<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>forensicsblog.net</title>
	<atom:link href="http://www.forensicsblog.net/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.forensicsblog.net</link>
	<description>IT forensics &#38; security</description>
	<lastBuildDate>Thu, 23 Apr 2009 08:22:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<!-- podcast_generator="podPress/8.8" - maintenance_release="8.8.4" -->
		<copyright>Copyright &#xA9; forensicsblog.net 2010 </copyright>
		<managingEditor>admin@forensicsblog.net (forensicsblog.net)</managingEditor>
		<webMaster>admin@forensicsblog.net (forensicsblog.net)</webMaster>
		<category>posts</category>
		<itunes:keywords></itunes:keywords>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary>IT forensics &amp; security</itunes:summary>
		<itunes:author>forensicsblog.net</itunes:author>
		<itunes:category text="Society &amp; Culture"/>
		<itunes:owner>
			<itunes:name>forensicsblog.net</itunes:name>
			<itunes:email>admin@forensicsblog.net</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://www.forensicsblog.net/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<image>
			<url>http://www.forensicsblog.net/wp-content/plugins/podpress/images/powered_by_podpress.jpg</url>
			<title>forensicsblog.net</title>
			<link>http://www.forensicsblog.net</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>The very strange story of an old mobile phone</title>
		<link>http://www.forensicsblog.net/?p=120</link>
		<comments>http://www.forensicsblog.net/?p=120#comments</comments>
		<pubDate>Wed, 22 Apr 2009 10:50:50 +0000</pubDate>
		<dc:creator>contributor</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=120</guid>
		<description><![CDATA[It is spreading like a small slumbering fire over the internet: Criminals pay big money for your old Nokia 1100 mobile phone. They only seem to be interested in Nokia 1100’s from 2001 or 2002 and they have to be manufactured in Germany (to be more precise: from Bochum). The news was released by the [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">It is spreading like a small slumbering fire over the internet: Criminals pay big money for your old Nokia 1100 mobile phone. They only seem to be interested in Nokia 1100’s from 2001 or 2002 and they have to be manufactured in Germany (to be more precise: from Bochum). The news was released by the ‘company’ UltraScan on Saturday 18 April 2009 and the original press release can be read on the <a href="http://www.ultrascan.nl/html/press_room.html#25.000%20Euro%20for%20your%208%20years%20old%20Nokia%201100" target="_blank">UltraScan website</a>. All the media coverage on the subject made me think of the following.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">The press release states that the criminals use these phones to capture SMS messages with TAN codes (one time passwords to sign an online banking transaction) of online banking systems. But it does not give any proof for these claims.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">How would this work? The attacker will need your login credentials for the online banking website and your mobile phone number. Of course the mobile phone number can for a lot of people be found on the social networks, but then they still need your credentials. They can not retrieve your mobile phone number from the online banking website, as this is – at least at the Dutch ING bank &#8211; partly obscured and can not be changed online without a letter being sent to your postal address to confirm the change. The attackers need quite some information from you before they can target you with this kind of attack. Capturing TAN codes is just a small part of the attack in that case. </span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">But let’s assume that the attacker indeed has retrieved your credentials, your mobile phone number and he is targeting you. In that case, will your own phone disconnect from the provider’s network during the attack? If so, you would most likely notice your phone being disconnected from the network, which is a nice trigger that something is going on.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">The other way is that both you and the attacker will receive the SMS message at the same time, like some sort of cloned connection. In that case it is a nice warning system when your account is being plundered, because you will receive a TAN SMS at a time when you are most likely not even using the online banking system. If you call the bank as soon as you receive the SMS, the bank should have enough time to get your money back.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">I doubt if this attack will work better than the current Man in the Middle and Man in the Browser attacks, which only need a little piece of malware installed on the victim’s PC and don’t require the difficult intelligence phase to collect the credentials and the mobile phone numbers. </span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">Well if the attack would work, how much would the criminals pay for this phone? The press release quotes the amount of 25.000 Euro’s (around 32.000 dollars), which is quite a lot for a phone even with these characteristics – you would need to be able to finish quite a lot of successful transactions to even get your investment back, let alone make some money. What kind of things could you do with 25.000 Euro’s? Well for starters you could build your own hardware which mimics the hardware from the Nokia 1100. If it is just for stealing SMS messages from other people it doesn’t matter if the device doesn’t look like a phone. Criminals are smarter than to hunt down old mobiles if they can build the hardware themselves. So why didn’t they build the hardware themselves? Possibly because it needs to be a phone, not some SMS receiver. But why does it need to be a phone?</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">One of the people leaving a comment on this subject on the Engadget website is <em><span style="font-family: Arial;"><a href="http://www.engadget.com/2009/04/21/nokia-1100-seemingly-hackable-making-a-big-comeback/comments/18441171/" target="_blank">Paul Prijs</a></span></em>. Paul explains that the phones can be used to send out SMS messages to someone else using the same provider; the provider then does not keep records of where the SMS has been sent to. This is of course highly useful for criminals: they can communicate by SMS without traces. That is worth something, isn’t it? They are not going to walk around with some home-made device for this, so it needs to be the Nokia 1100. Of course until someone finds a way to modify any phone to do this.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">I hope UltraScan is wrong, but if they are right we have much worse problems than criminals trying to snoop our TAN codes. If the story would be true then it doesn’t mean that the attackers can only steal TAN codes by SMS but that the whole SMS system has been broken. Since this is a problem with an old phone it seems that it cannot be solved from the provider’s point of view. Or it can and they just don’t seem to bother to fix it. </span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">In that case from this day on we can not trust SMS anymore. All your SMS messages to your loved one, all your SMS messages with passwords or any SMS you could think of can be read by another. But on the other side, I just looked through my SMS messages and overall they are actually pretty boring, who would want to read those anyways.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">On the topic of UltraScan I could probably write another long blog post, which I won’t at this moment. The Dutch-based ‘company’ however does not have a Dutch Chamber of Commerce registration and therefore is not a real company. Despite having cool flowcharts containing all the different parts of the ‘company’ and claims of more than 3000 informants on their websites, the only person that ever surfaced to the outside world is Frank Engelsman. You might just think that it is just a big one man show.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;" lang="EN-GB">I wouldn’t dare to say that Frank Engelsman has great delusions. But people could think that, and you can’t blame them.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=120</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Will web 2.0 pose a &#8220;threat&#8221; to conventional forensics?</title>
		<link>http://www.forensicsblog.net/?p=114</link>
		<comments>http://www.forensicsblog.net/?p=114#comments</comments>
		<pubDate>Sat, 21 Feb 2009 10:46:39 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[General Forensics]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=114</guid>
		<description><![CDATA[Will the advance of web 2.0 applications impose a threat to conventional forensics? First let&#8217;s provide some examples of what I feel web 2.0 applications are in this  context, since that too is still a matter of debate. Sharing pictures with friends using Flickr, keeping in touch with those friends through MySpace, adding content to [...]]]></description>
			<content:encoded><![CDATA[<p>Will the advance of web 2.0 applications impose a threat to conventional forensics?</p>
<p>First let&#8217;s provide some examples of what I feel web 2.0 applications are in this context, since that too is still a matter of debate. Sharing pictures with friends using Flickr, keeping in touch with those friends through MySpace, adding content to Wiki pages, updating your Twitter. The list can go on and on. For the record, this is not my definition of Web 2.0, these are just some examples of a trend that I am sure will continue.</p>
<p>More and more data we produce is no longer stored on the disk in our computer, but on a network server, often far away and not always within reach or within our control. And when it is stored on our disk, often in part and quickly overwritten.</p>
<p>We see this trend also in webmail.  Five years ago it was not uncommon to track entire Hotmail correspondence on disk, each opened e-mail item creating digital traces on a file system. Nowadays, with the usage of Ajax for example, content is offered in a more dynamic fashion, often resulting in less footprint on a (local) disk. At least, this is what I am seeing. Perhaps my interpretation is flawed or my experience too narrow.</p>
<p>So, digital traces of our activity will be more dispersed, perhaps making it more difficult to obtain a complete (and truthful) view of one&#8217;s actions off- and online. Perhaps threat is not a good choice of words. You could also see it as an incentive to further innovate digital forensic methodology and techniques.</p>
<p>Personally I feel we need to change our way of working, or in the future we might find ourselves inadequate to keep up with investigative needs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=114</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet law (Dutch only)</title>
		<link>http://www.forensicsblog.net/?p=110</link>
		<comments>http://www.forensicsblog.net/?p=110#comments</comments>
		<pubDate>Mon, 05 Jan 2009 08:48:54 +0000</pubDate>
		<dc:creator>Jelle</dc:creator>
				<category><![CDATA[Interesting reading]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[dutch]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[linkdump]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=110</guid>
		<description><![CDATA[Just a plain old linkdump to start the new year (happy new year of course ! ). New year&#8217;s resolution: blog more ! A lot of readers will probably already know this site, but just for those few who don&#8217;t: Arnoud Engelfriet regularly blogs (in Dutch only) about law, more specifically internet/ICT law. And as [...]]]></description>
			<content:encoded><![CDATA[<p>Just a plain old linkdump to start the new year (happy new year of course <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  ! ). New year&#8217;s resolution: blog more <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  !</p>
<p>A lot of readers will probably already know this site, but just for those few who don&#8217;t: Arnoud Engelfriet regularly blogs (in Dutch only) about law, more specifically internet/ICT law. And as a new year is a good time to look back, a link to his <a href="http://blog.iusmentis.com/2008-kroniek-internetrecht/">overview of what happened in this area in 2008.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=110</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac OS X forensics website and book</title>
		<link>http://www.forensicsblog.net/?p=101</link>
		<comments>http://www.forensicsblog.net/?p=101#comments</comments>
		<pubDate>Thu, 30 Oct 2008 09:57:26 +0000</pubDate>
		<dc:creator>Jelle</dc:creator>
				<category><![CDATA[*nix]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Interesting reading]]></category>
		<category><![CDATA[mac]]></category>
		<category><![CDATA[osx]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=101</guid>
		<description><![CDATA[A lot of the forensic software, research and investigations are still about Windows software, reflecting the market share that this operating system has. However, it looks like Apple is definitely doing some good work to grab its piece of the market. When you run into one of these machines, it might give you a bit [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of the forensic software, research and investigations are still about Windows software, reflecting the market share that this operating system has. However, it looks like Apple is definitely doing some good work to grab its piece of the market.</p>
<p>When you run into one of these machines, it might give you a bit of a forensic challenge, as you have to deal with both another operating system (which is luckily Unix/BSD based) and with new hardware. Take a look at the various guides at <a href="http://www.ifixit.com/Guide/Mac/">http://www.ifixit.com/Guide/Mac/</a> to get a feeling about the number of screws you have to remove to get to a hard drive in a MacBook Pro for example&#8230;(luckily there are some other ways to create an image without removing the drive, for example <a href="http://support.apple.com/kb/HT1661">using target disk mode</a>).</p>
<p><span id="more-101"></span></p>
<p>To gain more insight into doing forensics on these machines, Ryan Kubasiak&#8217;s website <a href="http://www.macosxforensics.com/">http://www.macosxforensics.com/</a> is an excellent resource for all hardware and software related questions. The site covers not just Apple computers, but also iPhones and iPods. A few days ago, he added a forum to the website so that might be cool to check out as well.</p>
<p>He also announced the upcoming release of a new book on Macintosh Forensics, of which he is one of the co-authors. It should be available in December (Christmas present <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />  ?) and you can already pre-order it <a href="http://www.elsevierdirect.com/product.jsp?isbn=9781597492973">via Elsevier.</a></p>
<p>Finally, if you are interested in having one of these shiny machines as your own forensic workstation, check out the section on <a href="http://www.macosxforensics.com/Recommendations/Recommendations.html">the setup of your own Forensic Macintosh</a> <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=101</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quality journalism&#8230;</title>
		<link>http://www.forensicsblog.net/?p=95</link>
		<comments>http://www.forensicsblog.net/?p=95#comments</comments>
		<pubDate>Mon, 20 Oct 2008 12:39:57 +0000</pubDate>
		<dc:creator>Jelle</dc:creator>
				<category><![CDATA[Interesting reading]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[terrorism]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=95</guid>
		<description><![CDATA[Someone on the Digital Detective forum posted about an article in the Times, describing a supposed link between Muslim terrorists and child porn. Below is my reaction to his post, that I think would also fit here. Please have a read through the article before continuing. I think it&#8217;s a very suggestive article based on [...]]]></description>
			<content:encoded><![CDATA[<p>Someone on the Digital Detective forum posted about <a href="http://www.timesonline.co.uk/tol/news/uk/crime/article4959002.ece">an article in the Times</a>, describing a supposed link between Muslim terrorists and child porn. Below is my reaction to his post, that I think would also fit here. Please have a read through the article before continuing.</p>
<p><span id="more-95"></span></p>
<p>I think it&#8217;s a very suggestive article based on some vague assumptions, seemingly written to tie together the current 2 worst (perceived) sources of evil: paedophiles and terrorists (oh wait, even worse: Muslim terrorists).</p>
<p>First of all, all information is presented in very vague terms (&#8220;Times investigation&#8221;, &#8220;security services are aware of the trend&#8221;, &#8220;source confirms&#8221;). No named sources, only assumptions and suspicions, some cases that have never led to any convictions.</p>
<p>Secondly, it doesn&#8217;t make sense in a technical way: if you want to hide something, why choose the type of image that is bound to attract the attention of every police force all around the world? And why use sites that might even be blocked in a lot of countries? There are multiple other secure communication ways available. And if you want to do the fancy steganography stuff, why not use your vacation pictures and put them on your Facebook account?</p>
<p>Luckily, there are already some politicians ready to jump on the subject and give their firm comments and call for action (pfew, we can all rest assured and sleep safe at night).</p>
<p>It gets almost ridiculous at the end when they even manage to tie in the Nazis (Godwin&#8217;s Law anyone).</p>
<p>Don&#8217;t get me wrong, both child abuse and terrorism are very serious matters that need our attention and we always need to be on the lookout for new trends, but articles like this one look to me like they are only written to support someone&#8217;s hidden agenda using (IMHO) very dubious measures.</p>
<p>The comments at the newspaper&#8217;s website are worth a read as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=95</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>InPrivate Browsing; Fancy or Flawed?</title>
		<link>http://www.forensicsblog.net/?p=49</link>
		<comments>http://www.forensicsblog.net/?p=49#comments</comments>
		<pubDate>Sat, 30 Aug 2008 16:15:35 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Browsers]]></category>
		<category><![CDATA[IE8 Beta]]></category>
		<category><![CDATA[InPrivate browsing]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=49</guid>
		<description><![CDATA[For those of you that didn&#8217;t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was [...]]]></description>
			<content:encoded><![CDATA[<p>For those of you that didn&#8217;t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was new functionality called &#8220;InPrivate Browsing&#8221;.</p>
<p>Here&#8217;s what Microsoft has to say about this functionality: <em>&#8220;InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data&#8221;</em> . Ouch, when implemented right a feature like that could wreak havoc to us forensic dudes, so one could be inclined to think <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  But did Microsoft implement it correctly?</p>
<p>Initial tests we conducted show it didn&#8217;t, which is strange. Didn&#8217;t it state that this function <em>prevents</em> data from being written? Well, it doesn&#8217;t, which is good for us forensic folk, but bad for you if you trust this feature to provide you with your desired level of privacy.</p>
<p>I browsed several sites using the InPrivate function, used several search engines and to top it off logged into my online (SSL protected) banking website and transferred my monthly rent. Traces of this activity were easily recovered from the disk using both a simple Hex editor, Pasco and FTK.</p>
<p>It&#8217;s true some records are not written to the <em>index.dat</em> history file, namely the host records. This results in the user seeing an empty history overview in the browser. However, all other records related to a visit to a specific website <em>are </em>written to the <em>index.dat</em> file. Keep in mind that most websites are built up of tens of separate webpage elements, filling up the <em>index.dat</em> file quickly.</p>
<p>What&#8217;s worse, contrary to what Microsoft states, the temporary Internet files cache <em>is</em> used, files <em>are </em>written to disk but after closing the browser the cache is cleared/deleted. Not erased. Oopsss. Unless I use some sort of erase/wipe tool information on my browsing session is all there.</p>
<p>Of course it would still be fairly easy to recover the cached files using carving techniques, but one could argue that this is not something a regular user would or could do. I disagree. Just a simple Google query in search for data recovery tool yields almost 1.5 million results. We&#8217;re not talking quantum physics here.</p>
<p>Microsoft plays down the story, stating that the privacy of regular users is protected, at least against other regular users. Maybe so, but I would not rely on this feature too much until we know more.</p>
<p>On a side note: I did find information about the wire transfer (my monthly rent), which surprised me. And in case you are wondering, the traces were not part of the pagefile but located in freespace.</p>
<p>I&#8217;m not done with IE8, expect an update when I&#8217;ve had some more time to chew on this.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=49</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Forensics in space?</title>
		<link>http://www.forensicsblog.net/?p=46</link>
		<comments>http://www.forensicsblog.net/?p=46#comments</comments>
		<pubDate>Wed, 27 Aug 2008 17:42:11 +0000</pubDate>
		<dc:creator>Thijs</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Forensics]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=46</guid>
		<description><![CDATA[Two days ago the website SpaceRef.com told us &#8216;NASA Discovers Computer Virus Aboard the International Space Station&#8217;. Somehow a computer virus made it to at least one of the Space Station’s non-critical computers. This might seem like a small thing because it wasn’t an important computer. But then again, we all know how dangerous a [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: 10pt; color: #000000; font-family: Verdana;">Two days ago the website <a title="SpaceRef.com" href="http://www.spaceref.com/news/viewnews.html?id=1305" target="_blank">SpaceRef.com</a> told us &#8216;<em style="mso-bidi-font-style: normal;">NASA Discovers Computer Virus Aboard the International Space Station</em>&#8217;. Somehow a computer virus made it to at least one of the Space Station’s non-critical computers. This might seem like a small thing because it wasn’t an important computer. But then again, we all know how dangerous a space virus can be, if you have seen <em style="mso-bidi-font-style: normal;"><a href="http://www.imdb.com/title/tt0116629/" target="_blank">Independence Day</a></em> of course.</span></p>
<p><span style="font-size: 10pt; color: #000000; font-family: Verdana;">The SpaceRef website states: </span><em><span style="font-size: 10pt; font-family: Verdana; mso-bidi-font-family: Arial;">Theory is virus either in initial software load or possibly transferred from personal compact flash card.</span></em></p>
<p><span style="font-size: 10pt; color: #000000; font-family: Verdana;">Well, only a theory is not enough, is it? This sounds like a very good reason to do a full forensic investigation. Send an investigator to space, that might be quite a challenging job. </span></p>
<p><span style="font-size: 10pt; color: #000000; font-family: Verdana;">So NASA, if you are looking for a forensic investigator: Just contact us <img src='http://www.forensicsblog.net/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=46</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shortinfosec Computer Forensics Competition</title>
		<link>http://www.forensicsblog.net/?p=38</link>
		<comments>http://www.forensicsblog.net/?p=38#comments</comments>
		<pubDate>Sat, 02 Aug 2008 11:56:35 +0000</pubDate>
		<dc:creator>Thijs</dc:creator>
				<category><![CDATA[Challenges]]></category>
		<category><![CDATA[Competitions]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=38</guid>
		<description><![CDATA[Another competition! Shortinfosec is hosting a computer forensics competition. This one is about analyzing a disk image for incriminating evidence. More info can be found on: http://www.shortinfosec.net/2008/07/competition-computer-forensic.html No rewards on this one, but like stated before: Challenges are a great way to see what the status of your current knowledge is and you also might [...]]]></description>
			<content:encoded><![CDATA[<p>Another competition! <a href="http://www.shortinfosec.net/">Shortinfosec</a> is hosting a computer forensics competition. This one is about analyzing a disk image for incriminating evidence.</p>
<p>More info can be found on:<br />
<a href="http://www.shortinfosec.net/2008/07/competition-computer-forensic.html">http://www.shortinfosec.net/2008/07/competition-computer-forensic.html</a></p>
<p>No rewards on this one, but like stated before: Challenges are a great way to see what the status of your current knowledge is and you also might learn something from it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=38</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>F-Secure Reverse Engineering Challenge</title>
		<link>http://www.forensicsblog.net/?p=34</link>
		<comments>http://www.forensicsblog.net/?p=34#comments</comments>
		<pubDate>Sat, 02 Aug 2008 10:57:41 +0000</pubDate>
		<dc:creator>Thijs</dc:creator>
				<category><![CDATA[Challenges]]></category>
		<category><![CDATA[Competitions]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=34</guid>
		<description><![CDATA[F-Secure is having another one of their Reverse Engineering Challenges. The current challenge can be found on http://www.khallenge.com/ Previous challenge files can be found on: http://www.f-secure.com/security_center/asm.html The contest started on Friday 1st of August 2008 at 12:00 and is already almost over as it ends on August 3rd 2008 at 11:59 (EET). By the time [...]]]></description>
			<content:encoded><![CDATA[<p>F-Secure is having another one of their Reverse Engineering Challenges. The current challenge can be found on <a href="http://www.khallenge.com/">http://www.khallenge.com/</a> Previous challenge files can be found on: <a href="http://www.f-secure.com/security_center/asm.html">http://www.f-secure.com/security_center/asm.html</a></p>
<p>The contest started on Friday 1st of August 2008 at 12:00 and is already almost over as it ends on August 3rd 2008 at 11:59 (EET). By the time of this writing you can&#8217;t win the prizes anymore as two people already solved the last round. But that shouldn&#8217;t spoil the fun in participating in it of course. Challenges are a great way to see how good your current knowledge is and you also might learn quite some new things.</p>
<p>Ok, back to level 2!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=34</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware what you travel with</title>
		<link>http://www.forensicsblog.net/?p=31</link>
		<comments>http://www.forensicsblog.net/?p=31#comments</comments>
		<pubDate>Sat, 02 Aug 2008 10:41:00 +0000</pubDate>
		<dc:creator>Thijs</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.forensicsblog.net/?p=31</guid>
		<description><![CDATA[Multiple news sites tell the story of the USA now being able to detain the laptops (or any other electronic device) from travelers. The Policy Regarding Border Search of Information states: Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. The search [...]]]></description>
			<content:encoded><![CDATA[<p>Multiple <a title="news sites" href="http://www.washingtonpost.com/wp-srv/content/article/2008/08/01/laptops.html" target="_blank">news sites</a> tell the story of the USA now being able to detain the laptops (or any other electronic device) from travelers. The <em><a title="Policy" href="http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/search_authority.pdf" target="_blank">Policy </a>Regarding Border Search of Information</em> states:</p>
<p><em>Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location.</em></p>
<p>What does this mean for a traveling Forensic Investigator? First of all, how are you going to do your job when your electronic friend is being held for investigation? What is a &#8220;Reasonable period of time&#8221;, maybe you can pick it up again when you are leaving?</p>
<p>And if it is being detained, what data is on it? Of course you should never have any case data on your own laptop, right? But what if you have a new case and you did a quick investigation on the secured evidence with your own laptop? There might be some traces left in the slack and free space. Let&#8217;s hope the data doesn&#8217;t contain any references to terrorist acts, it might be a long stay then instead of a short trip.</p>
<p>Or, what if you just made a forensic copy for a case and you are traveling with that copy to deliver it in your own lab for your investigation. If the hard disk with the forensic copy is being detained how does that look on your chain of evidence? Not to think of the data that might be on a just newly imaged evidence item.</p>
<p>Of course if you keep thinking about it there will be a lot more consequences when your items are being detained at the border. But then again, why would a good Forensic Investigator be stopped at the border for such an investigation? Oh well, as long as they don&#8217;t take my PSP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensicsblog.net/?feed=rss2&amp;p=31</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
