
2013

Information Security
and Anti-Forensics

VERSION 3
MISSIONMAN

Page |1

Foreword
Computer security is not just a science but also an art. It is an art because no system can be considered
secure without an examination of how it is to be used. All components must be examined, and you
must know how an attacker approaches a system before you can truly understand how best to defend
yourself. This is where this guide comes in: it exists for the purpose of examining these methods of
attack and the implementation of attack mitigations. You will learn the common techniques used for
attack and how to protect yourself from them. This guide should not be used as an in-depth analysis of
each attack, but as a reference for each of the attacks that exist.


Acknowledgements
RogerNyght
I want to thank RogerNyght for creating the Tails Guide. This amazing guide steps you through the
process of installing and using Tails at home as well as the features that it hosts. Anyone thinking
about using this operating system for true anonymity and security should read that guide in its entirety.
All credits, attributions, and works go to him for this section. Thanks again!

CuriousVendetta, Goodguy, RogerNyght, and All


After writing this guide, it was apparent that there were a bunch of errors littered throughout it.
Thanks to everyone for spending the time going over it and performing a sanity check. It was found that
I am only half as crazy as I thought. Thanks everyone!


Table of Contents

Chapter 1 - The CIA Triad ........ 7
Chapter 2 - Recommendations ........ 8
    2.1. Learn how to chat ........ 10
    2.2. Intro to Tails ........ 12
    2.3. Intro to Whonix ........ 13
Chapter 3 - Encryption ........ 18
    3.1. Encryption Dealing with Confidentiality ........ 19
    3.2. Encrypting Files or the Hard Drive ........ 21
    3.3. Securely Exchanging Messages, Data, and Signing Data ........ 27
    3.4. Steganography ........ 30
    3.5. Authentication Factors ........ 31
    3.6. Password Attacks and Account Recovery Attacks ........ 33
    3.7. Creating Secure Passwords ........ 34
    3.8. Hashing, Hashing Collisions, and Birthday Attacks ........ 34
    3.9. Cold Boot Attacks ........ 36
Chapter 4 - Data ........ 38
    4.1. A Quick Word ........ 39
    4.2. Deleted Data ........ 39
    4.3. Deleting Data Securely ........ 40
    4.4. File Slack ........ 41
    4.5. Alternate Data Streams ........ 43
    4.6. Where to Hide Your Data ........ 45
    4.7. Changing File Headers to Avoid Detection ........ 46
    4.8. Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache ........ 48
    4.9. Temporary Application Files and Recent Files Lists ........ 49
    4.10. Shellbags ........ 55
    4.11. Prefetching and Timestamps ........ 56
    4.12. Event Logs ........ 57
    4.13. Printers, Print Jobs, and Copiers ........ 58
    4.14. Cameras, Pictures, and Metadata ........ 59
    4.15. USB Information ........ 62
    4.16. SSD - Solid State Drives ........ 62
    4.17. Forensic Software Tools ........ 63
Chapter 5 - Continuity ........ 65
    5.1. Security Concerns with Backups ........ 66
    5.2. Security Concerns with Sleep and Hibernation ........ 66
    5.3. Ensuring Information and Service Continuity ........ 67
    5.4. DoS and DDoS Attacks ........ 68
Chapter 6 - System Hardening ........ 72
    6.1. Uninstall Unnecessary Software ........ 73
    6.2. Disable Unnecessary Services ........ 73
    6.3. Disable Unnecessary Accounts ........ 74
    6.4. Update and Patch Windows and Other Applications ........ 75
    6.5. Password Protection ........ 76
Chapter 7 - Antivirus, Keyloggers, Firewalls, DLPs, and HIDs ........ 78
    7.1. Antivirus ........ 79
    7.2. Hardware Keyloggers ........ 80
    7.3. Firewalls ........ 80
    7.4. DLPs ........ 80
    7.5. HIDSs and NIDs ........ 81
    7.6. Other Considerations ........ 81
Chapter 8 - Networks ........ 82
    8.1. Intro to Networking ........ 83
    8.2. Private vs. Public IP Address ........ 86
    8.3. MAC Address ........ 86
    8.4. Public Wireless ........ 87
    8.5. Security Protocols ........ 91
    8.6. Virtual Private Networks ........ 94
    8.7. Chat Sites - How Attackers Attack ........ 99
    8.8. Other Considerations ........ 103
    8.9. Extra: MAC Address Spoofing and ARP Attacks - How They Work ........ 105
Chapter 9 - Web Browser Security ........ 108
    9.1. Downloading and Using the Tor Browser Bundle ........ 109
    9.2. Configuring Web Browsers and Applications to Use Tor ........ 110
    9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care? ........ 112
    9.4. JavaScript ........ 112
    9.5. Cookie Protection and Session Hijacking Attacks ........ 113
    9.6. Caching ........ 114
    9.7. Referers ........ 114
    9.8. CSRF/CSRF Attacks (XSS Attack) ........ 115
    9.9. Protect Browser Settings ........ 115
    9.10. DNS Leaks ........ 116
    9.11. User Awareness, Accidents and System Updates ........ 117
    9.12. Limitations ........ 117
    9.13. Extra ........ 118
Chapter 10 - Tails ........ 119
    10.1.1. Tails concept ........ 120
    10.1.2. Why can't I use another OS / Windows in a VM? ........ 121
    10.2.1. How to choose strong passphrases ........ 121
    10.3.1. Requirements for Tails ........ 122
    10.4.1. First steps ........ 122
    10.4.2. Using Tails as a completely amnesic system ........ 122
    10.4.3. Using Tails with a persistent volume ........ 123
    10.5.1. Encryption of an external drive ........ 123
    10.5.2. How to mount a LUKS-encrypted volume in Windows ........ 123
    10.6.1. Secure deletion of a drive or partition ........ 124
    10.7.1. Using the persistent volume ........ 124
    10.7.2. Storing files on the persistent volume ........ 125
    10.7.3. Firefox bookmark management ........ 125
    10.7.4. The password manager - Passwords and Encryption Keys ........ 126
    10.7.5. Pidgin for IM/Chat/IRC ........ 127
    10.8.1. Installing software: The basics ........ 127
    10.8.2. Recommended software additions ........ 128
    10.8.3. I2P / iMule (not recommended) ........ 130
    10.8.4. TorChat (not working) ........ 130
    10.9.1. File and folder handling in Terminal ........ 130
    10.10.1. General advice ........ 131
Chapter 11 - Standard Acronyms ........ 132
Chapter 12 - Download Links ........ 132


Chapter 1 - The CIA Triad

In this guide I am going to reference a well-known security model that was developed to identify problem
areas and the recommended solutions when dealing with information security. This model is known as
the CIA triad and stands for Confidentiality, Integrity, and Availability. The triad was developed so that people
think about these three aspects of security when implementing security controls. There should be a
balance between the three to ensure the proper use and control of your security solutions.

Confidentiality is, as the word implies, keeping something confidential or secure. In essence, privacy is
security, and confidentiality means that third parties cannot read information they have not been given
access to. Data to think about keeping confidential includes data stored on a computer (temporary data, saved
data, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality
will be the main focus of this guide, as it is most often referred to as the most important aspect of
security.

The I in CIA stands for Integrity and refers specifically to data integrity. Integrity is the act of ensuring
that data is not modified or deleted by parties that are not authorized to do so. It also ensures that, if
the data was changed, an authorized person can detect and undo changes that should not have been made in
the first place. Simply put, if you send a message to someone, you want to make sure that the person does
not receive a message that was altered in transit. Integrity also confirms that you are in fact speaking
to who you think you are speaking to (for example, when you download an add-on from a website, you want
to make sure that you are downloading it from that website and not from an unscrupulous third party).

Finally, the A stands for Availability and ensures that data is available to you when you need it. Not
only does data have to be available to you, it has to be reasonably accessible. There is no point in
security controls if you cannot access the data! This component is a concern, but for the average end user
there is not much that can be done to ensure availability when dealing with web pages, IRC servers, or
anything else managed by a third-party host. For this reason, we will not be discussing Availability in this
guide except for backing up your data.


Chapter 2 - Recommendations

Windows was not built with security in mind and therefore should not be used. Tails is recommended
as it is a live DVD or USB that was created to preserve your anonymity and privacy (Chapter
10). It allows you to browse the internet anonymously and safely, as all applications are
preconfigured to run through Tor. Other uses include encrypting your files, sending and receiving emails
and instant messages, photo editing, document editing, and more. Tails also operates completely in
RAM, so it does not leave a trace on your computer. RAM is Random Access Memory and is wiped when
the machine shuts down. Everything that you want saved is saved in secure, encrypted persistent
storage. Tails link: Here. A step-by-step for installing Tails can be found below. Another distro I would
recommend is Whonix. Whonix is an operating system focused on anonymity, privacy and security. It's
based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are
impossible, and not even malware with root privileges can find out the user's real IP. If you cannot use
Tails or Whonix, or simply do not want to use them, you should at least make sure that Windows is secure.

Windows:

- TrueCrypt - I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that
  all evidence is encrypted, thus allowing you to skip Chapter 4. If you do not want to enable FDE, I
  would create a container and run a Virtual Machine inside the container. Otherwise,
  EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS. (Section 3.2)
- Tor Browser Bundle - This allows you to browse the internet anonymously. Using TBB will also
  allow you to visit .onion sites as well as to join the .onion IRC servers with TBB's instance of Tor.
  (Section 9.1)
- Anti-Virus (AV) and a Firewall - This will keep your computer protected from viruses as well as
  remote intruders (most all-in-one anti-virus software has these features). (Section 7)
- Standard user account - I have decided to move a recommendation from later in this guide up here. One good
  recommendation is to create and use a standard account with no Administrative privileges. This
  way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would
  make sure your username does not contain your full name, as many applications such as Pidgin
  can share this information. Furthermore, make sure that you create a Windows password that
  is difficult to guess or attack, as your computer can be explored over the network using that
  password.
- (Optional) TorChat - TC is a chat application that runs over Tor to provide an anonymous way to
  chat. (Section 2)
- (Optional) IRC Client - An IRC client allows you to enter Tor chat rooms to talk to many
  individuals at one time. You will need one with proxy settings so you can run the client through
  Tor. Make sure NOT to use DCC, as it can expose your IP address. There are several IRC servers
  that run over Tor (.onion addresses) that you can use. They are all logically connected, so
  connecting to one will connect you to all. (Section 2)
- (Optional) GPG - For sharing messages and files back and forth over a common medium, GPG
  ensures confidentiality and integrity. (Section 3.3)

Sample Security Checklist:

- Check authentication
- Check authorization and access control
- Audit your system
- Verify firewalls, proxy settings, and other security controls
- Verify encryption for both public- and private-key encryption
- Check communication encryption, including email, chat, web browsing, and Operating System data
- Update system software, including Anti-Virus software and scanners
- Back up and store sensitive data securely
- Harden your system by removing unnecessary software and services

Things to be mindful of:

- Don't assume that something is secured by another layer or process. Verify that the data is
  secured and that the data being transmitted over the network or the internet is protected from
  attackers. Different levels of sensitivity mean different levels of security.
- Know the limitations of each security product. Each product addresses a specific set of issues
  within a specific context. Make sure to know the differences between the employed solutions
  and how they protect you. For example, using a VPN does not stop anyone from stealing
  your laptop and gathering all your data. Use several layers of security for maximum security.
- Do not rely on authentication at session initiation alone. Use several levels of
  authentication to ensure that the person you are communicating with is who they say they are,
  and vice versa.
- Assume everything you use is insecure and treat everything like a security threat. Build your
  security model based on what you do; security is dynamic, not static.
- Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when things
  go bad. Plan and practice that plan. Good security means nothing if what you do does not
  work.


2.1. Learn how to chat


There are a couple of ways to chat over Tor depending on your wants and needs. In this guide, I will
only be talking about two ways to chat with other people: IRC and TorChat. Using an IRC server allows
you to chat with many people at one time as well as chat with another person in a private chat room.
TorChat, on the other hand, only allows you to chat privately with someone, but it allows you to share
files with another person, whereas IRC does not.

The first way I will describe is how to connect to the Onionnet IRC. The Onionnet is a network of servers
that are connected together to increase redundancy. For those of you who don't know, IRC stands for
Internet Relay Chat and was intended for group communication in discussion forums, called channels,
but it also allows one-to-one communication via private message as well as chat and data transfer,
including file sharing. When using the Onionnet servers, however (as described below), DCC file sharing
is disabled and other security restrictions apply.

Set up IRC Client:

1. Download your IRC client. Personally, I use Pidgin. The link is provided for you:
   http://pidgin.im/. There is a portable version of Pidgin available if you plan on using the client on
   several machines (which is not recommended, as the computer can contain spyware). Also,
   Pidgin allows you to connect to several servers at once in case you get disconnected from
   a server or a netsplit occurs.
2. To create an account, click Accounts followed by Manage Accounts. You can add as many
   accounts as you want; I created a few accounts to connect to the different IRC servers for the
   reason described above.
3. Select Add. Under Basic, your settings should look like this: Protocol: IRC, Username: your
   username, Server: IRC server (listed below), Local alias: your username. Again, you can use
   any of the several Tor IRC servers as they are all connected. Alternatively, you can use one of
   the several IRC relays instead of connecting to the Tor servers directly.
4. Under Advanced, your settings should look like this: Port: 6667, Username: your username.
   In Pidgin, if you do not specify a username under the Advanced settings, your username will be
   exposed: when you enter or leave the chat room, the username appears before the
   hostname. For example, if your ID is TheBest and your username is Bob, then it will appear as
   TheBest [Bob@OnionNet]. If you are trying to use OFTC, replace port 6667 with port
   9999 as seen in the IRC server list below (you can also remove the :9999 below if using Pidgin).
5. Under Proxy, your settings should look like this: Proxy type: SOCKS 5, Host: 127.0.0.1, Port: 9150
   (Tor port). If you are using Privoxy, the port will be 8118.
6. Click Buddies and Join a Chat to join a channel. Add Chat will permanently add the channels to
   the Chats list so you don't have to remember the channel name every time. Right-clicking the
   chat under Chats will give you a host of options. I selected Persistent to receive the messages in
   the chat room even when it is not currently open. You can use /list to get a list of all the
   channels, or /join #room to join a specific room. #security and #public are two good
   channels for asking general questions or questions related to privacy or security.
7. You can use the /msg username command to send a private message to someone, or use the
   /query username command, which will open a new window in both clients for private
   messaging. I would advise looking up the IRC client commands for full functionality. Also, even
   though I recommended disabling DCC, the servers disable the functionality altogether.
8. Lastly, you should know that most, if not all, IRC clients cache your username for functionality.
   Pidgin takes this further by creating logs, by default, for specific channels and for individual users that you chat
   with using private messaging. Under Preferences > Logging, you should disable Log
   all instant messages and Log all chats.
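The proxy and username settings in steps 4 and 5 can be checked outside of Pidgin. The following is an added example (not from this guide, Pidgin, or Tor) that builds the SOCKS5 request an IRC client hands to Tor on 127.0.0.1:9150, passing the .onion name through unresolved so that no DNS lookup for the server ever leaves the machine, and builds the IRC registration so that the ident shown in the hostmask is the nick rather than the local login name. The .onion address in it is a constructed placeholder, and the use of getpass to spot the local account name is this example's own check.

```python
import getpass
import socket
import struct
from typing import Optional

# Tor's SOCKS5 listener, as entered in the Pidgin Proxy tab above.
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9150

# RFC 1928 reply codes; anything but 0x00 means the circuit never reached the server.
_SOCKS5_REPLIES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Version 5, one offered auth method: 0x00 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request that hands the *name* to Tor (ATYP 0x03).

    The hostname is deliberately never resolved on this machine: Tor resolves
    it inside the circuit, which is the only way a .onion name can work and the
    reason no DNS query for the server leaves the host (the "DNS leak" problem).
    """
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 ASCII bytes")
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_socks5_reply(data: bytes) -> str:
    """Translate the proxy's reply header into a human-readable status."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return _SOCKS5_REPLIES.get(data[1], f"unknown reply code {data[1]:#04x}")


def irc_registration(nick: str, ident: Optional[str] = None,
                     realname: Optional[str] = None,
                     local_user: Optional[str] = None) -> bytes:
    """Build the NICK/USER lines sent right after the proxy connects.

    The first USER parameter is the ident shown in your hostmask, i.e. the
    "Bob" in "TheBest [Bob@OnionNet]". Clients that are not told otherwise fill
    it (and often the real name) with the local login name, so both default to
    the nick here and are refused if they match the local account.
    """
    if local_user is None:
        local_user = getpass.getuser()  # this example's own leak check
    ident = ident or nick
    realname = realname or nick
    if local_user in (ident, realname):
        raise ValueError("ident or realname would expose the local account name")
    return f"NICK {nick}\r\nUSER {ident} 0 * :{realname}\r\n".encode("ascii")


def connect_irc_via_tor(onion_host: str, port: int, nick: str,
                        timeout: float = 60.0) -> socket.socket:
    """Open the IRC connection through Tor's SOCKS port and register."""
    sock = socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout)
    sock.sendall(socks5_greeting())
    if sock.recv(2) != b"\x05\x00":
        sock.close()
        raise ConnectionError("Tor did not accept no-auth SOCKS5")
    sock.sendall(socks5_connect_request(onion_host, port))
    status = parse_socks5_reply(sock.recv(10))  # 10 bytes for an IPv4 BND.ADDR
    if status != "succeeded":
        sock.close()
        raise ConnectionError(f"Tor could not reach {onion_host}: {status}")
    sock.sendall(irc_registration(nick))
    return sock


if __name__ == "__main__":
    # Constructed placeholder, not a real server; use one from the list below.
    s = connect_irc_via_tor("exampleonionaddress.onion", 6667, "TheBest")
    print(s.recv(4096).decode("utf-8", "replace"))
    s.close()
```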

IRC Servers:
Here is a list of the Tor IRC servers (note that all servers are linked):

FTW: ftwircdwyhghzw4i.onion
Nissehult: nissehqau52b5kuo.onion
Renko:
OFTC: irc.oftc.net:9999 (NOT ONIONNET; CLEARNET IF NOT CONFIGURED FOR TOR)


The other method I wanted to talk about is using TorChat. TorChat is a peer-to-peer instant
messenger with a completely decentralized design, built on top of Tor's location-hidden services, giving
you extremely strong anonymity while being very easy to use without the need to install or configure
anything. This program is completely portable and can be easily moved, protected, or backed up.
As I said before, TorChat can be used to share data with another person through Tor, as it was built
natively with security in mind.


Set up TorChat:
1. Download TorChat from GitHub, as it is now the official source for the TorChat project. At the
   time of writing this article, the direct link is https://github.com/prof7bit/TorChat. Once the page is
   loaded, click the Downloads button on the right. Select the latest build as denoted by the
   version number. Make sure to download the Windows executable version for Windows, the
   Debian/Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to
   use. If the build is in Alpha, then it is not recommended.
2. The file will be downloaded as a .zip file. Once the file is fully downloaded, open the file and
   extract the contents with your favorite archive file manager. I extracted the file to the default
   location in Windows, which is the Downloads folder. You can move the folder at any time as
   TorChat is portable.
3. Open the TorChat folder, expand the bin folder, and run torchat.exe to start TorChat for the first
   time. Once loaded, you will be provided your TorChat ID (16 characters comprised of
   letters and numbers).
4. To add a contact, just right-click in the white space of the program and click Add Contact.
   Alternatively, you can edit the buddy-list file in the bin directory. Double-clicking a contact will
   initiate a chat (right-clicking and selecting Chat will accomplish the same thing). You can also
   edit and delete a contact by right-clicking the user and selecting the appropriate function.
   Sending a file is as simple as dragging the file into the chat window or right-clicking the
   username and selecting Send file (Windows can only send one file at a time, whereas
   Debian/Ubuntu can send many at one time).
5. If you are upgrading your version of TorChat, then make sure to back up and copy over
   bin\buddy-list.txt, bin\Tor\hidden_service\hostname, and
   bin\Tor\hidden_service\private_key. If you do not copy over the latter two files, you will be
   provided a new TorChat ID.

2.2. Intro to Tails


If you are handling anything sensitive that you don't want found, or if you don't want to leave any trace
on your computer, I recommend you use another Operating System altogether. A good alternative that
was built with security in mind is Tails. Tails was built to route all internet traffic through Tor, to run
completely in RAM, and to save nothing unless explicitly told to. In this section, I will only be talking
about installing Tails on a DVD or USB, as there is another, thorough guide that can be found in section
10.

Installing Tails:
1. Download Tails from the official Tails website. You can either download Tails via the direct link
   or the Torrent, which might be faster. However, the direct link is recommended, as is
   downloading and verifying the Tails signature. The link to the Tails download page is here:
   Here. Under option 2, select the latest release to start downloading. To verify the download,
   use GPG to verify the Tails signature to ensure that your image has not been modified in any
   way.
2. Once downloaded you have a couple of options: you can burn the image to a DVD or a USB (the
   image is too big to fit on a CD). If you burn the image to a DVD-R, an attacker cannot modify the
   contents as the disk is read-only. This also means that you cannot save anything or make any
   permanent changes on the disk. DVD-RW and USB can be written to and re-written to,
   meaning files and settings can be saved in persistent storage. But this comes at a risk, as an
   attacker can maliciously modify Tails.
3. Installing an image to a DVD is easy; all you need is the right software. ISO Image Burner is
   good software for Windows that can do this for you. Macs and computers running Ubuntu can
   burn the image natively. Once your ISO burning program is open, insert the blank DVD into the
   disk drive and burn the Tails ISO image to the blank disk (or a DVD-RW disk).
4. When installing the Tails ISO image onto a USB, it is recommended that you download and
   install Oracle VM VirtualBox and use that virtualization program to boot into Tails. Otherwise,
   you cannot create persistent storage for saving files and settings. Once you successfully boot
   into Tails, you can use the built-in Tails USB installer to install Tails on the USB device.
5. I downloaded and installed VirtualBox from here. Once installed, start VirtualBox and click
   New to create a new VM. Fill out the Name textbox, select Linux for the Type, and select Other
   Linux for the Version. Proceed past the next page, select Do not add a virtual hard drive, and
   click Create. At the top of the Oracle VM VirtualBox Manager click Settings to modify the
   settings of the VM you just created. Select Storage and, next to Controller: IDE, click the little
   disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you just
   downloaded. Under Controller: IDE you should see the image you just selected. Select that
   image and check Live CD/DVD on the right under Attributes. Click OK. Start the VM to
   boot into Tails.
6. At this point you should be asked if you would like to view more options. I am going to kill two
   birds with one stone and cover how to install Tails on a USB as well as what I recommend after
   you install the ISO on the USB. Select Yes on this screen and create an Administrator password
   on the next screen. Under Applications > Tails you can create a persistent volume as well as use
   the Tails USB Installer. When creating a persistent volume, I would select all the applications
   you will use, as well as whether you are going to save any materials.

2.3. Intro to Whonix


Quoting directly from the manufacturer's website: "Whonix is an operating system focused on
anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and
security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out
the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call
Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network.
Only connections through Tor are possible."

Features (from the Whonix website):
Adobe Flash anonymously
Browse The Web Anonymously
Anonymous IRC
Anonymous Publishing
Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
Add a proxy behind Tor (Tor -> proxy)
Based on Debian GNU/Linux.
Based on the Tor anonymity network.
Based on Virtual Box.
Can torify almost any application.
Can torify any operating system
Can torify Windows.
Chat anonymously.
Circumvent Censorship.
DNSSEC over Tor
Encrypted DNS
Full IP/DNS protocol leak protection.
Hide the fact that you are using Tor
Hide the fact you are using Whonix
Hide installed software from ISP
Isolating Proxy
Java anonymously
Javascript anonymously
Location/IP hidden servers
Mixmaster over Tor
Prevents anyone from learning your IP.
Prevents anyone from learning your physical location.
Private obfuscated bridges supported.
Protects your privacy.
Protocol-Leak-Protection and Fingerprinting-Protection
Secure And Distributed Time Synchronization Mechanism
Security by Isolation
Send Anonymous E-mails without registration
Stream isolation to prevent identity correlation through circuit sharing
Virtual Machine Images
VPN/Tunnel Support
Transparent Proxy
Tunnel Freenet through Tor
Tunnel i2p through Tor
Tunnel JonDonym through Tor
Tunnel Proxy through Tor
Tunnel Retroshare through Tor
Tunnel SSH through Tor
Tunnel UDP over Tor
Tunnel VPN through Tor
Tor enforcement
TorChat
Free Software, Libre Software, Open Source
via Optional Configuration
Whonix is produced independently from the Tor (r) anonymity software and carries no guarantee from The
Tor Project about quality, suitability or anything else.

Note: When using Whonix, you will be responsible for three Operating Systems: the Whonix gateway, the
Whonix workstation, and the host machine. Whonix is only intended to run on VirtualBox, so VMware is
not recommended.

Set-up Whonix:
1. First things first: download both the gateway and the workstation from the manufacturer's
website. Download links can be found here
2. You will need to download and install VirtualBox
3. Next step is to import both of the virtual machines into VirtualBox: use VirtualBox to open both
the .ova images (File > Import Appliance)
4. Click Choose and select the Whonix-Gateway.ova from your download folder and press Open
5. Click Next until you reach the Appliance Import Settings. Click Import without changing any of
the settings. Repeat the process for both VMs
6. Now start both virtual machines (gateway followed by the workstation)
7. When you log in for the first time, I recommend changing the passwords:
a. At a terminal enter: sudo su
b. Enter the default password changeme
c. Change the passwords using passwd (for root) and passwd user, on both VMs
8. To learn more about Whonix security and additional functionality, go here:
https://www.whonix.org/wiki/Main_Page

After you have set up both the Whonix workstation and gateway, you can customize them however you
want. Unlike Tails, Whonix is entirely persistent, with a starting size of 50GB. If you need to increase the
size of Whonix, you will need to do it in VirtualBox. I recommend increasing the size before setup rather
than after the fact, as it will be much easier (and safer). Once you are done and want to shut down the
machine, you can use the Shutdown button on the workstation and type sudo poweroff in the gateway.
Another helpful command is sudo arm in the gateway to check the status of Tor; press the N key while
viewing the arm output to force a new identity.

Chat in Whonix (using XChat):

XChat is an IRC client and is recommended as it is already preinstalled and configured for use on
Whonix. The following steps walk you through the process of configuring a username and adding the
onion servers found in the previous chat section (section 1.1).
1. Once XChat is open, click the XChat button on the menu bar
2. Select Network List from the drop-down
3. Fill in the information under User Information. These names are used by default for each
connection and will be visible to everyone
4. Under Networks, click Add to add a server that you will connect to
5. Give this new entry a name. For example, I entered Onion, so I knew it contained all the IRC
servers for OnionnetTest
6. Press the Enter key on your keyboard and select the Edit button in the program
7. Once the Edit page comes up, you will see one default server in the Servers for Test list.
You can select that item and click Edit
8. The format for adding a new server is as follows: serveraddress.onion/port. For example, I
entered this: ftwircdwyhghzw4i.onion/6667
9. Remember, the program has already configured the proxy information, so this is all you need to do.
If you want specific channels to open once you are connected to the server, you can add them
to the Favorites list. You can now close this page
10. Once you are back at the Network List, select the newly created network and press Connect
11. You can use the same IRC commands as in Section 1.1.

Chat in Whonix (using Torchat):

The following instructions were taken directly from the Whonix website.
On Whonix-Gateway
1. Open torrc using this command: sudo nano /etc/tor/torrc
2. Search for:
a. #HiddenServiceDir /var/lib/tor/torchat_service/
b. #HiddenServicePort 11009 192.168.0.11:11009
3. Once found, remove the comment characters from the beginning of each line
4. Save the file
5. Reload Tor using this command: sudo service tor reload
6. Get your onion address
a. First enter this command to become root: sudo su. Enter your password when
prompted
b. Next, open the file that contains your onion address: nano
/var/lib/tor/torchat_service/hostname
7. You can back up your private key in case you need to restore it on another machine: nano
/var/lib/tor/torchat_service/private_key

On Whonix-Workstation
1. Open up the terminal window: Start > Terminal
2. Install Torchat on the machine: sudo apt-get install torchat
3. Open torchat.ini, which is in the hidden folder /home/user/.torchat/torchat.ini. Look for
the following line: own_hostname = <your onion hostname without the .onion ending>
4. Replace it with your onion hostname. For example, if your onion hostname is
idnxcnkne4qt76tg.onion, enter idnxcnkne4qt76tg, so it looks like this: own_hostname
= idnxcnkne4qt76tg

KGPG
Whonix uses KGpg, which is a simple interface for GnuPG, a powerful encryption utility. GnuPG allows
you to encrypt and sign your data and communication, features a versatile key management system, and
includes access modules for all kinds of public key directories. For ease of use, you can import the keys into
KGpg and use the GPG commands found in section 4 for full functionality. To import a public key in
KGpg: open the program and click Import Key from the menu bar. Select the public key you downloaded
and click Open. Once the keys are imported, you can encrypt data using the program (right-click the file
in the Dolphin browser and click Encrypt) or use the command line switches. GnuPG is recommended for
secure communication.

Chapter 3_ Encryption

Encryption is the process of encoding messages (or information) in such a way that eavesdroppers
or hackers cannot read it, but authorized parties can. Using cryptography, three purposes are
fulfilled: confidentiality, integrity, and non-repudiation. Encryption has long been used by militaries
and governments to facilitate secret communication. It is now commonly used in protecting information
within many kinds of civilian systems. Also, many compliance laws require encryption to be used in
businesses to ensure that confidential client data is secured if the device or data is stolen. In this section
I will be talking about using encryption for confidentiality and integrity. Non-repudiation is used, but is
not normally implemented for our purposes.

Topics
This Chapter will cover the following topics:

Encryption Dealing with Confidentiality
Encrypting Files or the Hard Drive
Securely Exchanging Messages or Data
Steganography
Authentication Factors
Password Attacks and Account Recovery Attacks
Creating Secure Passwords
Hashing, Hashing Collisions, and Birthday Attacks
Cold Boot Attacks

3.1. Encryption Dealing with Confidentiality

Computer encryption is based on the science of cryptography, which has been used for as long as humans
have wanted to keep information secret. The earliest forms of encryption were the scytale and the
creation of cipher texts. These forms of cryptography relied on both parties knowing the key or the
correct cipher before the message could be delivered. Here's an example of a typical cipher, with a
grid of letters and their corresponding numbers (each letter is written as its row number followed by
its column number):

      1   2   3   4   5
  1   A   F   L   Q   V
  2   B   G   M   R   W
  3   C   H   N   S   X
  4   D  I/J  O   T   Y
  5   E   K   P   U   Z

Let's say a general wanted to send the message "I love ponies". He would write the series of corresponding
numbers: 42 13 43 15 51 53 43 33 42 51 34. Only a person with this cipher would be able to read the
message. Now obviously, to make the message more difficult to decipher, the letters inside the table
would be arranged differently. Computer encryption uses algorithms to alter plain text information into a
form that is unreadable. Most people believe that AES will be a sufficient encryption standard for a long
time to come: a 128-bit key, for instance, can have more than
300,000,000,000,000,000,000,000,000,000,000,000 key combinations. Today's AES standard is AES
256-bit encryption, which has 2^256 possible combinations.

Done right, encryption protects private or sensitive data by making it difficult for the attacker to uncover
the plaintext. This is the idea of encryption: to make it harder for others to uncover our secrets. The idea
behind it is that whatever amount of expertise and computer time/resources is needed to decrypt the
encrypted data should cost more than the perceived value of the information being decrypted. Knowing
when to use encryption, how it works, and what type of encryption to use depending on the circumstances
will allow you to improve your security and make it harder for an attacker to do his job.

As we said before, there are many reasons for encryption. One purpose of encryption is the act of
transforming data from a state that is readable to a state that cannot be read by a third party that does
not have permission. The result of the process is encrypted information (in cryptography, referred to as
ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as
decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can
implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts
information as well as decrypts it.

There are two types of encryption, used for different purposes: symmetric and asymmetric (public
key encryption). Symmetric encryption is also known as private key encryption or single key
encryption. Symmetric means the encryption and decryption processes mirror each other and use the
same key: I must share the secret passphrase with anyone I want to be able to decrypt my encrypted
data. It is used the most because it is fast, easy to use, and is the most widely needed. You will use this
form of encryption when there is only one password being used (such as in TrueCrypt or another simple
file encryption utility). The problem with this, as stated before, is that it uses only one key, so that key
has to be exchanged between the two people, and the exchange itself is not secure. Asymmetric
encryption fixes that problem by utilizing two keys instead of just one.

Asymmetric (or public key) encryption uses two keys, one key to encrypt information and the other to
decrypt the information. Asymmetric means that encryption with the public key can only be reversed
(decrypted) by using the private key (and vice versa). Although the public key used for encryption is
published and available to anyone, anyone who intercepts a message encrypted with it can't read it
without the private key. This type of encryption is slower, but is more secure when sending confidential
information to someone, signing data, or verifying that a person is who they say they are. If you want to
send me an encrypted message, you must have my public key, and only someone who has access to my
private key (presumably, just me) can decrypt messages encrypted with my public key. So, when Bob wants
to send you a message, his computer encrypts the document with a symmetric key, then encrypts the
symmetric key with your public key. When you receive the data, your computer uses its own private key to
decode the symmetric key. It then uses the symmetric key to decode the document.

[Figure: diagrams of symmetric and asymmetric encryption]

A last word of note when using encryption: make sure that you use open-source encryption programs
such as TrueCrypt, as most companies will hand over the encryption keys to law enforcement. Most
companies use the EnCase Decryption Suite to decrypt a suspect's hard drive or other portable media
device. This list is pulled directly from EnCase and provides a list of built-in keys that can be used to
read media on encrypted devices:

3.2. Encrypting Files or the Hard Drive

You will most commonly want to encrypt files for storage or if you want to upload them to several people
securely. Using your computer is also a security risk if you simply created a Windows password and
stopped your security there. Windows hashes your password and checks that against the password you
enter when logging into the device. In no way does it attempt to encrypt your files, meaning they are all
in the clear just waiting for someone to take them. And even if you use Windows encryption, law
enforcement can just request the keys. Furthermore, many of you think that using a BIOS password is
great for security, which is also not the case. They can be broken as easily as a Windows password can.

There are several programs that run outside of Windows to either remove or crack a password. Removing
the password does just that: removes the password completely. Cracking a password, on the other hand,
allows you to obtain the password instead of removing it. Doing so allows you to log into the device as
the user or, as many people reuse the same password, into several other logins across several systems.

Trinity Rescue Kit (removing a password):

1. Use this link to download TRK: click here. I recommend using the executable, self-burning from
Windows only format to easily burn the image to a CD
2. Once the burning process is complete, keep the CD in the CD tray and reboot your device
3. Boot up from the CD (you might need to google how to do so)
4. When TRK boots up, you will see a bunch of options. Select the first option: Run Trinity Rescue
Kit 3.4 (default mode, with text menu)
5. Press the down arrow until you select: Windows password resetting
6. Press the down arrow again until you reach the desired option. In this example, select the first
option: Reset password on built-in Administrator (default action)
7. When prompted, enter 1 to Clear (blank) user password

I won't get into cracking passwords with Ophcrack as that is an involved process. Ophcrack cracks
passwords using what are called rainbow tables, which are basically lists of precomputed hashes to be
compared against the hashes stored on the machine. These tables come in several forms depending on
the password complexity you are expecting. You will need to download and store these tables so they can
be accessed when you are attempting to attack a device. Also, make sure you have plenty of space on the
hard drive, as they can reach a couple of terabytes of data.

There are a couple of programs that support this type of file and folder encryption and most of you have
probably already heard of them. The programs I am referring to are TrueCrypt and 7-Zip, and they both
provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire hard drive
or to create an encrypted container. 7-Zip, on the other hand, is a program that allows you to create an
encrypted archive. Remember that symmetric file encryption has only one key for the encryption and
decryption process, so you will need to share the key in cleartext if you plan on sharing the files.

Below is an example of a very simple encryption process known as the Caesar cipher:

In this example, as with the fundamentals of the Caesar cipher, all the characters are shifted, usually by 3
characters. If Caesar wanted to say "You will never guess this," for instance, he'd write down "BRXZLOO HYHU
JXHVV WKLV" instead. As you can see, the text is also broken up into even groups in order to make the
size of each word less obvious. You can change the order of the letters and change the number of shifts
per letter to complicate the process for the attacker even further.
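The two classical ciphers of this chapter worked through in code: the 5x5 letter grid from section 3.1 and the Caesar shift above. This is an added example, not code from the guide; it assumes the grid is read as printed (I and J share a cell, and a letter is written as its row number followed by its column number, which reproduces the guide's "I love ponies" encoding), keeps every letter of the shifted text and regroups it in fives, and uses constructed plaintexts. The last function shows why a fixed shift is no real protection: with only 25 possible keys, every one can be tried.

```python
"""Worked version of the two classical ciphers in this chapter: the 5x5
letter grid (a Polybius square) and the Caesar shift.  Added example, not
code from the guide.  Assumptions: the grid is read as printed, I and J
share one cell, and a letter is written as its row number followed by its
column number.  Plaintexts and shifts are constructed for the demo."""

import string

# Row-major copy of the grid printed in the chapter; "I" stands for I and J.
GRID = [
    "AFLQV",
    "BGMRW",
    "CHNSX",
    "DIOTY",
    "EKPUZ",
]


def _grid_coords(grid):
    """Map every letter to its 1-based (row, column) position in the grid."""
    coords = {}
    for r, row in enumerate(grid, start=1):
        for c, letter in enumerate(row, start=1):
            coords[letter] = (r, c)
    coords["J"] = coords["I"]  # shared I/J cell
    return coords


def polybius_encode(plaintext, grid=GRID):
    """Return the space-separated two-digit codes for the letters of
    plaintext.  Spaces and punctuation are dropped, as in the guide."""
    coords = _grid_coords(grid)
    codes = []
    for ch in plaintext.upper():
        if ch in coords:
            r, c = coords[ch]
            codes.append(f"{r}{c}")
    return " ".join(codes)


def polybius_decode(codes, grid=GRID):
    """Inverse of polybius_encode; the shared cell always decodes to 'I'."""
    letters = []
    for code in codes.split():
        r, c = int(code[0]), int(code[1])
        letters.append(grid[r - 1][c - 1])
    return "".join(letters)


def caesar(text, shift, group=5):
    """Shift every letter by `shift` places (Caesar used 3), drop anything
    that is not a letter, and regroup the result into blocks of `group`
    letters so word lengths are not visible.  Pass a negative shift to
    decrypt and group=0 to leave the output ungrouped."""
    letters = [ch for ch in text.upper() if ch in string.ascii_uppercase]
    shifted = "".join(chr((ord(ch) - 65 + shift) % 26 + 65) for ch in letters)
    if group:
        return " ".join(shifted[i:i + group] for i in range(0, len(shifted), group))
    return shifted


def caesar_brute_force(ciphertext, crib):
    """Why a fixed shift is no protection: there are only 25 possible keys,
    so trying each one and looking for an expected word (`crib`) recovers
    the shift immediately.  Returns the shift, or None if the crib never
    appears."""
    for shift in range(1, 26):
        if crib.upper() in caesar(ciphertext, -shift, group=0):
            return shift
    return None


if __name__ == "__main__":
    print(polybius_encode("I love ponies"))     # 42 13 43 15 51 53 43 33 42 51 34
    secret = caesar("You will never guess this", 3)
    print(secret)                               # BRXZL OOQHY HUJXH VVWKL V
    print(caesar(secret, -3, group=0))          # YOUWILLNEVERGUESSTHIS
    print(caesar_brute_force(secret, "guess"))  # 3
```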

Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted
container. When mounted, it will look like another drive on your computer. TrueCrypt containers are
secure, but using them still comes with the risk of leaving your recent files lists, thumbnail files, and other
temporary and cache data exposed. It is recommended that you use TrueCrypt to encrypt the entire
disk for maximum security. The process of encrypting your entire disk is called FDE (Full Disk Encryption).
Furthermore, it is recommended that you use a hidden volume when using TrueCrypt. Investigators
cannot determine whether or not you have a hidden volume in your TrueCrypt container unless you tell
them. One drawback of using FDE with a hidden volume versus FDE without a hidden volume is that
you will have two Operating Systems instead of just one. You can also use TrueCrypt to encrypt portable
drives using the Traveler Disk Setup. For information about using TrueCrypt on SSDs, please reference
SSD Solid State Drives (section 4.10).

Try it out: Create TrueCrypt Container

1. Start TrueCrypt
2. Click on Volumes (menu item) in TrueCrypt
3. Click on Create New Volume... (menu item)
4. Select Create an encrypted file container (radio button) and click Next > (button)
5. Select Hidden TrueCrypt volume (radio button) and click Next > (button)
6. Select Normal mode (radio button) followed by Next > (button)
7. Click Select File... (button)

8. In this step you will specify the name and location of your TrueCrypt container. If you try to
save the file and get an access denied error, try creating the container in your Documents
folder or elsewhere. Choose the location in the Explorer window and specify the File name:
(edit) in Specify Path and File Name [...]. Click Save (button) in the Specify Path and File
Name dialog box
9. Click Next > (button) followed by Next > (button) on the next page
10. In the dropdown, I selected AES (list item) for the Encryption Algorithm. This is the most
secure and provides 256-bit encryption, which is a 32 character password. You can read up on
the other encryption algorithms for further explanation. SHA-512 (list item) was my choice
for the Hash Algorithm. You can also read further on the hashing algorithms. Click Next >
(button)
11. In this step you want to specify the size of the TrueCrypt container. Most likely you will want
to select GB (radio button) to specify that you want the size to be in gigabytes. This is
recommended if you are going to store pictures or videos. In the textbox, enter the total size
that you want the container to be, and not just the size of your Outer Volume. So, if you want
your Outer Volume to be 50GB and your Inner Volume to be 25GB, you will need to enter 75
here. Click Next
12. Enter and re-enter your password for the Outer Volume Password. This is the password that
you will be able to reveal if you are forced to do so. You are allowed to enter a password up
to 64 characters
13. For the Large Files step, I selected Yes so it would format as NTFS; it is up to you though.
Click Next > (button)
14. Once all the settings are set, move your mouse around to add randomness. Click Format (button)
to start formatting the volume. Depending on the size, your hard drive speed and other
factors, this process could take several hours. Once complete, click Next > (button)
15. You will now create your Hidden Volume, or the volume that you do not want others to find.
Select Next > (button) to start the process
16. I used the same settings as before. Click Next > (button) until you are prompted to enter the
Hidden Volume Size. This size is less than the Outer Volume Size and should leave ample
room so you can store enough non-private data in your Outer Volume whilst allowing plenty
of room for private material in this Hidden Volume. Click Next > (button)
17. Create a Hidden Volume Password. This password should be as secure as possible, as this container
will hold your private data. The maximum possible length for a password in this step is also 64
characters. This is the password that you do not want to give out under any circumstances.
The government cannot determine if a hidden container exists, therefore they will not know
that this password even exists. Do not fall victim to social engineering attacks where
someone tricks you into giving them the password.
18. Select Next > (button), choose whether Large Files are going to be used in the next window,
and click Format (button) to finalize the process (again, make sure to move your mouse
around on that step for better security)
19. Open TrueCrypt again and mount the Outer container. To start, I would mount the Outer
Container so we can add some decoy data in there in case you are forced to give the
password. To do this, just select the drive letter, click Select File (button), select the
TrueCrypt file you created in Step 8, and press Mount. Simply put, you will enter the Outer
Volume password or the Hidden Volume password depending on which volume you want to
mount. Make sure when moving decoy data over that it is completely legal and that it
CANNOT be confused for something illegal. Also, make sure it would be something you would
truly want hidden. Porn, data backups, etc. are good ideas. To move the files over to
either of these volumes you will simply open Windows Explorer and navigate to the drive
letter.

Try it out: 7zip

1. If you are in the WinRAR program window, select the file(s) and click the Add button. This is
denoted by an icon of a stack of books with binding around them. Alternatively, you can
right-click the file(s) in the Explorer window and click Add to archive
2. The Archive name and parameters page will open. Please note the size of the file you are
about to upload and the size limit that you are allowed to upload on each site.
3. In the Split to volumes, bytes input field under the General tab, enter the appropriate size of
each archive. For example: if you have a file that is 200MB (or 204800KB) and the file upload
size limit is 50MB, you will enter 50MB in the Split to volumes, bytes input field. In this case
four files will be created, each 50MB apiece.
4. Select the Advanced tab and hit the Set Password button. Enter the password in the first
field and re-enter the password for verification. Remember this password; if it is lost the file
is NOT recoverable. Most people also select Encrypt file names for extra security.

As said before, when using TrueCrypt, as presented in the Try it out section, it is a good idea to use a
hidden container. Here's why. Let's say you have two videos: video A and video B. Video A is of your
pet hamster frolicking around in the fish tank with your precious goldfish named Garry (the fish, not
the hamster). On the other hand, video B is a recording of your grandmother doing the naughty with the
pizza delivery man. Now, I am going to make a sweeping assumption in claiming that you don't mind
other people seeing video A, so it is deemed that the video can be "public" or "not hidden." Video B, on
the other hand, is just plain nasty, and if the pizza delivery man were 12 and you needed to hide that video
at all costs, this video would need to be "private" or "hidden." So, you would stick video A in the container
that you could give the key away to, and video B would go in a container that you would protect at all
costs. If you use the key for video A, you can see video A, and so forth.
So, along the same lines, a hidden container (or a hidden OS) is a hidden, encrypted container that the LEA
cannot prove exists. So, you have two keys: a key for the public container and one for the private container.
You can unlock one or the other at a time, but not both at the same time. So, you can give the LEA the key
that opens up your public container whilst hiding the key for your private container. The LEA cannot
determine whether you have a private hidden OS or a private container. If you use the key for your
non-sensitive container, you will boot into that container.
In essence (when dealing with hidden OSs), think of two Operating Systems on one computer, and you
can choose which one to boot into depending on the password. A hidden OS is hidden, and the LEA cannot
prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding your other
material and use it when you need it. A hidden OS also has all the sensitive data leaks inherent in any
OS, but they stay inside the hidden OS. So, instead of anti-forensic techniques or saying, "oops, I forgot
the password," you can view all sensitive material in the hidden OS and not worry about anything sensitive
being leaked (paging, recent file lists, db files, caching, etc.). Remember this: if you are forced to give the
encryption key, you can do so whilst keeping your hidden container hidden, which is the main advantage
of a hidden container.

You can also use programs such as PGP or GPG (GPG being a free replacement for PGP) to securely encrypt
data or messages. Both programs are mainly intended for asymmetric encryption, but will work for our
purposes. Notice that I said they are used to encrypt data and messages; they cannot be used like
TrueCrypt to encrypt entire drives or partitions, or to create encrypted containers. And, like I said above,
they are subject to the same problem when exchanging the key: the key still must be sent in clear text.

The simplest command line for encrypting a file with GPG (assuming you have GPG installed and
have the command prompt open) is this: gpg -c inputfile.ext. Let's break this down a bit. gpg is the name
of the program, so you are telling the computer to run the program GPG. The -c tells the program
that you want to use the abbreviation for --symmetric. Finally, inputfile.ext (replace ext with the file
extension) tells the program that you want to encrypt the file inputfile.ext on your computer. Now when
you look in the same directory you will see the original file alongside a new file with the same name and
extension, but with .gpg added to the end. So, for example, the new encrypted file name will be inputfile.ext.gpg.

Decrypting a symmetrically encrypted file is as easy as putting the file on your computer and telling
the program to decrypt it. The command line for the decryption process is similar to the encryption
process. To decrypt a file, run GPG with this: gpg --decrypt inputfile.ext.gpg. The
program will then recognize that it used symmetric encryption and will ask for the key to decrypt it. Again,
the key used to encrypt the file is the same key you will now use to decrypt it. You should also know that
when encrypting the file, GPG does nothing to the clear text file. So it is still sitting on your
computer and can be read by anybody who gains access to it. Deleting a file securely will be discussed
later on.

When you originally encrypt the file you will notice that the output looks like a bunch of gibberish. To
combat this, GPG has a command option for ASCII armor output. When GPG encrypts a message without
the ASCII armor option, the result is called binary output. Binary output is machine-readable, but we
cannot make sense of it. ASCII armor ensures that the only characters used are ASCII characters, so they
can be read easily. For example, if I want to encrypt data using the symmetric algorithm with the armor
output, I would enter the command as follows: gpg -ac. The a generates the armor output and the c, as
above, specifies that you want to use the symmetric algorithm. Since no input file is specified, this form
lets you type the message directly at the command prompt. When you are done you will have to enter
an end-of-file sequence. On Windows: press Enter, then ctrl-z, then Enter. On OS X/Linux: press Enter,
then ctrl-d. Pressing ctrl-c (abort) quits GnuPG without executing any command.
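A round trip of the gpg -c, gpg --decrypt and gpg -ac commands described above, driven from Python so that each claim in the text can be checked: the .gpg file name, the clear text file left untouched, the binary versus armored output, and the decryption back to the original. This is an added example, not code from the guide; it assumes a GnuPG 2.1 or later binary named gpg on the PATH (the --batch, --pinentry-mode loopback and --passphrase options stand in for the interactive passphrase prompt), and the passphrase and sample file are constructed.

```python
"""Round trip of the gpg -c, gpg --decrypt and gpg -ac commands from this
section, driven from Python so the results can be inspected.  Added example,
not code from the guide.  Assumes a GnuPG 2.1+ binary called `gpg` on the
PATH; --batch, --pinentry-mode loopback and --passphrase replace the
interactive passphrase prompt the text describes.  The passphrase and the
sample file are constructed for the demonstration."""

import os
import shutil
import subprocess
import tempfile

SAMPLE_TEXT = "meet at the usual place\n"   # constructed sample plaintext


def _gpg(homedir, passphrase, *args):
    """Run gpg non-interactively against a throw-away GNUPGHOME."""
    cmd = ["gpg", "--batch", "--yes", "--quiet", "--homedir", homedir,
           "--pinentry-mode", "loopback", "--passphrase", passphrase, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True)


def gpg_symmetric_roundtrip(passphrase="correct horse battery staple"):
    """Encrypt inputfile.txt with `gpg -c`, decrypt the .gpg file with
    `gpg --decrypt`, and make an armored copy with `gpg -ac`.  Returns a
    dict of observations matching the claims in the text, or None when gpg
    is not installed."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as work:
        home = os.path.join(work, "gnupghome")
        os.mkdir(home, 0o700)
        plain = os.path.join(work, "inputfile.txt")
        with open(plain, "w") as fh:
            fh.write(SAMPLE_TEXT)

        # gpg -c inputfile.ext  ->  inputfile.ext.gpg beside the original
        _gpg(home, passphrase, "-c", plain)
        encrypted = plain + ".gpg"

        # gpg --decrypt inputfile.ext.gpg  (output sent to a separate file)
        recovered = os.path.join(work, "recovered.txt")
        _gpg(home, passphrase, "--output", recovered, "--decrypt", encrypted)

        # gpg -ac with an input file  ->  ASCII-armored inputfile.ext.asc
        _gpg(home, passphrase, "-ac", plain)

        with open(encrypted, "rb") as fh:
            binary = fh.read()
        with open(plain + ".asc") as fh:
            armored = fh.read()
        with open(recovered) as fh:
            recovered_text = fh.read()

        return {
            "ciphertext_name": os.path.basename(encrypted),
            # gpg leaves the clear text file in place; it must be wiped separately
            "plaintext_still_present": os.path.exists(plain),
            "binary_output_not_ascii": any(b > 0x7F for b in binary),
            "armor_first_line": armored.splitlines()[0],
            "decrypts_to_original": recovered_text == SAMPLE_TEXT,
        }


if __name__ == "__main__":
    for key, value in (gpg_symmetric_roundtrip() or {}).items():
        print(f"{key}: {value}")
```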

3.3. Securely Exchanging Messages, Data, and Signing Data

The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data.
But what if you wanted to send a message to somebody? Somehow, you will need to share the key while
reducing the risk of anyone being able to intercept the password and use it to decrypt the data.
Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of
encryption there are two keys used, a public key and a private key. The public key is given to the world
and is used to encrypt data whereas the private key is used to decrypt the data and to verify the data
being received is legitimate. A popular program to securely share data and messages between two people
(using asymmetric encryption) is PGP or GPG (GPG being a free replacement for PGP). For the purposes
of this guide, I will be using GPG, the free replacement for PGP.

First things first: exchange public keys so that someone who wants to send you a message can secure the
data before sending it to you. Assuming that you both have GPG installed on your machines, you can use
the Try it out: create GPG key example to create, export, and exchange your public keys. The public key is
only used to encrypt data, so for an attacker to decrypt data they must have your private key. Once the
initial public key exchange is done, you can securely exchange data. You will also notice that I used
the armor output option so that when I want to exchange my public key via email or forum, it can easily be
copied by the recipient trying to import it. You should only give out your public key, and never your private
key. It is best to keep your key pairs on an encrypted drive. If someone obtains your private key they will
be able to read all encrypted messages intended for you. If compromised, create a new private and public
key pair and give out your new public key. Also note that your key pair comes with an expiration date if
specified. Once the expiration date is reached, people can no longer send you encrypted messages using
that expired public key.

Here is an example of armored GPG output, in this case a public key block (an encrypted message looks
the same, but is wrapped in -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mQINBFAisdkBEADQeOmbSJ5acqwBAxAEKicWg50sPSR0oO0roRsrSziDpnJf+nxC
Y5uUDPOCs/KDHeSv1XIvK0yv5rpesh7lZeIESpJSyBG9IlEl8vQhmt+Bohy53xWs
r5NJIktmeU+whCil8X9SYndc63UrdOoEVlKLApLDrskR91NDbx/YAv/YeNYQO4iB
jP38E0bRliO5yxHENZLdP0PAhksBnC/rYXOiilBHqUFMKZJzaH1flTBjpiawojb1
9jOQPcIQ8eNC3EKl0LkaZs9dzlmF69ore8A3swck+bHnII9dhzmJS09iMc1KQDHb
xjeF3XzvaQzwq6TtZcRyzEpcHtnIBe2w6LNgSEzuEIPKHVLKqDWfzbuAL6/+DPGf
-----END PGP PUBLIC KEY BLOCK-----

When you send or receive a message, key, or signature, include everything, including the
-----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines (the block above is
shortened; a real one runs to many more lines and ends with a checksum line beginning with =). When you
import a public key from another person, you do not need your private key, nor do they need your public
key. The beginning and ending lines differ depending on what the block contains: PUBLIC KEY BLOCK,
MESSAGE, or SIGNATURE. Finally, if you do not use the armor output option, the begin and end lines will
not appear at all, because the output is binary.
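To make the armor format concrete, here is an added example (written for this guide, not code from GnuPG or from the guide's author) that produces and checks the same BEGIN/END wrapping gpg -a creates, including the =XXXX CRC-24 trailer defined in RFC 4880 section 6, and decodes the first packet header of the key block shown above (a version 4 RSA public key packet, 525 bytes long, created in August 2012). Function names, the sample message and the comment header are my own; the only real input is the first line of the key block above.

```python
"""ASCII armor as defined in RFC 4880 section 6: the BEGIN/END lines,
base64 body and '=XXXX' CRC-24 trailer that gpg -a produces, plus a decoder
for the first old-format packet header. Added example, not GnuPG code."""
import base64
import re
import struct

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Old-format packet tags (RFC 4880 4.3) and public-key algorithm ids (9.1)
PACKET_TAGS = {2: "Signature", 5: "Secret-Key", 6: "Public-Key", 8: "Compressed Data",
               9: "Symmetrically Encrypted Data", 11: "Literal Data",
               18: "Sym. Encrypted Integrity Protected Data"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only", 16: "Elgamal", 17: "DSA"}


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 6.1; this is what the '=XXXX' trailer encodes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "MESSAGE", comment: str = "") -> str:
    """Wrap binary OpenPGP data: header line, optional armor headers, blank
    line, 64-column base64 body, '=' + base64(CRC-24), footer line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN PGP {block_type}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


_BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")


def dearmor(text: str):
    """Return (block_type, data, crc_checked). Raises ValueError when the
    BEGIN/END lines are missing or mismatched, or when a CRC-24 trailer is
    present and disagrees with the body (the block was altered in transit)."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    match = _BEGIN.match(lines[0]) if lines else None
    if not match:
        raise ValueError("missing -----BEGIN PGP ...----- line")
    block_type = match.group(1)
    if lines[-1] != f"-----END PGP {block_type}-----":
        raise ValueError("missing or mismatched -----END PGP ...----- line")
    body, crc_line, in_body = [], None, False
    for ln in lines[1:-1]:
        if not in_body:
            if ln == "":
                in_body = True          # blank line ends the armor headers
            elif ":" not in ln:
                in_body = True          # no armor headers at all: already body
                body.append(ln)
            continue                    # otherwise a 'Version: ...' style header
        if ln.startswith("="):
            crc_line = ln[1:]
        elif ln:
            body.append(ln)
    data = base64.b64decode("".join(body), validate=True)
    crc_checked = False
    if crc_line is not None:
        if int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
            raise ValueError("CRC-24 mismatch: armored data was altered")
        crc_checked = True
    return block_type, data, crc_checked


def parse_packet_header(data: bytes) -> dict:
    """Decode the first OpenPGP packet header (RFC 4880 4.2, old format only).
    For a version-4 key packet the creation time and algorithm follow."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:
        raise ValueError("new-format packet header: not handled in this example")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length: not handled in this example")
    nlen = (1, 2, 4)[ltype]
    info = {"tag": tag, "name": PACKET_TAGS.get(tag, "other"),
            "length": int.from_bytes(data[1:1 + nlen], "big")}
    body = 1 + nlen
    if tag in (5, 6) and data[body] == 4:
        version, created, algo = struct.unpack(">BIB", data[body:body + 6])
        info.update(version=version, created=created, algorithm=PUBKEY_ALGOS.get(algo, str(algo)))
    return info
```

The CRC trailer is not a security feature (anyone who alters the block can recompute it); it exists to catch copy-and-paste damage, which is the failure mode ASCII armor is meant to survive. Integrity against a deliberate change comes from the signature inside the packets, not from the armor.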

Now that you have created your own key pair and imported someone else's, you can start encrypting and
decrypting data. You can follow the Try it out Encrypting and decrypting a message/file to learn how to
encrypt and decrypt a file. I will elaborate a little more on how that works. gpg starts the program, and -e
tells it that you want asymmetric (public key) encryption rather than the symmetric encryption (-c) used
before. --output "output file" is the name of the file that will contain the encrypted data. --local-user
"your username" selects which of your own keys signs the message (in this case, you). -r "recipient" names
the person you are sending the data to; GPG encrypts to that person's imported public key. --armor tells
the program to use ASCII armor output, --sign adds your signature to the encrypted message so the
recipient can verify it came from you, and clear.txt is the input file. Given a signed document, you can
either check the signature or check the signature and recover the original document.

Try it out create GPG key:

For Windows (since this is a Windows guide), I recommend downloading and installing Gpg4win. If
you are using Linux you can simply use gpg and stick with the command line. Here is a guide from their
website on how to install the program: http://gpg4win.de/handbuecher/novices_5.html. When
Gpg4win is installed, follow these steps to create your key pair for encryption/decryption (note: the
following instructions create a 4096-bit key, which I recommend. You can create a 2048-bit key
using the Kleopatra program instead):
1. Start the command prompt: Start > Run > cmd > OK. On Windows Vista/7, type cmd in the Search
box. A black box should pop up
2. Type in gpg --gen-key
3. Enter 1 (RSA and RSA) and press Enter
4. The default key size is 2048; I recommend 4096
5. For the expiration, set the value to 0 (the key never expires). If you set the key to expire, you
will need to redistribute your public key when it does, although an expiration date can be extended
later with gpg --edit-key without generating a new key. When it asks for confirmation, enter y
6. Your real name will most likely be your screen name. I will enter missionman here
7. For this step, input an email address. For this I entered my tormail email address
8. Enter a comment if you wish; this step is optional
9. If you wish to change something, now is the time to do it. Everything is correct and I am done,
so I will enter o
10. At this point you should see a popup prompting you for a passphrase. This passphrase protects
your secret key (also referred to as the private key) on disk. Make sure it conforms to the strong
password guidelines
11. Re-enter the passphrase to confirm you entered it correctly
12. You will now want to type a lot of random data in a text program of your choice or move your
mouse around the screen so the key can be generated, until key generation is complete
13. If there are no errors, then you have successfully created your public and private key!
14. Now, to give people your public key (which they use to encrypt data they want to send to
you), type gpg --export -a username > c:\public.key. For example I typed in gpg --export -a
missionman > c:\missionman.key
Try it out Encrypting and decrypting a message/file:
1. First, find the location of your file or save a message to a text document
2. The command to encrypt a file is gpg -e --output "output file" --local-user "your username"
-r "recipient" --armor --sign "filename". For example, I typed in gpg -e --output
C:\encrypted.txt --local-user missionman -r testuser --armor --sign clear.txt. To produce a
separate signature file instead of signing inside the message, use --detach-sign (see the digital
signature example later in this chapter)
3. To decrypt a file you will simply enter gpg -d -o "output file" "input file" (GPG finds the
matching private key by itself; --local-user is only needed if you hold several). For example, I
entered gpg -d --local-user missionman -o C:\decrypted.txt C:\encrypted.txt

A digital signature certifies and timestamps a document. If the document is subsequently modified in any
way, a verification of the signature will fail. A digital signature can serve the same purpose as a handwritten signature with the additional benefit of being tamper-resistant. The GnuPG source distribution,
for example, is signed so that users can verify that the source code has not been modified since it was
packaged.

Creating and verifying signatures uses the public/private keypair in an operation different from
encryption and decryption. A signature is created using the private key of the signer. The signature is
verified using the corresponding public key. For example, Alice would use her own private key to digitally
sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her
submission would use Alice's public key to check the signature to verify that the submission indeed came
from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures
is that it is difficult to deny that you made a digital signature since that would imply your private key had
been compromised.

An example of how to sign a document without encrypting it is as follows: gpg --output doc.sig --sign
doc. Notice that in this example I did not specify which key to sign with; GPG uses your default secret
key. If you hold several keys and need to choose, add --local-user "your username". Given a signed
document, you can either check the signature or check the signature and recover the original document.
To check the signature use the --verify option. To verify the signature and extract the document use the
--decrypt option: the signed document is the input and the recovered document is the output. gpg
--output doc --decrypt doc.sig verifies the signature (using the signer's public key, which you must have
imported) and writes out the original document.

Note that --sign also compresses the document and writes binary output, so the result is not readable as
is. Where it is undesirable to compress the document while signing it, the option --clearsign causes the
document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.
Even so, a signed document has limited usefulness: other users must recover the original document from
the signed version, and even with clearsigned documents, the signed document must be edited to recover
the original. Therefore there is a third method for signing a document that creates a detached signature.
--detach-sign (short form -b) writes the signature to a separate file and leaves the document untouched.

Here is a good site with some of the common commands:


http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html

One final word about signatures is their use to verify packages downloaded from the internet. You will
notice that there are usually two types of verification options: signature files and hash outputs. Verifying
the packages that you download establishes that the package on your computer was not altered during
transit, and, for a signature, that it was produced by whoever holds the vendor's private key. To verify a
package, import the vendor's public key, then use the --verify option on the signature file (and the
package, if the signature is detached) as shown above. Check the vendor's key fingerprint against a
source other than the download site; a key you fetched from the same page as the package proves nothing
if that page was tampered with. Using hash verification, you create a hash of the downloaded file and
compare it to the hash specified by the vendor; this only helps when the published hash comes from a
more trustworthy channel than the download itself. You can read more about hashing below.

3.4. Steganography

Another good way to keep data private is steganography, the act of hiding data within text, graphic files,
or audio files. Unlike encryption, which makes data unreadable but obviously present, steganography
aims to hide that there is a private message inside the medium (photo, document, etc.) at all. Let's say
Bob wants to send private messages to Steve over a public forum read by numerous people. Bob grabs a
picture, puts a hidden message inside, and uploads it to the website. Nobody knows the message is there
except Steve, who saves the picture to his computer and reads the message hidden inside. A forensic
examiner has to look at each individual file to determine whether steganography was used, so with 1000
pictures they have 1000 candidates to go through. They do not do this by eye, however: steganalysis
tools look for the statistical traces embedding leaves behind and for the signatures of known tools, and
an unmodified copy of the original picture found elsewhere gives the game away immediately. Encrypt
the message before hiding it, so that finding it does not also mean reading it.

Using steganography is as easy as downloading the right software from the internet. I started out by
downloading one of the more popular freeware tools out now, F5, then moved to a tool called
SecurEngine, which hides text files within larger text files, and lastly a tool that hides files in MP3s called
MP3Stego. I also tested one commercial steganography product, Steganos Suite. As with all encryption
programs, these tools may contain backdoors and therefore should not be used for data you are trying to
hide from any party that may hold the decryption key.
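The simplest form of the image technique, as an added example written for this guide (not the code of F5, SecurEngine, MP3Stego or any other tool named here): hide a payload in the least significant bit of each pixel of a raw 8-bit grayscale buffer, get it back, and run the chi-square pairs-of-values test an examiner can automate to spot it. The cover here is a constructed buffer whose pixel values are all even, chosen to make the statistic stark; on a real photograph the same test needs a proper chi-square p-value and only catches sequential LSB embedding, which is why F5 scatters its changes with a password-seeded permutation. Function names, the cover and the payload are mine.

```python
"""LSB steganography on a raw grayscale pixel buffer, plus the chi-square
pairs-of-values steganalysis test. Added example for this guide."""
import random


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header then the payload, one bit per pixel LSB,
    most significant bit first, starting at pixel 0 (sequential embedding)."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload too large: capacity is len(cover)//8 - 4 bytes")
    stego = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):
            stego[i * 8 + bit] = (stego[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(stego)


def _read_bytes(pixels: bytes, start_pixel: int, count: int) -> bytes:
    out = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[start_pixel + i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Inverse of embed(); anyone holding the image can do this, there is no key."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("length header implausible: not an LSB payload")
    return _read_bytes(stego, 32, length)


def chi_square_pov(pixels: bytes) -> float:
    """Pairs-of-values statistic (Westfeld and Pfitzmann): LSB embedding with
    roughly balanced bits drives the counts of values 2k and 2k+1 toward
    equality, so the statistic collapses toward zero on a stego image."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2 = 0.0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2.0
        if expected:
            chi2 += (counts[2 * k] - expected) ** 2 / expected
            chi2 += (counts[2 * k + 1] - expected) ** 2 / expected
    return chi2


def looks_embedded(pixels: bytes, threshold: float = 0.25) -> bool:
    """Flag a buffer whose value pairs are far more balanced than the cover was."""
    return chi_square_pov(pixels) / len(pixels) < threshold


def make_cover(size: int = 4096) -> bytes:
    """Constructed cover: a ramp quantised to even values, so every 2k/2k+1
    pair is maximally unbalanced before anything is embedded."""
    return bytes(((i * 37) % 256) & 0xFE for i in range(size))


def make_payload(size: int = 500, seed: int = 1) -> bytes:
    """Constructed stand-in for an encrypted blob (uniformly random bits)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))
```

Two things the code makes visible: extraction needs no secret, so LSB hiding on its own is obscurity rather than protection, and the embedding flattens the even/odd histogram pairs, which is exactly the trace an automated examiner looks for.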

3.5. Authentication Factors

There are several types of authentication factors used when accessing resources, and most of you have
only ever used one of them. In the security field they are referred to as something you know, something
you have, and something you are. A username and password fall into the something you know category,
because you carry them in your mind. Something you have is a physical device such as a smart card or
token. Finally, something you are refers to a fingerprint, an iris scan, or another physical feature.

The idea behind something you know is keeping a secret that only you know, so that knowledge of the
secret distinguishes you from all other individuals, and the authentication system simply needs to check
whether the person claiming to be you knows it. The same idea is used between two or more people to
verify that they are who they claim to be. Proving you know a secret without simply stating it is called
challenge-response authentication; although it is mostly implemented in tokens, it works between people
too.

If you have ever watched the movie The Bourne Ultimatum you have already seen this in action. Halfway
through the movie, one of the characters is presented with a duress challenge: she is asked a question and,
depending on the response, she is either fine or under duress. In the same way, anyone can set up a model
of authentication that moves past a simple password and can convey duress as well as authenticate the
user. In the movie, the challenge word was sparrow, the response under duress was ruby, and the normal
response was Everest.

One popular challenge-response mechanism uses tokens to authenticate the user. These methods are
becoming increasingly popular and are employed by services such as Google; TrueCrypt supports a related
idea with keyfiles, smart cards, and security tokens. Disconnected tokens, such as those deployed by
several online services, have neither a physical nor a logical connection to the client computer. They
typically do not require a special input device, and instead use a built-in screen to display the generated
authentication data, which the user enters manually via a keyboard or keypad. Smart cards, other physical
tokens, and keyfiles also fall under the something you have category. Below is a very simple example of
how a challenge-response mechanism can work.

Challenge-response lookup table used in the example below (each row shifts the alphabet one place
further; the challenge and response characters were highlighted in the original):

A B C D E F G H
B C D E F G H I
C D E F G H I J
D E F G H I J K
E F G H I J K L
F G H I J K L M
G H I J K L M N
H I J K L M N O
I J K L M N O P
J K L M N O P Q
K L M N O P Q R
L M N O P Q R S
M N O P Q R S T
N O P Q R S T U
O P Q R S T U V
P Q R S T U V W

Let's say that you want to log into a system and use a detached token. You will most likely be given a set
of characters to input into the system to verify that you are who you say you are. So, you fire up the
token and request your one-time code. The server that generates the challenge loads the table above and
selects a set of characters from it. In this example, the challenge is the characters H, G, A, I, P, and S
(highlighted in the original table). Your token then generates the response J, I, C, K, R, and U (the letter
two places further along in each case). The server verifies that the response the token created matches
the response the server expects, and only then lets you into the system you were trying to access. The
secret shared by token and server is the rule for turning a challenge into a response; a real token uses a
keyed cryptographic function for that rule rather than a fixed shift.
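The shift table above is a toy. The disconnected tokens Google and similar services issue use the HMAC-based one-time password algorithm (HOTP, RFC 4226) or its time-based variant (TOTP, RFC 6238): the shared secret is a key, the "challenge" is a counter or the current 30-second time slot, and the response is a truncated HMAC. The following is an added example written for this guide, not code from the guide's author or any vendor, showing both the token side (generate a code) and the server side (check it with a small look-ahead window so the two counters can drift, and refuse any counter already used). The secret, user name and window size are assumptions for illustration; the RFC test vectors are used in the checks.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): how a disconnected token and the
verifying server agree on a one-time code. Added example, not vendor code."""
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Token side: HMAC the 8-byte big-endian counter, dynamic-truncate to 31
    bits at the offset given by the last nibble, take it mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """Time-based variant: the counter is the number of `step`-second slots since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class HotpVerifier:
    """Server side. Keeps the next expected counter per user and searches a
    small look-ahead window, so a token whose button was pressed a few times
    without logging in still works, while any counter at or below the last
    accepted one is refused (replay protection). Window size is an assumption."""

    def __init__(self, window: int = 5):
        self.window = window
        self.users = {}          # username -> (secret, next expected counter)

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = (secret, 0)

    def verify(self, user: str, code: str) -> bool:
        if user not in self.users:
            return False
        secret, expected = self.users[user]
        for counter in range(expected, expected + self.window):
            # constant-time comparison so a matching prefix does not leak via timing
            if hmac.compare_digest(hotp(secret, counter), code):
                self.users[user] = (secret, counter + 1)   # resync and burn this counter
                return True
        return False
```

Note what the server must store: the secret itself, not a hash of it, because it has to recompute the HMAC. That is why the secret database behind a token service is a far more valuable target than a password database, and why it should be encrypted at rest and kept off the web-facing host.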

The third authentication type is biometric authentication. It is often described as the best way to
determine that a person is who they say they are, since it measures the person rather than something they
carry or remember, but every biometric has a false-accept and false-reject rate, and unlike a password a
compromised fingerprint cannot be changed. I have pasted a chart comparing biometric types below:

Comparison of Biometric technologies

| Characteristic          | Fingerprints       | Hand Geometry    | Retina    | Iris          | Face                         | Signature           | Voice                 |
| Ease of use             | High               | High             | Low       | Medium        | Medium                       | High                | High                  |
| Error incidence         | Dryness, dirt, age | Hand injury, age | Glasses   | Poor lighting | Lighting, age, glasses, hair | Changing signatures | Noise, colds, weather |
| Accuracy                | High               | High             | Very high | Very high     | High                         | High                | High                  |
| Cost                    | *                  | *                | *         | *             | *                            | *                   | *                     |
| User acceptance         | Medium             | Medium           | Medium    | Medium        | Medium                       | Medium              | High                  |
| Required security level | High               | Medium           | High      | Very high     | Medium                       | Medium              | Medium                |
| Long-term stability     | High               | Medium           | High      | High          | Medium                       | Medium              | Medium                |

* The source table gives no single cost rating; cost depends on too many deployment factors for a simple comparison.

Compiled from NIST publication

Another term that is used is multifactor authentication. Multifactor authentication, as the name implies,
is when the user presents two or more authentication factors, of different types. When you are trying to
access resources (such as opening a TrueCrypt container), the system requires both factors before access
is granted. Combining more than one factor decreases the chance that someone other than you obtains
this access. For this reason, it is recommended as a best security practice when setting up a protected
system.

For most users reading this guide, you will only need to concern yourself with setting up more than one
factor when using TrueCrypt. Most of you use only a password, which is adequate for most scenarios and
is what most people use in general. But a feature of TrueCrypt that most people don't realize is that it
does allow for multifactor authentication. This means that you can set up TrueCrypt to require both a
password and a keyfile (or a keyfile held on a token or smart card) when mounting a volume. The TrueCrypt
documentation on keyfiles, security tokens, and smart cards elaborates further.

To go back to the beginning, I told you that using multiple authentication factors is best practice, but
you might be wondering why. Two or more factors ensure that the protection of your data does not rely
on a single factor alone. For example, let's say you have a machine that is encrypted with TrueCrypt. You
know that the encryption employed by TrueCrypt is strong; however, you created a password that is weak
and easily guessed. This is where multifactor authentication comes in. The attacker might have guessed
your password, but if you also require a keyfile on a token, the attacker must have that token in hand
when mounting the volume in order to get in.

Another method of attack is spyware, a type of malware that attempts to spy on you by recording
everything you do on the computer. Similarly, keyloggers, whether software (a form of spyware) or a small
hardware device plugged in between keyboard and computer, attempt to record everything that you type.
If successful, a keylogger captures your password for use in a later attack. To mitigate this threat, you will
once again rely on multifactor authentication: a captured password is useless without the second factor.
Note that this only holds if the second factor cannot be captured the same way; a keyfile that sits on the
same compromised disk can be copied along with the keystrokes, whereas one on a removable token
cannot. For additional security, check for new hardware devices attached to your computer and make
sure that you use some sort of anti-virus software to mitigate the threat of unwanted software
installations.

3.6. Password Attacks and Account Recovery Attacks

Case: The Sarah Palin email hack occurred on September 16, 2008, during the 2008 United States
presidential election campaign, when the Yahoo! personal email account of vice presidential candidate
Sarah Palin was subjected to unauthorized access. The hacker, David Kernell, had obtained access to
Palin's account by looking up biographical details such as her high school and birthdate and using
Yahoo!'s account recovery for forgotten passwords.

There are several types of password attacks that people perform when trying to decrypt information or
log in as you. These are known as dictionary attacks, brute force attacks, and targeted guessing. A
dictionary attack tries words and common passwords (and variations of them) from a list; creating
complex passwords that are not built from dictionary words helps against it. A brute force attack tries
every combination of characters, and its cost grows exponentially with length, so long passwords help
against it. Targeted guessing uses what the attacker knows about you, so passwords that do not include
your username or any other identifiable information help against it. This is why your password should be
long, complex, and should not include any identifiable information.

Another common attack that people do not usually think of is the account recovery attack, as in the case
above. This is when someone tries to get into your account by resetting your password through your
account recovery questions. For this reason, make sure that the answers to your security questions are
not easily guessed or found; the true answers to questions like "what was your first school" are often a
search away. A good recommendation is to make the answers as complicated as the passwords (they
need not be true answers) while still being something you can remember.

3.7. Creating Secure Passwords

The problem with passwords is they are usually too easy to crack or too hard for the user to remember.
Both of these problems should be considered when creating a new password. Start by creating a password
that is at least 16 characters long. Use as many different types of characters as possible, including
lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous password and never
use the same password for more than one account. Don't use password-storage tools, whether software
or hardware; the concern is that one compromised machine or stolen device then yields every password
at once. If you do use one, protect it with a strong master passphrase and keep its database encrypted,
since that is still better than reusing a weak password across accounts. Make sure that your password
does not include anything identifiable such as names, usernames, pet names, or words in a dictionary.
Lastly, make sure that the password is not too hard for you to remember, so that you don't forget it or
have to write it down or save it. Random passphrases of several unrelated words are one way to get length
without sacrificing memorability.

3.8. Hashing, Hashing Collisions, and Birthday Attacks

Hashing is often lumped in with encryption, but it is not encryption: a hash function produces a fixed-size
output from which the input cannot be recovered (it is one-way), and there is no key and nothing to
decrypt. It is used to ensure that a message or file was not modified from the original copy. Hashing is
also commonly used to help authenticate somebody. For example, many websites store a hashed copy of
your password instead of the password in the clear; done properly, that means a salted, deliberately slow
password hash (bcrypt, scrypt, or PBKDF2), because a plain fast hash of a password can be brute forced at
billions of guesses per second. There are several hashing algorithms and the newer ones are better than
the outdated ones for security purposes: MD5 should no longer be relied on because collisions can be
manufactured for it, and SHA-1 is being phased out. SHA-256 (from the SHA-2 family) is recommended as
of right now when you are checking file or message hashes.

Asymmetric encryption on its own provides the confidentiality already explained; integrity and
authenticity come from the signature, which is why the encryption example above included --sign. When
you successfully decrypt and verify a signed message that another user sent you, you have verified its
integrity. Another way to ensure integrity is to create the hash of a file or a message and let people check
the hash they generate against the hash you gave them. For example, let's say Bob uploads a file for Steve.
Bob uploads the file and publishes its hash (let's say a value of 456) so Steve can make sure that the file
was not changed along the way. After downloading and saving the file, Steve also generates a hash of the
saved file. If Steve gets the same hash, the file was not altered. But if Steve gets a different value (let's say
334), then the file has been changed. Personally, I use HashMyFiles because it is easy to use and is a
standalone program.

Also, you should note that since there are several hash algorithms, you need to specify which one you
want to use when verifying data; an MD5 value will never match a SHA-256 value of the same file. The
newer the algorithm, the better chance you have of avoiding a hash collision. Adding to what we talked
about earlier about asymmetric encryption: when you create a file signature, GPG hashes the file and
signs that hash with your private key. The recipient recomputes the hash of the file they received and uses
your public key to check that the signature matches it. So in essence the process for verifying the contents
is the same as comparing hashes, with the added benefit that the signature also verifies the sender.

Try it out Hashing

1. Download and save this file: http://ocrlwkklxt3ud64u.onion/files/1343933815.txt. If the
file opens in your browser, then save everything to a text file and save it as hash.txt
2. Download the program HashMyFiles and start it when that is complete
3. Click File > Add Files and select hash.txt
4. Record the hash of the file (press F7 on your keyboard). I used MD5 for this test, which is fine
for a demonstration but, as noted above, not for verifying software
5. Compare your hash to the hash I generated before uploading the file
(83a814a08b5edfa57c003415224f8b46)
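Hash verification in practice means checking a vendor's checksum list against a directory of downloads, which is what sha256sum -c does on Linux and what the package verification passage above and the HashMyFiles exercise do by hand. The following is an added example written for this guide (not HashMyFiles or coreutils code) that parses a "<hex digest>  <filename>" list, picks the algorithm from the digest length, hashes each file in chunks so a DVD image does not have to fit in RAM, and reports OK, FAILED or MISSING per file. The file names and contents in demo() are constructed, and one file is altered by a single byte after the list was written.

```python
"""Verify downloads against a vendor checksum list (the sha256sum -c idea).
Added example for this guide; demo() builds its own files in a temp directory."""
import hashlib
import hmac
import os
import tempfile

# hex digest length -> algorithm; MD5 and SHA-1 are accepted for old lists,
# but a match on them is weaker evidence (collisions are practical for MD5).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_HEX = set("0123456789abcdef")


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> list:
    """Parse '<hex>  <name>' lines (GNU coreutils format; a leading '*' marks
    binary mode). Returns (algo, digest, name) tuples; rejects malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not name or not set(digest) <= _HEX:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries.append((algo, digest, name))
    return entries


def verify_files(checksum_text: str, directory: str) -> dict:
    """Map each listed file name to 'OK', 'FAILED' or 'MISSING'."""
    results = {}
    for algo, expected, name in parse_checksum_list(checksum_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        # compare_digest does the same work whether the first or the last byte differs
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo() -> dict:
    """Constructed scenario: a list of three files is published, then one
    file is altered by a single byte and one is never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        tarball, sig = os.path.join(d, "tool-1.0.tar.gz"), os.path.join(d, "tool-1.0.sig")
        with open(tarball, "wb") as f:
            f.write(b"pretend this is a release tarball\n" * 1000)
        with open(sig, "wb") as f:
            f.write(b"pretend this is a detached signature\n")
        listing = "\n".join([
            f"{file_digest(tarball, 'sha256')}  tool-1.0.tar.gz",
            f"{file_digest(sig, 'sha256')}  tool-1.0.sig",
            f"{'0' * 64}  README",
        ])
        with open(sig, "r+b") as f:          # one byte changed after publication
            f.seek(0)
            f.write(b"P")
        return verify_files(listing, d)
```

Remember what a match proves: only that the file you have is the file whose digest appears in the list. If the list was served from the same compromised page as the download, both were changed together, which is why a signed checksum list (or a detached signature on the package) is worth more than a bare hash.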

Another good method of ensuring that a file actually came from someone who claims to have sent it is for
them to digitally sign the message using their private key. What you need to know is that you can digitally
sign a message or file without encrypting it. This is helpful, for example, if you want to share a file
encrypted with a password everybody knows, while still letting them confirm that it came from you.

Try it out Digital Signatures

1. I am assuming that you have already set up GPG and created your private/public key pair
2. Start the command prompt: Start > Run > cmd > OK. On Windows Vista/7, type cmd in the Search
box. A black box should pop up
3. The command to create a detached digital signature is gpg --output "output file" --local-user
"user name" --detach-sign "input file". For example, I typed in gpg --output final.sig --local-user
missionman --detach-sign test.txt
4. To verify a detached signature, type gpg --verify "signature file" "signed file"; both files are
needed because the signature file contains no copy of the data. For example, I typed in gpg --verify
final.sig c:\test.txt

While talking about hashing, I should mention hash collisions. A hash collision occurs when two distinct
messages produce the same hash value. Birthday attacks exploit the fact that among a large number of
randomly generated inputs, a collision between some pair of them becomes likely long before any one
particular value is hit: for a hash with n-bit output, roughly 2^(n/2) attempts suffice rather than 2^n. As
an example, consider the scenario in which a teacher with a class of 30 students asks for everybody's
birthday, to determine whether any two students have the same birthday. Intuitively, this chance may
seem small. If the teacher picked a specific day (say September 16), then the chance that at least one
student was born on that specific day is 1 - (364/365)^30, about 7.9%. However, the probability that at
least one student has the same birthday as any other student is around 70%.
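The birthday figures above, and why they matter for hashes, as an added example written for this guide (not from the original text): the two probabilities for the class of 30, the number of attempts a birthday attack needs against an n-bit hash, and an actual collision search against SHA-256 truncated to 16 bits, which succeeds after a few hundred inputs rather than the 65,536 a "pick a target and hit it" attack would expect. The inputs are constructed counters; the truncation length is the illustrative knob, and the formulas are the standard ones.

```python
"""Birthday-paradox arithmetic and a birthday attack on a truncated hash.
Added example for this guide; inputs are constructed."""
import hashlib
from math import log


def prob_specific_day(n: int, days: int = 365) -> float:
    """P(at least one of n people was born on one chosen day) = 1 - (364/365)^n."""
    return 1.0 - ((days - 1) / days) ** n


def prob_shared_birthday(n: int, days: int = 365) -> float:
    """P(some two of n people share a birthday) = 1 - prod_{k<n} (days-k)/days."""
    all_distinct = 1.0
    for k in range(n):
        all_distinct *= (days - k) / days
    return 1.0 - all_distinct


def attempts_for_collision(bits: int, probability: float = 0.5) -> float:
    """Inputs needed for a collision in a bits-bit hash with the given
    probability: sqrt(2 * 2^bits * ln(1/(1-p))), roughly 2^(bits/2) at p=0.5.
    For SHA-256 that is about 2^128, which is why the hash is safe; for a
    digest truncated to 16 bits it is about 300."""
    return (2.0 * 2.0 ** bits * log(1.0 / (1.0 - probability))) ** 0.5


def truncated_tag(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(msg) as an integer."""
    nbytes = (bits + 7) // 8
    digest = hashlib.sha256(msg).digest()[:nbytes]
    return int.from_bytes(digest, "big") >> (nbytes * 8 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday attack: hash the counters prefix0, prefix1, ... remembering
    every tag seen, and stop at the first repeat. Returns (msg_a, msg_b, attempts)."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        tag = truncated_tag(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1
```

The attack needs memory proportional to the number of attempts (the seen table), which is the usual trade-off; for a real hash the point is not to run it but to size the output, since 2^(bits/2) has to stay out of reach.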

3.9. Cold Boot Attacks

In cryptography, a cold boot attack (or, to a lesser extent, a platform reset attack) is a type of side
channel attack in which an attacker with physical access to a computer retrieves encryption keys from a
running operating system after using a cold reboot to restart the machine. The attack relies on the data
remanence property of DRAM and SRAM: memory contents remain readable for seconds to minutes after
power has been removed. Basically, when a computer is restarted, the encryption keys that the disk
encryption software was using (derived from your password, but not the password itself) may still exist
in RAM and may be recoverable to the extent that they can be used to decrypt your device.

Note: Many forensic investigators carry a can of compressed air with them to a crime scene to freeze the
RAM sticks for further analysis.

To simplify what I just said, cold boot attacks work like this. After you turn off your computer, RAM isn't
automatically erased when it no longer has power. Instead, RAM degrades over time, and even after a few
seconds without power you can still recover a significant amount of data. Researchers (Halderman et al.,
"Lest We Remember", 2008) also found that if you chill the RAM first, using liquid nitrogen or even a can
of compressed air held upside down, you can preserve the RAM state for more than 30 seconds, up to
minutes at a time, more than enough time to remove the RAM physically from a machine and place it in
another computer. Once inside another computer, an investigator can image the data temporarily held in
the RAM and read it.

There are a few ways to mitigate this risk. The best method is to make sure to dismount the volume before
closing the program or shutting the computer down. Most disk encryption programs erase the key from
memory when you do this, so this is the best way to prevent cold boot attacks. Shutting the computer
down cleanly should also ensure that the key is erased from memory; sleep and hibernation do not, since
the volume stays mounted. Another mitigation technique is using a security token or smart card. This can
be fooled, though, if the attacker grabs the key from RAM while it is in use, or simply has the token/smart
card in hand.

I should mention that while cold boot attacks exist, grabbing an encryption key from RAM is not widely
used by many forensic investigators. Until recently, grabbing these keys via RAM was thought of only as
a theory and not actually achievable. However, there is other data that you should be concerned about
with cold boot attacks. Data such as unwritten emails, words in a text document, and pictures can be
recovered from RAM. Even if it is partial data, it can be read and used against you.

If you are interested in obtaining data contained in RAM, there are several programs out there that can
assist you. Most of these commercial programs are not free and do not come with any sort of trial. You
can use these programs after you freeze the RAM and insert it into another machine that hosts the RAM
analyzer, and you can use the same programs to image the RAM on your own machine. The second set of
tools are key-scanning tools, which scan the RAM image you have created for encryption keys. Their names
are pretty self-explanatory: the aeskeyfind tool searches for AES keys, and the rsakeyfind tool searches
for RSA keys. Both were released by the cold boot researchers and are free. Note: AES is a symmetric
cipher and RSA is an asymmetric one.


Chapter 4_ Data

This section will talk about data in general: how it gets stored and what happens when it is deleted.
Furthermore, we will talk about recent file lists and data caching. Knowing how Windows and
other applications handle these files will help eliminate the risks associated with evidence left over
after your session. You will learn how to find and remove this data completely and securely from your
computer. In some instances, you will also learn how to prevent these risks from happening altogether.

Topics
This Chapter will cover the following topics:

Deleted Data
Deleting Data Securely
File Slack
Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache
Temporary Application Files and Recent Files Lists
Event Logs
Printers, Print Jobs, and Copiers
Cameras, Pictures, and Metadata
USB Information
SSD Solid State Drive
Where to Hide Your Data

4.1 A Quick Word

In this section, we will mainly be focusing on NTFS drives. I am not saying that the following information
does not apply to FAT32 drives (or to older Windows versions that use them), just that not ALL of it
applies. Among the improvements in the NTFS file system are increased file size potential (roughly 16TB
versus 4GB for FAT32), increased volume size potential (roughly 256TB versus 2TB for FAT32), and the
recording of Last Accessed times (in Windows NT/2k/XP/2k3, and in Vista/2k8/7 if enabled). In addition,
NTFS uses a data structure called the Master File Table (MFT) and entries called index attributes instead
of a file allocation table (FAT) and folder entries, in order to make the access and organization of data
more efficient.

4.2 Deleted Data

A common misconception that computer users have is that when you delete a file, it is completely
removed from the hard disk. However, you should know that highly sensitive files such as pictures,
passwords, chat logs, and so forth remain on the hard disk. Even after they are deleted from your recycle
bin, they are still located on the hard drive and can be retrieved with the right software. Take for example
when you use WinRAR to extract a file that someone sent you. The program extracts the data to a
temporary file before it reaches its destination on your hard disk; this may lead to a data leak.

Any time that a file is deleted from a hard drive, it is not erased. When you delete a file on NTFS, the
two-byte flags field at offset 22 within the file's MFT record is changed from \x01\x00 (record in use) to
\x00\x00 (record not in use). The operating system uses the MFT records and the directory indexes that
point at them to build the directory tree; once the in-use flag is cleared, the file essentially becomes
invisible to the operating system. The file's data still exists on disk; the operating system is simply free to
write over it and over the MFT record. You should also know that the deleted file's entry is removed from
its parent directory's index, and the file system metadata (i.e., Last Written, Last Accessed, Entry
Modified) for the file's parent folder is updated. It is also possible that the metadata for the deleted file
itself is updated because of how the user interacted with the file in order to delete it (e.g., right-clicking
on the file).

Note: You can change the location where WinRAR extracts the temporary data to. Navigate
to Options > Settings > Paths. You can change the path under Folder for temporary files.
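To show exactly what that flags word at offset 22 looks like, here is an added example written for this guide (not Microsoft or forensic-tool code) that builds a few 1,024-byte MFT FILE records in memory, undoes the update-sequence fixup NTFS applies to every 512-byte sector of a record, reads the in-use and directory flags, and pulls the file name out of the resident $FILE_NAME attribute. The records are constructed (a real $MFT entry carries many more attributes) and the names are invented; the offsets follow the published NTFS on-disk layout.

```python
"""NTFS MFT FILE record parsing: fixup, the flags word at offset 22 that
deletion clears, and the resident $FILE_NAME attribute. Added example for
this guide; the records are constructed in build_record(), not read from disk."""
import struct

RECORD_SIZE = 1024
FLAG_IN_USE = 0x0001        # cleared when the file is deleted
FLAG_DIRECTORY = 0x0002
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def apply_fixup(rec: bytes) -> bytes:
    """NTFS overwrites the last two bytes of every 512-byte sector of a record
    with the update sequence number and keeps the originals in the update
    sequence array; a mismatch means a torn write or corruption."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512
        if out[end - 2:end] != usn:
            raise ValueError(f"update sequence mismatch in sector {i}")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(rec: bytes) -> dict:
    """Header fields plus the name from the first resident $FILE_NAME."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixup(rec)
    seq, links, attr_off, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
    info = {"sequence": seq, "links": links, "in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY), "name": None}
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_FILE_NAME and non_resident == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            nlen, namespace = body[0x40], body[0x41]
            name = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            if info["name"] is None or namespace != 2:     # prefer the long name over the 8.3 one
                info["name"] = name
        off += alen
    return info


def build_record(name: str, in_use: bool = True, directory: bool = False, seq: int = 1) -> bytes:
    """Constructed 1024-byte record: header, one resident $FILE_NAME, end marker,
    then the same fixup NTFS would apply (USN 0x0007, array at offset 0x30)."""
    utf16 = name.encode("utf-16-le")
    body = bytearray(0x42 + len(utf16))
    struct.pack_into("<Q", body, 0, 5 | (5 << 48))        # parent: root directory, record 5 / sequence 5
    body[0x40], body[0x41] = len(name), 1                  # name length, Win32 namespace
    body[0x42:] = utf16
    alen = (0x18 + len(body) + 7) & ~7                     # attribute records are 8-byte aligned
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHHIH", attr, 0, ATTR_FILE_NAME, alen, 0, 0, 0x18, 0, 2, len(body), 0x18)
    attr[0x18:0x18 + len(body)] = body
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    usa_off, attr_off = 0x30, 0x38
    rec[attr_off:attr_off + alen] = attr
    struct.pack_into("<I", rec, attr_off + alen, ATTR_END)
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    struct.pack_into("<HHQHHHHII", rec, 4, usa_off, 3, 0, seq, 1, attr_off, flags,
                     attr_off + alen + 8, RECORD_SIZE)
    rec[usa_off:usa_off + 2] = b"\x07\x00"
    for i in (1, 2):                                       # stash the real bytes, stamp the USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x07\x00"
    return bytes(rec)


def deleted_names(mft: bytes) -> list:
    """Names of records whose in-use flag is clear: files Windows says are
    gone but whose MFT entry (and usually data clusters) are still on disk."""
    names = []
    for off in range(0, len(mft), RECORD_SIZE):
        rec = mft[off:off + RECORD_SIZE]
        if rec[:4] == b"FILE":
            info = parse_record(rec)
            if not info["in_use"]:
                names.append(info["name"])
    return names
```

A recovery tool does little more than deleted_names() at scale: walk $MFT, keep the records with the flag clear, and follow their data runs. Nothing in that walk depends on the file's directory entry, which is why removing the index entry and clearing one bit is not deletion.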

Shadow data is the fringe data that remains on the physical track of storage media after it is deleted,
swept, or scrubbed. A mechanical device called a head is used to write the data, and it is stored
electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are
written consecutively in concentric rings called tracks. However, head alignment is slightly different
each time an attempt is made to erase data, and data remnants sometimes bleed over the edges of the
tracks. This is the reason government agencies have historically required multiple scrubs or physical
destruction: there is no guarantee of complete elimination of fringe, or shadow, data. On modern
high-density drives the track margins are far smaller, and NIST SP 800-88 treats a single complete
overwrite as sufficient for magnetic disks; the multi-pass requirement persists mostly as policy.

The only way that you can permanently delete this data is to overwrite it with special software or wait for
the operating system to overwrite the data. There are files on the hard disk that do not have any pointers
in the file allocation table, so they will eventually be overwritten with something new. Even files that are
fragmented or are partially written over are recoverable and can be used against you. Special software
will overwrite these files securely and immediately. Two recommended tools are CCleaner, which securely
cleans the white space, and Recuva, which erases the actual data left over. As a note, people
suggest that simply defragging a hard drive will overwrite these pointers; this is not true. Drives
formatted using NTFS are especially not affected by this method. This is because of the way NTFS
stores data; it essentially makes defragging the hard drive useless.

Try it out: CCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner
from the internet, as with all programs, you download from the manufacturer's website only.
The link has been provided for you: http://www.piriform.com/ccleaner/download/standard
2. Open CCleaner and press Tools on the left
3. Select Drive Wiper
4. Select Free Space Only in the drop-down box next to Wipe
5. In the security drop-down box, I recommend selecting the complex overwrite
6. Choose the drive letter you wish to clean and press Wipe

4.3 Deleting Data Securely

As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To
prevent data from being recovered you must secure erase (or shred) the data. What special programs do
to securely erase contents from a computer is enumerate through each bit of data and replace it
with a random bit. The shredding method I recommend is 7 passes. This process makes the original bits
unknown, which makes recovery of this data difficult, if not impossible. This can be done with file eraser
programs, or it can be done to the entire drive with bootable software. DBAN is recommended if you are
trying to erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some
programs such as Blancco implement HPA/DCO wiping by default, other tools allow the user to choose
whether or not to wipe HPA/DCO, while other tools are not able to wipe HPA/DCO at all.

HPA stands for Host Protected Area and is a section of the hard drive that is hidden from the operating
system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery system
for the computer. For this reason, the HPA is not a big concern, but you can securely remove data here
nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of today's hard drives.
Similar to the HPA, the DCO can be securely erased in much the same way.

While recovery of information wiped out in this manner is far more difficult, and in many cases impossible,
some recovery techniques exist that specialists can employ to retrieve some of the data. Factors such as
the size of the hard drive, the accuracy of the mechanical system in the drive, the power with which the
information was recorded, and even the length of time the information was left on the drive prior to
wiping all will have an effect on the probabilities for recovery.

Another method is to physically destroy the hard drive to a state that is irreparable. The best method for
this is to open the hard disk and grind the platters to obliterate all data. Another method for hard drives
that use disks is to use an industrial strength magnet to remove the data. Optical disks (CDs, DVDs, etc.)
can be shredded if they are not writable. Also, optical disks can be destroyed by cooking them, which is the
best method for destroying data on optical media. Cooking them, however, is not recommended for
practice or everyday use as they release toxic fumes.

4.4 File Slack

To understand file slack, one first needs to understand how disks are organized at the lowest level. As can
be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further subdivided
into a set of sectors, and a collection of sectors forms a cluster. If you write a 1 KB file to a volume that
has a cluster size of 4 KB, the last 3 KB of the cluster is wasted. This unused space between the logical
end-of-file and the physical end-of-file is known as slack space.


The perhaps somewhat unexpected consequence of this is that the file slack contains whatever data
was on the disk before the cluster was allocated, such as data from previously deleted files. Using file
slack, it would be possible not only to recover previously discarded (and potentially sensitive)
information, but also to effectively hide data. The ability to hide data arises because the operating system
does not modify data within a cluster once it has been allocated. This means that any data that is stored
in the slack is safe (provided the file's size does not change). Using forensic examination software such as
EnCase or FTK, an investigator can recover the data contained in slack space.

To wipe this slack space, I use a program called Eraser, which has utilities to wipe unallocated file space
and disk slack space. I recommend utilizing the 3 pass method to ensure that no shadow data exists after
the process is complete. You will notice after running the program to remove the slack space that the
secret message you just entered is erased.
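The arithmetic above, and the reason the slack keeps old data, as an added Python example (not from the guide, and not how Eraser, EnCase or FTK implement it): it models a 4 KB cluster that held a deleted file, writes a 1 KB file into it the way Windows does (whole sectors, with the tail of the last written sector zero-filled), and then carves what an examiner would find in the remaining sectors. The cluster and sector sizes and the "old" content are constructed for the demonstration; the zero-filling of the final sector is an assumption about modern NTFS behaviour stated here, not something the guide spells out.

```python
"""Added example (not from the guide): a model of why file slack keeps the
previous occupant's bytes. Sizes and the 'old' content are constructed."""

SECTOR_SIZE = 512     # bytes per sector, the unit a disk reads and writes
CLUSTER_SIZE = 4096   # bytes per cluster, the unit the file system allocates


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the logical end of file and the end of its last cluster."""
    if file_size == 0:
        return 0            # an empty file owns no cluster
    return (-file_size) % cluster_size


def write_into_cluster(cluster, data, sector_size=SECTOR_SIZE):
    """Model a file of len(data) bytes landing in a cluster that previously
    belonged to a deleted file. The OS writes whole sectors: the tail of the
    last sector it touches is zero-filled (assumption: modern NTFS behaviour),
    and the sectors after that are never touched, so they keep the old bytes."""
    if len(data) > len(cluster):
        raise ValueError('data does not fit in one cluster')
    sectors_written = -(-len(data) // sector_size)      # ceiling division
    padded = data + b'\x00' * (sectors_written * sector_size - len(data))
    return padded + cluster[len(padded):]


def carve_drive_slack(cluster, logical_size, sector_size=SECTOR_SIZE):
    """What an examiner reads after the last sector the live file used."""
    start = -(-logical_size // sector_size) * sector_size
    return cluster[start:]


def demo():
    """The 1 KB file in a 4 KB cluster from the text, on top of a deleted file."""
    old = (b'OLD SECRET DATA ' * 256)[:CLUSTER_SIZE]   # deleted file that filled the cluster
    cluster = write_into_cluster(old, b'A' * 1024)     # the new 1 KB file
    return slack_size(1024), carve_drive_slack(cluster, 1024)


if __name__ == '__main__':
    slack, leftover = demo()
    print(f'slack: {slack} bytes; first leftover bytes: {leftover[:32]!r}')
```

The carve returns the 3 KB of the old file untouched, which is exactly what a slack-space wipe has to overwrite and what a hex editor shows when the walkthrough below plants a message there.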

Try it out: Hiding data in file slack space

1. Open Microsoft Office and create a .doc file. Enter anything you like.
2. Download and install your favorite hex editor. Hex Workshop is a good one and will fulfill our
purpose for this example.
3. Start the program. I will be covering the steps when using Hex Workshop.
4. Select the file that you just created and load it in the program. The hex output will appear in
the main portion of the screen.
5. Once the file opens, click on Edit/Find to open the Find dialog box.
6. In the Find dialog box, click on the drop-down box next to Type: and select Text String.
Enter part of the text you entered in the first step.
7. On the right side of the screen, navigate to a blank line and remember that position. On the
blank line, type a secret message.
8. Click on File/Save As and save the file as whatever you want (IMPORTANT: save as Word 97-2003 format).
9. Close Hex Workshop and open MS Word.
10. In MS Word, open the new file you just created in Hex Workshop.
11. Confirm that your hidden message is not visible within MS Word.

4.5 Alternate Data Streams

ADSs, or Alternate Data Streams, have been around since the very beginning of the NTFS file system.
The feature was added to support the Macintosh Hierarchical File System (HFS), which uses
resource forks to store icons and other information for a file. However, using ADSs, you can easily hide
data that will go undetected without specialized software or close inspection. This method requires
nothing more than a Windows device that is formatted using NTFS, which is practically every Windows
machine now. It works by appending one file to another whilst hiding the sensitive data from view and
keeping the file size of the original data. You need to know that your hidden file is in no way encrypted.
So, if an attacker knows the file is there, he will be able to read the contents.

A few commands before we get started:

CD - Change Directory (cd \path\to\change\to, cd .. to go up one directory, or cd C:\Absolute\Path)
DIR - List contents of directory (dir to show current folder or dir \folder)
TYPE - Used to view small files
ECHO - Display text or write to a file
START - Starts an executable program

Let's start with the basics, hiding a text file within a text file:

1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd
C:\
3. We are going to create our first text file and write data into it. The command to do that is echo
This file is seen >seen.txt. If you get an Access Denied error, you might need to run cmd as
Administrator or change the directory to your home directory (cd C:\Users\%YourUsername%\
Documents). You can test to see if the file was created and if data was written to it by using
type seen.txt
4. Now we will use a colon as the operator to tell our commands to create or use an ADS. Type:
echo You can't see me>seen.txt:secret.txt
5. To read the file you will want to use the following syntax: type seen.txt:secret.txt
6. Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and
sometimes does not work as we might expect. Since the type command does not understand
the colon operator we will have to use notepad to read the file: notepad seen.txt:secret.txt
7. If it all worked correctly, you should see the contents of secret.txt. You should also note that
the file size did not change when you added the secret.txt file
8. You should also note that you can hide data inside a directory as well. Type md test to create a
directory and cd test to navigate to that directory. Then using the same syntax as above, we will
hide our data by typing this: echo Hide stuff in a directory>:hide.txt
9. You can test to see that the file is hidden by listing all the files in the directory by using the dir
command. To open the file you will just enter notepad :hide.txt

So, now you have successfully hidden two files from view! But that is only the beginning as there are
many more nifty features that can be used on the NTFS system. For the next example, we will be hiding
executable files within a text file that can be run using the start command. This method is actually not
much harder than the method above:

1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd
C:\. Again, you may need to change your directory to your documents folder or something
similar: (cd C:\Users\%YourUsername%\Documents)
3. First, we are going to make a file to write to: echo Test>test.txt. You can check the size of the
text document by typing in dir test.txt
4. Next, we are going to hide an executable in the test.txt file. You can pick any file that you wish
to run. For this example, we will be using notepad: type notepad.exe>test.txt:note.exe. So,
what we just said was copy and rename the program notepad.exe to note.exe and add it to the
text document test.txt. Again, to make sure the file size did not change, you can check the size
of the text document by typing in dir test.txt
5. To run the file, you will type in: start .\test.txt:note.exe


Finally, the last thing we will talk about is hiding videos in ADSs. This method is the same as the above
methods; however, you will need to call the actual video player to play the videos.

1. Open command prompt. Start > Run > type cmd
2. When opened, the directory is C:\Windows\System32. Change this directory to C:\ by typing cd
C:\. Again, you may need to change your directory to your documents folder or something
similar: (cd C:\Users\%YourUsername%\Documents)
3. Make sure that a video exists in the same directory. The command to hide a video inside a text
document is this: type "hello kitty.avi" >"sample.txt:hello kitty.avi". When dealing with files
that include spaces, you always want to use quotes. And obviously, replace the file names with
your own.
4. Now, to play the video, you will need to know the exact path of the video player. Here is a
sample syntax to open the video with Windows Media Player: "C:\Program Files\Windows
Media Player\wmplayer.exe" "sample.txt:hello kitty.avi". This tells Windows to use
wmplayer.exe to play hello kitty.avi that is hidden in sample.txt
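The other side of the walkthroughs above, as an added Python example (not from the guide): on Windows Vista and later, dir /r lists every named stream next to its host file, and this script turns that listing into a report of streams that deserve a look, setting aside Zone.Identifier, the stream Windows itself attaches to downloaded files. The listing embedded here is constructed to match the files created in the three walkthroughs; on a real machine you would pipe the output of dir /r /s into it (on XP, which lacks dir /r, the Sysinternals Streams tool gives an equivalent list).

```python
"""Added example (not from the guide): list alternate data streams from the
output of 'dir /r' and flag the ones an administrator should look at.
The listing below is constructed to match the files made in the walkthrough."""
import re

# A named stream is printed on its own line, without a date, as  size host:stream:$DATA
STREAM_LINE = re.compile(r'^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$')

# Streams Windows writes itself; Zone.Identifier marks files downloaded from the internet
BENIGN_STREAMS = {'Zone.Identifier'}

SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\Users\alice\Documents

02/15/2013  09:12 AM    <DIR>          .
02/15/2013  09:12 AM    <DIR>          ..
02/15/2013  09:14 AM                18 seen.txt
                                    17 seen.txt:secret.txt:$DATA
02/15/2013  09:20 AM                 6 test.txt
                               193,536 test.txt:note.exe:$DATA
02/15/2013  09:30 AM         2,048,000 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
02/15/2013  09:35 AM                 8 sample.txt
                             1,203,456 sample.txt:hello kitty.avi:$DATA
02/15/2013  09:31 AM    <DIR>          test
                                    26 test:hide.txt:$DATA
               4 File(s)      2,048,032 bytes
               3 Dir(s)  40,000,000,000 bytes free
"""


def parse_dir_r(listing):
    """Return (host, stream, size_in_bytes) for every named stream in the listing."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(',', ''))
            streams.append((m.group(2), m.group(3), size))
    return streams


def suspicious_streams(streams):
    """Drop the streams Windows attaches routinely; everything else is worth a look."""
    return [s for s in streams if s[1] not in BENIGN_STREAMS]


def report(listing):
    """One line per suspicious stream, noting when the stream name looks executable."""
    lines = []
    for host, stream, size in suspicious_streams(parse_dir_r(listing)):
        kind = 'executable' if stream.lower().endswith(('.exe', '.dll', '.com', '.bat')) else 'data'
        lines.append(f'{host}:{stream}  {size} bytes  [{kind}]')
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_DIR_R)))
```

The size column is the giveaway the walkthrough relies on being hidden: dir without /r reports test.txt as 6 bytes, while the stream listing shows the 193,536-byte executable attached to it. A directory entry (test) carries streams in the same way, which is why the scan should include folders.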

4.6 Where to Hide Your Data

Location - Information

HPA - Host Protected Area is an area of a hard drive that is not normally visible to an operating
    system and is protected from user activity. To hide data there, you will need to write a program,
    or find a program, to write information there.

MBR - The Master Boot Record only requires a single sector, thereby leaving 62 open sectors for
    hiding data.

Partition slack - File systems store data in blocks, which are made of sectors. If the total number
    of sectors in a partition is not a multiple of the block size, there will be some sectors at the
    end of the partition that cannot be accessed by the operating system using any typical means.

Volume slack - If the partitions on a hard drive do not use up all of the available space, the
    remaining area cannot be accessed by the operating system by conventional means (e.g., through
    Windows Explorer). This wasted space is called volume slack. It is possible to create two or more
    partitions, put some data into them, and then delete one of the partitions. Since deleting the
    partition does not actually delete the data, that data is now hidden.

File slack - This is the unused space between the end-of-file marker and the end of the hard drive
    cluster in which the file is stored.

Unallocated space - Any space in a partition not currently allocated to a particular file cannot be
    accessed by the operating system. Until that space has been allocated to a file, it could contain
    hidden data.

Boot sector in non-bootable partitions - Every partition contains a boot sector, even if that
    partition is not bootable. The boot sectors in non-bootable partitions are available to hide data.

Good blocks marked as bad - It is possible to manipulate the file system metadata that identifies
    bad blocks (e.g., the File Allocation Table in a FAT file system or $BadClus in NTFS) so that
    usable blocks are marked as bad and therefore will no longer be accessed by the operating
    system. Such metadata will produce blocks that can store hidden data.

4.7 Changing File Headers to Avoid Detection

Major forensic software uses two methods for identifying file types: file extensions (.exe, .jpg, .txt) and
file headers (characters at the beginning of the file). A person trying to hide an image might simply
change the extension from .jpg to .zip to try to fool an investigator. Most people will try to open the file,
but they will encounter an error and they will probably move on to the next file. While this method might
work on somebody who doesn't have specialized software to view the header information, it doesn't
fool those who use products such as EnCase. This is because, as I said before, there is another method
to determine the type of file they are reviewing. Yet, if the file extension and the header information
match, they might overlook the file completely as it might not be the file type they are looking for.

When a forensic investigator looks at a file that has a mismatch between the extension and the file
header, he might get suspicious and further investigate the discrepancy. For this reason it is important
to change both the file extension and the header information so that they match. By changing this
information, you can effectively hide whatever it is you are trying to hide. You should note, however, that
if an investigator opens the file with the correct program, he will still be able to view the contents of the
file. For example, you can change a .jpg's extension and header information to .txt, but if the file is
opened in Picture Viewer, you will still be able to see the picture.

First things first: change the file's extension. For this example, we will be changing a .rar to an .exe. So
find a .rar file on your machine and change the extension to .exe. This part is the easiest part and can be
done in only a few seconds:

1. Start Windows Explorer and navigate to the folder that contains the file you wish to hide
2. If you do not see the file extensions, you might have to change a setting to view them. For XP
and 7, you will click Tools > Folder Options > View and uncheck Hide extensions for known file
types
3. Once you can see the file extension, you can now right-click the file and click Rename to change
the file extension

I should also note that, for the first couple of times, until you feel comfortable testing this out on your
own, use a file that you don't want or create a copy of a file to test this on. The next part is to
change the header information of the same file you just changed the extension for. This is done with a
program that you can freely download over the internet. For this example, I am using HxD Hex Editor,
which can be downloaded from here, and modifying a .rar file.

1. Open HxD Hex Editor, click File > Open, select the file, and click Open
2. You will notice that the hex view shows the file header for .rar files is 52 61 72 21 in
hexadecimal and Rar! in ASCII (Figure 1). This is the information you are going to change
3. Click your cursor right before the first hexadecimal character on the left, the 5. Now, when you
start typing, the new characters will replace the existing characters and they will appear red
4. To change the file signature of this RAR archive we simply take the file signature of an
executable file and add it to the start of this file. In this case I will add 4D 5A to the start of the
file (Figure 2)
5. Save the file

Figure 1

Figure 2

This technique will fool the forensics software as it will not return the file when it is looking for .RAR
files. However, even though you change the file type, you may not be able to fool the investigator
depending on what is contained inside the file. Changing .doc or .docx files to .jpegs, for example, might
not be the best idea in the world as they can still see all the text contained within the document. .RAR
files might also reveal the file names inside even though encryption is enabled, if Encrypt file names is not
used.
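As an added Python example (not code from the guide, and not how EnCase or FTK implement it), here is the extension-versus-header comparison described above, together with two further checks an examiner can run that the section does not mention: an MZ header is only credible if the PE signature it points to from offset 0x3C is actually present, and a header that was prepended rather than typed over leaves the old signature a few bytes in. The signature table covers common types at offset 0, and every sample file in the test is a constructed byte string.

```python
"""Added example (not from the guide, nor from EnCase/FTK): the kind of
extension-versus-header check a forensic tool performs, plus two follow-up
checks that catch a patched header. Sample files are constructed bytes."""
import struct

# File signatures ("magic numbers") for common types; all sit at offset 0.
SIGNATURES = {
    'rar': [b'Rar!\x1a\x07\x00', b'Rar!\x1a\x07\x01\x00'],   # RAR 1.5-4.x, RAR 5
    'exe': [b'MZ'],
    'dll': [b'MZ'],
    'jpg': [b'\xff\xd8\xff'],
    'jpeg': [b'\xff\xd8\xff'],
    'png': [b'\x89PNG\r\n\x1a\n'],
    'gif': [b'GIF87a', b'GIF89a'],
    'pdf': [b'%PDF-'],
    'zip': [b'PK\x03\x04'],
    'docx': [b'PK\x03\x04'],
    'doc': [b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'],
    '7z': [b'7z\xbc\xaf\x27\x1c'],
}


def identify_by_header(data):
    """Return the set of extensions whose signature matches the start of data."""
    return {ext for ext, sigs in SIGNATURES.items() if any(data.startswith(s) for s in sigs)}


def looks_like_pe(data):
    """An MZ stub alone is not an executable: a real PE file points from offset
    0x3C (e_lfanew) to a 'PE\\0\\0' signature. A RAR whose first two bytes were
    typed over with 4D 5A fails this check."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew, = struct.unpack_from('<I', data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def scan_for_embedded_magic(data, window=64):
    """Find known signatures that start a few bytes in, which is what is left
    when a new header is inserted in front of the old one instead of over it."""
    hits = set()
    for off in range(1, min(window, len(data))):
        for ext, sigs in SIGNATURES.items():
            if any(data.startswith(s, off) for s in sigs):
                hits.add((off, ext))
    return sorted(hits)


def check_file(filename, data):
    """Classify a file as 'match', 'mismatch', 'forged-header' or 'unknown'."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    header_types = identify_by_header(data)
    if not header_types:
        return 'unknown'            # no known signature; needs manual review
    if ext not in header_types:
        return 'mismatch'           # the case the guide says gets flagged
    if ext in ('exe', 'dll') and not looks_like_pe(data):
        return 'forged-header'      # MZ typed over something else
    return 'match'


def analyze(filename, data):
    """Full verdict plus the evidence an examiner would want in the report."""
    return {
        'file': filename,
        'verdict': check_file(filename, data),
        'header_says': sorted(identify_by_header(data)),
        'embedded': scan_for_embedded_magic(data),
    }


if __name__ == '__main__':
    rar = b'Rar!\x1a\x07\x00' + b'\x00' * 64          # constructed RAR-like sample
    print(analyze('archive.exe', b'MZ' + rar[2:]))    # header typed over: forged-header
    print(analyze('archive.exe', b'MZ' + rar))        # header inserted: old magic at offset 2
```

The verdicts show why the paragraph's caveat holds: patching two bytes satisfies a signature match but not a structural one, so a reviewer who opens the "executable" or runs a PE check is not fooled, and inserting the new header instead of overwriting it leaves the RAR magic two bytes in.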


4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache

A swap file allows an operating system to use hard disk space to simulate extra memory. When the system
runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk to free up
memory for other programs. Then when you go back to the swapped out program, it changes places with
another program in RAM. This feature ensures that Windows is usable when memory runs out. Even
though this feature is helpful, sensitive information might be contained within the swap space that could
incriminate you.

Let's say you download sensitive material and, after you are done with it, you delete it securely. If you
ran out of memory (RAM), the temporary data might have been saved to swap space, thereby rendering
your method of removing the file useless. The best way to attack this problem is to disable paging
altogether while viewing sensitive information. If you are using applications that use large amounts of
memory, you can turn paging back on during your session.

Try it out: Disable paging

1. Open the Start Menu and go to Control Panel
2. Click on the System icon
3. Select the Advanced tab
4. Under Performance, click Settings
5. Go to Advanced
6. Under Virtual Memory, click Change
7. Select No Paging File and then click Set
8. Click OK in all the menus
9. Restart
10. To enable paging again, simply select Automatically manage paging file size for all drives

ReadyBoost is another caching feature introduced in Windows Vista and continued with Windows 7.
It works by using flash memory (a USB flash drive, SD card, CompactFlash or any kind of portable flash
mass storage system) as a cache. Data that is written to the removable drive is encrypted using AES with a
128-bit key before being written to the drive. This means that an examiner who recovers the drive with the
ReadyBoost information will find it difficult to decipher this data.

Another way that Windows operates under the surface is when creating temporary internet files.
Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is
used by Internet Explorer and other web browsers to cache pages and other multimedia content, such as
video and audio files, from websites visited by the user. This allows such websites to load more quickly
the next time they are visited. Not only do web browsers access the directory to read or write, but so do
Windows Explorer and Windows Desktop Search.

You can see how this is a problem if you ever want to download (or view) pictures or files that contain
sensitive material. Furthermore, other applications might use temporary files when handling content.
For example, when I talked about WinRAR earlier, I explained that when you unpack data from an archive,
the program creates a temporary file on your file system before it is moved to its destination. The only
way around this (excluding internet cache) is to periodically wipe slack data as stated before. When
dealing with internet data, you should be concerned with deleting internet cache and cookies. You should
also know that even if you use Private Browsing mode in any of the popular Internet browsers,
temporary internet files might still exist on the hard drive. Always perform checks, even when using this
mode.

Try it out: Delete internet cache

1. Start Firefox
2. Click Tools (if you do not see the menu-bar press the Alt key on your keyboard. The menu-bar
should appear.)
3. Click Options
4. Click Privacy
5. Select TorBrowser will: Use custom settings for history and check Clear history when
TorBrowser closes

4.9 Temporary Application Files and Recent Files Lists

Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file is
recorded by Windows. This feature was introduced into Windows and other applications to make those
applications more user friendly by allowing easy access to recently used files. In much the same way, some
applications create a cache that is stored on your computer so the application can run faster the next time
it is loaded or a specific project is being worked on.

Recent file lists and application caching do make the experience more friendly, but they also add security
risks. If, for example, someone takes a video and loads it into video editing software, the software
might take pieces of the video and save them to the hard drive for fast access. The same goes for viewing
videos/images that are sensitive by nature. Whoever is looking at the recent files list for your computer
will know what the names of the files are as well as possibly the location of those files.


First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures
that are loaded for every file in Windows Explorer as a little preview of sorts. A thumbnail cache is used
to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of
thumbnails as these smaller images do not need to be recalculated every time the user views the folder.
You can see where this is a problem when you open a folder containing sensitive pictures or videos.
Thumbnail caches are stored in thumbs.db files and the locations will vary depending on the operating
system. In Windows XP, the thumbs.db files will be stored in every folder.

Windows 7 and Vista save all the thumbnails in a central location. The cache is stored at
%userprofile%\AppData\Local\Microsoft\Windows\Explorer as a number of files with the label
thumbcache_xxx.db (numbered by size), as well as an index used to find thumbnails in each database. This
makes it easier for us to locate and remove the caches of these thumbnails. You can use CCleaner to
remove the existing cache. I recommend using this page to enable/disable thumbnail caching. Click here

Try it out: View thumbnail cache

1. Download Thumbcache Viewer from here
2. Start the program and press File > Open
3. Locate your thumb files, select them, and press Open
4. The images that were cached will populate in the listbox. Select a file to view the image preview

Try it out: Delete thumbnail cache using CCleaner

1. Open CCleaner
2. Make sure Thumbnail Cache under Windows Explorer is checked
3. You can set all security settings in the Options > Settings menu
4. Click Run CCleaner


Another feature of Windows and several applications is recent files lists. There are several locations
where these lists can appear, yet there are only two ways they are saved: in the registry or as a file.
Windows XP saves file names in the registry and in a centralized location in Windows Explorer, whereas
Windows 7 introduces yet another list known as a jump list, which can also be cleaned by using CCleaner.
The jump list location can be found here:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations.

Try it out: Disable jump lists

1. Right-click the Start Menu and click Properties
2. Expand the Start Menu tab
3. Uncheck Store and display recently opened items in the Start menu and the taskbar
4. Click OK

To read the data contained within the jump list data files, you can use the JumpListsView program found
here.

CCleaner erases most (if not all) of the recent file lists for Windows as well as those of a few other
applications. Listed below are common locations where these recent file lists and application caches can
be found (I would look into winapp2.ini, an add-on for CCleaner, for more locations):


Registry (all are in HKEY_CURRENT_USER):

(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
(Windows) Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
(Windows) Software\Microsoft\MediaPlayer\Player
(Windows) Software\Microsoft\Internet Explorer\TypedURLs
(Media Player Classic) Software\Gabest\Media Player Classic\Recent File List
(Media Player Classic) Software\Gabest\Media Player Classic\Settings

Files:

(Recent file list) %appdata%\Microsoft\Windows\Recent
(Jump list) C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
(Temp data Vista/7) C:\Users\<user name>\AppData\Local\Temp
(Temp data XP) C:\Documents and Settings\<user name>\Local Settings\temp

Try it out: Setting up CCleaner

1. Download and install CCleaner to your machine. Make sure when you download CCleaner
from the internet, as with all programs, you download from the manufacturer's website only.
The link has been provided for you: http://www.piriform.com/ccleaner/download/standard
2. Once the program is open, click the Options button on the left hand side of the window
3. Next, click on Settings
4. Make sure that Secure file deletion (Slower) is checked, Complex Overwrite (7 passes) is
selected in the dropdown box, and Wipe MFT Free Space is checked. Very Complex Overwrite
can be selected instead of Complex Overwrite. Complex Overwrite is the minimum you
should choose
5. Click Cleaner on the left
6. Make sure all the items are checked under Windows Explorer

Another thing I do is set CCleaner to perform a clean whenever I log into the machine and every hour
thereafter. Cleaning your computer automatically will help with managing this program as you will not
have to remember to manually run the program every so often. One drawback with this method, however,
is that if an application is using temporary data that is erased by CCleaner, the application might
perform incorrectly or stop working altogether.

Note: Other applications include PrivaZer for Windows and BleachBit for Linux.


Try it out: Setting up CCleaner to automatically run (Windows Vista/7)

1. Start CCleaner and select Options on the left
2. Check Save all settings to INI file under the Advanced tab
3. Open the Start Menu and enter Task Scheduler into the search box
4. Click on the Action header in the menu bar and select Create Basic Task
5. Follow the steps of the wizard to create the task. In the first window, name the task and give
it a description to help you remember what it is later
6. On the next page, select how often you want this to run. I checked the When I log on check
box
7. Select the option labeled Start a program on the next page
8. Hit Browse and navigate to the directory you installed CCleaner to. Add /AUTO to the text
field labeled Add arguments
9. Click Finish

Finally, those of you who switched to Windows 8 should know about the app data. Windows 8, for
starters, has made significant strides over Windows 7 with respect to the interface. They have added the
Metro interface, which hosts a plethora of apps that can possibly leak important data. Two such apps are
Windows Photos and Windows Video. When viewing a photo or video, you can immediately see that
the photo or video capture is cached, as they are still apparent even after the material is deleted. Obviously,
you can see the glaring issue with this when it concerns security.

I have not done much research on the matter, so I am going to be brief. For starters, all your apps are
located in your appdata folder. Specifically, the folder paths are as follows (per user settings):

Location of all your apps: C:\Users\Username\AppData\Local\Packages

Windows Photos: C:\Users\Username\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\LocalState

When the app is closed the cached images no longer appear on the Metro interface. Furthermore, the
cached images don't appear when you open the app again. I did some more investigating into Windows
Photos and noticed that several files get increasingly larger after I view images in the Windows Photos
app, even after the app is closed.

Specifically, those files are Microsoft.WindowsLive.ModernPhotos.etl,
Microsoft.WindowsLive.ModernPhotosLast.etl, and ModernPhoto.edb.
Other files exist that show the last 5 images that were cycled through on the Windows Photos Metro app.
These files are LargeTile1 (through 5) and SmallTile1 (through 5). The latter files should not be an issue
unless they contain sensitive images.

I cannot read what is actually contained within the files themselves, but I can be reasonably sure that, as
with everything Windows, image previews are being cached and stored to limit I/O usage and speed up the
loading process. That said, it is recommended that you delete these files securely if you accidentally or
purposely open pictures using the Windows Photos app (and it is going to happen, trust me). To do
this you should close the Photos app (from the gesture on the left side or the task manager) and securely
erase those files using a program of choice.

When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail
profile you used when logging into Windows 8, that name will be automatically embedded as metadata
in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading
anything sensitive. If you use Bing, which is the default search provider and is included pre-installed as an
app, you should know that Bing creates a separate web history of its own and stores the data over the
internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS,
which is not used on Windows 8 devices but rather with Windows Server 2012 (Windows Server
8). Also, with the advent of Office 2013, the default location where documents will be saved is Windows
SkyDrive; so you can see how that might be a security concern if you save something sensitive without
looking. Concerning content saved to Windows SkyDrive, here is part of Microsoft's TOA:

You will not upload, post, transmit, transfer, distribute, or facilitate distribution of any
content (including text, images, sound, video, data, information or software) or
otherwise use the service in a way that:
1. depicts nudity of any sort, including full or partial human nudity, or nudity in
nonhuman forms such as cartoons, fantasy art or manga.
2. incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred,
bigotry, racism, or gratuitous violence.

So, they scan your documents (and pictures) for anything that violates the TOA, and if they find anything,
you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 accounts will have
to be re-created, and your Xbox Live and SkyDrive accounts will be disabled as well. They also actively scan for
child pornography, so make sure you don't accidentally save to a SkyDrive account either. This seems like
a huge invasion of privacy, digging deep within all your documents and pictures (even if it is automatic),
and the repercussions can be immense.

4.10 Shellbags
When you open a folder in Windows Explorer and customize the GUI display, Windows uses the Shellbag
keys to store user preferences. Everything from visible columns to display mode (icons, details, list, etc.)
to sort order is tracked. If you have ever made changes to a folder and returned to that folder to find
your new preferences intact, then you have seen Shellbags in action. In the paper "Using shellbag
information to reconstruct user activities", the authors write that "Shellbag information is available only
for folders that have been opened and closed in Windows Explorer at least once." So basically, if you
visit that folder, a shellbag is created.

Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder
was first visited or last updated (and correlate with the embedded folder MAC times also stored by the
key). In some cases, historical file listings are available. This means that even if you dismount a drive
(let's say you are only using a TrueCrypt container) or delete a folder, the folders that you opened will
still be recorded. Normally, this would not be an issue because just the folder names are recorded here,
but if you name your folder after something sensitive and the name alludes to criminal activity, you
will be in trouble.
Registry Keys

Windows uses the following Registry keys to save the folder information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
(Only in Windows Vista)

If you are curious as to what forensic data can be found by using shellbags, a good program to view
all of the shellbags is Shellbag Analyzer, which can be found here. You can also remove the shellbags that
contain sensitive information that you do not wish to be found.

To disable them altogether you can do this:

Navigate here in the Registry (if you do not know what you are doing, then I DO NOT RECOMMEND
THIS): [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell]

Left-click on the Shell key and look in the right pane; if you can see BagMRU Size then there is no need to
undertake this step. If it isn't there, however, right-click and select New > DWORD (32-bit) Value and name
it BagMRU Size. Now set this value to 0 in Decimal view. In Windows 8, set the value to 1 (thanks to
whomever pointed this out to me).

4.11 Prefetching and Timestamps

To start, there is a feature that began with Windows XP that is known as Windows Prefetching. Windows
Prefetch files are designed to speed up the application startup process. Prefetch files contain the name of
the executable (the program you are running), a Unicode list of DLLs (Dynamic Link Libraries; files that
support the program so it can run) used by that executable, a count of how many times the executable
has been run, and a timestamp indicating the last time the program was run. This means that if you are
trying to use programs such as TrueCrypt, secure deletion programs, or other file encryption programs,
a Prefetch file will be created, thus alerting the forensic investigators. This is not usually an issue unless
you are trying to counter forensic techniques without letting the investigator know.

An example where Prefetching is troublesome is when you are trying to change the Windows timestamps
for files. Every time a file is created, accessed, or modified, a timestamp is recorded. Changing the
timestamps is a good idea to throw the investigators off. Also, it is easy to change as there are programs
that can do that for you. A popular program is TimeStop; but an investigator can examine the Prefetch
file and determine that the program was run. When this happens they can be reasonably certain that the
timestamps were changed maliciously. So, before you download the file I would pack the file using a
program such as UPX (Ultimate Packer for eXecutables). This will change the hash of the file so the
investigator does not know TimeStop was used when examining the Prefetch files.

One good program to view the prefetch data is WinPrefetchView, which can be downloaded from here.
You can remove information from the prefetch folder, but note that running these programs and booting
up the system will take considerably more time afterwards, as this information will once again need to be
collected. C:\Windows\Prefetch is the path to the prefetch data.
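To show what the fields named above look like on disk, here is an added example (not from the guide, and not related to WinPrefetchView) that parses the header of an uncompressed .pf file and reports the executable name, the run count and the last-run time. The field offsets for versions 17 (XP), 23 (Vista/7) and 26 (Windows 8) are the documented header layouts; the compressed Windows 10 format is only detected. The sample file, its executable name and its hash value are constructed inside the script so that it runs without a Windows system.

```python
"""Parse the header of an uncompressed Windows Prefetch (.pf) file.

Added example (not from the guide). Reads the fields the text names:
executable name, run count and last-run timestamp. Offsets are the
version-dependent header layouts for XP (17), Vista/7 (23) and Windows 8
(26); the compressed Windows 10 format ("MAM" signature) is detected but
not decoded. The sample file built below is constructed, not a real .pf.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME, offset of 32-bit run count)
LAYOUT = {
    17: (0x78, 0x90),   # Windows XP / Server 2003
    23: (0x80, 0x98),   # Windows Vista / 7
    26: (0x80, 0xD0),   # Windows 8 / 8.1 (up to 8 last-run times start at 0x80)
}


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return version, executable name, hash, run count and last run time."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch; decompress before parsing")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature at offset 4")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    # 60 bytes of UTF-16LE at 0x10 hold the NUL-terminated executable name
    name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    time_off, count_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, time_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "executable": name,
        "hash": "%08X" % pf_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


def build_sample(version, exe_name, run_count, last_run, pf_hash=0x12345678):
    """Construct a minimal .pf byte layout for tests (hash value is made up)."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    time_off, count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, time_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    when = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    sample = build_sample(26, "EXAMPLE.EXE", 7, when)
    for key, value in parse_prefetch(sample).items():
        print("%-10s %s" % (key, value))
```

Run against a real file with `parse_prefetch(open(path, "rb").read())`; on Windows 10 and later the call raises because those files are compressed, which is itself worth knowing when you are deciding what an investigator can read.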

4.12 Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs on
to the computer or when a program encounters an error. Whenever these types of events occur, Windows
records the event in an event log that you can read by using Event Viewer. An investigator can determine
security-related information (these events are called audits and are described as successful or failed
depending on the event, such as whether a user trying to log on to Windows was successful), application
and service information, and more. Although security information is not incriminating by itself, investigators
can tell when you attempted to log in and out of the computer, which can correspond to suspected times.
Likewise, application data might not be incriminating, but depending on what the application actually logs,
file names and other incriminating evidence might be recorded.

Try it out: Erase event logs

1. Open the Start Menu and go to Control Panel
2. Click on Administrative Tools and open Event Viewer
3. Expand Windows Logs on the left
4. Right-click Application, Security, and System and click Clear Log

4.13 Printers, Print Jobs, and Copiers

There are several things that you should be concerned about when printing sensitive documents. Print
data might be left on your computer, on the printer's hard drive, or in transit. Before you can know
where to look, you must first know how Windows prints a document. When you send something to a
printer the document is first spooled and two files are created in the %system32%\spool\printers folder.
These two files are the shadow file and a spool file. The files are named as complementary pairs; for
example, one job sent to the printer results in the creation of one FP00001.SHD file and one FP00001.SPL
file for the same job, while the next job will create FP00002.SHD and FP00002.SPL.

The shadow file (.SHD) can contain information about the job itself, such as the printer name, computer
name, files accessed to enable printing, the user account that created the print job, the selected print
processor and format, the application used to print the file, and the name of the printed file (which can
be the URL if a file is printed from the web). All of this data can be seen in Unicode using a hex editor or
forensic software.

Spool files (.SPL), on the other hand, contain the actual data to be printed. This means that if you print a
picture, for example, a copy of the picture is created and temporarily stored in the spool folder. Next, the
print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is an
error where the document waits in the queue, these files can easily be read and the contents of the
file revealed. It is also important to note that these two files are deleted insecurely, so there is the
possibility of recovery.

Since 2002, every copier has had the capacity to store copies of the documents that are copied or printed.
Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the
copier. This means that printed documents and copies might be stored on the printer's hard drive, or
they might be recoverable if they were already deleted. There is also a security concern in that printed
documents can be tied to specific printers. Lastly, print documents can be captured if you are sending
them to a printer that is located over the network. Currently, it is up to the manufacturer to provide
security when sending jobs to a printer.

Try it out: Read spool data

1. I am going to assume that you already have a printer installed on your machine
2. Disconnect the printer's power source. This will allow us to view the .SHD file and the .SPL file
3. Send a print job to the printer that you just disconnected
4. Open Windows Explorer and in the address bar, type in %windir%\System32\spool\PRINTERS
5. You should notice the two files I mentioned: a .SHD file and a .SPL file. If you have more than
two files, then you might have additional print jobs in the queue
6. Select the file with the extension .SPL, right-click and select Copy. Paste the file in the
location of your choice.
7. Download and install the program SPLView from the manufacturer's website: click here.
8. Either open the file from within SPLView, or if you associate the .SPL extension with the
program, you can simply double-click the file
9. To view the .SHD file, I recommend downloading and using SPLViewer: click here. If the file is
locked, you can follow "Try it out: Removing services" in section 5.2 and disable the Print
Spooler service
10. Turn the printer back on to finish printing the document, or delete the files while the Print
Spooler service is stopped ("Try it out: Removing services" in section 5.2)

4.14 Cameras, Pictures, and Metadata

Metadata may be written into a digital photo file that will identify who owns it, copyright and contact
information, what camera created the file, along with exposure information and descriptive information
such as keywords about the photo, making the file searchable on the computer and/or the Internet. Some
metadata is written by the camera and some is input by the photographer and/or software after
downloading to a computer.

EXIF, the Exchangeable Image File format, describes a format for a block of data that can be
embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and
time information, camera settings, location information, textual descriptions, and copyright information.
In some instances, especially with cameras in cell phones, the location where the picture was
taken might also be embedded through geotagging. Furthermore, the metadata can contain an embedded
thumbnail image that reveals the picture before any editing was done. This information should be
removed before the photo is shared with someone else or stored unprotected.

[Figure: EXIF metadata of a photo, before and after removal]

To remove EXIF information from an image, or a batch of images, you will need to get a special program
that strips this data. I recommend the program BatchPurifier, which can remove this information from a batch
of files or a single file. A good program to read EXIF information from JPEG, TIFF and EXIF template files is
Opanda IEXIF. If you want to remove metadata from a RAW image, you will need to get a separate
program such as Exiv2. Opanda IEXIF can't remove the data, but it can show you what data is contained
within each picture that you take (unless you purchase the professional version).

You cannot stop cameras from recording metadata and embedding it in pictures, so the above steps
are the only way to ensure the pictures are clean. To further clean the image that you took, you will want
to crop and remove identifiable information contained within the actual picture itself. The best program
that can do this is Adobe Photoshop, but a good, free program is GIMP. Identifiable information includes
names, faces, logos, labels, prescriptions, anything that includes handwriting, toys specific to a
particular region or store, etc.

It is also important to know that digital cameras leave a telltale fingerprint buried in the pixels of every
image they capture. Forensic scientists can now use this fingerprint to tell what camera model was used
to take a shot. Furthermore, these scientists can tell the specific camera that took a specific picture if
they have the camera in hand. I would either use a separate camera for on-topic material or change the
photo by either resizing or re-rendering the image after making global changes (blurring, filtering, etc.).
Photoshop, Paint.NET, and GIMP are all good programs that enable you to edit a photo without making
changes to the original. This allows you to go back and make further changes (or undo changes) in the
future if needed.

You should also know that pictures are not the only material that can contain sensitive information.
Documents can include Microsoft Office documents (Word, Excel, PowerPoint), OpenOffice.org
documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG, SVG,
AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best either to remove the data from these files before sharing
them or not to share them at all. You should know that changing the file extension does
not trick the investigators. They use file header information to identify pictures/videos. Click here for a
good list.

For example: when we look at a JPEG header there are multiple parts we can use to identify the type of
image and the formats used. The first part to look at is the first two bytes of the file. The hex values FF D8
identify the start of the image file. This is often enough to know that you have an actual JPEG file. The
next two bytes are the application marker, typically FF E0. This marker can change depending on the
application used to modify or save the image. I have seen this marker as FF E1 when pictures were created
by Canon digital cameras. The next two bytes are skipped. Read the next five bytes to identify specifically
the application marker. This would typically be 4A 46 49 46 (JFIF) and 00 to terminate the string. Normally
this zero-terminated string will be "JFIF", but using the previous example of Canon digital cameras this
string will be 45 78 69 66 (Exif). Most image editors handle all JPEG formats unless a proprietary format
is used that does not follow the JPEG standard.
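The header walk above, and the EXIF stripping discussed earlier in this section, as an added example that is not part of the original guide and is not code from BatchPurifier or Opanda IEXIF: a small Python parser that applies the FF D8 / application-marker / identifier check to a file's bytes regardless of its extension, lists the marker segments, and writes out a copy with the APP1 (Exif/XMP), APP2 to APP15 and COM segments removed, which is what a metadata stripper does for JPEGs. The two sample byte strings are constructed for the example; they are structurally valid marker streams, not decodable images.

```python
"""Identify a JPEG by its header bytes and strip its metadata segments.

Added example (not from the guide). Walks the marker structure the text
describes (FF D8, then an APPn marker, a two-byte length, then the "JFIF"
or "Exif" identifier) and removes the APP1-APP15 and COM segments that
carry EXIF, XMP, ICC and comment metadata. The sample bytes are
constructed and are not real photographs.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP15 = 0xE0, 0xE1, 0xEF


def _segment(marker, payload):
    """Build one marker segment: FF <marker> <length incl. 2 length bytes> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample with the layout of a camera JPEG: APP1 Exif first, then a
# comment, a quantisation-table placeholder, a scan header and a few scan bytes.
CAMERA_SAMPLE = (
    b"\xff\xd8"
    + _segment(APP1, b"Exif\x00\x00" + b"MM\x00\x2a" + b"\x00" * 8)
    + _segment(COM, b"constructed comment")
    + _segment(0xDB, b"\x00" + bytes(range(64)))          # DQT placeholder
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)
# Constructed sample with the layout of an editor-saved JPEG: APP0 JFIF only.
EDITOR_SAMPLE = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\xab"
    + b"\xff\xd9"
)


def identify(data):
    """Apply the header walk from the text; works on bytes whatever the file extension."""
    result = {"is_jpeg": False, "app_marker": None, "identifier": None}
    if data[:2] != b"\xff\xd8":          # bytes 0-1: start of image
        return result
    result["is_jpeg"] = True
    if len(data) < 11 or data[2] != 0xFF:
        return result
    result["app_marker"] = data[2:4].hex().upper()   # bytes 2-3, e.g. "FFE0" or "FFE1"
    # bytes 4-5 are the segment length; the text skips them, and so do we
    ident = data[6:11]                                 # five bytes: 4 chars plus NUL
    if APP0 <= data[3] <= APP15 and ident[4] == 0:
        result["identifier"] = ident[:4].decode("ascii", "replace")
    return result


def list_segments(data):
    """Return [(marker, payload_length)] for every segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, length - 2))
        if marker == SOS:
            break            # entropy-coded scan data follows, no more segment headers
        pos += 2 + length
    return segments


def strip_metadata(data):
    """Copy the JPEG without APP1..APP15 and COM segments.

    APP0 (JFIF) is kept so viewers still see a plain baseline file; APP2 ICC
    profiles are dropped with the rest, which can shift colours slightly.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if marker == SOS:
            out += data[pos:]      # scan data and EOI are copied verbatim
            return bytes(out)
        if not (APP1 <= marker <= APP15 or marker == COM):
            out += data[pos:end]
        pos = end
    out += b"\xff\xd9"
    return bytes(out)


if __name__ == "__main__":
    for name, sample in (("camera", CAMERA_SAMPLE), ("editor", EDITOR_SAMPLE)):
        print(name, identify(sample), [hex(m) for m, _ in list_segments(sample)])
    print("stripped:", [hex(m) for m, _ in list_segments(strip_metadata(CAMERA_SAMPLE))])
```

On a real file, `identify(open(path, "rb").read())` gives the same verdict an investigator's header check would, and `strip_metadata` is the minimal form of what BatchPurifier does for JPEGs; it does not touch what is in the pixels, which is the subject of the next paragraphs.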

As we are talking about pictures, you should also be concerned with what is in the pictures themselves. Law
Enforcement Agencies have teams of analysts that pick apart background data to determine names,
addresses, geographic data, demographics, etc. In the case described below, detectives were able to
determine where the suspect lived based on a toy bunny and an orange sweatshirt seen in one of the
photos. You should attempt to remove all information that includes names, dates, addresses,
paraphernalia or anything that is region specific, or anything else that can be identifying.
Tattoos and other body parts (not just the face) are identifiable too. For example, characteristics
of the genitalia can be linked to a specific person. Recently, somebody was taking photos of his underage
daughter and posting them online. The problem is he posted one with a clear view of a prescription bottle
in the background and got busted. They were able to use that information to locate the individual.

Case: During an investigation into an internal child porn ring, detectives tracked down a toy
bunny seen in a photo, which was used to trace the suspect to Amsterdam. Investigators
discovered that the bunny was a character in a children's book popular in the Netherlands.
The detective also traced the boy's orange sweater to a small Amsterdam store that had sold
only 20 others like it. That led to the capture and arrest of 43 other individuals.

When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though
some investigators have recently been able to reverse the blurring process and render this useless) and
the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes
replace the background altogether. If you really want to get involved, you can change physical features
such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a
photo making it harder for someone to identify you. Also, if done correctly, it will enhance the photo
visually and the presentation will be much better.

4.15 USB Information

Whenever a device is plugged into the system, information about that device is stored in the registry and
the setupapi.log file (Windows XP and earlier). The registry key can be found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file can be
found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about
every device that was plugged into your computer via USB. The setupapi.log file contains information
about device changes, driver changes, and major system changes, such as service pack installations and
hotfix installations.

To delete this registry key and/or its subkeys you must first right-click the key and choose Permissions. You
can then give the Everyone group full permission to the key or subkeys so that they can then be
deleted. I'm sure it isn't too difficult to whip up a script or piece of software to automate this. Also, if you
have System Restore enabled, the information might be contained in there as well. The setupapi.log file
should be securely deleted as you would with anything sensitive. As pointed out to me by a forum that I
frequent, here is a program that will do this for you: https://code.google.com/p/usboblivion/.

4.16 SSD (Solid State Drives)

Unlike HDDs, SSDs have a feature known as a garbage collector, wherein cells that are marked to be
deleted are permanently erased in the background, usually within several minutes of being deleted. It is
important to know that this process happens at the SSD hardware level, so simply leaving the SSD
powered on, regardless of whether it is attached to anything, will result in the destruction of the data (also
known as self-corrosion). Even though SSDs implement garbage collection, encrypting or securely deleting the
device is hard.

SSDs use load balancing, which is a feature that evenly balances I/O operations between allocation pools.
This means that when you attempt to encrypt or delete a bit of data, the write may land past the original cell
on the next one. Also, SSDs should not be encrypted using programs that are meant to encrypt HDDs because of
another feature called "wear leveling". TrueCrypt, for example, recommends that "TrueCrypt volumes are
not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that
TrueCrypt is not used to encrypt any portions of such devices or filesystems)." You should know, however,
that this was referring to existing data already stored on the hard drive. New data that has not been written
to the disk will be secured because it is encrypted before physical storage on the hard drive. This can still
allow for data leaks, so it is still not recommended.

On SSDs you cannot write to a specific sector on the drive, therefore it is theoretically possible that there
are multiple instances of the same data stored on the drive. Let's say for example that you change the
TrueCrypt volume header; the old header might still be accessible on the drive as you cannot write over
it individually. An attacker knowing this information can attack the container using the old header
information.

4.17 Forensic Software Tools

Category of Tools                      Examples
Chat recovery tools                    Chat Examiner
Computer activity tracking tools       Visual TimeAnalyser
Disk imaging software                  SnapBack DataArrest, SafeBack, Helix
E-mail recovery tools                  Email Examiner, Network and Email Examiner
File deletion tools                    PDWipe, Darik's Boot and Nuke, Blancco
File integrity checkers                FileMon, File Date Time Extractor, DecodeForensic Date/Time Decoder
Forensic work environments             X-Ways Forensics
Internet history viewers               Cookie Decoder, Cookie View, Cache View, FavURLView, NetAnalysis,
                                       Internet Evidence Finder
Linux/UNIX tools                       Ltools, Mtools
Multipurpose tools and tool kits       Maresware, LC Technologies Software, WinHEX Specialist Edition,
                                       ProDiscover DFT, NTI Tools, Access Data, FTK, EnCase
Partition managers                     Partimage
Password recovery tools                @Stake, Decryption Collection Enterprise, AIM Password Decoder,
                                       Microsoft Access Database Password Decoder, Cain and Abel, Ophcrack
Slack space and data recovery tools    Ontrack Easy Recovery, Paraben Device Seizure 1.0, Forensic Sorter,
                                       Directory Snoop, FTK, EnCase
Specialized software for analyzing     Registry Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer,
registries, finding open ports,        Vision, Autoruns, Autostart Viewer, Patchit, PyFlag, Pasco,
patching file bytes, simplifying       Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager for Nokia
log file analysis, removing plug-ins,  phones, SIM Card Seizure
examining P2P software, and examining
SIM cards and various brands of phones
Text search tools                      Evidor

Chapter 5_ Continuity

Service and data continuity is the activity performed by you to ensure that files and services will be
available to yourself and others for the applicable lifetime. There are several methods to provide
continued support including: backing up data, using controls and techniques to restrict access, and
implementing controls on servers, networks, and other devices. None of these controls should be skipped
as they are all equally important. This step is often overlooked when securing your information but
assures availability is met.

Topics
This Chapter will cover the following topics:

Security Concerns with Backups
Security Concerns with Sleep and Hibernation
Ensuring Information and Service Continuity
DoS and DDoS attacks

5.1 Security Concerns with Backups

To start, Windows Backup and Restore is a feature of Windows and does exactly as it implies; it backs up
your data. Without much explanation, there are three types of Windows backups: full, differential, and
incremental. A full backup provides a backup regardless of previous backups. A differential backup only
backs up data that was changed since the last full backup, and an incremental backup backs up data that
was changed since the last backup, whether that was the full backup or the last incremental backup.
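The three rules above as an added example (not part of the guide, and not how Windows Backup and Restore is implemented): a simulation over a constructed set of file modification times that shows which files each backup type copies on each run, and which backups a restore then has to replay. The file names and hours are made up for the example.

```python
"""Simulate full, differential and incremental backup selection.

Added example, not part of the guide. The file set and its modification
times (whole hours) are constructed; the rules are the three the text gives.
"""

# Constructed: file name -> hour at which it was last changed.
FILES = {"report.docx": 0, "photo.jpg": 5, "notes.txt": 9, "secret.tc": 11}


def run_schedule(files, schedule):
    """Run a time-ordered schedule of [(hour, strategy)] backups.

    full:         copies every file that exists at that time
    differential: copies files changed since the last full backup
    incremental:  copies files changed since the last backup of any kind
    Returns [(hour, strategy, sorted selected files)].
    """
    last_full = last_backup = None
    results = []
    for when, strategy in schedule:
        present = {f: t for f, t in files.items() if t <= when}   # files that exist yet
        if strategy == "full":
            selected = sorted(present)
            last_full = when
        elif strategy == "differential":
            if last_full is None:
                raise ValueError("differential backup needs an earlier full backup")
            selected = sorted(f for f, t in present.items() if t > last_full)
        elif strategy == "incremental":
            if last_backup is None:
                raise ValueError("incremental backup needs an earlier backup")
            selected = sorted(f for f, t in present.items() if t > last_backup)
        else:
            raise ValueError("unknown strategy %r" % strategy)
        last_backup = when
        results.append((when, strategy, selected))
    return results


def restore_chain(results):
    """Hours of the backups a restore must replay, oldest first.

    After the latest full backup, a differential schedule needs only the
    newest differential; an incremental schedule needs every incremental.
    Mixed schedules are not handled here.
    """
    kinds = [k for _, k, _ in results]
    full_idx = max(i for i, k in enumerate(kinds) if k == "full")
    later = list(range(full_idx + 1, len(results)))
    chain = [results[full_idx][0]]
    if later and kinds[later[-1]] == "differential":
        chain.append(results[later[-1]][0])
    else:
        chain.extend(results[i][0] for i in later)
    return chain


def restored_files(results):
    """Union of the files held in the backups that a restore replays."""
    chain = set(restore_chain(results))
    return sorted({f for when, _, sel in results if when in chain for f in sel})


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        runs = run_schedule(FILES, [(0, "full"), (4, kind), (8, kind), (12, kind)])
        for when, strategy, selected in runs:
            print("hour %2d %-12s %s" % (when, strategy, selected))
        print("restore needs hours", restore_chain(runs), "->", restored_files(runs))
```

The point the simulation makes for the next paragraph is visible in the output: once secret.tc has been picked up by any run, every later differential and the restore chain carry it too, so removing it from the computer afterwards does not remove it from the backups.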

I know I am stating the obvious, but make sure that you do not back up anything that is confidential.
Whether by accident or on purpose, once you back up sensitive data, it does not matter if you remove the
file from your computer because a copy has already been made. Personally, I keep all my sensitive information
in an encrypted container by itself so I don't confuse it with my other stuff. After I move all of my sensitive
information into a container by itself I have ensured two things: 1) my information is secured and 2)
nothing is being backed up that is not supposed to be.

5.2 Security Concerns with Sleep and Hibernation

Note: Windows 8, the latest Operating System Microsoft is coming out with, hibernates the
system kernel but does not put memory in storage.

There are two other features with Windows that you should know of: sleep
and hibernation. If you need to walk away from your laptop for a small
or extended period of time but want your Windows session to resume
quickly, you will use either of these two features. The difference is that
with sleep mode, your computer stores everything in memory and with
hibernation mode, everything in RAM is saved to your hard drive. Sleep is
for short-term storage and hibernation is for long term storage.

If you use sleep or hibernation, the encryption keys and everything else
that is open at that time is saved, allowing a third party to bypass the
security measures you have in place. For example, everything that you
have opened at this moment, including mounted containers and open documents, will be viewable by
forensic investigators. Looking at the picture below, you can see that the user had a website open the
moment he used hibernation mode on his Windows device. This information amongst anything else that
was stored in RAM at the moment can be read. The best mitigation technique is not to use them or to
disable both hibernation and sleep altogether.

5.3 Ensuring Information and Service Continuity

Keeping a backup of all your private/sensitive materials is a good idea for the continuity of such data, as
long as that data is secure. Securely storing data has been discussed in another section, so I will only make
a recommendation. I would create a container with TrueCrypt and store all sensitive data within that
container before saving the backup somewhere else. Doing this will achieve two goals in the CIA triad,
confidentiality and availability.

There are two locations that need to be considered when backing up data: locally and remotely. A local
copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed up
data. But what if a natural disaster or a fire occurs and it destroys both your computer and your local
backup device? This is where a remote backup solution comes in; it prevents data loss in the off chance that
this happens. Common methods of remote backups are remote backup services, tapes, external drives,
or hosted services. Another common method is finding someone else in another location (another state
preferably) and you each keep a backup for one another.

For example: let's say that I have a friend (okay, I did say as an example) and that friend lives in another
state. One good way that I can back up my data at his place and his at mine is to set up a VPN to connect
our networks together. This way, we can send the files securely over the internet without much
complication. Make sure, however, that you trust the other party as they will have your public IP address.
Another device that allows for storage redundancy is a RAID device. RAID (redundant array of
independent disks) is a storage technology that combines multiple disk drive components into a logical
unit. Basically, it is a device that is comprised of several disks so that if one (or more) drive(s)
fail, data is not lost. This can come in the form of a RAID controller (or software controller) on your
computer, or a network device (such as a NAS box). A NAS box is Network Attached Storage and is a
device that plugs into your network so you can back up multiple devices. These devices are standalone
devices and usually have RAID functionality.

There are a few more solutions if you are going to set up a service that you host and are concerned with
continuity and service availability. All these methods assume that you have multiple servers
available and can configure them and the network they reside in. Firstly, you can configure the site for
mirroring, which is the act of creating an exact copy of one server on another server. Clustering (or failover
clustering) is another method of ensuring availability as it is a group of devices that act as a single device.
When one device fails in a cluster, another device starts providing the service (a process known as a
failover). And finally, you can implement load balancing on your network, which distributes the traffic load
between several devices in your network.

5.4 DoS and DDoS attacks

DoS (Denial of Service) attacks are the acts of making resources unavailable to legitimate users. DDoS
(Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even
thousands) of machines to disrupt access to resources. Usually this is performed by flooding the service
with ICMP packets, forcing the router (or server) to respond to the attacker's request (by replying to the
ICMP packet). Other attacks include sending malformed ICMP packets, flooding the site with resource
requests, or SYN flood attacks.

Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best
accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways: the attacker
can send too many packets or they can send malformed packets. For example, Windows has a packet size
limit of 65500. So anything received that is higher, might crash the machine or enable the attacker to
successfully perform a privilege escalation attack. Flooding the site with requests for resources (videos,
pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with Tor sites.

These attacks are mostly an issue that has to be prevented with hardware controls rather than
implementations within the website itself. Assuming that you are hosting and managing the website and
the server the website resides on, you can implement ingress filtering on your network to help block some
of the attack. The backscatter traceback method is a good strategy for that. Also, I would block ICMP
packets on your external interface (WAN interface). You should also make sure that all "unallocated
source addresses" are blocked. This means that you should block all packets with private IP addresses that
are coming into your network. You cannot stop DDoS attacks, only mitigate the effect.

Another type of DoS attack is known as an application-layer DoS attack. This type of attack bypasses the
firewall as it uses legitimate traffic to attack the service directly. Application-layer attacks can affect many
different applications. A lot of them target HTTP, in which case they aim to exhaust the resource limits of
Web services. Often, they are customized to target a particular Web application by making requests that
tie up resources deep inside the affected network. These attacks are typically more efficient than TCP- or
UDP-based attacks, requiring fewer network connections to achieve their malicious purposes. They are
also harder to detect, both because they don't involve large amounts of traffic and because they look
similar to normal benign traffic.
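The ingress filtering rule from the paragraph before last, together with a detector for the SYN floods mentioned at the start of this section, as an added example that is not from the guide: the first part drops inbound packets whose source address is private or otherwise unroutable, the second counts half-open handshakes per destination over a packet trace. The bogon list, the packet records, the addresses (RFC 5737 documentation ranges stand in for public hosts) and the 50-connection alert threshold are all constructed assumptions for the example.

```python
"""Ingress filtering of unallocated source addresses and SYN-flood detection.

Added example, not from the guide. Part one is the filtering rule the text
recommends: drop inbound packets on the WAN interface whose source address is
private or otherwise not routable on the public Internet. Part two counts
half-open TCP handshakes per destination over a packet trace, which is the
signature of a SYN flood. The trace, the addresses (RFC 5737 documentation
ranges stand in for public hosts) and the threshold are constructed.
"""
import ipaddress
from collections import defaultdict

# Source ranges that should never arrive from the outside (assumed list:
# RFC 1918 private space plus "this" network, loopback, link-local,
# multicast and the reserved class E block).
UNALLOCATED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_unallocated_source(addr):
    """True when a packet with this source address should be dropped on the WAN side."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNALLOCATED_SOURCES)


def ingress_filter(packets):
    """Split inbound packet records into (accepted, dropped) by source address."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if is_unallocated_source(pkt["src"]) else accepted).append(pkt)
    return accepted, dropped


def half_open_counts(packets):
    """Per (dst, dport): number of sources that sent a SYN but never an ACK.

    A spoofed source never completes the handshake, so its SYN stays pending;
    a real client's later ACK to the same destination clears it.
    """
    pending = defaultdict(set)
    for pkt in packets:
        key = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            pending[key].add(pkt["src"])
        elif pkt["flags"] == "A":
            pending[key].discard(pkt["src"])
    return {key: len(srcs) for key, srcs in pending.items() if srcs}


def detect_syn_flood(packets, threshold=50):
    """Destinations whose half-open count reaches the (assumed) threshold."""
    return sorted(k for k, n in half_open_counts(packets).items() if n >= threshold)


def constructed_trace():
    """Three clients that complete the handshake plus 60 SYN-only spoofed sources."""
    target = {"dst": "192.0.2.10", "dport": 443}
    trace = []
    for client in ("203.0.113.40", "203.0.113.41", "198.51.100.7"):
        trace.append(dict(target, src=client, flags="S"))
        trace.append(dict(target, src=client, flags="A"))
    for i in range(60):
        # two of the spoofed sources use private space, so ingress filtering
        # removes them before the detector ever sees them
        src = "10.0.0.%d" % (i + 1) if i < 2 else "192.0.2.%d" % (100 + i)
        trace.append(dict(target, src=src, flags="S"))
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    accepted, dropped = ingress_filter(trace)
    print("dropped by ingress filter:", len(dropped))
    print("half-open per destination:", half_open_counts(accepted))
    print("flooded:", detect_syn_flood(accepted))
```

The filter removes only the two spoofed sources that used private space; the other 58 pass because they look like public addresses, which is why the text says ingress filtering blocks "some" of the attack and the rest has to be caught by counting, rate limiting or upstream help.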

Tools for DDoS attacks

To initiate DDoS attacks, you will need the right tools based on your preferences and other factors such as
your platform of attack. The following are samples of DDoS attack tools:

Low Orbit Ion Cannon - LOIC attacks a server by flooding the server with TCP or UDP traffic.
Specifically, it mostly floods the server with ICMP traffic, which is ping traffic
Trinoo - Trinoo is easy to use and has the ability to command and control many systems to
launch an attack
Tribal Flood Network - TFN can launch ICMP, ICMP Smurf, UDP, and SYN flood attacks against a
victim. This tool was the first publicly available DDoS tool
Stacheldraht - This tool has features that are seen in both Trinoo and TFN and sends commands via
ICMP and TCP packets to coordinate an attack. Another feature of Stacheldraht is that it can
encrypt the communication between the client and the handlers
TFN2K - An upgrade to TFN, this program offers some more advanced features including
spoofing of packets and port configuration options
Shaft - This works much the same way as Trinoo except it includes the ability for the client to
configure the size of the flooding packets and the duration of the attack
MStream - This program utilizes spoofed TCP packets to attack a designated victim
Trinity - This performs several DDoS functions including: fraggle, fragment, SYN, RST, ACK, and
others
Slowloris - Application-layer attack that is an HTTP GET-based attack. The basic idea is simple: a
limited number of machines, or even a single machine, can disable a Web server by sending
partial HTTP requests that proliferate endlessly, update slowly, and never close
SlowPost - This attack works in somewhat the same way as Slowloris, except that it uses HTTP
POST commands, transmitted very, very slowly, instead of GETs to tie up Web services
SIP INVITE Flood - The two attacks above both target HTTP; this one is a VoIP flood that targets
SIP (Session Initiation Protocol)
Torshammer - Slow POST DoS testing tool written in Python. It can also be run through the Tor
network to be anonymized

What do they mean?

Let me take a second to define some of the attack terms as presented above:

ICMP DoS - An attacker can use either the ICMP "Time exceeded" or "Destination
unreachable" messages. Both of these ICMP messages can cause a host to
immediately drop a connection
ICMP packet magnification - An attacker sends forged ICMP packets to bring down a
host. As an example (as presented above), Windows has a packet size limit of 65500, so
anything received that is larger will be fragmented. Since the machine cannot reassemble the
packet, it might crash or reboot
ICMP Smurf attack - An attacker sends forged ICMP echo packets to vulnerable
networks' broadcast addresses. Doing this will tell all the systems on the network
(inside the broadcast domain) to send ICMP echo replies to the victim, consuming
the target's available bandwidth
SYN flood attacks - A SYN flood attack takes advantage of the TCP three-way handshake. A SYN
flood attack spoofs the IP address, thereby forcing the server to keep the connection open while
waiting for the ACK message (which is never sent) from the client, and uses resources in the
process
RST attacks - This attack works by injecting RST packets into a TCP connection, tricking the server
into closing the connection. RST attacks are performed against other users trying to use a particular
resource
Fraggle attacks - Fraggle attacks are similar to Smurf attacks except that Fraggle attacks use
UDP packets instead of ICMP packets
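The SYN flood entry above describes a server left holding half-open connections while it waits for an ACK that never arrives. The following script, an added example rather than anything from the guide, shows how a defender can spot that condition in netstat-style output; the connection lines are constructed and the two thresholds are assumptions to tune per server.

```python
"""Spot the footprint of a SYN flood in connection-table output (added example)."""
from collections import Counter

# Half-open states: the server has sent SYN-ACK and is still waiting for the
# client's ACK. Linux netstat prints SYN_RECV, Windows prints SYN_RECEIVED.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}


def _spoofed_burst():
    # Constructed: 40 half-open connections aimed at port 80, each from a
    # different forged source in the documentation range 198.51.100.0/24.
    return "\n".join(
        f"tcp        0      0 192.168.1.5:80          198.51.100.{i}:1025       SYN_RECV"
        for i in range(1, 41)
    )


def _single_source_burst():
    # Constructed: 12 half-open connections from one source that is not spoofing.
    return "\n".join(
        f"tcp        0      0 192.168.1.5:80          203.0.113.50:{40000 + i}    SYN_RECV"
        for i in range(12)
    )


# Constructed `netstat -ant` sample: normal sessions plus the two bursts above.
SAMPLE_NETSTAT = "\n".join([
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
    "tcp        0      0 192.168.1.5:22          192.168.1.10:50122      ESTABLISHED",
    "tcp        0      0 192.168.1.5:80          203.0.113.7:41002       ESTABLISHED",
    "tcp        0      0 192.168.1.5:80          203.0.113.7:41003       TIME_WAIT",
    _spoofed_burst(),
    _single_source_burst(),
])


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP connection."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # header, blank or non-TCP line
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue                      # a listening socket, not a connection
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append((lip, int(lport), rip, int(rport), state))
    return conns


def half_open_summary(conns):
    """Count half-open connections per local port and per remote source."""
    by_port, by_source = Counter(), Counter()
    for _lip, lport, rip, _rport, state in conns:
        if state in HALF_OPEN_STATES:
            by_port[lport] += 1
            by_source[rip] += 1
    return {"total": sum(by_port.values()),
            "by_local_port": by_port, "by_remote_ip": by_source}


def assess(conns, per_port_threshold=20, per_source_threshold=10):
    """Return alert strings. The per-port total catches a spoofed flood, where
    every half-open connection carries a different forged source address, so a
    per-source rule alone would never fire; the per-source count catches one
    noisy client. Both thresholds are assumptions to tune for the server."""
    summary = half_open_summary(conns)
    alerts = []
    for port, n in summary["by_local_port"].most_common():
        if n >= per_port_threshold:
            sources = {rip for _l, lp, rip, _r, st in conns
                       if lp == port and st in HALF_OPEN_STATES}
            alerts.append(f"port {port}: {n} half-open connections "
                          f"from {len(sources)} distinct sources")
    for rip, n in summary["by_remote_ip"].most_common():
        if n >= per_source_threshold:
            alerts.append(f"source {rip}: {n} half-open connections")
    return alerts


if __name__ == "__main__":
    for alert in assess(parse_netstat(SAMPLE_NETSTAT)):
        print("ALERT", alert)
```

On a live box the same functions can be fed the output of `netstat -ant` (Linux) or `netstat -an` (Windows) instead of the constructed sample.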


Chapter 6_ System Hardening

System hardening is the process of securing a system by reducing its surface of vulnerability (the attack
surface, which is the set of components of a system that an attacker can use to break into it). A
system has a larger vulnerability surface the more that it does; in principle a single-function system
is more secure than a multipurpose one. We will also go over several other risk mitigating methods when
dealing with Windows. This will include the removal of unnecessary software, unnecessary usernames or
logins, and the disabling or removal of unnecessary services.

Topics
This Chapter will cover the following topics:

Uninstall Unnecessary Software
Disable Unnecessary Services
Disable Unnecessary Accounts
Update and Patch Windows and Other Applications
Password Protection


6.1. Uninstall Unnecessary Software

The first step in hardening a system is to remove unnecessary programs. Start by removing unnecessary
third party programs that are installed on the machine. You also want to look at programs that were
installed when downloading or installing other products, whether intentionally or not. For example, when
you purchase a machine there is a bunch of software that comes preinstalled that you probably never use.
I would recommend reviewing everything that is installed and removing all software that you do not need.

Try it out - Uninstalling software

1. Open the Start Menu and go to Control Panel
2. Select Uninstall a program or Add/Remove Programs
3. Right-click the unnecessary programs from the list and click Uninstall

6.2. Disable Unnecessary Services

Once all of the unneeded software has been uninstalled from the machine, you should then start disabling all
of the unnecessary services that are running in the background. Each service provides support for a
particular application, and many of them provide functionality for Windows. You should get a listing
of all the system services running on the system and evaluate whether each service is needed. Note
that I am referring mainly to third-party services rather than Windows services. Make sure to do your research
on each service before disabling anything.

Try it out - Removing services

1. Open the Start Menu and go to Control Panel
2. Select Administrative Tools and open Services
3. Review and identify each unnecessary service
4. Right-click the unnecessary service and select Disabled in the dropdown box next to Startup
type. Stop the service and press OK


6.3. Disable Unnecessary Accounts

An aspect that is often overlooked is disabling accounts that are not currently being used. You will need
to determine if you need information from that account (if you remove account data) or to use services
that can only be used from within that account. Windows XP has the administrative account enabled with
a blank password by default, whereas Windows Vista and 7 disable the account by default. Also, a quick
word from the real world: make sure when creating a user account not to use anything that can possibly
identify you as doing something illegal. As a real world example, someone actually created a separate
account named childporn so he could hide all his illegal materials in that account. Better yet, he hid all
the materials in a folder on his desktop named childporn! Not only can forensic investigators see all the
accounts that are currently on the machine, but they can see previously deleted accounts as well.

Try it out - Removing user accounts

1. Open the Start Menu and go to Control Panel
2. Expand User Accounts and select the account you wish to delete
3. Click Delete the account

Note: One good recommendation is to create and use a standard account with no Administrative
privileges. This way, if a virus is executed, it only has the privileges of the account that you are in. Also, I
would make sure your username does not contain your full name as many applications such as Pidgin
can share this information.

To expand on that point: all of the account data is contained in the Windows Registry, which records the user
accounts that are in use now as well as those that were deleted from within the Control Panel. For this
reason, forensic investigators use the registry keys when performing their analysis. Furthermore, they
can view other sensitive artifacts from the user's unique registry hive if it is left intact. The location of
the registry key that contains the user profile information is here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


As you can tell from the image, the selected user account has the username of admin. This can be seen
from the ProfileImagePath registry value. Remember the SID for later use. Once you have gone through
all the keys under ProfileList and have located yours, you can right-click the key as shown in the image
above and select Delete. Now that you have deleted the user account from the registry, you should
also delete the actual user data from the registry. Navigate to HKEY_USERS\%SID%
to remove the data for that user. This data can include recent file lists, open file dialogs, shell
bags, etc.

Finally, you should locate the profile path in Explorer to remove all files that are contained within the
hierarchy. For Windows Vista/7/8, the location will be C:\Users\%username% and for XP, this path will
be C:\Documents and Settings\%username%. This should be done securely to ensure that no data can
be recovered.
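The forensic point above is that ProfileList keeps a SID and profile path for every account ever created, so an account deleted through the Control Panel can still be found there. The script below is an added example, not from the guide: it parses a .reg export of that key (the format `reg export` writes, where REG_EXPAND_SZ values appear as hex(2) UTF-16LE byte lists) and reports profiles whose SID no longer matches a current local account. The export text and the account list are constructed samples; on a real machine they would come from `reg export` of the ProfileList key and from `wmic useraccount get name,sid`.

```python
"""Audit a ProfileList export for profiles left behind by deleted accounts (added example)."""

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
# Well-known service SIDs that always own a profile and are not user accounts.
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def _hex2(value):
    """Encode a string the way reg export writes REG_EXPAND_SZ: hex(2): UTF-16LE
    bytes, comma separated, wrapped with a trailing backslash every 25 bytes."""
    pairs = [f"{b:02x}" for b in (value + "\0").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed sample export: a service profile, two live users and one profile
# (RID 1003) whose account was deleted from the Control Panel.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{PROFILE_LIST}\\S-1-5-18]",
    '"ProfileImagePath"=' + _hex2(r"%systemroot%\system32\config\systemprofile"),
    "",
    f"[{PROFILE_LIST}\\S-1-5-21-1111111111-2222222222-3333333333-1001]",
    '"ProfileImagePath"=' + _hex2(r"C:\Users\admin"),
    '"State"=dword:00000100',
    "",
    f"[{PROFILE_LIST}\\S-1-5-21-1111111111-2222222222-3333333333-1002]",
    '"ProfileImagePath"=' + _hex2(r"C:\Users\alice"),
    "",
    f"[{PROFILE_LIST}\\S-1-5-21-1111111111-2222222222-3333333333-1003]",
    '"ProfileImagePath"=' + _hex2(r"C:\Users\oldbox"),
    "",
])

# Constructed list of accounts that still exist (name -> SID).
CURRENT_ACCOUNTS = {
    "admin": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1002",
}


def _decode_value(raw):
    """Decode a .reg value: a quoted string or a hex(2): UTF-16LE byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[len("hex(2):"):].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    return raw


def parse_profile_list(reg_text):
    """Map SID -> ProfileImagePath for every subkey under ProfileList."""
    profiles, sid, pending = {}, None, ""
    prefix = PROFILE_LIST + "\\"
    for line in reg_text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sid = key[len(prefix):] if key.startswith(prefix) else None
        elif sid and line.startswith('"ProfileImagePath"='):
            profiles[sid] = _decode_value(line.split("=", 1)[1])
    return profiles


def orphaned_profiles(profiles, current_accounts):
    """Return (sid, path) pairs whose SID matches no current account or service SID."""
    live = set(current_accounts.values()) | SYSTEM_SIDS
    return sorted((sid, path) for sid, path in profiles.items() if sid not in live)


if __name__ == "__main__":
    for sid, path in orphaned_profiles(parse_profile_list(SAMPLE_REG), CURRENT_ACCOUNTS):
        print(f"orphaned profile {sid} -> {path}")
```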

6.4. Update and Patch Windows and Other Applications

Another step in hardening the system is updating the Operating System and all software installed on the
machine. When you patch the system, you are applying security fixes for known vulnerabilities in the
software that is running on the system. These vulnerabilities are what remote attackers use to gain access
to the system. Without patching the system, you are opening up your machine to attack by these
malicious hackers.


Windows updates should be enabled as they provide many fixes concerning Windows security. Individual
software and applications should also be updated as soon as a known stable version of the update is
available. Usually, updates are stable when vendors release them, unless stated otherwise. I
recommend the use of a tool that checks the programs installed on the machine and reports the ones that
are out-of-date. A good program for this purpose is Secunia PSI. This program will constantly check the
programs installed on your machine and report which ones are out-of-date, which ones are scheduled for
an update, and which ones can be updated manually.

Note: A program that I would recommend looking into is Microsoft Baseline Security
Analyzer (MBSA), a free security and vulnerability assessment (VA) scan tool that helps
improve the security management process, assesses the security state of a machine in accordance
with Microsoft security recommendations, and offers specific remediation guidance.

6.5. Password Protection

A final practice you should incorporate in system hardening is password protecting your devices. On your
computer, you should make sure that all of the user accounts that are enabled are password protected.
This is especially true when folder shares are involved. Make sure that the passwords on your machine
are all strong so an attacker cannot use that account to gain access to your machine. For example, when
you mount a TrueCrypt container, it can be explored through another computer in the network using an
account on the local machine if they have the correct permission. This means that even if you have the
world's strongest password for TC, an attacker can still gain access to its contents using your Windows
password over the network. Also, by default Windows XP has the administrative account enabled without
a password. Windows 7 and 8 have this administrative account disabled by default.

Note: When you mount a TrueCrypt container in Windows, it can be explored through
another computer in the network using an account in Windows if they have the correct
permission. For this reason, make sure that your Windows password is not easily guessed!
You can test this out by trying the "Try it out - Explore your computer from another machine"
steps and replacing the C$ with whatever the TrueCrypt container is mounted as. You can also see if your
container is mounted via Windows Shares and, if it is, you can stop the share. Also, I would
change the permissions for the TrueCrypt file.


Try it out - Password protect computer accounts

1. Open the Start Menu and go to Control Panel
2. Expand User Accounts and select the account which you want to create a password for
3. Click Change Password

Try it out - Explore your computer from another machine

1. Find your IP address on your computer. Start the command prompt: Start > Run > cmd > OK
*Windows Vista/7: type cmd in Search Programs and Features. A black box should pop up
2. Type in ipconfig and, under the adapter you are using, record the IP address next to IPv4
(example: 192.168.1.5) *rarely will people use IPv6
3. Hop onto the other computer and open up Windows Explorer
4. In the address bar, type in \\ followed by your computer's IP address, finished with a \, your
drive letter and a $ (usually C). For example, I type in \\192.168.1.5\C$
5. You will be prompted to enter the username and password for your machine


Chapter 7_ Antivirus, Keyloggers, Firewalls, DLPs, and HIDs

Malware, short for malicious software, is software used or created to disrupt computer operation, gather
sensitive information, or gain access to private computer systems. It can appear in the form of code,
scripts, active content, and other software. This is not only annoying, but if malware is running on your
machine, your security is at risk. Notice that all of the solutions in this chapter can be either hardware or
software. Hardware solutions are usually on the perimeter, in the form of an all-in-one device (SonicWall or
Fortigate for example).

Topics
This Chapter will cover the following topics:

Antivirus
Hardware Keyloggers
Firewalls
DLPs
HIDSs
Other Considerations


7.1. Antivirus

'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
This software comes in several different flavors, but we will only be talking about Spyware and Trojan
Horses. Trojan horses are often delivered through an email message where they masquerade as an image
or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities
in web browser software such as Microsoft Internet Explorer. Spyware, on the other hand, covertly
monitors your activity on your computer, gathering personal information such as usernames, passwords,
account numbers, files, and even driver's license or social security numbers.

Antivirus software can protect you from viruses, worms, Trojan horses and other types of malicious
programs. More recent versions of antivirus programs can also protect from spyware and potentially
unwanted programs such as adware. Having security software that gives you control over software you may
not want and protects you from online threats is essential to staying safe on the Internet. Your antivirus
and antispyware software should be configured to update itself, and it should do so every time you
connect to the Internet.

Case: The Computer and Internet Protocol Address Verifier (CIPAV) is an illegal data gathering
tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on
suspects under electronic surveillance. The software operates on the target computer much
like other forms of illegal spyware, in that it is unknown to the operator that the software
has been installed and is monitoring and reporting on their activities.

Location-related information is captured, such as: IP address, MAC address, open ports, running
programs, operating system and installed application registration and version information,
default web browser, and last visited URL. Once that initial inventory is
conducted, the CIPAV slips into the background and silently monitors all outbound
communication, logging every IP address to which the computer connects, and time and date
stamping each.


7.2. Hardware Keyloggers

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users'
keystrokes, including sensitive passwords. They can be implemented via BIOS-level firmware, or
alternatively, via a device plugged inline between a computer keyboard and a computer. They log all
keyboard activity to their internal memory. Hardware keyloggers have an advantage over software
keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able
to intercept passwords for the BIOS or disk encryption software).

You might think that physical inspections are one way to defend against hardware keyloggers, but they are
not. Nor is using a wireless keyboard, as that sort of keylogger doesn't necessarily have to be hidden
outside of the keyboard. A dedicated attacker may just as well place an extra chip inside of the keyboard
or replace it altogether with a manipulated keyboard of the same model to record keystrokes without any
obvious visual cues. So, the best way may be to use different keyboard layouts before entering the
password. Furthermore, you can also enter random data within the password and go back to remove
it later. And finally, you can use tokens as well as a password when logging into your computer.

7.3. Firewalls

A firewall is usually your computer's first line of defense; it controls who and what can communicate with
your computer online. You could think of a firewall as a sort of "policeman" that watches all the data
attempting to flow in and out of your computer, allowing communications that it knows are safe and blocking
"bad" traffic such as attacks from ever reaching your computer. Configuring your firewall can prevent spyware
or other programs from sending confidential data out of your network entirely. It can also prevent remote
attackers from hacking into your computer. Most AIO (all-in-one) security solutions such as Norton, McAfee or
BitDefender have a firewall built in. For a free firewall, Comodo firewall is a good alternative:
https://personalfirewall.comodo.com/.

Note: Most Linux distros, including Redhat / CentOS / Fedora, install iptables by default. It has
become a standard option in all distros. If it is not installed, you can use the command
yum install iptables, or apt-get install iptables if you are using Ubuntu.

7.4. DLPs

A data leakage prevention (DLP) solution is a system that is designed to detect potential data breach incidents
in a timely manner and prevent them by monitoring data in use (endpoint actions), in motion (network
traffic), and at rest (data storage). Importantly, personal DLP software can protect you from accidentally
disclosing confidential or sensitive data. Some AIO security software does this, as does some free software.


7.5. HIDSs and NIDSs

The operating principle of a HIDS (Host Intrusion Detection System) depends on the fact that successful
intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own
the computer they have attacked, and will establish their "ownership" by installing software that will grant
the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming,
botnet activity, spyware usage, etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do
just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet
Explorer leaks, DLL injections, malware drivers, etc. HIDSs are installed on your machine and a baseline
must be performed before HIDSs can detect any anomalies. Many anti-virus programs have a basic HIDS
built into the software as an added feature.

Network IDSs, on the other hand, sit on your network to monitor all traffic coming into your network and
alert you to any attacks. There are several methods of detecting an attack, including anomaly based
detection and signature based detection. An IDS can also be passive or active, depending on
whether you want the IDS to actually take action or not. You should know when setting up an IDS
that there will be false positives, as it takes a while for the IDS to learn and for you to tune it. Also, you will
need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in businesses.

7.6. Other Considerations

What you download can affect security. Make sure that what you download is safe; it should go without
saying, but it is good to hear nonetheless. PDFs, Word documents, executables, broken pictures, and binders
are all security issues. Make sure that you protect yourself by downloading alternative PDF viewers (or
blocking your PDF application from connecting to the internet), disabling Macros if you use Microsoft Office
programs, disabling JavaScript in Adobe Acrobat/Reader if you use it, etc. Lastly, make sure that you are
updating your web browser, and if you are using the Tor Bundle, that you update that as well. These releases
are extremely important for security and often include patches for found vulnerabilities.


Chapter 8_ Networks

Keeping your network secure is a must to keep intruders out and your information from
getting into the wrong hands. Furthermore, it protects you from other people hopping on your
network, doing something illegal, and having the evidence point to you. Network security covers a
variety of computer networks, both public and private, and you should concern yourself with both. This
chapter will explain some of the common methods of security and give a brief introduction to a few
networking terms, as well as the security concerns when hopping on another person's network. This will
include both hardware and software methods to ensure this security.

Topics
This Chapter will cover the following topics:

Private vs. Public IP Address
MAC Address
Public Wireless
Security Protocols
Chat Sites - How Attackers Attack
Other Considerations


8.1. Intro to Networking

Before we begin diving into this section, we are going to discuss the fundamentals of networking. If you
are wondering why, it's because we are going to use networking terminology and refer to the functions these
devices serve. So the first question you may ask will be answered first. What is a network?

A computer network or data network is a telecommunications network that allows computers to
exchange data. There are two types of networks: a public and a private network. A private network is
typically the devices within your home or place of business. Within the private network, you have
interconnected devices such as computers, gaming devices, phones, media servers, etc. Then we
have a public network, which is an interconnected network of private networks reachable on the
internet.

Now that you know what a network is, we are moving on to how these devices in a network physically
connect to each other. Inside a private network, all the devices that connect via a cable (also called an
Ethernet cable) are plugged into a network switch or the less popular device known as a network
hub. I specify network switch as there are a couple of different types of switches. Switches provide more
speed and security than network hubs. We won't get into the security features in this guide.

I will state later on in this guide that if the administrator of the network device is using a hub, they can
capture all data easily. Most of you are familiar with a basic home router. But most of you don't know
that with a home router, the ports in the back are actually switch ports, from a switch that is built into the
router itself. There are two primary differences between hubs and switches: hubs are half-duplex whereas
switches are full-duplex, and hubs have one collision domain whereas switches have a collision domain per
port. Basically, full duplex means a device can send and receive information at the same time, whereas
half-duplex devices cannot. Wireless devices send data in half-duplex mode as well; this is one reason why
wireless connections are slower than wired connections.

A network collision occurs when more than one device attempts to send a packet on a network segment at
the same time, and a collision domain defines where packets can collide with one another. So, for example,
let's say you have a 5-port hub. A hub has one collision domain, so all the information being sent through
any one of those ports can collide with any data from the same port or another port. If you are plugged into
port 1, information will be sent to ports 1, 2, 3, 4, and 5. A switch, on the other hand, may have 5 ports,
but each port only transfers packets to the host that is using that port. So, port 1 transfers packets only
through port 1, port 2 through port 2, port 3 through port 3, and so on. I also said that a switch can send
and receive packets at the same time, making collisions nearly impossible. As you can see in the
illustration, when Host A wants to send information to Host B, a hub sends the data to all ports and a switch
only sends the data to the port Host B resides on. With a hub, an attacker can sit on Host C or D and capture
all the traffic coming from another device.

Now you know how devices are connected within a private network: with the use of switches. Next, we
are going to talk about how different networks connect with one another and how devices within a
network can talk with each other. Remember, though, this is an intro to networking, so I will not be
going into any technical details. That said, a group of networks are connected with one another using
a router. And a router does just as the name implies; it routes between two or more networks. Look
below for a basic network diagram.

So, let's talk about the illustration above to learn more about how these devices communicate. As you
can see, two or more networks communicate via a router. This can be seen in the diagram as Router A
and Router B, which specify two different networks. Branching off from the routers, a network
switch is used. Again, the switches connect the devices within the network and the router routes traffic
between networks. Finally, connected to each switch are the devices within each private network.

Moving on, what we just described was how devices connect to each other physically, but not logically.
I told you the basics on network switches and hubs and how they route traffic. But they cannot route
traffic if the devices in the network do not have IP addresses. An Internet Protocol address (IP address)
is a numerical label assigned to each device (e.g., computer, printer) so that they may communicate with
one another. To help facilitate this, there is a service known as a DHCP service, which stands for Dynamic
Host Configuration Protocol, and is responsible for leasing out IP addresses to devices connected to the
network.


There are two types of IP address: a public IP address and a private IP address. Public IP addresses are
used over the internet and private IP addresses are used within private networks. Private addresses fall
within these ranges:

192.168.0.1 to 192.168.255.254
172.16.0.1 to 172.31.255.254
10.0.0.1 to 10.255.255.254

When dealing with IP addresses and networking, there are two other numbers that you should also
know about: subnet masks and default gateways. A subnet allows the flow of network traffic between
hosts to be segregated based on a network configuration. By organizing hosts into logical groups,
subnetting can improve network security and performance. For example, most home devices are given a
subnet mask of 255.255.255.0, which looks like 11111111 11111111 11111111 00000000 in binary
notation. Without getting into subnetting, which could take me pages to explain, any devices that have the
same numbers in the first three octets with a subnet mask of 255.255.255.0 can communicate.

For example: 192.168.1.2 and 192.168.1.3 and 192.168.1.4 and so on can communicate with each other,
but devices with IP addresses of 192.168.1.2 and 192.168.2.2 cannot communicate. This is because they
are in two different networks and therefore are logically separated. Furthermore, by changing the subnet
mask you can change the number of hosts per network. We won't get into that at all as, again, that deals
with subnetting. You might also notice that if your network is full, the first IP address and the last IP
address are not used at all. In this case, 192.168.1.0 and 192.168.1.255 are not used: 192.168.1.0 is the
network address and 192.168.1.255 is the broadcast address. Finally, the default gateway is the last resort
gateway and is used to route traffic when a device does not know where else to send it. Practically speaking,
your home router acts as your default gateway (and your DHCP server) as it knows how to send data within
the network and over the internet.
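The subnet arithmetic above (the private ranges, the 255.255.255.0 mask, the unused network and broadcast addresses, and when the default gateway comes into play) is worked through in the script below. It is an added example, not part of the guide; the function names are mine, it generalises to any contiguous mask rather than only /24, and it cross-checks the hand-rolled bit arithmetic against Python's ipaddress module.

```python
"""Subnet arithmetic from the networking intro, done by hand and cross-checked (added example)."""
import ipaddress

# The private ranges exactly as the guide lists them (first and last host of each block).
PRIVATE_RANGES = [
    ("192.168.0.1", "192.168.255.254"),
    ("172.16.0.1", "172.31.255.254"),
    ("10.0.0.1", "10.255.255.254"),
]


def to_int(dotted):
    """'192.168.1.2' -> 32-bit integer, rejecting anything that is not four octets 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_int(mask):
    """A subnet mask must be a run of 1 bits followed by 0 bits (255.255.255.0 is, 255.0.255.0 is not)."""
    m = to_int(mask)
    if (m | (m - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return m


def is_private(addr):
    """True when addr falls inside one of the guide's private ranges."""
    n = to_int(addr)
    return any(to_int(lo) <= n <= to_int(hi) for lo, hi in PRIVATE_RANGES)


def network_and_broadcast(addr, mask):
    """AND with the mask gives the network address; OR with the inverted mask gives broadcast.
    Neither is handed to a host, which is why 192.168.1.0 and 192.168.1.255 go unused."""
    m = mask_to_int(mask)
    net = to_int(addr) & m
    bcast = net | (~m & 0xFFFFFFFF)
    return to_dotted(net), to_dotted(bcast)


def same_subnet(a, b, mask):
    """Two hosts can talk directly when the bits covered by the mask are identical."""
    m = mask_to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


def usable_hosts(mask):
    """2^(zero bits in the mask) minus the network and broadcast addresses."""
    zero_bits = 32 - bin(mask_to_int(mask)).count("1")
    return (1 << zero_bits) - 2


def next_hop(src, dst, mask, gateway):
    """Where src sends a packet for dst: straight to dst on the same subnet, else to the default gateway."""
    return dst if same_subnet(src, dst, mask) else gateway


def cross_check(addr, mask):
    """True when the hand-rolled result agrees with the standard library."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    expected = (str(iface.network.network_address), str(iface.network.broadcast_address))
    return network_and_broadcast(addr, mask) == expected


if __name__ == "__main__":
    print(network_and_broadcast("192.168.1.2", "255.255.255.0"))   # ('192.168.1.0', '192.168.1.255')
    print(same_subnet("192.168.1.2", "192.168.2.2", "255.255.255.0"))  # False
    print(next_hop("192.168.1.2", "192.168.2.2", "255.255.255.0", "192.168.1.1"))  # 192.168.1.1
```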

Wrapping this up, when computers want to communicate in a network they send an ARP request that
is used by the network devices and the network switch to send data to other devices within the same
network. I describe this process further down in the guide when explaining ARP replay attacks,
so I will skip it for now. Routers can communicate directly with one another using a DCE/DTE cable or
through the internet via a modem. Old modems converted the incoming data from analog to digital and
vice versa on the way out. Cable modems, which are used most nowadays, convert the cable feed
into a format that can be used by several devices in your home. Your ISP uses DHCP services to lease
you an IP address so you have internet access. When you are finally able to communicate within
your network or over the internet, data is sent in what are called packets. Packets and packet forensics are
described below in section 8.4.


8.2. Private vs. Public IP Address

A private IP address (assigned by the owner's wireless device) is assigned per device in the network from
a DHCP pool. DHCP pulls from a list of available IP addresses and assigns one when a device is attached to
the network. A particular IP address is not assigned to a specific device (there is no static mapping), therefore
people cannot use IP addresses to locate your specific device. Static IP addressing can be used, but
typically is not used in a home environment. When you connect to a wireless device, it is possible that your
IP address changes each and every time you connect, depending on what else is connected to the network.
Also, unless the IP address is currently leased out, nobody will be able to look in a log (typically) to
determine which IP address was connected when.

The other IP address is known as a Public IP address. This type of address is what your ISP (Internet Service
Provider) uses to identify you. When you log into a website, this is the IP address that is logged. When
you use proxy or VPN services, the Public IP address is hidden and the VPN/proxy IP address is
exposed. If somebody has your IP address, they can get the geographical location of where you live,
whereas your ISP has your name, telephone number, home address, and whatever else you have given
them. Lastly, when you are connected to a person directly (DCC, video chat, P2P, etc.), they can also log
your Public IP address.

8.3. MAC Address

Think of a MAC address like a bank account number; we are each given a bank account number so that when
we make a purchase, at a grocery store for example, the grocery store knows how to send the payment
to your bank and vice-versa. Similarly, a MAC address, which is unique to your wireless card, allows the
router to know where to send the data. And if you really care, the MAC address is held in an ARP table,
but we won't get into that.

Note: To change the MAC address in Linux, you can use the hw ether option of ifconfig, running each of the
following commands separately: ifconfig eth0 down, then ifconfig eth0 hw ether 00:00:00:00:00:00, then
ifconfig eth0 up, then ifconfig eth0 | grep HWaddr to confirm the change. Notice, you will use a custom MAC
address instead of 00:00:00:00:00:00. Also, you will want to replace eth0 with the adapter that you are using.


When you connect to a network, the router logs the computer's MAC address and temporarily saves the
computer's IP address. People can also sniff the network to see what you are doing and record your MAC
address that way. And yet another way people can get your MAC address is if they use software that
monitors the network and records all the devices automatically. All these methods have one thing in
common (besides the obvious): they can only record the addresses that are broadcast, meaning if you
change your MAC address, these methods are useless.

People use MAC address changers for many reasons, mostly for getting free WiFi by bypassing MAC
address filtering or for performing MAC flood attacks. If you connect to a public network, or your
neighbor's network, I would use a MAC address changer to make it hard to locate you. Earlier, we said
that a MAC address is unique to your computer; so if they were to look at all of the devices in your
house, they won't find the device with the MAC address that was logged because it has been changed. The
easiest way to change the MAC address is to download a program to do it for you; otherwise you can
change it in your network settings. Win7 MAC Address Changer Portable is a good program to do this for you.
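The other side of the same fact, as an added example (this is not code from the guide): a router or DHCP server only ever sees the address a device announces, but one thing it can still check is the second-lowest bit of the first MAC byte, which the IEEE reserves for "locally administered" addresses. Factory-burned addresses have that bit clear; addresses assigned by software usually set it. The lease log below is constructed for the example and the function names are mine.

```python
import re

# Colon (aa:bb:..), dash (AA-BB-..) or Cisco dotted (aabb.ccdd.eeff) notation.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)


def normalize_mac(text: str) -> str:
    """Return the address as lower-case aa:bb:cc:dd:ee:ff whatever notation came in."""
    text = text.strip().lower()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text: str) -> dict:
    """Decode the two flag bits in the first byte plus the 24-bit vendor prefix (OUI)."""
    mac = normalize_mac(text)
    first = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                              # first three bytes: the vendor prefix
        "multicast": bool(first & 0x01),             # I/G bit: group address
        "locally_administered": bool(first & 0x02),  # U/L bit: set by software, not the factory
    }


# Constructed DHCP-lease style log (not from the guide): "ip mac hostname" per line.
LEASE_LOG = """\
192.168.0.6   08:00:27:4e:9a:1c   laptop
192.168.0.7   00-0C-29-AB-12-34   desktop
192.168.0.8   0200.5e10.3b77      unknown-device
192.168.0.9   02:1a:2b:3c:4d:5e   guest-phone
"""


def suspicious_leases(log: str) -> list:
    """(ip, mac, host) for every lease whose MAC carries the locally-administered bit."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ip, mac, host = line.split()
        info = describe_mac(mac)
        if info["locally_administered"]:
            flagged.append((ip, info["mac"], host))
    return flagged


if __name__ == "__main__":
    for ip, mac, host in suspicious_leases(LEASE_LOG):
        print(f"{ip:15} {mac} {host}: locally administered address")
```

A set U/L bit is evidence, not proof: virtual machines, containers and the MAC randomization built into recent phone operating systems also hand out locally administered addresses, so treat the output as a list worth a second look rather than a verdict.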

As a quick note, another recent discovery that can identify individual computers and that cannot be
spoofed (as of yet) uses the computer's graphics card. The PUFFIN Project (physically unclonable
functions found in standard PC components) has brought forward research suggesting that GPU
manufacturing processes leave each product with a unique "fingerprint." The PUFFIN team has created
software that can detect these physical differences between GPUs. This is another way that someone can
determine whether your device was used in a crime if your GPU fingerprint was obtained. PUFFIN's
research will run until 2015.

8.4. Public Wireless

It is up to you whether or not to stop using the neighbor's wireless. But know that they can see Tor
traffic if they: use a packet sniffer and perform a MiTM attack when their wireless network is not
protected, use a network hub (which broadcasts information out of all ports), have a managed switch and
enable port mirroring, or change the MAC address of their computer to that of the AP (Access Point).
Even though they can see Tor traffic, they cannot see what you are doing inside of Tor and they still
will have no clue that it was you. If they could, the purpose of Tor would be defeated. There are other
risks with using public networks (or your neighbor's network), therefore it is not recommended (unless
you are absolutely sure that you are safe).

These risks include attackers remotely logging into your computer via a known backdoor or an exploit.
The best known operating system for attacking a machine is BackTrack. BackTrack is a Linux-based
penetration testing arsenal that aids security professionals in the ability to perform assessments in a
purely native environment dedicated to hacking. The methods of attack in BackTrack target operating
systems, applications, phones, networks, internet protocols, websites, etc. The best part about
BackTrack is that it is free! I would start with getting a good firewall and anti-virus for your
computer. Also, make sure you follow the System Hardening section (Section 6) to help correctly
configure your machine.

As always, I would use Tor for all sensitive information for which you do not want anyone to learn your
location or monitor your browsing habits. To protect all other sensitive data that does not require such
anonymity, I would recommend the use of a VPN. A VPN reroutes all computer traffic through a secure
tunnel to a trusted third party (or a designated network) before the information reaches its destination.
This provides security against anyone sniffing your computer traffic, as all information is encrypted.
Common reasons for a VPN are: checking emails, checking your bank account, application data security,
or transmitting insecure data over a secure data stream. The difference between Tor and a VPN is that
when using Tor, nobody knows who you are, whereas with a VPN somebody always does.

Network Sniffing Tools

There are several sniffing tools available. Listed below are some of the common tools:

Wireshark - One of the most popular packet sniffing programs available and the successor to Ethereal, offering a tremendous number of features to assist in dissecting and analyzing traffic
Omnipeek - Created and manufactured by WildPackets, Omnipeek is a commercial product that is the evolution of EtherPeek
Dsniff - A suite of tools designed to perform sniffing as well as other tools to reveal passwords. Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent for Windows
Cain and Abel - Provides much of the same tools as Dsniff but also provides features such as ARP poisoning (a MiTM attack can be performed inside a network), enumeration of Windows systems, and password cracking
Etherape - A UNIX/Linux tool that was designed to show the connections going in and out of the system graphically
NetWitness Investigator - A free tool that allows a user to perform network analysis as well as packet reassembly and dissection


Here is an example of what captured packets look like in Wireshark. If you want to learn more about
network investigations, using packet sniffers and analyzing the data is a good way to start. Starting with
the fundamentals, I would learn about simple networking and the basic port numbers and what they are
used for. Let's use the example above and learn what is going on.

The first four packets we will talk about (No. 8 - 11) are all DNS packets. Packet 8 is a DNS request
from IP address 192.168.82.133 to IP address 208.67.222.222 for the domain www.youtube.com. The
Source field is your IP address (or the address of the originating computer). The Destination field is
the address where the data is going. The protocol is DNS, as seen in the Protocol field. DNS is the
Domain Name System and is the protocol used to get the IP address for a domain name. And finally, the
Info field summarizes the data within the packet. In this case, packet 8 is the request (Standard query A
www.youtube.com) and packet 9 is the reply with the CNAME record and the IP address (Standard query
response). The A record is the standard record that maps a domain name to an IP address, and a CNAME
record is a type of DNS record that specifies that the domain name is an alias of another, canonical
domain name.

Moving on, packets 12 - 14 are the standard TCP three-way handshake. More information can be found in
section 8.5; the handshake is denoted by the packets [SYN], [SYN, ACK], then [ACK]. Once the final
[ACK] packet has been sent, the connection is made and information can flow.

The next packet is the GET request. This packet is telling the HTTP server that it is requesting
resources (in this case, the content on the webpage). If you submit data you will see a POST request,
meaning that you are sending resources to the webserver.

Finally, the user is sending and receiving information from the website, as you can see by the Source
port in the information pane. Port 80 (http) denotes web traffic and is used when a user is trying to
access a webpage.
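What Wireshark summarizes as "Standard query A www.youtube.com" and "Standard query response CNAME ... A ..." is a small binary format that is worth taking apart once by hand. The Python below is an added example, not code from the guide: it builds a query for the domain from the capture, constructs a matching response (the CNAME target and the 192.0.2.10 TEST-NET address are made up for the example, and so is the transaction ID), then parses both back, including the name-compression pointers real responses use. The last two functions decode the TCP flag byte the same way the [SYN], [SYN, ACK], [ACK] labels do.

```python
import struct

QTYPE_A, QTYPE_CNAME = 1, 5
TYPE_NAMES = {QTYPE_A: "A", QTYPE_CNAME: "CNAME"}


def encode_name(name: str) -> bytes:
    """www.youtube.com -> 3www7youtube3com0 (length-prefixed labels, zero terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bounded so a malicious pointer loop cannot hang the parser
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 2-byte pointer to a name seen earlier
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg: bytes) -> dict:
    """Header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPE_CNAME:
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_query(txid: int, name: str) -> bytes:
    """'Standard query A <name>' with the recursion-desired flag (0x0100) set."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def build_sample_response(query: bytes) -> bytes:
    """Constructed 'Standard query response': a CNAME then an A record, both using
    compression pointers. Target name and address are made up for this example."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!6H", txid, 0x8180, 1, 2, 0, 0)  # QR, RD, RA set; 2 answers
    target = encode_name("youtube-ui.l.google.com")
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, 1, 300, len(target)) + target
    target_offset = 12 + len(question) + 2 + 10           # where the CNAME rdata starts
    a_rr = (struct.pack("!H", 0xC000 | target_offset)
            + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10]))
    return header + question + cname_rr + a_rr


TCP_FLAG_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))


def tcp_flag_names(flags: int) -> tuple:
    """Names of the bits set in the TCP flags byte, in the order Wireshark labels them."""
    return tuple(name for bit, name in TCP_FLAG_BITS if flags & bit)


def handshake_complete(flag_sequence) -> bool:
    """True for the [SYN], [SYN, ACK], [ACK] sequence of packets 12-14."""
    return [tcp_flag_names(f) for f in flag_sequence] == [("SYN",), ("SYN", "ACK"), ("ACK",)]
```

The bounded loop in decode_name is the detail to keep: a response whose pointer refers back to itself is a classic way to wedge a naive resolver, and the ValueError is the right outcome for it.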

This is the basic overview of web traffic that can be captured and read. Protocols such as FTP and HTTP
are done in cleartext, meaning you can read all the data that is contained within the packets. This is
especially a problem for the user if information such as usernames or passwords is being sent. FTP, for
example, requires the user to log in to the server, but sends all the information in the clear. The
picture below is an example of network traffic that captured the FTP username and password. The
Destination field tells you that the FTP server has an IP address of 10.0.8.126 and the user requesting
it has an IP address of 10.0.4.232.

There are two more things that I want to discuss before moving on to the next section:
1. When using Wireshark, you should familiarize yourself with filtering and Follow TCP Stream
2. Reassembling packets to view data such as images and getting a detailed view of packet analysis

One popular feature of Wireshark is to follow the stream of captured packets. Let's say that a user is
sending an email and has attached a compressed file along with it. Using Wireshark, you can find a
packet in the stream, right-click the packet, and select Follow TCP Stream. A new window will open with
all the data in the stream, which will contain the file you are trying to download. Once the new window
is opened and fully loaded, you can click Save As to save the data to a file. The file is now ready to be
opened with the program that handles the file type.

Moving along to the second item on the list, you can also reassemble packets to view the information
contained within those packets. Let's say for example that someone views a bunch of images over the
internet. Reassembling the packets will allow you to view the images the user viewed. Now, Wireshark
is good for capturing packets and is a great program for a bunch of purposes, but it is not a great
program when trying to do this. Personally, I use a program called NetWitness Investigator that will not
only allow you to view the data that was captured, but will allow you to do so graphically. Everything
is point and click and there is no real need to know about packet analysis beyond the very basics. And
finally, this program shows a detailed view of the packets captured.

Common port numbers:

Application | Port     | Protocol | Notes
HTTP        | 80, 8080 | TCP      | Hypertext Transfer Protocol. Used by web browsers such as Internet Explorer, Firefox and Opera.
HTTPS       | 443      | TCP, UDP | Used for secure web browsing.
IMAP        | 143      | TCP      | Email applications including Outlook, Outlook Express, Eudora and Thunderbird.
FTP         | 20 to 21 | TCP      | File Transfer Protocol.
SSH         | 22       | TCP      | Secure Shell protocol. Provides a secure session when logging into a remote machine.
Telnet      | 23       | TCP      | Used for remote server administration.
DNS         | 53       | TCP, UDP | Domain Name System protocol for converting domain names to IP addresses.
POP3        | 110      | TCP      | Post Office Protocol. For receiving email.
SMTP        | 25       | TCP      | Simple Mail Transfer Protocol, used for sending email.

8.5. Security Protocols

Securing your network should be as important as securing your computer. Allowing people access to your
network opens you up to attack and, as previously stated, legal issues, because they can get caught doing
something they weren't supposed to on your network. If you are doing everything securely on your network
computer but someone gets caught downloading child porn, the government is coming after you. There
are several ways to protect your network depending on your equipment and whether you use custom firmware
or not. If you get a router, plug it in, and start using it, you are NOT protected!

The first thing that anybody needs to do is change the default password for the device so nobody can log
in and change the security settings. After changing the device password, you should create a wireless
password to limit the people who can get on the device in the first place. There are several types of
protocols that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and WPA2 are
protocols that rely on password authentication to accept users who are trying to connect to your wireless
device. MAC Address Filtering, on the other hand, only allows specific wireless devices access to the
network depending on their MAC addresses.

WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer
standards such as WPA and WPA2. WPA is also deprecated, making WPA2 the recommended security protocol.
WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all
devices. If you want to get technical, WPA uses TKIP whereas WPA2 uses AES-CCMP. TKIP is the Temporal
Key Integrity Protocol and AES-CCMP is Advanced Encryption Standard - Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol. MAC address filtering filters wireless devices, allowing
only those on the allowed list into the network. The problem, however, is that it can be easily defeated
if someone changes their MAC address to one that is allowed.

Wireless Hacking Tools

I recommend obtaining a copy of BackTrack as there are many wireless hacking tools already installed.
Here are some other tools that will help you:

Kismet - Using Kismet one can see all the open wireless networks, as well as those wireless networks which don't broadcast their SSIDs. It's a matter of minutes to use this tool and identify networks around you
Netstumbler - NetStumbler is a freeware Wi-Fi hacking tool that's compatible with Windows only. It can be used to search for open wireless networks and establish unauthorized connections with them
Medieval Bluetooth Scanner - This program can analyze and scan your Bluetooth network, finding Bluetooth devices that can be attacked (see bluejacking, bluesnarfing or bluebugging)
Core Impact - This is widely considered to be the most powerful exploitation tool available. However, Core Impact is not cheap and will set anybody back at least $30,000
Wireshark - The Wireshark Wi-Fi hacking tool not only allows hackers to find out all available wireless networks, but also keeps the connection active and helps the hacker to sniff the data flowing through the network
AirSnort - Most Wi-Fi hacking tools work only when there are no encrypted security settings. While NetStumbler and Kismet fail to work if wireless encryption is being used, AirSnort works to break the network key to get you inside the network
CowPatty - CowPatty is another Wi-Fi network hacking tool that can crack WPA-PSK protection, and using this hackers can even break into more secure Wi-Fi environments
Reaver - This program takes advantage of the weakness inherent in WPS (WiFi Protected Setup)

Common attack methods and terminology

I call these methods common but they are really the better known and more used attacks out there. The
last two definitions are methods for defense once an attacker enters the network. Note that this list is
non-exhaustive and more attacks exist.

ARP Spoofing - Address Resolution Protocol (ARP) is a service that converts IP addresses to MAC addresses that are used by the local LAN (Local Area Network). ARP spoofing is a technique whereby an attacker sends fake ("spoofed") ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

MAC Spoofing - A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy. This can be an attack to get past security safeguards, to masquerade as another device, or to trick a device into sending data to it.

Fragmentation - IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. Every network link has a characteristic size of messages that may be transmitted, called the maximum transmission unit (MTU). There are several attacks based on IP fragmentation, and they can be used against services that do not protect themselves from these types of attacks.

Buffer Overflow - An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.

DNS Poisoning - DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's) or a website. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.

ICMP Redirect - An ICMP Redirect tells the recipient system to override something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses its connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network.

Proxy Manipulation - This attack involves altering the proxy settings of the target machine to redirect traffic to the attacker's computer or service. Doing this, the attacker can capture all data, inject data, or log information such as IP addresses or other sensitive computer information.

Rogue DNS - DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behavior of a trusted DNS server so that it does not comply with internet standards.

Rogue AP - A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. For the purposes of this guide, a rogue AP can be set up by an attacker so that a victim will unknowingly connect to the AP and send all data through the attacker.

Honeypot - A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

Padded Cell - A padded cell is a honeypot that has been protected so that it cannot be easily compromised. In other words, a padded cell is a hardened honeypot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm; the nature of this host environment is what gives the approach its name, padded cell.
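The ARP spoofing entry above describes exactly what a LAN monitor can watch for: one IP address (typically the gateway's) suddenly being answered for by a different MAC, or one MAC answering for several IP addresses. The Python below is an added example and not from the guide; it runs the two checks over a constructed log of ARP replies in the form a sniffer would record them (timestamp, sender IP, sender MAC), which is the same comparison tools such as arpwatch make continuously.

```python
from collections import defaultdict

# Constructed sequence of ARP replies seen on a LAN (not from the guide):
# "timestamp sender-ip sender-mac". At 10:00:07 a second host starts
# answering for the gateway address 192.168.0.1.
ARP_LOG = """\
10:00:01 192.168.0.1   00:11:22:33:44:55
10:00:02 192.168.0.6   08:00:27:4e:9a:1c
10:00:03 192.168.0.9   02:1a:2b:3c:4d:5e
10:00:07 192.168.0.1   02:1a:2b:3c:4d:5e
10:00:08 192.168.0.1   02:1a:2b:3c:4d:5e
"""


def parse_arp_log(text: str):
    """Yield (timestamp, ip, mac) for each non-empty line of the log."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, ip, mac = parts
            yield ts, ip, mac.lower()


def detect_arp_conflicts(entries, gateway_ip=None) -> list:
    """Alerts for IPs whose claimed MAC changes and for MACs claiming more than one IP.

    The first mapping seen for an IP is trusted as the baseline; a real monitor
    would seed this table from the switch or DHCP server instead."""
    current = {}                    # ip -> mac last seen answering for it
    ips_per_mac = defaultdict(set)  # mac -> every ip it has claimed
    alerts = []
    for ts, ip, mac in entries:
        ips_per_mac[mac].add(ip)
        previous = current.get(ip)
        if previous is not None and previous != mac:
            note = " (gateway!)" if ip == gateway_ip else ""
            alerts.append(f"{ts} {ip} moved from {previous} to {mac}{note}")
        current[ip] = mac
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_arp_log(ARP_LOG), gateway_ip="192.168.0.1"):
        print("ALERT:", alert)
```

A MAC change for an IP is not always an attack: a replaced NIC, a DHCP lease handed to a new device, or a router pair doing VRRP failover all produce the same event, so the alert is a prompt to check, not a conviction. On the prevention side, a static ARP entry for the gateway on important hosts and dynamic ARP inspection on a managed switch both stop the spoofed reply from taking effect.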

8.6. Virtual Private Networks

Throughout this guide I mention the use of Virtual Private Networks (VPNs), and now I am going to
explain exactly what one is. In the simplest of terms, a VPN transmits data from one network to another
as if they were on the same network. For example, let's say that you have a file server on your home
network that you want to access while on vacation. A VPN allows you to log into the network and view
those files as if you were sitting at home. Furthermore, tunneling your connection through an untrusted
network to a trusted network with the use of a VPN ensures that no private data is leaked to
unscrupulous parties.


There are several reasons to use VPNs and there are even more people who use them. Most often, you
will see the use of this technology employed by businesses that have employees who want to connect to
the office, or several offices that need to connect to the home office. There are a few types of
configurations, including host-to-host, gateway-to-gateway, and host-to-gateway. Host-to-host is
most often used when one person needs to directly communicate with another person (share files from
one PC to another, chat, etc.), gateway-to-gateway is when two or more locations need to share data
between networks, and host-to-gateway is when users need to connect to a network to access network
resources (like in our first example).

That said, access to resources is not the only reason why you would want to use a VPN. As I said in
the first example, a VPN can be used for secure communication between two nodes. What I mean is this:
let's assume that you are on an untrusted network or you are exchanging data over an untrusted medium,
such as the internet. A VPN encrypts your data, creates a secure tunnel between you and the host
machine (the device receiving the VPN traffic), and transfers the data without anyone being able to see
or inject anything harmful along the way. Note: when I say they cannot inject, both sides perform a
check of the data. If someone injects or modifies the data, it will be discarded and resent.

Moving on, the acronym VPN does not implicitly refer to secure data transmission, but refers to how
data is transferred from one point to another. You can break a VPN into two parts: the tunneling
protocols and the encryption protocols. Tunneling protocols define how data traverses networks and the
internet. By their very nature, these protocols do not provide any encryption. It's like driving a car
without any airbags; it's not worried about safety, it just cares that it gets there. Encryption
protocols, on the other hand, are concerned with just that: encrypting the data.


Used together, VPNs can provide for confidentiality, integrity, and authentication:

Confidentiality: When the data is encrypted and sent to a secure, private network, you can mitigate the risk of third parties reading your data while in transit
Integrity: VPNs are also used to detect changes in data when received on either side
Authentication: When you connect to a host or a client, you can be reasonably sure that the other person is who they say they are. This is because tunnel endpoints must verify the other party before a connection is established

Selecting both tunneling and encryption protocols will mostly depend on your needs and what you have
at your disposal. For example, for a client-to-client connection, you can use LogMeIn Hamachi to
establish a secure VPN between the two. SonicWalls use SSL VPNs that can be used host-to-host or
host-to-client, and custom firmware routers running OpenVPN can do the same thing but add host-to-host
to the mix. For the purposes of this guide, I recommend using OpenVPN as it is free and open source.

Without getting into too much detail about how VPNs work and what is happening behind the scenes, I
will give you a broad overview of the types of tunnels and encryption protocols VPNs use.

Protocols:

Point-to-Point Protocol (PPP): This protocol defines how data is transmitted over serial lines. Nowadays, PPP is mostly not used except for dial-up connections between modems.

Point-to-Point Tunneling Protocol (PPTP): PPTP is a good, lightweight VPN protocol offering basic online security with fast speeds. PPTP is built in to a wide array of desktop and mobile devices and features 128-bit encryption. PPTP is a good choice if OpenVPN isn't available on your device and speed is the top priority.

Layer Two Tunneling Protocol (L2TP)/IPsec: L2TP (Layer 2 Tunneling Protocol) with IPsec (IP Security) is a very secure protocol built in to a wide array of desktop and mobile devices. L2TP/IPsec features 256-bit encryption, but the extra security overhead requires more CPU usage than PPTP. L2TP/IPsec is an excellent choice if OpenVPN is not available on your device, but you want more security than PPTP.

Internet Protocol Security (IPsec): IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model. If you are choosing to use IPsec, you should know about the two modes it uses to transport the data: tunnel and transport.
    Tunnel: In tunnel mode, the entire packet is encrypted, including the header information. The encrypted packet is then encapsulated and a new header is added before the data is sent. Specifically, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPsec security protocols used to provide these security services. However, we will not get into that in this guide.
    Transport: This mode encrypts the payload, but does nothing to protect the header information. Again, the header information provides information such as source and destination IP address, port information, frame sequence, flags, etc.

OpenVPN: OpenVPN is the premier VPN protocol designed for modern broadband networks, but is not supported by mobile devices and tablets. OpenVPN features 256-bit encryption and is extremely stable and fast over networks with long distances and high latency. It provides greater security than PPTP and requires less CPU usage than L2TP/IPsec. OpenVPN is the recommended protocol for desktops, including Windows, Mac OS X, and Linux.

Secure Socket Layer (SSL): An SSL VPN is a form of VPN that can be used with a standard web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It's used to give remote users access to web applications, client/server applications and internal network connections.

Comparison chart:

Compatibility
    PPTP: Built-in support for a wide array of desktops, mobile devices, and tablets.
    L2TP/IPsec: Built-in support for a wide array of desktops, mobile devices, and tablets.
    OpenVPN: Supported by most desktop computers.

Supported Systems
    PPTP: Windows, Mac OS X, Linux, iOS, Android, DD-WRT
    L2TP/IPsec: Windows, Mac OS X, Linux, iOS, Android
    OpenVPN: Windows, Mac OS X, Linux, Android

Encryption
    PPTP: 128-bit
    L2TP/IPsec: 256-bit
    OpenVPN: 160-bit / 256-bit

Security
    PPTP: Basic encryption
    L2TP/IPsec: Uses the highest encryption. Data integrity checking, encapsulates data twice.
    OpenVPN: Highest encryption, no known vulnerabilities, authenticates the data on both ends of the connection through digital certificates.

Stability
    PPTP: Very stable, accepted by most Wi-Fi hotspots
    L2TP/IPsec: Stable if your device supports NAT
    OpenVPN: Most stable/reliable even on non-reliable networks, behind wireless routers, and on Wi-Fi hotspots

Setup
    PPTP: Easy to set up, built in to most operating systems
    L2TP/IPsec: Requires custom configuration
    OpenVPN: Easy to set up with software

Speed
    PPTP: Fast because of lower encryption overhead
    L2TP/IPsec: Requires the most CPU processing
    OpenVPN: Best performance. Fast, even across great distances and on high latency connections.

Conclusion
    PPTP: A good choice if OpenVPN isn't available on your device and if ease of use and speed are priorities over security.
    L2TP/IPsec: More secure than PPTP but not as fast and requires additional configuration. A good choice if OpenVPN isn't available on your device and security is a priority over ease of use and speed.
    OpenVPN: Best choice on desktops, such as Windows, Mac OS X and Linux. Fast, secure and reliable. OpenVPN is the recommended protocol.

How a VPN connection is made:


Assume a remote host with public IP address 1.2.3.4 wishes to connect to a server found inside a
company network. The server has internal address 192.168.1.10 and is not reachable publicly. Before
the client can reach this server, it needs to go through a VPN server / firewall device that has public IP
address 5.6.7.8 and an internal address of 192.168.1.1. All data between the client and the server will
need to be kept confidential, hence a secure VPN is used.

1. The VPN client connects to a VPN server via an external network interface.
2. The VPN server assigns an IP address to the VPN client from the VPN server's subnet. The client gets internal IP address 192.168.1.50, for example, and creates a virtual network interface through which it will send encrypted packets to the other tunnel endpoint (the device at the other end of the tunnel). (This interface also gets the address 192.168.1.50.)
3. When the VPN client wishes to communicate with the company server, it prepares a packet addressed to 192.168.1.10, encrypts it and encapsulates it in an outer VPN packet, say an IPsec packet. This packet is then sent to the VPN server at IP address 5.6.7.8 over the public Internet. The inner packet is encrypted so that even if someone intercepts the packet over the Internet, they cannot get any information from it. They can see that the remote host is communicating with a server/firewall, but none of the contents of the communication. The inner encrypted packet has source address 192.168.1.50 and destination address 192.168.1.10. The outer packet has source address 1.2.3.4 and destination address 5.6.7.8.
4. When the packet reaches the VPN server from the Internet, the VPN server decapsulates the inner packet, decrypts it, finds the destination address to be 192.168.1.10, and forwards it to the intended server at 192.168.1.10.
5. After some time, the VPN server receives a reply packet from 192.168.1.10, intended for 192.168.1.50. The VPN server consults its routing table, and sees this packet is intended for a remote host that must go through the VPN.
6. The VPN server encrypts this reply packet, encapsulates it in a VPN packet and sends it out over the Internet. The inner encrypted packet has source address 192.168.1.10 and destination address 192.168.1.50. The outer VPN packet has source address 5.6.7.8 and destination address 1.2.3.4.
7. The remote host receives the packet. The VPN client decapsulates the inner packet, decrypts it, and passes it to the appropriate software at upper layers.
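The seven steps above, run end to end in Python as an added example (not code from the guide or from any VPN product). It uses the addresses from the walkthrough (client 1.2.3.4 / 192.168.1.50, VPN server 5.6.7.8, internal server 192.168.1.10) and makes three simplifications, all labelled in the code: an "IP packet" is an 8-byte header (source, destination) plus payload; the pre-shared key is a constructed constant rather than something negotiated by IKE; and in place of the ESP cipher it uses HMAC-SHA256 in counter mode as a keystream with a separate HMAC tag (encrypt-then-MAC), so that the integrity check described earlier in this section, the one that discards a modified packet, is visible. The tunnel-mode and transport-mode functions correspond to the two IPsec modes listed under Protocols.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed pre-shared key for this toy tunnel; a real VPN negotiates keys (e.g. via IKE).
PSK = b"constructed-example-key-not-from-the-guide"
NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF; a stand-in for the real ESP cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (the packet is then discarded)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def make_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified 'IP packet': 4-byte source, 4-byte destination, then the payload."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + payload


def parse_packet(pkt: bytes):
    return socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8]), pkt[8:]


def tunnel_encapsulate(key: bytes, outer_src: str, outer_dst: str, inner_pkt: bytes) -> bytes:
    """Tunnel mode: the whole inner packet, header included, is sealed; a new outer header is added."""
    return make_packet(outer_src, outer_dst, seal(key, inner_pkt))


def tunnel_decapsulate(key: bytes, outer_pkt: bytes):
    outer_src, outer_dst, body = parse_packet(outer_pkt)
    return outer_src, outer_dst, unseal(key, body)


def transport_encapsulate(key: bytes, pkt: bytes) -> bytes:
    """Transport mode: only the payload is sealed; the original header stays readable."""
    src, dst, payload = parse_packet(pkt)
    return make_packet(src, dst, seal(key, payload))


def walkthrough() -> dict:
    """Steps 3-7: client 1.2.3.4 (tunnel address 192.168.1.50) talks to 192.168.1.10."""
    inner = make_packet("192.168.1.50", "192.168.1.10", b"GET /report HTTP/1.0\r\n\r\n")
    outer = tunnel_encapsulate(PSK, "1.2.3.4", "5.6.7.8", inner)         # step 3
    seen_src, seen_dst, seen_body = parse_packet(outer)                  # an eavesdropper's view
    _, _, recovered = tunnel_decapsulate(PSK, outer)                     # step 4, at the VPN server
    _, deliver_to, _ = parse_packet(recovered)
    reply = make_packet("192.168.1.10", "192.168.1.50", b"HTTP/1.0 200 OK\r\n\r\n")
    reply_outer = tunnel_encapsulate(PSK, "5.6.7.8", "1.2.3.4", reply)   # steps 5-6
    _, _, reply_inner = tunnel_decapsulate(PSK, reply_outer)             # step 7, at the client
    tampered = bytearray(outer)
    tampered[8 + NONCE_LEN] ^= 0x01                                       # one ciphertext bit flipped in transit
    _, _, rejected = tunnel_decapsulate(PSK, bytes(tampered))
    return {
        "seen_on_internet": (seen_src, seen_dst),
        "inner_addresses_hidden": all(socket.inet_aton(a) not in seen_body
                                      for a in ("192.168.1.50", "192.168.1.10")),
        "delivered_to": deliver_to,
        "reply_payload": reply_inner[8:],
        "tampered_packet_discarded": rejected is None,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value!r}")
```

The point of the transport-mode function is the contrast: run it on the same inner packet and parse_packet still reads 192.168.1.50 and 192.168.1.10 from the result, which is exactly the header information the text says transport mode leaves unprotected.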

One last thing that I want to talk about is split tunneling. Split tunneling is the act of being connected to
both a WAN network (VPN) and a LAN network (your local home network) at the same time. When
enabled, data intended for the secure VPN might accidentally leak out the insecure part of the network.
Another risk is that an attacker can gain access to your computer via the LAN network and through it
have access to the private network you are connected to over the WAN. For best security, it is advised
to have split tunneling disabled at all times.

8.7. Chat Sites - How Attackers Attack

Some people were asking me about the risks involved in Omegle and downloading pictures to your
computer. So, briefly, I am going to describe here what I told them. Firstly and most obviously, Tor does
not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP traffic,
which is what video streaming operates over. So, if you are wondering how people actually capture this
traffic and obtain your IP address, this is how:

Try it out - Capture IP Address from Omegle
1. First, you will need to download a packet sniffer. I would use either Wireshark, Ethereal, or NetWitness Investigator. The first two will simply capture the packets whereas the latter will capture the packets and has the ability to put them back together. This is useful if you want to rebuild the video that was streaming.
2. Start Omegle (or an alternative chat site) and get connected to somebody on the other end. Capturing the IP address can also be done via text, but for this method, you must use your camera.
3. Start the packet sniffer of choice; for this example I will be using Wireshark.
4. To select the interface you will need to select Capture, then Interfaces.
5. Determine the interface that you are using (usually the one with the most packets) and press Start to start capturing the packets.
6. All you need is a few packets, even though you will get a few hundred to a few thousand. Once you have enough packets, press Stop the running live capture. This is denoted by the fourth icon at the top with the X, or you can select Stop under Capture. FAILURE TO STOP THE CAPTURE WILL CRASH YOUR MACHINE! THE AMOUNT OF PACKETS YOU CAN CAPTURE IS DEPENDENT ON THE AMOUNT OF MEMORY YOUR MACHINE HAS!
7. You are only concerned with UDP traffic, so in the Filter field, enter udp
8. Now, you will notice that there is more UDP traffic from two specific IP addresses than anything else; these IP addresses will be your IP address and the individual on the other end of the webcam. Your IP address will either start with 192.168.x.x or 10.x.x.x or possibly 172.x.x.x. Most likely, 192.168.x.x. There are restrictions, so if you have any questions, ask or refer to a private IP address list. The other IP address will be theirs.
9. Copy their IP address. This can be denoted via four octets separated by decimals or with dashes. It can also contain words or letters. 93.53.23.231, pd-93-53-23-231, or 93-53-23-231.abc.dgf.net will all be the same thing. In either case, you want to copy it down as 93.53.23.231. Notice that the words might be different; only concern yourself with the numbers.
10. That is it; you can use a reverse IP address lookup to find basic information.

That describes, simply, how to capture the IP address via a packet sniffer. While connected, the
connection can also be seen in your netstat output, although familiarizing yourself with that might be a
challenge if you do not know what you are looking at. The reason is that the UDP stream runs directly
between your machine and the peer, whereas the TCP traffic goes to a third-party site such as Omegle.
Another method is getting the person to click a link to a site the attacker controls that logs each
visitor's IP address (a honeypot, in the loose sense used here). There are a few out there, and it is easy
for people to be baited into navigating to them.

Looking at the illustration below, you will see an example of netstat output. The local address (red) is
your computer and the foreign address (yellow) is the remote device. 127.0.0.1 is your computer's
loopback address. So, this is telling you that the computer with the IP address 192.168.0.6 is connected
to websites at 66.102.1.104 and 72.232.101.40. You know this because of the :80 next to the foreign
addresses: port 80 is used for HTTP traffic when a user connects to a website. The other ports next to
192.168.0.6 are ephemeral ports assigned by the system. An IP lookup tells you that 66.102.1.104
belongs to Google whereas 72.232.101.40 belongs to Layered Technologies. Note: you can either find a
website to look up the IP address or you can try entering the IP address directly into the address bar.

Proto, or protocol, is the transport protocol being used; this can be either TCP or UDP. TCP is
connection-oriented: a lost packet is retransmitted, so there is no loss of data during transmission. UDP,
on the other hand, is connectionless, and if a packet is lost it is lost for good. There are about a dozen
TCP states you can familiarize yourself with, but we will not get into them much in this guide. For this
example, ESTABLISHED means that the connection (socket) has been set up, LISTENING means that the socket
(the program that created it) is waiting for incoming connections, and TIME_WAIT means that the socket is
waiting after close to handle packets still in the network. Finally, the PID identifies the program that
is handling the connection (netstat -ano on Windows shows it). The PID is assigned per process and can
change every time the program is started.

To look up the application associated with a particular PID, you can use Windows Task Manager, which
opens when you right-click the Taskbar and select Task Manager. Task Manager does not display PIDs by
default: on the Processes tab, click the View menu, then Select Columns. In the Select Columns (or Select
Process Page Columns) dialog, tick the checkbox for PID (Process Identifier) and click OK. You can then
right-click the process and choose Properties to see which program is being run and from where. The same
mapping is available from the command line with tasklist, which lists every running process with its PID.
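
To make the netstat reading above concrete, here is a small Python script, added to this guide rather than taken from it, that parses the text of netstat -ano and picks out the public addresses your machine is talking to, separating the direct UDP peers (the webcam stream from the exercise above) from the TCP connections to web servers. The listing it works on is constructed by hand, so the addresses and PIDs are made up; on a real machine you would feed it the output of netstat -ano.

```python
"""Parse Windows `netstat -ano` output and pick out the connections that matter.

Added example for this guide, not part of the original text. The sample
output below is constructed by hand to look like the listing described above;
the addresses and PIDs are made up.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port foreign_ip foreign_port state pid")

# Constructed sample: what `netstat -ano` prints on Windows Vista/7 (UDP rows have no state column).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       768
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       2312
  TCP    192.168.0.6:49321      66.102.1.104:80        ESTABLISHED     1504
  TCP    192.168.0.6:49322      72.232.101.40:80       TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1040
  UDP    192.168.0.6:53012      78.167.170.99:1907                     2960
"""

WELL_KNOWN_PORTS = {80: "http", 443: "https", 53: "dns", 21: "ftp", 22: "ssh",
                    9050: "tor-socks", 8118: "polipo"}


def _split_addr(text):
    """'192.168.0.6:49321' -> ('192.168.0.6', 49321); '*:*' -> ('*', None); '[::1]:135' -> ('::1', 135)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Turn the text of `netstat -ano` into Conn records; header lines are skipped."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = _split_addr(parts[1])
        foreign_ip, foreign_port = _split_addr(parts[2])
        # TCP rows: proto local foreign state pid ; UDP rows: proto local foreign pid
        state, pid = (parts[3], int(parts[4])) if len(parts) == 5 else ("", int(parts[3]))
        conns.append(Conn(parts[0], local_ip, local_port, foreign_ip, foreign_port, state, pid))
    return conns


def is_public(ip_text):
    """True for a routable address; False for private (RFC 1918), loopback, unspecified or '*'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified)


def remote_peers(conns):
    """Public foreign addresses this host talks to, with a service guess and the owning PID.

    UDP rows with a public peer are exactly the direct webcam/voice streams described above:
    they bypass the chat site and expose the two endpoints to each other.
    """
    peers = []
    for c in conns:
        if not is_public(c.foreign_ip):
            continue
        service = WELL_KNOWN_PORTS.get(c.foreign_port, "unknown")
        peers.append((c.proto, c.foreign_ip, c.foreign_port, service, c.state, c.pid))
    return peers


def direct_udp_peers(conns):
    """Just the public addresses reached over UDP: the ones a webcam partner can learn about you."""
    return sorted({c.foreign_ip for c in conns if c.proto == "UDP" and is_public(c.foreign_ip)})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for peer in remote_peers(rows):
        print("%-3s %-16s port %-5s %-8s %-12s pid %s" % peer)
    print("direct UDP peers:", direct_udp_peers(rows))
```

Run netstat -ano > conns.txt and pass the file's contents to parse_netstat. The UDP rows are the interesting ones: a public address there, with a real PID behind it, is a stream that bypasses any web proxy or Tor configuration, which is exactly why cam chat cannot be anonymised by Tor alone.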

If you are really interested in learning more about gathering an IP address, there are two things that
happen when you are connected via webcam. The first is the handshake, or initial connection, which is
facilitated by the chat website (Omegle, ChatRoulette, etc.). This is the step that connects you to the
other person. Once it is complete, you are directly connected to the person you are chatting with, and
the stream is no longer being passed through the chat website. The webcam traffic is UDP, which is not
supported by Tor. Continue below for an expanded explanation.

TCP Handshake

The picture above shows the typical three-way handshake when capturing traffic in Wireshark. You will
see [SYN], [SYN, ACK], then [ACK]: Host A sends a SYNchronize packet to Host B, Host B responds with a
SYNchronize-ACKnowledgement packet back to Host A, and Host A finalizes the connection with an
ACKnowledgement packet to Host B. This handshake is the TCP connection to the chat site. Once it is
complete and the site has introduced the two peers, you will see a flood of UDP traffic. Again, the UDP
traffic is the webcam data and is the only traffic you are going to concern yourself with.

When looking at all this traffic, you want to concern yourself with three columns in particular: Source,
Destination, and Protocol. The source is where the information is coming from, the destination is where
the traffic is going to, and the protocol is the transport protocol in use. The picture below shows what
traffic looks like in Wireshark when the UDP protocol is being used. Notice that this picture only shows
UDP traffic; that is because you can filter traffic in Wireshark to show pretty much whatever you want
(the udp filter from the exercise above).

So, the two columns to look at are Source and Destination. You will notice that there are two IP
addresses being used: 192.168.0.103 and 78.167.170.99. If you followed the Try it out - Capture IP
Address from Omegle exercise, you might remember that 192.168.0.103 is the address of the local user who
is capturing the traffic and 78.167.170.99 is the user connected on the other side. Your IP address will
be a private one (192.168.x.x, 10.x.x.x, or 172.16.x.x through 172.31.x.x; most likely 192.168.x.x).
The other address is that of the user connected to you; this is the IP address you are looking for, and
it is the one attackers look for as well.
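
Here is the same analysis done programmatically, as an added example that is not part of the original guide: a Python script that walks a capture, recognises the SYN / SYN,ACK / ACK exchange to the chat site, and then ranks the UDP peers by packet count, which is what step 8 of the exercise does by eye. The capture is a hand-constructed list of packet summaries rather than a pcap file, and all the addresses in it are made up; with a real capture you would export the Source, Destination, Protocol and Info columns from Wireshark as CSV and build the same tuples from that.

```python
"""Find the TCP handshake to the chat site and the direct UDP peer in a capture.

Added example for this guide, not part of the original text. Instead of reading
a pcap it works on a hand-constructed list of packet summaries shaped like the
Source/Destination/Protocol/Info columns Wireshark shows; the addresses are made up.
"""
import ipaddress
from collections import Counter

# Constructed capture: the local host 192.168.0.103 connects to a chat site
# (TCP handshake on port 443), then streams video straight to the peer over UDP.
CAPTURE = [
    # (src, sport, dst, dport, proto, tcp_flags)
    ("192.168.0.103", 52344, "203.0.113.10", 443, "TCP", "SYN"),
    ("203.0.113.10", 443, "192.168.0.103", 52344, "TCP", "SYN,ACK"),
    ("192.168.0.103", 52344, "203.0.113.10", 443, "TCP", "ACK"),
    ("192.168.0.103", 52344, "203.0.113.10", 443, "TCP", "PSH,ACK"),
    ("203.0.113.10", 443, "192.168.0.103", 52344, "TCP", "PSH,ACK"),
    ("192.168.0.103", 53012, "8.8.8.8", 53, "UDP", ""),           # one DNS lookup
    ("8.8.8.8", 53, "192.168.0.103", 53012, "UDP", ""),
] + [
    ("192.168.0.103", 61000, "78.167.170.99", 1907, "UDP", ""),   # webcam stream out
    ("78.167.170.99", 1907, "192.168.0.103", 61000, "UDP", ""),   # webcam stream in
] * 200


def is_public(ip_text):
    """Routable address, as opposed to RFC 1918 / loopback / unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified)


def find_handshakes(packets):
    """Return (client, server, server_port) for each completed SYN / SYN,ACK / ACK exchange."""
    pending = {}   # (client, cport, server, sport) -> stage reached so far
    done = []
    for src, sport, dst, dport, proto, flags in packets:
        if proto != "TCP":
            continue
        if flags == "SYN":
            pending[(src, sport, dst, dport)] = 1
        elif flags == "SYN,ACK" and pending.get((dst, dport, src, sport)) == 1:
            pending[(dst, dport, src, sport)] = 2
        elif flags == "ACK" and pending.get((src, sport, dst, dport)) == 2:
            done.append((src, dst, dport))
            del pending[(src, sport, dst, dport)]
    return done


def udp_peers_by_volume(packets, local_ip):
    """Count UDP packets per remote public address, most talkative first (step 8 of the exercise)."""
    counts = Counter()
    for src, sport, dst, dport, proto, flags in packets:
        if proto != "UDP":
            continue
        remote = dst if src == local_ip else src
        if is_public(remote):
            counts[remote] += 1
    return counts.most_common()


def webcam_peer(packets, local_ip, min_packets=50):
    """The remote address behind the UDP flood, or None if nothing looks like a stream.

    A DNS lookup or two is also UDP, so a threshold keeps a single query from being
    mistaken for the peer.
    """
    ranked = udp_peers_by_volume(packets, local_ip)
    if ranked and ranked[0][1] >= min_packets:
        return ranked[0][0]
    return None


if __name__ == "__main__":
    print("handshakes:", find_handshakes(CAPTURE))
    print("udp peers:", udp_peers_by_volume(CAPTURE, "192.168.0.103"))
    print("webcam peer:", webcam_peer(CAPTURE, "192.168.0.103"))
```

The threshold in webcam_peer matters more than it looks: every name lookup is also a UDP packet to a public address, so "the address with the most UDP traffic" is only a safe rule once the stream has been running for a few seconds.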

Another popular method of getting IP addresses and other computer information, such as usernames,
passwords, keystrokes, screenshots and so on, is the use of spyware. I am not going to go into detail
about spyware (or keyloggers or malware in general), but I will go over a popular delivery method. When
people send pictures or videos via TorChat or an alternative medium, they can use a binder program to
glue a picture file to an executable. When the file is opened, the picture appears as normal while the
spyware runs in the background. Whatever its name or icon, the result is an executable, which is one
reason to check file extensions and never open files of unknown origin outside a sandbox or virtual
machine.

To protect yourself when dealing with UDP traffic (audio or video chat), you can use a UDP proxy, a
VPN, or a VPN over Tor. I usually just use a VPN that claims not to log any traffic, but who knows if
that claim holds merit. Simple text chat uses TCP, which Tor can carry. Obviously, do not follow
shortlinks, as they can lead to a honeypot or another rogue site. And if you do decide to open links you
are unsure about, do so via Tor with JavaScript disabled.

8.8. Other Considerations

Most people have home routers with stock firmware, so most of this does not apply. For those of you
interested in more granular control of your router, you can search the internet for custom firmware;
for example, DD-WRT is a good Linux-based firmware. You can also purchase managed switches and wireless
access points specifically for this purpose. Most commercial equipment can do what I am about to talk
about, but it usually runs into the several thousands, if not hundreds of thousands.

One of the basic hardening techniques for wireless security is the use of VLANs. A VLAN splits one
physical switch into separate broadcast domains, so if an attacker gets past your wireless security
controls and onto, say, the guest VLAN, they are not on the same layer-2 segment as your other machines
and cannot sniff or ARP-poison their traffic. Let's say some ports on switch A are in VLAN 10 and some
ports on switch B are also in VLAN 10. Broadcasts between these devices will not be seen on any port in
any other VLAN. The devices in VLAN 10 can all communicate because they are on the same VLAN, even
across the two switches (over a trunk link). VLANs can also be set up entirely on one switch. Keep in
mind that a VLAN is segmentation, not encryption: traffic between VLANs still has to be filtered by the
router or firewall that joins them.

WPS, or Wi-Fi Protected Setup, is a way for individuals to easily connect devices to the wireless router.
In the method that matters here, the standard uses an 8-digit PIN during the setup phase. It is a
convenience feature, not a security feature, and WPS should be disabled at all times. The vulnerability
discovered in WPS makes that PIN highly susceptible to brute force: the access point reveals whether the
first four digits are correct before the last four are checked, and the last digit is a checksum, so an
attacker only has to try roughly 11,000 PINs instead of 100 million. It takes approximately 4-10 hours
to recover the PIN (and with it the WPA passphrase) with Reaver.
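
The arithmetic behind that estimate, as an added example that is not part of the original guide and has nothing to do with Reaver's code: the WPS checksum digit from the specification, and the number of guesses the split-half design leaves an attacker. It only computes numbers; it does not talk to an access point.

```python
"""Why the WPS PIN is brute-forceable: checksum digit and the split-half search space.

Added example for this guide, not part of the original text or of Reaver. It only
does the arithmetic; it does not talk to an access point.
"""


def wps_checksum(first_seven):
    """Checksum digit that the WPS spec appends to the first seven PIN digits.

    Odd positions (1st, 3rd, 5th, 7th) are weighted 3, even positions weighted 1,
    and the digit that brings the sum to a multiple of 10 is the checksum.
    """
    digits = [int(c) for c in first_seven]
    if len(digits) != 7:
        raise ValueError("expected seven digits")
    accum = 3 * (digits[0] + digits[2] + digits[4] + digits[6]) + (digits[1] + digits[3] + digits[5])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if an 8-digit PIN carries the right checksum (the form almost every router uses)."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def wps_attempts(pin):
    """Worst-case guesses when the access point confirms the two halves separately.

    The attacker brute-forces the first half (10^4 possibilities) until the AP accepts it,
    then only the three free digits of the second half (10^3), because the 8th digit is
    derived by wps_checksum rather than guessed. Returns (first_half, second_half, total).
    """
    first = int(pin[:4]) + 1            # guesses until the first half matches, counting from 0000
    second = int(pin[4:7]) + 1          # three free digits in the second half; the 8th is computed
    return first, second, first + second


def naive_attempts():
    """Guesses without the flaw: every 8-digit PIN is equally possible."""
    return 10 ** 8


if __name__ == "__main__":
    pin = "1234567" + str(wps_checksum("1234567"))
    print("example PIN:", pin, "valid:", is_valid_wps_pin(pin))
    print("split-half worst case:", wps_attempts("9999999" + str(wps_checksum("9999999"))))
    print("naive search space:", naive_attempts())
```

At a few seconds per attempt, 11,000 guesses is the 4-10 hours quoted above; 100 million would be years, which is why the split confirmation, not the PIN length, is the real flaw.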

You should also know about rogue APs, specifically an attacker impersonating an SSID (an "evil twin").
Rogue access points are a security concern because an attacker can set up a device such as a router or
laptop with the same or a similar SSID as the wireless access point you connect to. Clients that connect
to this rogue device, whether by mistake or because it offers the stronger signal, have all their traffic
logged, and MiTM attacks can be performed on them. This threat is of low concern on a home network where
you know your own equipment; on public wireless, where anyone can broadcast a familiar SSID from a laptop,
treat it as a real possibility.

One final security configuration I am going to mention is a DMZ. The purpose of a demilitarized zone is
to add an additional layer of security to your local area network (the private LAN): an external attacker
who compromises a public-facing service only gets a foothold in the DMZ rather than the entire network.
You would use one for anything that you want people from outside your network to reach while protecting
your internal network. Examples of such services are websites, IRC servers and relay servers. Note that
the "DMZ host" option on many home routers is not a real DMZ: it simply forwards every unsolicited
inbound connection to one machine that is still on your LAN.

8.9. Extra: MAC Address Spoofing and ARP Attacks - How They Work

Two methods I want to talk about are ARP poisoning and MAC address spoofing. As many of you already
know, MAC address spoofing is also a way to hide your computer or to get free Internet where places
either filter computers by MAC address or have a pay-to-use system. A few of you have asked how this
works and, instead of reinventing the wheel each and every time, I decided to create this fundamental,
quick how-it-works section. These are a couple of reasons why you should lock down your private network
and never use public networks.

When a computer wants to talk to another computer on the network, it uses four primary fields to
address the traffic. In a packet, these fields are: source IP address, destination IP address, source
MAC address, and destination MAC address. Again, most of you know about IP addresses, so we will not get
into that at all. What most of you do not know is that on the local network the traffic is delivered by
the computer's MAC address (a unique identifier assigned to each network interface) and not by the
computer's IP address. The computer uses the IP address to learn the MAC address, but the switch forwards
the frame based on the MAC address. Let me explain.

Let's say Bob wants to talk to Alisha on the same network (send data). There is a protocol called ARP,
which stands for Address Resolution Protocol. Bob's computer broadcasts an ARP request to every device
on the network segment (the switch floods it out of all its ports, just as a hub would) saying, in
effect, "Who has Alisha's IP address?" Alisha's computer answers with an ARP reply containing its MAC
address, and that reply goes back to Bob. Bob stores the pairing in his ARP table (arp -a shows it),
fills in Alisha's MAC as the destination MAC address, and sends the data using that information. The
switch itself does not answer ARP; it only learns which port each MAC address lives on, so that it can
forward Bob's frames to Alisha's port alone.

Here is an example: Bob wants to send Alisha a file over the network. Bob first broadcasts an ARP
request (most, if not all, home routers have a switch built in, and the switch passes the broadcast to
every port except Bob's) saying "Hey, I want to talk to Alisha, here is her IP address. What is her MAC
address so I can send the data?" Every computer on the network sees the request, but only Alisha responds:
"It's me, my MAC address is F0:26:EA:98:EB:03." Bob caches that answer and, until the entry expires, can
transfer data to Alisha without asking again. The switch, meanwhile, has noted which port Alisha's MAC
address came in on.

This is where MAC address spoofing comes in, because, as you just learned, the switch delivers frames by
MAC address, not by IP address. MAC address spoofing tricks the switch into thinking your computer (let's
say you are Steve) is actually Alisha's computer: Steve sets his interface to Alisha's MAC address, and
the switch's MAC table now flaps between the two ports as each of them transmits. So when Bob sends data
to Alisha, some of the packets go to Alisha and some go to Steve. For the same reason, a pay-to-use
system can be defeated: the captive portal marks a MAC address as paid for and lets its traffic through,
so a computer that clones an already-authorized MAC address gets data sent to it without charge.

ARP poisoning, on the other hand, is when an attacker sends forged ARP replies so that the ARP table on
another machine is changed and the victim's IP address (or, more commonly, the gateway's) points to a
different MAC address. If the attacker makes the gateway's IP address point to his own MAC address, every
packet the victim sends toward the internet arrives at the attacker first, who can steal the information,
or simply eavesdrop and forward the communications on so that nothing looks wrong.

THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS
OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT
AGAINST ANYONE ELSE. SO PLEASE DON'T!

ARP Poisoning Demonstration:

1. Open Cain (you will need Cain & Abel installed on your machine).
2. Click the Sniffer tab and turn on the network sniffer (the network interface button next to the
folder icon on the second row).
3. This should already be selected, but ensure that the Hosts tab is selected at the bottom.
4. At the top, click the blue Plus button to scan for MAC addresses. Alternatively, you can right-click
anywhere in the datagrid (white box) and select Scan MAC Addresses.
5. Once populated with devices other than your default gateway (usually the IP address ending in the
octet 1) or your computer, select the APR tab at the bottom (Cain's name for ARP Poison Routing).
6. Make sure APR is selected over on the left and click anywhere in the top datagrid (the top field
that is blank). The Plus button at the top should no longer be greyed out.
7. Once the New ARP Poison Routing dialog box appears, you will select the computers that you wish
to attack.
8. Over on the left, select your default gateway, and over on the right select the computer you wish
to attack (the datagrid on the right will populate once the gateway is selected on the left). *Doing
this has the potential of causing a DoS, where the victim cannot access the internet or any data on
the network, if your machine cannot forward the traffic fast enough or you stop without restoring the
victim's ARP table.
9. Finally, select the session that you just created (under Status, it will say Idle) and click the
ARP Poisoning button at the top, next to the sniffer button you clicked earlier. If successful, the
status will change from Idle to Poisoning.
10. From here, you can capture data packets, usernames, passwords, email addresses, etc. from any
protocol that is not encrypted.
11. Defences: static ARP entries for the gateway on clients, Dynamic ARP Inspection (DAI) on managed
switches, ARP-watching tools that alert when a MAC-to-IP mapping changes, and, so that whatever is
captured is unreadable, encryption such as client-to-host VPNs, TLS with certificate checking (PKI),
or Tor.
12. To stop the attack, click the ARP Poisoning button and the Sniffer button once more.

Again, I should provide the warning that there are other ways an attacker can see your traffic: with a
packet sniffer on a wireless network that is not protected, where everything is in the air in the clear;
on a network hub, which repeats every frame out of all ports; on a managed switch with port mirroring
enabled (where an admin copies the traffic of another port to a designated port); or by changing the MAC
address of their computer to that of the AP (access point), as mentioned above.

MiTM stands for Man in The Middle and is an attack in which the attacker inserts himself between you and
the person or service you are connected to. As I said before, once this is accomplished, the attacker can
capture all information, strip SSL to obtain information such as passwords, insert malicious code,
redirect the user, or block the user from a service altogether. To protect against MiTM attacks, use a
VPN or end-to-end encryption that authenticates both you and the remote host, and do not click through
certificate warnings: SSL stripping works because the victim accepts a plain-HTTP page where HTTPS was
expected. These attacks are used more on local networks than over the internet; however, it is still
possible.
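
Cain shows the attacker's side; here is the victim's side, as an added example that is not part of the original guide or of Cain & Abel. It reads snapshots of arp -a output (constructed here, with made-up addresses) and reports the two symptoms of the attack described above: the gateway's MAC address changing, and one MAC address answering for more than one IP.

```python
"""Spot ARP poisoning from the victim's side by watching the ARP table.

Added example for this guide, not part of the original text or of Cain & Abel.
It parses snapshots of Windows `arp -a` output (constructed here, made-up
addresses) and raises an alert when the gateway's MAC address changes or when
one MAC address claims several IP addresses, which is what a poisoned table looks like.
"""
import re

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)

# Constructed: the table before the attack ...
BEFORE = """
Interface: 192.168.0.103 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           f0-26-ea-98-eb-03     dynamic
  192.168.0.6           00-1b-63-84-45-e6     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# ... and after the attacker at 192.168.0.42 has poisoned the gateway entry.
AFTER = """
Interface: 192.168.0.103 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-0c-29-3d-5a-10     dynamic
  192.168.0.6           00-1b-63-84-45-e6     dynamic
  192.168.0.42          00-0c-29-3d-5a-10     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp_table(text):
    """Map IP -> MAC for the unicast entries of an `arp -a` listing (broadcast/multicast rows skipped)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, _ = m.groups()
        mac = mac.lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table


def duplicate_macs(table):
    """MAC addresses that answer for more than one IP: the attacker's NIC plus the address it impersonates."""
    owners = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def check_gateway(gateway_ip, trusted_mac, table):
    """True when the gateway still maps to the MAC recorded on a clean network (what a static entry pins)."""
    return table.get(gateway_ip) == trusted_mac


def arp_alerts(gateway_ip, before, after):
    """Compare two snapshots and describe anything that looks like poisoning."""
    alerts = []
    old, new = parse_arp_table(before), parse_arp_table(after)
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        alerts.append("gateway %s moved from %s to %s" % (gateway_ip, old[gateway_ip], new[gateway_ip]))
    for mac, ips in duplicate_macs(new).items():
        alerts.append("MAC %s claims %s" % (mac, ", ".join(ips)))
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts("192.168.0.1", BEFORE, AFTER):
        print("ALERT:", alert)
    # In practice: record the clean table once, then run `arp -a` periodically,
    # or pin the gateway with `arp -s <gateway-ip> <gateway-mac>` so a forged reply is ignored.
```

A gateway whose MAC belongs to a laptop vendor rather than to your router's maker is the same finding made by hand; the script just does the comparison on every snapshot.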

Chapter 9_ Web Browser Security

In this section, I will talk about several vulnerabilities, what they accomplish, and the mitigation
techniques. Because web browsers are used so frequently, it is vital to configure them securely. Often,
the web browser that comes with an operating system is not set up in a secure default configuration.
Not securing your web browser can quickly lead to a variety of computer problems, from spyware being
installed without your knowledge, to intruders taking control of your computer, to websites obtaining
your IP address and running malicious scripts when you navigate to their webpage. I will briefly go over
some other security considerations, dealing primarily with web browsers. This section does not encompass
everything, so further research is necessary!

Topics
This Chapter will cover the following topics:

Downloading and Using the Tor Browser Bundle
Configuring Web-Browsers and Applications to Use Tor
What is Sandboxing and What is JIT Hardening, and Why Do I Care?
JavaScript
Cookie Protection and Session Hijacking Attacks
Caching
Referers
CSRF and XSS Attacks
Protect Browser Settings
DNS Leaks
User Awareness, Accidents and System Updates

Let's start by talking about the browser itself. Personally, I use the Tor Browser Bundle with Firefox,
as do most. Better still, Tails is recommended because of the way it was designed: all traffic is routed
through Tor regardless of the source, and anything that does not go through Tor is dropped. A study was
done, though, which concluded that Google Chrome is the most secure browser, largely because of Chrome's
sandboxing and plug-in security. Comparatively, Internet Explorer implemented sandboxing and JIT hardening
to a lesser, below-industry-standard degree, whereas Firefox fell behind on sandboxing and did not
impl
ement JIT hardening at all, as of the time of that study.

9.1. Downloading and Using the Tor Browser Bundle

The Tor Project describes Tor as follows: "Tor protects you by bouncing your communications around a
distributed network of relays run by volunteers all around the world: it prevents somebody watching your
Internet connection from learning what sites you visit, and it prevents the sites you visit from learning
your physical location. Tor works with many of your existing applications, including web browsers,
instant messaging clients, remote login, and other applications based on the TCP protocol."

I recommend downloading and using the Tor Browser Bundle even though I provide a step-by-step exercise
on how to configure your existing browsers to run through Tor (Section 9.2). Many people in the past
used the Torbutton add-on for Firefox, which is no longer supported as a standalone add-on because of
Firefox's rapid release cycle. Also, a web proxy is not needed if you are just browsing the internet with
the Tor Browser Bundle. I would recommend using the hardening techniques described below. You should know
that even though you are using Tor, your traffic to ordinary (non-onion) websites leaves the Tor network
at the exit node, and a malicious exit can read or modify it unless the site uses HTTPS; check for HTTPS
(the HTTPS Everywhere add-on that ships with the bundle helps).

Download and Start the Tor Browser Bundle

1. Navigate to the Tor website (torproject.org).
2. Under Tor Browser Bundle for Windows/Mac/Linux, select the appropriate version (32-bit vs.
64-bit). For Windows, just select the appropriate language.
3. Click Save File.
4. Once the file is downloaded, verify the GPG signature the Tor Project publishes next to every
package (a tampered bundle defeats everything that follows), then open it. An example file I just
downloaded was tor-browser-2.2.39-1_en-US.exe. Your version will probably be different than mine.
5. It is a self-extracting archive. Select your preferred location and press Extract.
6. Navigate to and open the folder and run Start Tor Browser.
7. Once Tor establishes a connection, a Firefox browser will open.
8. You can now browse the internet as you normally would, without your ISP or another party seeing
what you are doing within Tor itself. There are other vulnerabilities that should be addressed, so I
recommend reading on.

Tor Links
When you download and use Tor you can go to many .onion sites that are hidden from the clear internet.
Traffic to these sites never leaves the Tor network, so there is no exit node to observe it; the site
still knows you by whatever you tell it, so the anonymity holds only as long as you do not identify
yourself at the application layer. Here is a list of a few Tor sites:

Main Page - http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. This link is to the main
Hidden Wiki that hosts links to other hidden Tor websites. View this site for the full listing.
Silk Road - http://silkroadvb5piz3r.onion/. Private marketplace with escrow (Bitcoin). You can
purchase anything from illegal pictures and video, to drugs and drug paraphernalia, to arms and
ammunition.
HackBB - http://clsvtzwzdgzkjda7.onion/. Forums for hacking, carding, cracking, programming,
anti-forensics, and other tech topics. Also a marketplace with escrow.

9.2. Configuring Web-Browsers and Applications to Use Tor

Here, I am going to talk about sending HTTP, FTP and SSL traffic through Tor. To accomplish this we will
be using Tor together with Polipo, a caching web proxy. Basically, we send all of the browser's traffic
to the port that Polipo is listening on, and Polipo forwards it into Tor over SOCKS. Inside the Tor
circuit everything is encrypted, but it is Tor that does the encrypting, not Polipo, and only as far as
the exit node. This is a substitute for using the Tor Browser Bundle. As stated above, your traffic to
non-onion websites is exposed at the exit node unless the site uses HTTPS.

The first thing we need to do is download the Vidalia Bundle. This bundle includes Tor, Vidalia, and
Polipo. We are going to be configuring Firefox for this article. You should know, however, that all
other browsers and applications that allow proxy settings will use the same configuration. There are
limitations, which we will discuss further down.

Starting the services

1. Start Polipo.
2. Start Vidalia.
3. Once you are connected to Tor ("Connected to the Tor network" in the Vidalia Control Panel), we
will begin setting the proxy settings for Firefox.

Firefox
1. Start Firefox.
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard; the menu bar
should appear).
3. Click Options, followed by Advanced. Select the Network tab.
4. Under the Connection group, select Settings.
5. Select Manual proxy configuration.
6. For HTTP, SSL and FTP, use 127.0.0.1 with port 8118 (Polipo). For SOCKS Host, use 127.0.0.1 with
port 9050 (Tor's own SOCKS port) and select SOCKS v5; Polipo speaks HTTP, not SOCKS, so pointing the
SOCKS entry at 8118 will not work.
7. In about:config, set network.proxy.socks_remote_dns to true so that host names are resolved
through Tor rather than by your ISP's DNS server (see section 9.10 on DNS leaks).
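
What the remote-DNS setting changes on the wire, as an added example that is not part of the original guide or of Tor's code: the bytes a SOCKS5 client sends to Tor for a CONNECT when it passes the host name through, versus when it has already resolved the name itself. The second form is the DNS leak of section 9.10: the lookup went to your ISP's resolver before Tor ever saw the request. Nothing here opens a network connection; the message layout is that of RFC 1928.

```python
"""What "remote DNS" means on the wire: a SOCKS5 CONNECT that carries the host name.

Added example for this guide, not part of the original text or of Tor. It builds
the bytes a SOCKS5 client (such as Firefox with network.proxy.socks_remote_dns
set to true) sends to Tor on 127.0.0.1:9050, and the version that leaks, where
the browser resolves the name itself first and hands Tor only the IP. Nothing is
sent anywhere; the constants are those of RFC 1928.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
NO_AUTH = 0x00


def greeting():
    """First message: version, one supported auth method, 'no authentication'."""
    return bytes([SOCKS_VERSION, 0x01, NO_AUTH])


def connect_by_name(host, port):
    """CONNECT with ATYP=DOMAIN: the proxy (Tor) resolves the name; your DNS server never sees it."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("host name too long for SOCKS5")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def connect_by_ip(ipv4, port):
    """CONNECT with ATYP=IPV4: only possible if the client already did a DNS lookup, i.e. the leak."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4]) + socket.inet_aton(ipv4) + struct.pack("!H", port)


def describe_request(req):
    """Decode a CONNECT request; returns (target, port, leaks_dns)."""
    if req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target, rest = req[5:5 + n].decode("idna"), req[5 + n:]
        leaks = False         # the name stays inside the Tor tunnel
    elif atyp == ATYP_IPV4:
        target, rest = socket.inet_ntoa(req[4:8]), req[8:]
        leaks = True          # the client must have resolved the name locally
    else:
        raise ValueError("address type %d not handled here" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return target, port, leaks


if __name__ == "__main__":
    good = connect_by_name("kpvz7ki2v5agwt35.onion", 80)
    bad = connect_by_ip("66.102.1.104", 80)
    print("remote DNS :", good.hex(), describe_request(good))
    print("local DNS  :", bad.hex(), describe_request(bad))
    # An .onion name cannot be resolved by a normal DNS server at all, so with local
    # resolution the request would simply fail, and the lookup itself would already
    # have told your ISP which hidden service you wanted.
```

This is also why the HTTP proxy route through Polipo is safe for names: the browser hands Polipo the URL, and Polipo passes the host name on to Tor the same way, so no resolver outside Tor is consulted.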

9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care?

Wikipedia defines a sandbox as "a security mechanism for separating running programs. It is often used
to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users
and untrusted websites." Basically, think of it as, well, a sandbox: put a bunch of kids in a sandbox and
tell them to stay there, and they cannot leave. A browser sandbox restricts what a compromised
page-rendering process can reach on the system (files, other processes, the network), which is extremely
important for our purposes because it turns a browser exploit into a much smaller problem. Furthermore,
as an additional layer of security, I use the Tor Bundle in a virtual environment (a virtualized
application, though a full virtual machine is also recommended).

JIT (just-in-time) compilation is what modern JavaScript engines do to make scripts fast: instead of
interpreting the script, the engine compiles it to native machine code on the fly (compiling is like
writing a book; you write several pages before you bind the book together). The downside is that a web
page now gets to decide, indirectly, what machine code is written into executable memory. Attackers have
long relied on this in JIT-spraying attacks: a script full of carefully chosen constants makes the engine
emit machine code that doubles as attacker shellcode at predictable addresses, bypassing exploit
mitigations such as ASLR and DEP. JIT hardening is the set of countermeasures against that, such as
randomising where JIT code is placed, blinding constants so that they never appear verbatim in the
output, and keeping JIT pages from being writable and executable at the same time.

9.4. JavaScript

JavaScript is just what it implies: a script that is executed by the browser, on the page that loaded
it. It runs when the webpage loads or when an event is triggered, and is delimited by <script> and
</script> tags (or loaded from a separate file). Unlike a program written in C, JavaScript in a browser
does not get direct access to the operating system: it is confined to what the browser's APIs expose.
That is still a lot. A script can read properties of your browser and system (user agent, screen size,
installed plug-ins, time zone) and send them to anyone, it can make requests in your name, and it is the
usual first stage of a browser exploit, since most exploits that do break out of the browser are
triggered by script. This means that JavaScript, when executed, can potentially be used to damage the
system or to send information to unauthorized persons. Obviously, this is not all-inclusive, and further
vulnerabilities/exploits can be delivered using JavaScript.

What should be pulled out of this is that JavaScript only runs the scripts that are on the webpage; it
cannot magically get your IP address without code that does so being present. So, by enabling JS only on
sites that are known to be trusted, such as this site, you can be relatively safe in knowing that system
information (or your public IP address) is not being leaked. But, as you may have guessed, this assumes
that the site's scripts are not compromised, which is a possibility at any time (though unlikely), and
that nobody between you and the site, such as a malicious Tor exit node on a plain-HTTP connection, has
injected script of their own. In any other scenario, you should disable JS for the site completely.

NoScript is recommended when dealing with JavaScript, as it blocks all scripts unless explicitly allowed
(per script source or per site). Make sure when using NoScript that scripts are not allowed globally; if
they are, you have defeated the purpose of the add-on. By default, it is already set that way. When using
the Tor Bundle or the outdated Torbutton, it is also good to know that dangerous JavaScript is already
hooked: JavaScript is injected into pages to hook the Date object to mask your time zone, and to hook the
navigator object to mask OS and user agent properties not handled by the standard Firefox user agent
override settings. You can also disable JavaScript directly from the browser.

9.5. Cookie Protection and Session Hijacking Attacks

Wikipedia defines a cookie as "a small piece of data sent from a website and stored in a user's web
browser while a user is browsing a website. When the user browses the same website in the future, the
data stored in the cookie can be retrieved by the website to notify the website of the user's previous
activity." When you log into a webpage, that session is also stored on your computer as a cookie. Some
onion websites avoid cookies for several reasons, including DoS attacks and session hijacking attacks,
and handle the session differently.

A session hijacking attack basically allows a third-party attacker to connect to a website and use your
session. For example, when you log into a website, you have just created a session, identified by a
session ID. There are two main ways to hijack it: session ID guessing and stolen session cookies.
Guessing is usually not as big an issue because of the length and randomness of the session ID (mostly).
The other way someone could steal a session cookie is at the Tor exit node, by performing a MiTM attack
on a plain-HTTP connection. Cookie hijacking is a real threat, but it can be mitigated: a site that
serves everything over HTTPS and marks its session cookie Secure never sends the cookie in the clear, and
marking it HttpOnly keeps page scripts (including injected ones) from reading it.

Cookies, in general, are not dangerous; however, all third-party cookies should be blocked in the
browser settings to stop tracking by a third party. A third-party cookie is one set for a site other than
the one you are visiting. For example, if you visit www.widgets.com and the cookie placed on your computer
says www.stats-for-free.com, then this is a third-party cookie.

Firefox (version 10.0.5)

1. Start Firefox.
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard; the menu bar
should appear).
3. Click Options.
4. Click Privacy.
5. Check "Tell websites I do not want to be tracked" and either set "TorBrowser will: never remember
my history" OR uncheck "Accept third-party cookies". Note, this does not stop all trackers: websites do
NOT have to abide by the "Tell websites I do not want to be tracked" setting, and this is not the only
method.

9.6. Caching

The browser cache is a component that transparently stores data so that future requests for that data
can be served faster. Whenever you go to a website, cached copies of what it served are saved on your
computer for faster viewing. This means that when you go to a picture site, all the pictures that are
loaded on the screen are saved on your computer for future viewing. Obviously, this is a huge security
risk, and if someone were to gain access to your system and view the cache, they would know what you
have been looking at.

As a real quick side note, in the USA at least, it is not illegal to view the images, just to download
them. Now, if you have adequate knowledge, they can claim that you knew the cached images were there and
kept them there as an attempt to download the images. You can configure the browser settings so that no
cache is kept, or have a program erase the cache securely. CCleaner is a good, recommended (and free!)
program that does that. Keep in mind that "secure" erasure of individual files is not reliable on SSDs
or on journaling file systems; not writing the cache to disk in the first place (the Tor Browser Bundle
is configured that way) or full-disk encryption is the more dependable answer.

Firefox (version 10.0.5)
1. Start Firefox.
2. Click Tools (if you do not see the menu bar, press the Alt key on your keyboard; the menu bar
should appear).
3. Click Options.
4. Click Privacy.
5. Select "TorBrowser will: Use custom settings for history". Note, this is not the only method.

9.7. Referers

Wikipedia describes the referer as an HTTP header field that identifies, from the point of view of the
webpage or resource being requested, the address (commonly the Uniform Resource Locator, URL) of the
webpage that linked to it. Basically, when you click on a picture, for example (or when a picture loads
in a webpage), the website that hosts the picture is sent a request that contains the address of the
last page you were on. Most recently, on one of the sites that I frequent, there was an attack where
somebody performed session hijacking using referer information.

This was possible because the session ID was in the URL (again, the address of the webpage): with
referers enabled, whenever a user loaded a page with live previews (or pressed a link) pointing at a
server the attacker controlled, the full URL, session ID included, arrived in the attacker's logs and
allowed them to do whatever they wanted to the user's account. Disabling referers in the browser is
recommended; the real fix, on the site's side, is to keep the session ID in a cookie rather than in the
URL. This type of attack is the price some sites pay for not requiring cookies.

Disabling referers in the browser's settings or with an add-on is recommended. RefControl,
https://addons.mozilla.org/en-US/firefox/addon/refcontrol/, is a good add-on that accomplishes this. You
can also disable referers in the browser settings as follows:

Firefox
1. In the address bar, type about:config and press Enter.
2. Accept the prompt.
3. Type network.http.sendRefererHeader into the Filter field.
4. Double-click network.http.sendRefererHeader under Preference Name.
5. In the white box, enter 0 to never send a referer, or 1 to send it only when you click a link (not
for images and other embedded resources). The default value is 2, always send.
6. Next, type network.http.sendSecureXSiteReferrer into the Filter field.
7. Double-click network.http.sendSecureXSiteReferrer under Preference Name. The value should change
to false, which stops a referer from being sent from an HTTPS page to a different site.
8. Click "OK" and close the about:config window.
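
A script that checks a site for the three session-handling problems from sections 9.5 and 9.7, added here as an example and not part of the original guide: a session cookie without the Secure or HttpOnly flags, a session ID short enough to guess, and a session ID carried in the URL where the Referer header will leak it. The Set-Cookie headers and links it examines are constructed for the example; SESSION_NAMES and MIN_ENTROPY_BITS are my own choices, not any standard, and referer_for models only the sendRefererHeader setting from the steps above.

```python
"""Audit how a site handles its session: cookie flags, session-ID strength, and IDs in URLs.

Added example for this guide, not part of the original text. The Set-Cookie
headers and URLs below are constructed to show the problems described in
sections 9.5 and 9.7: a cookie readable by injected script, a cookie sent in the
clear, a guessable ID, and a session ID leaking through the Referer header.
"""
import math
import re
from urllib.parse import urlsplit, parse_qs

SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session", "asp.net_sessionid"}
MIN_ENTROPY_BITS = 64          # what a session ID needs to resist guessing (OWASP guidance)

# Constructed headers and links, as a site might send them.
SET_COOKIE_HEADERS = [
    "PHPSESSID=8f3c1a9b7e2d4c6f; Path=/; Secure; HttpOnly",
    "SID=123456; Path=/",
    "theme=dark; Path=/",
]
PAGE_LINKS = [
    "https://forum.example/viewtopic.php?t=42&PHPSESSID=8f3c1a9b7e2d4c6f",
    "https://forum.example/img/preview.php?id=7",
]


def parse_set_cookie(header):
    """'name=value; Attr; Attr=value' -> (name, value, {attr_lower: value_or_True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name, value, attrs


def id_entropy_bits(value):
    """Upper bound on the entropy of an ID, from its length and the alphabet it visibly uses."""
    if re.fullmatch(r"[0-9]+", value):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-f]+", value) or re.fullmatch(r"[0-9A-F]+", value):
        alphabet = 16
    elif re.fullmatch(r"[0-9A-Za-z]+", value):
        alphabet = 62
    else:
        alphabet = 64
    return len(value) * math.log2(alphabet)


def audit_cookie(header):
    """Findings for one Set-Cookie header; an empty list means nothing to complain about."""
    name, value, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_NAMES:
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("%s: no Secure flag, so it is sent over plain HTTP and a MiTM at the exit node can read it" % name)
    if "httponly" not in attrs:
        findings.append("%s: no HttpOnly flag, so page script (including injected script) can read it" % name)
    bits = id_entropy_bits(value)
    if bits < MIN_ENTROPY_BITS:
        findings.append("%s: at most %.0f bits of entropy, guessable" % (name, bits))
    return findings


def session_ids_in_urls(urls):
    """URLs that carry a session ID in the query string and would therefore leak it via Referer."""
    leaking = []
    for url in urls:
        params = parse_qs(urlsplit(url).query)
        if any(k.lower() in SESSION_NAMES for k in params):
            leaking.append(url)
    return leaking


def referer_for(current_url, send_referer_header=2, is_link_click=True):
    """Referer Firefox sends for a request made from current_url under network.http.sendRefererHeader."""
    if send_referer_header == 0 or (send_referer_header == 1 and not is_link_click):
        return None
    return current_url


if __name__ == "__main__":
    for header in SET_COOKIE_HEADERS:
        for finding in audit_cookie(header):
            print("cookie:", finding)
    for url in session_ids_in_urls(PAGE_LINKS):
        print("url leaks session id:", url)
        print("  referer an image host would see:", referer_for(url, 2, is_link_click=False))
        print("  with sendRefererHeader=1       :", referer_for(url, 1, is_link_click=False))
```

The entropy figure is an upper bound, not a measurement: a 16-character hex ID has at most 64 bits, and only if the server generated it from a proper random source. It catches the obviously bad case (a six-digit counter) without pretending to certify the good one.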

9.8. CSRF and XSS Attacks

Wikipedia defines CSRF as "a type of malicious exploit of a website whereby unauthorized commands are
transmitted from a user that the website trusts": an attacker's page makes your browser send a request to
a site you are logged into, and your browser helpfully attaches your session cookie, so the site carries
out the action as you. Cross-site scripting (XSS) is different: the attacker gets their own script to run
inside the vulnerable site's page, where it can read your session cookie or act on your behalf. I will
not go into much detail, because there are so many variants. Basically, these are two more ways an
attacker might be able to gain control of your session. On the browser side, I recommend the add-on
RequestPolicy: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/, which blocks cross-site
requests unless you allow them; NoScript (above) helps against XSS.
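
To show what a CSRF attack actually relies on, and what stops it, here is an added example (not part of the original guide or of any web framework) that models a change-email handler twice in Python: once trusting the session cookie alone, which a hidden form on another site can trigger, and once requiring a token derived from the session with an HMAC, which that other site cannot produce. The sessions, requests and SERVER_SECRET are all constructed for the example.

```python
"""The server-side fix for CSRF: a per-session token that a cross-site page cannot know.

Added example for this guide, not part of the original text or of any framework.
It models a tiny state-changing handler twice, once as the vulnerable version that
trusts the session cookie alone and once with a token bound to the session by HMAC.
Requests are plain dicts constructed here; SERVER_SECRET is a made-up key.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-example-secret-keep-out-of-source-control"
SESSIONS = {"8f3c1a9b7e2d4c6f": {"user": "alice", "email": "alice@example.org"}}


def csrf_token(session_id):
    """Token = HMAC(secret, session_id): deterministic per session, unforgeable without the secret,
    and useless for any other session, so a stolen token does not help against another victim."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, presented):
    """Constant-time comparison, so the check itself does not leak the token byte by byte."""
    return bool(presented) and hmac.compare_digest(csrf_token(session_id), presented)


def change_email_vulnerable(request):
    """Trusts the cookie alone: a hidden form on evil.example can submit this and the browser adds the cookie."""
    session = SESSIONS.get(request["cookies"].get("SID"))
    if session is None:
        return 401, "not logged in"
    session["email"] = request["form"]["email"]
    return 200, "email changed"


def change_email_protected(request):
    """Requires the token, which only a page served by this site (not a cross-site form) can embed."""
    sid = request["cookies"].get("SID")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if not token_is_valid(sid, request["form"].get("csrf_token")):
        return 403, "missing or bad CSRF token"
    session["email"] = request["form"]["email"]
    return 200, "email changed"


def forged_request(victim_sid, attacker_email):
    """What reaches the server when the victim's browser auto-submits the attacker's form."""
    return {"cookies": {"SID": victim_sid}, "form": {"email": attacker_email}}


def legitimate_request(sid, new_email):
    """The site's own settings page embedded the token in the form, so it is present."""
    return {"cookies": {"SID": sid}, "form": {"email": new_email, "csrf_token": csrf_token(sid)}}


def run_demo():
    """Status codes the two handlers return for a forged and a legitimate request."""
    sid = "8f3c1a9b7e2d4c6f"
    SESSIONS[sid]["email"] = "alice@example.org"
    results = {
        "vulnerable/forged": change_email_vulnerable(forged_request(sid, "attacker@evil.example"))[0],
        "protected/forged": change_email_protected(forged_request(sid, "attacker@evil.example"))[0],
        "protected/legit": change_email_protected(legitimate_request(sid, "alice@newmail.example"))[0],
    }
    return results


if __name__ == "__main__":
    print(run_demo())
```

The attacker's page can make the victim's browser send the cookie, but it cannot read the victim's pages (same-origin policy), so it never sees the token. That is also why an XSS hole on the same site defeats this defence: injected script runs inside the origin and can read the token, which is what NoScript and HttpOnly cookies are guarding against.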

9.9. Protect Browser Settings

No amount of configuration will help if malware on your machine is able to change your browser
settings. One popular attack is changing the browser's proxy settings so that everything is sent to a
third-party location instead of through Tor. Another example is software or malware changing your search
settings, so that you unknowingly type something into a search engine you did not mean to use. For this,
I would recommend BrowserProtect: https://addons.mozilla.org/en-US/firefox/addon/browserprotect/, which
protects your browser's settings and preferences from being changed. An add-on can only do so much
against malware running with your own privileges, though, which is why running the bundle in a virtual
machine, or using Tails, as described earlier in this chapter, keeps coming up.

9.10. DNS Leaks

Basically, a DNS leak is when a DNS lookup, and with it your public IP, goes out directly instead of through Tor. If any traffic leaks, a third
party monitoring your connection will be able to log your web traffic. There is a great how-to for Linux
found here: https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks. For Windows
users, I would block TCP port 53 on your firewall. Note that blocking port 53 will block ALL attempts from
any web browser, whether in Tor or otherwise. Also, I would change your DNS settings to localhost (taken
from Microsoft and Mintywhite, whatever that is):
Vista/7
1. Open Network Connections by clicking the Start button, clicking Control Panel, clicking
Network and Internet, clicking Network and Sharing Center, and then clicking Manage
network connections.
2. Right-click the connection that you want to change, and then click Properties. If you are
prompted for an administrator password or confirmation, type the password or provide
confirmation. Local Area Connection is usually the wired connection and Wireless is wireless.
For other adapters (dongles, etc.), you will have to right-click those or use the software
provided with the device.
3. Click the Networking tab. Under This connection uses the following items, click Internet
Protocol Version 4 (TCP/IPv4).
4. To specify DNS server address settings, do one of the following:
5. To specify a DNS server address, click Use the following DNS server addresses, and then, in
the Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary
and secondary DNS servers (127.0.0.1).
XP
1. Locate and open Network Connections.
2. Double-click your default Network Connection from the available list.
3. Click Properties.
4. Highlight Internet Protocol (TCP/IP) and click on Properties again.
5. To specify a DNS server address, click Use the following DNS server addresses, and then, in
the Preferred DNS server and Alternate DNS server boxes, type the addresses of the primary
and secondary DNS servers (127.0.0.1).

Furthermore, I would configure your browser to disable DNS prefetching:

Firefox
1. In the address bar, type about:config and press Enter.
2. Accept the prompt.
3. Type network.dns.disablePrefetch into the Filter field.
4. Double-click network.dns.disablePrefetch under Preference Name.
5. In the white box, enter True.
6. Click "OK" and close the about:config window.
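The about:config steps above are easy to get half-done. As an added check (an example script, not part of the original guide), the following POSIX shell script reads a Firefox profile's prefs.js or user.js and reports which of the four preferences this chapter recommends (the two referer settings, DNS prefetch, and the websocket setting mentioned under Extra) are still at their stock default; the profile path is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a Firefox profile's
# prefs.js (or user.js) for the about:config settings this chapter
# recommends, so you can verify the manual steps actually stuck.
# The file path is passed on the command line; the pref names below are
# the four the chapter mentions.

# Print the last value a prefs file assigns to a key, or nothing if unset.
# Lines look like: user_pref("network.dns.disablePrefetch", true);
pref_value() {
    prefs_file="$1"
    name="$2"
    grep -F -- "\"$name\"" "$prefs_file" 2>/dev/null \
        | sed -n 's/^user_pref("[^"]*", *\(.*\));[[:space:]]*$/\1/p' \
        | tail -n 1
}

# Compare each recommended pref with the file; a pref that is absent takes
# the stock Firefox default listed here (the defaults the chapter describes).
# Prints one line per pref and returns 1 if anything still needs fixing.
check_firefox_prefs() {
    prefs_file="$1"
    bad=0
    for spec in \
        'network.http.sendRefererHeader|1|2' \
        'network.http.sendSecureXSiteReferrer|false|true' \
        'network.dns.disablePrefetch|true|false' \
        'network.websocket.enabled|false|true'
    do
        name=${spec%%|*}
        rest=${spec#*|}
        wanted=${rest%%|*}
        default=${rest#*|}
        current=$(pref_value "$prefs_file" "$name")
        [ -n "$current" ] || current=$default
        if [ "$current" = "$wanted" ]; then
            echo "OK  $name = $current"
        else
            echo "FIX $name = $current (want $wanted)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use:  sh check_prefs.sh ~/.mozilla/firefox/<profile>/prefs.js
if [ -n "${1:-}" ]; then
    check_firefox_prefs "$1"
fi
```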

9.11. User Awareness, Accidents and System Updates

We are all human and therefore make mistakes; it is a simple fact of life. One of the most common mistakes
is accidentally searching for something in a web browser when it contains sensitive information.
Unfortunately, common user errors are not preventable and cannot be completely solved. You can
change the search provider to ensure it does not log your IP address in the first place, which should be
done regardless. For this I recommend DuckDuckGo: https://duckduckgo.com/privacy.html.

9.12. Limitations
When using Tor, people believe that all traffic is encrypted; this is not the case. It is a good idea
that people know when traffic will be sent in clear-text. As I said before, Tor works with many
applications including your instant messaging applications, remote logins and many other
applications based on the TCP protocol, but not the UDP protocol. Voice and video traffic are
examples of data that will likely be using UDP; this means they are generally not safe to
use. This includes programs such as Skype, Google Voice, ChatRoulette, or Omegle. Those
programs/websites (when using a webcam) will not be encrypted, and therefore provide no anonymity.

Even though I would not recommend it, you can send all traffic through a VPN and run the VPN through
Tor. Make sure to configure the VPN to use TCP traffic instead of the default UDP traffic first. Also
know that there will be extreme performance degradation when doing this, so you might not even
consider this feasible. For example, it is possible to configure OpenVPN to use TCP and set a proxy to 9150 to
run through Tor.

9.13. Extra
There are also more advanced features of Polipo that you could look into that offer additional security.
Polipo offers the option to censor given HTTP headers in both client requests and server replies. The main
application of this feature is to very slightly improve the user's privacy by eliminating cookies and some
content-negotiation headers. This can also be done in Firefox (about:config) by configuring the Header
and Referrer information.
As a number of HTTP servers and CGI scripts serve incorrect HTTP headers, Polipo uses a lax parser,
meaning that incorrect HTTP headers will be ignored (a warning will be logged by default). If the variable
laxHttpParser is not set (it is set by default), Polipo will use a strict parser, and refuse to serve an instance
unless it could parse all the headers. Recently, as per a new vulnerability, you should set
network.websocket.enabled to False.
If you are using Linux you can create rules in the firewall (iptables) to only allow traffic through Tor and
block everything else. Doing so ensures that nothing is accidentally leaked (traffic-wise). When using the
Tor Browser Bundle, or a computer that is multipurpose, I would recommend blocking UDP port 53. Port
53 is used for DNS, or Domain Name Service, and blocking it will ensure that your computer will not resolve websites
without going through Tor.
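As an added example (not code from the guide), here is a small POSIX shell script that generates the iptables OUTPUT rules for both settings described above and in the Linux part of 9.10: the strict "only Tor may leave the machine" setup, and the lighter "drop port 53 unless Tor sent it" setting recommended for a Tor Browser Bundle or multipurpose machine. It assumes Tor runs as the unix user debian-tor, and the strict mode assumes a torrc containing DNSPort 5353 and TransPort 9040 (example values, not taken from the page).

```shell
#!/bin/sh
# Added example, not part of the original guide: generate (and optionally
# load) iptables OUTPUT rules so that only the Tor daemon can reach the
# network, closing the accidental-leak path the guide describes.
#
# Assumptions (not taken from the guide): Tor runs as the unix user
# "debian-tor" (the Debian/Tails default), and for the tor-only mode the
# torrc contains "DNSPort 5353" and "TransPort 9040" (example port values)
# so that redirected lookups and TCP flows have somewhere to go.
TOR_UID="${TOR_UID:-debian-tor}"
TOR_DNS_PORT="${TOR_DNS_PORT:-5353}"
TOR_TRANS_PORT="${TOR_TRANS_PORT:-9040}"

# Print the rules for one of two modes:
#   dns-only  the guide's conservative setting for a Tor Browser Bundle or a
#             multipurpose machine: drop DNS (port 53) not sent by Tor
#   tor-only  everything except Tor is redirected into Tor or dropped
emit_tor_rules() {
    mode="${1:-tor-only}"
    cat <<EOF
# start from empty OUTPUT chains (filter and nat)
iptables -F OUTPUT
iptables -t nat -F OUTPUT
# loopback stays open: the Tor client listens there
iptables -A OUTPUT -o lo -j ACCEPT
# the Tor daemon itself may talk to the outside
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
EOF
    case "$mode" in
    dns-only)
        cat <<EOF
# nothing else may resolve names directly, over UDP or TCP
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
EOF
        ;;
    tor-only)
        cat <<EOF
# do not re-route Tor's own traffic or loopback connections
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
# hand DNS lookups and new TCP connections to Tor's DNSPort/TransPort
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_TRANS_PORT
# whatever is left (other UDP, ICMP, ...) goes nowhere; ip6tables needs its own rules
iptables -A OUTPUT -j DROP
EOF
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
}

# Load the rules; needs root. Review the dry-run output first.
apply_tor_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_tor_rules: must run as root" >&2
        return 1
    fi
    emit_tor_rules "$1" | sh -e
}

case "${1:-}" in
    --apply) apply_tor_rules "${2:-tor-only}" ;;
    "")      emit_tor_rules "${2:-tor-only}" ;;   # dry run: just print
    *)       echo "usage: $0 [--apply] [tor-only|dns-only]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the rules for review, and as root with --apply (optionally followed by dns-only) to load them.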

Chapter 10 _ Tails
Author: RogerNyght

This guide duplicates many topics that are already brilliantly covered by the Tails
documentation: https://tails.boum.org/doc/index.en.html. I urge you to read that! In
fact, my guide is not supposed to be a surrogate for the Tails documentation. It's also not
a pure walk-through. It's rather an explanatory article, showing you what Tails can do for you
and how.
This guide provides a complete solution for anyone trying to be as secure as possible for their
Tor adventures. That includes a secure operating system and encrypted storage for your files.
This section was created for Tails versions 0.12 - 0.14. Things might be different and functionality
might have changed since then.

Topics
This Chapter will cover the following topics:

Tails concept
Why can't I use Windows / Windows in a VM / Operating System XYZ?
How to choose strong passphrases
Requirements for Tails
First steps
Using Tails as a completely amnesic system
Using Tails with a persistent volume
Encryption of an external drive
How to mount a LUKS-encrypted volume in Windows
Secure deletion of a drive or partition
Using the persistent volume
Storing files on the persistent volume
More!

Tails is an operating system based on Debian/Linux. It's a live OS, meaning you don't install it to
a hard drive like Windows, but rather run it from DVD or USB stick. It is optimized for privacy
and anonymity.

10.1.1. Tails concept

Tails is explicitly built for people who need strong anonymity. Thus, it provides the following
features out-of-the-box:
1. Tor setup: You don't need to configure Tor yourself. Tails forces all connections to
go through the Tor network and blocks connections outside of Tor. This is a major
security advantage for the user - DNS leaks aren't possible and unmasking attacks
become much harder, especially compared to a vanilla Windows system using
TorBrowser. Tails also makes it easier to use other programs via Tor - Claws Mail for email and
Pidgin for IM are already installed.
2. Amnesic live system: Tails boots from DVD or USB stick. It is designed to run exclusively
in RAM: no traces are left on hard drives (i.e., caches, logs, etc.). By design, nothing is
written to a hard drive - unless you explicitly tell it to do so (for instance, saving a file to
your encrypted external drive). The combination of the two facts above enables you to
take your secure Tor environment with you - you can safely boot from your Tails stick on
a foreign PC (the only risks being surveillance cameras or hardware keyloggers). Also, you
can safely give away your PC for repairs: unplug your USB stick (and the optional
encrypted external drive), and there's nothing left connecting your PC to your Tor
activities. This is one of the big reasons never to mix regular Windows usage
(encrypted or not!) with your Tor activities. More on that in chapter 1.d.
3. Emergency exit: When push comes to shove, you just can't worry about deleting traces
of your running system. Tails makes it easy: press the shutdown button and it will
start the RAM wipe, which only takes about 10-20 seconds. You can even pull the
Tails USB stick out of a running system, which should trigger the RAM wipe as well. Wiping
RAM is better than instantly removing power from the PC - RAM can hold information
without power for some seconds, up to some minutes. Granted, retrieving
information from cold RAM is not the most probable attack vector, but that's the
reason for Tails' RAM wiping process.
4. Based on Free Open Source Software: Tails only includes software after reviewing its
source code. This is important for guaranteeing a secure OS. It also means that
installing additional software can break Tails' secure setup. More on that in chapters 7
through 9.

5. Included encryption tools: You don't need to install any encryption software yourself.
Tails provides:
a. LUKS encryption for hard drives
b. a Password / OpenPGP-key manager
c. an OpenPGP applet for text encryption
d. TrueCrypt (legacy support)

10.1.2. Why can't I use another OS / Windows in a VM?


Sure, you are free to do so. But there are always people asking questions of the kind: is it safe
to use program X with Tor, and how do I disable/delete Windows caches and traces? Especially
if you don't have a good understanding of how things work, you will struggle with your setup
and always worry about its security - rightfully so.
Tails, on the other hand, is already optimized for anonymous internet access and overall security.
Yes, you could achieve comparable security by other means, but Tails is the most fail-safe
option. Especially if you don't exactly know what you're doing, attempts to create a secure
Windows environment will fail at some point or another.

10.2.1. How to choose strong passphrases


There are several occasions that require you to choose a safe passphrase, especially for
encryption. Keep in mind that short, simple passphrases will be cracked in a short time. I
recommend a combination of these two approaches:
1. DiceWare method: http://world.std.com/%7Ereinhold/diceware.html
2. Mnemonic approach: http://youtube.com/watch?v=VYzguTdOmmU
Remember that you are not only trying to defeat brute-force attacks. A passphrase like
supercalifragilisticexpialidocious might be 34 characters long, but will be easily cracked with a
simple dictionary attack. That doesn't at all mean you shouldn't use dictionary words - but you
have to combine at least 5 random words, e.g. with the DiceWare method mentioned above,
creating passphrases that look like this: zen stunk ashley tipoff sudan gouda
This kind of passphrase is easy to type, easy to remember, yet hard to crack. For explanatory
details, read the DiceWare FAQ: http://world.std.com/%7Ereinhold/dicewarefaq.html

10.3.1. Requirements for Tails

Basic:
o PC with (at least!) 1GB of RAM
o DVD drive
Advanced:
o USB stick with (at least!) 2GB
o Ability to boot from USB (depends on motherboard. Any problems, just google
motherboard-name boot from USB)
o External hard drive for encrypted file storage

Note: I have heard about problems booting from Tails USB sticks on Mac laptops. You might
need a boot manager like rEFIt. http://refit.sourceforge.net.

10.4.1. First steps


1. Download the Tails disk image: https://tails.boum.org/download/index.en.html
2. Burn it to DVD. If you don't know how to burn a disk image, here's a how-to for every
OS: https://help.ubuntu.com/community/BurningIsoHowto
3. Boot from DVD
Now you should think about how you want to use Tails. There are two options.

10.4.2. Using Tails as a completely amnesic system


If you never intend to permanently save any files and just want to browse in Tor land, this is the
way to go. Out-of-the-box, Tails will not touch your hard drives. It stays completely in RAM.
Open amnesia's Home folder on the Desktop: anything saved in there will be wiped on
shutdown.
You can still make changes to Tails, like installing DownThemAll (Firefox-integrated download
manager) or adding software packages through apt-get, but everything will be lost after
shutdown.
If you use Tails this way, the big advantage is: no evidence at all. If you've decided that even
well-encrypted files are too much of a risk for you, this is the way to go. There's no recoverable
evidence of your activities, and no clean-up tools are needed. You can look at pictures, even download
files to amnesia's Home folder - they will be irrecoverably gone on shutdown. Using Tails
for this kind of surfing is far more fail-safe and easier than cleaning up a Windows machine
every day.

10.4.3. Using Tails with a persistent volume


If you want to do more with your Tails setup, you will need a USB stick to put a persistent
volume on. Installing Tails on a USB stick is best done within Tails; read the instructions here:
https://tails.boum.org/doc/firststeps/usbinstallation/index.en.html
Being able to boot from USB depends on your PC's motherboard - most can do it. You might
need to change BIOS settings; you will find that information on the web. Now that you have
booted from your Tails USB stick, you can create a persistent volume on its remaining space.
Instructions: https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html
Read closely which files or features can be made persistent. Especially the GNOME keyring and
the saved APT packages / APT lists can be very useful. I recommend enabling the Personal Data
option, which means that you can permanently store files on the encrypted portion of the stick.
It will be represented by the folder called Persistent. You might not want to use it for your main
storage due to the size of your USB stick - read on for how to set up an encrypted external drive.

10.5.1. Encryption of an external drive


I guess many of you use TrueCrypt. You can continue to use TrueCrypt on Tails - but not in the
long run. Right now, you'd have to enable TrueCrypt in the boot options:
https://tails.boum.org/doc/encryptionandprivacy/truecrypt/index.en.html
In future versions of Tails, TrueCrypt support will be dropped entirely (the reasons being license
issues and concerns about TC's somewhat closed development). Instead, you should use LUKS,
the Linux standard for disk encryption. It is easily configured through the GNOME Disk Utility.
You'll find the instructions here:
https://tails.boum.org/doc/encryptionandprivacy/encrypted_volumes/index.en.html
Make sure you choose a strong passphrase, as described in chapter 2. Note that Disk Utility
allows you to change the volume's passphrase at any time without re-encrypting the whole
drive. That's possible because of the two-layer encryption structure: there's a master key that
encrypts your drive, and your passphrase encrypts the master key. Should you change your
passphrase, only the master key will be re-encrypted.

10.5.2. How to mount a LUKS-encrypted volume in Windows


Although it's a Linux file system, there is a way to access it in Windows. If you ever feel the
need to access your drive in a Windows environment, use http://www.freeotfe.org. Not
recommended for various security reasons, but possible.

10.6.1. Secure deletion of a drive or partition


If you've decided to ditch your old Windows environment, it's important to destroy potential
evidence. Don't keep old drives that you used for downloading, viewing, or storing anything
illegal or incriminating. Overwriting such a drive once is sufficient. Don't waste your time with
35-pass methods. Read here why.
How to do it in Tails:
1. Identify the ID of your drive or partition
2. Open GNOME Disk Utility from the menu bar: Applications > System Tools > Disk Utility
3. Click on the drive you plan to wipe. It should look like this: click here
4. You find the ID in the line Device. In the case shown in the screenshot, it would be
/dev/sdb. A drive's ID always looks like /dev/sdX; a partition's ID always looks like
/dev/sdXY
Use the shred command in Terminal: shred is shipped with Tails; it does not have a GUI (Graphical
User Interface). You control it via the command line, which is called Terminal in Tails. In the
menu bar, click on the black item representing a command line prompt to launch Terminal.
The command shred -vf -n 1 /dev/sdX will overwrite the drive /dev/sdX once with random
data (-n 1), output progress info (-v), and force the overwrite (-f). The operation will
take some hours (500GB took me about 4-5 hours). BE CAREFUL. Make sure you identified the
right drive. Once overwritten, data is lost.
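Because there is no undo, the check worth having is one that refuses to run shred against the wrong target. The following is an added example (not the guide's own procedure): a small POSIX shell wrapper around the same shred -vf -n 1 command that only accepts an existing, unmounted block device and makes you retype the device path before anything is written; the device name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the guide: a guard around the guide's
# "shred -vf -n 1 /dev/sdX" that refuses anything that is not an unmounted
# block device and asks you to retype the path, since there is no undo.
# The device path is whatever you pass on the command line.

# Return 0 only when $1 is a block device with nothing on it mounted.
check_wipe_target() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "no such device: $dev" >&2
        return 1
    fi
    if [ ! -b "$dev" ]; then
        echo "not a block device (did you mean a /dev/sdX path?): $dev" >&2
        return 1
    fi
    # /proc/mounts lists the mounted device first on each line; matching the
    # prefix also catches partitions of a whole disk (/dev/sdb1 under /dev/sdb)
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    return 0
}

# Show what the device is, demand confirmation, then overwrite it once.
wipe_once() {
    dev="$1"
    check_wipe_target "$dev" || return 1
    echo "About to overwrite $dev ONCE with random data. Identity:"
    lsblk -o NAME,SIZE,MODEL "$dev" 2>/dev/null || true
    printf 'Type the device path again to confirm: '
    read -r confirm
    if [ "$confirm" != "$dev" ]; then
        echo "aborted, nothing written" >&2
        return 1
    fi
    shred -vf -n 1 "$dev"
}

# Stand-alone use (as root):  sh wipe_once.sh /dev/sdX
if [ -n "${1:-}" ]; then
    wipe_once "$1"
fi
```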

10.7.1. Using the persistent volume

If you've installed Tails on a USB stick, going to Applications - Tails - Configure persistent volume
will walk you through an installation wizard for the persistent volume. Make sure you choose a
strong password - read chapter 2.
Despite the Persistence feature, Tails will never work like the installed OS you are probably
used to. It will remain a live OS that can preserve some resources, but for the sake of security
and integrity, it can't be as comfortable as an installed OS. Go to Applications - Tails - Configure
persistent volume to take a look at the available options. You can sort the Persistence options
into four categories:
1. Persistent file storage (Personal Data)
2. Persistent configuration files for some Tails apps (e.g. Pidgin, GNOME Keyring, SSH
client)

3. Persistent software lists and software downloads (APT lists and APT Packages, read
chapter 8!)
4. Persistent directories (for instance, paths to configuration files for additionally installed
software - advanced!)
Items will be made persistent after a reboot. Any time you enable a Persistence feature, reboot
before using it.

10.7.2. Storing files on the persistent volume

This is the most basic option. It enables a persistent folder found in
/amnesia/Persistent/. Keep in mind that all other directories, for instance the Desktop, are still not
persistent. Due to USB sticks' limited capacities I don't recommend the Persistent folder as
your main storage. It's as secure as your password is, so you can use it for sensitive files though.
I, for one, only keep the following items in the Persistent folder:
o Backups of password keyrings and other important files
o Bookmarks
o Some notes and text files; stuff I want to have with me on the go
That's just an example; use the folder however you like. Just choose a strong password as
described in chapter 2.

10.7.3. Firefox bookmark management

You may have already noticed that a Persistence preset for the Firefox/Iceweasel browser is
missing. The main reason is that Tails wants to discourage you from changing anything browser-related, for security reasons. That makes sense, but also means that we have to sync
bookmarks manually.
Theoretically, you could make the bookmarks.html file, in which the browser stores
all bookmarks, persistent. For technical reasons, this is harder than it looks, because the profile's directory
changes on each launch of Firefox. Unless someone finds a better solution for this, we are left
with two options for the bookmarks problem:
o Use Firefox/Iceweasel's integrated Import and Backup feature:
1. create your bookmarks in Firefox/Iceweasel
2. go to Bookmarks - Show all bookmarks - Import and Backup - Backup
3. save this backup file in your Persistent folder
4. via the same menu, import this file the next time you boot Tails
o Keep the links in a plain text file (.txt), stored in the Persistent folder
1. this might look a bit puritan, but it's easier to handle.

10.7.4. The password manager - Passwords and Encryption Keys

The tool is found in System > Preferences > Passwords and Encryption Keys. It allows you to:
1. store passwords or logins in an encrypted keyring
2. create an OpenPGP key for encrypting mails
I want to focus on the first feature. You may be registered on several Tor sites. It's a hassle to
choose passwords that are both easy to remember and secure. That's why it might be a good
idea to use a password manager. Thus you can choose cryptic, ridiculously long logins, but only
have to remember the master password of your password manager. First, enable Persistence
for the GNOME Keyring. As always, this is done in Applications > Tails > Configure persistent
volume. Don't forget to reboot after making that change. Now you can create persistent
password keyrings.
To create a keyring:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Click File > New > Password Keyring, choose a name and password
To add a password to this keyring:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Click File > New > Stored password
3. Select your previously created keyring
4. For a description, use e.g. the site's URL or your account's name
5. Type or paste the password
To access a password:
1. Open the manager from System > Preferences > Passwords and Encryption Keys
2. Right-click on the keyring, Unlock
3. Double-click the password entry
4. Expand the password field and click Show Password
Creating a backup of the keyring: In case you lose your USB stick, it might be handy to have a
backup of your passwords. Keyrings are small files that you can store on some other encrypted
volume (for instance, your encrypted external drive, chapter 5.a). In case you need to recover
the backup, just put the files back into their original location.
1. Open a file browser window. Click Go > Location ...
2. In the address field, insert: /home/amnesia/.gnome2/keyrings and press Enter
3. You'll see your keyring(s) with the file extension .keyring
4. Copy those files to another (encrypted!) volume
Recovering a keyring backup:
1. Close the program Passwords and Encryption Keys if it's open
2. Go to your backup location, copy the .keyring file(s)

3. In the file browser, click Go - Location ...
4. In the address field, input: /home/amnesia/.gnome2/keyrings and press Enter
5. Paste your .keyring files into this folder
6. Restart Passwords and Encryption Keys
7. Your keyrings are back in place

10.7.5. Pidgin for IM/Chat/IRC

Pidgin is pre-configured for chatting through Tor. Many chat protocols are supported. If you
want your account settings to be permanent, enable the Persistence option Pidgin in
Applications > Tails > Configure persistent volume and reboot.
What's not safe to do:
o For anonymous chatting, don't ever log into any services that could be traced back to
you. That includes:
o services that may have personal information about you (name, address, phone,
email, real-life friends, etc.)
o services you previously logged into without Tor (always assume services log IP
addresses!)
What's safe to do:
o Using any of the supported chat protocols with accounts you created with Tor
and without giving personal information.
The TorChat plugin:
o Good news: The developer of TorChat has also created a TorChat Pidgin
plugin
o Bad news: it doesn't work on Tails. Same problem as with standalone
TorChat; read about that issue in chapter 8.d

10.8.1. Installing software: The basics


Keep in mind you should modify Tails only when necessary and to the minimum. The whole
point of Tails is to provide a safely configured system. Don't tamper with it. Read the warnings
here. Yet, you sometimes need something that's not included in Tails.
o Tails is Linux/Debian based. You can install software that's provided in Debian
repositories (or manually download a .deb file)
o You'll need admin privileges for any installation. That requires enabling More
options when booting, after which you can set an admin password. You don't
need an insanely strong password here, because it's not for encryption
o Installation is done either via Synaptic Package Manager (System >
Administration > Synaptic Package Manager), the Terminal command sudo apt-get
install, or by manually installing a downloaded .deb file (Terminal: sudo dpkg -i
/path/to/file.deb). The last option is only necessary for applications that are not
included in the usual Debian repositories
It is recommended to enable the following Persistence options (Applications > System tools >
Configure persistent volume):
1. APT lists
2. APT packages
APT lists are information about software, its versions and their availability. Once you trigger an
update of that list via sudo apt-get update, the list will be kept. APT packages are the
applications you download via sudo apt-get install or Synaptic Package Manager. Important:
ONLY the packages are kept, not the actual application installation or the application's
configuration. This means that you have to install your applications again on every boot. This
might feel cumbersome, but actually it is not.
Save a .txt file with the commands you need to run on every boot and paste them into
Terminal. You don't need to include sudo apt-get update, just append every application you
wish to install to sudo apt-get install. It could look like this: sudo apt-get install app1 app2 &&
sudo dpkg -i /PATH/app3.deb && app1. This line would do the following:
1. install app1
2. install app2
3. install app3 from local file
4. launch/initialize app1

Take a look at the syntax: with &&, you chain different commands, so you can put multiple
commands in one line. Obviously, all of the above is meant for advanced computer users.
Especially if you try to install a .deb file manually, so-called dependencies will come into play.
That means that to install the application, some other packages need to be installed to make it
work. This is also the case if you install via apt-get or Synaptic Package Manager, but in those
cases dependencies are handled automatically.

10.8.2. Recommended software additions


1. DownThemAll (via Firefox/Iceweasel)
2. gnome-screensaver (via apt-get)
DownThemAll: Tails strongly advises against installing browser plugins. You should run a vanilla
Iceweasel for three reasons:
1. Don't change the browser's footprint. You want to look like every other TorBrowser out
there
2. The plugin could contain malicious or buggy code
3. Don't risk messing up the browser's safe setup. You don't want anything to interfere
with TorButton or proxy settings, for instance
On the other hand, without a download manager, you'd lose the ability to resume unstable
downloads. Adding a download manager is on Tails' agenda; let's hope they do it soon. In the
meantime, I've chosen DownThemAll for the following reasons:
1. It is Free Open Source software
2. It completely runs within Iceweasel/Firefox (does not have its own proxy/network settings)
How to install DownThemAll:
1. Download the xpi-file from the developer http://www.downthemall.net/main/installit/downthemall-2-0-13/
2. Save it in your Persistent folder, so you don't need to download it for subsequent
installations
3. Drag it onto a running Iceweasel window, which will need to restart
Note: The fact you're saving a copy of DTA to your disk also means you should manually check
for updates once in a while.
gnome-screensaver (via apt-get): For some reason, Tails does not bring its own screen lock.
You should always lock the screen, even if you're just opening the door or feeding the dog.
Initial download and installation of gnome-screensaver:
1. Open a Terminal
2. Run: sudo apt-get update && sudo apt-get install gnome-screensaver && gnome-screensaver
3. To lock the screen, press CTRL+ALT+L or click Lock Screen in the menu bar's System tab
Subsequent installations of gnome-screensaver:
1. Save the following command to a .txt file in your Persistent folder, so you can easily
paste it into a Terminal window: sudo apt-get install gnome-screensaver && gnome-screensaver
2. Note the difference to the initial installation: we don't update the package list again
(apt-get update) and also, the package gnome-screensaver will not be downloaded
again if you've enabled the Persistence options for APT lists and APT packages. If you
need to chain multiple installations together, I wrote a syntax example in chapter 7.a

10.8.3. I2P / iMule (not recommended)


If you don't know anything about I2P, don't use it. You are most likely better off with Tor, so
just stick with that. iMule is an eMule clone based on the anonymous darknet I2P. Although
Tails is focused on Tor, it also ships with an I2P console. The following steps are just an
orientation for advanced users only.
1. You can start I2P from the menu bar: Internet > i2p
2. You'll need to enable the SAM bridge for iMule: I2P Console > I2P Services > Clients >
SAM application bridge
3. Restart the console
4. iMule depends on libcrypto++8 and python / wxgtk; install them
5. Install iMule (download here and take the i386 squeeze package)
6. Bootstrap with a nodes.dat; I took this
7. You should be up and running; wait for discovery of more clients.
8. iMule is slow anyway

10.8.4. TorChat (not working)


It's a pity, but TorChat is not shipped with Tails (Tails developers disagree with TorChat's
implementation). It is not impossible to get TorChat working with Tails. I got as far as:

installing TorChat
making the hidden service directory persistent

The major problem is the following: TorChat uses its own Tor instance - not the one that's
already running on the system. This conflicts with Tails' setup. It could be resolved by putting
TorChat in client mode, which forces it to use the system's Tor instance. That requires making
changes to Tails' torrc (Tor config), which I am not able to (safely) do. If somebody finds a safe
way, tell us. Remember, you actually don't want to make persistent changes to Tails' system,
especially the Tor setup.

10.9.1. File and folder handling in Terminal


For the most part, you can stick with the graphical File Browser. Some tasks, though, require the Terminal, for example joining a split file. Here are some of the more basic commands.

cd changes the directory. A Terminal window always starts at /home/amnesia/. For example, the command cd /home/amnesia/Persistent takes you to your Persistent folder. cd .. takes you one level up in the directory hierarchy, in this case back to the /amnesia/ home folder. You can also type cd and, before pressing Enter, drag a folder from File Browser onto the Terminal window to add its full path! Works with individual files as well.

ls lists all files and folders in the current directory. ls -a includes hidden files and folders.

cat is a utility to join files. Example: you download a split video, with parts named Video 1.avi.001, Video 1.avi.002, and so on. Steps to join the video:

1. Put all the parts of your video in one folder.
2. Open a Terminal window and jump to your video folder's path with: cd /path/to/folder/ (remember, you can drag the folder onto Terminal to add its path).
3. Run cat "Video 1.avi"* > "Video 1.avi" in Terminal.

Take a close look at cat's syntax to understand what it does: cat "Video 1.avi"* > "Video 1.avi". This command means that cat will look at all files whose names begin with Video 1.avi and put them all together in a single file called Video 1.avi. The asterisk works as a wildcard, just as in a file search. The quotes are necessary because the Terminal doesn't like spaces in file names. Before you delete the split parts, make sure that the joined file was created correctly. cat doesn't give feedback, and if a part were missing, it won't tell you.

That little file-joining operation should just serve as a tiny example of the command line's capabilities. If you spend some time exploring it and search on the internet for Debian/Linux-related tips, you'll get good use out of it, for example creating split .rar archives, encoding video clips and much more.
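A checked version of that join, added here as an example and not part of the Tails guide: the join_parts helper (a hypothetical name, not a Tails or coreutils command) refuses to overwrite an existing output file, stops on a gap in the part numbering, and compares the joined size with the sum of the parts, so a missing piece is caught before the originals are deleted.

```shell
# join_parts BASE: join BASE.001, BASE.002, ... into BASE and verify the result.
# Added helper for this guide (not part of Tails or coreutils); assumes the
# parts carry three-digit numeric suffixes as in the Video 1.avi example.
join_parts() {
    base=$1
    # "$base"* would also match an already existing output file, so refuse to clobber it.
    if [ -e "$base" ]; then
        echo "join_parts: $base already exists, remove or rename it first" >&2
        return 1
    fi
    # Walk the parts in numeric order and add up their sizes.
    n=1
    expected=0
    while :; do
        part=$(printf '%s.%03d' "$base" "$n")
        [ -e "$part" ] || break
        expected=$((expected + $(wc -c < "$part")))
        n=$((n + 1))
    done
    if [ "$n" -eq 1 ]; then
        echo "join_parts: no parts found for $base" >&2
        return 1
    fi
    # More numbered parts on disk than the walk reached means a gap in the sequence
    # (say .004 missing but .005 present); cat would silently skip it, so stop here.
    count=0
    for f in "$base".[0-9][0-9][0-9]; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    if [ "$count" -ne $((n - 1)) ]; then
        echo "join_parts: $count parts on disk but the sequence stops at $((n - 1))" >&2
        return 1
    fi
    # Join in explicit numeric order rather than relying on glob ordering.
    i=1
    while [ "$i" -lt "$n" ]; do
        cat "$(printf '%s.%03d' "$base" "$i")"
        i=$((i + 1))
    done > "$base"
    # cat gives no feedback, so compare the joined size with the sum of the parts.
    actual=$(( $(wc -c < "$base") ))
    if [ "$actual" -ne "$expected" ]; then
        echo "join_parts: size mismatch ($actual != $expected bytes), removing $base" >&2
        rm -f "$base"
        return 1
    fi
    echo "join_parts: $base assembled from $((n - 1)) parts, $actual bytes"
}
```

Run it from the folder holding the parts, for example join_parts "Video 1.avi"; a non-zero exit status means the join was not performed or was rolled back.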

10.10.1. General advice

- Don't lose your paranoia (don't feel totally safe with Tails). Paranoia keeps you thinking and aware.
- Using Tails does not magically make you safe for all eternity.
- Updating Tails whenever a new version comes out is crucial for maintaining a secure state.
- Don't screw with Tails.
- Don't make system paths persistent; that will prevent Tails from being properly updated.
- If you can avoid it, don't install additional software.
- Don't install browser plugins. At most, DownThemAll.
- Don't try and make Iceweasel/Firefox persistent. The potential ill effects outweigh the discomfort of adding DTA or bookmarks every time.
- Never leave incriminating files unencrypted on any drive. That includes your old Windows system, if you ever downloaded, stored or viewed incriminating files with it. So, please erase all drives that could still keep unencrypted incriminating files or traces. Read chapter 6 for a how-to. Better safe than sorry.
- READ the Tails documentation. Browse the Tails forum to see how other people resolve their problems.
- Unsure about something? Ask questions!


Chapter 11 _ Standard Acronyms

AES: Advanced Encryption Standard
AP: Access Point
ARP: Address Resolution Protocol
ASLR: Address Space Layout Randomization
AV: Anti-virus
BIOS: Basic Input Output System
CGI: Common Gateway Interface
CIA: Confidentiality, Integrity, and Availability
DBAN: Darik's Boot and Nuke
DCC: Direct Client to Client
DDoS: Distributed Denial of Service
DHCP: Dynamic Host Configuration Protocol
DLL: Dynamic Link Library
DLP: Data Leakage Prevention
DMZ: Demilitarized Zone
DNS: Domain Name Service
DoS: Denial of Service
DRAM: Dynamic Random-Access Memory
EXIF: Exchangeable Image File Format
FDE: Full Disk Encryption
FTP: File Transfer Protocol
GPG: GNU Privacy Guard
HIDS: Host Intrusion Detection System
HPA: Host Protected Area
HTTP: Hypertext Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
IRC: Internet Relay Chat
ISP: Internet Service Provider
JIT Hardening: Just in Time Hardening
JS: JavaScript
KB: Kilobyte
LAN: Local Area Network
MAC Address: Media Access Control Address
MBR: Master Boot Record
MD: Message Digest
MFT: Master File Table
MiTM: Man in The Middle
NAS: Network-Attached Storage
NIDS: Network Intrusion Detection System
P2P: Peer to Peer
PGP: Pretty Good Privacy
RAID: Redundant Array of Independent Disks
RAM: Random Access Memory
SHA: Secure Hash Algorithm
SRAM: Static Random-Access Memory
SSD: Solid State Drive
SSL: Secure Sockets Layer
TBB: Tor Browser Bundle
TC: TorChat/TrueCrypt
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
USB: Universal Serial Bus
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
WAN: Wide Area Network
WiFi: Wireless Fidelity
WPS: WiFi Protected Setup
XSS: Cross Site Scripting


Chapter 12 _ Download Links

Listed below are the programs that I mentioned throughout this guide and the associated links:

Truecrypt (Encryption) - http://www.truecrypt.org/downloads
WinRAR (Encryption) - http://www.rarlab.com/download.htm
GPG (Encryption) - http://gnupg.org/download/index.en.html
GPG for Windows (GUI) (Encryption) - http://gpg4win.de/index.html
Tor Browser Bundle (Internet Safety) - https://www.torproject.org/download/downloadeasy.html.en
TorChat (Anonymous Chat) - https://github.com/prof7bit/TorChat
Pidgin (Chat Program) - http://pidgin.im/
Tormail (Anonymous Mail) - http://jhiwjjlqpyawmpjx.onion/
Tails (Secure Operating System) - https://tails.boum.org/download/index.en.html
HashMyFiles (File Hash) - http://www.nirsoft.net/utils/hash_my_files.html
CCleaner (Privacy Eraser) - http://www.piriform.com/ccleaner/download/standard
PrivaZer (Privacy Eraser) - http://privazer.com/download.php
Bleachbit (Privacy Eraser) - http://bleachbit.sourceforge.net/download
DBAN (Secure Partition Delete) - http://www.dban.org/download
Blancco (Secure Partition Delete) - http://www.blancco.com/us/download/
UPX (Executable Packer) - http://upx.sourceforge.net/
SPLView (SPL File Viewer) - http://www.lvbprint.de/html/splviewer1.html
SPLViewer (SPL File Viewer) - http://www.undocprint.org/_media/formats/winspool/splview.zip
BatchPurifier (Meta Data Remover) - http://www.digitalconfidence.com/BatchPurifier.html
Exiv2 (Meta Data Viewer) - http://www.exiv2.org/download.html
Opanda IEXIF (Meta Data Viewer) - http://www.opanda.com/en/iexif/download.htm
Photoshop (Photo Editor) - http://www.photoshop.com/
Paint.Net (Photo Editor) - http://paint.net/
GIMP (Photo Editor) - http://www.gimp.org/downloads/#mirrors
USB Oblivion (Evidence Remover) - https://code.google.com/p/usboblivion/
Forensic Software Tools - 4.13 (DOWNLOAD PATHS NOT LISTED)
LOIC (DoS Attack Tool) - http://sourceforge.net/projects/loic/
TFN (DDoS Attack Tool) - http://packetstormsecurity.org/distributed/tfn2k.tgz
Stacheldraht (DDoS Attack Tool) - http://packetstormsecurity.org/distributed/stachel.tgz
Secunia PSI (Update Tool) - http://secunia.com/vulnerability_scanning/personal/
SuperAntiSpyware (Spyware Remover) - http://superantispyware.com/download.html
Comodo (Firewall) - https://personalfirewall.comodo.com/
Snort (IDS) - http://www.snort.org/start/download
BackTrack (Penetration Testing Tool) - http://www.backtrack-linux.org/downloads/
Wireshark (Packet Sniffer) - http://www.wireshark.org/download.html
Ethereal (Packet Sniffer) - http://ethereal.com/download.html
Omnipeek (Packet Sniffer) - http://www.wildpackets.com/
Dsniff (Network Auditing) - http://www.monkey.org/~dugsong/dsniff/
Cain and Abel (Various Tools) - http://www.oxid.it/cain.html
Etherape (Packet Sniffer) - http://etherape.sourceforge.net/
Netwitness Investigator (Packet Sniffer) - http://www.netwitness.com/
Kismet (Packet Sniffer) - http://kismetwireless.net/download.shtml
NetStumbler (Packet Sniffer) - http://stumbler.net/
Medieval Bluetooth Scanner (Bluetooth Scanner) - unknown manufacturer's page
CoreImpact (Penetration Testing) - http://www.coresecurity.com/
AirSnort (Wireless Hacking) - http://sourceforge.net/projects/airsnort/files/
CowPatty (Wireless Hacking) - http://www.willhackforsushi.com/Cowpatty.html
Reaver (Wireless Hacking) - http://code.google.com/p/reaver-wps/
