VERSION 3
MISSIONMAN
and Anti‐Forensics
Foreword
Computer security is not just a science but also an art. It is an art because no system can be considered secure without an examination of how it is to be used. All components must be examined and you must know how an attacker goes about a system before you can truly understand how to best defend yourself. This is where this guide comes in; it exists for the purpose of examining these methods of attack and the implementation for attack mitigation. You will learn the common techniques used for attack and how to protect yourself from them. This guide should not be used as an in‐depth analysis of each attack, but a reference for each of the attacks that exist.
Table of Contents
Chapter 1 _ The CIA Triad
Chapter 2 _ Recommendations
2.1. Learn how to chat
2.2. Intro to Tails
2.3. Intro to Whonix
Chapter 3 _ Encryption
3.1. Encryption Dealing with Confidentiality
3.2. Encrypting Files or the Hard Drive
3.3. Securely Exchanging Messages, Data, and Signing Data
3.4. Steganography
3.5. Authentication Factors
3.6. Password Attacks and Account Recovery Attacks
3.7. Creating Secure Passwords
3.8. Hashing, Hashing Collisions, and Birthday Attacks
3.9. Cold Boot Attacks
Chapter 4 _ Data
4.1 A Quick Word
4.2 Deleted Data
4.3 Deleting Data Securely
4.4 File Slack
4.5 Alternate Data Streams
4.6 Where to Hide Your Data
4.7 Changing File Headers to Avoid Detection
4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache
4.9 Temporary Application Files and Recent Files Lists
4.10 Shellbags
4.11 Prefetching and Timestamps
4.12 Event Logs
4.13 Printers, Print Jobs, and Copiers
4.14 Cameras, Pictures, and Metadata
4.15 USB Information
4.16 SSD – Solid State Drives
4.17 Forensic Software Tools
Chapter 5 _ Continuity
5.1 Security Concerns with Backups
5.2 Security Concerns with Sleep and Hibernation
5.3 Ensuring Information and Service Continuity
5.4 DoS and DDoS attacks
Chapter 6 _ System Hardening
6.1. Uninstall Unnecessary Software
6.2. Disable Unnecessary Services
6.3. Disable Unnecessary Accounts
6.4. Update and Patch Windows and Other Applications
6.5. Password Protection
Chapter 7 _ Antivirus, Keyloggers, Firewalls, DLP’s, and HID’s
7.1. Antivirus
7.2. Hardware Keyloggers
7.3. Firewalls
7.4. DLP’s
7.5. HIDS’s and NID’s
7.6. Other Considerations
Chapter 8 _ Networks
8.1. Intro to Networking
8.2. Private vs. Public IP Address
8.3. MAC Address
8.4. Public Wireless
8.5. Security Protocols
8.6. Virtual Private Networks
8.7. Chat Sites ‐ How Attackers Attack
8.8. Other Considerations
8.9. Extra: MAC Address Spoofing and ARP Attacks ‐ How they work
Chapter 9 _ Web Browser Security
9.1. Downloading and Using the Tor Browser Bundle
9.2. Configuring Web‐Browsers and Applications to Use Tor
9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care?
9.4. JavaScript
9.5. Cookie Protection and Session Hijacking Attacks
9.6. Caching
9.7. Referers
9.8. CSRF/CSRF Attacks (XSS Attack)
9.9. Protect Browser Settings
9.10. DNS Leaks
9.11. User Awareness, Accidents and System Updates
9.12. Limitations
9.13. Extra
Chapter 10 _ Tails
10.1.1. Tail’s concept
10.1.2. Why can’t I use another OS / Windows in a VM?
10.2.1. How to choose strong passphrases
10.3.1. Requirements for Tails
10.4.1. First steps
10.4.2. Using Tails as a completely amnesic system
10.4.3. Using Tails with a persistent volume
10.5.1. Encryption of an external drive
10.5.2. How to mount a LUKS‐encrypted volume in Windows
10.6.1. Secure deletion of a drive or partition
10.7.1. Using the persistent volume
10.7.2. Storing files on the persistent volume
10.7.3. Firefox bookmark management
10.7.4. The password manager ‐ Passwords and Encryption Keys
10.7.5. Pidgin for IM/Chat/IRC
10.8.1. Installing software: The basics
10.8.2. Recommended software additions
10.8.3. I2P / iMule (not recommended)
10.8.4. TorChat (not working)
10.9.1. File and folder handling in Terminal
10.10.1. General advice
Chapter 11 _ Hacking Tools
Fingerprinting and Reconnaissance
DNS Interrogation Tools:
Email Tracking Tools:
Google hacking Tools:
Monitoring Web Updates Tools:
Traceroute Tools:
Website Footprinting Tools:
Website Mirroring Tools:
WHOIS Lookup Tools:
Other Links:
Scanning Networks
Banner Grabbing Tools:
Censorship Circumvention Tools:
Custom Packet Creator:
Network Discovery and Mapping Tools:
Packet Crafter Tool:
Ping Sweep Tools:
Proxy Tools:
Scanning Tools:
Tunneling Tools:
Vulnerability Scanning Tools:
System Hacking
Anti‐Rootkits:
Anti‐Spywares:
Covering Tracks Tools:
Keyloggers
Password Cracking Tools:
Viruses and Worms
Virus programs and Generators:
Viruses:
Sniffing
ARP Spoofing Detection Tools:
DHCP Starvation Attack Tools:
MAC Flooding Tools:
MAC Spoofing Tools:
Sniffing Tools:
Social Engineering
DoS
Session Hijacking
Session Hijacking Tools:
Hacking Webservers
Information Gathering Tools:
Webserver Attack Tools:
Session Hijacking Tools:
Vulnerability Scanning Tools:
Web Application Security Scanners:
Webserver Footprinting Tools:
Webserver Security Tools:
Hacking Web Applications
Session Token Sniffing:
Web Application Hacking Tools:
Web Service Attack Tools:
Web Spidering Tools:
Webserver Hacking Tools:
Web Application Pen Testing Tools:
Web Application Security Tools:
SQL Injection
SQLi Injection Tools:
Hacking Wireless Networks
Bluetooth Hacking Tools:
GPS Mapping Tools:
Mobile‐based Wi‐Fi Discovery Tools:
Spectrum Analyzing Tools:
WEP Encryption:
WEP/WPA Cracking Tools:
Wi‐Fi Discovery Tools:
Wi‐Fi Packet Sniffer:
Wi‐Fi Predictive Planning Tools:
Wi‐Fi Security Auditing Tools:
Wi‐Fi Sniffer:
Wi‐Fi Traffic Analyzer Tools:
Wi‐Fi Vulnerability Scanning Tools:
Evading IDS, Firewalls, and Honeypots
Firewalls:
Honeypot Detecting Tools:
Honeypot Tools:
Packet Fragment Generators:
Buffer Overflow
Chapter 12 _ Standard Acronyms
Chapter 13 _ Download Links
In this guide I am going to reference a well‐known security policy that was developed to identify problem areas and the recommended solutions when dealing with information security. This policy is known as the CIA and stands for: Confidentiality, Integrity, and Availability. This triad was developed so people will think about these important aspects of security when implementing security controls. There should be a balance between these three aspects of security to ensure the proper use and control of your security solutions.
Confidentiality is, as the word implies, having something be confidential or secure. In essence, privacy is security and confidentiality means that third party individuals cannot read information if they do not have access to it. Data to think about keeping confidential is data stored on a computer (temporary data, data saved, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality will be the main focus point of this article as it is most often referred to as the most important aspect of security.
The I in CIA stands for Integrity and is specifically referring to data integrity. Integrity is the act of ensuring that data was not modified or deleted by parties that are not authorized to do so. It also ensures that, if the data was changed, the authorized person can undo changes that should not have been made in the first place. Simply, if you send a message to someone, you want to make sure that the person does not receive a message that was altered during transit. Integrity also confirms that you are in fact speaking to who you think you are speaking to (for example: when you download an add‐on from a website, you want to make sure that you are downloading from that website and not an unscrupulous third party).
Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not only does data have to be available to you, but it has to be reasonably accessible. There's no point in security controls if you cannot access the data! This component is a concern, but for the average end user, there is not much that can be done to ensure availability when dealing with webpages, or IRC servers or anything else managed by a third party host. For this reason we will not be discussing Availability except for backing up your data in this guide.
Windows:
TrueCrypt – I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that all evidence is encrypted thus allowing you to skip Chapter 4. If you do not want to enable FDE, I would create a container and have a Virtual Machine inside the container. Otherwise, EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS. (Section 3.2)
Tor Browser Bundle – This allows you to browse the internet anonymously. Using TBB will also allow you to visit .onion sites as well as to join the .onion IRC servers with TBB’s instance of Tor. (Section 9.1)
Anti‐Virus (AV) and a Firewall – This will keep your computer protected from viruses as well as remote intruders (most all‐in‐one anti‐virus software has these features). (Section 7)
I have decided to move a recommendation from later on in this guide to up here. One good recommendation is to create and use a standard account with no Administrative privileges. This way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would make sure your username does not contain your full name as many applications such as Pidgin can share this information. Furthermore, make sure that you create a Windows password that is difficult to guess/attack, as your computer can be explored using that password, over the network.
(Optional) TorChat – TC is a chat application that runs over Tor to provide an anonymous way to chat. (Section 2)
(Optional) IRC Client – An IRC client allows you to enter Tor chat rooms to talk to many individuals at one time. You will need one with proxy settings so you can run the client through Tor. Make sure to NOT use DCC as it can expose your IP address. There are several IRC servers that run over Tor (.onion addresses) that you can use. They are all logically connected, so connecting to one will connect you to all. (Section 2)
(Optional) GPG – for sharing messages and files back and forth over a common medium, GPG ensures confidentiality and integrity. (Section 3.3)
Know the limitations of each security product. Each product addresses a specific set of issues within a specific context. Make sure to know the differences between the employed solutions and how they protect you. For example, using a VPN does not stop anyone from stealing your laptop and gathering all your data. Use several layers of security for maximum security.
Do not rely on authentication at the session initiation alone. Use several levels of authentication to ensure that the person you are communicating with is who they say they are and vice versa.
Assume everything you use is insecure and treat everything like a security threat. Build your security model based on what you do; security is dynamic, not static.
Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when things go bad. Plan and practice that plan. Good security means nothing if what you do does not work.
2.1 Learn how to chat
There are a couple of ways to chat over Tor depending on your wants and needs. In this guide, I will only be talking about two ways to chat with other people: IRC and TorChat. Using an IRC server allows you to chat with many people at one time as well as chat with another person in a private chat room. TorChat on the other hand only allows you to chat privately with someone, but it allows you to share files with another person whereas the IRC does not.
The first way I will describe is how to connect to the Onionnet IRC. The Onionnet is a network of servers that are connected together to increase redundancy. For those of you who don’t know, IRC stands for Internet Relay Chat and was intended for group communication in discussion forums, called channels, but also allows one‐to‐one communication via private message as well as chat and data transfer,
a server or a netsplit occurs
2. To create an account, click Accounts followed by Manage Accounts. You can add as many accounts as you want; I created a few accounts to connect to the different IRC servers for the reason described above.
3. Select Add. Under Basic, your settings should look like this: Protocol – IRC, Username – your username, Server – IRC server (listed below), Local alias – your username. Again, you can use any of the several Tor IRC servers as they are all connected. Alternatively, you can use one of the several IRC relays instead of connecting to the Tor servers directly.
4. Under Advanced, your settings should look like this: Port – 6667, Username – your username. In Pidgin, if you do not specify a username under the Advanced settings, your username will be exposed. When you enter or leave the chat room the username will appear before the hostname. For example, if your ID is TheBest and your username is Bob, then it will appear as TheBest [Bob@OnionNet]. If you are trying to use OFTC, you will replace port 6667 with port 9999 as seen in the IRC Server below (you can also remove the :9999 below if using Pidgin).
5. Under Proxy, your settings should look like this: Proxy type – SOCKS 5, Host – 127.0.0.1, Port – 9150 (Tor Port). If you are using Privoxy, the port will be 8118.
6. Click Buddies and Join a Chat to join a channel. Add Chat will permanently add the channels to the Chats list so you don’t have to remember the channel name every time. Right‐clicking the chat under Chats will give you a host of options. I selected Persistent to receive the messages in the chat‐room even though they are not currently open. You can use /list to get a list of all the channels or you can use /join #room to join a specific room. #security and #public are two good channels when asking general questions or questions related to privacy or security.
7. You can use the /msg “username” command to send a private message to someone or use the /query “username” command which will open a new window in both clients for private messaging. I would advise looking up the IRC client commands for full functionality. Also, even though I recommended disabling DCC, the servers disable the functionality altogether.
8. Lastly, you should know that most, if not all, IRC clients cache your username for functionality. Pidgin takes this further by creating logs for specific channels and individual users that you chat
1. Download TorChat from GitHub as it is now the official source for the TorChat project. At the time of writing this article, the direct link is https://github.com/prof7bit/TorChat. Once the page is loaded, click the Downloads button over on the right. Select the latest build as denoted by the version number. Make sure to download the Windows executable version for Windows, the Debian / Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to do. If the build is in Alpha, then it is not recommended.
2. The file will be downloaded as a .zip file. Once the file is fully downloaded, open the file and extract the contents with your favorite archive file manager. I extracted the file to the default location in Windows which is the Downloads folder. You can move the folder at any time as TorChat is portable.
3. Open the TorChat folder, expand the bin folder, and run torchat.exe to start TorChat for the first time. Once loaded, you will be provided your TorChat ID (16 characters that are comprised of letters and numbers).
4. To add a contact, just right‐click in the white space of the program and click Add Contact… Alternatively, you can edit the buddy‐list file in the bin directory. Double‐clicking a contact will initiate a chat (right‐clicking and selecting Chat… will accomplish the same thing). You can also edit and delete a contact by right‐clicking the user and selecting the appropriate function. Sending a file is as simple as dragging the file into the chat window or right‐clicking the
2. Once downloaded you have a couple of options: you can burn the image to a DVD or a USB (the image is too big to fit on a CD). If you burn the image on a DVD‐R, an attacker cannot modify the contents as the disk is read only. This also means that you cannot save anything or make any permanent changes on the disk. DVD‐RW and the USB can be written to and re‐written to, meaning files and settings can be saved in persistent storage. But this comes at a risk, as an attacker can maliciously modify Tails.
3. Installing an image to a DVD is easy; all you need is the right software. ISO Image Burner is a good program for Windows that can do this for you. Macs and computers running Ubuntu can burn the image natively. Once your ISO burning program is open, insert the blank DVD into the disk drive and burn the Tails ISO image to the blank disk (or a DVD‐RW disk).
click Create. At the top of the Oracle VM VirtualBox Manager click on Settings to modify the settings of the VM you just created. Select Storage and next to Controller: IDE click on the little disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you just downloaded. Under Controller: IDE you should see the image you just selected. Select that image and check Live CD/DVD over on the right under Attributes. Click OK. Start the VM to boot into Tails.
6. At this point you should be asked if you would like to view more options. I am going to kill two birds with one stone and cover how to install Tails on a USB as well as what I recommend after you install the ISO on the USB. Select Yes on this screen and create an Administrator password on the next screen. Under Applications > Tails you can create a persistent volume as well as use the Tails USB Installer. When creating a persistent volume, I would select all the applications
Adobe Flash anonymously
Browse The Web Anonymously
Anonymous IRC
Anonymous Publishing
Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
Add a proxy behind Tor (Tor -> proxy)
Based on Debian GNU/Linux
Based on the Tor anonymity network
Based on Virtual Box
Can torify almost any application
Can torify any operating system
Can torify Windows
Chat anonymously
Circumvent Censorship
DNSSEC over Tor ¹
Encrypted DNS ¹
Full IP/DNS protocol leak protection
Hide the fact that you are using Tor ¹
Hide the fact you are using Whonix
Hide installed software from ISP
Isolating Proxy
Java anonymously
Javascript anonymously
Location/IP hidden servers
Mixmaster over Tor
Prevents anyone from learning your IP
Prevents anyone from learning your physical location
Private obfuscated bridges supported
Protects your privacy
Protocol-Leak-Protection and Fingerprinting-Protection
Secure And Distributed Time Synchronization Mechanism
Security by Isolation
Send Anonymous E-mails without registration
Stream isolation to prevent identity correlation through circuit sharing
Virtual Machine Images
VPN/Tunnel Support
Whonix is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else
Transparent Proxy
Tunnel Freenet through Tor
Tunnel i2p through Tor
Tunnel JonDonym through Tor
Tunnel Proxy through Tor
Tunnel Retroshare through Tor
Tunnel SSH through Tor
Tunnel UDP over Tor ¹
Tunnel VPN through Tor
Tor enforcement
Note: When using Whonix, you will be responsible for three operating systems: the Whonix gateway, the Whonix workstation, and the host machine. Whonix is only intended to run on VirtualBox, so VMware is not recommended.
TorChat ¹
Free Software, Libre Software, Open Source
¹ via Optional Configuration
Set‐up Whonix:
1. First things first: download both the gateway and the workstation from the manufacturers’ website: Download links can be found here
of Whonix, you will need to utilize VirtualBox. I recommend increasing the size pre‐setup versus after the fact as it will be much easier (and safer). Once you are done and want to shut down the machine, you can use the Shutdown button on the workstation and type sudo poweroff in the gateway. Another helpful command is sudo arm in the gateway to check the status of Tor and use the character N to force
5. Give this new value a name. For example, I entered Onion, so I knew it contained all the IRC servers for OnionnetTest
6. Press the Enter key on your keyboard and select the Edit… button in the program.
7. Once you see the Edit page come up, you will see one default server in the Servers for Test list. You can select that item and click Edit.
8. The format for adding a new server is as follows: serveraddress.onion/port. For example, I entered this: ftwircdwyhghzw4i.onion/6667
KGpg: open the program and click Import Key from the menubar. Select the public key you downloaded and click Open. Once the keys are imported, you can encrypt data using the program (right‐click the file in Dolphin browser, and click Encrypt) or use the command line switches. GnuPG is recommended for
I will be talking about using encryption for confidentiality and integrity. Non‐repudiation is used, but is not normally implemented for our purposes.
3.1 Encryption Dealing with Confidentiality
Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. The earliest forms of encryption were the scytale and the creation of cipher texts. These forms of cryptography would rely on both parties knowing the key used or the correct cipher before the message could be delivered. Here's an example of a typical cipher, with a grid of letters and their corresponding numbers:
Done right, encryption protects private or sensitive data by making it difficult for the attacker to uncover the plaintext. This is the idea of encryption: to make it harder for others to uncover our secrets. The idea behind it is that whatever amount of expertise and computer time/resources is needed to decrypt the encrypted data should cost more than the perceived value of the information being decrypted. Knowing what to use encryption for, how it works, and what type of encryption to use depending on the circumstances will allow you to better your security and make it harder for an attacker to do his job.
As we said before, there are many reasons for encryption. One purpose of encryption is the act of transforming data from a state that is readable to a state that cannot be read by a third party that does not have permission. The result of the process is encrypted information (in cryptography, referred to as ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts information as well as decrypts it.
There are a few types of encryption that should be used for two different purposes: symmetric and asymmetric (public key encryption). Symmetric encryption can also be known as private key encryption or single key encryption. “Symmetric” means the encryption and decryption processes are reverses of each other. I must share the secret passphrase with anyone I want to be able to decrypt my encrypted data. It is used the most because it is fast, easy to use, and is the most widely needed. You will use this form of encryption when there is only one password being used (such as TrueCrypt or another simple file encryption utility). The problem with this, as stated before, is that it uses only one key, so exchanging that key is not done securely between two people. Asymmetric encryption fixes that problem by utilizing two keys instead of just one.
Asymmetric (or Public key) encryption uses two keys, one key to encrypt information and the other to decrypt the information. “Asymmetric” means that the process of encryption with the public key can only be reversed (decrypted) by using the private key (and vice versa). Although a message sent from one computer to another won't be secure since the public key used for encryption is published and available to anyone, anyone who picks it up can't read it without the private key. This type of encryption is slower, but is more secure when sending confidential information to someone, signing data, or verifying that a person is who they say they are. If you want to send me an encrypted message, you must have my public key, and only someone who has access to my private key (presumably, just me) can decrypt messages encrypted with my public key. So, when Bob wants to send you a message, his computer encrypts the document with a symmetric key, then encrypts the symmetric key with your public key. When you receive the data, your computer uses its own private key to decode the symmetric key. It then uses the symmetric key to decode the document.
3.2 Encrypting Files or the Hard Drive
You will most commonly want to encrypt files for storage or if you want to upload them to several people securely. Using your computer is also a security risk if you simply created a Windows password and stopped your security there. Windows hashes your password and checks that against the password you enter when logging into the device. In no way does it attempt to encrypt your files, meaning they are all in the clear just waiting for someone to take them. And even if you use Windows encryption, law enforcement can just request the keys. Furthermore, many of you think that using BIOS passwords is great for security, which is also not the case. They can be broken as easily as a Windows password can.
There are several programs that run outside of Windows to either remove or crack a password. Removing the password does just that: it removes the password completely. Cracking a password, on the other hand, allows you to obtain the password instead of removing it. Doing so allows you to log into the device as the user or, because many people use the same password across several logins, to use it on several other systems.
There are a couple of programs that support this type of file and folder encryption and most of you have probably already heard of them. The programs I am referring to are TrueCrypt and 7Zip, and they both provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire hard drive or to create an encrypted container. 7Zip, on the other hand, is a program that allows you to create an encrypted archive. Remember that symmetric file encryption has only one key for the encryption and decryption process. So you will need to share the key in cleartext if you plan on sharing the files.
In this example, as with the fundamentals of the Caesar Cipher, all the characters are shifted, usually by 3 characters. If he wanted to say "You will never guess this," for instance, he'd write down "BRXZLOO HYHU JXHVV WKLV" instead. As you can see, the text is also broken up into even groups in order to make the size of each word less obvious. You can change the orders of the letters and change the number of shifts per letter to complicate the process for the attacker even further.
Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted container. When mounted, it will look like another drive on your computer. TrueCrypt containers are secure but using them still comes with the risks of leaving your recent files lists, thumb files, and other temporary and cache data exposed. It is recommended that you use TrueCrypt and encrypt the entire disk for maximum security. The process of encrypting your entire disk is called FDE (Full Disk Encryption). Furthermore, it is recommended that you use a hidden volume when using TrueCrypt. Investigators cannot determine whether or not you have a hidden volume in your TrueCrypt container unless you tell them. One drawback with using FDE with a hidden volume versus using FDE without a hidden volume is you will have two Operating Systems instead of just one. You can also use TrueCrypt to encrypt portable drives using the Traveler Disk Setup. For information about using TrueCrypt on SSDs, please reference SSD – Solid State Drives (section 4.16).
8. In this step you will specify the name and location of your TrueCrypt container. If you try to save the file and get an “access denied” error, try creating the container in your Documents folder or elsewhere. Choose the location in the Explorer window and specify the File name: (edit) in Specify Path and File Name [ ]. Click Save (button) in the Specify Path and File Name dialog box.
9. Click Next > (button) followed by Next > (button) on the next page.
10. In the dropdown, I selected AES (list item) for the Encryption Algorithm. This is the most secure and provides 256‐bit encryption which is a 32 character password. You can read up on the other encryption algorithms for further explanation. SHA‐512 (list item) was my choice for the Hash Algorithm. You can also read further on the hashing algorithms. Click Next >
12. Enter and re‐enter your password for the Outer Volume Password. This is the password that you will be able to reveal if you are forced to do so. You are allowed to enter a password up to 64 characters.
13. For the Large Files step, I selected Yes, so it would format as NTFS; it is up to you though. Click Next > (button)
someone tricks you into giving them the password.
18. Select Next > (button), choose whether Large Files are going to be used in the next window, and click Format (button) to finalize the process (again, make sure to move your mouse around on that step for better security).
19. Open TrueCrypt again and mount the Outer container. To start, I would mount the Outer Container so we can add some decoy data in there in case you are forced to give the password. To do this, just select the drive letter, click Select File… (button), select the TrueCrypt file you created in Step 8, and press Mount. Simply, you will enter the Outer Volume password or the Hidden Volume password depending on which volume you want to mount. Make sure when moving decoy data over that it is completely legal and that it CANNOT be confused for something illegal. Also, make sure it would be something you would
3. In the Split to volumes, bytes input field under the General tab, enter the appropriate size of each archive. For example: If you have a file that is 200MB (or 204800KB) and the file upload size limit is 50MB, for the Split to volumes, bytes input field, you will enter 50MB. In this case four files will be created, each 50MB apiece.
at all costs, this video would need to be "private" or "hidden." So, you would stick Video A in the container that you could give the key away to and Video B would go in a container that you would protect at all costs. If you use the key for Video A, you can see video A and so forth.
So, on the same lines, a hidden container (or, a hidden OS), is a hidden, encrypted container that the LEA cannot prove exists. So, you have two keys: a key for the public container and a private container. You can unlock one or the other at one time, but not both at the same time. So, you can give the LEA the key that opens up your public container whilst hiding the key for your private container. The LEA cannot determine if you have a private, hidden OS, or a private container. If you use the key for your non‐sensitive container, you will boot into container.
In essence (when dealing with hidden OS’s), think of two Operating Systems on one computer and you can choose which one to boot into depending on the password. A hidden OS is hidden and the LEA cannot prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding your other OS. So, instead of anti-forensic techniques or saying, "oops, I forgot the password", you can view all sensitive material in the hidden OS and not worry about anything sensitive being leaked (paging, recent file lists, db files, caching, etc). Remember this: if you are forced to give the encryption key, you can do so whilst keeping your hidden container hidden, which is the main advantage of a hidden container.
You can also use programs such as PGP or GPG (GPG being a free replacement for PGP) to securely encrypt data or messages. Both programs are mainly intended for asymmetric encryption, but will work for our purposes. Notice that I said they are used to encrypt data and messages; they cannot be used like TrueCrypt to encrypt entire drives or partitions, or to create encrypted containers. And like I said above, they are subject to the same problem when exchanging the key. The key still must be sent in clear text.
Decrypting the file using symmetric encryption is as easy as putting the file on your computer and telling the program to decrypt it. The command line switch for the decryption process is similar to the encryption process. To decrypt a file, you must use GPG and enter this: gpg --decrypt inputfile.ext.gpg. The program will then recognize it used symmetric encryption and will ask for the key to decrypt it. Again, the key to encrypt the file is the same key you will now use to decrypt the file. You should also know that when encrypting the file, the program GPG does nothing to the clear text file. So it is still sitting on your computer and can be read by anybody who gains access to it. Deleting a file securely will be discussed later on.
When you originally encrypt the file you will notice that the output looks like a bunch of gibberish. To combat this, GPG has a command option for ASCII armor output. When GPG encrypts a message without the ASCII armor option, the result is called binary output. Binary output is machine-readable but we cannot make sense of it. ASCII armor ensures that the only characters used are ASCII characters so they can be read easily. For example, if I want to encrypt data using the symmetric algorithm with the armor output I would put in the command as follows: gpg -ac. The “a” generates the armor output and the -c, as above, specifies that you want to use the symmetric algorithm. Because no input file is specified, using this switch means you type the message manually within the command prompt. When you are done you will have to enter an ‘end-of-file’ sequence. On Windows: press Enter, then ctrl-z, then Enter. On OS X/Linux: press Enter, then ctrl-d. Pressing ctrl-c (“abort”) quits GnuPG without executing any command.
3.3 Securely Exchanging Messages, Data, and Signing Data
The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data. But what if you wanted to send a message to somebody? Somehow, you will need to share the key while reducing the risk of anyone being able to intercept the password and use it to decrypt the data. Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of encryption there are two keys used, a public key and a private key. The public key is given to the world and is used to encrypt data whereas the private key is used to decrypt the data and to verify the data being received is legitimate. A popular program to securely share data and messages between two people (using asymmetric encryption) is PGP or GPG (GPG being a free replacement for PGP). For the purposes
of this guide, I will be using GPG, the free replacement for PGP.
First things first: exchanging the public key, so that someone who wants to give you a message can secure the data before sending it to you. Assuming that you both have GPG installed on your machines, you can use the Try it out – create GPG key example to create, export, and exchange your public keys. The public key is only used to encrypt data. So for an attacker to decrypt data, they must have your private key. Once the initial public key exchange is done you can now securely exchange data. You will also notice that I used the armor output option so when I want to exchange my public key via email or form, it can easily be copied by the recipient trying to import it. You should only give out your public key, and never your private key. It is best to keep your key pairs on an encrypted drive. If someone obtains your private key they will be able to read all encrypted messages intended for you. If compromised, create a new private and public key pair and give out your new public key. Also note that your key pair comes with an expiration date if specified. Once the expiration date is reached, people can no longer send you encrypted messages using that expired public key.
Here is an example of a GPG encrypted message with armor output:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
When you send or receive a message (or key or signature), you want to include everything, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines. When you have imported a public key from another person, you will not need to use your private key, nor will they need to have access to your public key. The beginning and ending “signatures” will also appear different depending on what you are doing. Finally, if you do not use the armor output option, the begin and end signature will not appear.
Now that you have created your own key pair and imported someone else’s, you can start encrypting and decrypting data respectively. You can follow the Try it out – Encrypting and decrypting a message/file to learn how to encrypt and decrypt a file. I will elaborate on how that works a little more. To begin, you will use gpg to start the program GPG and -e to tell the program that you want to use asymmetric encryption rather than the symmetric encryption (-c) used before. --output "output file" is the name of the output file that will contain the encrypted data. --local-user "your username" is the name of the user that the message is coming from (in this case, you). -r "recipient" is the person whom you are sending
Gpg4win is installed, follow these steps to create your key pair for encryption/decryption (note: the following instructions are for creating a key size of 4096 which I recommend. You can create a
“A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.”
“Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key. For example, Alice would use her own private key to digitally sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her submission would use Alice's public key to check the signature to verify that the submission indeed came from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures
is that it is difficult to deny that you made a digital signature since that would imply your private key had been compromised.”
the recovered document is output. gpg --output doc --decrypt doc.sig is the command line switch to verify a document using the person's signature.
12 You will now want to type a lot of random data in a text program of your choice or move your mouse around the screen so the key can be generated until the key generation is complete
is not detached) and using the --verify option as used above. Using the hash verification, you will need to create a hash output of the downloaded file and compare it to the hash specified from the vendor. You can read more about hashing below.
Much like anything, you want to make sure that you are keeping up with the encryption standards of today. This means using the newer algorithms to replace the older ones. As a real world example, there are leaked documents claiming the NSA (National Security Agency) paid RSA $10,000,000USD to have a backdoor planted inside Elliptical Curve Cryptography (ECC) algorithms. Products such as Tor were affected and should be updated to defeat these attacks.
One‐Time pad
I wanted a section on OTP’s, however, I did not want to give it a full number besides its name. You might notice that most of this information is taken directly from Wikipedia; the reason is that I did not want to reinvent the wheel in sharing this information. In cryptography, the one‐time pad (OTP) is a type
of encryption that is impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key (or pad) of the same length as the plaintext, resulting in a ciphertext. If the key is truly random, at least as long as the
plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key. Saying that, this form of encryption is the most secure form of
encryption out there.
plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and is therefore very fast. However, ensuring that the key material is actually random, is used only once, never becomes known to the opposition, and is completely destroyed after use is hard to do. The XOR method operates according to this principle:
converted back to plaintext. Below is an example on how the XOR operation is used. You will notice that 0 + 0 and 1 + 1 return the output of 0 whereas 1 + 0 and 0 + 1 returns the output of 1. The string below, "Wiki" (01010111 01101001 01101011 01101001 in 8‐bit ASCII), can be encrypted with the repeating key 11110011 as follows:
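The "Wiki" example described above, worked through in code. This is an added example and not part of the original guide; the function names are made up for illustration. It also shows why the repeating key 11110011 is not a one-time pad, and why a pad must never be reused.

```python
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every data byte with a key byte; a shorter key repeats."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bits(data: bytes) -> str:
    """Render bytes the way the guide writes them: 8-bit groups."""
    return " ".join(f"{b:08b}" for b in data)


def otp_encrypt(plaintext: bytes):
    """Encrypt with a fresh random pad exactly as long as the message."""
    pad = secrets.token_bytes(len(plaintext))
    return xor_bytes(plaintext, pad), pad


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Refuse a pad that is too short instead of silently repeating it."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(ciphertext, pad[:len(ciphertext)])


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR two ciphertexts made with the same pad: the pad cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # The guide's example: "Wiki" with the repeating one-byte key 11110011.
    wiki = xor_bytes(b"Wiki", bytes([0b11110011]))
    print("ciphertext:", bits(wiki))
    # Both letters "i" encrypt to the same byte, so the pattern of the
    # plaintext survives. A repeating key is an XOR cipher, not an OTP.
    print("repeated letter visible:", wiki[1] == wiki[3])

    # A real pad: random, as long as the message, used once.
    ct, pad = otp_encrypt(b"constructed sample message")
    print("round trip:", otp_decrypt(ct, pad))

    # Reusing one pad for two messages (constructed samples) leaks the
    # XOR of the two plaintexts without the key ever being known.
    p1, p2 = b"MEET AT NOON", b"STAY AT HOME"
    shared = secrets.token_bytes(len(p1))
    leak = reuse_leak(xor_bytes(p1, shared), xor_bytes(p2, shared))
    print("pad cancelled out:", leak == reuse_leak(p1, p2))
```
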
3.4 Steganography
Another good form of encryption is steganography which is the act of hiding data within text, graphic files,
or audio files. The purpose of this method is so that nobody will know that there is a private message inside the medium (photo, document, etc.) because it is hidden. Let’s say Bob wants to send private messages to Steve over a public forum read by numerous people. Bob grabs a picture, puts a hidden message inside and uploads it to the website. Nobody knows the message is there except for Steve, who is able to save the picture to his computer and read the message hidden inside. Forensic examiners will need to look at each individual file to determine if steganography was used. So for example if you have 1000 pictures, they will need to go through each and every one to determine which ones have steganography and which ones do not.
Using steganography is as easy as downloading the right software from the internet. I started out by downloading one of the more popular freeware tools out now: F5, then moved to a tool called SecurEngine, which hides text files within larger text files, and lastly a tool that hides files in MP3s called MP3Stego. I also tested one commercial steganography product, Steganos Suite. These tools may contain backdoors, as with all encryption programs, and therefore should not be used with data you are trying to hide from any party that may hold the decryption key.
3.5 Authentication Factors
There are several types of authentication factors when accessing resources, and most of you have only been using one of them. In the security field they are referred to as something you know, something you have, and something you are. A username and password fall into the something you know category. This is because you know in your mind what your username and password are. Something you have is a physical device such as a smart card or token. Finally, something you are refers to a fingerprint, an iris scan, or another physical feature.
The idea behind “something you know” is keeping a secret that only you know. Thus, knowledge of a secret distinguishes you from all other individuals. And the authentication system simply needs to check
to see if the person claiming to be you knows the secret. This method is also used between two or more persons to verify they are whom they claim to be. This is often called challenge-response authentication and even though it is more so used as a token, it can be used between several people.
If you have ever watched the movie “Bourne Ultimatum” you have already seen this in action. Halfway through the movie, one of the characters is presented with a Duress Challenge in which she is asked a question and depending on the response, she is either normal or under duress. In the same way, many people can create a similar model of authentication that moves past a simple password that can convey
One popular challenge-response mechanism uses tokens to authenticate the user. These methods are becoming increasingly popular and are even employed by services such as Google and TrueCrypt. Disconnected tokens such as those deployed by several online services have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Smart cards, other physical tokens, and keyfiles are also methods that fall under the “something you have” category. Below is a very simple example of how some challenge-response mechanisms work.
Let’s say that you want to log into a system and use a detached token. You will most likely be given a set of characters to input into the system to verify that you are whom you say you are. So, you fire up the token and request your one-time pin code. The server that generates the code will load up the list and select a set of characters from the tables. In this example, we will say the challenge is the characters H, G, A, I, P, and S (yellow). Your token will then generate a response of J, I, C, K, R, and U (red). The server will then verify that the response the token created matches up to the response the server expects. Once this is complete, the server will allow you into whatever system you were trying to access.
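The exchange described above, as an added example that is not part of the original guide. The letters in the guide's example are each moved two places along the alphabet, which is fine for illustration only; the second half swaps in an HMAC-SHA256 response over a random challenge with a shared secret, which is an assumption made here and not how any particular vendor's token is documented to work. The class and function names are made up.

```python
import hashlib
import hmac
import secrets


def toy_response(challenge: str, shift: int = 2) -> str:
    """The guide's illustration: each letter moves two places (H -> J)."""
    return "".join(chr((ord(c) - 65 + shift) % 26 + 65) for c in challenge)


class Token:
    """Detached token: holds the shared secret, answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Issues random single-use challenges and checks the responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already used: a replay
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison, so timing does not leak the answer.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(toy_response("HGAIPS"))  # the guide's challenge and response

    secret = secrets.token_bytes(32)  # provisioned into token and server
    server, token = Server(secret), Token(secret)

    challenge = server.issue_challenge()
    response = token.respond(challenge)
    print("accepted:", server.verify(challenge, response))
    print("replay accepted:", server.verify(challenge, response))

    other = Token(secrets.token_bytes(32))  # a token with the wrong secret
    challenge = server.issue_challenge()
    print("wrong token accepted:", server.verify(challenge, other.respond(challenge)))
```
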
The third authentication type is biometric authentication, and it is known to be the best form of authentication as it is the best way to determine that a person is who they say they are. I have pasted a chart to show a comparison of biometric types below:
Characteristic | Fingerprints | Hand Geometry
Ease of Use | High | High | Low | Medium | Medium | High | High
Error incidence | Dryness, dirt, age | Hand injury, age | Glasses | Poor lighting | Lighting, age, glasses, hair | Changing signatures | Noise, colds, weather
Accuracy | High | High | Very High | Very High
decreases the chances of someone other than yourself obtaining this access. For this reason, it is recommended as a best security practice when setting up a protected system.
For most users reading this guide, you will only need to concern yourself with setting up more than one factor when using TrueCrypt. Most of you only use a password, which is adequate for most scenarios, and is what most people use in general. But another feature of TrueCrypt that most people don’t realize is that it does allow for multifactor authentication. This means that you can set up TrueCrypt to utilize both a password and a keyfile (or token or smartcard) when logging into the system. The link provided will elaborate more on key files, security tokens, and smart cards when using TrueCrypt: Click here.
To go back to the beginning, I told you that using multiple authentication factors is best practice, but you might be wondering to yourself, “why?” Two or more factors further ensure that the protection of your data does not rely on a single factor alone. For example, let’s say you have a machine that’s encrypted with TrueCrypt. You know that the encryption employed by TrueCrypt is strong, however, you created a password that is weak and easily guessed. This is where multifactor authentication comes in. The attacker might have guessed your password but if you have another factor such as a token, the attacker will also have to have access to that token during the entire session in order for them to get in.
on you by recording everything you do on the computer. In the same way, hardware keyloggers (which can be in the form of spyware) attempt to record everything that you type in on a keyboard. If successful, a keylogger will capture your password, which can be used later on for an attack. To mitigate this type of threat, you will once again rely on multifactor authentication to authenticate you into the system. And for additional security, you can check for new hardware devices attached to your computer and make sure that you use some sort of anti-virus software to mitigate the threat of software
Another common attack that people do not usually think of is the account recovery attack. This is when someone tries to log in to your account by attempting to reset your password using your account recovery questions. For this reason you should make sure when creating security questions and answers that they are not easily guessed (or found). A good recommendation is to make the answers as complicated as the passwords, but still easy to remember.
3.7 Creating Secure Passwords
The problem with passwords is they are usually too easy
to crack or they are too hard for the users to remember. Therefore, both of these problems should be considered when creating a new password. Start by creating a password that is at least 16 characters. Use as many different types of characters as possible, including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous password and never use the same password for more than one account. Don’t use password‐storage tools, whether software or hardware. Make sure that your password does not include anything identifiable such as: names, usernames, pet names, or words in a dictionary. Lastly, make sure that the password is not too hard for you to
3.8 Hashing, Hashing Collisions, and Birthday Attacks
When people refer to hashing, they are referring to a type of encryption. Hashing is the process of creating
an encrypted output that cannot be decrypted (it performs a one‐way encryption) and is used to ensure that a message or file was not modified from the original copy. Hashing is also commonly used to help authenticate somebody. For example, many websites store a hashed copy of your password instead of the password in the clear. There are several types of hashing algorithms and the newer versions are better than the outdated versions for security purposes. SHA256 is the newest version and is recommended as
of right now when you are checking file or message hashes.
Using asymmetric encryption provides integrity as well as the already explained confidentiality. When you successfully decrypt a message that another user sent you, you have verified its integrity. Another way to ensure integrity is to create the hash of a file or a message and allow people to check the hash they generate against the hash you gave them. For example: let’s say Bob uploads a file for Steve. Bob uploads a file and generates a hash (let’s say a value of 456) so Steve can make sure that when he downloads the file, it was not changed along the way. After downloading and saving the file, Steve also generates a hash of the saved file. If Steve generates the same hash, the file was not altered. But if Steve generates a different value (let’s say 334), then the file has been changed. Personally, I use HashMyFiles because it is easy to use and is a standalone program.
Also, you should know that since there are several types of encryption methods, you need to specify which hash algorithm you want to use when verifying data. The newer the algorithm, the better chances you have of mitigating the eventuality of a hash collision. Adding to what we talked about earlier about asymmetric encryption, when you create a file signature for the recipient to verify the contents they receive, they are actually decrypting the hash value of the data for verification. So in essence, the process for verifying the contents is the same, with the added benefit of verifying the sender and the file when using asymmetric encryption.
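The Bob and Steve check described above, as an added example that is not part of the original guide. The file contents are constructed sample data and the function names are made up; the check also refuses a published value whose length does not fit the chosen algorithm, which is what happens when the two sides do not agree on the algorithm.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large downloads do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(path, published_hex, algorithm="sha256"):
    """Compare the file's hash with the value the uploader published."""
    expected = published_hex.strip().lower()
    wanted_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != wanted_len or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a %s hex digest" % algorithm)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Bob publishes a hash; Steve checks an intact and an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data\n" * 5000)

        published = file_digest(path)  # what Bob posts next to the file
        # Copy-pasted hashes often differ in case or carry whitespace.
        intact = matches_published(path, "  " + published.upper() + "\n")

        # Flip a single bit in Steve's copy: the hash no longer matches.
        with open(path, "r+b") as fh:
            fh.seek(1234)
            original = fh.read(1)
            fh.seek(1234)
            fh.write(bytes([original[0] ^ 0x01]))
        altered = matches_published(path, published)

        # A SHA-1 value checked as SHA-256 is rejected, not compared.
        try:
            matches_published(path, file_digest(path, "sha1"))
            wrong_algorithm_rejected = False
        except ValueError:
            wrong_algorithm_rejected = True
        return intact, altered, wrong_algorithm_rejected


if __name__ == "__main__":
    print(demo())
```
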
Try it out – Hashing
1 Download and save this file: http://ocrlwkklxt3ud64u.onion/files/1343933815.txt. If the file opens up in your browser, then save everything to a text file and save as ‘hash.txt’
a message or file without actually sending the message or file. This is helpful if you want to share a file in which everybody knows what the password is whilst allowing them to confirm that it came from you.
of 30 students asks for everybody's birthday, to determine whether any two students have the same birthday. Intuitively, this chance may seem small. If the teacher picked a specific day (say September 16), then the chance that at least one student was born on that specific day is 1 ‐ (364/365)^{30}, about 7.9%. However, the probability that at least one student has the same birthday as any other student is around 70.”
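The two classroom probabilities from the quoted passage, computed in code and then carried over to hash sizes. This is an added example, not part of the original guide; the function names are made up, and the hash figures are the generic birthday bound for an ideal hash, not a statement about any known attack on a specific algorithm.

```python
import math


def p_specific_day(people, days=365):
    """Chance that at least one person was born on one chosen day."""
    return 1 - ((days - 1) / days) ** people


def p_any_shared(people, days=365):
    """Chance that at least two people share a birthday (any day)."""
    p_all_distinct = 1.0
    for k in range(people):
        p_all_distinct *= (days - k) / days
    return 1 - p_all_distinct


def log2_inputs_for_collision(hash_bits, p=0.5):
    """log2 of how many random inputs give a collision with chance p.

    Uses the approximation n = sqrt(2 * d * ln(1 / (1 - p))) with
    d = 2**hash_bits possible outputs, and returns log2(n) so the
    numbers stay readable.
    """
    return 0.5 * (1 + hash_bits + math.log2(math.log(1 / (1 - p))))


if __name__ == "__main__":
    print("specific day, 30 students: %.1f%%" % (100 * p_specific_day(30)))
    print("any shared day, 30 students: %.1f%%" % (100 * p_any_shared(30)))

    # The same effect on hashes: a collision between any two inputs takes
    # about 2^(bits/2) tries, far fewer than the 2^bits needed to match
    # one specific hash value.
    for name, size in (("128-bit", 128), ("160-bit", 160), ("256-bit", 256)):
        print("%s hash: about 2^%.1f inputs for a 50%% collision chance"
              % (name, log2_inputs_for_collision(size)))
```
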
3.9 Cold Boot Attacks
In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the seconds to minutes after power has been removed. Basically, when a computer is restarted, the encryption keys (passwords) might still exist in RAM and may be recoverable to the extent that they can
be used to decrypt your device.
To simplify what I just said, cold boot attacks work like this. After you turn off your computer, RAM isn't automatically erased when it no longer has power. Instead, RAM degrades over time, and even after a