Introduction
You have probably heard more than once stories about how law enforcement officers, having burst into the apartment of another failed hacker, detain, invite attesting witnesses, draw up a protocol, seal and take the hacker's workstation with them for examination. Many even laugh at the competence of our employees of the "K" department, citing as evidence only the fact that often, together with the system unit, the police officers take both the keyboard and the monitor. This can be answered by the fact that ordinary police officers confiscate the equipment, often having a distant idea of computers, and, as a rule, in addition to delivering the hacker's computer to the department for examination, they still have a bunch of unsolved cases - so that to stand on ceremony with some piece of iron they just needlessly. The Russian mentality works: "We will take everything - and then they will figure it out." Everyone has heard about this whole process, but not everyone knows what happens next at that very examination, by the same "incompetent" specialist. This article will consider one of the aspects of the work of an expert in obtaining the necessary information, which can later be attached to a criminal case, and be used against a hacker in court.
Situation
August 5, 2005, at 8.25 am an employee of the design department of the largest Volgograd construction company "Volgo-Stroy" Krasnokutskiy M.Yu. I just finished my project of a new nine-storey building in the center of Volgograd and decided to upload all the data to the company's information server provided by Volgo-Host. But he could not - the error message read: “The free space limit has been reached. Please contact your system administrator. ”Which Krasnokutskiy did by immediately calling DI Ivanov, who worked as a system administrator at Volgo-Stroy.
But to Krasnokutsky's surprise, their system administrator was not there - the answering machine in his office squeaked: “I went to Turkey on vacation. I'll be there in 2 weeks. " After a request was sent to Volgo-Host about the lack of free space and a response was later received - the director of the company was horrified to learn that more than 300 GB of music, recently released films and programs were found on their server in the folder of their system administrator. as well as child pornography. The company was charged with illegal possession of pirated products and a criminal case was opened. The investigation was transferred to one of the "N" divisions.
Investigation
Any investigation begins with "getting to know" the suspects. In our case, the main suspect is the Volgo-Stroy system administrator Ivanov. The expert will have to establish his social circle, occupation and interests. Often, the starting point in an investigation is the environment where the suspect spends most of his time, and for us it is the Internet itself. When examining a suspect's Internet activity, an expert first of all examines the history and cache of browsers. On Ivanov's machine, Internet Explorer (IE) and Mozilla FireFox (FF) were installed. The expert decided to investigate IE.
Microsoft's Internet Explorer (IE)
This browser is installed by default in all windows systems. IE caches by default (saves the content of web pages you view to your hard drive to prevent them from reloading). The cache for each user is stored in a separate profile at:
C: \ Documents and Settings \ ivanov \ Local Settings \ Temporary Internet Files \ Content.IE5 \
Inside the \ Content.IE5 directory there are additional folders with "randomly" generated names, which are stored information about visiting a particular web resource. In addition to the cache, there are two additional stores of information about user activity. This is History, where the URL and the date it was visited is stored. History is stored at: C: \ Documents and Settings \ ivanov \ Local Settings \ History \ History.IE5 \
Also, the browser saves cookies received by the user, containing additional information. C: \ Documents and Settings \ ivanov \ Cookies \ The
expert conducting the analysis will check all three directories, but often the cache store is the most valuable information. Inside the \ Content.IE5 directory there is an index.dat file, which contains the information we are interested in. After decrypting it, we will be able to view the same pages as Ivanov. And following from this, it will already be possible to form the first idea of the suspect. The index.dat file is encrypted using a special algorithm developed by Microsoft.
Mozilla FireFox (FF) The
second browser installed on Ivanov's system was Mozilla FireFox. It also stores information about the user's Internet activity like IE.
It should be said that FF uses a special page caching algorithm. The directory where the information of interest is directly stored: C: \ Documents and Settings \ <user> \ Application Data \ Mozilla \ FireFox \ Profiles \ <random text> \ Cache
For both types of browsers, the process of reconstructing cached files is the main task of an expert. For this purpose, there are a number of programs that analyze the index.dat and history.dat files and extract all the most useful information from there. After completing the reconstruction of the web pages, the expert will begin to analyze the information he has obtained.
Reconstruction and subsequent analysis
You can use the Web Historian or FTK utility to reconstruct cached files. The main feature of these programs is that they support the following browsers: Internet Explorer, Mozilla FireFox, Netscape, Opera and allow you to provide a report, both in the form of a text file and in html. After the final report is received, all the fun begins. The expert now faces a difficult task from the whole heap of pages to filter out and consider those that are directly related to this case.
Analysis of the data obtained during the reconstruction of the cache in IE
Among the hundreds of pages saved by the browser, the investigator was able to identify the following, rather interesting points:
1) System administrator Ivanov, used the free hotmail mail and had an account
[email protected] . Having opened the page from the cache - the investigator saw the inbox folder of his mailbox - no letters "interesting" for the investigation were found.
2) Ivanov visited the online store ozone.ru and made requests for literature suitable for the "Hacking" category.
3) I had accounts on various security forums. But he was not very active. By the number of posts, one could say that he preferred to read the posts of others and not participate in discussions. By the topics he looked at, he was most interested in the networking aspects.
4) The caches of the pages of the sites for cracking were found. Basically, Ivanov made requests for rare software, most likely, therefore, there were no results for his requests.
5) By viewing the pages of Yandex, Ivanov, recently, was looking for information about Turkey: attractions, hotels, rest.
6) He had an account on a paid porn server.
In addition to this information, the investigator also had the exact date of visiting a particular page. The first stage of the cache research was completed, but there was still not enough information to draw at least some conclusions about Ivanov's personality.
Analysis of data obtained by reconstruction of the cache in FF
When working with the FF cache, the Cache View program was used. The size of the cached files was much smaller than in the case of IE, apparently Ivanov preferred it to FF. The relatively small volume of pages allowed the investigator to familiarize himself with the available information in more detail. As a result, two key points were identified:
1) The forum page of one of the mortise portals was discovered. Moreover, the branch for the administration was viewed.
2) Another hotmail page was also found, but only the logged in user was not ivanov1975. Someone Dmitry, who had an account [email protected], received a letter from a person [email protected] . Examining the contents of the letter saved in the cache dotted the i's.
B forwarded to Dmitry the login and password of the system administrator Ivanov and the details of the account that was required to be created.
Using the information obtained in further investigation
The next day, all employees were interviewed at the Volgo-Stroy office and, based on their responses, it was established that: Dmitry was a student who took a job at the company not long before Ivanov's vacation. The place of residence of Dmitry was established.
In compiling his conclusion, the investigator took into account all the information obtained from Ivanov's computer. An analysis of Dmitry's hard drive and a thorough study of the cache, browser history, logs of his ICQ, deleted files, and additional information confirmed Dmitry's involvement in the crime, and also additionally established his involvement in the madwarez.com group, which used the server of Volgo-Stroy »As a repository of prohibited information. To gain access to which the hackers needed to know not only the administrator's login and password, but also to have physical access to Ivanov's computer, since for authorization on the server, a special key file with distributed privileges was needed, which was located only on the administrator's hard drive.
All the information obtained from both computers was added to the case. After that, the verdict was read out to Dmitry.
In conclusion
All events described in this article are fictional. Any coincidence of names and company names is inadvertent. The only task that stood before me, while writing this text, was to show you that seemingly such insignificant things as a cache can give support to investigators for further actions. Nowadays, especially in the Russian segment, there is a belief that such information cannot be used as evidence or even disclosed in court proceedings. You may be right, and the corresponding law has not yet been signed, but I am more than sure that its time is rapidly approaching.
While living in the United States, I had the opportunity to talk with an IT crime investigator. It was she who told me about some methods of identifying information of interest to the investigation. To my surprised question: "And that all this is evidence and can be considered in court?" Kate smiled and calmly replied: "Is it different in your country?"
The only and necessary conclusion from all of the above is that you need to take much more seriously the information that is created without your knowledge, to those things that everyone is so used to, and no one raises the question of their reliability.
PS This article was just edited by me.
You have probably heard more than once stories about how law enforcement officers, having burst into the apartment of another failed hacker, detain, invite attesting witnesses, draw up a protocol, seal and take the hacker's workstation with them for examination. Many even laugh at the competence of our employees of the "K" department, citing as evidence only the fact that often, together with the system unit, the police officers take both the keyboard and the monitor. This can be answered by the fact that ordinary police officers confiscate the equipment, often having a distant idea of computers, and, as a rule, in addition to delivering the hacker's computer to the department for examination, they still have a bunch of unsolved cases - so that to stand on ceremony with some piece of iron they just needlessly. The Russian mentality works: "We will take everything - and then they will figure it out." Everyone has heard about this whole process, but not everyone knows what happens next at that very examination, by the same "incompetent" specialist. This article will consider one of the aspects of the work of an expert in obtaining the necessary information, which can later be attached to a criminal case, and be used against a hacker in court.
Situation
August 5, 2005, at 8.25 am an employee of the design department of the largest Volgograd construction company "Volgo-Stroy" Krasnokutskiy M.Yu. I just finished my project of a new nine-storey building in the center of Volgograd and decided to upload all the data to the company's information server provided by Volgo-Host. But he could not - the error message read: “The free space limit has been reached. Please contact your system administrator. ”Which Krasnokutskiy did by immediately calling DI Ivanov, who worked as a system administrator at Volgo-Stroy.
But to Krasnokutsky's surprise, their system administrator was not there - the answering machine in his office squeaked: “I went to Turkey on vacation. I'll be there in 2 weeks. " After a request was sent to Volgo-Host about the lack of free space and a response was later received - the director of the company was horrified to learn that more than 300 GB of music, recently released films and programs were found on their server in the folder of their system administrator. as well as child pornography. The company was charged with illegal possession of pirated products and a criminal case was opened. The investigation was transferred to one of the "N" divisions.
Investigation
Any investigation begins with "getting to know" the suspects. In our case, the main suspect is the Volgo-Stroy system administrator Ivanov. The expert will have to establish his social circle, occupation and interests. Often, the starting point in an investigation is the environment where the suspect spends most of his time, and for us it is the Internet itself. When examining a suspect's Internet activity, an expert first of all examines the history and cache of browsers. On Ivanov's machine, Internet Explorer (IE) and Mozilla FireFox (FF) were installed. The expert decided to investigate IE.
Microsoft's Internet Explorer (IE)
This browser is installed by default in all windows systems. IE caches by default (saves the content of web pages you view to your hard drive to prevent them from reloading). The cache for each user is stored in a separate profile at:
C: \ Documents and Settings \ ivanov \ Local Settings \ Temporary Internet Files \ Content.IE5 \
Inside the \ Content.IE5 directory there are additional folders with "randomly" generated names, which are stored information about visiting a particular web resource. In addition to the cache, there are two additional stores of information about user activity. This is History, where the URL and the date it was visited is stored. History is stored at: C: \ Documents and Settings \ ivanov \ Local Settings \ History \ History.IE5 \
Also, the browser saves cookies received by the user, containing additional information. C: \ Documents and Settings \ ivanov \ Cookies \ The
expert conducting the analysis will check all three directories, but often the cache store is the most valuable information. Inside the \ Content.IE5 directory there is an index.dat file, which contains the information we are interested in. After decrypting it, we will be able to view the same pages as Ivanov. And following from this, it will already be possible to form the first idea of the suspect. The index.dat file is encrypted using a special algorithm developed by Microsoft.
Mozilla FireFox (FF) The
second browser installed on Ivanov's system was Mozilla FireFox. It also stores information about the user's Internet activity like IE.
It should be said that FF uses a special page caching algorithm. The directory where the information of interest is directly stored: C: \ Documents and Settings \ <user> \ Application Data \ Mozilla \ FireFox \ Profiles \ <random text> \ Cache
For both types of browsers, the process of reconstructing cached files is the main task of an expert. For this purpose, there are a number of programs that analyze the index.dat and history.dat files and extract all the most useful information from there. After completing the reconstruction of the web pages, the expert will begin to analyze the information he has obtained.
Reconstruction and subsequent analysis
You can use the Web Historian or FTK utility to reconstruct cached files. The main feature of these programs is that they support the following browsers: Internet Explorer, Mozilla FireFox, Netscape, Opera and allow you to provide a report, both in the form of a text file and in html. After the final report is received, all the fun begins. The expert now faces a difficult task from the whole heap of pages to filter out and consider those that are directly related to this case.
Analysis of the data obtained during the reconstruction of the cache in IE
Among the hundreds of pages saved by the browser, the investigator was able to identify the following, rather interesting points:
1) System administrator Ivanov, used the free hotmail mail and had an account
[email protected] . Having opened the page from the cache - the investigator saw the inbox folder of his mailbox - no letters "interesting" for the investigation were found.
2) Ivanov visited the online store ozone.ru and made requests for literature suitable for the "Hacking" category.
3) I had accounts on various security forums. But he was not very active. By the number of posts, one could say that he preferred to read the posts of others and not participate in discussions. By the topics he looked at, he was most interested in the networking aspects.
4) The caches of the pages of the sites for cracking were found. Basically, Ivanov made requests for rare software, most likely, therefore, there were no results for his requests.
5) By viewing the pages of Yandex, Ivanov, recently, was looking for information about Turkey: attractions, hotels, rest.
6) He had an account on a paid porn server.
In addition to this information, the investigator also had the exact date of visiting a particular page. The first stage of the cache research was completed, but there was still not enough information to draw at least some conclusions about Ivanov's personality.
Analysis of data obtained by reconstruction of the cache in FF
When working with the FF cache, the Cache View program was used. The size of the cached files was much smaller than in the case of IE, apparently Ivanov preferred it to FF. The relatively small volume of pages allowed the investigator to familiarize himself with the available information in more detail. As a result, two key points were identified:
1) The forum page of one of the mortise portals was discovered. Moreover, the branch for the administration was viewed.
2) Another hotmail page was also found, but only the logged in user was not ivanov1975. Someone Dmitry, who had an account [email protected], received a letter from a person [email protected] . Examining the contents of the letter saved in the cache dotted the i's.
B forwarded to Dmitry the login and password of the system administrator Ivanov and the details of the account that was required to be created.
Using the information obtained in further investigation
The next day, all employees were interviewed at the Volgo-Stroy office and, based on their responses, it was established that: Dmitry was a student who took a job at the company not long before Ivanov's vacation. The place of residence of Dmitry was established.
In compiling his conclusion, the investigator took into account all the information obtained from Ivanov's computer. An analysis of Dmitry's hard drive and a thorough study of the cache, browser history, logs of his ICQ, deleted files, and additional information confirmed Dmitry's involvement in the crime, and also additionally established his involvement in the madwarez.com group, which used the server of Volgo-Stroy »As a repository of prohibited information. To gain access to which the hackers needed to know not only the administrator's login and password, but also to have physical access to Ivanov's computer, since for authorization on the server, a special key file with distributed privileges was needed, which was located only on the administrator's hard drive.
All the information obtained from both computers was added to the case. After that, the verdict was read out to Dmitry.
In conclusion
All events described in this article are fictional. Any coincidence of names and company names is inadvertent. The only task that stood before me, while writing this text, was to show you that seemingly such insignificant things as a cache can give support to investigators for further actions. Nowadays, especially in the Russian segment, there is a belief that such information cannot be used as evidence or even disclosed in court proceedings. You may be right, and the corresponding law has not yet been signed, but I am more than sure that its time is rapidly approaching.
While living in the United States, I had the opportunity to talk with an IT crime investigator. It was she who told me about some methods of identifying information of interest to the investigation. To my surprised question: "And that all this is evidence and can be considered in court?" Kate smiled and calmly replied: "Is it different in your country?"
The only and necessary conclusion from all of the above is that you need to take much more seriously the information that is created without your knowledge, to those things that everyone is so used to, and no one raises the question of their reliability.
PS This article was just edited by me.
