forensics bulletin - ccfis · 2014-10-15 · deleted form database of both original and backup...

Forensics Bulletin June 2014 | Volume - 3



Index

02  Executive summary
03  eProtect: Online complaint portal
05  WhatsApp forensics: Recovering & decrypting deleted conversations
07  Biometric fraud: Employee attendance system fraud & RFID trick
10  Encrypted document malware: Malware that encrypts your documents
13  Intelligence gathering: Tracking Pakistan Haxor Crew
15  About us

Executive summary

In this issue we would like to take our readers a step ahead, from cyber security to cyber and digital forensics. In this high-tech world a variety of computer crimes take place, on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or information for which the crime has been committed, so computer forensics has become a vital part of our corporate world.

The golden days are gone when criminals used only guns and other offensive equipment to commit a crime. Nowadays a mobile phone is used to connect lives and run businesses, and the same mobile is used to commit crimes; hence it is next to impossible to predict who the actual criminal is when everyone is carrying a weapon, i.e. a phone, in their pocket. Someone carrying an unauthorized gun can be declared a criminal, but what if billions of people are carrying the same digital weapons in their pockets?

We at CCFIS have faced and solved several forensics cases that cannot be solved by traditional pre-defined forensics technologies and protocols. Sometimes forensics is more a matter of research and behavioral analysis.

“Believe it or not, but we all have committed some cyber-crimes, intentionally or by mistake”

eProtect: Online complaint portal

Most of the time we don’t want to share a cybercrime that happened to us with anyone, and that is why such cases remain unsolved and the culprits are encouraged to repeat them. To maintain anonymity and to resolve these cases we started eProtect, initially for the students and staff of Amity Education Group.

eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case, ranging from a cyber-harassment incident on social media to online fraud. Once a complaint is registered, the CCFIS incident response team is notified and acts to resolve it in the minimum possible time.

Type             | Modus Operandi                                                                                | Incident Frequency (Past 6 Months)
-----------------|-----------------------------------------------------------------------------------------------|-----------------------------------
Harassing        | Text, IMs, Emails & Posts                                                                     | 4
Impersonation    | Fake profiles, Posing as someone else                                                         | 14
Anonymous Emails | Dummy mail IDs, Proxy Servers, Hijacked Email Accounts                                        | 6
Data Recovery    | Virus Infection, Power Surges, Ransomware, Accidental Deletion/Format                         | 28
Corporate Cases  | Embezzlements, Payroll Frauds, Employee activity monitoring, Data Theft, Unauthorized access  | 7

WhatsApp forensics: Recovering & decrypting deleted conversations

WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. Most of us use WhatsApp to communicate with our loved ones.

We recently seized a mobile during an investigation. On further analysis of the mobile, we found that all conversations had already been deleted by the user. But WhatsApp creates a database of all conversations, and those files still reside inside the mobile even after the conversations are deleted. We initially tried to recover the messages from that database, but the user had been smart enough to delete the databases too.

Finally, we tried a mobile data recovery procedure and attempted to recover the WhatsApp database. After all our efforts the databases were recovered, but in an encrypted state. At the final stage our research and development team was able to understand the encryption methodology and developed in-house tools to decrypt those messages.

Biometric fraud: Employee attendance system fraud & RFID trick

Biometric attendance devices are used in almost all offices. Every morning we punch our card and fingerprint before starting work, and repeat the same every day. But what if the data of these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model. Whenever an RFID-enabled card is punched along with a fingerprint, the device compares the data with the original database and authenticates the user. Once the user is verified, a database entry is made in the ERP system recording that the particular user punched at a particular timestamp.

Recently we resolved a biometric fraud case in which none of the traditional forensics methodologies worked. Every day over 800 employees were using that biometric attendance system before starting their work. The data from all 10 biometric devices was saved in one central database, and from there it was taken into the organization’s ERP and to other departments like HR and accounts. System administrators had created rules to take automated regular backups of every day’s database.

The fraud came to the knowledge of management when an employee was called for a meeting and didn’t show up; it was mentioned that the employee was not in the office, yet the employee was marked present in the biometric attendance system and everything was normal in the ERP as well as in all databases. The biometric device vendor was called in and checked all biometric devices by taking hundreds of samples, but everything was normal.

Management later decided to have a forensic investigation of this issue, and the case was handed over to the CCFIS team for further analysis. Initially we tested all biometric devices and found that everything was normal. Then we started comparing the original and backup databases manually, and the data was the same everywhere. We also found that a few database entries had been deleted from both the original and the backup database. After recovering those deleted entries, we realized that an administrator who was in a close relationship with the employee had created several SQL scripts to manipulate both the original and the backup database. The issue was resolved, management was informed and the employee was fired.
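As an added example that is not part of the bulletin: a three-way reconciliation of the central attendance table, its nightly backup and the readers' own punch records, plus a keyed daily digest held by someone other than the database administrator. The device-side records, the custodian key and all punch data are constructed assumptions; the bulletin only states that the original and backup databases were edited by SQL scripts.

```python
import hashlib
import hmac

# Constructed sample punches as (employee_id, device_id, timestamp).
DEVICE_LOG = [  # read back from the readers' own memory (an assumption)
    ("E101", 3, "2014-05-12 09:02:11"),
    ("E102", 3, "2014-05-12 09:04:40"),
    ("E103", 7, "2014-05-12 09:10:05"),
]
CENTRAL = [  # central attendance table as found on the server
    ("E101", 3, "2014-05-12 09:02:11"),
    ("E102", 3, "2014-05-12 09:04:40"),
    ("E104", 7, "2014-05-12 09:07:30"),  # no reader ever recorded this punch
]
BACKUP = list(CENTRAL)  # nightly backup, edited by the same SQL script


def reconcile(device_log, central, backup):
    """Three-way comparison. Central vs backup finds nothing when the same
    person edited both; only an independent record exposes the changes."""
    dev, cen, bak = set(device_log), set(central), set(backup)
    return {
        "central_vs_backup": sorted(cen ^ bak),  # empty here: both were edited
        "injected": sorted(cen - dev),           # in the table, never punched
        "deleted": sorted(dev - cen),            # punched, removed from table
    }


def daily_digest(rows, key):
    """HMAC over the day's sorted punches, sent to a custodian who is not the
    database administrator (a constructed control, not from the bulletin)."""
    canon = "\n".join("|".join(map(str, r)) for r in sorted(rows)).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def digest_matches(rows, key, recorded):
    """True only if the rows still match the digest taken before any edit."""
    return hmac.compare_digest(daily_digest(rows, key), recorded)


if __name__ == "__main__":
    print(reconcile(DEVICE_LOG, CENTRAL, BACKUP))
    key = b"custodian-key (constructed)"
    stored = daily_digest(DEVICE_LOG, key)        # taken before any editing
    print(digest_matches(CENTRAL, key, stored))   # False: the table was changed
```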

We thought that this was the end of the investigation. But the problem started again when, one busy day, a biometric device stopped working and all employees were standing in line to punch their cards, causing chaos. Again the vendor was called; they checked everything and blamed the CCFIS forensics team, claiming that CCFIS had done something to these devices. The CCFIS team visited the premises again to investigate the issue.

After investigation, we found that a small sticker-based RFID chip had been pasted on the side of the biometric device. So whenever anyone tried to punch their card, the device didn’t respond, as it was busy reading the hidden RFID sticker on the side of the device, which was so small that nobody suspected it.

After removing this RFID sticker, everything was normal as before and the system started reading and processing all the cards. Unfortunately these stickers are available at a very low price and anyone can purchase them. Even a few mobiles come with a free RFID sticker to customize according to the user's needs.

Encrypted document malware: Malware that encrypts your documents

We all know about the CryptoLocker malware, which encrypts all documents on an infected system. The Trojan encrypts data on the affected computer, switching the extensions of affected files to .cryptolocker afterwards. It uses a weaker encryption method than the original, so it’s possible experts may be able to regain access to the locked files, but this won’t be an option for most infected users.

We recently handled and solved a case of a server infected by CryptoLocker. The user’s entire server was infected and all documents hosted on the site were corrupted. Even the document files hosted on the company’s website and FTP server were infected, and the infected documents started spreading internally through FTP and to the outside world through the company’s website. Every time the administrator tried to decrypt a document, an alert was generated and the application demanded money to decrypt the files. The following were the reasons why the server was infected:

- The administrator was visiting malicious sites to download torrents and other material on the server.
- The administrator had not installed an ad-blocker to block malicious advertisements.
- The administrator clicked on some lucrative ads of interest to him and followed the instructions.

CryptoLocker can infect not only servers but your systems too; recently, in a blog post, the virus coders mentioned that they are already working on the development of CryptoLocker for Android and other handheld devices.

In order to resolve this case, we tried many different traditional techniques. But as this version of CryptoLocker was working on some different protocols, none of them worked. Later on we realized that the original files had been deleted by this tool and a duplicate file of the same name with a .cryptolocker extension had been created for every document hosted on the server. So even if the administrator had paid the amount to the tool, he might not have got the original documents back.
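As an added example (not the tooling used in the case): a triage script that lists every *.cryptolocker file, checks whether the original of the same name still sits beside it (the bulletin's sample deleted the original and wrote a separate locked copy) and measures each locked copy's byte entropy so a merely renamed file is not mistaken for an encrypted one. The directory layout and file contents are constructed.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".cryptolocker"


def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8, a renamed plain file far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root):
    """For every <name>.cryptolocker under root, record whether <name> is
    still beside it and how random the locked copy looks. In the bulletin's
    case the original was deleted and a separate locked file written, so
    entries with original_missing=True are the undelete candidates."""
    report = {}
    for p in sorted(Path(root).rglob("*" + LOCKED_EXT)):
        original = p.with_name(p.name[: -len(LOCKED_EXT)])
        report[str(p.relative_to(root))] = {
            "original_missing": not original.exists(),
            "entropy": round(shannon_entropy(p.read_bytes()), 2),
        }
    return report


def build_sample():
    """Constructed directory for the demo; not evidence from the case."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    # original gone, only the locked copy left (the pattern seen in the case)
    (root / "docs" / ("tender.pdf" + LOCKED_EXT)).write_bytes(os.urandom(4096))
    (root / "docs" / "notes.txt").write_text("never touched")
    # original survived and the 'locked' copy is just a renamed plain file
    (root / "readme.doc").write_text("original survived")
    (root / ("readme.doc" + LOCKED_EXT)).write_bytes(b"A" * 4096)
    return root


if __name__ == "__main__":
    for name, info in triage(build_sample()).items():
        print(name, info)
```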

Page 13: Forensics Bulletin - CCFIS · 2014-10-15 · deleted form database of both original and backup database. After recovering those deleted database, we realized that administrator who

Our forensics team started data recovery of the deleted files, and since the hard disk was in good condition, all original documents were recovered. Unfortunately the administrator had to format his server, but the documents were recovered.

The same thing can happen to any of us, and in most cases tools like CryptoLocker demand some money to unlock the documents. Most of us think that the amount the tool is asking is much less than the cost and importance of the documents, and the user pays the money. But as these tools are not from trustworthy sources, it should not be assumed that even after paying the amount the user will get all his documents back. The same scenario happened with the administrator of this company.

The following are some recommendations to avoid these types of malware or ransomware:

- Instead of using Internet Explorer as your default browser, use Chrome or Firefox. If your company policy forces you to use Internet Explorer, then use the latest updated version of Internet Explorer.
- Avoid clicking on lucrative advertisements. For better security you can install an ad-block plugin in your browser.
- Install genuine anti-virus software and keep it updated to avoid these types of malware.

Also, no matter how secure your computer is, if you are not aware then you cannot stop these types of malware from infecting your computers, as there is always a cat-and-mouse game between malware and anti-virus.

Intelligence gathering: Tracking Pakistan Haxor Crew

Intelligence is what we all need to run our business effectively. But in our case intelligence gathering helped us resolve one major controversial website hacking case.

Recently a site was hacked and the attack was claimed by a hacktivist group called Pakistan Haxor Crew. This case was brought to us for further investigation. Initially we started analyzing server logs and retrieved a number of IPs through which the site received XSS, SQL injection, null byte, brute-force and many more active attacks intended to take down the site. Later, after analyzing and tracing the IPs, we came to know that all the IPs were fake: the attacker had used multiple proxies and the Tor anonymising software to perform these attacks. So we were not able to trace the actual culprit with the data provided.
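As an added example (not the CCFIS team's tooling): a small classifier that walks Apache-style access-log lines, URL-decodes each request and tallies per source IP the attack classes the bulletin names (XSS, SQL injection, null byte, brute force). The log lines, signatures and threshold are constructed; as the text notes, the tallied IPs may be proxy or Tor exits rather than the attacker.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format log lines; not the logs from the case.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:10:01:02 +0530] "GET /news.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla"
203.0.113.7 - - [10/Jun/2014:10:01:05 +0530] "GET /news.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20admin HTTP/1.1" 500 0 "-" "Mozilla"
198.51.100.9 - - [10/Jun/2014:10:02:11 +0530] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 301 "-" "Mozilla"
198.51.100.9 - - [10/Jun/2014:10:02:20 +0530] "GET /download.php?f=../../etc/passwd%00.pdf HTTP/1.1" 404 0 "-" "Mozilla"
192.0.2.44 - - [10/Jun/2014:10:03:01 +0530] "POST /admin/login.php HTTP/1.1" 401 0 "-" "curl"
192.0.2.44 - - [10/Jun/2014:10:03:02 +0530] "POST /admin/login.php HTTP/1.1" 401 0 "-" "curl"
192.0.2.44 - - [10/Jun/2014:10:03:03 +0530] "POST /admin/login.php HTTP/1.1" 401 0 "-" "curl"
192.0.2.44 - - [10/Jun/2014:10:03:04 +0530] "POST /admin/login.php HTTP/1.1" 401 0 "-" "curl"
192.0.2.44 - - [10/Jun/2014:10:03:05 +0530] "POST /admin/login.php HTTP/1.1" 401 0 "-" "curl"
"""

# client ip, method, path and status from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SIGNATURES = {  # matched against the URL-decoded request path
    "sqli": re.compile(r"(?i)('\s*or\s+\d+=\d+|union\s+select)"),
    "xss": re.compile(r"(?i)(<script|onerror\s*=|javascript:)"),
    "nullbyte": re.compile(r"\x00"),
}
BRUTE_THRESHOLD = 5  # rejected logins from one IP before it counts as brute force


def classify(log_text):
    """Return {ip: {attack_class: count}} for every line that matched."""
    hits = defaultdict(Counter)
    failed_logins = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        decoded = unquote(path)  # %27 -> ', %3C -> <, %00 -> NUL
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits[ip][name] += 1
        if method == "POST" and path.endswith("login.php") and status == "401":
            failed_logins[ip] += 1
    for ip, n in failed_logins.items():
        if n >= BRUTE_THRESHOLD:
            hits[ip]["bruteforce"] = n
    return {ip: dict(c) for ip, c in hits.items()}
```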

Page 15: Forensics Bulletin - CCFIS · 2014-10-15 · deleted form database of both original and backup database. After recovering those deleted database, we realized that administrator who

After a few hours, we started looking for Pakistan Haxor Crew on different blogs and underground communities. We were able to gather complete intelligence about all the crew members: their Facebook profiles, their websites and blogs, sites hacked by them, their future targets, and every possible detail they had on the internet.

With this data we were able to locate all the team members, and the case was resolved by tracing the IPs of their personal email IDs and Facebook logins.

About us

We at Amity Innovation Incubator have established a research lab, the “Center for Cyber Forensics and Information Security”. CCFIS (www.ccfis.net) is founded on the core belief that cyber security is a growing concern worldwide, hence it is necessary to secure and protect our country and national technology infrastructure to safeguard the future of our country and hence its citizens.

CCFIS is a research organization and part of Amity Education Group, which is India's leading education group, having 1,00,000 students, 5 universities and many Indian and global campuses. We intend to create a research collaboration forum so that the internet community can fight together against cyber crimes.

Noida Office: Amity Innovation Incubator, Block E-3, 1st Floor, Amity University, Sector-125 Noida, UP-201301, India, Email Id: [email protected], Phone no: +91-120-4659156

Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India

Disclaimer—This report was prepared as an account of work done by CCFIS research and analysis wing. Neither the CCFIS, nor any of their employees, nor any of their contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.

© Center for Cyber Forensics & Information Security