[infowar.de] Cyber forensics is booming
... not only at the FBI, but above all at private providers.
Firms increasingly call on cyberforensics teams
By Deborah Radcliff
(IDG) -- Businesses with intellectual property and online customers to
are increasingly calling on cyberforensics investigators to get to the
cases of employee wrongdoing and electronic crimes. "People are calling
when they find malicious software installed on their servers, when
leaking sensitive information, when they suspect employee harassment --
even in cybersquatting cases," says Ed Skoudis, vice president of
hacking at Predictive Systems Inc., a technology services firm in New
Forensic techniques vary depending on the type of investigation. For
investigative firms, like Brandon Internet Services, simply track and trace over the Internet and sort through other publicly available electronic records.
Large businesses use cyberinvestigators to set up alarms and traps to
watch and catch intruders and criminals within their networks.
To show a cross-section of different types of cyberinvestigations and the tools used to conduct them, Computerworld profiles three ways that organizations have dealt with crime -- and sometimes criminals -- in their midst.
The Case of the Freaky Accounts
How techniques of Internet and database investigations thwarted two
Russian "carders" (credit card thieves):
There were too many Hudsens and Stivensons opening accounts with PayPal
an online payment processing company in Palo Alto, California. John
PayPal's lead fraud investigator (and a former military intelligence
discovered 10 names opening batches of 40 or more accounts that were
to buy high-value computer goods in auctions on eBay.com. So PayPal
funds used to pay for the eBay goods (all to be shipped to an address in
started an investigation.
Then, one of PayPal's merchants reported that it had been redirected to a mock site called PayPaI. Kothanek's team set up sniffer software, which catches traffic, at the mock site. The software showed that operators of the mock site were using it to capture PayPal user log-ins and passwords. Investigators also used the sniffer to log the perpetrators' own IP address, which they then used to
against PayPal's database. It turned out that all of the accounts under
scrutiny were opened by the same IP address.
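The two findings that drove this part of the investigation, batches of accounts opened under near-duplicate names and a single source IP behind all of them, are both simple correlations over sign-up records. The script below is an added example, not code from the article or from PayPal; the sign-up log, the IP addresses and the thresholds are all constructed for illustration.

```python
# Added example (not from the Computerworld article or PayPal): correlate
# account sign-ups by source IP to surface batch-created accounts and to
# check whether a set of suspect accounts share one origin address.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-up log: (account_id, holder_name, source_ip, created_at).
# Three ordinary sign-ups from documentation-range addresses ...
SIGNUPS = [
    ("a2001", "M. Rivera", "198.51.100.20", "2001-06-02T09:12:00"),
    ("a2002", "L. Chen", "198.51.100.31", "2001-06-02T11:40:00"),
    ("a2003", "P. Okafor", "198.51.100.20", "2001-06-03T08:05:00"),
]
# ... plus six accounts under near-duplicate names, all opened from one
# address within 25 minutes (the pattern the investigators describe).
for i, name in enumerate(["A. Hudsen", "B. Hudsen", "C. Stivenson",
                          "D. Stivenson", "E. Hudsen", "F. Stivenson"]):
    SIGNUPS.append((f"a10{i:02d}", name, "203.0.113.7",
                    f"2001-06-02T10:{5 * i:02d}:00"))

# Accounts already under scrutiny for the fraud analyst (constructed).
SUSPECT_ACCOUNTS = ["a1000", "a1001", "a1002", "a1003", "a1004", "a1005"]


def accounts_by_ip(records):
    """Group sign-up records by the IP address that opened them."""
    groups = defaultdict(list)
    for acct, name, ip, ts in records:
        groups[ip].append((acct, name, datetime.fromisoformat(ts)))
    return groups


def batch_openers(records, min_accounts=5, window=timedelta(hours=1)):
    """Return {ip: count} for IPs that opened at least `min_accounts`
    accounts inside any `window`-long interval (sliding window over the
    sorted creation times)."""
    flagged = {}
    for ip, rows in accounts_by_ip(records).items():
        times = sorted(t for _, _, t in rows)
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def shared_origin(records, suspect_accounts):
    """Return the set of source IPs behind the given accounts; a
    single-element set means every suspect account came from one address."""
    wanted = set(suspect_accounts)
    return {ip for acct, _, ip, _ in records if acct in wanted}


if __name__ == "__main__":
    print("batch openers:", batch_openers(SIGNUPS))
    print("origin of suspect accounts:", shared_origin(SIGNUPS, SUSPECT_ACCOUNTS))
```

The sliding window matters in practice: counting accounts per IP over all time would also flag a busy shared address such as a corporate proxy, whereas dozens of sign-ups from one address within an hour is the signature worth a fraud analyst's attention.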
Using two freeware network-discovery tools, TraceRoute and Sam Spade,
found a connection between the fake PayPal server address and the
address in Russia to which the accounts were trying to send goods.
calls were pouring in from credit card companies disputing the charges
the suspect PayPal accounts. The perpetrators had racked up more than
in fraudulent charges using stolen credit cards -- and PayPal was fully
"Carders typically buy high-value goods like computers and jewelry so
resell them," says Ken Miller, PayPal's fraud control director.
PayPal froze the funds in those accounts and began to receive e-mail and
calls from the perpetrators, who demanded that the funds be released.
"They were blatant," says Kothanek. "They thought we couldn't touch them
they were in Russia."
Then PayPal got a call from the FBI. The FBI had lured the suspects into
by pretending to be a technology company offering them security jobs.
Using a forensics tool kit called EnCase, Kothanek's team helped the FBI tie its case to PayPal's by using keyword and pattern searches familiar to the PayPal investigators to analyze the slack and ambient space -- where deleted
until overwritten -- on a mirror-image backup of the suspects' hard
"We were able to establish a link between their machine's IP address,
cards they were using in our system and the Perl scripts they were using
accounts on our system," Kothanek says.
The alleged perpetrators, Alexey Ivanov and Vassili Gorchkov, were
multiple counts of wire fraud in May. Gorchkov was convicted in September on 20 counts of wire fraud and is awaiting sentencing. Ivanov is still
The Case of Mastering the Zombies
How a systems and network examination helped the University of
a cracker out of 30 of its systems:
The calls started on July 1. Frantic administrators were asking why subnets and IP addresses from Dave Dittrich's 50,000-node network were scanning and
them with denial-of-service (DOS) packets. "We were shutting affected
off as we found them, but at one point, we had over 30 of our systems
and sending DOS attacks to over 9,000 targets," says Dittrich, senior
engineer at the University of Washington in Seattle.
Using Irvine, California-based Foundstone Inc.'s Fport scanner
team located directory and file names uncommon to the Windows operating
systems he ran on the network. The program also showed that all of the
directories and files were running communications through the same
high-level port, which was also uncommon to standard configurations.
"That tipped me off that I should be listening to network traffic to and
port, so I set up sniffers on those ports," Dittrich says.
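What the port mapper revealed was a cluster: several unfamiliar executables, in unfamiliar directories, all talking on the same high-numbered port. That is a check a defender can automate over any process-to-port listing. The script below is an added example, not code from the article, from Dittrich or from Foundstone; the listing is constructed, its column layout is an approximation of a process-to-port mapper's output rather than Fport's exact format, the process and path names are placeholders, and the baseline of expected services is an assumption.

```python
# Added example (not from the article or Foundstone): parse a constructed
# process-to-port listing and flag high ports shared by processes that are
# not part of the host's expected service baseline.
import re
from collections import defaultdict

# Constructed listing; the layout approximates a process-to-port mapper's
# table and the oddsvc* entries are placeholder names, not real malware.
LISTING = r"""
Pid   Process            Port  Proto Path
392   svchost       ->   135   TCP   C:\WINNT\system32\svchost.exe
8     System        ->   139   TCP
8     System        ->   445   TCP
1124  inetinfo      ->   80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1532  oddsvc1       ->   6667  TCP   C:\WINNT\system32\oddsvc1\oddsvc1.exe
1588  oddsvc2       ->   6667  TCP   C:\WINNT\Web\printers\images\oddsvc2.exe
1604  oddsvc3       ->   6667  TCP   C:\RECYCLER\oddsvc3.exe
"""

# Expected processes for this host (assumption; build it from a known-good
# machine of the same build rather than from the suspect host).
BASELINE = {"svchost", "system", "inetinfo"}

ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_listing(text):
    """Turn the tabular listing into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "port": int(port),
                     "proto": proto, "path": path.strip()})
    return rows


def shared_unexpected_ports(rows, baseline, min_procs=2, low_port=1023):
    """Group non-baseline processes by (port, proto) and return the groups
    on ports above `low_port` that at least `min_procs` such processes use.
    Unknown processes that all converge on one high port are the signature
    the article describes and a starting point for a packet capture."""
    by_port = defaultdict(list)
    for r in rows:
        if r["process"].lower() in baseline:
            continue
        by_port[(r["port"], r["proto"])].append(r)
    return {key: procs for key, procs in by_port.items()
            if key[0] > low_port and len(procs) >= min_procs}


if __name__ == "__main__":
    for (port, proto), procs in shared_unexpected_ports(parse_listing(LISTING), BASELINE).items():
        print(f"{proto}/{port} shared by {len(procs)} unexpected processes:")
        for r in procs:
            print(f"  pid {r['pid']:<6} {r['process']:<10} {r['path']}")
```

The output of the check is a port list, which is exactly what the next step needs: a capture filter for the sniffer that watches only the suspicious port rather than the whole subnet.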
Dittrich used a freeware sniffer called TCPDump (www.tcpdump.org), which
captured the unusual traffic going to and from Internet Relay Chat
commanding his machines to send the scans and DOS attacks. Dittrich
the compromised machines from their wall jacks and, with a team of 40
spent two weeks contacting 9,106 downstream targets, reformatting the
on compromised machines, and patching the Unicode vulnerability the
to get in.
"It takes detailed network and host forensics to determine what type of
installed on the system and how it functions," he says. "That's why I
findings to the general public: to help improve the training in
The Case of the Sneaky Engineer
How forensics examinations of many machines helped one company
intellectual property and stop the bad guy from using it again:
An engineer left a West Coast manufacturing company, which we'll call
due to pending litigation. When that same engineer turned up at Company
competitor, in September earning $10,000 more than market rate, Company
executives worried that some of their intellectual property had been
the competitor. Company A's executives filed a court motion for
then called New Technologies Inc. (NTI), a computer forensics support
training firm in Gresham, Ore.
In cases like this one, forensics rules must be strictly followed or evidence won't be accepted in court. The first rule is to not tamper with evidence, so NTI's team made a mirror image of Company A's engineering servers and the perpetrator's old computer. To do that, they used a tool called SafeBack, which captures
time-stamps the perpetrator's hard drive contents without altering the original, says Paul French, lab manager at NTI.
While NTI investigators found signs of file copying to removable media
engineer's computer at Company A, French's team couldn't find empirical
of wrongdoing there. So under a court order for discovery, the NTI team
searched the suspect's home computer.
Using another NTI file search utility called FileListPro, the NTI team
several product engineering drawings had been copied onto the home
after the engineer had left the company. (FileListPro tells when a file
created, accessed and modified.)
The engineer claimed that the clock on his computer had malfunctioned and that the drawings were copied while he was employed at Company A. But simple
told a different story. The date on a letter written in the same time
corresponded with the machine's time stamp on that letter.
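Two routine checks carried this part of the case: listing which files were created after the engineer's departure date, and testing the "broken clock" explanation against a document whose own dated contents agree with its filesystem timestamp. The script below is an added example, not code from the article or from NTI (it does not reproduce FileListPro); the file listing, the timestamps, the departure date and the tolerance are all constructed for illustration.

```python
# Added example (not from the article or NTI): filter a constructed file
# listing by creation date and test whether documents with an internal
# date agree with their filesystem timestamps.
from datetime import datetime, date


def ts(s):
    """Parse an ISO timestamp (helper for the constructed data below)."""
    return datetime.fromisoformat(s)


# Constructed listing from the home machine. internal_date is a date found
# inside the document itself (e.g. the date line of a letter); None means
# the file carries no such date.
FILES = [
    {"path": r"C:\Drawings\bracket.dwg", "created": ts("2001-07-20T14:02:00"),
     "modified": ts("2001-07-20T14:02:00"), "internal_date": None},
    {"path": r"C:\Docs\old_resume.doc", "created": ts("2001-03-02T19:30:00"),
     "modified": ts("2001-03-02T19:55:00"), "internal_date": date(2001, 3, 1)},
    {"path": r"C:\Drawings\widget_assembly.dwg", "created": ts("2001-09-14T10:12:00"),
     "modified": ts("2001-09-14T10:12:00"), "internal_date": None},
    {"path": r"C:\Drawings\housing_rev3.dwg", "created": ts("2001-09-14T10:13:00"),
     "modified": ts("2001-09-14T10:13:00"), "internal_date": None},
    {"path": r"C:\Docs\cover_letter.doc", "created": ts("2001-09-12T16:20:00"),
     "modified": ts("2001-09-12T16:40:00"), "internal_date": date(2001, 9, 12)},
]

# The article gives no dates; this departure date is constructed.
DEPARTURE = date(2001, 8, 10)


def copied_after_departure(files, departure):
    """Files whose creation timestamp falls after the departure date.
    On a copy, the destination's creation time is the time of the copy,
    which is what makes this the relevant field."""
    return [f for f in files if f["created"].date() > departure]


def clock_consistency(files, tolerance_days=1):
    """For every file with an internal date, report whether the filesystem
    modification date agrees with it to within `tolerance_days`. Agreement
    on files from the disputed period undercuts a claim that the machine's
    clock was wrong at the time."""
    report = []
    for f in files:
        if f["internal_date"] is None:
            continue
        delta = abs((f["modified"].date() - f["internal_date"]).days)
        report.append((f["path"], delta <= tolerance_days))
    return report


if __name__ == "__main__":
    for f in copied_after_departure(FILES, DEPARTURE):
        print("created after departure:", f["path"], f["created"])
    for path, ok in clock_consistency(FILES):
        print("clock consistent" if ok else "clock INCONSISTENT", path)
```

The comparison is deliberately done on the modification time rather than the creation time: a letter is typically saved after it is written, so its internal date and its last save are the pair that should agree if the clock was right.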
This was enough evidence to prompt an investigation of the engineer's
his new employer. The team found drawings that were similar to those
Company A, but with some differences. But through searches using
diagrams and the name of Company A, French says his team found an e-mail
on the engineer's new desktop that "cinched it." The e-mails, which
the engineer and his girlfriend, detailed their mutual possession of the
question. One written by the engineer said that the investigators
wouldn't be able to tie anything back to them. And another, written by
the girlfriend, asked the engineer what he wanted her to do with the
drawings he'd sent her.
The result: "a court injunction against this engineer and his company
products based off our client's intellectual property," French says. "If
they do come out with a widget too similar in design, they'll slap them
with criminal charges."