Internet Investigations - Florida State University

Page 1: Internet Investigations - Florida State University

Internet Investigations

Page 2

Who does internet investigations

● Recon for social engineering (CTFs)
● Intelligence
● Internal investigations
● Criminal investigations

Page 3

Recon for social engineering

● CTFs - Who is Eric Liang?
● Social Engineering
  ○ Feign familiarity
  ○ Spear Phishing
● Recruit Sources (Double Agent)
  ○ Insider Threat
  ○ Insider may not know

Page 4

CyberSeed

Page 5

Intelligence

● HUMINT
● SIGINT
● IMINT
● GEOINT
● MASINT
● TECHINT
● CYBINT
● FININT
● OSINT
● All Source
● Aggregating unclassified to get classified

Page 6

Internal Investigations

● Unauthorized use of resources
● Exfiltration of secrets
● Insider threats / Counter Intelligence
● E-Discovery
● FOIA

Page 7

Criminal Investigations

● Black Markets
  ○ Traditional Goods - Drugs, Weapons, Tools
  ○ Child exploitation
  ○ Human trafficking
  ○ Malware
  ○ Pwned Data
● Doxing and personal security
● Branding & Online Presence for ‘IRL’ crime

Page 8

People incriminate themselves

Post evidence of illegal activity in plain sight

Page 9

#HCMT

Page 10

But why???

● Branding
● Black Market Biz is still Biz
● Hashtags have replaced gang signs

Page 11

Pepsi in a Coke glass #THUGLIFE

Page 12

Types of Forensics

● Seized Computer
● Live
● Mobile
● Embedded
● Cloud

Page 13

How does cyber tie in to forensics?

[Diagram: arrows linking an online user, their other accounts, a computer user, and the real person behind them.]

Page 14

What are we looking for in an image?

● Account info
  ○ Passwords if you can
  ○ Wordlist for PW guessing
● Artifacts of user online activity
● Contraband
  ○ May be classified info they are supposed to have access to, but not on this device

Page 15

What are we looking for online?

● Identifying Information
● IP address registration
● Social Networks (Who people talk to)
● Patterns of life

Page 16

When you stare into the abyss, it stares back into you….

● Online investigation machine is a separate (virtual) machine from forensic workstation
● Sanitize meta-data
● Burner phones
● Disguise IP address

Page 17

Virtual Machines / Appliances

Pen Test - Kali
Forensics - SIFT
Reverse Engineer - REMnux
OSINT - Buscador https://inteltechniques.com/buscador/

Online tools also exist but you would not use those in a real investigation - fine for CTFs.

Page 18

VM best practices

● Take snapshots
● Forensic VM is only online for updates & installing tools
● Use removable media for collecting evidence
  ○ Forensic wipe before and after use
  ○ https://linux.die.net/man/1/nwipe
● Revert snapshot after investigation

Page 19

IP and metadata

● IP lookup - dig, nslookup, naming authority
● TOR (onion router) and VPNs
  ○ Tunnel bear https://www.tunnelbear.com/
  ○ Browser plugins
● Tracking Cookies
  ○ Privacy badger, ublock
  ○ User Agent Switcher
● Document and email metadata

Page 20

Documentation

● Screencap
  ○ SnagIt, built in tools for Linux/Windows 10
  ○ Browser plugins - Awesomeshot, Fireshot
  ○ May have to save offline version of web page
    ■ wget -m -k or save as complete page
  ○ Noscript plugin to disable extra BS
  ○ Screenshot your tools, highlight important stuff (break down Barney style / Snookify)
● Video Capture
  ○ VLC, Camtasia
  ○ Downloader plugins

Page 21

Assume that Snooki is a member of the jury. Write your report and notes accordingly.

(BTW Snooki is in Google’s spell check - no red squiggles) :(

Page 22

Search People

● Search Engines https://www.lifewire.com/search-engines-that-top-the-web-3482269
  ○ Pipl
● Usernames across sites
  ○ https://namechk.com/
  ○ http://checkusernames.com/
● Public records
  ○ http://publicrecords.onlinesearches.com/FL_Leon.htm
● Twitter & Social Network maps

Page 23

Search Images

● Google reverse search
● Tineye
● Fotoforensics

Page 24

Search locations

● Public records
  ○ County GIS
  ○ Voting records - https://registration.elections.myflorida.com/CheckVoterStatus
● Real Estate Sites
● Twitter
● Geotagged posts
  ○ Document in Google MyMaps -> export kmz for Google Earth Pro

Page 25

Do you even google bro?

● Urban dictionary
● Drug Bible
● English. Do you speak it?
● Advanced Google searches
● Use other search engines (they do exist)
  ○ Duckduckgo

Page 26

REGEX

● http://www.regular-expressions.info/reference.html
● Passwords and keys
● Contact info
● Specific kinds of evidence like PII or financial info / credit cards
● GREP
● Python
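The "GREP / Python" idea from this slide in practice, as an added example that is not part of the deck: a regex sweep for contact info and card numbers, with a Luhn check so that any 16-digit number is not reported as a card. The patterns and the sample text are constructed for the example.

```python
import re

# Patterns for the evidence types on the slide: contact info and card numbers.
# Regexes and the sample text below are constructed for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# US-style phone numbers with optional +1 and space/dot/dash separators
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")
# 13-19 digit runs, optionally grouped by spaces or dashes, as card candidates
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Sweep text and return matches by category; cards must pass Luhn."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted({m.group() for m in PHONE_RE.finditer(text)}),
        "cards": cards,
    }


# Constructed sample "evidence" (no real people, numbers or accounts).
SAMPLE = """
contact: jdoe@example.com, alt jane.doe@mail.example.org
call me at (850) 555-0142 or 850.555.0199
card 4111 1111 1111 1111 exp 12/29
order id 1234 5678 9012 3456 (same shape, but fails Luhn)
"""

if __name__ == "__main__":
    for category, hits in scan(SAMPLE).items():
        print(category, hits)
```

The same functions work on the output of strings run over a memory image or disk image, which is where the slide's grep step would be pointed.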

Page 27

Databases

● Many programs such as Chrome, Firefox, and Skype use SQLite
● Forensic tools like sleuthkit catalog evidence in a database.
● Windows Registry
  ○ B-Tree “Hives”
● Thumbnails

Page 28

Where do I start?

● Breadth 1st search vs Depth 1st
● Recent activity
  ○ RAM
  ○ Registry entries
  ○ Recent files - MRU, prefetch, jumplists
  ○ Recent websites - URLs, fav, icons, cookies, cache (index.dat)
  ○ USB drives - make, model, partition serial #
  ○ Printer
  ○ Notes and post-its
● Context of the investigation
● Anti Forensics

Page 29

Walk through the registry

● Document users and system time
● Recent activity
● Installed programs
  ○ Encryption
  ○ Cleaners
● Devices
● Crack the SAM to get saved forms data
  ○ https://www.techsupportalert.com/content/deeper-windows-registry.htm
  ○ http://www.nirsoft.net/
  ○ http://juggernaut.wikidot.com/web
  ○ https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/INSTALL-UBUNTU

Page 30

RAM demo

LiME - https://github.com/504ensicsLabs/LiME

insmod ./lime-4.4.0-97-generic.ko path=/tmp/limedump format=lime
cd /tmp/
strings limedump | grep -i "Internet Investigations" | less

Page 31

SQLite Demo

Windows GUI: sqlitebrowser.org
Linux: sudo apt install sqlite3

sqlite3 filename
.tables
.schema table
Select * from table;
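An added example (not from the deck) that covers both the Databases slide and this demo: the .tables and SELECT steps done from Python against a constructed Firefox-style places.sqlite, plus the timestamp conversions for Firefox (PRTime) and Chrome (WebKit time), which are the usual trip-up when reading browser history. The two tables are a minimal subset of the real Firefox schema, assumed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox places.sqlite stores PRTime: microseconds since 1970-01-01 UTC.
# Chrome's History DB stores WebKit time: microseconds since 1601-01-01 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


def webkit_to_utc(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def list_tables(conn) -> list:
    """Same information as the sqlite3 shell's .tables command."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def firefox_history(conn, limit: int = 10) -> list:
    """Newest visits first, joined to URL and title, with ISO timestamps."""
    rows = conn.execute(
        "SELECT p.url, p.title, v.visit_date "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
        "ORDER BY v.visit_date DESC LIMIT ?", (limit,))
    return [(url, title, prtime_to_utc(ts).isoformat()) for url, title, ts in rows]


def constructed_places_db() -> sqlite3.Connection:
    """Minimal subset of the Firefox schema with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
            place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example');
        INSERT INTO moz_places VALUES (2, 'https://example.org/', 'Org');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1500000000000000);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1600000000000000);
    """)
    return conn


if __name__ == "__main__":
    db = constructed_places_db()
    print(list_tables(db), firefox_history(db))
```

Against a real image, open a copy of the database rather than the original, and keep the query in your notes alongside the screenshot of the result.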

Page 32

Web demo

● Dark Web - will pwn for bitcoin
  ○ https://hansamkt2rr6nfg3.onion
  ○ http://2ogmrlfzdthnwkez.onion/
● Pastebin
● Have I been pwned?
● Virus Total
● OSINT website