Archive for the 'Privacy' Category

Secret Squirrel

Concealing one’s activities on the Web is something every Investigator should understand. You need this knowledge both for your own use and to recognise how these techniques may deny you needed information. Yet using these techniques may also mark you as an undesirable in some circumstances.

The following are methods used to obscure Internet traffic and avoid IP blacklists and content filters.


Surveillance in a Wireless World

When a Windows PC, in its default configuration, is unable to find any wi-fi access point, it actively seeks one out. In doing this it broadcasts signals trying to connect with any network to which it has previously connected, cycling through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by anyone nearby with a simple wireless tool running in “sniffing mode”. All of the network names it has connected with are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the PC owner – where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Any network that PC has connected to using wi-fi is an open book.
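An added example (not from the original post) for checking your own machine's exposure: it parses saved wi-fi profiles in the XML layout that `netsh wlan export profile` writes on Windows Vista and later, and flags the entries worth deleting or switching to manual connection. The sample profiles, the `make_profile` helper and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Windows WLAN profiles.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def make_profile(ssid, mode, hidden, auth):
    """Constructed sample in the exported layout (illustrative helper)."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
  </authEncryption></security></MSM>
</WLANProfile>"""

def _text(root, path):
    # Missing elements yield "" and are simply not flagged.
    return root.findtext(path, default="", namespaces=NS).strip().lower()

def audit_profile(xml_text):
    """Return (ssid, findings) for one saved-network profile."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="?", namespaces=NS)
    findings = []
    if _text(root, "w:connectionMode") == "auto":
        findings.append("auto-connect")    # joined without asking the user
    if _text(root, "w:SSIDConfig/w:nonBroadcast") == "true":
        findings.append("hidden-ssid")     # must be probed for by name
    if _text(root, "w:MSM/w:security/w:authEncryption/w:authentication") == "open":
        findings.append("open-network")    # open authentication
    return ssid, findings

def audit(profiles):
    """Map SSID -> findings for every profile that has at least one."""
    results = (audit_profile(p) for p in profiles)
    return {ssid: f for ssid, f in results if f}

# Constructed sample data, not real networks.
SAMPLES = [
    make_profile("HomeNet", "auto", "false", "WPA2PSK"),
    make_profile("AirportFreeWiFi", "auto", "false", "open"),
    make_profile("OfficeHidden", "auto", "true", "WPA2PSK"),
    make_profile("HotelGuest", "manual", "false", "open"),
    make_profile("OldOffice", "manual", "false", "WPA2PSK"),
]

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLES).items():
        print(f"{ssid}: {', '.join(findings)}")
```

Profiles flagged `hidden-ssid` deserve attention first, because a hidden network never announces its name and the client has to ask for it by name.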

Defeating Forensic Examination of Computers

The incinerator and shredder were the crook’s best friend prior to the computer era. Today, software is available for the same purpose. A search for “anti-forensics” turns up a lot of usable information and guidance for those so inclined.

Of particular interest should be the Metasploit Anti-Forensics Project. If you are unaware of the tools that come under the term anti-forensics, then an article from CIO entitled “How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab” should illustrate that Investigators now face anti-forensics as part of everyday life.

Convicted by your own computer

Pocket Spy

The pocket spy: Will your Smartphone rat you out?
by Linda Geddes, 14 October 2009 issue of New Scientist

  • learn where to get an app that will encrypt all the data on your phone should you lose it
  • what happens with recycled cell phones
  • a smashed SIM card can still have data extracted from it
  • and much more

Facebook & Privacy

Facebook recently responded to a subpoena from Virginia by saying that it was “overly broad” because the federal Electronic Communications Privacy Act (ECPA) protects the privacy of user accounts. The lawyer who issued the subpoena then requested a “contempt citation against Facebook” from Virginia’s Workers Compensation Commission. Facebook argued successfully that “Courts have interpreted the ECPA to prohibit services such as Facebook from producing a non-consenting subscriber’s communications even when those communications are sought pursuant to a court order or subpoena.” This was a case where a claimant’s Facebook content contradicted the details of her claim.

For many years, “privacy rights” have been used to conceal the proceeds or methods of crime. Some businesses like Facebook aggressively support “privacy rights” to enhance their bottom line.

The article cited above shows how large internet services such as Facebook can make investigation and litigation impractical from time and cost standpoints. It illustrates the type of battle you may be forced into to get evidence, not only in civil cases but also in criminal cases such as fraud. These multimillion dollar internet companies have the money to fight the production of any court-ordered information. If the word “privacy” can be attached to any issue, then these companies are endorsed by assorted “privacy rights” groups.

Yet, in Toronto, Canada, we see how Facebook seems to be acting in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA) for refusing to grant Playboy model Anissa Holmes access to her own pictures or delete them from Facebook servers after shutting down her profile. This isn’t the first time Facebook has run afoul of Canada’s premier privacy law, PIPEDA.

It seems that it doesn’t matter which side of the privacy issues you’re on, it’s a good payday for lawyers.

Secure File Delivery

Delivery of large reports and file material is becoming a problem for many organisations. Electronic file delivery poses risks to the integrity and security of the data, and delivery of printed copies is too slow and expensive. Email delivery is not possible in many cases as the files may be too large, even when zipped.

You can resort to establishing an FTP site of your own, or create a secure delivery site using something like OWL, or use a third party service.

A usable third party solution to this problem is YouSendIt. This lets you send and receive files up to 2GB in size. A zipped 2GB file represents a large volume of data. Passwords control access to files you are sending and receiving, but YouSendIt does not encrypt files on their servers.

Regardless of the solution selected, the person transmitting the data must assume responsibility for the encryption. Never, ever, let somebody else take responsibility for the encryption — do it yourself on your own computer.

The Modern Slave Bracelet

Your mobile phone can become a slave bracelet if it is compromised by malicious software.

Xerobank, Zero Customer Service

In a previous post we mentioned XeroBank as a possible alternative to TOR.

Once you’ve figured it out, XeroBank is a great system! It’s a VPN connection to their servers which assigns you either a Dutch, US or Canadian IP address; other nations’ IP addresses are not available. There is some confusion on their website as to whether other countries are available or not. The website merely says you can choose a country.

Once connected via the VPN, you can use all your browser and other programs to access the internet. We did not try their email service. The system is fast and you can even stream in video quite easily. Basically, it’s a great service if you have lots of time to read up on it and figure it out on your own because there is no customer support or documentation from the company; the public forums are the only place you’ll get any answers.

The sign up process and administration process are not straightforward. It is very hard to understand how to log in to the account and how to use it. Four emails to customer service over the course of 3 weeks after sign up and no answers.

They say the first month of the service is free but as you’re signing up you’re asked for your credit card and they charge you $1 for the first month; it is then very difficult to cancel your subscription, actually you can only put it on hold by going onto the website of the billing company that they use and suspend your account, but we only learned that by asking the question on their public forum where we received an answer from someone we presume to be an employee; emails to support were never answered.

Customer support is non-existent. They are more interested in the technology than their customers. (If you want to see the people who might be behind XeroBank, please have a look at the delegation they sent to the last DEFCON event.)

Google Docs Privacy Risk

The following article illustrates the dangers of using web-based collaborative applications.

Google Privacy Blunder Shares Your Docs Without Permission
by Jason Kincaid on March 7, 2009

In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.

Power User 115 – The Page File

With Windows XP, to clear the page file on shutdown go to Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> Shutdown: Clear Virtual Memory Pagefile and enable it. It is wise to enable this setting on every computer you use.

We tell people to travel with a “clean” laptop. However, Windows creates a lot of temporary files. The most damaging can be the Page file. Everything that went into virtual memory is there in a file on the hard drive. Of course you should also use a good file erasure programme before shutting off the laptop.

Power User 114 – File Wipers

Even computer ‘wipers’ leave a mark

Evidence Eliminator and similar software can kill out files and perform other tasks. But their use can raise red flags in a legal dispute.

But the wiper programs don’t ensure a clean getaway. They leave behind a kind of digital calling card.

“Not only do these programs leave a trace that they were used, they each have a distinctive fingerprint,” Kessler said. “Evidence Eliminator leaves one that’s different from Window Washer, and so on.”

I recommend the use of file erasure tools, especially when crossing international borders with computers. If you use such a programme regularly you have plausible deniability if you’re accused of erasing data to keep it from the police or the courts. If you always use it, then its “fingerprint” will always be there. If the install date matches the computer’s purchase date, then they can’t say you did this to eliminate the evidence the courts or police were seeking. Also, get a receipt for the wiper programme to show when it was purchased for the same reason.

File erasure programmes are part of prudent security practices and should not be viewed as something suspicious.

Secret Laser Printer ID Codes

This is not a new issue. A 2004 PC World article described the technology. In February, 2008, I wrote about the EU concerns that these secret printer ID codes may break EU Privacy laws. The EFF has a list of the printers that print these secret codes used by the US government to match a document to the laser printer that produced it.

Another article about this appeared in USA Today a few days ago.

Printer dots raise privacy concerns

The dots, invisible to the naked eye, can be seen using a blue LED light and are used by authorities such as the Secret Service to investigate counterfeit bills made with laser printers…

Privacy advocates worry that the little-known technology could ensnare political dissidents, whistle-blowers or anyone who prints materials that authorities want to track.

The dots are produced only on laser devices and not ink-jet printers, which are most commonly used at home…

As an investigator, this might present an opportunity if the dot pattern is consistent enough to be matched to a particular printer or printer type without being able to decode the dots. If this were the case, then you might not need the ability to decode the dots in some instances. For example, at a company with many different types of laser printers, the process of elimination might indicate which printer(s) could have created a document.

Incompetence and Non-compliance to the Rescue

An interesting study found that 87% of data breaches are the result of incompetence and carelessness.

Another study shows a large disconnect between the executives tasked with protecting customer data and marketing departments, which use the data for advertising purposes or share it with third parties.

a third of marketing execs said they don’t place any limits on the data they share with third parties, such as e-mail marketing agencies or online advertisers. By contrast, 75% of privacy officers believe that their companies limit the sharing of customer data.

These findings are a good reminder that asking questions will yield useful data that the people answering shouldn’t divulge. It’s all in how you ask the question.

Tracking Internet Users – Phorm

Fears over advert system privacy

Online advert system Phorm could make the net less secure and breaches human rights, the service’s creators have been told.

BT, Virgin and Carphone Warehouse have signed up to trial Phorm.

Phorm works by connecting a user’s web surfing habits to a series of advertising channels in order to target adverts.

Keywords in websites visited by a user are scanned and connected to advertising categories, and then matched to particular adverts.