Category: Other

Other computing tips

Computer forensics Linux distribution CAINE

CAINE (Computer Aided INvestigative Environment) is an Ubuntu based Linux distribution targeted at computer forensic investigators, from law enforcement to private digital investigators. It comes with friendly graphical interfaces for most forensic tools making this OS a good choice for students and computer forensic amateurs, as well as professionals. There is a front end called XSteg for Stegdetect, a tool to detect messages hidden in images (steganography), dd, a command tool to mirror and restore files can be used with a front end called AIR (Automated Image & Rescue) supporting dc3dd an enhanced dd version that includes features like hashing and zeroing files specially developed for digital forensics by the US Department of Defense Cyber Crime Center. The Sleuth Kit, a set of command line tools can be used in CAINE through Autopsy, a graphical front end that looks like a browser, a command based network scanner called nmap can be used with point and click thanks to zenmap.

CAINE computer forensics distribution

Once you have finished your work CAINE makes it easy to create a written report as .rtf or HTML. For those who don’t know, unlike .docx or .odf (Open Document Fortmat), .rtf (Rich Text Format), files, although Microsoft proprietary, they are widely supported by most software and do not include metadata.

Computer forensics live CDs are widely used during investigations because they do not write anything to the host computer, however you should use a widely tested distribution to make sure that it works as expected and do not trust what a community or vendor distribution claims because only wide testing can find out unexpected bugs.

When you boot this live CD you will be given the choice to install the OS in your hard drive, I would not advise you to use CAINE as your everyday operating system because it comes with very few applications that are not computer related and it won’t be of much for a home user daily entertainment activities. You should not confuse this distribution with a penetration testing operating system like BackTrack, there are no offensive tools included in CAINE and only a few network related tools (WireShark, Cryptcat and Zenmap), CAINE purpose is to perform a post-mortem of a machine after an incident and gather data.

Home users can use this live DVD to reset a user’s password on a Windows machine with chntpw , recover corrupted data with ddrescue, partition a disk with Gparted, or monitor a hard drive health and temperature with HDSentinel.

Visit CAINE homepage

22 October, 2012
Steganography and encryption with StegHide UI

StegHide UI is a GUI interface for Steghide, an open source steganography program to encrypt and hide data inside images (.jpeg, .bmp) and audio files (.wav, .au), it allows users to do everything Stegide can do with a point and click mouse saving you the command line learning curve. There is a tab where you can use this steganography tool in command line mode were you to feel inclined to do so, StegHide UI offers you the best of both worlds, a GUI and command line all in one program.

There is no need for installation, administrator rights are only needed to change the program settings. You can change the default encryption method, an already secure AES128-bit in CBC mode, set the default output folder or change the command line background colour, font and font colour. The only included help manual consists of the command line tab where you can type “help” and get a list of possible commands. GUI operation is fairly easy, to hide and encrypt files go to the “Embed” tab, select the carrier image or sound where to hide the data and the file you would like to hide, enter a password and choose the encryption algorithm and method using a drop down menu.

Steganography and encryption StegHide UI

To decrypt an steganographic message reverse the process using the “Extract” tab, enter the password and choose the output file with resulting extension, you will need to know what type of file is hidden (.txt, .mp3, .jpg, etc) to get the extension right and be able to view it with the correct program. There is a wide range of encryption algorithms available, the safest are AES Rijndael 128/192/256, Blowfish, TripeDES, Twofish and Serpent, other low strength ciphers like Enigma, Gost, CAST128/256 and Arcfour are included too.

If you would like to defeat steganalysis, the art of detecting hidden data inside files, make sure to securely erase the original file, comparing two files side by side and looking at their differences it is possible to see that data has been embedded in one of them making the extraction easier for an attacker, but encryption with a strong password should still stop adversaries.

Visit StegHide UI homepage

24 August, 2012
Erase hidden data with the Metadata Anonymisation Toolkit

Metadata embedded in a document or media file can tell a lot about its author, creation time and date, original file author and modifications, location on a computer network where data was created, standards used and custom metadata can all be included in text documents, images, PDFs, spreadsheets, video files, music and others, most people are not even aware that they are leaking information in the documents they publish on the Internet and free tools like Metagoofil, included with Backtrack, can easily extract this metadata and expose who is behind certain document or image and where and when it was taken.

Supported file formats

– Portable Network Graphics (PNG)
– JPEG (.jpeg, .jpg, …)
– Open Document (.odt, .odx, .ods, …)
– Office Openxml (.docx, .pptx, .xlsx, …)
– Portable Document Fileformat (.pdf)
– Tape ARchive (.tar, .tar.bz2, .tar.gz)
– ZIP (.zip)
– MPEG Audio (.mp3, .mp2, .mp1, .mpa)
– Ogg Vorbis (.ogg)
– Free Lossless Audio Codec (.flac)
– Torrent (.torrent)

Tails Metadata Anonymisation Toolkit

The Metadata Anonymisation Toolkit will remove all metadata in files leaving it empty, however watermarks or steganographic tags won’t be removed but unlike metadata being added by default by many utilities, like Microsoft Office adding author name and smartphones adding GPS coordinates in photographs, watermarks are not usually inadvertently added and the original author will likely be aware of their existence, often inserted to track down forbidden sharing of confidential documents or pre-release movie versions. Summing up, MAT will protect you from accidental metadata leakage but not from customized metadata specifically included to track down the author.

This software can be found in Tails, JonDo Live-CD and Debian Linux, if you need a Windows or MAC tool check my list of programs to edit Exif data.

Visit Metadata Anonymisation Toolkit homepage

20 August, 2012
Hardware encryption adapters Enova Enigma vs CipherUSB

These encryption adapters are not to be confused with encrypted USB thumbdrives, the dongles do not store any data themselves, they are are simple hardware devices with a cryptochip to perform the encryption process making data only accessible using the dongle.

The USB ciphering dongle sits in between a USB host (desktop computer) and a USB device (thumbdrive, external HDD, blu-ray, etc), encrypting all data going through it before writing everything on the external device, there is no need to install drivers and no software is involved, encryption is hardware based with little performance issues, the dongle will work in any operating system.

In addition to desktop computers these devices can be used to encrypt data in tablets and smartphones as long as a USB port is present

Enova Enigma USB

NIST (National Institute of Standards and Technology)/CSE (Communications Security Establishment) certified, using hardware AES-256 ECB/CBC encryption strength. Data written to the USB drive through the Enova Enigma dongle is automatically encrypted and decrypted when read out from the drive, requiring no additional hardware or software.

Enova Enigma USB encryption dongle

It works in Windows, Mac, Linux and Android but configuration can only be done in Windows and data can not be encrypted in place you will have to start from zero wiping everything. USB3 compliant, there is more than one model, AES128/256bit in ECB or CBC mode, Cipher Block Chaining with AES256 is the most secure dongle, all models are strong enough to withstand state sponsored attackers but AES256 in CBC mode should buy you more time in case of future cryptographic breakthroughs.

A recovery password of up to 32 characters can be set up and used if you lose the device. A “Write-Protect” function protects the USB stick from malware infections, FIPS 140-2 certification of the crypto module is in progress.

Visit Enova Enigma homepage

Addonics CipherUSB

Hardware-based, FIPS-certified AES 256-bit encryption, strong enough to protect top secret information in Government agencies, it does not require software or driver installation, operating system agnostic (Windows, Mac, Linux, Solaris, BSD), it can encrypt Blu-Ray, DVD or CD discs using an external burner connected to the dongle.

It is not possible to encrypt content already in place, you will have to format the drive first and restore the data.

Addonics CipherUSB encryption adapter

CipherUSB can be daisy-chained, if you insert two or more devices together to encrypt a drive it will be impossible to decrypt it again unless it is using the same two chained devices, this allows you to split the decryption keys in between more than one person.

The enclosure is made of plastic but tamper resistant, preventing opening of the unit without destroying the plastic housing, a power/activity LED will show that everything is working as expected. There is no backdoor but you have the option of inserting a recovery password of up to 32 characters long, if you lose your device you can buy a new one and decrypt the data using this recovery password, if you do not set it up the data would remain undecipherable.

CipherUSB can be used for full disk encryption, including the Master Boot Record, encrypted disks will show as blank when viewed.

Visit CipherUSB homepage

Conclusion Enova Enigma vs CipherUSB

After looking at the specs, both encryption adapters are equally secure, certified and fast, there is little difference in between them, Enova Enigma has the unique “read only” feature that stops malware from installing into the USB but CipherUSB specifically mentions on its page that they have no backdoor, Enova Enigma does not confirm nor deny anything about backdoors, this is an important piece of information that all security vendors should make clearly visible.

I would probably go for CipherUSB if I had to buy one of them, CipherUSB is slightly cheaper and I would get peace of mind about no factory backdoors included.

15 August, 2012
Brute force a Truecrypt volume with TrueCrack

Truecrack is an open source Linux only tool optimized with Nvidia Cuda (Compute Unified Device Architecture ) technology, a computing platform able to process queries in parallel that can be used to crack Truecrypt volumes greatly speeding up brute force attacks, Truecrack will only work if the volume has been encrypted with the default Truecrypt settings RIPEMD160 and XTS block cipher mode based on AES. The software can read a list of passwords from a text file or generate a list of possible passwords from a charset of symbols defined by the user, a dictionary attack of 10,000 possible passwords with a length of 10 characters each will take 11 minutes to execute on an Intel Core i7 computer CPU, the same list of possible passwords in GPU mode (Nvidia Cuda technology) only takes 30 seconds to execute.

Truecrack will open a Truecrypt volume and retrieve the masterkey from its header section checking the success of the deciphering operation, if the password is right or wrong, querying the true and crc32 fields.

Truecrack brute force Truecrypt

This is not the first tool designed to crack Truecrypt, while Truecrypt default settings are safe, for what I have seen in other similar tools they are all optimized to crack Truecrypt encryption having into account that the user did not change the default cipher (AES) or key derivation (RIPEMD160) and they do not work when keyfiles have been used. Choosing a strong passphrase should stop any brute force attack on your Truecrypt volume but if you would like to play the paranoid card it would be a good idea to change the default settings to something else, like a cascade algorithm, and add a keyfile.

Visit TrueCrack homepage

11 July, 2012
Free speech hosting in Iceland with OrangeWebsite

OrangeWebsite is a hosting company specialised in free speech hosting with its headquarters and servers based in Iceland, their terms and conditions allow you to host any controversial material with the only exception of neonazi websites because ethnic agitation is a crime in Iceland and sites that promote potential harm to minors or link to child pornography. You are also allowed to run a tor proxy or VPN using one of their servers, their range of services embrace private whois domain registration (outside the USA), shared hosting for small businesses or personal websites, virtual servers and dedicated servers. Customers can sign up for hosting, affiliate program and domain registration anonymously, you will only be asked for your email address and Bitcoins will be used for payments.

I was given a package to test their services and I was quite pleased with everything, I have been using cPanel for years but I had not problem getting used to their ispCP (Internet Service Provider Control Panel) administration panel used to manage domains and files, it is more simple than cPanel and has less features but enough to get the job done, if you would like to install WordPress or a similar platform and do not know how to do it, you can request to have it installed for you at no extra cost when you order the hosting plan. The welcome email will include all the details you need to set your website, host IP to FTP files, DNS server for your domain and a URL to access webmail (RoundCube), one of the addresses is indicated as special access without leaving any logs.

OrangeWebsite hosting control panel

Backups are performed daily but the SQL database will have to be downloaded manually using using phpMyAdmin where the username is your database user and password is the database user password, one main difference to have into account in comparison with cPanel.

OrangeWebsite should fulfill the needs of those longing for reasonably priced offshore free speech hosting and/or privacy email service (hosted or forwarded) located outside the EU and USA, the best part is that they accept Bitcoin payments making anonymity easier to achieve cutting payment processing companies and their silly terms and conditions out of the equation, this hosting company should also be suitable for people in need of personalised in-house support as opposed to big hosting companies where customers are just a ticket number to the staff. It should not be difficult for a customer to contact OrangeWebsite CEO if you have to.

UPDATE 2013: OrangeWebsite is now using cPanel for webhosting.

Visit OrangeWebsite hosting

2 July, 2012
Cain & Abel Windows password cracker

Cain&Abel is a long standing password recovery tool that can sniff passwords from the network you are in, crack encrypted passwords using dictionary, brute force and cryptanalysis attacks, record VoIP conversations creating an MP3 audio file, reveal password boxes, analyse encrypted SSH and HTTPS connections and much more. The target public are security researchers, network administrators and IT teachers but it can also be exploited by the bad guys of course, the developer will not help in illegal activities.

I downloaded this program from the official site and AVG antivirus gave me a warning that the software contained a trojan horse, due to how password crackers work it is possible your antivirus will trigger a security warning too, it is up to you to decide what to do, I also got a popup warning from Cain&Abel saying that I had Windows firewall enabled and this would stop some features, implying that I should disable it for everything to work. You will be asked to optionally install WinPCap a packet capture library, without it Cain&Abel wireless packet sniffing won’t work.

Cain&Abel password cracker

How to record a VoIP call with Cain&Abel

To record a VoIP call with Cain&Abel go to “Configure“, click the “Sniffer” tab, select the network interface card from the list and save the settings, now go to the “Sniffer” tab in the main window choose “VoIP” and “Start Sniffing“, from now on any voice over IP call that goes through the network will be encrypted and saved as MP3, you will have to wait until enough traffic has been generated before being able to listen to the audio file.

The configuration window can also be used to create self-signed fake digital certificates, retrieve a digital certificate using a proxy with the “Certificates Collector” or launch an ARP (Arp Poison Routing) attack with a real or spoofed IP and MAC address. This free password cracker is one of the most complete available in the market and an excellent tool to learn about computer security, everything is easily classified in tabs “Decoders“, “Network“, “Sniffer“, “Cracker“, “Traceroute“, “CCDU“, “Wireless” and “Query“, each one of those tabs contains related extra options.

To use Cain&Abel you should have some computer security background, this is not a tool for the complete beginner, the most basic tool Cain&Abel includes is a Base64 password decoder going up to a WPA PSK (Pre-Shared Key) calculator and an RSA SecurID Token calculator, this is an excellent tool to find out about passwords, it contains a password decoder, cracker and dumper as well as hash calculators with support for Wifi for network monitoring.

Visit Cain&Abel homepage

20 May, 2012