + 0 and 0 + 1 returns the
output of 1. The string below, "Wiki" (01010111 01101001 01101011 01101001 in 8-
bit ASCII), can be encrypted with the repeating key 11110011 as follows:

01010111 01101001 01101011 01101001

θ 11110011 11110011 11110011 11110011
= 10100100 10011010 10011000 10011010
And conversely, for decryption:
10100100 10011010 10011000 10011010
θ 11110011 11110011 11110011 11110011
= 01010111 01101001 01101011 01101001

The XOR operator is extremely common as a component in more complex ciphers. By

itself, using a constant repeating key, a simple XOR cipher can trivially be broken
using frequency analysis. If the content of any message can be guessed or otherwise
known then the key can be revealed. Its primary merit is that it is simple to
implement, and that the XOR operation is computationally inexpensive. A simple
repeating XOR cipher is therefore sometimes used for hiding information in cases
where no particular security is required.

3.4 Steganography

Another good form of encryption is steganography which is the act of hiding data
within text, graphic files, or audio files. The purpose of this method is nobody
will know that there is a private message inside the median (photo, document, etc.)
because it is hidden. Let's say Bob wants to send private messages to Steve over a
public forum read by numerous people. Bob grabs a picture, puts a hidden message
inside and uploads it to the website. Nobody knows the message is there except for
Steve, which is able to save the picture to his computer and read the message
hidden inside. Forensic examiners will need to be looking at each individual file
to determine if steganography was used. So for example if you have 1000 pictures,
they will need to go through each and every one to determine which ones have
steganography and which ones do not.

To show how easy steganography is, I started out by downloading one of the more
popular freeware tools out now: F5, then moved to a tool called SecurEngine, which
hides text files within larger text files, and lastly a tool that hides files in
MP3s called MP3Stego. I also tested one commercial steganography product, Steganos
Suite. These tools may contain backdoors as with all encryption programs therefor
should not be used with data you are trying to hide from any party that may hold
the decryption key.

3.5 Authentication Factors

There are several types of authentication factors when accessing resources, and
most of you have only been using one of them. In the security field they are
referred to something you know, something you have, and something you are. A
username and password falls into the something you know category. This is because
you know in your mind what your username and password is. Something you have is a
physical device such as a smart card or token. Finally, something you are refers
to a fingerprint, an iris scan, or another physical feature.

The idea behind “something you know” is keeping a secret that only you know. Thus,
knowledge of a secret distinguishes you from all other individuals. And the
authentication system simply needs to check to see if the person claiming to be you
knows the secret. This method is also used between two or more persons to verify
they are whom they claim to be. This is often called challenge-response
authentication and even though it is moreso used as a token, it can be used between
several people.

If you have ever watched the movie “Bourne Ultimatum” you have already seen this in
action. Halfway during the movie, one of that characters is presented with a
Duress Challenge in which she is asked a question and depending on the response,
she is either normal or under duress. Such the same, many people can create a
similar model of authentication that moves past a simple password that can convey
duress as well as authenticate the user. For example, in the movie the challenge
word was sparrow and the response if under duress is “ruby” and the response if
normal was “Everest”.

One popular challenge-response mechanism uses tokens to authenticate the user.

These methods are becoming increasingly popular and is even employed by such
services such as Google and Truecrypt. Disconnected tokens such as those deployed
by several online services have neither a physical nor logical connection to the
client computer. They typically do not require a special input device, and instead
use a built-in screen to display the generated authentication data, which the user
enters manually themselves via a keyboard or keypad. Smart cards, other physical
tokens, and keyfiles are also methods that fall under the “something you have”
category.

Let’s say that you want to log into a system and use a detached token. You will
most likely be given a set of characters to input into the system to verify that
you are whom you say you are. So, you fire up the token and request you one-time
pin code. The server that generates the code will load up the list and select a
set of characters from the tables. In this example, we will say the challenge are
the characters H, G, A, I, P, and S (yellow). Your token will then generate a
response of J, I, C, K, R, and U (red). The server will then verify that the
response the token created matches up to the response the server expects. Once
this is complete, the server will allow you into whatever system you were trying to
access.

The third authentication type is biometric authentication as is known to be the

best form of authentication as it is the best way to determine that a person is who
they say they are. I have pasted a chart to show a comparison of biometric types
below:

Comparison of Biometric technologies[/u]

This list was comiled from NIST publications

Characteristic Fingerprints Hand Geometry Retina Iris

Face Signature Voice
Ease of Use High High Low Medium Medium
High High
Error incidence Dryness, dirt, age Hand injury, age Glasses
Poor lighting Lighting, age, glasses, hair Changing signatures
Noise, colds, weather
Accuracy High High Very High Very High High
High High
Cost * * * * * * *
User acceptance Medium Medium Medium Medium Medium
Medium High
Required security level High Medium High Very High
Medium Medium Medium
Long-term stability High Medium High High Medium
Medium Medium
Another term that is used, is: multifactor authentication. Multifactor
authentication, which is as it implies, is when the user uses two or more
authentication factors. When you are trying to access resources (such as getting
into a Truecrypt container) for example, the system requires the approval of both
factors before access is granted into the system. The combination of more than one
factor decreases the changes of someone other than yourself obtains this access.
For this reason, it is recommended as a best security practice when setting up a
protected system.

For most users reading this guide, you will only need to concern yourself with
setting up more than one factor when using TrueCrypt. Most of you are only use a
password, which is adequate for most scenarios, and is what most people use in
general. But another feature of TrueCrypt that most people don’t realize is that
it does allow for multifactor authentication. This means that you can set up
Truecrypt to utilize both a password and a keyfile (or token or smartcard) when
logging into the system. The link provided will elaborate more on key files,
security tokens, and smart cards when using TrueCrypt: Click here.

The go back to the beginning, I told you that using multiple authentication factors
are best practice, but you might be wondering to yourself, “why?” Two or more
factors further ensures that the protection of your data does not rely on a single
factor alone. For example, let’s say you have a machine that’s encrypted with
TrueCrypt. You know that the encryption employed by TrueCrypt is strong, however,
you created a password that is weak and easily guessed. This is where the
multifactor authentication comes in. The attacker might have guessed your password
but if you have another factor such as a token, the attacker will also have to have
access to that token during the entire session in order for them to get in.

Another method of attack is with the use of spyware, which is a type of maleware
that attempts to spy on you by recording everything you do on the computer. Such
the same, hardware keyloggers (which can be in the form of spyware), attempts to
record everything that you type in on a keyboard. If successful, a keylogger will
capture your password that can be used later on for an attack. To mitigate this
type of threat, you will once again rely on multifactor authentication to
authenticate you into the system. And for additional security, you can check for
new hardware devices attached to your computer and make sure that you use some sort
of anti-virus software to mitigate the threat of software installations.

3.6 Password Attacks and Account Recovery Attacks

There are several types of password attacks that people perform when trying to
decrypt informat and ion. These are known as dictionary attacks, brute force
attacks, and random guess attacks. Creating complex passwords will help prevent
against dictionary attacks. Creating long passwords will help prevent against
brute force attacks. And creating passwords that do not include your username or
any other identifiable information will help against random guess attacks. This is
why your password should be long, complex, and should not include any identifiable
information.

Another common attack that people do not usually think of is account recovery
attacks. This is when someone is trying to login into your account by attempting
to reset your password by using your account recovery questions. For this reason
you should make sure when creating security questions and answers that they are not
easily guessed or found. A good recommendation is to make the answers as
complicated as the passwords, but still can be easily remembered.

Case: The Sarah Palin email hack occurred on September 16, 2008, during the 2008
United States presidential election campaign when the Yahoo! personal email account
of vice presidential candidate Sarah Palin was subjected to unauthorized access.
The hacker, David Kernell, had obtained access to Palin's account by looking up
biographical details such as her high school and birthdate and using Yahoo!'s
account recovery for forgotten passwords.

3.7 Creating Secure Passwords

The problem with passwords is they are usually too easy to crack or they are too
hard for the users to remember. Therefore, both of these problems should be
considered when creating a new password. Start by creating a password that is at
least 16 characters. Use as many different types of characters as possible,
including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse
a previous password and never use the same password for more than one account.
Don't use password-storage tools, whether software or hardware. Make sure that your
password does not include anything identifiable such as: names, usernames, pet
names, or words in a dictionary. Lastly, make sure that the password is not too
hard for you to remember so you don't forget the password or have to write it down
or save it. Here is an example of a site that can create a secure password:
http://www.pctools.com/guides/password/.

3.8 Hashing, Hashing Collisions, and Birthday Attacks

When people refer to hashing, they are referring to a type of encryption. Hashing
is the process of creating an encrypted output that cannot be decrypted (it
performs a one-way encryption) and is used to ensure that a message or file was not
modified from the original copy. Hashing is also commonly used to help
authenticate somebody. For example, many websites store a hashed copy of your
password instead of the password in the clear. There are several types of hashing
algorithms and the newer versions are better than the outdated versions for
security purposes. SHA256 is the newest version and is recommended as of right now
when you are checking file or message hashes.

Using asymmetric encryption provides integrity as well as the already explained

confidentiality. When you successfully decrypt a message that another user sent
you, you have verified its integrity. Another way to ensure integrity is to create
the hash of a file or a message and allow people to check the hash they generate
against the hash you gave them. For example: let’s say Bob uploads a file for
Steve. Bob uploads a file and generates a hash (let’s say a value of 456) so Steve
can make sure that when he downloads the file, it was not changed along the way.
After downloading and saving the file, Steve also generates a hash of the saved
file. If Steve generates the same hash, the file was not altered. But if Steve
generates a different value (let’s say 334), than the file has been changed.
Personally, I use HashMyFiles because it is easy to use and is a standalone
program.

Also, you should know that since there are several types of encryption methods, you
need to specify which hash algorithm you want to use when verifying data. The
newer the algorithm, the better chances you have of mitigating the eventuality of
hash collision. Adding to what we talked about earlier about asymmetric
encryption, when you create a file signature for the recipient to verify the
contents they receive; they are actually decrypting the hash value of the data for
verification. So in essence, the same process for verifying the contents are the
same, with the added benefit of verifying the sender and the file when using
asymmetric encryption.

Try it out - Hashing

Downloading and save this file:

http://ocrlwkklxt3ud64u.onion/files/1343933815.txt. If the file opens up in your
browser, then save everything to a text file and save as ‘hash.txt'
Download the program HashMyFiles and start it when that is complete
Click File > Add Files and select ‘hash.txt'
Record the hash of the file (press F7 on your keyboard) * I used MD5 for this
test
Compare your hash to the hash I generated before uploading the file
(83a814a08b5edfa57c003415224f8b46)

Another good method of ensuring that a file is actually sent from someone who
claims they sent it is if they digitally sign a message using their private key.
What you need to know is that you can digitally sign a message or file without
actually sending the message or file. This is helpful if you want to share a file
in which everybody knows what the password is whilst allowing them to confirm that
it came from you.

Try it out - Digital Signatures

I am assuming that have already setup GPG and have created your Private/Public
key pair
Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type cmd in
Search Programs and Features. A black box should pop up
The command to create a digital signature is gpg --output "output file"
--local-user "user name" --detach-sign "input file". For example, I typed in gpg
--output final.sig --local-user missionman --detach-sign test.txt
To verify the digital signature, type gpg --verify "signature" "file name".
For example, I typed in gpg --verify final.sig c:\test.txt

While talking about hashing, I should mention Hashing Collisions. Hashing

Collisions occur when two distinctly different messages produce the same hash
result. Birthday attacks attempt to exploit this vulnerability by relying on the
likelihood of the collisions occurred between the random attack attempts and the
number of permutations. “As an example, consider the scenario in which a teacher
with a class of 30 students asks for everybody's birthday, to determine whether any
two students have the same birthday. Intuitively, this chance may seem small. If
the teacher picked a specific day (say September 16), then the chance that at least
one student was born on that specific day is 1 - (364/365)^{30}, about 7.9%.
However, the probability that at least one student has the same birthday as any
other student is around 70.”

3.9 Cold Boot Attacks

In cryptography, a cold boot attack (or to a lesser extent, a platform reset

attack) is a type of side channel attack in which an attacker with physical access
to a computer is able to retrieve encryption keys from a running operating system
after using a cold reboot to restart the machine. The attack relies on the data
reminisce property of DRAM and SRAM to retrieve memory contents which remain
readable in the seconds to minutes after power has been removed. Basically, when a
computer is restarted, the encryption keys (passwords) might still exist in RAM and
may be recoverable to the extent that they can be used to decrypt your device.

To simplify what I just said, cold boot attacks work like this. After you turn off
your computer, RAM isn't automatically erased when it no longer has power. Instead,
RAM degrades over time, and even after a few seconds without power, you still can
recover a significant amount of data. Researchers also found that if you chill the
RAM first, using liquid nitrogen or even a can of compressed air turned upside
down, you can preserve the RAM state for more than 30 seconds up to minutes at a
time—more than enough time to remove the RAM physically from a machine and place it
in another computer. Once inside another computer, an investigator can use that
data that is temporarily stored inside the RAM and read it.

There are a few ways to mitigate this risk. The best method is to make sure to
dismount the drive before ending the program or shutting the computer down. Most
software programs will erase the key from memory after you perform this action.
This method is the best way to prevent cold boot attacks. Shutting the computer
down cleanly should also ensure that the key is erased from memory. Another
mitigation technique is with using a security token or smart card. This can be
fooled though if the attacker grabs the key and has the token/smart card in hand.

I should mention that while cold boot attacks are present, grabbing an encryption
key from RAM is not widely used by many forensic investigators. Until recently,
grabbing these keys via RAM was thought of only as a theory and not actually
accomplishable. However, there is other data that you should be concerned with
cold boot attacks. Data such as unwritten emails, words in a test document, and
pictures can be recovered from RAM. Even if it is partial data, it can be read and
used against you.

If you are interested in obtaining data contained in RAM, there are several
programs out there that can assist you. Most of these programs are not free and do
not come with any sort of trail. You can utilize these programs after you freeze
the RAM and insert it into another machine that hosts the RAM analyzer. You may
use the same programs to Image the RAM on your own machine and you would use after
freezing and moving the RAM over. There are also Key-scanning tools that is the
second set of tools that you can use to scan the RAM image you have created for
encryption keys. The names of the tools are pretty self-explanatory. The aeskeyfind
tool searches for AES keys, and the rsakeyfind tool searches for RSA keys. Note:
AES is symmetric encryption and RSA is an asymmetric encryption.

4. Data

This section will talk about data in general: how it gets stored and what happens
when it is deleted. Furthermore, we will take about recent file lists and data
caching. Knowing how Windows and other applications handle these files will help
eliminate the risks associated with evidence left over after your session. You
will learn how to find and remove this data completely and securely from your
computer. In some instances, you will also learn how to prevent these risks from
happening altogether.

4.1 A Quick Word

In this section, we will mainly be focusing on NTFS drives. I am not saying that
the following information does not apply to XP or earlier, it just does not ALL
apply to what we are talking about. Among improvements in NTFS file systems are
increased file size potential (roughly 16TB versus 4GB for FAT32), increased volume
size potential (roughly 256TB versus 2TB for FAT32), and the recording of Last
Accessed times (in Windows NT/2k/ XP/2k3, and in Vista/2k8/7 if enabled). In
addition, NTFS uses a data structure called the Master File Table (MFT) and entries
called index attributes instead of a file allocation table (FAT) and folder entries
in order to make the access and organization of data more efficient.

4.2 Deleted Data

A common misconception that computer users have is, when you delete a file, it is
completely removed from the hard disk. However, you should know that highly
sensitive files such as pictures, passwords, chat logs, and so forth still remain
on the hard disk. Even after they are deleted from your recycle bin, they are
still located on the hard drive and can be retrieved with the right software. Take
for example when you use WinRAR to extract the file that someone sent you. The
program extracts the data to a temporary file before it reaches its destination on
your hard disk; this may lead to a data leak.

Any time that a file is deleted from a hard drive, it is not erased. When you
delete a file, the two bytes located at record offset 22 within the file’s MFT
record are changed from \x01\x00 (allocated file) to \x00\x00 (unallocated file).
The operating system uses these pointers to build the directory tree structure (the
file allocation table), which consists of the pointers for every other file on the
hard drive. When the pointers are changed, the file essentially becomes invisible
to the operating system. The file still exists; the operating system is just ready
write over them. You should also know that the deleted file’s entry is removed
from its parent index, and the file system metadata (i.e., Last Written, Last
Accessed, Entry Modified) for the file’s parent folder are updated. It is also
possible that the metadata for the deleted file itself may be updated because of
how the user interacted with the file in order to delete it (e.g., right-clicking
on the file).

There is another process when a file is deleted and is sent to the recycle bin.
Post Windows Vista (XP, 95, etc.), when a file is sent to the recycle bin, a record
in the INFO2 file is created. Starting with Windows Vista, Microsoft went away
with the INFO2 file in favor of a new method of storing deleted data. Below is a
table that shows where each record is located. Note that the <User SID>, or
Security Identifier, is the unique identifier for each user on the machine. You
can find your SID by following the steps in section 6.1 Disable Unnecessary
Accounts. *Remember though, you do not need to delete the key from the registry.

Operating System Common File Structure Location of Deleted Files

Windows 95/98/ME FAT32 C:\Recycled\INFO2
Windows NT/2K/XP NTFS C:\Recycler\<User SID>INFO2
Windows Vista/7/8/8.1 NTFS C:\$Recycle.Bin\<USER SID>\

I will not be getting into the actual process of examining the INFO2 files or the
newest file format for Windows Vista on forward. Rather, I will give a very brief
overview of what to expect when examining these two formats. Starting with INFO2,
when a file is moved to the Recycle Bin, it is typically renamed to DC#.EXT, where
“#” is an integer and “EXT” is the original file’s extension. The only thing that
you really need to know, is that when you remove an individual file from the
recycle bin, the file details are not removed from the INFO2 file. Instead, it is
simply marked as deleted to avoid the process of rebuilding the INFO2 file. It is
only when you completely empty the deleted files does the INFO2 file go away.

Moving along to Windows Vista, 7, and 8, Windows has significantly changed how the
files and corresponding details are represented when sent to the recycle bin. As
the table above illustrates, the new format still involves using the users SID but
are now found in the C:\$Recycle.Bin\<USER SID>\ directory. In this new format,
where Vista on forward begins to handle deleted files differently is that a deleted
file is renamed to $R, followed by a series of six random characters and then the
original file extension. Then a second file is created of the same name, with $1
instead of $R, containing information similar to that contained within the INFO2
file. However, this file contains only the original filename, the file’s original
size, and the data/time the file was deleted.

A great program to investigate these “Index file” is rifiuti2, a free program to

read both INFO2 files and the new file formats. You can download the program from
the official page, here: Click here.

Shadow data is the fringe data that remains on the physical track of storage media
after it is deleted, sweeped, or scrubbed. A mechanical device called a head is
used to write the data, and it is stored electronically in magnetic patterns of
ones and zeros. The patterns are in the form of sectors which are written
consecutively in concentric rings called tracks. However, head alignment is just a
little bit different each time an attempt is made to erase data, and data remnants
sometimes bleed over the tracks. This is the reason why government agencies require
multiple scrubs or burning, because there is no guarantee of complete elimination
of fringe, or shadow, data.

The only way that you can permanently delete this data is to override it with
special software or wait for the operating system to overwrite the data. There are
files on the hard disk that do not have any pointers in the file allocation table
so it will eventually be overridden with something new. Even files that are
fragmented or are partially written over are recoverable and can be used against
you. Special software will overwrite these files securely and immediately. One
such recommended software that securely cleans the white space is CCleaner and
Recuva to erase the actual data left over. As a word of note, people suggest
that's simply defragging a hard drive will overwrite these pointers; this is not
true. Drives formatted using NTFS are especially not affected using this method.
This is because of the way NTFS stores data; it essentially makes defragging the
hard drive useless.

Try it out - CCleaner

Download and install CCleaner

Open CCleaner press Tools on the left
Select Drive Wiper
Select Free Space Only in the drop-down box next to Wipe
In the security drop-down box, I recommend selecting the complex overwrite
Choose the drive letter you wish to clean and pressed Wipe

4.3 Deleteing Data Securely

As mentioned before, when you delete data, it is not actually deleted and can be
easily recovered. To prevent data from being recovered you must secure erase (or
shred) the data. What special programs do to securely erase contents from a
computer is they enumerate through each bit of data and replace it with a random
bit. The shredding method I recommend is 7 passes. This process makes the bits
unknown as recovery of this data difficult, if not impossible. This can be done
with file eraser programs, or it can be done to the entire drive with bootable
software. DBAN is recommended if you are trying to erase your entire drive. Note
however, DBAN does not erase bad sectors or HPA/DCO areas. Some programs such as
Blancco implement HPA/DCO wiping by default, other tools could allow the user to
choose whether or not to wipe HPA/DCO while other tools are not able to wipe
HPA/DCO at all.

HPA stands for Host Protected Area and is a section of the hard drive that is
hidden for the operating system and the user. The HPA is often used by
manufacturers to hide a maintenance and recovery system for the computer. For this
reason, the HPA is not a big concern, but you can securely remove data here
nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of
today’s hard drives. Similar to the HPA, the DCOs can be securely erased in such
the same way.

While recovery of information wiped out in this manner is far more difficult, and
in many cases impossible, some recovery techniques exist that specialists can
employ to retrieve some of the data. Factors such as the size of the hard drive,
the accuracy of the mechanical system in the drive, the power with which the
information was recorded, and even the length of time the information was left on
the drive prior to wiping all will have an effect on the probabilities for
recovery.

Another method is to physically destroy the hard drive to a state that is

irreparable. The best method for this is to open the hard disk and grind the
platters to obliterate all data. Another method for hard drives that use disks is
to use an industrial strength magnet to remove the data. Optical disks (CD’s,
DVD’s, etc.) can be shredded if they are not writable. Also, optical disks can be
destroyed be cooking them and is the best method for destroying data on optical
media. Cooking them however is not recommended for practicing or everyday use as
they release a toxic fume.

4.4 File Slack

To understand file slack, one first needs to understand how disks are organized at
the lowest level. As can be seen in the diagram below, disks are subdivided into a
set of tracks. These tracks are further subdivided into a set of sectors and
collection of sectors form together to make a cluster. If you write a 1 KB file
that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space
between the logical end-of-file and the physical end-of-file is known as slack
space.

The perhaps somewhat unexpected consequence from this is that the file slack
contains whatever data was on the disk before the cluster was allocated, such as
data from previously deleted files. Using file slack, it would be possible not only
to recover previously discarded (and potentially sensitive information)
information, but also to effectively hide data. The ability to hide data arises
because the operating system does not modify data within a cluster once it has been
allocated. This means that any data that is stored in the slack is safe (provided
the files size does not change). Using forensics examiner software such as EnCase
or FTK, an investigator can recover this data contained in slack space.

To wipe this slack space, I use a software called “Eraser” which has utilities to
wipe unallocated file space and slack space disk. I recommend utilizing the 3 pass
method to ensure that no shadow data exists after the process is complete. You
will notice after running the program to remove the slack space, that your secret
message you just entered is erased.

Try it out - Hiding data in file slack space

Open Microsoft Office and create a .Doc file. Enter anything you like.
Download and install your favorite Hex Editor. I Hex Workshop Hex Editor is a
good one and will fulfill our purpose for this example.
Start the program. I will be covering the steps when using Hex Workshop.
Select the file that you just created and load it in the program. The hex
output will appear in the main portion of the screen
Once the file opens, click on Edit/Find to open the Find dialog box.
In the Find dialog box, click on the drop-down box next to “Type:” and select
“Text String.” Enter the part of the text you entered in the first step.
On the right side of the screen, navigate to a blank line and remember that
position. On the blank line, type a secret message.
Click on File/Save As and save the file to whatever you want (IMPORTANT: Save
as Word 97-2003 format)
Close Hex Workshop and open MS-Word
In MS-Word, open the new file you just created in the Hex Workshop
Confirm that your hidden message is not visible within MS-Word

4.5 Alternate Data Streams

ADS’s, or Alternate Data Streams, have been around since the very beginning of the
NTFS file system. The invention was attributed to help support Macintosh
Hierarchical File System (HFS) which uses resource forks to store icons and other
information for a file. However, using ADS’s, you can hide data easily that will
go undetected without specialized software or close inspection. This method
requires nothing more than a Windows device that is formatted using NTFS – which is
practically everyone now. It works by appending one file to another whilst hiding
the sensitive data from view and keeping the file size of the original data. You
need to know, that you hidden file is in no way encrypted. So, if an attacker
knows the file is there, he will be able to read the contents.

A few commands before we get started:

CD – Change Directory (cd \path\to\change\to or cd .. to reverse one directory

or cd C:\Absolute\Path)
DIR – List contents of directory (dir to show current folder or dir \folder)
TYPE – Used to view small files
Echo – Display text or write to a file
Start – Starts an executable program

Let’s start with the basics, hiding a text file within a text file:

Open command prompt. Start > Run > type “cmd”

When opened, the directory is C:\Windows\System32. Change this directory to
C:\ by typing cd C:\
We are going to create our first text file and write data into it. The command
to do that is echo This file is seen >seen.txt. If you get an Access Denied error,
you might need to run cmd as Administrator or change the directory to your home
directory (cd C:\Users\%YourUsername%\Documents). You can test to see if the file
was created and if data was written to it by using type seen.txt[/li]
Now we will use a colon as the operator to tell our commands to create or
use an ADS. Type: echo You can't see me>seen.txt:secret.txt
To read the file you will want to use the following syntax: type
seen.txt:secret.txt
Unfortunately, the use of the colon operator is a bit hit or miss in its
implementation and sometimes does not work as we might expect. Since the type
command does not understand the colon operator we will have to use notepad to read
the file: notepad seen.txt:secret.txt
If it all worked correctly, you should see the contents of secret.txt. You
should also note that the file size did not change what you added the secret.txt
file
You should also note that you can hide data inside a directly as well.
Type md test to create a directory and cd test to navigate to that directory. Then
using the same syntax as above, we will hide our data by typing this: echo Hide
stuff in a directory>:hide.txt
You can test to see that the file is hidden by listing all the files in the
directory by using the dir command. To open the file you will just enter
notepad :hide.txt

So, now you have successfully hidden two files from view! But that is only the
beginning as there are many more nifty features that can be used on the NTFS
system. For the next example, we will be hiding executable files within a text
file that can be run using the start command. This method is actually not much
harder than then the method above:

Open command prompt. Start > Run > type “cmd”

When opened, the directory is C:\Windows\System32. Change this directory
to C:\ by typing cd C:\. Again, you may need to change your directory to your
documents folder or something similar: (cd C:\Users\%YourUsername%\ Documents)
First, we are going to make a file to write to: echo Test>test.txt. you
can check the size of the text document by typing in dir test.txt
Next, we are going to hide an executable in the test.txt file: You can find
any file that you wish to run. For this example, we will be using notepad: type
notepad.exe>test.txt:note.exe. So, what we just said was copy and rename the
program notepad.exe to note.exe and add it the text document test.txt. Again, to
make sure the file size did not change, you can check the size of the text document
by typing in dir test.txt
To run the file, you will type in: start .\test.txt:note.exe

Finally, the last thing we will talk about is hiding videos in ADS’s. This
method is the same as the above methods, however you will need to call the actual
video player to play the videos.

Open command prompt. Start > Run > type “cmd”

When opened, the directory is C:\Windows\System32. Change this directory
to C:\ by typing cd C:\. Again, you may need to change your directory to your
documents folder or something similar: (cd C:\Users\%YourUsername%\ Documents)
Make sure that a video exists in the same directory. The command to hide a
video inside a text document is this: type "hello kitty.avi" >"sample.txt:hello
kitty.avi". When dealing with files that include spaces, you always want to use
quotes. And obviously, replace the file names with your own.
Now, to play the video, you will need to know the exact path of the video
player. Here is a sample syntax to open the video with Windows Media Player:
"C:\Program Files\Windows Media Player\wmplayer.exe" " sample.txt:hello kitty.avi".
This tells Windows to use wmplayer.exe to play “hello kitty.avi” that is hidden in
sample.txt

4.6 Where to Hide Your Data

HPA: Host Protected Area is an area of a hard drive that is not normally
visible to an operating system and is protected from user activity. To hide data
there, you will need to write a program, or find a program, to write information
there.
MBR: The Master Boot Record only requires a single sector thereby leaving
62 open sectors for hiding data
Partition slack: File systems store data in block, which are made of
sectors. If the total number of sectors in a partition is not a multiple of the
block size, there will be some sectors at the end of the partition that cannot be
accessed by the operating system using any typical means.
Volume slack: If the partitions on a hard drive do not use up all of the
available space, the remaining area cannot be accessed by the operating system by
conventional means (e.g., through Windows Explorer). This wasted space is called
volume. It is possible to create two or more partitions, put some data into them,
and then delete one of the partitions. Since deleting the partition does not
actually delete the data, that data is now hidden.
File slack: This is the unused space between the end-of-file marker and the
end of the hard drive cluster in which the file is stored.
Unallocated space: Any space in a partition not currently allocated to a
particular cannot be accessed by the operating system. Until that space has been
allocated to a file, it could contain hidden data.
Boot Sector in non-bootable partitions: Every partition contains a boot
sector, even if that partition is not bootable. The boot sectors in non-bootable
partitions are available to hide data.
Good blocks marked as bad: It is possible to manipulate the file system
metadata that identifies bad blocks (e.g. the File Allocation Table in a FAT file
system or $BadClus in NTFS) so that usable blocks are marked as bad and therefore
will no longer be accessed by the operating system. Such metadata will produce
blocks that can store hidden data.

4.7 Changing File Headers to Avoid Detection

Major forensic software use two methods for identifying file types: file
extensions (.exe, .jpg, .txt) and file headers (characters at the beginning of the
file). A person trying to hide an image might simply change the extension from
.jpg to .zip to try to fool an investigator. Most people will try to open the
file, but they will encounter an error and they will probably move on to the next
file. As this method might work on somebody whom doesn’t have specialized software
to view the header information, it doesn’t fool those whom use products such as
EnCase. This is because, as I said before, there is another method to determine to
type of file they are reviewing. Yet, if the file extension and the header
information matches, they might look over the file completely as it might not be
the file type they are looking for.

When forensic investigator looks at a file that has a mismatch between the
extension and the file header, he might get suspicious and further investigate the
discrepancy. For this reason it is important to change both file extension and
header information to match. By changing this information, you can effectively
hide whatever it is you are trying to hide. You should note however, if an
investigator opens the file with the correct program, he will still be able to view
the contents of the file. For example, you can change a .jpg’s extension and
header information to a .txt, but if the file is opened in Picture Viewer, you will
still be able to see the picture.

First things first: change the file’s extension. For this example, we will be
changing a .rar to an .exe. So find a .rar file on your machine and change the
extension to exe. This part is the easiest part and can be done in only a few
seconds:

Start Windows Explorer and navigate to the folder that contains the file
you wish to hide
If you do not see the file extensions, you might have to change a setting
to view them. For XP and 7, you will click Tools > Folder Options > View and
uncheck Hide extensions for known file types
Once you can see the file extension, you can now right-click the file and
click Rename to change the file extension

I should also note that for the first couple of times before you feel
comfortable testing this out on your own, to use a file that you don’t want or to
create a copy of a file to test this on. The next part is to change the header
information of the same file you just changed the extension for. This is done with
a program that you can freely download over the internet. For this example, I am
using HxD Hex Editor and can be downloaded from here and modifying a .rar file.

Open HxD Hex Editor, click File > Open, select the file, and click Open
You will notice that the hex view shows the file header for .rar files are
52 61 72 21 in hexadecimal and Rar! In ASCII (Figure 1). This is the information
you are going to change
Click you cursor right before the first hexadecimal character on the left,
the 5. Now, when you start typing, the new characters will replace the existing
characters and they will appear red
To change the file signature of this RAR archive we simply take the file
signature of an executable file and add it to the start of this file. In this case
I will add 4D 5A to the start of the file (Figure 2)
Save the file
 This technique will fool the forensics software as it will not return the file
when it is looking for .RAR files. However, even though you change the file type,
you may not be able to fool the investigator depending on when is contained inside
the file. Changing .doc or .docx files to .jpegs for example might not be the best
idea in the world as they can still see all the text contained within the document.
.RAR files might also contain the filename even though encryption is enabled if
Encrypt file names is not used.

4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser
Cache

A swap file allows an operating system to use hard disk space to simulate extra
memory. When the system runs low on memory, it swaps a section of RAM that an idle
program is using onto the hard disk to free up memory for other programs. Then when
you go back to the swapped out program, it changes places with another program in
RAM. This feature ensures that Windows is usable when memory runs out. Even though
this feature is helpful, sensitive information might be contained within the swap
space that could incriminate you.

Let's say you download sensitive material and after you were done with it, you
delete it securely. If you ran out of memory (RAM) the temporary data might have
been saved to swap space thereby rendering your method of removing the file
useless. The best way to attack this problem is to disable paging altogether
while viewing sensitive information. If you are using applications that use large
amounts of memory, you can turn paging back on during your session.

Try it out - Disable paging

Open the Start Menu and go to Control Panel
Click on the System icon
Select the Advanced tab
Under Performance, click Settings
Go to Advanced
Under Virtual Memory, click Change
Select No Paging File and then click Set
Click OK in all the menus
Restart
To enable paging again, simply select Automatically manage paging file size
for all drives

ReadyBoost is another caching feature introduced in Windows Vista and was

continued with Windows 7. It works by using flash memory, a USB flash drive, SD
card, CompactFlash or any kind of portable flash mass storage system as a cache.
Data that is written to the removable drive is encrypted using AES-128bit
encryption before written to the drive. This means that an examiner who recovers
the drive with the ReadyBoost information will find it difficult to decipher this
data.

Another way that Windows operates under the surface is when creating temporary
internet files. Temporary Internet Files is a folder on Microsoft Windows which
holds browser caches. The directory is used by Internet Explorer and other web
browsers to cache pages and other multimedia content, such as video and audio
files, from websites visited by the user. This allows such websites to load more
quickly the next time they are visited. Not only web browsers access the directory
to read or write, but also Windows Explorer and Windows Desktop Search.

You can see how this is a problem if you ever want to download (or view)
pictures or files that contain sensitive material. Furthermore, other applications
might use temporary files when handling content. For example, when I talked about
WinRAR earlier, I explained that when you unpack data from an archive, the program
creates a temporary file on your file system before it is moved to its destination.
The only way around this (excluding internet cache) is to periodically wipe slack
data as stated before. When dealing with internet data, you should be concerned
with deleting internet cache and cookies. More information can be found here:
http://support26v5pvkg6.onion/index.php?topic=1046.0

Try it out - Delete internet cache

Start Firefox
Click Tools (if you do not see the menu-bar press the Alt key on your
keyboard. The menu-bar should appear.)
Click Options
Click Privacy
Select TorBrowser will: Use custom settings for history and check Clear
history when TorBrowser closes

Note: There are several other vulnerabilities that you need to be aware of
concerning web browsers. I will not be covering those in this security guide and
they have been thoroughly explained in another.

Note 2: You can change the location where WinRAR extracts the temporary data
to. Navigate to Options > Settings > Paths. You can change the path under Folder
for temporary files.

4.9 Temporary Application Files and Recent File Lists

Every time you open up a file from Windows Explorer or the Open/Save dialog
box, the name of the file is recorded by Windows. This feature was introduced
into Windows and other applications to make those applications more user friendly
by allowing easy access to those recently used files. Such the same, some
applications create cache that is stored on your computer so the application can
run faster the next time it is loaded or a specific project is being worked on.

Recent file lists and application caching does make the experience more
friendly, but it also added security risks. If for example, someone took a video
and loaded it into a video editing software. The software might take pieces of the
video and save it to your hard drive for fast access. The same goes for viewing
videos/images that are sensitive by nature. Whoever is looking at the recent files
list for your computer, will know what the names of files are as well as possibly
knowing the location of those files.

First we are going to talk about what is known as thumbnail caching.

Thumbnails are the little pictures that are loaded for every file in Windows
Explorer as a little “preview” of sorts. A thumbnail cache is used to store
thumbnail images for Windows Explorer's thumbnail view. This speeds up the display
of thumbnails as these smaller images do not need to be recalculated every time the
user views the folder. You can see where this is a problem when you open a folder
containing sensitive pictures or videos. Thumbnail caches are stored in thumbs.db
files and the locations will vary depending on the Operating System. In Windows
XP, the thumbs.db files will be stored in every folder.

Windows 7 and Vista saves all the thumbnails in a central location. The cache
is stored at %userprofile%\ AppData \Local \Microsoft \Windows \Explorer as a
number of files with the label thumbcache_xxx.db (numbered by size); as well as an
index used to find thumbnails in each database. This makes it easier for us to
locate and remove the caches of these thumbnails. You can use CCleaner to remove
the existing cache. I recommend using this page to enable/disable thumbnail
caching. Click here

Try it out - View thumbnail cache

 Download Thumbcache Viewer from here
Start the program and press File > Open
Locate you thumb files, select them, and press Open
The images that were cached will populate in the listbox. Select a file to
view the image preview

Try it out - Delete thumbnail cache using CCleaner

Open CCleaner
Make sure Thumbnail Cache under Windows Explorer is check
You can set all security setting in the Options > Settings menu
Click Run CCleaner

Another feature of Windows and several applications is recent files lists.

There are several locations where these lists can appear, yet there are only two
ways they are saved: the registry or as a file. Windows XP saves file names in
the registry and a centralized location in Windows Explorer whereas Windows 7
introduces yet another list known as a "jump list" which can also be cleaned by
using CCleaner.

Jump Lists appear on the Start menu as well as on the Taskbar when you right-
click on an icon. You can use it to perform specific actions, but for security
purposes, it can record files that were recently opened.

Try it out – Disable jump lists

Right-click the Start Menu and click Properties
Expand the Start Menu tab
Uncheck Store and display recently opened items in the Start menu and the
taskbar[b]
Click OK

CCleaner erases most all (if not all) of the recent file lists for Windows as
well as for a few other applications. Listed below are common locations where
these recent file lists and application caches can be found at (I would look into
winapp2.ini for more locations which is an add-on for CCleaner):

Registry:
(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\ RecentDocs
(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\
ComDlg32\OpenSaveMRU
(Windows) Software\Microsoft\ Windows\CurrentVersion\Explorer\ RunMRU
(Windows) Software\Microsoft\MediaPlayer\Player
(Windows) Software\Microsoft\ Internet Explorer\TypedURLs
(Media Player Classic) Software\Gabest\Media Player Classic\Recent File
List
(Media Player Classic) Software\Gabest\Media Player Classic\Settings

Files:
(Recent file list) %appdata%\Microsoft\Windows\Recent
(Jump list) C:\Users\<user
name>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
(Temp data – Vista/7) C:\Users\<user name>\AppData\Local\Temp
(Temp data – XP) C:\Documents and Settings\<user name>\Local
Settings\temp

Note: Note: Other applications include PrivaZer for Windows and Bleachbit for
Linux.

Try it out - Setting up CCleaner

 Download and install CCleaner to your machine. Make sure when you download
CCleaner from the internet, as with all programs, you download from the
manufacturer's website only. The link has been provided for you:
http://www.piriform.com/ccleaner/download/standard
Once the program is open click the Options button on the left hand side of
the window
Next, click on Settings
Make sure that Secure file deletion (Slower) is checked, Complex Overwrite
(7 passes) is selected in the dropdown box and Wipe MFT Free Space is checked. Very
Complex Overwrite can be selected instead of Complex Overwrite. The Complex
Overwrite is the minimum you should choose
Click Cleaner on the left
Make sure they all the items are checked under Windows Explorer

Another thing I do is set CCleaner to perform a clean when the user logs into
the machine and every hour thereafter. Cleaning your computer automatically will
help with managing this program as you will not have to remember to manually run
the program every so often. One drawback with this method however is if an
application is using temporary data that is erased by CCleaner, the application
might perform incorrectly or stop working altogether.

Try it out - Setting up CCleaner to automatically run (Windows Vista/7)

Start CCleaner and select Options on the left
Check Save all settings to INI file under the Advanced tab
Open the Start Menu and enter Task Scheduler into the search box
Click on the Action header in the menu bar and select Create Basic Task
Follow the steps of the wizard to create the task. In the first window,
name the task and give it a description to help you remember what it is later
On the next page, select how often you want this to run. I checked the When
I log on check box
Select the option labeled Start a program on the next page
Hit Browse and navigate to the directory you installed CCleaner to. Add
/AUTO to the text field labeled Add arguments
Click Finish

Finally, for those of you who switched to Windows 8 should know about the app
data. Windows 8 for starters has made significant strides over Windows 7 in
respects to the interface. They have added the Metro interface which hosts a
plethora of apps that can possibly leak important data. Two such apps are the
Windows Photos and Windows Video. When viewing a photo or video, you can
immediately see that the photo or video cap is cached as they are still apparent
even after the material is deleted. Obviously, you can see the glaring issue with
this when it concerns security.

I have not too much research on the matter, so I am going to be brief. For
starters, all your apps are located in your appdata folder. Specifically, the
folder paths are as follows (per user settings):

Location of all your apps: C:\Users\"Username"\AppData\Local\Packages

Windows Photos:
C:\Users\"Username"\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\Lo
calState

When the app is closed the cached images no longer appear on the Metro
interface. Furthermore, the cached images don't appear when you open the app
again. I did some more investigating into Windows Photos and notice that several
files get increasingly larger after I view images in the Windows Photos app –
even after the app is closed. Specifically, those files are the
Microsoft.WindowsLive.ModernPhotos.etl, Microsoft.WindowsLive.ModernPhotosLast.etl,
and ModernPhoto.edb. Other files exist that show the last 5 images that were
cycled through on the Windows Photos Metro app. These files are LargeTile1(through
5) and SmallTile1(through 5). The latter files should not be an issue unless they
contained sensitive images.

I cannot read what is actually contained within the files themselves, but I can
be reasonably sure that with everything Windows, image previews are being cached
and stored to limit I/O usage and speed up the loading process. Saying this, it is
recommended that you delete these files securely if you accidently – or purposely
– open pictures using the Windows Pictures app (and it is going to happen, trust
me). To do this you should close the Pictures app (from the gesture on the left
side or the task manager) and securely erase those files using a program of choice.

When setting up a user profile in Windows 8, if you gave your actual name when
creating the Hotmail profile you used when logging into Windows 8, that name will
be automatically embedded as metadata in a variety of documents. So make sure that
you have a metadata cleaner if you plan on uploading anything sensitive. If you
use Bing which is the default search provider and included pre-installed as an app,
you should know that Bing creates a separate web history of its own and stored the
data over the internet. So make sure that anything sensitive gets purged. People
also expressed concerns with ReFS, which is not used on Windows 8 devices moreso is
it used with Windows Server 2012 (Windows Server 8). Also, with the advent of
Office 2013, the default location that the documents will be saved is Windows
Skydrive; so you can see how that might be a security concern if you save something
sensitive without looking. Concerning content saved to Windows Skydrive, here is
part of Microsoft's TOA:

Quote

You will not upload, post, transmit, transfer, distribute, or facilitate

distribution of any content (including text, images, sound, video, data,
information or software) or otherwise use the service in a way that:

• depicts nudity of any sort, including full or partial human nudity, or
nudity in nonhuman forms such as cartoons, fantasy art or manga.

• incites, advocates, or expresses pornography, obscenity, vulgarity,

profanity, hatred, bigotry, racism, or gratuitous violence.

So, they scan your documents (and pictures) for anything that violates its TOA,
and if they find anything, you are banned and possibly facing criminal charges.
Hotmail accounts and Windows 8 account will have to be re-created, your XBOX live
and Skydrive account will be disabled as well. They also actively scan for child
pornography so make sure you don't accidentally save to a Skydrive account either.
This seems like a huge invasion of privacy digging deep within all your documents
and pictures (even if it is automatic) and the repercussions can be immense.

4.10 Shellbags

When you open a folder in Windows Explorer and customize the GUI display
Windows uses the Shellbag keys to store user preferences. Everything from visible
columns to display mode (icons, details, list, etc.) to sort order are tracked. If
you have ever made changes to a folder and returned to that folder to find your new
preferences intact, then you have seen Shellbags in action. In the paper “Using
shellbag information to reconstruct user activities”, the authors write that
"Shellbag information is available only for folders that have been opened and
closed in Windows Explorer at least once.” So basically, if you visit that folder,
a shellbag is created.
 Thanks to the wonders of Windows Registry last write timestamps, we can also
identify when that folder was first visited or last updated (and correlate with the
embedded folder MAC times also stored by the key). In some cases, historical file
listings are available. This means that even if you dismount a drive (let’s say
you are only using a TrueCrypt container) or delete a folder, the folders that you
opened will still be recorded. Normally, this would not be an issue because just
the folder names are recorded here, but if you name your folder to that of
something sensitive and the name alludes to criminal activity, you will be in
trouble.

Registry Keys

Windows uses the following Registry keys to save the folders information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Classes\Local
Settings\Software\Microsoft\Windows\Shell (Only in Windows Vista)

If you are curious as to what forensic data can be found out by using
shellbags, a good program to view all of the shellbags is Shellbag Analyzer and can
be found here. You can also remove the shellbags that contain sensitive
information that you wish not be found.

To disable them all together you can do this:

Navigate here in the Registry (if you do not know what you are doing, then I DO
NOT RECOMMEND THIS): [HKEY_CURRENT_USER\Software\Classes\Local
Settings\Software\Microsoft\Windows\Shell]

Left-click on the Shell key and in the right pane, if you can see BagMRU Size
then there is no need to undertake this step. If it isn't there however, right-
click and select New>DWORD 32-bit Value and name it BagMRU Size. Now set this value
to 0 in Decimal view. In Windows 8, set the value to 1 (thanks to whomever pointed
this out to me).

4.11 Prefetching and Timestamps

To start, there is a feature that began with Windows XP that is known as

Windows Prefetching. Windows Prefetch files are designed to speed up the
application startup process. Prefetch files contain the name of the executable (the
program you are running), a Unicode list of DLLs (Dynamic Link Libraries; files
that supports the program in order to run) used by that executable, a count of how
many times the executable has been run, and a timestamp indicating the last time
the program was run. This means that if you are trying to use programs such as
TrueCrypt or secure deletion programs or other file encryption programs, a Prefetch
file will be created thus alerting the forensic investigators. This is not usually
an issue unless you are trying to counter forensic techniques without letting the
investigator know.

An example where Prefetching is troublesome is when you are trying to change

the Windows Timestamps for files. Every time a file is created, accessed, or
modified a Timestamp is created. Changing the timestamps are a good idea to throw
the investigators off. Also, it is easy to change as there are programs that can
do that for you. A popular program is TimeStop; but an investigator can
investigate the Prefetch file and determine that the program was run. When this
happens they can be reasonably certain that the timestamps were changed
maliciously. So, before you download the file I would pack the file using a
program such as UPX (Ultimate Packer for eXecutables). This will change the hash
of the file so the investigator does not know TimeStop was used when examining the
Prefetch files.

4.12 Event Logs

Event logs are special files that record significant events on your computer,
such as when a user logs on to the computer or when a program encounters an error.
Whenever these types of events occur, Windows records the event in an event log
that you can read by using Event Viewer. An investigator can determine security
related information (These events are called audits and are described as successful
or failed depending on the event, such as whether a user trying to log on to
Windows was successful), application and service information, and more. As
security information is not incriminating, investigators can tell when you
attempted to log in and out of the computer, which can correspond to suspected
times. Also, application data might not be incriminating, but depending on what
the application actually logs, file names and other incriminating evidence might be
recorded.

Try it out – Erase event logs

Open the Start Menu and go to Control Panel
Click on Administrative Tools and open Event Viewer
Expand Windows Logs on the left
Right-click Application, Security, and System and click Clear Log…

4.13 Printers, Print Jobs, and Copiers

There are several things that you should be concerned about when printing
sensitive documents. Print data might be left on your computer, on the printer's
hard drive, or through transit. Before you can know where to look, you must first
know how Windows prints a document. When you send something to a printer the
document is first spooled and two files are created in the
c:\windows\system32\spool\printers folder. These two files are the shadow file and
a spool file. The files are named as complimentary pairs; for example, one job
sent to the printer results in the creation of one FP00007.SDH file and one
FP00001.SPL file for the same job, while the next job will create FP00002.SDH and
FP00002.SPL.

The shadow file (.SHD) can contain information about the job itself, such as
the printer name, computer name, files accessed to enable printing, user account
that created the print job, the selected print processor and format, the
application used to print the file, and the name of the printed file (which can be
the URL if a file is printed from the web). All of this data can be seen in
Unicode using a hex editor or forensic software.

Spool files (.SPL) on the other hand contain the actual data to be printed.
This means that if you print a picture for example, a copy of the picture is
created and temporarily stored in the spool folder. Next, the print job is finally
sent to the printer and both the .SHD file and the .SPL file are deleted. If there
is an error whereas the document waits in the queue list, these files can easily be
read and the contents of the file revealed. It is also important to note that
these two files were deleted insecurely, so there is the possibility of recovery.

Since 2002, every copier has the capacity to store copies of the documents that
are copied or printed. Furthermore, copiers mark the documents they copy with a
hidden code to provide an identifier for the copier. This means that printed
documents and copies might be stored on the printer's hard drive, or they might be
recoverable if they were already deleted. There is also a security concern whereas
printed documents can be tied to specific printers. Lastly, print documents can be
captured if you are sending them to a printer that is located over the network.
Currently, it is up to the manufacturer to provide security when sending jobs to a
printer.

Try it out - Read spool data

I am going to assume that you already have a printer installed on your
machine
Disconnect the printer's power source. This will allow us to view the .SHD
file and the .SPL file
Send a print job to that printer that you just disconnected
Open Windows Explorer and in the address bar, type in %windir%\
System32\spool\PRINTERS
You should notice the two files I mentioned: a .SHD file and a .SPL file.
If you have more than two files, then you might have additional print jobs in the
queue
Select the file with the extension .SPL, right-click and select Copy.
Paste the file in the location of your choice.
Download and install the program SPLView from the manufacturer's website:
http://www.lvbprint.de/html/splviewer1.html
Either open the file from within SPLView, or if you associate the .SPL
extension with the program, you can simply double-click the file
To view SHD file, I recommend downloading a using SPLViewer:
http://www.undocprint.org/_media/formats/winspool/splview.zip. If the file is
locked, you can follow Try it out – removing services in section 5.2, and disable
the Print Spooler service
Turn the printer back on to finish printing the document or delete the
files when the Print Spooler service is stopped (Try it out – removing services
in section 5.2)

4.14 Cameras, Pictures, and Metadata

Metadata may be written into a digital photo file that will identify who owns
it, copyright & contact information, what camera created the file, along with
exposure information and descriptive information such as keywords about the photo,
making the file searchable on the computer and/or the Internet. Some metadata is
written by the camera and some is input by the photographer and/or software after
downloading to a computer.

EXIF information, the Exchangeable Image File format, describes a format for a
block of data that can be embedded into JPEG and TIFF image files, as well as RIFF
WAVE audio files. Information includes date and time information, camera settings,
location information, textual descriptions, and copyright information. In some
instances, especially with the use of cameras in cell phones, the location where
the picture was taken might also be embedded with the use of geocaching.
Furthermore, the images contain metadata images themselves that can reveal the
image before any editing was done. This information should be removed before the
photo is shared with someone else or stored unprotected.

To remove EXIF information from an image, or a batch of images, you will need
to get a special program that strips this data. I recommend the program
BatchPurifier that can remove this information from batch of files or a single
file. A good program to read EXIF information from PEG, TIFF and EEIX template
files is Opanda IEXIF. If you want to remove metadata from a RAW image, you will
need to get a separate program such as Exiv2. Opanda IEXIF can’t remove the data,
but it can show you what data is contained within each picture that you take
(unless you purchase the professional version).

You cannot stop cameras from recording metadata and embedding them in pictures,
so the above steps are the only way to ensure the pictures are clean. To further
clean the image that you took, you will want to crop and remove identifiable
information contained within the actual pictures itself. The best program that can
do this is Adobe Photoshop, but a good, free program is Gimp. Identifiable
information should include names, faces, logos, labels, prescriptions, anything
that includes handwriting, toys specific to a particular regions or store, etc.

It is also important to know that digital cameras leave a telltale fingerprint

buried in the pixels of every image they capture. Now forensic scientists can use
this fingerprint to tell what camera model was used to take a shot. Furthermore,
these scientists can tell the specific camera that took a specific picture if they
had the camera in hand. I would either use a separate camera for on-topic material
or change the photo by either resizing or re-rendering the image after making
global changes (blurring, filtering, etc.). Photoshop, Paint.Net, or GIMP are all
good program that enable you to edit a photo without making changes to the
original. This allows you to go back and make further changes (or undo changes) in
the future if needed.

You should also know that pictures are not the only material that can contain
sensitive information. Documents can include Microsoft Office® documents (Word,
Excel, PowerPoint), OpenOffice.org documents, PDF documents, and popular image and
media file types such as JPEG, JPEG 2000, PNG, SVG, AVI, WAVE, AIFF, MP3, MP4, and
F4V. It is best to either remove the data from these files before sharing them or
it is best not to share them all together. You should know that changing the file
extension does not trick the investigators. They use file header information to
gather pictures/videos. Click here for a good list.

For example: When we look at a jpeg header there are multiple parts we can use
to identify the type of image and formats used. The first part to look at is the
first two bytes of the file. The hex values FF D8 will identify the start of the
image file. This is often enough to know that you have an actual JPEG file. The
next two bytes are the Application marker typically FF E0. This marker can change
depending on the application used to modify or save the image. I have seen this
marker as FF E1 when pictures were created by Canon digital cameras. The next two
bytes are skipped. Read the next five bytes to identify specifically the
application marker. This would typically be 4A 46 49 46 (JFIF) and 00 to terminate
the string. Normally this zero terminated string will be "JFIF" but using the
previous example of Canon digital cameras this string will be 45 78 69 66 (Exif).
Most image editors handle all JPEG formats unless a proprietary format is used that
does not follow the JPEG standard.

Case: During an investigation into an internal child porn ring, detectives

tracked down a toy bunny, seen in a photo, was used to trace the suspect to
Amsterdam. Investigators have discovered that the bunny was a character in a
children's book popular in the Netherlands. The detective also traced the boy's
orange sweater to a small Amsterdam store that had sold only 20 others like it.
That led to the capture and arrest of 43 other individuals.

As we are talking about pictures, you should also be concerned what is in the
pictures themselves. Law Enforcement Agencies have teams of analysts that pick
apart background data to determine names, addresses, geographic data, demographics,
and etc. As the case provided, detectives were able to determine where the suspect
lived based on a toy bunny and an orange sweatshirt as seen in one of the photos.
You should attempt to remove all information that includes names, dates, addresses,
paraphernalia or anything in nature that is region specific, or anything else that
can be identifiable. Tattoos, and other body parts (not specific to the face) are
identifiable too. For example, characteristics on the genitalia can be linked to a
specific person. Recently, somebody was taking photos of his underage daughter and
posting them online. The problem is he posted one with a clear view of a
prescription bottle in the background and got busted. They were able to use that
information to locate the individual.
 When editing a photo for the first time, I usually crop the sides of the image,
add blurring (even though some investigators have recently been able to reverse the
blurring process and render this useless) and the halo effect, smooth physical
features of adults, remove items that are identifiable, and sometimes replace the
background altogether. If you really want to get involved, you can change physical
features such as eye or hair color. Doing this will not trick an investigator, but
it will obscure the features of a photo making it harder for someone to identify
you. Also, if done correctly, it will enhance the photo visually and the
presentation will be much better.

4.15 USB Information

Whenever a device is plugged into the system, information about that device is
stored in the registry and the setupapi.log file (Windows XP and earlier). The
registry key can be found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file
can be found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will
contain information about every device that was plugged into your computer via the
USB. The setupapi.log file contains information about device changes, driver
changes, and major system changes, such as service pack installations and hotfix
installations.

To delete this registry key and or subkeys you must first right-click the key
and choose permissions. You can then set the "everyone" group with full permission
to the key or subkeys so that they can then be deleted. I'm sure it isn't too
difficult to whip up a script or piece of software to automate this. Also, if you
have system restore enabled, the information might be contained in there as well.
The setupapi.log file should be securely deleted as you would with anything
sensitive. As pointed out to me by a forum that I frequent, here is a program that
will do this for you: https://code.google.com/p/usboblivion/.

4.16 SSD - Solid State Drives

Unlike HDDs, SSDs have a feature known as a garbage collector wherein cells
that are marked to be deleted are permanently erased in the background, usually
within several minutes of being deleted. It is important to know that this process
happens on the SSD hardware level, so simply leaving the SSD powered on regardless
if it is attached to anything will result in the destruction of the data (also
known as self-corrosion). Even though SSD's implement garbage collecting,
encrypting or securely deleting the device is hard.

SSD's use load balancing, which is a feature that evenly balances I/O
operations between allocation pools. This means that when you attempt to encrypt or
delete a bit of data, it will move past the actual to the next bit. Also, SSDs
should not be encrypted using programs that are meant to encrypt HDs because of
another feature called "wear leveling". TrueCrypt for example recommends that
"TrueCrypt volumes are not created/stored on devices (or in file systems) that
utilize a wear-leveling mechanism (and that TrueCrypt is not used to encrypt any
portions of such devices or filesystems)". You should know however, that was
referring to existing data already stored on the hard drive. New data that has not
been written to the disk will be secured because it is encrypted before physical
storage on the hard drive. This still can allow for data leaks, so it is still not
recommended.

On the SSDs you cannot save to a specific sector on the drive therefor if it
theoretically possible that there are multiple instances of the same data stored on
the drive. Let's say for example that you change the TrueCrypt volume header; the
old header might still be accessible on the drive as you cannot write over it
individually. An attacker, knowing this information can attack the container using
the old header information.

4.17 Forensic Software Tools

Category of Tools Examples

Chat recovery tools Chat Examiner
Computer activity tracking tools Visual TimeAnalyser
Disk imaging software SnapBack DatArrest, SafeBack, Helix
E-mail recovery tools Email Examiner, Network and Email Examiner
File deletion tools PDWipe, Darik's Boot and Nuke, Blancco
File integrity checkers FileMon, File Date Time Extractor, Decode-Forensic
Date/Time Decoder
Forensic work environments X-Ways Forensics
Internet history viewers Cookie Decoder, Cookie View, Cache View, FavURLView,
NetAnalysis, Internet Evidence Finder
Linux/UNIX tools Ltools, Mtools
Multipurpose tools and tool kits Maresware, LC Technologies Software,
WinHEX Specialist Edition, ProDiscover DFT, NTI Tools, Access Data, FTK, EnCase
Partition managers Partimage
Password recovery tools @Stake, Decryption Collection Enterprise, AIM
Password Decoder, Microsoft Access Database Password Decoder, Cain and Able,
Ophcrack
Slack space and data recovery tools Ontrack Easy Recovery, Paraben Device
Seizure 1.0, Forensic Sorter, Directory Snoop
Specialized software for analyzing registries, finding open ports, patching
file bytes, simplifying log file analysis, removing plug-ins, examining
P2Psoftware, and examining SIM cards and various brands of phones Registry
Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer, Vision, Autoruns, Autostart
Viewer, Patchit, PyFlag, Pasco Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager
for Nokia phone, SIM Card Seizure
Text search tools Evidor

5. Continuity

Service and data continuity is the activity performed by you to ensure that
files and services will be available to yourself and others for the applicable
lifetime. There are several methods to provide continued support including:
backing up data, using controls and techniques to restrict access, and implementing
controls on servers, networks, and other devices. This step is often overlooked
when securing your information but assures availability is met.

5.1 Security Concerns with Backups

To start, Windows backup and restore is a feature of Windows and does exactly
as it implies; it backs up your data. Without much explanation, there are three
types of Windows backups: full, differential, and incremental. A full backup
provides a backup regardless of previous backups. A Differential backup only backs
up data that was changed since the last full backup and an incremental backup backs
up data that was changed from the last full backup, or the last incremental backup.

I know I am stating the obvious, but make sure that you do not backup anything
that is confidential. Whether by accident or on purpose, once you backup sensitive
data, it does not matter if you remove the file from your computer because a copy
is already made. Personally, I keep all my sensitive information in an encrypted
container by itself so I don't confuse it with my other stuff. After I move all of
my sensitive information into a container by itself I have ensured two things, 1)
my information is secured and 2) nothing is being backed up this is not supposed
to.
 5.2 Security Concerns with Sleep and Hibernation

There are two other features with Windows that you should know of: sleep and
hibernation. If you need to walk away from your laptop for a small –or extended
– period of time but want your Windows session to resume quickly, you will use
either of these two features. The difference is that with sleep mode, your
computer stores everything in memory and with hibernation mode, everything in RAM
is saved to your hard drive. Sleep is for short-term storage and hibernation is
for long term storage.

If you use sleep or hibernation, the encryption keys and everything else that
is open at that time is saved, allowing a third party to bypass the security
measures you have in place. For example, everything that you have opened at this
moment, including mounted containers and open documents, will be viewable by
forensic investigators. The best mitigation technique is not to use them or to
disable both hibernation and sleep altogether.

Note: Windows 8, the latest Operation System Microsoft is coming out with
hibernates the system kernel, but does not put memory in storage

5.3 Ensuring Information and Service Continuity

Keeping a backup of all your private/sensitive materials is a good idea for the
continuity of such data, as long as that data is secure. Securely storing data has
been discussed in another section, so I will only make a recommendation. I would
create a container with TrueCrypt and store all sensitive data within that
container before saving the backup somewhere else. Doing this will achieve two
goals in the CIA triad, confidentiality and availability.

There are two locations that need to be considered when backing up data:
locally and remotely. A local copy is a good idea when data loss occurs and you
want an immediate, speedy recovery of the backed up data. But what if a natural
disaster or a fire occurs and it destroys both your computer and your local backup
device? This is where a remote backup solution comes in; it prevents data loss in
off-chance that this happens. Common methods of remote backups are remote backup
services, tapes, external drives, or hosted services. Another common method is
finding someone else in another location (another state preferably) and you each
keep a backup for one another.

For example: let’s say that I have a friend (okay, I did say as an example)
and that friend lives in another state. One good way that I can back up my data at
his place and his at mine, is we setup a VPN to connect our networks together.
This way, we can send the files securely over the internet without much
complication. Make sure however, that you trust the other party as they will have
your Public IP Address. Another device that allows for storage redundancy is a
RAID device. RAID (redundant array of independent disks) is a storage technology
that combines multiple disk drive components into a logical unit. Basically, it is
a device that is comprised of several disks for the purpose that if one (or more)
drive(s) fail, data is not lost. This can come in the form of a RAID controller
(or software controller) on your computer, or a network device (such as a NAS box).
A NAS box is a Network Attached Storage and is a device that plugs into your
network so you can backup multiple devices. These devices are standalone devices
and usually have RAID functionality.

There are a few more solutions if you are going to set up a service that you
host and are concerned with continuity and service availability. All these methods
are assuming that you have multiple servers available and can configure them and
the network they reside in. Firstly, you can configure the site for mirroring
which is the act is creating an exact copy of one server to another server.
Clustering (or failover clustering) is another method of ensuring availability as
it is a group of devices that act as a single device. When one device fails in a
cluster, another device starts providing the service (a process known as a
failover). And finally, you can implement load balancing on your network which
distributes the traffic load between several devices in your network.

5.4 DoS and DDoS attacks

DoS (Denial of Service) attacks are the acts of making resources for legitimate
users unavailable. DDoS (Distributed Denial of Service) attacks are the same thing
as DoS attacks, but they use hundreds (even thousands) of machines to disrupt
access to resources. Usually this is performed by flooding the service with ICMP
packets forcing the router (or server) to respond to the attackers’ request (by
replying to the ICMP packet). Other attacks including sending malformed ICMP
packets, flooding the site with resource requests, or SYN flood attacks.

Even though ICMP traffic uses the TCP protocol, it is not supported via Tor.
This attack will be best accomplished with Clearnet sites. Ping of Death attacks
can be accomplished in two ways: the attacker can send too many packets or they
can send malformed packets. For example, Windows has a packet size limit of 65500.
So anything received that is higher, might crash the machine or enable the attacker
to successfully perform a privilege escalation attack. Flooding the site with
requests for resources (videos, pictures, login requests, etc.) is an example of a
DoS attack that is more commonly used with Tor sites.

These attacks are mostly an issue that has to be prevented with hardware
controls versus implementations within the website itself. Assuming that you are
hosting and managing the website and the server the website resides on, you can
implement ingress filtering on your network to help block some of the attack. The
backscatter traceback method is a good strategy for that. Also, I would block ICMP
packets on your external interface (WAN interface). You should also make sure that
all "unallocated source address'" are blocked. This means that you should block
all packets with private IP address that are coming into your network. You cannot
stop DDoS attacks, only mitigate the effect.

Another type of DoS attack is known as an Application layer DoS attack. This
type of attack bypasses the firewall as it uses legitimate traffic to attack the
service directly. Application-layer attacks can affect many different
applications. A lot of them target HTTP, in which case they aim to exhaust the
resource limits of Web services. Often, they are customized to target a particular
Web application by making requests that tie up resources deep inside the affected
network. These attacks are typically more efficient than TCP- or UDP-based attacks,
requiring fewer network connections to achieve their malicious purposes. They are
also harder to detect, both because they don’t involve large amounts of traffic and
because they look similar to normal benign traffic.

Tools for DDoS attacks

To initiate DDoS attacks, you will need to right tools based on your
preferences and other factors such as your platform of attack. The following are
samples of DDoS attack tools:

Low Orbit Ion Cannon - LOIC attacks a server by flooding the server with
TCP or UPD traffic. Specifically, it mostly floods the server with ICMP traffic
which is ping traffic
Trinoo - Trinoo is easy to use and has the ability to command and control
many systems to launch an attack
Tribal Flood Network - TFN can launch ICMP, ICMP Smurf, UDP, and SYN Flood
attacks against a victim. This tool was the first publically available DDoS tool
Stacheldraht - This tool features that are seen in both Trinoo and TFN and
sends commands via ICMP and TCP packets to coordinate an attack. Another feature
of Stacheldraht is that it can encrypt the communication between the client to the
handlers
TFN2K - An upgrade to TFN, this program offers some more advanced features
including spoofing of packets and port configuration options
Shaft - This works much the same way as Trinoo except it includes the
ability for the client to configure the size of the flooding packets and the
duration of the attack
MStream - This program utilizes spoofed TCP packets to attack a designated
victim
Trinity - This performs several DDoS functions including: fraggle,
fragment, SYN, RST, ACK, and others
Slowloris - Application-layer attack that is a HTTP GET-based attack. The
basic idea is simple: a limited number of machines, or even a single machine, can
disable a Web server by sending partial HTTP requests that proliferate endlessly,
update slowly, and never close
SlowPost - This attack works in somewhat the same way as Slowloris, except
that it uses HTTP POST commands—transmitted very, very slowly—instead of GETs to
tie up Web services
SIP INVITE Flood - The two attacks above both target HTTP; this one is a
VoIP flood that targets SIP (Session Initiation Protocol)
Torshammer - Slow post DOS testing tool written in Python. It can also be
run through the Tor network to be anonymized

Do do they mean?

Let me take a second to define some of the attack turns as presented above:

ICMP DOS – An attacker can use either the ICMP "Time exceeded" or
"Destination unreachable" messages. Both of these ICMP messages can cause a host to
immediately drop a connection
ICMP packet magnification - An attacker sends forged ICMP packets to bring
down a host. As an example (as presented above), Windows has a packet size limit
of 65500. So anything received that is higher will be fragmented. Since the
machine cannot reassemble the packet, it might crash or reboot
ICMP Smurf attack - An attacker sends forged ICMP echo packets to
vulnerable networks' broadcast addresses. Doing this will tell all the systems on
the network (inside the broadcast domain) to send ICMP echo replies to the victim,
consuming the targets available bandwidth
SYN flood attacks – A SYN flood attack takes advantage of the TCP three-
way handshake. In normal communication between a client and a server, the client
sends a SYN message. The server returns a message called an ACK, which stands for
acknowledged, to the client. The client then returns an ACK message back to the
server. A SYN flood attacks spoofs the IP address thereby forcing the server to
keep open the connection while waiting for the ACK message (which is never sent)
from the client and uses resources in the process. Flooding the server with ACK
messages causes its resources to dwindle, and the server becomes slow or
unresponsive to other clients
RST attacks – This attack works by injecting RST packets into TCP packets
tricking the server to close the connection. RST attacks are performed against
other users trying to use a particular resource
Fraggle attacks – Fraggle attacks are similar to Smurf attacks except
that Fraggle attacks uses UDP packets instead of TCP packets

6. System Hardening

System hardening is the process of securing a system by reducing its surface of

vulnerability (attack surface). A system has a larger vulnerability surface the
more that it does; in principle a single-function system is more secure than a
multipurpose one. We will also go over several other risk mitigating methods when
dealing with Windows. This will include the removal of unnecessary software,
unnecessary usernames or logins and the disabling or removal of unnecessary
services.

In the security field, an attack surface is the components of a system that an

attacker can use to break into the system.

6.1 Uninstall Unnecessary Software

The first step in hardening a system is to remove unnecessary programs. Start

by removing unnecessary third party programs that are installed on the machine.
You also want to look at programs that were installed when downloading or
installing other products, whether intentional or not. For example, when you
purchase a machine there is a bunch of software that comes preinstalled that you
probably never use. I would recommend reviewing everything that is installed and
remove all software that you do not need.

Try it out – Uninstalling software

Open the Start Menu and go to Control Panel
Select Uninstall a program or Add/Remove Program
Right-click the unnecessary programs from the list and click Uninstall

6.2 Disable Unnecessary Services

Once all of the software has been uninstalled from the machine, you should then
start by disabling all of the unnecessary services that are running in the
background. Each service will provide support for the application that they
support; many of them providing functionality for Windows. You should get a
listing of all the system services running on the system and evaluate whether each
service is needed. Also know that I am more referring to third-party services
versus Windows services. Make sure to do your research on each service before
disabling anything.

Try it out – Removing services

Open the Start Menu and go to Control Panel
Select Administrative Tools and open Services
Review and identify each unnecessary service
Right-click the unnecessary service and select Disabled in the dropdown box
next to Startup type. Stop the service and press OK

6.3 Disable Unnecessary Accounts

An aspect that is overlooked often is disabling accounts that are not currently
being used. You will need to determine if you need information from that account
(if you remove account data) or to use services that can only be used from within
that account. Windows XP has the administrative account enabled with a blank
password be default whereas Windows Vista and 7 disable the account by default.
Also, a quick word from the real world, make sure when creating a user account to
not use anything that can possibly identity you as doing something illegal. A real
world example, someone actually created a separate account name “childporn”, so he
can hide all his illegal materials in that account. Better yet, he hid all
materials in a folder on his desktop named “childporn”! Not only can forensic
investigators see all the accounts that are currently on the machine, but they can
see previously deleted accounts as well.

Try it out - Removing user accounts

 Open the Start Menu and go to Control Panel
Expand User Accounts and select the account you wish to delete
Click Delete the account

Note: One good recommendation is to create and use a standard account with no
Administrative privileges. This way, if a virus is executed, it only has the
privileges of the account that you are in.

What I meant by that, if all the account data is contained in the Windows
Registry and will contain user accounts that are being used now and those that were
deleted from within the Control Panel. For this reason, forensics investigators
use the registry keys when performing the analysis. Furthermore, they can view
other sensitive artifacts from the users unique registry is they are left intact.
The location to the registry keys that contain the user information is here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

As you can tell from the image, the selected user account has the username of
admin. This can be seen from the ProfileImagePath registry key. Remember the SID
for later use. Once you have gone through all the keys under ProfileList and have
located yours, you can right-click the key as shown in the image above and
selecting Delete. Now that you have deleted the user account from the registry,
you should now delete the actual user data from the registry as well. You should
now navigate to HKEY_USERS\%SID% to remove the data for the current user. This
data can include recent file lists, open file dialogs, shell bags, etc.

Finally, you should locate the profile path in Explorer to remove all files
that are contained within the hierarchy. For Windows Vista/7/8, the location will
be C:\Users\%username% and for XP, this path will be C:\Documents and Settings\
%username%. This should be done securely to ensure that no data can be recovered.

6.4 Update and Patch Windows and Other Applications

Another step in hardening the system is updating the Operation System and all
software installed on the machine. When you patch the system, you are applying
security fixes to known vulnerabilities to the software that is running on the
system. These vulnerabilities are what remote attackers use to gain access to the
system. Without patching the system, you are opening up your machine to attack by
these malicious hackers.

Windows updates should be enabled as they provide many fixes concerning Windows
security. Individual software and applications should also be updated as soon as a
known stable version of the update is available. Usually, when vendors release an
update, they are stable unless stated otherwise. I recommend the use of a tool
that checks the programs installed on the machine and reports the ones that are
out-of-date. A good program for this purpose is Secunia PSI. This program will
constantly check the programs installed on your machine and report which ones are
out-of-date, which ones are scheduled for an update, and which ones can be updated
manually.

Note: A program that I would recommend looking into is Microsoft Baseline

Security Analyzer (MBSA) which is a free security and vulnerability assessment (VA)
scan tool to improve security management process and assess or determine security
state in accordance with Microsoft security recommendations and offers specific
remediation guidance.

6.5 Password Protection

A final practice you should incorporate in system hardening is password

protecting your devices. On your computer, you should make sure that all of the
user accounts that are enabled are password protected. This is especially true
when folder shares are involved. Make sure that the passwords on your machine are
all strong so an attacker cannot use that account to gain access to your machine.
For example, Windows shares you primary drive that can be explored over the
network. Worse yet, when you mount a TrueCrypt container in Windows; that will be
shared as well!

Try it out – Password protect computer accounts

Open the Start Menu and go to Control Panel
Expand User Accounts and select the account you want to create a password
for
Click Change Password

Try it out – Explore your computer from another machine

Start the command prompt: Start > Run > cmd > OK *Windows Vista/7, type
cmd in Search Programs and Features. A black box should pop up
Type in ipconfig and under the adapter you are using, record the IP address
next to IPv4 (example: 192.168.1.5) *rarely will people use IPv6
Hop onto the other computer and open up Windows Explorer
In the address are, type in ‘\\' followed by your computers IP address
finished with a ‘\', your drive letter and a ‘$' (usually C). For example, I
type in \\192.168.1.5\C$
You will be prompted to enter the username and password for your machine

Note: When you mount a TrueCrypt container in Windows, it can be explored

though another computer in the network using an account in Windows if they have the
correct permission. For this reason, make sure that your Windows password is not
easily guessed! You can test this out by trying the Try it out – Explore your
computer from another machine and replacing the "C$" with whatever the TrueCrypt
container is. You can also see if your container is mounted via Windows Shares and
if is, you can stop the share. Also, I would change the permissions for the
TrueCrypt file.

7. Antivirus, Firewalls, DLP's, and HIDS's

Malware, short for malicious software, is software used or created to disrupt

computer operation, gather sensitive information, or gain access to private
computer systems. It can appear in the form of code, scripts, active content, and
other software. This is not only annoying, but if malware is running on your
machine, your security is at risk. Notice that all these solutions can be either
hardware or software. Hardware solutions are usually on the perimeter as in the
form of an all in one device (SonicWall or Fortigate for example).

7.1 Antivirus

'Malware' is a general term used to refer to a variety of forms of hostile,

intrusive, or annoying software. This software comes in several different flavors,
but we will only be talking about Spyware and Trojan Horses. Trojan horses are
often delivered through an email message where it masquerades as an image or joke,
or by a malicious website, which installs the Trojan horse on a computer through
vulnerabilities in web browser software such as Microsoft Internet Explorer.
Spyware on the other hand covertly monitors your activity on your computer,
gathering personal information, such as usernames, passwords, account numbers,
files, and even driver’s license or social security numbers.

Antivirus software can protect you from viruses, worms, Trojan horse and other
types of malicious programs. More recent versions of antivirus programs can also
protect from spyware and potentially unwanted programs such as adware. Having
security software gives you control over software you may not want and protects you
from online threats is essential to staying safe on the Internet. Your antivirus
and antispyware software should be configured to update itself, and it should do so
every time you connect to the Internet.

Case: The Computer and Internet Protocol Address Verifier (CIPAV) is an illegal
data gathering tool that the Federal Bureau of Investigation (FBI) uses to track
and gather location data on suspects under electronic surveillance. The software
operates on the target computer much like other forms of illegal spyware, whereas
it is unknown to the operator that the software has been installed and is
monitoring and reporting on their activities.

The CIPAV captures location-related information, such as: IP address, MAC

address, open ports, running programs, operating system and installed application
registration and version information, default web browser, and last visited URL.
Once that initial inventory is conducted, the CIPAV slips into the background and
silently monitors all outbound communication, logging every IP address to which the
computer connects, and time and date stamping each.

7.2 Hardware Keyloggers

Hardware keyloggers are used for keystroke logging, a method of capturing and
recording computer users' keystrokes, including sensitive passwords. They can be
implemented via BIOS-level firmware, or alternatively, via a device plugged inline
between a computer keyboard and a computer. They log all keyboard activity to their
internal memory. Hardware keyloggers have an advantage over software keyloggers as
they can begin logging from the moment a computer is turned on (and are therefore
able to intercept passwords for the BIOS or disk encryption software).

You might think that physical inspections are one way to defend against
hardware keyloggers, but it is not. Nor is using a wireless keyboard, as that sort
of keylogger, doesn't necessarily have to be hidden outside of the keyboard. A
dedicated attacker may just as well place an extra chip inside of the keyboard or
replace it all together by a manipulated keyboard of the same model to record
keystrokes without any obvious visual cues. So, the best way may to the use
different keyboard layouts before entering the password. Furthermore, you can also
enter random data within the password and going back to remove them later. And
finally, you can use tokens as well as a password when logging into your computer.

7.3 Firewalls

A firewall is usually your computer's first line of defense-it controls who and
what can communicate with your computer online. You could think of a firewall as a
sort of "policeman" that watches all the data attempting to flow in and out of your
computer, allowing communications that it knows are safe and blocking "bad" traffic
such as attacks from ever reaching your computer. Configuring your firewall can
prevent Spyware or other confidential data from leaving your network entirely. It
can also prevent remote attackers from "hacking" into your computer. Most AIO
(all-in-one) security solutions such as Norton or McAfee or BitDefender have a
firewall built in. For a free firewall, Comodo firewall is a good alternative:
https://personalfirewall.comodo.com/.

Note: In most Linux distros including Redhat / CentOS / Fedora Linux installs
iptables by default. It has become a standard option in all distros. If it is not
installed, you can use the command yum install iptables or apt-get install iptables
if you are using Ubuntu.

7.4 DLS's

Data leakage prevention solution is a system that is designed to detect

potential data breach incidents in timely manner and prevent them by monitoring
data while in-use (endpoint actions), in-motion (network traffic), and at-rest
(data storage). Importantly, personal DLP software can protect you from accidently
disclosing confidential or sensitive data. Some AIO security software does this as
well as free software.

7.5 HIDS's

The principle operation of a HIDS depends on the fact that successful intruders
(hackers) will generally leave a trace of their activities. In fact, such intruders
often want to own the computer they have attacked, and will establish their
"ownership" by installing software that will grant the intruders future access to
carry out whatever activity (keystroke logging, identity theft, spamming, botnet
activity, spyware-usage etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications,
and the HIDS attempts to do just that and reports its findings. Intrusion attempts
can be keylogger attempts (spyware), Internet Explorer leaks, DLL injections,
malware drivers, etc. HIDS's are installed on your machine and a baseline must be
performed before HIDS's can detect any anomalies. Many anti-virus programs have a
basic HIDS built into the software as an added feature.

Network IDS's on the other hand sit on your network to monitor all traffic
coming into your network to alert you to any attacks. There are several methods of
detecting an attack including anomaly based detection and signature based
detection. Also, there is either a passive or active based detection depending on
if you want the IDS to actually take action or not. You should know when setting
up an IDS, that there will be false positives as it takes a while for the IDS to
learn and for you to teach. Also, you will need to be there to monitor the alerts.
Snort is a good, free NIDS and is widely used in businesses.

7.6 Other Considerations

What you download can affect security. Make sure that what you download is
safe; it should go without saying, but is good to hear nonetheless. PDF, word
documents, executables, broken pictures, and binders are all security issues. Make
sure that you protect yourself by downloading alternative PDF viewers (or block
your PDF application from connecting to the internet), disable Macros if you use
Microsoft Office programs, disable JavaScript in Adobe Acrobat/Reader if you use
it, etc. Lastly, make sure that you are updating your web browser, and if you are
using the Tor Bundle, you update that as well. These releases are extremely
important for security and often include patches for found vulnerabilities.

8. Networks and Networking Protocols

Keeping your network secure is a must to ensure to keep intruders out and your
information from getting into the wrong hands. Furthermore, it protects you from
other people hopping on your network, doing something illegal, and having the
evidence point to you. Network security covers a variety of computer networks,
both public and private, and you should concern yourself with both. This chapter
will explain some of the common methods of security and a brief introduction on a
few networking terms as well as security concerns when hopping on another person's
network. This will include both hardware and software methods to ensure this
security.

8.1 Intro to Networking

Before we being diving into this section, we are going to discuss the
fundamentals of networking. If you are wondering why, it’s because we are going to
use networking terminology and the functionality they serve. So the first question
you may ask will be answered first. What is a network?

A computer network or data network is a telecommunications network that allows

computers to exchange data. There are two types of networks: a public and a
private network. A private network is typically the devices within your home or
place of business. Within the private network, you have interconnected devices
such as computers, gaming devices, phones, media servers, and etc. Then we have a
public network, which is an interconnected network of private networks reachable on
the internet.

Now that you know what a network is, we are moving on to how these devices in a
network physically connect to each other. Inside a private network, all the
devices that connect via a cable (also called Ethernet cables), are plugged into a
network switch – or the less popular device known as a network hub. I specify
network switch as there are a couple different types of switches. Switches provide
more speed and security then network hubs. We won’t get into the security features
in this guide.

I will state later on in this guide that if the administrator of the network
device is using a hub, they can capture all data easily. Most of you are familiar
with a basic home router. But most of you don’t know that with a home router, the
ports in the back are actually switch ports, which is built into the router itself.
There are two primary differences between hubs and switches: hubs are half-duplex
whereas switches are full-duplex and hubs have one collision domain versus switches
which has a collision domain per port. Basically, full duplex means the hubs can
send and receive information at the same time whereas half-duplex devices cannot.
Wireless devices send data in half-duplex mode as well; this is one reason why
wireless connections are slower than wired connections.

A network collision occurs when more than one device attempts to send a packet
on a network segment at the same time. And a collision domain defines where
packets can collide with one another. So for example, let’s say you have a 5 port
hub. A hub has one collision domain; so all the information being sent through any
one of those ports can collide with any data from the same port or another port.
If you are plugged into port 1, information will be sent to port 1, 2, 3, 4, and 5.
A switch on the other hand may have 5 ports, but each port only transfers packets
through the host that is using that port. So, port 1 transfers packets only
through port 1, port 2 through port 2, port 3 through port 3, and so on. I also
said that a switch can send and receive packets at the same time, make collisions
near impossible. As you can see in the illustration, when Host A wants to send
information to Host B, a hub sends the data to all ports and a switch only sends
the data to the port Host B resides on. An attacker can sit on Host C or D and
capture all the traffic coming from another device.

Now you know how device are connected within a private network; with the use of
switches. Next, we are going to talk about how different networks connect with one
another and how devices within a network can talk with each other. Remember
though; this is an intro to networking, so I will not be going into any technical
details. Saying that, a group of networks are connected with one another using a
router. And a router does just as the name implies; it routes between two or more
networks. Look below for a basic network diagram.

So, let’s talk about the illustration above to learn more about how these
devices communicate. As you can see, two or more networks communicate via a
router. This can be seen in the diagram as Router A and Router B and specify two
different types of networks. Branching off from the routers, a network switch is
used. Again, the switch’s connects the devices within the network and the router
routes traffic between networks. Finally, connected to each switches are the
devices within each private network.

Moving on, what we just describes was how devices connect to each other
physically, but not logically. I told you the basics on network switches and hubs
and how they route traffic. But they cannot route traffic if the devices in the
network do not have IP addresses. An Internet Protocol address (IP address) is a
numerical label assigned to each device (e.g., computer, printer) so that they may
communicate with one another. To help facilitate this, there is a service know as
a DHCP service, which stands for Dynamic Host Configuration Protocol, and is
responsible for leasing out IP addresses to devices connected to the network.

There are two types of IP address: a public IP address and a private IP

address. Public IP addresses are used over the internet and private IP addresses
are used within private networks. Private address’s fall within these ranges:

192.168.0.1 to 192.168.255.254
172.16.0.1 to 172.31.255.254
10.0.0.1 to 10.255.255.254

When dealing with IP addresses and networking, there are two other numbers that
you should also know about: subnet masks and default gateways. A subnet allows the
flow of network traffic between hosts to be segregated based on a network
configuration. By organizing hosts into logical groups, subnetting can improve
network security and performance. For example, most home devices give a subnet
mask of 255.255.255.0 which looks like 11111111 11111111 11111111 00000000 in
binary notation. Without getting into subnetting which can take me pages to
explain, any device that has the same numbers in the first three octects with a
subnet mask of 255.255.255.0 can communicate.

For example: 192.168.1.2 and 192.168.1.3 and 192.168.1.4 and so on can

communicate with each other but devices with IP addresses of 192.168.1.2 and
192.168.2.2 cannot communicate. This is because they are in two different networks
therefor are logically separated. Furthermore, by changing the subnet you can
change the amount of hosts per network. We won’t into that at all as again, that
deals with subnetting. You might also notice that if you network is full the first
IP address and the last IP address is not used at all. In this case: 192.168.1.0
and 192.168.1.255 are not used. 192.168.1.0 is the network address and
192.168.1.255 is the broadcast address. Finally, the default gateway is the last
resort gateway and is used to route traffic when it does not know where to go.
Practically speaking, your home router acts as your default gateway (and your DHCP
server) as it knows how to send data within the network and over the internet.

Another area concerning networking are ports and the actual process of data
traversing networks. Every service is assigned a port and usually these ports do
not change. For example, Port 80 is always used for HTTP (web traffic), port 433
for HTTPS, port 53 for DNS, and so forth. When you request a service, you are
requesting the service by using that particular port, and not by the DNS name
(Google.com) that you wish to use. Let’s say that you opened up FireFox and want
to go to Google.com. Your computer will first be requesting the data on port 53
(DNS) to request an IP address for Google.com and port 80 to request the actual
information. If you are using another service for Google.com, such as their music
service, you will be requesting the service using a different port. More
information on this process can be found in section 8.3.

Moving along, when your computer is requesting information, the socket (or
communication flow) is actually assigned a random port number to make the request.
This new port number is per connection and not per packet. So, for example, if you
are requesting HTTP traffic (port 80), you are actually assigned a random port of,
for example, port 1000001. This is if in case you have multiple applications
requesting different information for the same service/port number. Opening up
several tabs in FireFox provides good illustration of this; each tab is assigned a
different port number, so your computer knows where to send to traffic once
received by your computer. Not only does your computer do this, but your router
does when using a feature called PAT, the other routers do this when being sent
across the world, and the webserver (Google.com) does this when open a connection
and sending information back to you. The easiest way to think of a reason why
opening up random ports, is that the random ports are uniquely assigned names for
each service requesting the information.

Note: PAT stands for Port Address Translation and is when multiple devices on
the network must use one Public IP address. You may have heard people refer to
this process as NAT, or Network Address Translation, which is accepted for use, but
technically incorrect. Example: most home users that use a router are using PAT
without knowing it. PAT is used so all the devices in your network can access the
internet with the Public IP address that is assigned by your ISP.

The above illustration briefly, and simplistically, demonstrates how data is

forwarded from one network to another. You will see that Bob wants to view the
site Freepizza.com to get some delicious, free pizza. One fundamental concept you
need to realize is that routers do not use MAC addresses. Without getting into the
OSI model, MAC addresses, also explained in section 8.3, are only used for your
local network. When data is sent through the internet, or across networks (as
demonstrated by different routers), only the IP address is used. Let me go over
the illustration above.

Bob wants to send the data to freepizza.com, but he does not know how to get
there. So, Bob sends a packet to Router 1. He says, “This packet is going to
192.168.1.1 (Router 1) and is from 192.168.1.2.” Router 1 sees that Router 2 knows
how to get to Freepizza.com so he proceeds by sending the packet to Router 2. Now
again, routers do not care about MAC addresses so they remove the MAC address and
replace the IP addresses (Source and Destination) with its own source and
destination header. In this case, the Source IP Address or 192.168.1.2 and
Destination IP Address of 192.168.1.1 are replaced with the Source IP address of
192.168.1.1 and Destination IP Address of 192.168.2.1. When Router 2 receives the
packet, he will say, “Hey, I know where Freepizza.com is! He is at 192.168.2.2.”
Again, without getting into how MAC addresses work and when they are used, Router 2
will replace that IP Address information with the Source IP Address of 192.168.2.1
and Destination IP Address of 192.168.2.2. The MAC address will be used inside the
network between the switch (not in the diagram) and the router/pizza.com server.

Phew, aren’t you glad that’s over with? Not quite I say! We still have to
describe how data is sent back through the network back to Bob. This part will go
much quicker as we have already described the fundamentals on how the packet got
there in the first place. So, when Freepizza.com is ready to send the information
back to Bob, it follows the exact same process in getting there, except it uses the
Source IP address to send the data back to whomever sent it in the first place.
The data headers are still replaces and the MAC addresses are still removed.

It is for this very reason that when you are a Tor exit node, you are at risk
at people coming to your house if someone does something illegal and gets caught
doing it. The Tor exit node only has the IP address information of the Router it
is at (known as the Public IP address). All the IP address information of the Tor
user and all hops in-between are stripped away and only accessible by each
individual hop. Now, Tor uses encryption and varies other methods of hiding the IP
address information, but this a simple explanation on how data travels across
networks.

Wrapping this up, when computers want to communicate in a network they send an
ARP command that is used by the network devices and the network switch to send data
to other devices within the same network. I described this process further down in
the guide when explaining about ARP replay attacks, so I will skip it for now.
Routers can communicate directly with one another using a DCE/DTE cable or through
the internet via a modem. Old modems converted the incoming data from analog to
digital and vice versa on the way out. Cable modems, which are used most nowadays,
converts the cable feed into a format that can be used by several devices in your
home. Your ISP uses DHCP services to lease you out an IP address so you have
internet access. When you are finally able to communicate within your network or
over the internet, data is sent in what is called packets. Packet and packet
forensics is described below in section 8.4.

8.2 Private vs. Public IP Address

A private IP address (assigned by the owner's wireless device) is assigned per

device in the network from a DHCP pool. DHCP pulls a list of available IP
addresses and assigns it when a device is attached to the network. A certain IP
address is not assigned to a specific device (there is no static mapping) therefor
people cannot use IP addresses to located your specify device. Static IP
addressing can be used, but typically is not used in a home environment. When you
connect to a wireless device, it is possible that it changes each and every time
you connect, depending on what else is connected to the network. Also, unless the
IP address is currently leased out, nobody will be able to look in a log
(typically) to determine what IP address what connected when.

The other IP address is known as a Public IP address. This type of address is

what your ISP (Internet Search Provider) uses to identify you. When you log into a
website, this is the IP address that is logged. When you use proxy or VPN
services, the Public IP address that is hidden and the VPN/proxy IP address is
exposed. If somebody has your IP address, they can get the geographical location
of where you live whereas your ISP has your name, telephone number, home address,
and whatever else you have given them. Lastly, when you are connected to a person
directly (DCC, video chat, P2P, etc.); they can also log your Public IP address.

8.3 MAC Address

Think of a MAC address like a bank account number; we are each given a bank
account number so when we make a purchase, at a grocery store for example, the
grocery store knows how to send the payment to your bank and vice-versa.
Similarly, a MAC address, which is unique to your wireless card, allows the router
to know where to send the data. And if you really care, the MAC address is held in
an ARP table, but we won't get into that.

When you connect to a network, the router logs the computers MAC address and
temporary saves the computers IP address. People can also sniff the network to see
what you are doing and record your MAC address that way. And yet another way
people can get your MAC address is if they use software that monitors the network
and records all the devices automatically. All these methods have one this in
common (besides the obvious), they can only record the addresses that are
broadcasted, meaning if you change your MAC address, these methods are useless.

People use MAC address changers for many reasons; mostly for getting free WiFi
by bypassing MAC address filtering or performing MAC flood attacks. If you connect
to a public network, or your neighbor's network, I would use a MAC address changer
to make it hard to locate you. Earlier, we said that a MAC address is unique to
your computer; so if they were to look at all of the devices in your house, they
won't find the device with the MAC address that was logged because it has been
changed. The easiest way to change the MAC address is to download a program to do
it for you; otherwise you can change it in your network settings. Win7 MAC Address
Changer Portable is a good program to do this for you.

As a quick note, another recent discovery that can identify individual

computers that cannot be spoofed (as of yet) is with using the computers graphics
card. The PUFFIN Project (physically unclonable functions found in standard PC
components) has brought forward research suggesting that GPU manufacturing
processes leave each product with a unique "fingerprint." The PUFFIN team has
created software that can detect these physical differences between GPUs. This is
another way that someone can determine whether your device was used in a crime if
your GPU "fingerprint" was obtained. PUFFIN's research will run until 2015.

Note: To change the MAC address in Linux, you can use the hw ether command.
ifconfig eth0 down > ifconfig eth0 hw ether 00:00:00:00:00:00 > ifconfig eth0 up >
ifconfig eth0 |grep HWaddr. Notice, you will use a custom MAC address instead of
00:00:00:00:00:00 and run each command separately (as defined by the ‘>'
character). Also, you will want to replace eth0 with the adapter that you are
using.

8.4 Public Wireless

It is up to you whether or not to stop using the neighbors wireless. But know
they can see Tor traffic if they: use a packet sniffer and perform a MiTM attack
if their wireless network is not protected, if they were using a network hub which
broadcasts information out of all ports, if they have a managed switch and enable
port mirroring, or if they change the MAC address of their computer to that of the
AP (Access Point). Even though they can see Tor traffic, they cannot see what you
are doing inside of Tor and they still will have no clue that it was you. If they
could, the purpose of Tor would be defeated. They are other risks with using
public networks (or your neighbor’s network) therefore it is not recommended
(unless you are absolutely sure that you are safe).

These risks includes attackers remotely logging into your computer via a known
backdoor or an exploit. The best known Operating System to attack a machine is
Backtrack. BackTrack is a Linux-based penetration testing arsenal that aids
security professionals in the ability to perform assessments in a purely native
environment dedicated to hacking. The methods of attack in BackTrack are against
operating systems, applications, phones, networks, internet protocols, websites,
and etc. The best part about BackTrack is that it is free! I would start with
getting a good firewall and anti-virus for your computer. Also, make sure you
follow System Hardening (Section 6) section to help correctly configure your
machine.

As always, I would use Tor for all sensitive information in which you do not
want anyone to learn your location or monitor your browsing habits. To protect all
other sensitive data that does not require such autonymity, I would recommend the
use of a VPN. A VPN reroutes all computer traffic through a secure tunnel to a
trusted third-party (or a designated network) before the information reaches its
destination. This provides security against anyone sniffing your computer traffic
as all information is encrypted. Common reasons for a VPN is when: checking
emails, checking your bank account, application data security, or transmitting
insecure data over a secure data stream. The difference between Tor and a VPN is
that when using Tor, nobody knows who you are whereas in a VPN somebody always
does.

Network Sniffing Tools

Wireshark – One of the most popular packet sniffing programs available.
Wireshark is a successor to Etheral and offers a tremendous number of features to
assist dissecting and analyzing traffic
Omnipeek – Created and manufactured by Wildpackets, Omnipeek is a
commercial product that is the evolution of Etherpeek
Dsniff – A suite of tools designed to perform sniffing as well as other
tools to reveal passwords. Dsniff is designed for UNIX and Linux platforms and does
not have a complete equivalent for Windows
Cain and Able – Cain and Able provides much of the same tools as Dsniff
but also provides features such ARP Poisoning (MiTM attack can be performed inside
a network), enumeration of Windows systems, and password cracking
Etherape – A UNIX/Linux tools that was designed to show the connection
going in and out of the system graphically
Netwitness Investigator – A free tool that allows a user to perform
network analysis tools as well as packet reassemble and dissection

Here is an example of what captured packets look like in Wireshark. If you

want to learn more about network investigations, using packet sniffers and
analyzing the data is a good way to start. Starting with the fundamentals, I would
learn about simple networking and the basic port numbers and what they are used
for. Let’s use the example above and learn what is going on.

The first for packets we will talk about (No. 8 - 11) are all DNS packets.
Packet 8 is a DNS request from IP address 192.168.82.133 to IP address
208.67.222.222 for the domain www. LINK HERE -----> file2hd.com/Default.aspx?
url=https://www.youtube.com. The Source field is your IP address (or the address
of the originating computer. The Destination field is the address where the data
is going. The protocol is DNS as scene in the Protocol field. DNS is Domain Name
Service and is the protocol used the get the IP address from a Domain Name. And
finally, the Info field contains the data within the packet. In this case, packet
8 requests the packet (Standard query A www. LINK HERE ----->
file2hd.com/Default.aspx?url=https://www.youtube.com) and packet 9 responds with
the CNAME record and the IP address (Standard query response). The A record is the
standard record that maps the domain name to the IP address and the CNAME record is
a type of DNS record that specifies that the domain name is an alias of another,
canonical domain name.
oving on, packets 12 – 14 is the standard TCP three-way handshake. More
information can be found in section 8.5 and is denoted by the packets [SYN], [SYN,
ACK], then [ACK]. Once the final [ACK] packet has been sent, the connection is
made and information can flow.
The next packet is the GET request. This packet is telling the HTTP server
that it is requesting resources (in this case, the content on the webpage). If you
submit data you will see a POST request meaning that you are sending resources to
the webserver.
Finally, the user is sending and receiving information from the website as
you can see by the Source port in the information pane. Port 80 (http) denotes
webtraffic and is used when a user is trying to access a webpage.

This is the basic overview of webtraffic that can be captured and read.
Protocols such as FTP and HTTP are all done in cleartext, meaning you can read all
the data that is contained within the packets. This is especially a problem for
the user if information such as usernames or passwords are being sent. FTP for
example requires the user the login to the server, but does sends all the
information in the clear. The picture below is an example of network traffic that
captured the FTP username and password. The destination field tells you that the
FTP server has an IP address of 10.0.8.126 and the user requesting it has an IP
address of 10.0.4.232.

There are two more things that I want to discuss before moving on to the next
section:
When using Wirehark, you should familiarize yourself with filtering and
Follow TCP Stream
Reassembling packets to view data such as images and getting detailed view
of packet analysis

One popular feature of Wireshark is to follow the stream of captured packets.

Let’s say that a user is sending an email and has attached a compressed file along
with it. Using Wireshark, you can find a packet in the stream, right-click the
packet, and select Follow TCP Stream. A new window will open will all the data in
the stream, which will contain the file you are trying to download. Once the new
window is opened and fully loaded, you can click Save-as to save to data to a file.
The file is now ready to be opened with the program that handles the file type.

Moving along to the second item on the list, you can also reassemble packets to
view the information contained within those packets. Let’s say for example that
someone views a bunch of images over the internet. Reassembling the packets will
allow you to view the images the user viewed. Now, Wireshark is good for capturing
packets and is a great program for a bunch of purposes, but it is not a great
program when trying to do this. Personally, I use a program called NetWitness
Investigator that will not only allow you to view the data that was captured, but
it will allow you to do so graphically. Everything is point and click and there is
no real need to know about packet analysis beyond the very basics. And finally,
this program shows a detailed view of the packets captured.

8.4 Security Protocols

Securing your network should be as important as securing your computer.

Allowing people access to your network opens you up to attack and as previously
stated, legal issues, because they can got caught doing something they weren’t
supposed to on your network. If you are doing everything secure on your network
computer but someone gets caught downloading child porn, the government is coming
after you. There are several ways to protect your network depending on your
equipment and if you use custom firmware or not. If you get a router, plug it in,
and start using it; you are NOT protected!

The first thing that anybody needs to do is change the default password for the
device so nobody can log in and change the security settings. Followed by changing
the device password, you should create a wireless password to limit the people who
can get on the device in the first place. There are several types of protocols
that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and WPA2
are protocols that rely on password authentication to accept users who are trying
to connect to your wireless device. MAC Address Filtering on the other hand only
allows specific wireless devices access to the network depending on the MAC
addresses.

WEP has been demonstrated to have numerous flaws and has been deprecated in
favor of newer standards such as WPA and WPA2. WPA is also deprecated making the
recommended security protocol WPA2. WPA2 is the strongest protocol as it has not
been cracked, yet it might not be supported by all devices. If you want to get
technical, WPA uses TKIP whereas WPA2 uses AES-CCMP. TKIP is Temporal Key
Integrity Protocol and AES-CCMP is Advanced Encryption Standard- Counter Cipher
Mode with Block Chaining Message Authentication Code Protocol. MAC address
filtering filters wireless devices allowing only those that are allowed into the
network. The problem is however, it can be easily defeated if someone changes
their MAC address to one that is allowed.

Wireless Hacking Tools

Kismet - Using Kismet one can see all the open wireless networks, as well
as those Wireless Networks which don't broadcast their SSID's. It's a matter of
minutes to use this tool and identify networks around you
Netstumbler - NetStumbler is a freeware Wi-Fi hacking tool that's
compatible with Windows only. It can be used to search open wireless networks and
establish unauthorized connections with them
Medieval Bluetooth Scanner - This program can analyze and scan your
Bluetooth network finding Bluetooth devices that can be attacked (see bluejacking
or bluesnarfing or bluebugging)
Coreimpact - This it is widely considered to be the most powerful
exploitation tool available. However, CoreImpact is not cheap and will set anybody
back at least $30,000
Wireshark - Wireshark Wi-Fi hacking tool not only allows hackers to find
out all available wireless networks, but also keeps the connection active and helps
the hacker to sniff the data flowing through the network
AirSnort - Most Wi-Fi hacking tools work only when there is no encrypted
security settings. While NetStumblr and Kismet fail to work if there is a wireless
encryption security being used, AirSnort works to break the network key to get you
inside the network
CowPatty - CowPatty is an another Wi-Fi network hacking tool that has crack
got a WPA-PSK protection feature and using this hackers can even break into more
secure Wi-Fi environments
Reaver - This program takes advantage of the weakness inherent with WPS
(WiFi Protected Setup)

Common attack methods and terminology

ARP Spoofing - Address Resolution Protocol (ARP), is a service that
converts IP addresses to MAC addresses that are uses by the local LAN (Local Area
Network). ARP spoofing is a technique whereby an attacker sends fake ("spoofed")
ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC
address with the IP address of another host (such as the default gateway), causing
any traffic meant for that IP address to be sent to the attacker instead.
MAC Spoofing - ork interface on a networked device. The MAC address is
hard-coded on a network interface controller (NIC) and cannot be changed. However,
there are tools which can make an operating system believe that the NIC has the MAC
address of a user's choosing. The process of masking a MAC address is known as MAC
spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any
reason, and it is relatively easy. This can be an attack to get past security
safeguards, to masquerade as another device, or to try a device into sending data
to it.
Fragmentation - IP fragmentation is the process of breaking up a single
Internet Protocol (IP) datagram into multiple packets of smaller size. Every
network link has a characteristic size of messages that may be transmitted, called
the maximum transmission unit (MTU). There are several attacks regarding IP
fragmentation and can be used by services that do not protect themselves from these
types of attacks.
Buffer Overflow - an anomaly where a program, while writing data to a
buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a
special case of violation of memory safety. This may result in erratic program
behavior, including memory access errors, incorrect results, a crash, or a breach
of system security. Thus, they are the basis of many software vulnerabilities and
can be maliciously exploited.
DNS Poisoning - DNS spoofing (or DNS cache poisoning) is a computer hacking
attack, whereby data is introduced into a Domain Name System (DNS) name server's
cache database, causing the name server to return an incorrect IP address,
diverting traffic to another computer (often the attacker's) or a website. Doing
this, the attacker can capture all data, inject data, or log information such as IP
addresses or other sensitive computer information.
IMCP Redirect - An ICMP Redirect tells the recipient system to over-ride
something in its routing table. It is legitimately used by routers to tell hosts
that the host is using a non-optimal or defunct route to a particular destination,
i.e. the host is sending it to the wrong router. The wrong router sends the host
back an ICMP Redirect packet that tells the host what the correct route should be.
If you can forge ICMP Redirect packets, and if your target host pays attention to
them, you can alter the routing tables on the host and possibly subvert the
security of the host by causing traffic to flow via a path the network manager
didn't intend. ICMP Redirects also may be employed for denial of service attacks,
where a host is sent a route that loses it connectivity, or is sent an ICMP Network
Unreachable packet telling it that it can no longer access a particular network.
Proxy Manipulation - This attack involves altering the proxy settings of
the target machine to redirect traffic to the attacker’s computer or service.
Doing this, the attacker can capture all data, inject data, or log information such
as IP addresses or other sensitive computer information.
Rouge DNS - DNS hijacking or DNS redirection is the practice of subverting
the resolution of Domain Name System (DNS) queries. This can be achieved by malware
that overrides a computer's TCP/IP configuration to point at a rogue DNS server
under the control of an attacker, or through modifying the behavior of a trusted
DNS server so that it does not comply with internet standards.
Rouge AP - A rogue access point is a wireless access point that has either
been installed on a secure company network without explicit authorization from a
local network administrator, or has been created to allow a hacker to conduct a
man-in-the-middle attack. For the purposes of the guide, a rouge AP can be setup
by an attacker as so a victim will unknowingly connect the to the AP and send all
data through the attacker.
Honeypot - A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information systems. Generally it
consists of a computer, data, or a network site that appears to be part of a
network, but is actually isolated and monitored, and which seems to contain
information or a resource of value to attackers.
Padded Cell - A padded cell is a honey pot that has been protected so that
that it cannot be easily compromised. In other words, a padded cell is a hardened
honey pot. In addition to attracting attackers with tempting data, a padded cell
operates in tandem with a traditional IDS. When the IDS detects attackers, it
seamlessly transfers them to a special simulated environment where they can cause
no harm the nature of this host environment is what gives the approach its name,
padded cell.

8.6 Virtual Private Networks

Throughout this guide I mention the use of Virtual Private Networks (VPN’s),
and now I am going to explain exactly what it is. In the simplest of terms, a VPN
transmits data from one network to another, as if they were on the same network.
For example, let’s say that you have a file server on your home network that you
will to access while on vacation. A VPN allows you to log into the network and
view those files as if you were sitting at home. Furthermore, tunneling your
connection through an untrusted network to a trusted network with the use of VPN’s,
ensures that no private data is leaked to unscrupulous parties.

There are several reasons to use VPN’s and there are even more people who use
them. Most often, you will see the use of this technology employed by businesses
that have employees that want to connect to the office or several offices that need
to connect to the home office. There are a few types of configurations that
include: host-to-host, gateway-to-gateway, and host-to-gateway. Host-to-host is
more often used when one person needs to directly communicate with another person
(share files from one PC to another, chat, etc.), gateway-to-gateway is when two or
more locations needs to share data between networks, and host-to-gateway is when
users need to connect to a network to access network resources (like in our first
example).

Saying this, the access of resources is not the only reason why you would want
to use a VPN. As I said in the first example, a VPN can be used for a secure
communication between the two nodes. What I mean is this: let’s assume that you
are at an untrusted network or you are exchanging data over an untrusted medium,
such as the internet. A VPN encrypts your data, creates a secure tunnel between
you and the host machine (the device receiving the VPN traffic), and transfers the
data without anyone being able to see or inject anything harmful along the way.
Note: when I say they cannot inject, both sides perform a check of the data. If
someone injects or modifies the data, it will be discarded and resent.

Moving on, the use of the acronym VPN does not implicitly refer to secure data
transmission, but refers to how data is transfered from one point to another. You
can break a VPN into two parts: the tunneling protocols and encryption protocols.
Tunneling protocols defines how data transverses across networks and the internet.
By its very nature, these protocols do not provide any encryption. It’s like
driving a car without any airbags; it’s not worried about safety, it just cares
that it gets there. Encryption protocols on the other hand are concerned with just
that: encrypting the data.

Used together, VPN’s can provide for confidentiality, integrity, and

authentication:
Confidentiality: When the data is encrypted and sent to a secure, private
network, you can mitigate the risk of third parties reading your data while in
transit
Integrity: VPN’s are also used to detect changes in data when received on
either side
Authentication: When you connect to a host or a client, you can be
reasonably sure that the other person is who they say they are. This is because
tunnel endpoints must verify the other party before a connection is established

Selecting both tunneling and encryption protocols will mostly depends on your
needs and what you have at your disposal. For example, for a client to client
connection, you can use LogMeIn Hamachi to establish a secure VPN between.
Sonicwall’s use SSL VPN’s that can be used host-to-host or host-to-client and
custom firmware routers use OpenVPN can do the same thing but adds host-to-host to
the mix. For the purposes of this guide, I recommend using OpenVPN as it is free
and open source.

Without getting into too much detail about how VPN’s works and what is
happening behind the scenes, I will give you a broad overview of the types of
tunnels and encryption protocols VPN’s use.

Protocals
Point-to-Point Protocol (PPP) - This protocol defines data that is
transmitted over serial lines. Mostly, nowadays, PPP is not used but when using
Dial Up connections between modems.
Point-to-Point Tunneling Protocol (PPTP) - PPTP (Point to Point Tunneling
Protocol) is a good, lightweight VPN protocol offering basic online security with
fast speeds. PPTP is built-in to a wide array of desktop and mobile devices and
features 128-bit encryption. PPTP is a good choice if OpenVPN isn't available on
your device and speed is top priority.
Layer Two Tunneling Protocol (L2TP)/IPSec - L2TP (Layer 2 Tunneling
Protocol) with IPsec (IP Security) is a very secure protocol built-in to a wide
array of desktop and mobile devices. L2TP/IPsec features 256-bit encryption, but
the extra security overhead requires more CPU usage than PPTP. L2TP/IPsec is an
excellent choice if OpenVPN is not available on your device, but you want more
security than PPTP.
Internet Protocol Security (IPsec) - IPsec is actually a collection of
multiple related protocols. It can be used as a complete VPN protocol solution or
simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network
layer (Layer Three) of the OSI model. If you are choosing to use IPSec, you should
know about the two modes it uses to transport the data: tunnel and transport.
Tunnel: In tunneling mode, the entire packet it encrypted, including the header
information. The packet is then encapsulates the encrypted packet and adds a new
header before sending the data. Specifically, Encapsulating Security Payload (ESP)
and Authentication Header (AH) are the two IPSec security protocols used to provide
these security services. However, we will not get into that in this guide.
Transport: This mode encrypts the payload, but does nothing to protect the header
information. Again, the header information provides information such as: source
and destination IP address, port information, frame sequence, flags, etc.
OpenVPN - OpenVPN is the premier VPN protocol designed for modern broadband
networks, but is not supported by mobile devices and tablets. OpenVPN features 256-
bit encryption and is extremely stable and fast over networks with long distances
and high latency. It provides greater security than PPTP and requires less CPU
usage than L2TP/IPsec. OpenVPN is the recommended protocol for desktops, including
Windows, Mac OS X, and Linux.
Secure Socket Layer (SSL) - An SSL VPN is a form of VPN that can be used
with a standard Web browser. In contrast to the traditional Internet Protocol
Security (IPsec) VPN, an SSL VPN does not require the installation of specialized
client software on the end user's computer. It's used to give remote users with
access to Web applications, client/server applications and internal network
connections.

How a VPN connection is made:

Assume a remote host with public IP address 1.2.3.4 wishes to connect to a

server found inside a company network. The server has internal address 192.168.1.10
and is not reachable publicly. Before the client can reach this server, it needs to
go through a VPN server / firewall device that has public IP address 5.6.7.8 and an
internal address of 192.168.1.1. All data between the client and the server will
need to be kept confidential, hence a secure VPN is used.
The VPN client connects to a VPN server via an external network interface.
The VPN server assigns an IP address to the VPN client from the VPN
server's subnet. The client gets internal IP address 192.168.1.50, for example, and
creates a virtual network interface through which it will send encrypted packets to
the other tunnel endpoint (the device at the other end of the tunnel). (This
interface also gets the address 192.168.1.50.)
When the VPN client wishes to communicate with the company server, it
prepares a packet addressed to 192.168.1.10, encrypts it and encapsulates it in an
outer VPN packet, say an IPSec packet. This packet is then sent to the VPN server
at IP address 5.6.7.8 over the public Internet. The inner packet is encrypted so
that even if someone intercepts the packet over the Internet, they cannot get any
information from it. They can see that the remote host is communicating with a
server/firewall, but none of the contents of the communication. The inner encrypted
packet has source address 192.168.1.50 and destination address 192.168.1.10. The
outer packet has source address 1.2.3.4 and destination address 5.6.7.8.
When the packet reaches the VPN server from the Internet, the VPN server
decapsulates the inner packet, decrypts it, finds the destination address to be
192.168.1.10, and forwards it to the intended server at 192.168.1.10.
After some time, the VPN server receives a reply packet from 192.168.1.10,
intended for 192.168.1.50. The VPN server consults its routing table, and sees this
packet is intended for a remote host that must go through VPN.
The VPN server encrypts this reply packet, encapsulates it in a VPN packet
and sends it out over the Internet. The inner encrypted packet has source address
192.168.1.10 and destination address 192.168.1.50. The outer VPN packet has source
address 5.6.7.8 and destination address 1.2.3.4.
The remote host receives the packet. The VPN client decapsulates the inner
packet, decrypts it, and passes it to the appropriate software at upper layers.

One last thing that I want to talk about is split tunneling. Split tunneling
is the act of being connected to both a WAN network (VPN) and a LAN network (your
local home network) at the same time. When enabled, data intended for the secure
VPN might accidently leak out the insecure part of the network. Another negative
risk, is that an attacker can gain access to your computer via the LAN network and
have access to your private network you are connected to over the WAN. For best
security, it is advised to have split tunneling disabled at all times.

8.7 Chat Sites - How Attackers Attack

Some people where asking me about the risks involved in Omegle and downloading
pictures to your computer. So, briefly, I am going to describe here what I told
them. Firstly and most obviously, Tor does not support cam sites for the reason
listed in section 9.11. Quite simply, Tor does not support UDP traffic in which
video streaming operates. So, if you wondering how people actually captures this
traffic and obtains your IP address, this is how:

Try it out - Capture IP Address from Omegle

First, you will need to download a packet sniffer. I would either use
Wireshark, Ethereal, or NetWitness Investigator. The first two will simply capture
the packets whereas the latter will captures the packets and has the ability to put
them back together. This is useful if you want to rebuild the video that was
streaming.
Start Omegle (or an alternative chat site) and get connected to somebody on
the other end. Capturing the IP address can also be done via text, but for this
method, you must use your camera.
Start the packet sniffer of choice; for this example I will be using
"Wireshark."
To select the interface you will need to select "Capture" than
"Interfaces."
Determine the interface that you are using (usually the one with the most
packets) and press "Start" to start capturing the packets.
All you need is a few packets, even though you will get a few hundred to a
few thousand. Once you have enough packets press "Stop the running live capture".
This is denoted by the forth icon at the top with the "X" or you can select "Stop"
under "Capture." FAILURE TO STOP THE CAPTURE WILL CRASH YOUR MACHINE! THE AMOUNT
OF PACKETS YOU CAN CAPTURE IS DEPENDENT ON THE AMOUNT OF MEMORY YOUR MACHINE HAS!
You are only concerned with UDP traffic, so in the "Filter" field, enter
"udp"
Now, you will notice that there is more UDP traffic from two specific IP
addresses than anything else; these IP addresses will be your IP address and the
individual on the other end of the webcam. Your IP address will either start with
a 192.x.x.x or a 10.x.x.x or possibly a 172.x.x.x. Most likely, a 192.x.x.x.
There are restrictions, so if you have any questions, ask or refer to a Private IP
address list. The other IP address will be theirs.
Copy their IP address. This can be denoted via four octets separated by
decimals or with dashes. It can also contain words or letters. 93.53.23.231, pd-
93-53-23-231, or 93-52-23-231.abc.dgf.net will all be the same thing. In either
case, you want to copy it down as 93.53.23.231. Notice that the words might be
different; only concern yourself with the numbers.
That is it; you can use a reverse IP address lookup to find basic
information.

That described simply how to capture the IP address via a packet sniffer. When
connected, this connection can also be seen in your netstat list; but familiarizing
yourself with this might be a challenge if you don’t know what you are looking at.
The reason being is UDP traffic connects directly to your machine. TCP traffic
connects to a third party site such as Omelge. Another method is getting the
person to go to a honeypot that captures the users IP address when they click on a
link and navigate to that site. They are a few out there, and it is easy for
people to be baited into navigating to these sites.
 Looking at the illustration below, you will see an example of a netstat output.
The local address (red) with be your computer and the foreign address (yellow) is
the remote device. 127.0.0.1 is your computers loopback address. So, this is
telling you that the computer with the IP address of 192.168.0.6 is connecting to a
website at 66.102.1.104 and 72.232.101.40. You know this because the “:80” next to
the foreign addresses. Port 80 is used for HTTP traffic when a user wants to
connect to a website. The other ports next to 192.168.0.6 are random ports
assigned by the system. And using an IP lookup tells you that the first IP address
of 66.102.1.104 belongs to google whereas 72.232.101.40 belongs to Layered
Technologies. Note: you can either find a website to lookup the IP address or you
can try to enter the IP address directly into the address bar.

Proto – or protocol – is the internet protocol being used; this can being
either TCP or UDP. TCP connection oriented and a lost packet will be resent so
there is no loss of data during transmission. UDP on the other hand is
connectionless and if a packet is lost, the packet is lost forever. There are
about 12 states that you can familiarize yourself with, but we won’t get into that
much in this guide. For this example, established means that the connection
(socket) has been established, listening means that the socket (the program that
created the connection) is waiting for incoming connections, and time_wait means
that the socket is waiting after close to handle packets still in the network.
Finally, the PID is the program that is handling the connection. This PID number
is created per program and can change every time to program is started.

To look up the application associated with the particular PID, you can use
Windows Task Manager. The Task Manager can be opened by right-clicking the Taskbar
and selecting Task Manager. However, Task Manager does not display PID information
by default. To display the PID value in Task Manager, go to Processes tab, click
on View menu, then click on Select Columns…. In the “Select Columns” or “Select
Process Page Columns” dialog, tick and check the checkbox for PID (Process
Identifier), and click OK. You can right-click the process and click Properties to
view which program is being run and where.

If you are really interested in learning more about gathering an IP address,

there are two things that happen when you are connected via webcam. The first
thing is the handshake - or the initial connection - and is facilitated by the chat
website (Omegle, ChatRoulette, etc). This connection is the first step that is
performed to connect you to the other person whom you are trying to connect with.
After this initial process is complete, you are now directly connected to the
person you are chatting with. At this point, the stream is no longer being passed
through the chat website. The webcam traffic is UDP traffic, which is not
supported by Tor. Continue below for an expanded explanation.

The picture above shows the typical three-way handshake when capturing traffic
in Wireshark. You will see [SYN], [SYN, ACK], then [ACK]. Host A send a
SYNchronize packet to Host B, Host B responds with the SYNchronize-ACKnowledgement
packet back to Host A, and Host A once finalizes the connection with a
ACKnowledgement packet to Host B. Once the handshake is complete you will see a
flood of UDP traffic. Again, the UDP traffic is all the webcam traffic data and is
the only traffic you are going to concern yourself with.

When looking at all this traffic, you want to concern yourself with three
fields in particular: Source, Destination, and Protocol. The source is where the
information is coming from, the destination is where the traffic is going to, and
the protocol defines the protocol being used. The picture below shows what traffic
will look like in Wireshark when the UDP protocol is being used. Notice that this
picture only shows UDP traffic flowing through the network. This is because you
can filter traffic in WireShark to show pretty much whatever you want it to show.
 So, the three fields I will be describing are the Source and Destination
fields. You will notice that there are two IP address being used: 192.168.0.103
and 78.167.170.99. If you followed the Try it out - Capture IP Address from Omegle
you might remember that 192.168.0.103 is the address of local user that is
capturing the traffic and the 78.168.170.99 is the user that is connected on the
other side. Your IP address will either start with a 192.168.x.x or a 10.x.x.x or
possibly a 172.x.x.x. Most likely, a 192.168.x.x. The other IP address will the
address of the user that is connected to you; this is the IP address that you are
looking for and is the IP address that attackers will look for as well.

Another popular method of getting IP addresses and other computer information

such as usernames, passwords, keystrokes, screenshots and etc., if with the use of
spyware. I am not going to go into detail about spyware (or a keylogger or
malware), but I will go over a popular delivery method. When people send pictures
– or videos – via TorChat or an alternative medium, they can use a binder program
to attach a picture file to an executable. When the file is opened, the picture
appears as normal along with the spyware in the background.

To protect yourself when dealing with UDP information (audio or video chat),
you can use a UDP proxy, a VPN, or configure a VPN over Tor. I usually just use a
VPN that claims to not log any traffic; but who knows if that claim holds merit.
Simple text chat uses TCP packets which Tor can protect. Obviously, do not use
shortlinks as they can link to a honeypot or another rouge site. And if you do
decided to open links you are unsure about, make sure you do via Tor with JS
disabled.

8.8 Other Considerations

Most people have home routers with stock firmware, so most of this does not
apply. For those of you interested in having more granular control of your router,
you can search the internet for custom firmware; for example, DD-WRT is a good
Linux-based firmware. Also, you can purchase managed ports and wireless access
points specifically for this purpose. Most commercial equipment can manage what I
am about to talk about, but they usually run in the several thousands, if not
hundreds of thousands.

One of the basic hardening techniques for wireless security is the use of
VLAN's. If the attacker gets passed your wireless controls and into your network,
VLAN's will ensure that they cannot read your network traffic. Let's say some
ports on switch A are in VLAN 10 and other ports on switch B can are in VLAN 10.
Broadcasts between these devices will not be seen on any other port in any other
VLAN, other than 10. However, these devices can all communicate because they are on
the same VLAN. Without additional configuration, they would not be able to
communicate with any other devices, not in their VLAN. You should also know that
VLAN's can be set up on the same switch.

WPS, or WiFi Protected Setup, is a way for individuals to easily connect

devices to the wireless router. In this method, the standard requires a PIN to be
used during the setup phase. As it is not a technique to add security to the
network, you should know that WPS should be disabled at all times. The
vulnerability discovered in WPS makes that PIN highly susceptible to brute force
attempts. It takes approximately 4-10 hours to break WPS pins (passwords) with
Reaver.

You should also know about rouge AP's; specifically when an attacker
impersonates an SSID. Rouge Access Points are a security concern because an
attacker can set up a device such as a router or computer to have a similar or the
same SSID as the wireless Access Point you connect to. Unscrupulous parties can
connect to this rouge device and all traffic can be logged and MiTM attacks can be
performed. This threat is of low concern because it is not very likely to happen.

One final security configuration I am going to mention is a DMZ. The purpose

of a Demilitarized Zone is to add an additional layer of security to your local
area network (LAN – Private network); an external attacker only has access to
equipment in the DMZ, rather than your entire network. This would be if you were
setting up anything that you want people from outside your network to have access
to whilst protecting your internal network. Examples of such services would be
Websites, IRC servers and relay servers.

8.9 Extra: MAC Address Spoofing and ARP Attacks - How they work

Two methods I want to talk about are: ARP poisoning and MAC address spoofing.
As many of you already know MAC address spoofing is also a way to hide your
computer or to get free Internet when places either filter computers by MAC
addresses or have a pay to-use-system. A few of you have asked how this works and
instead of reinventing the wheel each and every time I decided to create this
fundamental, quick how-it-works section. These are a couple of reasons why you
should lock down your private network and never use public networks.

When a computer decides it wants to talk to another computer on the network it

has four primary fields it uses to communicate. In a packet, these fields are:
source IP address, destination IP address, source MAC address, and destination MAC
address. Again, most of you even know about IP addresses so we won’t get into that
at all. But what most of you don’t know is the computer transfers traffic based on
the computers MAC address (which is a unique identifier for each device) and not
the computer’s IP address. The computer uses the IP address to learn the MAC
address but does not actually send data with it. Let me explain.

Let’s say Bob wants to talk the Alisha on the same network (send data). There
is a protocol called ARP, which stands for Address Resolution Protocol, that will
send a request to the switch (or all of the devices in the network if you’re using
a hub) that you are trying to communicate with Alisha. When Alisha responds, she
will send back the MAC address of her computer to the switch. The switch, will then
learn Alisha’s MAC address if it doesn’t already know and send it back to Bob. Now
Bob, having Alisha’s MAC address, will fill in the destination MAC address (which
is Alisha’s computer) and send data using that information.

Here’s an example: Bob wants to send Alisha a file over the network. Bob
first sends an ARP request to the switch (most, if not all, home routers have a
switch build in) saying “hey, I want to talk to Alisha, here is her IP address.
What is her MAC address so I can send the data?” The switch looks in the MAC
address table and determines that Alisha’s MAC address is F026:EA98:EB03:C68E (if
the MAC address is not known, it sends the ARP request to ALL of the computers on
the network, except for Bob’s, until Alisha responds back, “It’s me!”) Once the
MAC address is determined, it is sent back to Bob so he can transfer the data.

This is where MAC address spoofing comes in, because as you just learned,
computers do not transfer data using the IP address, but instead the MAC address.
So MAC address spoofing, tricks the switch into thinking your computer (let’s say
you are Steve), is actually Alisha’s computer. So now when Bob wants to send data
to Alisha, half the packets will go to Alisha and half the packets will go to
Steve. For the same reason this works, the pay to-use-system can be defeated as
well. This pay to-use-system uses the MAC addresses to send data to already
authorized computers which in turn is tricked and data is sent to you without
charge.

ARP poisoning on the other hand when an attacker is able to compromise the ARP
table on the other machine and changes the MAC address so that the IP address
points to another machine. If the attacker makes the compromised device’s IP
address point to his own MAC address then he would be able to steal the
information, or simply eavesdrop and forward on communications meant for the
victim.

THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE
METHODS OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR
ANYBODY TO USE IT AGAINST ANYONE ELSE. SO PLEASE DON'T!

ARP Poisoning Demonstration (you will need Cain and Able installed on your
machine):
Open Cain
Click the Sniffer tab and turn on the network sniffer (the network
interface button next to the folder icon on the second row)
This should already be selected, but ensure that the Hosts tab is selected
at the bottom
At the top, click the blue Plus button to scan for MAC addresses.
Alternatively, you can right-click anywhere in the datagrid (white box) and select
Scan MAC Addresses
Once populated with devices other than your Default Gateway (usually any IP
address ending with the octet of 1) or your computer, select the APR tab at the
bottom
Make sure APR is selected over on the left and click anywhere in the top
datagrid (the top field that is blank). The Plus button at the top should no
longer be greyed out.
Once the New APR Poisoning Routing dialog box appears, you will select the
computers that you wish to attack
Over on the left, you will select your Default Gateway and over on the
right you will select the computer you wish to attack (the datagrid on the right
will populate once the GW is selected on the left) *Doing this has the potential of
causing a DoS attack whereas the victim cannot access the internet or any data in
the network
Finally, select the "session" that you just created (under Status, it will
say Idle) and click the ARP Poisoning button on the top that is next to the sniffer
button you clicked on earlier. If successful, the status will change from Idle to
Poisoning
From here, you can capture data packets, usernames, passwords, email
addresses, and etc.
The only way to defeat this is to use encryption such and client to hosts
VPN's, PKI, or Tor
To stop the attack, you can click the ARP Poisoning button and the Sniffer
button once more

Again, I should provide the warning that there are other ways they can see your
traffic if they: use a packet sniffer and perform a MiTM attack if their wireless
network is not protected, if they were using a network hub which broadcasts
information out of all ports, if they have a managed switch and enable port
mirroring, or if they change the MAC address of their computer to that of the AP
(Access Point) as mentioned above.

MiTM attack stands for Man in The Middle attack and is when an attacker inserts
himself between you and the person – or service – you are connected to. As I said
before, one this is accomplished, the attacker can then capture all information,
strip SSL to obtain information such as passwords, insert malicious code, redirect
the user, or block the user from a service all together. To prevent again MiTM
attacks, you can use a VPN or encryption to authenticate you and the remote host
alike. These attacks are used moreso on local networks then used over the
internet; however, it is still possible.