Penetration Testing

Introduction

A penetration test one of the security assessments that perform on a computer system in which the person performing the assessment attempts to hack into the system. The main purpose is to find out whether or not person with malicious intent can enter the system, and what that person can access once the system has been penetrated. It offered by a number of security firms which specialize in the security of computer systems.

Then the Host Assessments is meaning to ensure systems are as up to date and as hard to compromise as possible.

Penetration Testing

Penetration testing is assesses the security model of the organization as whole it reveals potential of a real attacker breaking into the network. Penetration taster is the different from an attacker only by his intent and lack of meanness and is not completed professionally, and can result in the loss of services and disruption of business continuity.

The outsourcing of penetration testing services is divide into two which is driver of sourcing pentest services and underwriting penetration testing.

To do the penetration testing it must have engagement meaning that organization will allow penetration test against any of production systems after it agree upon clearly stated rules of engagement and it can specify the desired code of conduct the procedures to be followed and the nature of the interaction between the taster and organization.

When doing the penetration testing, pentest team can choice of doing the test either remotely or on –site, a remote assessment may simulate an external hacker attack .however it may miss assessing internal guards and on - site assessment may be expensive and may not simulate and external threat exactly .

The penetration testing can be conducted to way which is automated testing and manual testing. Automated testing can result in time, cost saving over a long term and the tools that use can have high leaning curve any may need frequents to be effective. Manual testing is the best option because organization can choose to benefit from the experience of security professional

Type of Penetration Testing

1. External Testing

External testing is involves analysis of publicly available information, network enumeration phase, and the behavior of security analyzed.

2. Internal Testing

Internal testing will be performed from a number of network access points, representing each logical and physical segment

- Black –hat testing /zero – knowledge testing

- Gray- hat testing /partial –knowledge testing

- White-hat testing /complete –knowledge testing

Advantages and Disadvantages of FTK and EnCase

	FTK	EnCase
1. Advantages	1.K can analyze data from several sources, including image files from other vendors 2. FTK produces a case log file Supports options and advanced searching techniques, such as stemming 3.FTK provides you the following advantages: · Simple Users’ Interface · Fast Searching · EFS Decryption · Bookmarking · Reporting · Password Dictionary Creation 4. FTK can create a keyword index of the entire image at the start of the process which makes futures searches easy. It is rare that you start a case with all the correct keywords... as a case develops; you often need to repeat searches with new keywords which can waste a lot of time. 5. E-mail Display FTK allows you to view e-mail in a user-friendly HTML. You can view native formats such as AOL IP addresses, POP3 servers, and view attachments. You can also document them in HTML reports. FTK can print or export e-mail messages and all associated attachments. It recognizes the source of the e-mail messages based on e-mail archives and special headers. Example : Show the Email display :	1.EnCase is quite outstanding - it is capable of breaking down complex file structures for examination, such as the registry files, dbx & pst files, thumbs db etc 2. Encase have time Line 3. Encase has full scripting abilities and allows automation of report ,decryption and carving
2. Disadvantages	No progress bar No multi-tasking No scripting support HFS (Mac) Not support 2 million File limit On gallery view Foes not fit picture to window No PSD support and no AVI support FTK no Time line except for sorting colums	1. EnCase Index needs work (a lot of work.) 2. No Outlook 2003 PST/OST Support 3. No Internal Mail Viewer 4. Rough looking Report 5. No full Indexing of the Drive 6. Live searches only 7. On gallery view Encase is constantly crashes on corrupt pictures 8. EnCase does not have to re-index order to apply hash list .the Case only need to be hashed once

Cross-reference Functions EnCase VS FTK

Function	FTK	EnCase
1. Acquisition	1. In the Acquisition FTK can - Perform network-based, secure, single-system forensic acquisition of physical devices, logical volumes and RAM. § The agent is easy to deploy. § Doesn’t require a cumbersome installation and authentication process. Secure Remote Device Mounting 2. FTK can validates MD5 and SHA-1 hash for verification of the data-copying process 3. In the Acquisition function FTK can do the physical data copy , logical data copy ,data acquisition formats ,GUI process ,and verification	1. Encase can do the : § physical data copy § logical data copy § data acquisition formats § command –line process § GUI process § remote acquisition and do the verification 2. EnCase prompts to obtain MD5 hash value for verification of the data-copying process
2. Validation	FTK – can do the hashing ,filtering and analyzing the file headers	EnCase- can do the hashing ,filtering and analyzing the file headers
3. Extraction (Analysis)	1. Ability to read – FTK reads and indexes data from Microsoft PST and OST files, EnCase doesn’t – 2. FTK can analyze unallocated data areas of a drive/image file and locate fragments or entire file structures that can be carved and copied into a new file. 3. FTK can viewing the data ,do the Keyword searching decompressing , carving ,decrypting and bookmaking Example : Bookmaking function 4. FTK produces a list of possible passwords for an encrypted file from a suspect drive. FTK’s generated password list can be loaded into.	1. Ability to read - EnCase enable you to create script for extracting but FTK doesn’t 2. EnCase, can analyze unallocated data areas of a drive/image file and locate fragments or entire file structures that can be carved and copied into a new file. 3. EnCase: can viewing the data ,do the Keyword searching decompressing , carving , and bookmaking
4. Reconstruction	1. FTK can do the disk to disk copy , Image to disk copy	1. EnCase can do the disk to disk copy , Image to disk copy, do the partition-to-partition copy and Image-to-partition copy
5. Reporting	1.FTK –dynamic HTML report ,easily customizable ,exportable gallery view 2. FTK, can produce log reports that records activities the investigator performed You can create a section in the report that lists the bookmarks that were created during the case investigation. You can also choose to not create a bookmark section. · You can create a section in the report that displays thumbnail images of the case graphics. · You can create a section in the report that lists the file paths of files in selected categories. The List by File Path section simply displays the files and their file paths; it does not contain any additional information. However, you can export and link to the files in the File Path list by checking the Export to the Report box. · You can create a section in the report that lists file properties for different file types in selected categories.	1. Difficult customization, static content make big report

Investigation of Blackberry, Ipod and Pda

Introduction of Ipod Investigation

iPod is actually not just for entertainment and enjoyment, because it can be more that i seem we look like . The criminal for example find that ipod can be use “alternative” ways for a seemingly harmless device, and the criminal bags of trick.

Component of Ipod

1. In disk mode, the iPod can store other types of files, such as documents or pictures. Apple’s digital music player has a capacity of up to 60GB. With this much storage space, Apple has branched out and included features like calendar and contacts ("Apple iPod - music and more", 2004).
2. The latest versions include photo viewing and a color screen. Additionally with proper configuration,
3. iPod can run Linux and even contain all the necessary information for a computer system to run effectively. This would allow an individual to carry their entire computer around with them and boot it via their iPod attached to any computer.
4. The iPod different of file system for example :uses the Apple HFS+ file system when the device is run with an Apple system and uses the FAT32 file system when used with a Windows PC. configured with a variety of capacities.
5. The iPod uses the standard vCard file format for storing contact information. Calendar entries are stored in the industry standard v Calendar format. Music is stored in a range

Type of consideration when do the investigation on Ipod

Legal Considerations of ipod

When evidence is being prepared for possible submission to court proceedings, it is important for it to be collected in a forensically under the Daubert criteria.

1. First Care must be taken to ensure that evidence collected from an iPod meets these criteria. Because of the iPod’s large capacities and increased functionality,

2. The cyber forensic and law enforcement community should treat it in a similar manner to how they treat a suspect’s hard drive.

3. Suspects could potentially store key evidence on the iPod, and thus, a proper method for handling this type of evidence must be developed. This poses an interesting challenge for the forensic examiner, especially in terms of collection and analysis.

Crime Scene Considerations

It is now necessary to search a physical crime scene and a suspect’s personal effects for iPods or other digital music devices. Some considerations when an iPod is found at a crime scene include:

• The first responder should wait for the advice of a forensics specialist before any evidence is collected.

• Documentation of where the device is in the scene should be taken by photographing its location and anything around it

• The device should be left in its current state, as it is possible that the device could be booby trapped with a delete command set to execute if the device is disconnected from a charger or computer.

Forensic tool for ipod

The tool that use should provide facilities such as acquisition, examination, or reporting

Example tool

Access Data’s Forensic Tool Kit (FTK),

EnCase Forensic Edition,

Blackbag Technologies’ Macintosh Forensic Software (MFS)

Is forensic tool exclusive to Apple Macintosh platform

Introduction of PDA investigation

A PDA is a hand held computing device that combines a multitude of functions and features. These features include things like computing, telephone, fax and Internet.PDA can and most often does contain some form of networking or other form of connectivity .Pda also have reached such a level of power, and functionality they are in essence a mini-computer.

Component of PDA

1.PDAs are oriented toward mobility, they depend on battery power, emphasize wireless connectivity, and use specialized interfaces and media.

2.PDAs typically use volatile memory versus non-volatile memory for user data, such that loss of

battery power results in an immediate loss of data.

3.PDAs normally use different operating systems from desktop computers, which accommodate

mobility aspects such as power management, specialized file systems, automatic file compression,

and execute-in-place programs.

4 .PDAs are always in an active state; when powered off or idle various degrees of hibernation occur to avoid a lengthy delay when powered on again or activity resumes

Type of consideration when do the investigation on PDA

There are four main steps when it comes to performing a forensic investigation of a PDA. These four steps are identified as follows:

Step 1: Examination
understand the potential sources of the evidence, with a PDA these sources can be the device, the device cradle, power supply and any other peripherals or media that the device being examined has came into contact with. In addition to these sources you should also investigate any device that has synchronized with the PDA you are examining.

Step 2: Identification
In the identification step of PDA forensics we start the process by identifying the type of device we are investigating. Once we have identified the device we then have to identify the operating system that the device is using

Step 3: Collection
During this part of our forensic investigation it is imperative that we collect data and potential evidence from the memory devices that are part of or suspected to be part of the PDA we are investigating.

Step 4: Documentation
As with any component in the forensic process, the collect of our information and potential evidence, we need to record all visible data. Our records must document the case number, and the date and time it was collected. Additionally the entire investigation area needs to be photographed. This includes any devices that can be connected to the PDA, or currently are connected to the PDA. Another part of the documentation process is to generate a report that consists of the detailed information that describes the entire forensic process that you are performing. Within this report you need to annotate the state and status of the device in question during your collection process. The final step of the collection process consists of all of the information and storing it in a secure and safe location.

Palm dd (pdd)

Palm dd (pdd) is a Windows-based command line tool that performs a physical acquisition of information from Palm OS devices .Pdd is designed to work with most PDAs running the Palm OS in console mode. During the acquisition stage, a bit-for-bit image of the device’s memory can be obtained. The data retrieved by pdd includes all user applications and databases .

Pilot-Link

Pilot-link is an open source software suite originally developed for the Linux community to allow information to be transferred between Linux hosts and Palm OS devices. It runs on other desktop operating systems besides Linux, including Windows and Mac OS. Unlike pdd, which uses the Palm debugger protocol for acquisition, pilot-link uses the Hotsync protocol. Pilot-link does not provide hash values of the information acquired. A separate step must be carried out with an appropriate utility to obtain them.

POSE

POSE (Palm OS Emulator) is a software program that runs on a desktop computer under a variety of operating systems, and behaves exactly as a Palm OS hardware device, once an appropriate. ROM images can be obtained from the PalmSource Web site or by copying the contents of ROM from an actual device, using pdd, Pilot-Link, or a companion tool provided with the emulator. POSE is limited to Palm OS versions 4.x and below.

PDA Seizure

Paraben’s PDA Seizure is a commercially available forensic software toolkit that allows forensic examiners to acquire and examine information on PDAs for both the Pocket PC (PPC) and Palm OS platforms. PDA Seizure’s features include the ability to acquire a forensic image of Palm OS, Pocket PC, and BlackBerry devices, to perform examiner-defined searches on data contained within acquired files, generate hash values of individual files and to generate a report of the findings. PDA Seizure also provides book-marking capabilities to organize information, along with a graphics library that automatically assembles found images under a single facility, based on the graphics file extension of the acquired files.

EnCase

EnCase is a commercially available forensic software toolkit that provides acquisition of suspect media, search and analytical tools, hash generation of individual files, data capture and documentation features. Although more widely used for examining PCs, EnCase also supports Palm OS devices. Currently, support for Pocket PC is not available, but the ability to import a data dump of Linux-based PDAs exists. EnCase allows for the creation of a complete physical bit-stream image of a Palm OS device. Throughout the process, the integrity of the bit-stream image is continually verified by CRC (Cyclical Redundancy Check) values, which are calculated concurrent to acquisition.

Introduction of BlackBerry Investigation

The BlackBerry is also known as a RIM device. It was software that implementation of proprietary wireless-oriented protocols; furthermore, the device is supported by the RIM BlackBerry Message Center. It is always-on, and participating in some form of wireless push technology. As a result of this the BlackBerry does not require some form of desktop synchronization like the PDA does. Because this unique component of the BlackBerry device adds a different dimension to the process of forensic examination.

Component of BlackBerry

1. Have a OS that numerous capabilities and features. These features include; over the air activation, ability to synchronize contracts and appointments with Microsoft Outlook, a password keeper

2. Integrated wireless modem; this allows the device to communicate over the BellSouth Intelligent Wireless Network

3. Has a couple of transport encryption options. These options are the Triple Des (Data Encryption Standard) or AES (Advanced Encryption Standard.

Type of consideration when do the investigation on BlackBerry

1. First step in preserving the information is to eliminate the ability of the device to receive this data push. If possible you could turn the radio off, or a better solution is to take the device to an area where the signal cannot be received, this possibly can be achieved by putting the device inside of" a filing cabinet drawer, but your mileage will vary here.
2. Acquisition of Information Considerations
   look at the considerations you have to make when acquiring evidence from the Blackberry (RIM) device.
3. Device is in the "off" State
   If the unit is off at the time of acquisition, the investigator needs to take the unit to a shielded location before attempting to switch the unit on. If a shielded location is not readily available, you might have success using a safe or other room that can block the signal well enough to prevent the data push.
4. Device is in the "on" State
   If the device you are examining is in the "on" state then as outlined and detailed above, you need to take the device to a secure location and disable or turnoff the radio before beginning the examination.
5. Evidence Collection
   requiring the investigator to record logs kept on the unit that will be wiped after an image is taken.
6. Unit Control Functions
   The logs are reviewed by using the unit control functions; there are several functions \
7. Imaging and Profiling
   When you are conducting a forensic examination of a BlackBerry (RIM) device we need to conduct imaging and profiling. This is accomplished by extracting the logs from a developed image; acquiring an image of a bit-by-bit

Forensic tool Forensic tool for ipod

1. SDK

The SDK is available from www.blackberry.com and is essential for the forensic examiner when investigating a Blackberry. The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped it can be examined and reviewed using traditional methods with your favorite hex editor or other tool. In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK to match the network and model of the investigated unit.

Conclusion

There are three small scale device that we discussed here with is blackberry ,ipod and pda .Each of device have differnt component and function ,the advantages of this be manipulated by the criminal to stroge all criminal activities without be suspected .There are different type of rule and tool be use to do investigation on this three device that already been discuss on this take from different type of resources that i found

Resources

[1]http://searchstoragechannel.techtarget.com/feature/Introduction-to-the-BlackBerry

[2]http://searchstoragechannel.techtarget.com/tip/PDA-BlackBerry-and-iPod-Forensic-Analysis-Introduction

[3]http://www.forensics.nl/mobile-pda-forensics

[4] iPod Forensics

Christopher V. Marsico Marcus K. Rogers Purdue University Cyber Forensics Lab

Department of Computer Technology Purdue University

[5] An Overview and Analysis of PDA Forensic Tools

Wayne Jansen, Rick Ayers

National Institute of Standards and Technology

Common Mistakes Made During a Computer Forensic

Case Study

A company suspects data on a computer and believes that it will be important to their case. The organization's lawyers subsequently ask the IT technician to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints the data, and saves the data on a CD.

From forensic investigator’s perspective, discuss mistakes that happen in the above scenario.

Introduction

In this case, computers have become an indispensable communications tool for many people and businesses. In this regard, several different applications are used to generate and store important documents. These documents contain vital data to the user and to an investigator, in the event that a crime is committed using that computer. The investigators try to reconstruct the evidence so it can be presented to a court of law, but the investigations have to be done carefully and followed the investigation step in forensic to make sure the evidence can be used in the court , in this case we can see a lot mistake have happen while do the investigation .

The Mistaken that Happen

1. Mistake One

The oanization law ask the IT technician which is can be clasifiated as internal IT

staff to conduct a computer forensics investigation

v In this situation there is information and data but there is no evidence ,because the IT staff is internal and not have the certified in computer forensics and not trained on the evident procedures ,as we know the Chain of Custody have to be maintain and followed others accepted evidence techniques to make evidence can use in court .

v Next is the when to the the collecting the evidence ,it not be done by printing ,and saving the file because the meta data is irrevocably changes .

v Next is the investigator have know the Act of turning on the computer is actually changes the caches ,the temporary file and the slack file space which along with alteration of mate-data seriously damaged and can destroyed the evidence on the computer .But if the damaged actually can be rescue by the computer forensics vendor . In this case the good solution is use the certified external vendor of computer evidence collection.

2. Mistake Two

No being prepared to preserve electronic evidence

v First a company have prepared to preserve electronic evidence at a moment’s notice .In the emerging case law standard is that the duty to preserve electronic evidence begins when the future litigants have a reasonable belief that there may be future litigation. Yet, the majority of corporations do not have a plan in place to respond to a preservation order. Because the failure to preserve electronic evidence can be exceedingly costly to a client and by extension, their external counsel

v Next the external counsel typically does not have the forensics capabilities necessary to preserve electronic evidence. Nevertheless, a qualified computer forensics team working with the external counsel and the client's IT and legal team can help prepare a client to respond to a preservation order. Consequently, even when there is just a “reasonable belief” that there may be litigation, it is a good rule of thumb to consult with your qualified computer forensics vendor on proactive electronic evidence preservation.

3. Mistake Three

Waiting until the last minute to perform a computer forensics exam

v Firstly to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principal of imaging, which creates an exact bit-by-bit copy from electronic media that is protected from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time which can be examined later.

v Compared to forensic examination, the process is relatively simple and inexpensive. Typically, forensic examination cost three to four times more than forensic acquisition.

v A complex forensic examination can be as much as or greater than nine to ten times more expensive than forensic collection.

v A good rule of thumb is that if there is even a slight chance that evidence will be needed, a Quick Analysis or imaging should be completed immediately

4.Mistake Four

Not selecting a qualified computer forensics team

v The first thing to consider is that computer forensics is more than just using programs to collect and analyze evidence. Operators may be certified in the use of a single program only, and are not certified computer forensic investigators. EnCase is a forensic product for the Windows operating system and is an essential and accepted tool for that environment.

v A qualified computer forensics vendor must have the capability to work across platforms and with older legacy systems. This expertise should also enable them to act as expert witnesses on you or your client's behalf.

v The second thing to consider is that your computer forensics expert needs to be a trusted advisor. They must be able to understand the cost trade-offs associated with late-versus-early or narrow-versus-broad forensic collection and analysis. This

v his extends to the ability to provide trusted and accurate advice to a client when they receive a preservation order for electronic evidence.

v Here are 6 questions to consider when choosing a computer forensics firm:

§ Do the follow accepted protocols and procedures?

§ Can they handle the nuances of different systems and hardware?

§ Do they know how to balance the cost of early versus-late-and broad-versus-narrow forensics collection and analysis?

§ Can they advise you and/or your client on discovery and preservation strategies?

§ Have they served as expert witnesses?

§ Who are their references?

§ How many years have they been in business?

§ How quickly can they react?

§ How large of a service area can they help your clients/branches?

§ Do they comply with DOJ practices in their own labs?

5.Mistake Five

Too narrowly limiting the scope of computer forensics

v It often be very difficult to know which systems have evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which e-mail servers were involved? Is there data stored off site or on portable media? One of the most common mistakes, both in investigations and discovery,

v is too narrowly limiting the scope of computer forensics. There are two principle reasons this occurs.

§ First, it is an attempt to limit costs by restricting computer forensics. Second, it occurs because the individuals involved do not fully understand computer systems or forensics, and they do not know where to look for evidence.

Conclusion

Computer forensics tools to trace activities are necessary from a law enforcement perspective however, any data gathered with regard to an investigation must not violate the privacy rights of individuals. More important thing the procedures to conduct the investigation to make sure the evidence valid in court the 5 mistaken in this case study should be avoid because the important aspects of computer forensics and its goal of presenting evidence that is acceptable in a court.

source:http://www.newyorkcomputerforensics.com/learn/common_mistakes.php