Apr 15

If you think you have the skills to match Catherine Willows, Graveyard Shift Supervisor with the Las Vegas Police Department, then read on.

The super-sleuth detectives in TV show CSI have some very nifty tools to help solve crimes. But the need to keep things interesting and wrap the show up in an hour means the technology used in each episode bears little resemblance to the work of real forensic experts. Or does it? When it comes to computer forensics, today’s tools are becoming more advanced, leaving fewer places to hide information. This tension between fact and fiction took on a whole new dimension when Microsoft’s police-only forensic toolkit was leaked on the internet. Reports say that it has more in common with CSI than The Bill.

We’re going to show you how to mimic Microsoft’s offering using open-source software to unlock Windows accounts, investigate suspicious activity, see any file on a Windows disk and even peruse files that others believe have been permanently deleted.

Forensic toolkit

During November 2009, it was announced that someone had leaked Microsoft’s secret crime-fighting software online. Described as a collection of programs linked by a sophisticated script, it was something hackers and other cybercriminals had been dying to get their hands on for some time. Now it’s reportedly available to anyone brave enough to download and install it.

The Computer Online Forensic Evidence Extractor (or COFEE for short) has been available to police forces since at least summer 2007, and is designed to gather forensic evidence at crime scenes and during raids from the still-running PCs of suspects and victims. COFEE reportedly takes the average police officer about 10 minutes to master, and comes supplied on a bootable USB pen drive. It enables trained officers to gather evidence from a running system without the need to call in cybercrime specialists, thereby speeding up investigations.

The USB drive itself is said to contain a package of about 150 forensic programs that enable an investigator to record sensitive information like internet history files and complete practical tasks like deleting Windows passwords. It also enables them to upload the recorded data for further analysis. By April 2008, it was reportedly in use by over 2,000 law enforcement officers throughout 15 countries.

At the time of the leak, Microsoft claimed that COFEE was nothing more than a collection of commercially available programs brought together in a single handy package, which it makes available free of charge (if hitherto secretly) to help combat computer crime.

If that’s true, then is it also possible to create your own version of COFEE using free, open-source software that will grant you complete access to a Windows computer? The answer is a resounding yes, but we must stress that using what you’re about to learn for malicious purposes on a computer you don’t own isn’t big and it’s certainly not clever.

Don’t use the following information to try to hack other people’s computers or networks. Without the in-depth knowledge required to cover your tracks, you’ll be caught and will probably face prosecution. If you hack computer systems in the US and get caught, you should be prepared to undergo a one-sided extradition process and go through a judicial system that will put you on a par with hardened terrorists before forcing you to serve a long prison sentence. There are plenty of commercial computer forensics systems around these days, but many of them cost serious money or are only available to the police. However, the open source community has a solution in the form of a special Linux distribution called Backtrack 4.

Introducing Backtrack 4

Backtrack 4 is based on a stripped-down version of Ubuntu Linux, which is a popular choice for home users because of its ease of installation and use. The makers of Backtrack 4 have stacked the distribution with special security and forensics tools. These make it extremely useful to network security specialists and police forces, as well as anyone interested in knowing exactly what’s happening on their own networks and any second-hand machines they’ve bought.

Backtrack contains a formidable array of hacking tools.

Despite being Linux-based, Backtrack will grant you complete access to data stored on computers running any version of Microsoft Windows. That’s because Windows isn’t running when Backtrack is booted from a DVD or USB pen drive. Linux can read Windows disks, but it doesn’t obey the file permissions, so the machine’s hard disk simply seems to contain a lot of files waiting to be accessed.

As well as booting and running directly from a DVD as a Live CD installation that never installs on your computer, you can also install Backtrack on a hard disk as the only operating system, or next to an existing Windows installation. If you plan to install Backtrack on a USB pen, you’ll need one with a minimum 2GB capacity. This booting option brings Backtrack closer to Microsoft’s COFEE than any other option.

First, you need to download the Backtrack 4 ISO file, which is just under 1.6GB. You can download it from the Backtrack site directly or click the ‘Torrent’ link on the same page. There are multiple sources from which you can leech parts of the file in parallel, so in practice it’s faster to download the ISO as a torrent. Install the Vuze BitTorrent client, after which you can just click the ‘Torrent’ button on the BackTrack site’s download page.

Once the ISO has downloaded, use it to make a bootable DVD. We’ve listed a free and easy-to-use CD/DVD package capable of making bootable disks in the Resources section. When that’s done, test your work by ensuring your BIOS is set to boot from CD/DVD before attempting to boot from your hard disk, then insert the DVD and reboot the PC. Select the option to boot with a screen resolution of 1,024 x 768. When Backtrack has booted, you’ll see a command line. To start a desktop environment, enter the command startx and press [Enter]. After a few seconds, the standard KDE desktop will start.

Don’t be put off by the command line that appears when you first boot up.

Find your way around

Backtrack is loaded with all the obscure little utilities used by professional security consultants. Many of them are fiddly command-line programs, but a lot have graphical front ends that make them simple to use.

Hover your mouse over the icons on the menu bar at the bottom of the desktop and KDE will tell you the name of each one. We’ll use the names that appear when you do this to make things easy to identify here.

Because Backtrack is designed for network security work, the network interface cards are disabled by default when you boot it up. This is because if anyone (or anything) is listening to network traffic, the last thing you want to do is announce your presence by requesting an IP address over DHCP.

To enable networking, click the black Konsole icon to open a terminal window, then enter the following command: /etc/init.d/networking start. After a moment or two, during which lots of verbiage scrolls up the screen, open Firefox (the icon is next to the terminal on the menu bar) and enter www.google.com as a URL. You should see the world’s favourite search engine appear.

Much like the Start button in Windows, the left-hand icon on the menu bar brings up the installed programs and system configuration options. This is called the K menu and is organised into subject areas. The one we’re most interested in is the first: ‘Backtrack’. Click on this and you’ll see a submenu containing categories of hacking programs, with which Backtrack has been preloaded. Clicking one of these reveals nested subcategories right down to individual programs.

Map the neighbourhood

Let’s begin by scanning the local network for hosts (another name for networked computers). Starting from the K menu, select ‘Backtrack | Network Mapping | Identify Live Hosts | Autoscan’. A wizard will appear. Click ‘Forward’ and you’ll be asked for the name of a network to scan. Leave this as ‘Local network’ and click ‘Forward’ again. The next screen asks where the network is located. We’re scanning the local network, so accept the default of it being connected to your computer by clicking ‘Forward’ once more.

Next, select the default network adaptor. This will usually be called ‘eth0’. If you don’t see any adaptors in the pulldown menu, it’s because you didn’t start networking earlier. Close Autoscan, start networking and run Autoscan again. Click ‘Forward’ one last time to confirm what you’ve asked Autoscan to do, then maximise the user interface that appears so you can see everything. Autoscan now contacts every possible IP address on the local subnet to see if there’s a machine connected to it. If there is, it adds an entry to the left-hand pane. Notice that in some cases, Autoscan can even tell you the username that’s logged in.

When you select a host, Autoscan will attempt to gain more information about it for you. A wizard will also appear, asking you to add it to the Autoscan online database. Cancel this. You can switch between the tabs in the interface’s right-hand pane to display a summary of the machine, detailed information or an inventory.

Autoscan works by sending a stream of specially crafted packets to each host in turn. These are designed to return information about the running system and can give away a surprising amount of information. Autoscan is a useful tool for detecting whether your neighbours are leeching your Wi-Fi, for example. If you don’t recognise a host, it’s probably an intruder – so up your security!

Wipe passwords

Logging into a Windows system is easy using Backtrack, even if you don’t know any of the usernames or passwords that have been set up. That’s because you can use a utility bundled with Backtrack to remove the password on any Windows account, including administrator accounts. This is possible because of a file called the SAM (Security Access Manager), which is normally locked by the Windows kernel so that no one else can read it. This is modifiable while Windows isn’t running.

First, we need to find out where the system’s hard disk resides in Linux. To do this, click the Konqueror icon on the desktop menu bar. This will open the Konqueror desktop browser. Click the ‘Storage media’ link. If you don’t see anything right away, press [F5] to refresh the view. Among the media that Backtrack knows about on your system, you’ll see your hard disk. Click this and you’ll see the folders in C:\, which is useful if you need to copy, add or modify files without logging into Windows directly.

Now select the Home icon on the Konqueror toolbar (the one that’s shaped like a house) and click the blue ‘up’ arrow next to it. Click the Media folder, and then the ‘Hard disk’ icon again. The location bar will change to give the name we must use to access the disk. It’ll be something like ‘/media/disk’.

Now, from the Start menu, select ‘Backtrack | Privilege Escalation | Password Attacks | Chntpw’. ‘Chntpw’ stands for ‘Change NT Passwords’ and it works on all versions of Windows. When you run the command, a terminal window opens. You can ignore the verbiage on the screen and enter the following command: chntpw -i /media/disk/Windows/System32/config/SAM. The capitalisations are very important here – ‘chntpw’ is all lowercase. If your Windows partition is called something other than ‘disk’, put its name in place of this in the command. Press [Enter] and a text-based menu will appear. Select ‘Option one’ and press [Enter] again. This gives you a list of the Windows user accounts. Type the name of the account you want to change (taking care to use the correct case for each letter) and then press [Enter].

Using the Chntpw utility to wipe a user’s password enables you to log into that account unhindered.

Chntpw displays lots of details about the account and gives you a number of options. Select ‘Option one’ and the password will be removed from the account. To exit, type ! and press [Enter], then press [Q] and hit [Enter] again. Chntpw will ask if you want to write the hive files. You do, so press [Y] followed by [Enter].

If you now reboot into Windows, you’ll be able to log into the account you’ve changed without being prompted to enter a password.

Recovering deleted files

Many people believe that when they delete a file and then empty the Recycle Bin, it’s gone for good – but this isn’t the case. Windows, like all modern domestic OSes, simply marks the sectors on the disk occupied by the deleted file as available for future reuse. It would be inefficient to overwrite the data those sectors contain until new data is ready to be stored. In the meantime, the old file is still there, available to be read by anyone with access to a file recovery utility.

Backtrack contains several such applications. Among the easier to use is PhotoRec, which is capable of scanning a hard disk and recovering a comprehensive list of all files marked as deleted. In fact, it can recover far more than just files deleted by users, including temporary files left over from when the operating system was installed. This means it’s a good idea to have a spare USB pen drive handy to store the recovered files for later perusal, because they can easily run into the thousands. To get going, insert the drive and run Konqueror. Click ‘Storage media’ and then select your USB pen drive to ensure that Backtrack is aware of it. You can leave Konqueror open and check the scan’s progress later.

Now run PhotoRec by navigating to ‘Backtrack | Digital Forensics | Forensic Analysis’ and then selecting ‘PhotoRec’.

The program itself runs on the command line, but it’s menu-driven, making it easier to use. When PhotoRec runs, it first presents you with a list of the hard disk partitions on the computer. In the case of a Windows-only machine, there’ll probably be only one large one. However, in some Windows 7 installations, there may be a second, small partition that the system uses to store recovery data. Use the up and down arrow keys to select the main partition, then press [Enter] to continue.

PhotoRec can understand a large number of partition table types and will automatically identify the one used on your disk, so accept the default on the next screen by pressing [Enter] again.

The next screen enables you to specify the file types to recover. Use the left and right arrow keys to highlight ‘File Opt’ at the bottom of the screen. Next, press [Enter]. The resultant display will give you a long list of all the recognised types. If you only want to recover one file type (JPG, for example), press [S] to deselect everything, then scroll down to the relevant type and press [Space]. You can use the [Page up] and [Page down] keys to navigate through the list more quickly.


Once you’re happy with your file type selections, press [Enter] and select the filesystem you want to scan. Use the left and right arrow keys to select the ‘Search’ option, then press [Enter]. This presents you with a choice of filesystem types. For a Windows filesystem, make sure you select ‘Other’, then press [Enter]. On the next screen, select ‘Free’ to ensure that the program only scans disk sectors that are marked as free space. Press [Enter] again to continue.

You’ll now be asked where to store the recovered files. The default is the directory ‘/usr/local/bin’, which is on the boot media. Press the left arrow key three times to get back to the root directory, then press the down arrow key repeatedly to navigate to the media directory. When you reach it, press [Enter] to see the media connected to the system. One of the devices you find should be the USB pen drive you inserted and navigated to in Konqueror just a moment ago. Select this and press [Enter] again. Finally, press [Y] to begin recovering deleted files.

The extraction process can take quite a while, depending on how much free space there is to scan on the disk and the number of file types you’ve specified. As the scan progresses, the number of files of each type will increase. PhotoRec creates a long list of subfolders in which it stores all the files it’s recovered. By perusing these, you may be able to locate some interesting or even incriminating pictures and other documents.
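To make concrete why deleted files are still readable (the point made at the start of this section) and how a tool like PhotoRec finds them in ‘Free’ space, here is a toy signature-based carver. It is an added example written for this page, not PhotoRec’s own code or anything from the original article: the disk image, its sector bitmap and the ‘deleted’ JPEG-like blob are all constructed in the script. It walks only the sectors the filesystem has marked free, looks for the JPEG start-of-image and end-of-image markers, and then shows that overwriting free space (what a free-space wipe does) is what actually makes the data unrecoverable.

```python
"""Toy signature-based file carver, in the spirit of PhotoRec's 'Free' scan.

Everything here is constructed for the demo: a tiny disk image split into
512-byte sectors, a bitmap saying which sectors are allocated, a live file,
and a JPEG-like blob whose directory entry is gone but whose bytes remain.
"""

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker: first three bytes of every JPEG
JPEG_EOI = b"\xff\xd9"       # end-of-image marker: last two bytes of every JPEG


def fake_jpeg(body: bytes) -> bytes:
    """Constructed JPEG-like blob: genuine markers, arbitrary body (not a real picture)."""
    return JPEG_SOI + b"\xe0" + body + JPEG_EOI


def build_image(num_sectors: int = 16):
    """Return (image_bytes, free_sector_list, deleted_blob).

    Sectors 0-1: a live file, still allocated by the filesystem.
    Sectors 4-6: a JPEG that was 'deleted': its sectors went back on the free
                 list, but nothing has overwritten them yet.
    Everything else: zero-filled free space.
    """
    image = bytearray(num_sectors * SECTOR)
    allocated = [False] * num_sectors

    live = b"LIVE-FILE-" * 60                      # 600 bytes -> occupies sectors 0 and 1
    image[0:len(live)] = live
    for s in range(-(-len(live) // SECTOR)):      # ceil(len / SECTOR) sectors marked used
        allocated[s] = True

    deleted = fake_jpeg(b"\x00\x11\x22" * 400)     # 1206 bytes -> spans sectors 4, 5, 6
    start = 4 * SECTOR
    image[start:start + len(deleted)] = deleted
    # No allocated[] entries set for it: the directory entry is gone, the data is not.

    free = [i for i, used in enumerate(allocated) if not used]
    return bytes(image), free, deleted


def carve_free_space(image: bytes, free_sectors, max_len: int = 64 * 1024):
    """Carve JPEG-like blobs out of free sectors only.

    Allocated sectors are never examined, mirroring PhotoRec's 'Free' option.
    Consecutive free sectors are joined into one run before searching, because
    a deleted file usually spans several sectors.
    """
    runs, run = [], []
    for s in free_sectors:
        if run and s != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(s)
    if run:
        runs.append(run)

    carved = []
    for run in runs:
        data = image[run[0] * SECTOR:(run[-1] + 1) * SECTOR]
        pos = 0
        while True:
            start = data.find(JPEG_SOI, pos)
            if start < 0:
                break
            end = data.find(JPEG_EOI, start + len(JPEG_SOI))
            if end < 0 or end - start > max_len:
                break                              # footer missing or implausibly far: give up on this run
            carved.append(data[start:end + len(JPEG_EOI)])
            pos = end + len(JPEG_EOI)
    return carved


def wipe_free_space(image: bytes, free_sectors) -> bytes:
    """Overwrite every free sector with zeros, as a free-space wipe tool would."""
    out = bytearray(image)
    for s in free_sectors:
        out[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)


def demo():
    """Carve before and after wiping; returns (found_before, intact, found_after)."""
    image, free, deleted = build_image()
    before = carve_free_space(image, free)
    after = carve_free_space(wipe_free_space(image, free), free)
    return len(before), bool(before) and before[0] == deleted, len(after)


if __name__ == "__main__":
    print(demo())  # (1, True, 0)
```

The carver recovers the ‘deleted’ blob byte-for-byte even though no filesystem metadata points at it, which is exactly the situation the section describes; the same scan over the wiped image finds nothing, which is the mitigation if you genuinely need a file gone.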

Feb 26

There are three reasons why Linux isn’t succeeding on the desktop, and none of them are to do with missing functionality, using the command line or the politics of free software. The first is that there’s too much momentum behind Microsoft Windows and too many preconceptions about the alternatives. Linux is perceived as having too much of a learning curve for relatively few advantages and an unknown heritage. Migrating big business to a Linux desktop is akin to turning a T1-class supertanker around mid-Atlantic. The opposite direction may look brighter, but it’s easier to chug onwards into the storm.

You only have to look at the number of people clinging to Microsoft’s venerable Office suite to see this point clearly. For the vast majority, most of its functional fecundity is wasted. Many people could arguably be just as (un)productive with Notepad, Calculator and Paint, let alone using an open-source alternative such as OpenOffice.org. Its use seems to have more to do with keeping face when attaching files to an email than a genuine operational advantage. Most people will only consider an alternative when there are bigger issues, larger icebergs or uncertain territories on the horizon.

Away from the desktop, Linux is faring better. Smaller, more agile businesses quickly quantify the cost advantages to produce cheaper and more competitive products. This is why embedded Linux has been such a success on everything from Chinese mobile phones to almost every NAS box around. This may mean that success on the desktop is only a matter of time, or it may mean that the Linux desktop is too far removed from the Linux kernel.

The second reason for failure is that Linux lacks centralised marketing. This is because there’s no real Linux Central. It’s just a trademark owned by its creator, Linus, and a term normally reserved for just the kernel of the operating system – hardly the easiest product to sell. There are plenty of people advertising their own Linux endeavours, all keen to push their own angle on its advantages. This divided effort compounds the problem. With the likes of Red Hat, Novell and Canonical all fighting for their own slice of the pie, there’s no one left to push Linux as a distinctive brand. That’s something Apple and Microsoft do extremely well, and something Linux leaves to Tux the penguin.

Many would argue that standards are the answer to this conundrum, and that would mean a single base distribution. This could then be the only distribution called ‘Linux’ – everything else would become ‘Linux-based’. Mozilla manages this well with the use of the Firefox brand. It’s freely distributable and modifiable, but it can only be called ‘Firefox’ in its untouched incarnation. Change anything and you need to change the name. For example, Debian calls its Firefox build ‘IceMonkey’ because it needs to reserve the right to make modifications, thus breaking Mozilla’s standards. This may cause confusion if you look for Firefox on your Debian desktop, but it also sets a precedent for the kind of experience that Mozilla expects its users to have, and Debian hackers still have the code to mess around with if they need to. It’s a compromise, but it might work in a world with hundreds of Linux distros.

The third reason is easy to see but harder to solve. It’s the reason why you’re not using Linux now. The solution would make all other problems redundant. The reason why you’re not using Linux now is because there isn’t a good enough reason to. Sober advantages such as better security, improved performance, rock-solid stability and low cost aren’t going to win converts. These advantages aren’t exciting enough; they’re the equivalent of a spreadsheet of mortgage repayments.

What we really want is a significant upgrade, something you’d normally pay for. Perhaps we should focus on value. Recent analysis of the kernel by Jon Corbet showed that 75 per cent of the 2.8 million lines of code in recent contributions were written by paid-for developers. That puts Linux freedom in context.

But the biggest challenge is sexiness. There’s very little of it in Linux unless you’re an antisocial geek, and products like Apple’s iPad illustrate this massive divide painfully. As Jim Zemlin, Executive Director of the Linux Foundation, puts it, “Linux can compete with the iPad on price, but where’s the magic?”

Linux has the programmers, the managers, the community, the innovation, the time and the skill. But to succeed in 2010 and the coming decade, what it really needs is a magician or two.

Feb 23

Twitter has been the social-networking world’s flavour of the moment for quite some time. However, it’s not without its issues.

Could anything be more dangerous to the modern celebrity than Twitter? The media has always been ready to pounce on famous personalities’ smallest mistakes, but Twitter lends its high-profile users a foghorn. If Jonathan Ross (@Wossy) wasn’t already in enough trouble for leaving lewd messages on Andrew Sachs’ answering machine, his antics on Twitter made him an even juicier tabloid target. “Utterly unwepentant” sniffed The Daily Mail after Ross wrote an update stating “Suspension is fun” on the micro-blogging service during the period that his shows were off-air. Another Mail headline branded the 49-year-old presenter “shameless” after he tweeted, “I am very polite in person. I’m just not great with answering machines.”

And Ross isn’t the only famous Twitter user to find themselves in hot water following a carelessly worded tweet. The BBC’s technology correspondent Rory Cellan-Jones (@ruskin147) was asked via Twitter why he chose to omit Wordscraper from a piece on Facebook’s word game applications. “’Cos i couldn’t be bothered!” came the reply. Cellan-Jones’s response was promptly republished on a blog along with the withering comment, “Years from now, when British journalism has finally breathed its last, this phrase will be engraved on its tombstone.”

However, Cellan-Jones seemed to be intrigued rather than embarrassed by the matter, using it as inspiration for a blog on the tricky business of working out what is and isn’t appropriate to say on social-networking sites. “My throwaway remark has been turned into the basis for an indictment of the whole of British journalism,” he commented. “[It’s] a useful reminder that Twitter – like so many other online forums – is a public place, and what you say there may be used in evidence against you.”

To tweet, to whom?

Most of the time, people don’t see danger coming. “Because it’s more immediate, people are perhaps thinking even less about what they do,” says Iain Connor, a partner at technology specialist law firm Pinsent Masons. Tweets might have a short shelf life, he argues, “but that’s not to say that sufficient damage can’t be done in a short period of time”.

One person who knows this better than most is basketball team owner Mark Cuban (@mcuban). Cuban owns the Dallas Mavericks and, after a game in March, he used Twitter to complain that an opposing player wasn’t whistled for a foul. “How do they not call a tech on JR Smith for coming off the bench to taunt our player on the ground?” he fumed. A few days later the NBA smacked him with a $25,000 fine. Still, the billionaire managed to see the funny side of his punishment, adding “Can’t say no one makes money from Twitter now,” as he paid up.

You may not be a celebrity, but the wrong words could find you out of a job, in hot water with friends or facing charges.

Mark Borkowski is a PR expert who has represented Michael Jackson, Eddie Izzard and Van Morrison. He says that Twitter is “dangerous for anybody”, but that it poses particular risks for stars. “You’re live all the time – no editing,” he says. “[What someone] thinks about in the nanosecond that they’re tweeting could become an enormous issue, and it’s global.” No stars seem to have been permanently damaged by mis-tweeting yet, but it’s possible, says Borkowski. “It depends what you say. If you make a racist or outrageous comment then it’s very difficult to come back from.”

Today’s headlines

Twitter isn’t all self-immolation on the part of celebrities, either. With the ability of tweets to spread like wildfire – first across Twitter itself and then across news websites worldwide – a hacked account spells disaster. “Britney has passed today,” said a tweet on Britney Spears’ account (@britneyspears) after it was hacked in June. Spears had more than two million followers at the time, meaning that the ‘news’ travelled fast. But this isn’t the first – or last – time that Spears’ account has been hacked. Mid-November saw her account spammed with updates telling the world that the singer had started worshipping Satan, and back in January followers were surprised to see this message from the star: “Hi y’all! Brit Brit here, just wanted to update you all on the size of my vagina. It’s about four feet wide with razor sharp teeth.” Perhaps Spears and her team need to take password security a little more seriously in future.

Twitter attempts to limit the potential damage done by celebrity impersonators by using Verified accounts. “That means we’ve been in contact with the person or entity the account is representing and verified that it is approved,” says the site. But what about the impersonators that Twitter knows exist, yet continue to post in the celebrity’s name?

Verified accounts were Twitter’s first push towards professional services. Commercial accounts are on the way.

“Twitter’s pretty poor at actually taking off fakes,” says Borkowski, but the amount of damage done by hackers is usually limited. Big social-networking sites are “incredibly reasonable” when it comes to removing objectionable content, according to lawyer Iain Connor. “They need to keep their credibility [and] they need to keep their trusted brand,” he says.

Verified accounts don’t mean safety for the celebrity, however: they simply confirm that it was probably the star who wrote the message. Without the usual filter of PR managers, talent agents or editors to prevent the publication of anything potentially damaging, such accounts are a dream for the media. Twitter is “a newswire direct from the celebrity” that newspapers turn into stories, confirms Borkowski.

Business as usual

But even if individual stars are at risk from Twitter, corporations should be safe, shouldn’t they? After all, “just about every organisation has a PR department now,” according to Managing Director of Racepoint PR, Blaise Hammond. Racepoint PR manages public relations for social media sites such as Digg, eHarmony and BlogHer.

The illusion that all companies tread carefully with new services such as Twitter was shattered in June, however, when furniture retailer Habitat (@habitatuk) attempted to cash in on the site. The store tweeted about deals it was offering, then attempted to give its tweets greater visibility by attaching unrelated hashtags (a hash symbol followed by a keyword that enables Twitter users to search for and follow a popular ‘trending topic’). “#Mousavi Join the database for free to win a £1,000 gift card” read one tweet, disastrously mixing the Iranian presidential candidate with a drive to sign people to its mailing list. “#iPhone Our totally desirable Spring collection now has 20% off!” read another.

Habitat acted swiftly to remove the offending tweets, but the damage was done. The story was picked up by mainstream news organisations such as Sky and the BBC, provoking outrage that the company was abusing the hashtag system and essentially spamming users. Habitat was quick to acknowledge its blunder and offered contrition. “We are treating this very seriously,” said the company. “We were shocked when we discovered what happened and are very sorry for the offence that was caused. This is totally against our communications strategy.”

Adding irrelevant hashtags to marketing tweets was “incredibly stupid”, according to Hammond. “It was very easy to find out, and they got found out straight away.” He says companies need to think carefully about how they tweet. “Thoughtlessness coupled with stupidity equals big impact,” he says. “Common sense is missing in so many cases.” Even when a company has a specific Twitter strategy, “more often than not it’s not as good as it could be because they just don’t think about it enough”.

Gun, foot, aim, fire

While Twitter clearly poses problems for high-profile Twitterers, it can be a threat to individuals as well. Few know this better than Connor Riley (@theconnor), a student at the University of California in Berkeley who was offered a summer internship last year by networking giant Cisco.

“Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work” she tweeted to her followers. But she soon regretted it. “Who is the hiring manager? I’m sure they would love to know that you will hate the work. We here at Cisco are versed in the web” tweeted Tim Levad, a services consultant at Cisco, in response. Before long, the story had hit MSNBC, The Los Angeles Times and hundreds of blogs worldwide. Riley now calls her misguided tweet “a stupid mistake”, and says that it was the result of treating Twitter like Facebook, where only your close friends are able to see what you say.

Mark Borkowski advises celebrities on how to manage their ‘brand’ through social media sites.

However, Iain Connor notes that “it’s perfectly legal” for companies to monitor what their employees are up to on social-networking sites. “As an employee you have a duty of good faith to your employer,” he says. “That duty of good faith extends not just to your nine to five.”

So what’s a Twitterer to do? “Don’t drink and tweet,” advises Borkowski. More importantly, don’t take it too seriously. Borkowski says social media refuseniks are dying out. “Take it with a pinch of salt and it’s fun, it’s interesting, and you learn more,” he recommends. Just remember to think twice before you say anything that you wouldn’t want your mother – or your employer – to read.