Internet Browsers:  First and foremost, run the most up-to-date version of your internet browser: Internet Explorer 8 (IE 8), FireFox 3.6, Safari 4, and Chrome.  Of the four browsers listed, we found FireFox to be the most secure and Safari, the least.  The reason for running the newest version is the new security features—mainly webpage warnings—in the browsers.  For example, when we used our less sophisticated MITN attack on IE 8, warnings appeared instructing the user not to continue on to the webpage; in IE 7, there were no such warnings.  However, the more sophisticated MITM attack showed all the browsers to be lacking as none of them flashed warnings.

Unsecured Networks: It’s best to avoid any free, unsecured wireless network.  There’s no telling who is on it or what they’re up to.  If you need to use the network, DO NOT login to your online bank account, important email accounts, or any other site you don’t want others to look at or access.

Alternatives: The best thing for you to do is to buy an Aircard from one of the cellular telephone companies.  These will cost a bit more, but your coverage and security will be significantly improved.  If you are a little more tech savvy, you can setup a VPN client to browse off of your home network.  This will be slower but also safer.  Also, when given the choice between free wireless and pay-to-use wireless, always pay to use it.  This will ensure there is at least some kind of security or encryption.

Best Practices: Whenever possible, only use networks you are familiar with and the security settings are known.  If travelling, invest in an Aircard.  Make sure your home networks are running at least a WPA encryption (WEP is too weak).

NO!  It’s not safe.  Our Elluma Discovery experts recently evaluated the security of different types of wireless networks, and what we discovered both amazed and scared us.

Utilizing a Man in the Middle attack (MITM) on a wireless network, we easily recovered usernames and passwords for some of the most commonly visited sites on the web.  The MITM attack essentially places the attacking computer in the middle of the victim’s computer and the internet router, so all the information—including the usernames and passwords—sent from the victim to the router can be intercepted by the attacker.

At first we weren’t able to see usernames and passwords that were encoded with SSL (the encoding used for HTTPS), which most banking, email, and social networking sites use to protect their clients and users.  Unfortunately, we found a way around the encryption.  At the end of the day we could read any password sent over the wireless network.

Our testing was done over an unsecured wireless network like those you might find in coffee shops, libraries, airports, hotels, and bookstores; however, your secured home wireless network could also be asking for intruders.  Most wireless networks, if secured use Wired Equivalent Privacy (WEP).  In short, these networks can be cracked in 5-10 minutes.  We recommend you use the stronger Wi-Fi Protected Access 2 (WPA2) encryption, which will take more time and know-how to break into.

Cell phone forensic expert Eric Robi was interviewed by CBS News about cell phone spyware technology. A forensic analysis of several different cell phone spy packages such as FlexiSpy and Mobile Spy showed that this type of software is effective at capturing private information such as SMS text messages, emails, and call logs all without the victim’s knowledge. One package was even allowed us to listen in on live test calls we made to our staff (with their full consent and cooperation obviously). We were also able to turn on the mic of our test phone and listen in on ourselves. We found that GPS tracking worked, albeit very poorly and we were even able to download pictures taken with the phone.

Fortunately since we were last interviewed for a cell phone story, several anti-malware software packages have appeared on the market, all of which have some degree of effectiveness. SMobile proved effective against spyware in our Blackberry tests. Forensically speaking, mobile phone spyware is quite difficult to detect. If you think you’re a victim, I urge you to read our article on getting spyware off your phone here.

Unfortunately, we won’t be able to assist you if you think you have this bit of nastiness on your phone. We work with corporate clients and law firms, but we do not work with consumers. Please have your attorney contact us. If you do not have an attorney we cannot help you at this time unless you are a corporation.

We do quite a bit of cell phone forensics and we will be happy to assist you understanding how the evidence on a mobile phone affects your case. Give us a call in our LAX Los Angeles office at 310-318-1073.

Download the PDF guide HOW TO ELIMINATE SPYWARE ON YOUR CELL PHONE

Our senior computer forensic expert Dave Kleiman appeared on CNN In Session to discuss the Devonni Benton murder trial. Benton is charged with the shooting murder of Jasmine Lynn at Clark Atlanta University.

The only person to identify the shooter is Brandon Hall who picked him out from a photo lineup. Apparently Hall sent a Facebook message to Benton’s girlfriend stating “I could have been mistaken, but I saw the Mohawk and Devo was the only one…” Hall denied sending the Facebook message.

Since Hall denies sending the message (that CNN has a copy of), is it possible that someone hacked into Hall’s account and sent the message? Kleiman, (Elluma’s Florida office) says that while it is possible to hack into a Facebook account, it is probably beyond the skill level of the ordinary user. In fact, it is quite possible to prove if Hall is telling the truth by sending a subpoena to Facebook and obtaining the IP addresses used to log into his account. Law enforcement has the power of a criminal subpoena which will get a response within a few days. In civil litigation, a subpoena can provide the same information, but it can take up to 30 days to obtain.

Since credibility of the only person to identify Benton is now in question, wouldn’t it make sense for law enforcement to trace the IP addresses used to log into Hall’s account? An IP address can link a person to a physical address. If it was actually Hall that was logged into his Facebook account at the time the message was sent, it seems likely he was the sender. Conversely, if the IP address recorded by Facebook when the message was sent was not Hall’s, then it would cast doubt on the authenticity of the message.

Elluma Computer forensic expert from our West Palm Beach Florida office appeared yesterday on CNN In Session discussing the Sarah Palin email hacking case. David Kernell is accused of breaking into Palin’s email account by using Yahoo’s email password reset utility. In this interview for In Session, Kleiman, author and technical editor of Perfect Passwords, discusses how to use incorrect answers to Yahoo’s security questions. By using false answers, it makes it much harder for someone to guess your answer and be able to reset your password. CNN’s Vinnie Politan interviewed Forensic expert Dave Kleiman and discussed how to track down a hacker and how to better protect yourself.
When we respond to an intrusion case, we often see instances of very weak passwords that were easily defeated by a password cracking utility, Sarah Palin’s case, simply by guessing the answer. Poor passwords are often the weakest link in an otherwise strong security system.

Computer forensics expert witness Dave Kleiman was featured on ABC News, Florida discussing an alleged computer security breach at the City of Lake Worth, Florida. Kleiman conducted an independent analysis of audit logs, security logs, and computers used by ex-employees in an effort to determine if there was unauthorized access. His forensic analysis revealed a lack of evidence indicating that there had been any intrusion.

When we examine a computer system to see if it has been ‘hacked’ or if there are unauthorized access, we will typically examine log files, registry artifacts and other items of forensic interest. Independent expert  Kleiman showed that there was no evidence that any computer was wrongfully used to access the city’s network. The City of Lake Worth manager Susan Stanton claims that the terminated employees failed to carry out their duties.

Working in the world of bits and bytes, one of the first things we will check during a document evaluation is metadata. Files such as Microsoft Word documents can contain hidden information known as metadata. Metadata is “data about the data.” If we were to use an analogy, if you were to investigate a homicide in which a gun was used, the metadata would be everything about the gun, including fingerprints on the handle and trigger, the type of bullet fired, the time and date it was fired, and the number of times it was fired.

The metadata embedded in a Microsoft Word document might reveal: the creator name, company name, when the file was created, where the file was saved, total editing time and potentially much more. This list is not exhaustive, instead just offering a peek of what most document metadata contains. Any of these elements can be used to show a document is authentic or not.

Unexpected Metadata Revelations
If someone is surreptitiously trying to backdate a contract created in Microsoft Word, one thing they might do is set the clock back and then save the document with an earlier date. Taking a casual look at the computer, you might see Windows shows that the document was created or modified on the earlier date. However, a deeper inspection of the document itself might reveal that the metadata embedded in the document is inconsistent with the Windows time/date stamps.

For example, Windows might show a Last Modified Date of Jan. 23, 2005 while the metadata embedded in the document itself might show a much later date and even a different author. The document metadata can also reveal the total document editing time. When a document is intentionally backdated by setting the clock back and then resaving the document, the total editing time indicated can be unrealistically high, sometime showing that the document was edited for years. Since typical document editing time is measured in hours or days, when we see a document that has been edited for years we become understandably suspicious.

Metadata used in conjunction with other elements of computer forensics such as internet activity, examination of emails and Windows time/date stamps can be used to determine if a document is the real deal or a forgery.

Is The Document Worth The Paper It’s Printed On?

Recently we have looked at a number of agreements, and letters of intent that are provided to us on paper. If the authenticity of the document is questioned, somehow the electronic version of the document is almost always difficult to get access to. However, in those cases where we are able to examine the electronic version of the document, often a very different story emerges, illuminated by the bright light of metadata.

Eric Robi, computer forensics expert witness and President of Elluma Discovery was interviewed on Fox 11 News in Los Angeles on “Scareware”.

Scareware is a type of malware that installs on a victim computer often by means of a compromised website or email attachment. It then informs the victim that his or her computer is infected and that in order to clean it, the victim must purchase the software. Unfortunately, even if the computer contains no malware, the victim is prompted for credit card information. The malware is very difficult to remove and sometimes requires a complete reinstallation of the operating system completely get rid of it.

Luckily, we quickly found another identical power supply on eBay. We plugged it thinking our computer forensic analyst mojo had properly diagnosed the problem. We plugged in the new power supply. Nothing. Zip. Nada.

Where did we go wrong? At this point we began to think it had a bad motherboard, memory or CPU. Of course being the antique that it is, parts had long gone out production. While we were still scratching our heads trying to figure out the next step an analyst said “Why don’t we pull out one of the CPUs and see if it will boot”. After a few days of waiting for the power supply and an anxious client waiting for their electronic discovery project to commence we were left with few options.

We pulled out our dust masks and gingerly extracted both CPUs. Then we swapped the position of one and left the other one out. What are the odds of this thing booting now? If you’re like us, you might think they are 1% or less – after all, we had exhausted most of our other options short of trying to locate a new motherboard.

We pressed the power button, and hung garlic from the monitor to ward off the digital vampires. Bingo! The server fired up! In the picture below you will notice the missing CPU as we’re now taking a verifiable forensic copy of the hard drives.