Digital Forensics Tools

If we want to study and work in Computer Forensics, we should have a deep technical knowledge about file systems and how to recover files. Therefore, we have to know about raw file recovery, how to get metadata as well as we should understand how file systems work like FAT, Ext4, NTFS, HFS+, etc. On the other hand, choosing the right tools to get reliable information and preserve evidences is too important thus I’m going to write about some interesting tools we can use to analyse digital evidences.

Once we have digital evidences, it’s important to preserve evidences and they shouldn’t be modified under no circumstances for keeping valid evidences. There are many tools to do this but, for instance, we can use AccessData FTK Imager for hashing verification and read only access. In addition, this tool can be also used to know what files have been deleted as well as to recover files. Next, we can see a deleted file into the root directory from VOL02 partition, which has a FAT16 file system.

AccessData FTK Imager

 

Another interesting tool is Active Disk Editor which is a freeware tool available for Windows and Linux to view and edit raw sectors on physical disks, partitions, and files content in hexadecimal form. This is an excellent tool for opening partitions and volumes and searching into the file system as well as analysing the boot record like MBR (Master Boot Record) and partition table like GPT (GUID Partition Table). What’s more, there are many templates which are useful to highlight sectors by colours and they contain hyperlinks for easily navigation.

Active Disk Editor

 

PhotoRec is another file recovery freeware, older than FTK Imager at the moment, available for Windows and Linux. We can use this software for recovering files like video, documents, and archives from hard disks, CD-ROMs, USB memory sticks, memory cards, etc. Moreover, PhotoRec is able to recover more than 480 file extensions and it uses read-only access for recovering lost data which is mandatory to preserve digital evidences.

PhotoRec

 

As you can see, there are many file recovery tools and Recuva is another one. This is an easy to use tool, with a free version, to recover lost files from damaged or newly formatted drives. Furthermore, Recuva can be used to delete files securely thanks to industry and military standard deletion techniques for overwriting drives.

Recuva

 

Getting metadata information is powerful because we can have lots of interesting information from hidden data. I already knew FOCA from Eleven Paths but ExifTool is another excellent free and open-source software for reading, writing and manipulating image, audio, video and PDF metadata. ExifTool is used by the image hosting site Flickr to parse the metadata from uploaded images and it uses many types of metadata like Exif, IPTC, etc.

ExifTool

These are just some interesting tools useful for the examination and analysis process of Computer Forensics. However, we’ll need more tools and lots of technical knowledge when we are with a real evidence but this is a good point to start with analysis of digital evidences.

Regards my friends and keep studying!

Make your own malicious WhatsApp

We can see how to create a backdoor for Android systems in my last post but if we want to be more convincing to deploy a trojan into someone’s mobile, we’ll need to customize the malicious application. For instance, it would be a good idea to change the App name to WhatsApp Messenger, Facebook or some other social network, as well as customize permissions and modify the default App icon to some more convincing.

Step 1: The first step is to make the malicious mobile application with the MSFvenom tool from Kali Linux where we set the IP address and port of the C&C server.

Making the Malicious Apk

 

Step 2: Once the malicious application has been created, we have to decompile the application to get important files, which are going to be modified to make the application more convincing.

Decompiling the Malicious Apk

 

Step 3: It’s time to modify the AndroidManifiest.xml file to customize permissions and avoid warnings in the installation as well as to change the line highlighted to add icons.

Modifying App Permissions into the AndroidManifiest.xml file

 

On the other hand, we can edit the strings.xml file into the “values” folder, which is into the “res” folder, to modify the application name for some more convincing. For instance, WhatsApp Messenger Plus.

Modifying the App Name into the strings.xml file

 

If we want to customize application icons as well, we’ll have to make three new folders into the “res” folder and copy inside icon png files.

• We should have a 72x72 pixels file called icon.png into the drawable-hdpi-v4 folder.
• We should have a 36x36 pixels file called icon.png into the drawable-ldpi-v4 folder.
• We should have a 48x48 pixels file called icon.png into the drawable-mdpi-v4 folder.

Modifying App Icons into the rest folder

 

It’s easy to resize images on the net. There are many services to do this. For instance, resizeimage.net.

Step 4: The next step is to compile the custom application with the apktool command to make a new application with all our custom features. Once executed, we’ll see the new application into the “dist” folder.

Compiling the Malicious App

 

Step 5: We've almost done. Android systems don’t allow installing applications without signing thus we have to sign manually the application with jarsigner and our keystore.

Signing the Malicious Apk

 

Step 6: We are ready to deploy the custom application to someone’s mobile. As you can see, it’s simple and easy, and we just need social engineering to get our aim.

Fake WhatsApp Messenger Plus

Once malicious application is installed into some Android system, we’ll have to start the listener with multi/handler exploit from Metasploit, which will be our C&C system to control Android devices. We can know how to start the listener from my last post (step 3).

I’m not responsible for any illegal activity performed by the reader because this is for education purpose only.

Regards my friends and be a good guy!

How to create a Backdoor for Android systems

There are lots of documentation, how-to and videos today on the net to create our own backdoor for Android devices. Therefore, it’s increasingly easy to “develop” a backdoor and trojan to spy someone and thus this is extremely dangerous in the wrong hands. Once again, if we don’t want to be the victim, security awareness is too important to detect social engineering attacks and block access to malicious websites or unknown mail.

I’m going to write an easy how-to today to create a backdoor for Android devices although there are many tutorials on the net like this. Of course, I’m not responsible for any illegal activity performed by the reader because this is for education purpose only.

Step 1: We are going to create a payload .apk file from Kali Linux with the MSFvenom tool. This tool is a combination of msfpayload and msfencode, which are no longer used.

MSFvenom payload

-p = Payload to be used

LHOST = Localhost IP to receive a back connection. We have used private IP address for testing into the lab while if the victim are going to be on the Internet, LHOST should be a public IP address.

LPORT= Localhost Port on which the connection listen for the victim.

R = Raw format (We select apk).

Location = to save the file.

Step 2: Once successfully created .apk file, we have to sign the .apk file because Android devices don’t allow installing apps without the appropriately signed certificate. Therefore, we are going to sign the .apk file manually.

First, if we don’t have a valid keystore, we have to create our own keystore.

Keytool making Keystore

Second, we are going to sign the .apk file with our own key.

Signing an apk file with JARsigner

Third, we are going to align the .apk file into a new file with zipalign. It’s important to highlight that zipalign package isn’t installed by default in Kali Linux thus we’ll have to install zipaling previously with apt-get install zipalign.

Aligning the apk into new file using zipalign

 

Step 3: We have already finished with the backdoor app and it’s time for starting the listener with multi/handler exploit using Metasploit.

Starting Metasploit

 

We’ll also have to setting up the parameters for listening in the right IP address and TCP port number with a reverse TCP meterpreter:

Setting up the exploit

Finally, we run the exploit and wait for victims:

Executing the exploit

Step 4: It’s time for sharing and installing the android.apk file to the victim mobile device. If we have configure a public IP address into the apk payload, we can use the android.apk file everywhere, which is what attackers actually do. On the other hand, the way to share the android.apk file is up to you because what attackers actually do is sharing by social networks, mail, etc.

Installing the application on an Android device

Step 5: Once the App is installed into the victim mobile device, we can go back to Kali Linux to see a session meterpreter is opened, which means we have access to the mobile device.

Successfully got the meterpreter session

From a session meterpreter we can get contacts (dump_contacts), last calls (dump_calllog), upload/download files, record audio with the microphone (record_mic), even take picture or open the webcam.

Webcam Streaming

 

As we can see, it’s easy to create a backdoor for Android mobile devices. From my point of view, it’s a cyberweapon for spying that in the wrong hands, and with a little bit creativity, could be harmful for innocent people.

Regards my friends and be a good guy!

Governance of Information Security

Six years ago, I got my first certification about best practices for IT service management (ITSM), which was my first steps into processes, procedures and tasks to know how to align my daily tasks into the business needs. Next, the company where I work, Ariadnex, decided to get the ISO 20000 and the ISO 27001 to implement service quality and information security, which was a hard time because we were developing and writing many policies and procedures to define, measure and improve services, and at the same time, protecting the systems and information. After that, I got CISA and CISM certifications where I learnt about Information Systems Auditing and Information Security Management as well as about strategies, policies and procedures.

Today, after 8 years of working in IT, I've come across with many Security Frameworks, and IT Service Management Frameworks as well. Everybody knows about ISO 27001 and ISO 20000 but when we speak about COSO for Corporate Governance; COBIT, Val IT or ISO 38500 for IT Governance and Management; or ISO 27014 for Information Security Governance, it's difficult to understand well enough the differences. However, there are many other frameworks like SABSA, TOGAF, etc.

Topology of IT-related standards

Nevertheless, most of these frameworks are created for big companies where there is a department for compliance, monitoring and control, but Spain is different because most companies are medium and small companies where there is no department about compliance, monitoring and control nor security department either. I’m wondering how many companies there are in Extremadura with more than five people in the security department? One? Two?

I think the most known security standard is the ISO 27001 but, maybe, there should be a light ISO 27001 for medium and small companies as well because 14 security domains and 114 controls is too much for companies with less than 25 employees. On the other hand, if we speak about Governance of Information Security or the ISO 27014, most medium and small companies don’t know what I’m talking about because their needs are not to establish organization-wide information security, adopt a risk-based approach, set the direction of investment decisions, ensure conformance with internal and external requirements, foster a security-positive environment or review performance in relation to business outcomes, but they don’t have time to think about it and they are working without any alignment to the business needs.

ISO/IEC 27014

This last week, I read about a governance framework I didn’t know which is called Val IT. I came across to Val IT when I was reading about ISO 38500 and ISO 27014, and it’s a framework to create business value from IT investments which has three domains (Value Governance, Portfolio Management and Investment Management). This is an old framework developed by ISACA in 2008 that along with Risk IT and COBIT 4.1 was released the new COBIT 5.

Governance of Enterprise IT

I’m finishing of writing this post and I’ve just realised that I wrote about Information Security Governance two years ago when I was studying for CISA and CISM certifications thus this is a new thinking about Governance of Information Security.

Regards my friends and keep studying!

Computer Forensics

Technology grows exponentially and this is good for our society because we can live better, we can keep in touch easily with each other regardless where we are and even there will be more jobs opportunities in jobs that nobody knows today because they still have to be invented. However, this growth is challenging because there are increasingly more threats and we also have to keep studying again and again to learn new things. Therefore, I'm going to write about computer forensics this time which is a new field I’m studying these days, and it’s unknown for many IT engineers, but it is very important when we have to analyse an attack.

The forensic process has four phases which are collection, examination, analysis and reporting. The first one, collection, is for identifying, labelling, recording and collecting a data related to a specific event. The second one, examination, forensic tools and techniques are executed to identify and extract the relevant information from the collected data. The third one, analysis, is for analysing the results of the examination to get useful information. The last one, reporting, is for reporting the result of the analysis, which may include describing the actions performed, determining what other actions need to be done, etc.

Forensic Process

The investigator role is very important in forensics because if the investigator makes something wrong with digital evidences, they can be modified or destroyed, thus the evidence would be useless. This is the reason why there are usually two roles into the investigation. One role called Digital Evidence First Responder (DEFR) for identification, gathering, acquisition and preservation of the digital evidence, and another role called Digital Evidence Specialist (DES) to help DEFR with the expertise of analysing determined evidences.

Investigators should work in a laboratory where they can store evidences securely because the integrity and security of evidences are very important. On the other hand, investigators should have all kind of operating systems and many hardware and software tools like password recovery software, forensic analysis suites, virtualization software, management project software, antivirus, etc.

Forensic Analysis Suites

Investigators should also keep the chain of custody which is a process where evidences are handled without any modification to assure the integrity, authenticity, traceability, preservation and location of digital evidences. The chain of custody is done through documentation and hashing.

Chain of Custody

Finally, it’s important to highlight that everyone could be an investigator to perform forensic activities because it’s not required any certification, although it helps. What’s really mandatory is to say always the truth and we must be unbiased to show clearly and understandably to the judge those technical aspects difficult to understand in a court of law.

Regards my friends, extends your knowledge, keep studying!!