NMAP http-screenshot-html.nse with Windows

Chances are if you are reading this it is because you have been having a few issues with the http-screenshot-html NMAP .nse script, which can be found here: https://github.com/afxdub/http-screenshot-html.

This script is great: it lets you use NMAP (https://nmap.org/) to take screenshots of web pages. It is an updated / altered version of http-screenshot, which can be found here: https://github.com/breenmachine/httpscreenshot (both take some troubleshooting if you're using Windows, and probably on Linux too).

Most of the issues you will run into come down to a lack of documentation, so let me walk through the problems I found and how to get this tool working in Windows. If you are serious about using this script on Windows this guide could save you a lot of time.

  1. Big thing number 1: this script requires that you install wkhtmltopdf – http://wkhtmltopdf.org/

This will also install "wkhtmltoimage.exe", which is the binary the script actually calls. The default location is C:\Program Files (x86)\wkhtmltopdf.

  2. Ideally you already have NMAP installed on your system – if not go ahead and do that.
  3. Make "wkhtmltoimage.exe" reachable through your "PATH" variable, either by adding its folder to PATH or by copying the .exe into a folder that is already on PATH. If you don't know what PATH is, check out http://superuser.com/questions/284342/what-are-path-and-other-environment-variables-and-how-can-i-set-or-use-them.


If you did a normal install of NMAP, the installer already put the NMAP folder on PATH. So the easy option is to take your "wkhtmltoimage.exe" and copy it into C:\Program Files (x86)\Nmap.


  4. Next head on over to https://github.com/afxdub/http-screenshot-html/blob/master/http-screenshot-html.nse and copy the code into a local file (save it as http-screenshot-html.nse) so we can edit it. We have a few changes to make, here:

local cmd = "wkhtmltoimage --load-error-handling ignore --quality " .. imgquality .. " -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. outpath .. filename

And here:

cmd = "wkhtmltoimage --load-error-handling ignore --quality " .. imgquality .. " " .. prefix .. "://" .. host.name .. ":" .. port.number .. " " .. outpath .. host.name .. "-" .. filename


First, make sure that "wkhtmltoimage" is spelled correctly in those lines. If it is misspelled, or the binary is not on your PATH, you will see an error along the lines of "Verify that wkhtmltoimage is in your path".


What I would do here is remove that "-n". It is the short form of wkhtmltoimage's --disable-javascript switch, so with it in place any page that needs JavaScript to render is not captured properly; if wkhtmltoimage doesn't save JavaScript-rendered pages with http-screenshot-html, that is why. I also added explicit width and height parameters because they were needed to make the final results look nice and consistent. Lastly, if you are going to allow JavaScript you should tell the tool how long to wait for it with --javascript-delay, which takes milliseconds (6000 below is six seconds per page, which adds up over a big range). See below for what I would change those lines to:

local cmd = "wkhtmltoimage --javascript-delay 6000 --width 1024 --height 416 --load-error-handling ignore --quality " .. imgquality .. " " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. outpath .. filename


cmd = "wkhtmltoimage --javascript-delay 6000 --width 1024 --height 416 --load-error-handling ignore --quality " .. imgquality .. " " .. prefix .. "://" .. host.name .. ":" .. port.number .. " " .. outpath .. host.name .. "-" .. filename

By the way, if you were looking for the full list of wkhtmltoimage switches check here – I'm not sure why this isn't on their home page: http://madalgo.au.dk/~jakobt/wkhtmltoxdoc/wkhtmltoimage_0.10.0_rc2-doc.html

  5. Everything should be smooth sailing (if you're scanning large IP ranges see below). By default the images are saved to your NMAP directory, along with a "screenshot.html" document that lets you view them in a pretty sweet format.
  6. But wait! What if wkhtmltoimage freezes or gets hung up when using http-screenshot-html (or http-screenshot)? For Linux this guy here: https://www.pentestgeek.com/penetration-testing/using-nmap-to-screenshot-web-services-troubleshooting/ had a great idea of wrapping the call in a timeout. Unfortunately I could not figure out how to make the Windows equivalent work, and wkhtmltoimage has no timeout option built in.

What I did was create a batch script that periodically terminates wkhtmltoimage.exe. When the process gets killed the NSE script seems to just move on (or maybe it retries), but at least the scan doesn't stay hung. This is very useful when scanning very large IP ranges like a /16 or /8.

My script was as follows (save it as a .bat and run it as an administrator):

@echo off
cd /d C:\
:loop
timeout /T 3600 /NOBREAK
taskkill /F /IM wkhtmltoimage.exe
goto loop


Essentially this counts down for an hour and then forcefully stops wkhtmltoimage.exe if it is running (the assumption being that after an hour it must be hung), after which the scan continues and wkhtmltoimage gets launched again for the next host. The loop repeats until you close the window. Note that the kill is unconditional: whatever screenshot happens to be in progress at the hour mark is lost too. A healthy capture takes seconds, not an hour, so a shorter interval wastes less time per hang at the cost of a few more lost captures.
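Since wkhtmltoimage has no timeout switch of its own, here is a cross-platform alternative to the hourly kill: a small Python wrapper that runs wkhtmltoimage and kills it only if that one invocation exceeds a per-page timeout. This is an added example, not part of the original post or of the http-screenshot-html script; the file name wkhtmltoimage_timeout.py, the --timeout switch and the 30 second default are my choices, and it assumes python is on PATH. The cmd strings in the NSE script would then start with "python wkhtmltoimage_timeout.py --timeout 30 " instead of "wkhtmltoimage ". Keep the timeout comfortably above the --javascript-delay (which is in milliseconds).

```python
"""wkhtmltoimage_timeout.py: run wkhtmltoimage under a hard per-invocation timeout.

Added example; not part of the original post or of http-screenshot-html.
Usage (assumed layout):  python wkhtmltoimage_timeout.py --timeout 30 <wkhtmltoimage args...>
"""
import subprocess
import sys
import time

DEFAULT_TIMEOUT = 30.0  # seconds; must exceed --javascript-delay, which is in milliseconds


def run_with_timeout(argv, timeout_s=DEFAULT_TIMEOUT):
    """Run argv and return (status, returncode, elapsed_seconds).

    status is "ok" (exit 0), "error" (non-zero exit), "timeout" (child killed
    after timeout_s) or "missing" (binary not found, e.g. not on PATH).
    """
    start = time.monotonic()
    try:
        proc = subprocess.run(argv, timeout=timeout_s,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child (TerminateProcess on Windows,
        # SIGKILL elsewhere) before raising, so nothing is left hanging.
        return "timeout", None, time.monotonic() - start
    except FileNotFoundError:
        return "missing", None, time.monotonic() - start
    status = "ok" if proc.returncode == 0 else "error"
    return status, proc.returncode, time.monotonic() - start


def parse_args(args):
    """Split off an optional leading '--timeout N'; everything else is passed
    through to wkhtmltoimage untouched."""
    timeout_s = DEFAULT_TIMEOUT
    args = list(args)
    if len(args) >= 2 and args[0] == "--timeout":
        timeout_s = float(args[1])
        args = args[2:]
    return timeout_s, args


def python_cmd(code):
    """Stand-in child process (the current interpreter running `code`) so the
    wrapper can be exercised without wkhtmltoimage installed."""
    return [sys.executable, "-c", code]


def main(argv=None):
    timeout_s, rest = parse_args(sys.argv[1:] if argv is None else argv)
    status, rc, elapsed = run_with_timeout(["wkhtmltoimage"] + rest, timeout_s)
    sys.stderr.write("wkhtmltoimage %s after %.1fs (rc=%s)\n" % (status, elapsed, rc))
    # The NSE script only needs a zero/non-zero exit: a timeout is reported as a
    # failure so the scan moves on to the next host instead of hanging.
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run with an argument list that is too slow for the timeout (for instance `run_with_timeout(python_cmd("import time; time.sleep(30)"), 1)`) and the call returns "timeout" after about a second with the child already gone; a normal run returns "ok" with the binary's exit code, and a misspelled or non-PATH binary returns "missing", which is the same condition the NSE script reports as "Verify that wkhtmltoimage is in your path".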


  7. So time to actually run the script! Let's say you are looking to scan an internal IP range. The command would look something like this, with your target range appended:


nmap --script http-screenshot-html -n -p 80,443,8080 -Pn


-n for no DNS resolution, because resolving every address would take forever (or at least a lot longer)

-p 80,443,8080 because those are the most common ports you would find websites running on

-Pn skips nmap's host-discovery (ping) stage and port-scans every address as if it were online. Without it I saw a lot of IPs missed; running this script seems to confuse something or use too much memory, causing hosts to get lost, and with -Pn the results were much more accurate. The cost is that every address in the range is scanned, so large ranges take longer.


There are script arguments that can be used with this script, although I had some difficulty getting them to function. They seem to be primarily for convenience anyway, so I wouldn't be too concerned if they don't work for you either.


Make sure you are running Command Prompt as administrator (it may throw a few errors if you are not).


Hopefully this helped somebody – I know something like this would have saved me many hours troubleshooting the wkhtmltoimage / http-screenshot-html timeout in Windows, or why wkhtmltoimage wasn't saving JavaScript-rendered pages.

Adding the Secure Attribute on a Cookie


Chances are you arrived at this page because a security scan is requiring you to ensure that there is a "secure" attribute attached to all the cookies your application sets. You may ask: my application is using SSL already, so why do I need to force these cookies to be sent over SSL if that's all I am using? The quick answer is that the Secure attribute is what tells the browser never to send the cookie over plain HTTP. Without it, a single request to http://yourhost (a typed or bookmarked link, an http:// resource embedded in a page, or a request an attacker on the network injects) carries the session cookie in the clear, no matter how the application itself is configured. So it is worth fixing even on an HTTPS-only application, especially considering how easy it is to add. Fortunately this is fairly easy to remediate and most of the time can take place on the server side.



What we are looking to do here is to add a “secure” attribute to the cookies that are being sent in the response.


To add the secure attribute on cookies set by ASP.NET, or by an application on an IIS server, you should be able to simply edit the web.config. Find the line that says <httpCookies requireSSL="false" /> (under <system.web>) and change false to true; this sets Secure on every cookie ASP.NET issues and will satisfy your security scan. If you use forms authentication, the authentication ticket cookie has its own switch, <forms requireSSL="true" />, which needs to be set as well.

See: http://stackoverflow.com/questions/1442863/how-can-i-set-the-secure-flag-on-an-asp-net-session-cookie

Oracle Weblogic

For Oracle WebLogic it is likely that you are already seeing the WL_AUTHCOOKIE_JSESSIONID cookie with the "secure" attribute; that one is set by default. To add the attribute to the JSESSIONID cookie as well, add <cookie-secure>true</cookie-secure> inside the <session-descriptor> element of the web application's weblogic.xml deployment descriptor.


See: https://blogs.oracle.com/wlscoherence/entry/how_to_set_up_secure http://docs.oracle.com/cd/E23943_01/doc.1111/e14308/securecookies.htm#OMADM4243


Oracle iPlanet

To add the secure attribute to cookies in Oracle iPlanet, go to web-apps.xml; you will see an "is secure" attribute for the cookie in question. By default it is set to false; to fix, change it to true.

See: http://docs.oracle.com/cd/E19554-01/816-5689-10/war.htm


For Apache the fix varies a little bit. As a starting point make sure that mod_headers (mod_headers.so) is loaded. Once this is done, add the following to httpd.conf (or the relevant virtual host):

Header edit Set-Cookie ^(.*)$ $1;Secure

Two caveats. The regex appends ;Secure unconditionally, so a cookie that already carries the attribute ends up with it twice (browsers tolerate this, but a negative lookahead in the pattern avoids it). And plain Header edit only touches Apache's normal response-header table; use Header always edit Set-Cookie ^(.*)$ $1;Secure if cookies set on redirects or error responses (a login that answers 302, for example) must be covered too.

The edit action only exists in Apache 2.2.4 and later. On older versions mod_headers cannot rewrite an existing header at all: Header set Set-Cookie Secure, which some guides suggest for old versions, replaces the whole Set-Cookie value with the literal text "Secure" and breaks sessions. If you are fixing this on something older than 2.2.4… well, let's just say you shouldn't be on it; upgrade.

See: http://geekflare.com/httponly-secure-cookie-apache/
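To verify the remediation yourself (and to see what the Apache regex above actually does to a cookie that is already Secure), here is an added example in Python that audits Set-Cookie headers. It is not part of the original post or of ASP.NET, WebLogic, iPlanet or Apache. SAMPLE_HEADERS is a constructed response, not captured from a real server; fetch_set_cookies() is the only function that touches the network and is not used by the sample run.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; not part of the original post or of any of the products it
names. Works on header values you already have (for instance from "curl -I"),
so everything except fetch_set_cookies() runs offline.
"""
import http.client
import re

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly"),
    ("Set-Cookie", "WL_AUTHCOOKIE_JSESSIONID=XYZ789; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"),
]


def cookie_attributes(set_cookie):
    """Lower-cased attribute names of one Set-Cookie value, i.e. everything
    after the first name=value pair. Attribute names are case-insensitive."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def missing_attributes(set_cookie, required=("secure", "httponly")):
    present = cookie_attributes(set_cookie)
    return [attr for attr in required if attr not in present]


def add_secure(set_cookie):
    """Idempotent: appends '; Secure' only when the attribute is absent."""
    if "secure" in cookie_attributes(set_cookie):
        return set_cookie
    return set_cookie.rstrip("; ") + "; Secure"


def apache_header_edit(set_cookie):
    """What `Header edit Set-Cookie ^(.*)$ $1;Secure` does to one header value:
    it appends unconditionally, so a cookie that already has the attribute
    ends up carrying it twice."""
    return re.sub(r"^(.*)$", r"\1;Secure", set_cookie)


def apache_header_edit_idempotent(set_cookie):
    """The same edit guarded by a negative lookahead, a no-op when Secure is
    already present."""
    return re.sub(r"(?i)^((?:(?!;\s*Secure\b).)*)$", r"\1; Secure", set_cookie)


def audit(headers):
    """headers: iterable of (name, value) pairs, duplicates preserved.
    Returns {cookie_name: [missing attributes]} for every Set-Cookie header."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            report[cookie_name] = missing_attributes(value)
    return report


def fetch_set_cookies(host, path="/", port=443):
    """Live check (network). http.client is used rather than urllib so that
    redirects are NOT followed: login flows often set the session cookie on a
    302, and that is the response you need to inspect."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("GET", path)
    return conn.getresponse().getheaders()


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print("%-28s %s" % (cookie, "OK" if not missing else "missing: " + ", ".join(missing)))
```

For a live target, pass the result of fetch_set_cookies("www.example.com", "/login") straight into audit(); anything reported as missing "secure" is exactly what the scanner flagged.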

Cyber Espionage / Spyware Tools



Technology has worked over the years to bring about a safer and more secure way to live our lives. Technology, on the other hand, can also bring some downsides. The age of technology has brought various espionage tools with capabilities that were never before obtainable. Illegal technological espionage tools work to diminish citizens' trust in computer systems and devices. This paper discusses several of these tools and what they actually do to be considered "spying" tools. It also discusses why citizens lose trust in their personal computer security because of them.

First, the malware named Careto is discussed. This is a type of malware that essentially siphons data to people to whom the data does not belong. Its authors appear to be Spanish-speaking, and it targeted governments as well as government-type institutions ("Kaspersky Lab..", 2014). This particular malware sends documents, as well as encryption keys and configuration keys, to the attackers ("Kaspersky Lab..", 2014). The threat is thought to be very advanced, and likely sponsored by some sort of governmental agency because of how professionally parts of the program are constructed. This is best explained by a quote from Costin Raiu, the director of the Global Research and Analysis Team at Kaspersky Lab:

"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups." ("Kaspersky Lab..", 2014)

As mentioned above, the malware Duqu is very similar to Careto, with a few exceptions. Obviously, as the quote notes, Duqu is not as extensively written as Careto is believed to be. At the same time, Duqu is also believed with about 70% confidence to have been written by a government of some sort (Rapoza, 2011). This malware is also believed to be very similar to the well-known Stuxnet worm that attacked centrifuges at Iran's uranium-enrichment facility. This is believed because of the design of the malware as well as the structural similarities between the Duqu and Stuxnet code (Rapoza, 2011). Duqu essentially works to "spy" on its targets, who in this case appeared to be chosen mostly at random (Rapoza, 2011). The malware collects data, although it is unclear why some of the data gathered is being gathered. It has a keylogger function as well as other basic data-mining capabilities, although why it was created is still unclear.


These two examples of malware appear to be government sponsored. This is of great importance for numerous reasons. The first and most obvious is that this malware is professional. It was not created by a script kiddie, an unskilled attacker simply using pre-fabricated tools. Its authors were likely professionals, and the personal security of average users is therefore at greater risk. Script kiddies may diminish personal computer security, but it is fair to say that professionals do so at a very different level.

Next comes the notion that these attacks are in fact attacks by other governments, which raises a whole new field of questions. Physical war, or physical spying in some cases, can be interpreted as terrorism or as an act of war. If the two pieces of malware mentioned above are in fact government sponsored, it is likely that no government will ever come forward because of the response it would likely receive from other governments. Citizens will lose great trust in their devices as well as in their government should they feel that they are being constantly monitored. Private spyware has its own place among malware, and at times is equally destructive if not more so.

There are also various remote administration tools available to script kiddies (as opposed to professional hackers). This type of malware is known as a RAT. The acronym literally stands for remote administration tool, but the potential for harm with these tools is alarming. A very common example is a tool named Back Orifice.

RATs such as Back Orifice can do practically everything that a normal user on a computer can do; the remote administration part of the name literally means remote control of the computer. These Trojans can be delivered in various ways, including email links and downloads of tainted files. An attacker with minimal skill can log into the interface, which is normally graphical, and perform various tasks. These can include flipping the screen, formatting drives, emailing files, turning off systems, and again anything that the user of the system can do (Rouse, 2009). Some remote administration tools also have the ability to black out screens and display chat messages to the users.

These tools are the ultimate form of spying on users, as the person operating them literally has access to everything the victim does. RATs used for illegal purposes really do diminish users' trust in the security of their systems, for the reasons mentioned above. Fortunately, the majority of these tools are caught by antivirus before they can harm individuals. If a citizen is affected by such a tool, however, the distrust as well as the harm done may be hard to repair depending on what actually occurred.

Lastly, mobile spyware is a new and growing attack vector for malware authors. In today's age, with cell phones faster than the computers of 20 years ago, spyware for cell phones is a real issue. Similar to a RAT, there is malware named FinFisher that allows remote control of a cell phone. Normally users are infected by opening web links that exploit browser vulnerabilities (Cooney, 2012). They could also open a text message disguised as some type of system update (Cooney, 2012). This sort of tool has consequences very similar to those of the RATs discussed above for computer systems.

Other types of mobile spyware include malware known as Loozfon. This malware again affects cell phones and works to steal information from the phone's address book as well as the device's phone number (Cooney, 2012). Normally it is introduced by users clicking work-at-home links they received in email (Cooney, 2012).

Paid spy apps should also be mentioned, such as Mobile Spy. This application is available for iPhone, Android and BlackBerry phones and exposes practically every sort of information available on them. This particular software costs $49.97 for three months, but what it can do is extraordinary. Not only can you view the screen as the user sees it, but you can read every text message and iMessage, see watched YouTube videos, get the GPS location, the call log, email, contacts and installed apps, block applications, and much more (iPhone Spy Software, n.d.). The potential for harm from this information should not need to be spelled out: should someone install this application on an unsuspecting person's cell phone, the data retrieved could prove of great value to the attacker.

Mobile devices are an extremely important factor in how citizens judge their security. Should a citizen's personal cell phone be compromised, it is more than likely that they will not trust the device as fully as before; they may feel that what they do on their own device is being monitored. Mobile security issues are only going to increase and are therefore very important to keep an eye on.

Spying using technology can be done by governments as well as by average users. Where technology is concerned, this spying is usually done with malware; the victims, however, can vary greatly. Governments have always spied on other governments, or at least attempted to, and when governments have the ability to spy on each other via malware, it appears that they will, or at least can. Individual users can be spied on; likewise, individual users can be the ones doing the spying. The domains in which spying occurs range from government institutions all the way to a personal cell phone. This type of spyware is not going anywhere anytime soon; then again, neither are the antivirus companies. Spying on citizens or even governments using malware will likely cause as many trust issues as physical spying.



Cooney, M. (2012, October 12). FBI warns Loozfon, FinFisher mobile malware hitting Android phones. Network World. Retrieved July 20, 2014, from http://www.networkworld.com/article/2223327/security/fbi-warns-loozfon–finfisher-mobile-malware-hitting-android-phones.html

iPhone Spy Software. (n.d.). Mobile Spy iPhone Monitoring App. Retrieved July 20, 2014, from http://www.mobile-spy.com/iphone.html

Kaspersky Lab. (2014). Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers. Retrieved July 20, 2014, from http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers

Rapoza, K. (2011, October 21). 'Duqu' Virus Likely Handiwork Of Sophisticated Government, Kaspersky Lab Says. Forbes. Retrieved July 20, 2014, from http://www.forbes.com/sites/kenrapoza/2011/10/21/duqu-virus-likely-handiwork-of-sophisticated-government-kasperky-lab-says/

Rouse, M. (2009, October 1). RAT (remote access Trojan). WhatIs.com. Retrieved July 20, 2014, from http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan

Issues with Bitcoin



This article analyzes the Bitcoin network as well as the issues that have arisen for both law enforcement and private citizens, from money laundering to the different types of Bitcoin-related malware. How the Bitcoin network operates is discussed in depth, explaining the public and private keys behind a Bitcoin address and how they relate to each other. Bitcoin wallets, Bitcoin mining and the Bitcoin block chain are all covered in depth. A summary of how the Bitcoin system works, as well as an overview of its issues and prospects, is provided. The value of a bitcoin is discussed, as well as places to spend bitcoins. This paper also examines instances of failed bitcoin exchanges such as Mt. Gox. Likewise, it examines why the bitcoin currency is viewed negatively by many people because of "dark web" websites such as the notorious Silk Road or the Sheep Marketplace.

Key Words:  Bitcoin, bitcoin, block chain, mining, bitcoin wallet, bitcoin mining, Cryptolocker, cryptocurrency

The purpose of this paper is to inform the reader not only of what the Bitcoin currency network is and how it operates, but also of the struggles and concerns this cryptocurrency has created. A cryptocurrency is a currency that relies on cryptography and mathematics rather than physical tokens: its units are entries in a ledger secured by hashes and digital signatures, which is covered in more depth later. This paper will analyze the Bitcoin network and how the concept works, the legal concerns, and various other issues caused by an anonymous currency on the internet.

Bitcoin is a currency that exists solely in the digital world. As a brief overview that will be expanded later, the Bitcoin system consists of a wallet, the block chain, private keys and mining. The wallet is where the user holds, receives and sends bitcoins. A wallet address works somewhat like an email address, except that a new address can be used for every payment for security and privacy. The block chain is where transactions are recorded and confirmed; it is a public ledger of all transactions, and it is what lets a wallet verify that the bitcoins it receives are legitimate. Private keys are used to sign transactions, proving that the person spending the bitcoins is their owner. Mining is the process that confirms those transactions: it keeps the block chain in order and secures it cryptographically ("How Does Bitcoin Work,").

Many criminals, as well as ordinary private parties, want an anonymous currency whose purchases cannot be traced back to the buyer. For the former the purpose is obvious; for the latter it is a matter of privacy. These are a few of the reasons many people want such a currency.

Credit cards, bank accounts, PayPal accounts: nearly every kind of account holding a monetary balance has a name and address attached to it. Sure, there is cash, but cash has to be physically handed to a person to transfer value. In the cyber age, that limitation creates its share of problems. One solution is bitcoin. The word-for-word description of Bitcoin from its website is below:

"Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system." ("Bitcoin")

The idea of bitcoin, simply put, is a currency that is not linked to a name or address. It is also important that there is no central authority. Everything is open source, which gives users the comforting view that their money is in fact their money; there is no fear of institutions collapsing or needing to be bailed out. Bitcoin is the first decentralized digital currency that can be used practically worldwide. In 2013 its economy was worth more than $1 billion USD, and it has since grown greatly (Brito, 2013); in 2014 the Bitcoin economy is worth close to $15 billion (Gewirtz, 2014).

So what exactly is Bitcoin? First, it is important to acknowledge the difference between "bitcoin" and "Bitcoin." Capitalized Bitcoin refers to the network and software that allow the lowercase bitcoin currency to operate; lowercase bitcoin is the currency itself (Bustillos, 2013). Yes, bitcoin is its own currency. The bitcoin price changes regularly depending on many factors, including how many bitcoins have been mined and how many are being spent. Details on mining and spending are discussed later.

Bitcoins can be spent in whole or in part, so some users hold less than one bitcoin, which is helpful for small purchases. When a purchase is made with bitcoin, the transaction is recorded in what is known as the block chain. The block chain is essentially an audit trail of where every bitcoin has gone and ended up, and it ensures that the bitcoins being spent are real and have not already been spent (Kumar, 2013). Again, the Bitcoin system is open source, which is where Bitcoin miners come in. Miners are people who use their computer systems (normally with advanced GPUs or purpose-built mining hardware) to extend and verify the block chain, making sure the transactions that occur are valid. Miners are paid in newly created bitcoins, plus the transaction fees attached to the transactions they confirm, which are paid by the sender of each transaction (Kumar, 2013).

As for how many bitcoins there are: every block currently creates 25 new bitcoins. A new block is found approximately every 10 minutes by the miners mentioned above, who race to solve a proof-of-work puzzle (finding a block hash below a target) for that block. Whichever miner solves it first is rewarded the 25 bitcoins from the block they created (Vance, 2013). The reward halves every 210,000 blocks, roughly every four years; the drop from 25 to 12.5 bitcoins per block was expected in 2016 or 2017. There is a cap of 21 million bitcoins that will ever be created; once 21 million are in circulation there will be no more. Because of the concern that miners will stop mining once the last bitcoin is created and the Bitcoin network will fail, miners are also rewarded with transaction fees for verifying transactions, which is intended to solve this (Brito, 2013).

As for bitcoins themselves, they are exactly what they sound like: bits, entries in the block chain rather than files on a disk. What a user actually holds is a key pair: a private key and the matching public key (ECDSA keys on the secp256k1 curve). The hash functions used are SHA-256 and RIPEMD-160. Hashing the public key (SHA-256, then RIPEMD-160, then Base58Check encoding with a version byte and a four-byte checksum) produces the address that other people pay into. A public key commonly looks like the following:

"0450863AD64A87AE8A2FE83C1AF1A8403CB53F53E486D8511DAD8A04887E5B23522CD470243453A299FA9E77237716103ABC11A1DF38855ED6F2EE187E9C582BA6" ("Technical background of,")

The address derived from that public key is "16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM" ("Technical background of,"). The private key is a separate 256-bit secret that is never published. To spend the bitcoins at an address, the owner signs the transaction with the private key and reveals the public key; every node can then verify the signature against the public key and check that the public key hashes to the address, without ever seeing the private key. The checksum built into the address also lets wallets reject a mistyped address before any money is sent.

To receive bitcoins in the first place the owner needs to set up a wallet, which is where the bitcoins are then held. To obtain bitcoins you either sell something in exchange for them or purchase them through a bitcoin exchange (Kumar, 2013). The wallet's address is what tells a sender where to send the bitcoins. There are many mobile wallet applications as well, for added mobility, partly because the Bitcoin system is open source and available to the public to help advance the network.

In today's market a bitcoin is worth about $460 (USD). This value changes quite drastically and has seen quite a few swings in the past few years. On October 5th 2009, $1 USD was the equivalent of 1,309.03 bitcoins ("History,"). At today's price that dollar's worth of bitcoins would be worth over $600,000, which shows the sheer growth in not only popularity but also value. The price has at times exceeded $1,000 per bitcoin.

Bitcoins can be spent on many different websites. OkCupid, BitMit, Reddit and many other legitimate websites accept bitcoin for their products and services. Domain hosting, VPN services, electronics, or just about anything can be purchased with bitcoins. There are many online services that exchange bitcoins for cash for a fee, and many websites that accept bitcoin as a payment method. There are also organizations such as BitSpend that act as a middle man for online purchases: a Bitcoin user sends a link and description of an item they want and pays the company in bitcoins, and the company uses its own credit card to make the purchase, for a fee (Adinolfi, 2013).

Bitcoin has been the center of media attention largely because of the anonymity of the people using the currency. Like physical cash, there is no name, address or IP address attached to a payment. Unlike cash, every transaction is recorded publicly in the block chain, but only under addresses, which are hashes of public keys and are not tied to an identity. A whole array of suspicious websites has sprung up around the idea of anonymous payments. These websites can be thought of as the underground of the Internet, the digital equivalent of a back alley where cash is the only currency.

There are also websites that sell clearly illegal items, such as the notorious Silk Road or the less well-known Sheep Marketplace. Both are known as "deep web" or dark net websites. A quick Google search will bring up plenty of information about these two. They are websites that are not easily accessible and cannot be stumbled onto accidentally: they are not indexed by search engines and therefore are not easily found. When the average user uses the Internet they are looking at the surface web, not these harder-to-find pages (Pagliery, 2014). These sites require the Tor browser and are reached through .onion hidden-service addresses rather than ordinary domain names, which makes it unlikely that anyone not looking for a given site will stumble upon it. A lot of websites residing in the deep web allow payment in bitcoins, and many of them sell illegal goods.

The Silk Road was a website notorious for using bitcoins to let sellers sell anything they wanted. Anything. Authorities arrested Ross Ulbricht in connection with the Silk Road website and seized over $28 million worth of bitcoins from his computer. Those bitcoins are now worth over $130 million and will likely be forfeited because they are seen as the proceeds of crime (Brandom, 2014). The website used a bitcoin tumbler to make buyers and sellers even harder to identify. It is believed that at the time of the Silk Road between 4.5 and 9% of bitcoins in circulation were being used on the site, which gave bitcoin a sour reputation because of the website's illegal activity (Nicolas, 2013).

A popular issue that arises with bitcoins is that there are no chargebacks or other such regulatory protections because, simply put, there is no regulatory committee of any kind. Debit cards, credit cards, PayPal, checks, nearly every sort of transfer of monetary value has some sort of policy to remedy issues that occur when things don’t quite work out the way the buyer expected. For example, if the buyer didn’t receive the product, the agency that processed the payment would force a refund. At the same time, this is why credit card companies and other such exchanges have fees, whereas Bitcoin transactions have either a small fee or none at all. Once a bitcoin is sent there is no return, which opens the door to scams as well as other unethical scenarios.

There have been many issues with bitcoin exchanges in the past. This is not a direct reflection on the Bitcoin network, but rather on the exchanges that offer bitcoins for sale. The EBA, or European Banking Authority, warns citizens about exchanges because of known hacking that has occurred as a direct result of the exchanges either not working as advertised or being attacked by third parties. Many people have lost substantial amounts of money, especially because there is no real guarantee that you will get your money or bitcoins back (EBA, 2013). These exchanges are not banks, and thus they have no insurance; this is different from America, where citizens have the FDIC. If a Bitcoin exchange fails, the customer is most of the time out of luck. An example of this is Mt. Gox, which was the world’s largest bitcoin exchange. It was hacked, lost $400 million worth of bitcoins, and was forced to file for bankruptcy. Most of its customers were US citizens and lost a lot of money and bitcoins because of the supposed hacking, although what exactly happened to the bitcoins in this case is still a mystery. The CEO, Mark Karpeles, is supposed to appear in court on April 17, 2014 (Hals, 2014).

The Sheep Marketplace website mentioned above (the one that specialized in the sale of illegal goods) was believed by some to be a scam in itself. The administrator posted a note saying that they had been hacked and were therefore going to shut down. It is estimated that the equivalent of about $100 million in bitcoins was taken. This website shot up in popularity after the ever popular Silk Road website was closed down. Regardless of whether this was in fact a scam, as many believe, many people lost money (even if they were engaging in illegal sales of contraband). This is yet another example of how trusting websites with bitcoins can prove to be risky (Wheatley, 2013).

There is a serious issue with malware related to bitcoins. Many websites take advantage of the viewer’s computing power for their own personal gain in the Bitcoin mining process.

For example, www.bitcoinplus.com/miner/embeddable provides a plug-in that allows users to add a script to their website for Bitcoin mining. These plug-ins are scripts that can be added to websites so that the viewer’s computer is used for the website’s mining purposes. This is just one of many tools used for this kind of mining. Obviously this is an inconvenience to many website viewers, as it slows their computers by using their CPU and GPU for the website’s own benefit.



Aside from malware used for mining, there is also malware that works to actually steal bitcoins. There are about 150 known pieces of malware that steal information from various types of Bitcoin wallets on a system (Hajdarbegovic, 2014). This number has increased drastically since last year, when there were only about 45 known malware strains that targeted bitcoins on a person’s system. This malware generally works by searching a computer for Bitcoin wallet software and uploading the content to a remote server for analysis by the malware owner. Just recently a strain known as the Pony Botnet was able to steal $220,000 worth of bitcoins from 30 different types of wallets. Upward of 99% of bitcoin malware is targeted at Windows machines (Hajdarbegovic, 2014).

There are also various types of ransomware that use the bitcoin currency. This has its benefits for obvious reasons, most importantly the anonymity of the currency. It is not exactly possible to ask for cash through computer blackmail, but the bitcoin equivalent is appealing to many cyber criminals. An example of such malware is Cryptolocker. This malware is normally spread via email that looks legitimate, and once run it encrypts an entire hard drive. It then displays a countdown demanding a ransom in bitcoins to remove the encryption. Once the countdown runs out, all data on the computer is deleted. Fortunately, once the bitcoins are sent, the drive is decrypted. A police station in Massachusetts had a computer that was infected and as a result was forced to pay the ransom of 2 bitcoins, a substantial amount of money (Gibbs, 2013). Unfortunately, because of the type of payment, the criminal was not caught.

Just recently the Internal Revenue Service determined that bitcoins are not a currency but rather property. Similar rules apply to bitcoins as to stock in a business: if a bitcoin is purchased and then sold for more, the IRS is owed tax on that transaction because a percentage profit occurs as a direct result of the bitcoin (Hern, 2014).

The more people use the Bitcoin system, the more worried politicians and law makers are about people evading taxes. Essentially this is the same idea as using cash as a currency: it is very hard to trace, and therefore laundering is very easy. Likewise, a simple flash drive could hold millions of dollars of key codes for these bitcoins. Transactions that occur with bitcoins are irreversible. Once they are done they are done. There would be no simple way for the United States government to ban the trading of bitcoins, because the IRS determined bitcoins were property, and to ban the trading of bitcoins would be to deprive people of their property (Mick, 2013).

Although the United States seems to have strict concerns regarding the bitcoin currency, in reality it is one of the more Bitcoin friendly nations. China, for example, just recently banned the purchase of bitcoin currency. In China’s case it is their currency, the yuan, that may no longer be used to purchase bitcoins (Kelion, 2013). This is explained by Bobby Lee, the chief executive of BTC China:

“We essentially got notice from our third-party provider today that they will discontinue accepting payments for us and new deposits. We’re still operating a Bitcoin exchange in China legally, and we’re still allowing people to deposit and withdraw Bitcoin, and withdraw renminbi [yuan].” (Kelion, 2013)

This country’s actions resulted in many users selling their bitcoins for fear that other countries would stop the sale of bitcoins and eventually lead to the demise of the currency. Not just Bitcoin exchanges in China were affected, which shows the universal effect that one country’s action can have on the Bitcoin market and demonstrates the risk of engaging in bitcoins. The value of one bitcoin dropped from about $717 to about $480 after the news of the Chinese decision to no longer allow the yuan to purchase bitcoins in their country (Kelion, 2013).

In conclusion, the Bitcoin network consists of bitcoins that are used as a digital currency with no central authority. These bitcoins are used as a crypto-currency, making them hard to trace, as users do not need a name or address attached to their accounts. This being the case, there is a lot of concern from law enforcement because this currency is essentially untraceable as far as who owns which bitcoins. Taxes, money laundering, chargebacks, country policies, theft, user protection, and malware are just some of the many issues affecting the use of bitcoins and the Bitcoin network. The system of anonymity makes bitcoins the currency of choice for criminals because of the ease of the system and the security they feel in anonymity. The Bitcoin economy is large enough to be around for much longer, and is continually growing. The next few years of digital currency will prove to be interesting for criminals, sellers, buyers, and law enforcement alike.




Adinolfi, J. (2013, October 25). Where to spend your bitcoins. Retrieved from http://bitcoinmagazine.com/2651/where-to-spend-your-bitcoins/

Bitcoin. (n.d.). Retrieved from https://bitcoin.org/en/

Brandom, R. (2014, January 16). US attorney seizes $28 million in bitcoin from the Silk Road server. Retrieved from http://www.theverge.com/2014/1/16/5316948/us-attorney-seizes-28-million-in-bitcoin-from-the-silk-road-server

Brito, J. (2013). Bitcoin: A primer for policymakers. Retrieved from http://mercatus.org/sites/default/files/Brito_BitcoinPrimer.pdf

Bustillos, M. (2013, April 2). The bitcoin boom. Retrieved from http://www.newyorker.com/online/blogs/elements/2013/04/the-future-of-bitcoin.html

Donny. (2013). Retrieved from http://www.bitcoinplus.com/miner/embeddable

EBA. (2013). Warning to consumers on virtual currencies. Retrieved from http://www.eba.europa.eu/documents/10180/598344/EBA Warning on Virtual Currencies.pdf

Gewirtz, D. (2014, January 21). Want to make money mining bitcoins? Criminals have you beat. Retrieved from http://www.zdnet.com/want-to-make-money-mining-bitcoins-criminals-have-you-beat-7000025361/

Gibbs, S. (2013, November 21). US police force pay bitcoin ransom in Cryptolocker malware scam. Retrieved from http://www.theguardian.com/technology/2013/nov/21/us-police-force-pay-bitcoin-ransom-in-cryptolocker-malware-scam

Hajdarbegovic, N. (2014, February 27). Nearly 150 strains of malware are after your bitcoins. CoinDesk. Retrieved April 29, 2014, from http://www.coindesk.com/nearly-150-strains-malware-bitcoins/

Hals, T. (2014, April 1). Judge orders Mt Gox CEO to U.S. for questions on failed bitcoin exchange. Retrieved from http://www.reuters.com/article/2014/04/01/us-bitcoin-mtgox-karpeles-idUSBREA3021920140401

Hern, A. (2014, March 31). Bitcoin is legally property, says US IRS. Does that kill it as a currency? Retrieved from http://www.theguardian.com/technology/2014/mar/31/bitcoin-legally-property-irs-currency

History. (n.d.). Retrieved from https://en.bitcoin.it/wiki/History

How does Bitcoin work? (n.d.). Bitcoin. Retrieved April 28, 2014, from https://bitcoin.org/en/how-it-works

Kelion, L. (2013, December 18). Bitcoin sinks after China restricts yuan exchanges. Retrieved from http://www.bbc.com/news/technology-25428866

Kumar, R. (2013, December 13). Bitcoin explained in layman’s terms. Retrieved from http://profit.ndtv.com/news/your-money/article-bitcoin-explained-in-laymans-terms-376029

Mick, J. (2013, August 27). Bitcoin Foundation meets with U.S. feds over legality of cryptocurrency. Retrieved from http://www.dailytech.com/Bitcoin Foundation Meets With US Feds Over Legality of Cryptocurrency/article33243.htm

Nicolas, C. (2013). Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. Retrieved from http://www.andrew.cmu.edu/user/nicolasc/publications/Christin-WWW13.pdf

Pagliery, J. (2014, March 10). The deep web you don’t know about. Retrieved from http://money.cnn.com/2014/03/10/technology/deep-web/index.html

Technical background of version 1 bitcoin addresses. (n.d.). Retrieved from https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses

Vance, A. (2013, November 14). Bitcoin mining chips, a high-tech arms race. Retrieved from http://www.businessweek.com/articles/2013-11-14/2014-outlook-bitcoin-mining-chips-a-high-tech-arms-race

Wheatley, M. (2013, December 5). Sheep Marketplace heist: $100m worth of bitcoin believed stolen as site vanishes from the deep web. Retrieved from http://siliconangle.com/blog/2013/12/05/sheep-marketplace-heist-100m-worth-of-bitcoin-believed-stolen-as-site-vanishes-from-the-deep-web/

Kali Linux for Penetration testers and Computer Forensics


Kali Linux is a more advanced version of the popular penetration testing operating system known as BackTrack. It is a Linux based operating system focused on vulnerability testing as well as computer forensics. The ISO for Kali Linux is around three gigabytes in size, which allows the operating system to come with many penetration testing and vulnerability tools built in. Some of the built-in tools include nmap, Wireshark, and Aircrack-ng (http://en.wikipedia.org/wiki/Kali_Linux). The operating system can be booted directly from a CD or installed on a system, which makes the software useful for various reasons. Kali Linux was developed by Offensive Security as open source software. Like most popular variations of Unix, Kali Linux can be run in multiple different languages.


Kali Linux has both a 64 bit and a 32 bit version for the end user. Kali Linux is specifically geared towards professionals, and it is recommended that if you are not familiar with Linux you do not use Kali Linux, because of the vast number of potentially harmful tools found on it (http://docs.kali.org/introduction/should-i-use-kali-linux). Without the proper permission it is possible that the tools included in Kali Linux could cause serious consequences for the end user. This software is relevant for our class because of what it is: a tool specifically designed for vulnerability testing, with many of the tools to do so built right into the software.

Kali Linux can run on various platforms. First off, there is a 32 bit and a 64 bit version of the software available on the website’s download page. Different systems can be used for different tests. For example, it may be easier to sneak a smartphone into a lab to do a penetration/vulnerability test than to sneak in a desktop computer. Another example would be a Playstation 2. The following devices have been shown to successfully run Linux operating systems, so it is assumed that they could run Kali Linux as well: PDAs, iPods, Gamecubes, toasters, Sega Dreamcast, desktops, laptops, cell phones, wireless routers, Nintendo Wii, Xbox, as well as Xbox 360 (http://fsckin.com/2007/11/06/20-awesome-devices-that-run-linux-but-werent-designed-to/). The list could really go on and on, to practically anything that has a computer inside it, a dishwasher or even a car being examples. The advantages of such a vulnerability testing tool placed in odd objects are really quite endless. Sure, what was mentioned above helps for sneaking around purposes, although some tools actually use specific code to further their vulnerability testing. For example, a dishwasher has mechanical parts that a laptop or a desktop clearly don’t have, and who knows, maybe that will help.


Apple / Mac Computer Forensics

Apple Mac Forensics


Mac vs. Windows: as the debate continues, it’s important to realize how different some of the forensic measures taken when analyzing the two are. Here I will discuss Macs.

Target disk mode is a forensic way to examine a Mac computer. Basically, it allows the Mac to work as an external FireWire disk (Kubasiak, 2007), which gives the investigator the ability to examine the disk with whatever operating system they prefer (Kubasiak, 2007). Target disk mode can be entered on a compatible Mac via the following steps from macforensicslab.com:

“To use Target Disk Mode in a forensically sound manner, use the following steps:

  1. Make sure that the target computer is turned off. If you are using a laptop as the target computer, you should also plug in its AC power adapter.
  2. Boot the target computer while holding down the Option key. This will yield one of two results. Either you will see a list of bootable devices (partitions) or you will see a prompt to enter the Firmware password. If the latter occurs, you CANNOT use Target Disk Mode.
  3. Use a FireWire cable to connect the target computer to your computer. The forensic Macintosh (your computer) does not need to be turned off.
  4. Start up the target computer and immediately press and hold down the T key until the FireWire icon appears. The hard disk of the target computer should become available to the host computer and will likely appear on desktop.
  5. When you are finished with the examination, drag the target computer’s hard disk icon to the Trash or select Put Away from the File menu (Mac OS 9) or Eject from the File menu(Mac OS X).
  6. Press the target computer’s power button to turn it off.
  7. Unplug the FireWire cable.

To remain forensically sound, the Macintosh being used to view the Target should have DiskArbitration turned OFF.” (Kubasiak, 2007)

This allows the computer to connect directly to the investigator’s computer, although it should be mentioned that this is very different from Windows computers, as Target Disk Mode is not read only (Kubasiak, 2007) and could compromise hash values as well as the integrity of the drive if done on a Windows computer.

File Vault is full volume encryption, which causes issues in a forensic sense. File Vault is comparable to Windows BitLocker. FTK and EnCase support Microsoft’s BitLocker encryption, but they do not support the encryption type found in File Vault (Khatri, 2013). From a forensics standpoint File Vault is a major issue. There is a password to access the drive, similar to a user password in Windows, and there is also a “safety net” password given in case the password is lost. This “safety net” is the recovery key for the encryption and is essentially the last hope to keep all the data from being lost forever (Apple).

Although File Vault presents a whole array of issues because of the encryption, there are solutions to work past them forensically. Most rely on the machine being on at the time of acquisition. For example, Passware Kit Forensic v11.3 is able to recover passwords stored in memory in about 40 minutes or less from Mac computers that have File Vault encryption (Leyden, 2012). As said by Passware President Dmitry Sumin:

“Full disk encryption is becoming a major obstacle for digital investigations. The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.” (Leyden, 2012)

Spotlight is comparable to the Windows search in the Start menu. Spotlight indexes files on the computer system so the user can find the files they created or are looking for. From a forensic viewpoint, Spotlight uses a hidden file called “.Spotlight-v100” that holds the data used for indexing. This file can be helpful for investigators looking for certain files (Kubasiak, 2007). Spotlight is very useful for investigators simply because of all the files that it indexes. It is important to note that files or folders located in a different user’s account, in their Documents, Library, Music, Movies, or Pictures folders, will not be indexed by the other user’s Spotlight (Kubasiak, 2007). Spotlight also indexes external storage devices such as a USB drive or an external hard drive, which is possibly also useful for an investigator (Kubasiak, 2007).

Disk arbitration is what allows computers running Macintosh to mount file systems (Kubasiak, 2007). Disk arbitration must be turned off when performing a forensic investigation because when the OS goes to mount a disk, USB drive, or other volume, it is mounted read/write (Kubasiak, 2007), which could alter the integrity of the evidence. The following, from www.appleexaminer.com, shows how to deactivate and reactivate Disk arbitration on a Mac computer:

“1. Make a backup of the file /etc/mach_init.d/diskarbitrationd.plist:
     sudo cp /etc/mach_init.d/diskarbitrationd.plist /Backup/
  2. Remove /etc/mach_init.d/diskarbitrationd.plist:
     sudo rm /etc/mach_init.d/diskarbitrationd.plist
  3. Reboot your system and Disk Arbitration is now off.
  4. To turn Disk Arbitration back on, copy the original file back to its original location:
     sudo cp /Backup/diskarbitrationd.plist /etc/mach_init.d/
  5. Reboot your system and Disk Arbitration is now on.” (Kubasiak, 2007).

Again disk arbitration should be disabled because of integrity issues.
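As an added example (not from the original post or from the appleexaminer guide), the same back-up-then-remove sequence written as a small Python script with the integrity check an examiner would want: the copy is hashed before the original is removed, and restoring refuses to proceed if the backup no longer matches the recorded hash. The reboot steps are not part of it, the paths are parameters rather than hard-coded to /etc, and `demo()` runs the whole cycle against a constructed plist in a temporary directory; nothing here claims the quoted file layout matches current macOS releases.

```python
# Added example, not from the original post: back up, remove and restore a
# launch plist with hash verification at each step. Paths are parameters so
# the cycle can be exercised on a scratch directory; demo() does exactly that.
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def disable_disk_arbitration(plist_path, backup_dir):
    """Steps 1-2 of the quoted procedure: copy the plist aside, verify the copy
    by hash, then remove the original. Returns the hash for the examiner's notes.
    The reboot that actually stops the daemon is left to the examiner."""
    os.makedirs(backup_dir, exist_ok=True)
    backup_path = os.path.join(backup_dir, os.path.basename(plist_path))
    original_hash = sha256_of(plist_path)
    shutil.copy2(plist_path, backup_path)
    if sha256_of(backup_path) != original_hash:
        raise RuntimeError("backup does not match original; leaving plist in place")
    os.remove(plist_path)
    return original_hash


def restore_disk_arbitration(plist_path, backup_dir, expected_hash):
    """Steps 4-5: put the original file back, refusing if the backup was altered."""
    backup_path = os.path.join(backup_dir, os.path.basename(plist_path))
    if sha256_of(backup_path) != expected_hash:
        raise RuntimeError("backup hash changed since it was taken; not restoring")
    shutil.copy2(backup_path, plist_path)
    return sha256_of(plist_path)


def disk_arbitration_configured(plist_path):
    """True while the launch plist is present (arbitration will start on boot)."""
    return os.path.exists(plist_path)


def demo():
    """Run the full cycle against a constructed plist in a temp dir, never /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        plist = os.path.join(tmp, "mach_init.d", "diskarbitrationd.plist")
        os.makedirs(os.path.dirname(plist))
        with open(plist, "wb") as fh:
            fh.write(b"<plist><!-- constructed sample, not a real plist --></plist>\n")
        backup = os.path.join(tmp, "Backup")
        recorded = disable_disk_arbitration(plist, backup)
        removed = not disk_arbitration_configured(plist)
        restored_hash = restore_disk_arbitration(plist, backup, recorded)
        return {
            "removed": removed,
            "restored": disk_arbitration_configured(plist),
            "hash_matches": restored_hash == recorded,
        }


if __name__ == "__main__":
    print(demo())
```

The hash recorded by `disable_disk_arbitration` is the value to write into the examination notes; `restore_disk_arbitration` re-checks it so that a backup which was touched in the meantime is never copied back over the system file.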

For user information, Windows systems have a registry. Computers running Mac do not, although they have something comparable. On a Windows computer the “SAM” file gives the investigator information on the user as well as possibly a password for the user’s account on that system. Macs have plist files that list the accounts on the system, as well as accounts that were deleted if there were any; this is located at /Library/Preferences/com.apple.preferences.accounts.plist (Dan, n.d.). On Windows the registry also records what USB devices have been plugged in; on Mac computers the devices attached to the computer are not recorded, which could cause complications when the investigator tries to show that a USB device was used in the Mac computer.

Macs also have what is known as an alias file. These are basically the same thing as a Windows shortcut. When seen, they help the investigator figure out whether a certain file or program exists elsewhere if it is not on the computer system (Dan, n.d.).

Mac computers also have an email system similar to Windows’ Outlook Express. In Outlook, email information is generally found in the .pst file. On Macs, it is found in /Library/Preferences/com.apple.mail.plist (Dan, n.d.). Moving on from email, contact information on Macs is by default synced from an iPhone, giving the investigator the person’s phone contacts on their computer. As for messaging, iChat is very popular with Mac users. iChat transcripts can commonly be found on a suspect’s computer if they are running a Mac, providing the investigator with potentially highly useful communications (Dan, n.d.).

The last part of this paper compares what happens when a file is deleted in Windows with when a file is deleted on a Mac computer. When a file is deleted on a Windows computer it is often recoverable (data carving) because only the pointers to the file are deleted (“Mac vs windows,” 2013). There is also the INFO2 file that records what is being thrown away in the recycle bin, so recovering things from the recycle bin normally isn’t a problem (“Mac vs windows,” 2013). Compared to this, a Mac computer has many differences. First off, when a file is deleted on a Mac computer it is not always recoverable because of the way the file is deleted. On a Mac computer, when a file is deleted, it is overwritten to ensure an actual deletion. This method of deletion makes data recovery of deleted files on a Mac computer harder for the forensic investigator than when a file is deleted on a Windows computer.

In summary, forensics on Macintosh computers and Windows computers differ in many ways. As this is the case, the investigator should not only be prepared for an acquisition from a Macintosh computer, but should also fully understand the differences between the two systems and take the necessary steps to ensure the integrity of the computer system.





Apple. (n.d.). Retrieved from http://support.apple.com/kb/HT4790

Dan. (n.d.). Comparing Windows forensics artifacts to Mac artifacts. Retrieved from http://rockadoodee.com/comparing-windows-forensics-artifacts-to-mac-artifacts/

Khatri, Y. (2013). Decrypting Apple FileVault full volume encryption. Retrieved from http://www.swiftforensics.com/2013/03/decrypting-apple-filevault-full-volume.html

Kubasiak, R. (2007). Forensically sound examination of a Macintosh (part 1). Retrieved from http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&cPath=11&products_id=134&zenid=d9aed95b47234b25ff56cc4b258229e0

Kubasiak, R. (2007). Macintosh forensics. Retrieved from http://www.appleexaminer.com/Downloads/MacForensics.pdf

Leyden, J. (2012). Apple FileVault cracked in under an hour by forensics biz. Retrieved from http://www.theregister.co.uk/2012/02/03/apple_disc_crypto_broken/

Mac vs windows pt.1. (2013). Retrieved from http://digitalresidue.blogspot.com/2013/03/mac-vs-windows-pt1.html

Windows Event Logs for Computer Forensics

Windows Event Logs

Everyone loves logs.

Windows Event Logs store various important information about the computer, including information about hardware, security events, and software problems. To access Windows Event Logs go to Start, Control Panel, System and Security, and click Event Viewer.


There are two types of logs: Windows Logs, and Application and Service Logs. Application and Service logs are kept by certain programs, such as various Windows applications, and also record hardware changes. Forensically there is a variety of information that can be gathered. Time changes, hardware changes, and driver changes all show up in the Event Viewer. This information can be very useful for the investigator. It will also tell you when the computer was connected to the Internet and which SSID it was using, which can be very useful in determining whether a computer was ever connected to a certain network and, if so, at what time. It will also show you various Microsoft Office changes that were made as well as what they are and what.


Above is an example of a log made from Microsoft Office Excel. In this case it recorded a pop up message from Microsoft Excel that was trying to confirm my actions of a major change in the document.


Above is an example of a log showing wireless security being stopped. Keep in mind prior to opening, the date as well as the time the log was made is present giving the investigator a time frame to work with.

As for Windows logs, they display logs from programs as well. They will show when someone is logged in, when programs have remained idle, as well as general changes that Windows feels are important to security and to Windows itself. There is a lot of information that the Event Viewer displays.


Above is a log showing a log created by a program that has stopped itself.


Above is an example of a log that has recorded a successful log in attempt. They will also record failed log in attempts which is clearly relevant to the forensic investigator.
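The logon entries mentioned above are the ones an examiner usually pulls out first. As an added example that is not part of the original post, here is a small Python script that does that over a handful of constructed records shaped like an Event Viewer export: it builds a time-ordered logon timeline, flags accounts with a burst of failed logons, and points out a burst that ends in a successful logon. Event IDs 4624 (successful logon) and 4625 (failed logon) are the real Windows Security log IDs; the records, accounts and timestamps are made up for the example.

```python
# Added example, not from the original post: logon timeline and failed-logon
# burst detection over constructed Windows Security log records.
# 4624 / 4625 are the genuine Windows event IDs for successful / failed logons;
# the entries in SAMPLE_EVENTS are constructed, not taken from a real system.
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS_LOGON = 4624
FAILED_LOGON = 4625

# Constructed sample entries: time created, event ID, account, short message.
SAMPLE_EVENTS = [
    {"time": "2014-04-20 09:00:05", "event_id": 4624, "account": "alice",
     "message": "An account was successfully logged on."},
    {"time": "2014-04-20 09:01:10", "event_id": 4625, "account": "bob",
     "message": "An account failed to log on."},
    {"time": "2014-04-20 09:01:42", "event_id": 4625, "account": "bob",
     "message": "An account failed to log on."},
    {"time": "2014-04-20 09:02:15", "event_id": 4625, "account": "bob",
     "message": "An account failed to log on."},
    {"time": "2014-04-20 09:03:01", "event_id": 4624, "account": "bob",
     "message": "An account was successfully logged on."},
    {"time": "2014-04-20 09:10:00", "event_id": 7036, "account": "",
     "message": "The WLAN AutoConfig service entered the stopped state."},
    {"time": "2014-04-20 11:00:00", "event_id": 4625, "account": "alice",
     "message": "An account failed to log on."},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def logon_timeline(events):
    """Logon events only, as sorted (datetime, account, outcome) tuples."""
    outcome_for = {SUCCESS_LOGON: "success", FAILED_LOGON: "failure"}
    rows = [(parse_time(e["time"]), e["account"], outcome_for[e["event_id"]])
            for e in events if e["event_id"] in outcome_for]
    return sorted(rows)


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons inside any `window`.
    Returns {account: largest number of failures seen within one window}."""
    failures = defaultdict(list)
    for when, account, outcome in logon_timeline(events):
        if outcome == "failure":
            failures[account].append(when)
    bursts = {}
    for account, times in failures.items():
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[account] = best
    return bursts


def bursts_followed_by_success(events, window=timedelta(minutes=10)):
    """Accounts whose failure burst is followed by a success within `window`:
    the pattern worth reading first, since it may be a guessed password."""
    timeline = logon_timeline(events)
    flagged = []
    for account in failed_logon_bursts(events):
        fails = [t for t, a, o in timeline if a == account and o == "failure"]
        successes = [t for t, a, o in timeline if a == account and o == "success"]
        last_fail = max(fails)
        if any(timedelta(0) <= s - last_fail <= window for s in successes):
            flagged.append(account)
    return flagged


if __name__ == "__main__":
    for when, account, outcome in logon_timeline(SAMPLE_EVENTS):
        print(when, account, outcome)
    print("bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("burst then success:", bursts_followed_by_success(SAMPLE_EVENTS))
```

The service event (ID 7036) is deliberately left in the sample to show that the timeline filter drops anything that is not a logon; in practice the records would come from an export of the Security log rather than a hand-written list.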

In conclusion, Windows Event Logs are very useful in showing the various events that have taken place on a system. One of the most beneficial aspects of these logs is that each entry has a recorded time, which makes relevant artifacts much easier to find by date. Logs are made by default for a large number of actions that take place on the computer. Not to at least browse these logs in a forensic investigation would be a bad idea. The logs can give you a basic idea of who was using the computer, whether they were on the Internet, and much more.


Anti Computer Forensics

Anti-forensics is the term used, in reference to computers, when a person has taken steps to make analysis more difficult for the person trying to analyze the system or computer. Criminals make very good use of anti-forensics to make information very difficult or close to impossible to obtain. Anti-forensics can be done with software or any sort of device that may interfere with data collection. The investigator must be very aware of anti-forensics in order to have a successful analysis.


One of the most common ways a person engaging in anti-forensics can hide files is by changing the header of files, in other words making certain files look like different files to the naked eye. Few people, if any, read raw hex. This can be done in several ways. One is to take a file, for example a .docx file, and make it a .jpeg file. It most likely will be corrupt and not open, but it is very unsuspicious. Doing this is actually very easy: right click the file, click rename, and rename it with a dot followed by the new extension, for example item.jpeg. Doing this in turn changes the file signature of the file, making it look like a jpeg file when in reality it is not (“Changing a file,”). Investigators must be aware of this technique; if they are not, an investigator might only be looking at .docx files and completely miss the hidden document inside the jpeg.
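The check that catches the renamed file is a comparison of the extension against the first bytes of the content. Renaming changes only the name; the leading bytes (the "magic" signature) of a .docx still say ZIP container, which is exactly what makes the mismatch visible. As an added example that is not part of the original post, here is a Python triage function over a few constructed files. The signature bytes for JPEG, PNG, PDF, GIF and ZIP are the genuine ones for those formats; the file names and contents are constructed.

```python
# Added example, not from the original post: compare a file's extension with
# the magic bytes at the start of its content. Signatures below are the real
# leading bytes of those formats; SAMPLE_FILES are constructed test inputs.
import os

# DOCX/XLSX/PPTX are ZIP containers, so they share the ZIP signature.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
}


def detect_type(data):
    """Extensions consistent with the leading bytes, or None if unrecognised."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def extension_of(name):
    return os.path.splitext(name)[1].lstrip(".").lower()


def signature_mismatch(name, data):
    """Verdict for one file:
      'ok'        extension agrees with the signature
      'mismatch'  signature is known but belongs to a different type
      'unknown'   signature not in the table, so no judgement is made"""
    exts = detect_type(data)
    if exts is None:
        return "unknown"
    return "ok" if extension_of(name) in exts else "mismatch"


def triage(files):
    """files: iterable of (name, bytes). Returns the names whose content
    signature disagrees with the extension, i.e. the ones to look at."""
    return [name for name, data in files
            if signature_mismatch(name, data) == "mismatch"]


# Constructed sample files (not real evidence): genuine magic bytes + filler.
SAMPLE_FILES = [
    ("photo.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("item.jpeg", b"PK\x03\x04" + b"\x00" * 16),      # a .docx renamed to .jpeg
    ("report.docx", b"PK\x03\x04" + b"\x00" * 16),
    ("scan.pdf", b"%PDF-1.4\n" + b"\x00" * 8),
    ("notes.txt", b"plain text has no signature"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_FILES):
        print("extension/signature mismatch:", name)
```

The `unknown` verdict matters in practice: plain text, scripts and many log formats have no fixed signature, so a mismatch scanner must not report them as clean or as suspicious, only as undecided.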

Before we go any further, it is important to understand how simple some anti-forensic measures can be. The simple act of deleting a file could be referred to as anti-forensics, as the goal is to make something hard or impossible to find. Deleting internet history is another such example. Extreme examples would include physical destruction of drives by force. Formatting a hard drive is another example. It is also possible to change time stamps on certain files. In some investigations time may be a very important factor, so it is very important to understand that time on computers can be altered, and what appears to be true may in fact not be.

Metadata is data on files that tells about the files: data about data. This is another thing that must not always be taken as fact, as it can be manually changed. Metadata can include such information as the date, time, location, file size, camera type, and device used; the list can really go on and on, especially for photos. Changing this metadata can make the forensic investigator’s job difficult, as a lot of useful data can be obtained from it. The investigator should keep an eye out for programs such as MetadataTouch that can alter the metadata on files (“Metadatatouch,”). Remember that even if metadata editors are not present, the metadata still could have been changed, so be sure to keep that in mind.

It is possible to hide data in slack space. When a file is saved, it takes up a certain amount of space regardless of whether it uses up all that space. Hiding something in slack space takes advantage of the space that is not used up by the file and hides something in it. There is software that helps with this task (Olzak). Basically, a file you don’t want anyone to find is saved to a location. Afterwards a file you don’t mind people finding is saved in the same location, sized perfectly so that it does not overwrite the old file, which can remain in the slack space. The slack space can be identified and read by most forensic tool kits. Again, this is important for the investigator to understand so they know where data could potentially be hidden.
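What the forensic toolkit's slack-space view does is mechanical once the cluster size and the file table are known: the slack of a file is the tail of its last cluster, from the end of the file's data to the cluster boundary, and anything non-zero there was not written by the file itself. As an added example that is not part of the original post or of Olzak, here is that computation in Python run over a constructed four-cluster image with a string planted in one file's slack; the cluster size, the file names and the offsets are all made up for the example.

```python
# Added example, not from the original post: locate each file's slack region
# from the cluster size and the file table, and report slack that holds
# non-zero bytes. The image and its allocation table are constructed.
CLUSTER_SIZE = 512  # bytes per allocation unit, kept small for the sample


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """Whole clusters the file system must allocate for file_size bytes."""
    return -(-file_size // cluster_size)  # ceiling division


def slack_region(start_offset, file_size, cluster_size=CLUSTER_SIZE):
    """(offset, length) of the unused tail of the file's last cluster.
    Length is 0 when the file exactly fills its clusters."""
    allocated = clusters_needed(file_size, cluster_size) * cluster_size
    return start_offset + file_size, allocated - file_size


def scan_slack(image, allocations, cluster_size=CLUSTER_SIZE):
    """allocations: (name, start_offset, file_size) per file, as a file system
    table would give them. Returns (name, slack_offset, payload) for every
    file whose slack holds something other than zero bytes."""
    hits = []
    for name, start, size in allocations:
        offset, length = slack_region(start, size, cluster_size)
        slack = image[offset:offset + length]
        if any(slack):
            hits.append((name, offset, bytes(slack).rstrip(b"\x00")))
    return hits


def build_sample_image():
    """Constructed 4-cluster image (not from any real disk): file A is 700
    bytes in clusters 0-1 with a text string planted in its 324 bytes of
    slack; file B exactly fills cluster 2; cluster 3 is unallocated."""
    image = bytearray(4 * CLUSTER_SIZE)
    image[0:700] = b"A" * 700
    planted = b"constructed slack payload"
    image[700:700 + len(planted)] = planted
    image[1024:1536] = b"B" * 512
    allocations = [("A.bin", 0, 700), ("B.bin", 1024, 512)]
    return bytes(image), allocations


if __name__ == "__main__":
    img, table = build_sample_image()
    for name, offset, payload in scan_slack(img, table):
        print(f"{name}: {len(payload)} non-zero bytes in slack at offset {offset}: {payload!r}")
```

On a real volume the slack is not always zero-filled (it may hold remnants of whatever previously occupied the cluster), so a non-zero result is a lead to examine rather than proof of deliberate hiding.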

It is very easy to hide files inside other files. When the carrier is an image this is known as steganography. It is storing one file inside another, and normally it is impossible to tell with the naked eye that this has been done. An application such as Invisible Secrets lets users hide files inside other files and also encrypt the hidden file so that it can only be accessed with a password, and only by using the Invisible Secrets program. The file is compressed to fit inside the other file and then decompressed when it is wanted again later. (“How to hide,”)
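A quick check an examiner can run on image files, added here as an example (not code from the original post, and not how Invisible Secrets works internally): the simplest way to "hide a file inside a picture" is to append it after the picture's data, and most viewers never notice. The snippet walks a JPEG's marker segments to find where the picture itself ends (an EXIF thumbnail inside an APP1 segment carries its own end-of-image marker, so a plain search for that marker is not enough) and reports what, if anything, follows. The sample JPEG skeleton and the appended archive are constructed; this does not detect methods that hide data in the pixel values themselves.

```python
"""Detect data appended after a JPEG's end-of-image marker (added example)."""

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Magic numbers for payload types this triage script can name (constructed table).
SIGNATURES = {
    b"PK\x03\x04": "zip archive",
    b"Rar!\x1a\x07": "rar archive",
    b"%PDF": "pdf document",
    b"\xff\xd8": "another jpeg",
}


def jpeg_end(blob):
    """Offset just past the EOI marker of the image itself.

    Walks the marker segments instead of searching for 0xFFD9, because an
    EXIF thumbnail inside an APP1 segment carries its own EOI marker.
    """
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                   # fill byte ahead of a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                   # EOI: the picture ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                         # markers that carry no length field
        if pos + 1 >= len(blob):
            break
        length = int.from_bytes(blob[pos:pos + 2], "big")
        pos += length                        # the length counts its own 2 bytes
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            # Inside scan data 0xFF is always followed by 0x00 (byte stuffing),
            # 0xFF (fill) or a restart marker 0xD0-0xD7; anything else is a marker.
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG (no EOI marker for the image)")


def trailing_data(blob):
    """Bytes after the picture's own EOI; b'' for a clean file."""
    return blob[jpeg_end(blob):]


def classify_trailer(blob):
    """None when nothing follows the picture, otherwise a label for what does."""
    tail = trailing_data(blob)
    if not tail:
        return None
    for magic, label in SIGNATURES.items():
        if tail.startswith(magic):
            return label
    return f"unknown data ({len(tail)} bytes)"


def _segment(marker, payload):
    """Build one marker segment: 0xFF, marker, 2-byte length, payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg():
    """Constructed marker skeleton of a JPEG (not a real photo): an APP1
    segment holding an EXIF-style thumbnail with its own SOI/EOI, then a
    short scan containing a stuffed 0xFF00 and a restart marker."""
    thumbnail = JPEG_SOI + _segment(0xDA, b"\x01") + b"\x12\xff\x00\x34" + JPEG_EOI
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumbnail)
    scan = _segment(0xDA, b"\x01\x00\x00\x3f\x00") + b"\xaa\xff\x00\xbb\xff\xd0\xcc"
    return JPEG_SOI + app1 + scan + JPEG_EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    tampered = clean + b"PK\x03\x04" + bytes(26) + b"secret.txt"
    print("clean   :", classify_trailer(clean))
    print("tampered:", classify_trailer(tampered))
```

Trailing data is not automatically sinister (some cameras and editors append their own blobs), so treat the label as a reason to carve the tail out and look at it, and extend `SIGNATURES` with whatever formats matter in your case.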

As for encryption, there are many different types available. Here whole disk encryption as well as single file/folder encryption will be discussed. Encryption uses mathematics and algorithms to transform data so that it is unreadable; with a key, normally a password, the cipher is decrypted and the data made readable again, in this case as a file. Windows 7 Ultimate and Enterprise have built-in whole disk encryption called BitLocker. Without the login key, nothing on the hard drive can be viewed legibly. With BitLocker the entire drive that Windows is on is encrypted: all files, all folders, everything. (“Bitlocker drive encryption,”) There is third party whole disk encryption software as well, though it all performs primarily the same function.

File/folder encryption uses similar technology to whole disk encryption, in that it uses mathematics and algorithms together with a key to decipher the data. Programs such as TrueCrypt make “folders” that require a special password to enter. These folders are protected with encryption, which makes gathering the data inside them very difficult. It is important to note that the investigator will be able to see the data in the folder; it will simply make no sense and be unreadable. There is plenty of software available that will also encrypt single files, and again the same method is used.

Encryption causes many problems for the investigator. It is nearly impossible to obtain data from an encrypted system without the proper key, so the investigator's best option is to know in advance whether the system is encrypted. At that point the investigator really has three options. The first is to search memory for any stored passwords that might be the key to the encryption. Finding the encryption key is ideal, because you can then power off the computer and take your time with the analysis. Memory is volatile, so if the password is there now it will be gone once the computer is powered off and turned back on. The second best option, if there is no key in memory, is to perform the investigation on the live system; a live acquisition is best because there may not be another chance in the future. The third and last option is actually the first and most easily obtainable way of getting the encryption key: simply ask what the password is. A lot of criminals without their lawyer end up getting themselves in trouble, and this is a perfect opportunity for the investigator to take advantage of such a situation. Knowing the encryption key is very important and makes the analysis task at least possible. All in all, the investigator should have a good idea beforehand whether the computer in question may have encryption software on it.
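Deciding whether a system is encrypted before it is powered down is the point above, and one triage check an examiner can script is entropy. This is an added example, not code from the original post: encrypted (and, it must be said, compressed) data looks almost uniformly random, close to 8 bits of entropy per byte, whereas plaintext and filesystem structures score far lower. The threshold, chunk size and recommendation strings are assumptions for this example; real triage would sample across the whole volume and also look for recognizable headers. The chunk size matters: entropy estimated on a few hundred bytes is biased low, so sampling single 512-byte sectors would make real ciphertext look "not random".

```python
"""Entropy triage for 'does this region look encrypted?' (added example)."""
import hashlib
import math
from collections import Counter

CHUNK = 4096        # bytes per sample; smaller samples underestimate entropy
THRESHOLD = 7.8     # bits/byte; assumption for this example, tune on known data


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(chunk, threshold=THRESHOLD):
    """Heuristic: near-maximal entropy with no structure we can name."""
    return shannon_entropy(chunk) >= threshold


def triage_volume(chunks):
    """Share of chunks that look encrypted, plus the acquisition advice it implies."""
    if not chunks:
        raise ValueError("no samples")
    flagged = sum(1 for chunk in chunks if looks_encrypted(chunk))
    share = flagged / len(chunks)
    if share > 0.5:
        advice = "live acquisition first: capture memory/keys before powering off"
    else:
        advice = "conventional imaging of the powered-off drive is likely sufficient"
    return share, advice


def pseudo_ciphertext(nbytes, seed=b"constructed sample"):
    """Deterministic high-entropy filler standing in for real ciphertext
    (constructed so the example runs offline and repeatably)."""
    out = bytearray()
    block = seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:nbytes])


# Constructed samples: three 'encrypted' chunks and one chunk of document text.
PLAINTEXT_CHUNK = (b"Quarterly report: revenue grew in line with expectations. " * 80)[:CHUNK]
SAMPLE_CHUNKS = [pseudo_ciphertext(CHUNK), pseudo_ciphertext(CHUNK, b"other seed"),
                 pseudo_ciphertext(CHUNK, b"third seed"), PLAINTEXT_CHUNK]

if __name__ == "__main__":
    for chunk in SAMPLE_CHUNKS:
        print(f"{shannon_entropy(chunk):.3f} bits/byte")
    print(triage_volume(SAMPLE_CHUNKS))
```

High entropy alone cannot distinguish a BitLocker or TrueCrypt volume from a drive full of compressed archives, which is why the advice above is phrased as a recommendation to acquire live first rather than a verdict.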

In conclusion, it is very important for the investigator to know about the anti-forensic measures criminals may have taken to avoid being caught or prosecuted. From damaging a drive to deleting internet history, the forensic investigator should be aware of these steps taken to prevent discovery so that they can be counteracted.



Bitlocker drive encryption. Retrieved from http://windows.microsoft.com/en-US/windows7/products/features/bitlocker

Changing a file extension. Retrieved from http://www.computerhope.com/issues/ch000428.htm

How to hide files inside picture. Retrieved from http://www.instructables.com/id/How-to-Hide-Files-Inside-Pictures/

Metadatatouch. Retrieved from http://digitalconfidence.com/MetadataTouch.html

Olzak, T. (n.d.). Computer forensics: Finding “hidden” data. Retrieved from http://www.techrepublic.com/blog/security/computer-forensics-finding-hidden-data/232

Strickland, J. (n.d.). How computer forensics works. Retrieved from http://computer.howstuffworks.com/computer-forensic3.htm


Volume Shadow Copies



Volume Shadow Copy is a service provided in Windows operating systems that creates copies of disk volumes. These volume shadow copies are what programs such as System Restore use. In short, a copy is a record of what the drive looked like at a certain point in time. System Restore uses these Volume Shadow Copies as backups in case something goes terribly wrong; for example, a bad driver or a software update that broke something could be fixed using System Restore.

System Restore points are made sporadically, as well as before certain important events such as the installation of a new program, to help in case something goes terribly wrong. System Restore does not affect personal files such as documents. These restore points are set to occur every 24 hours on Windows Vista and every 7 days on Windows 7; of course, a backup is also made before a new program is installed. System Restore is basically the most user-friendly tool that uses Volume Shadow Copies. The restore points that System Restore creates are kept until the hard drive space allocated to System Restore has filled up; once this happens, the oldest restore points start being deleted. How much space must be allocated for System Restore to work depends on the size of the hard drive. For starters, for System Restore to work at all there must be at least 300MB of drive space set aside for it. The maximum that may be set is 15% of the hard drive for Vista and 5% for Windows 7. For example, 15GB could be used for System Restore points if the hard drive in a Vista system was 100GB. It is also possible to make your own System Restore points without having to wait a day or download software: open System Protection in the Control Panel and click Create, assuming your version of Windows offers System Restore. (“Microsoft,” 2012)

A very interesting use of Volume Shadow Copies is that they can greatly help when something has been deleted. As mentioned above, System Restore points only help when what is causing your problem is not a personal file. Let us say, for example, that John Doe was typing his 10 page research paper and accidentally saved over his writing after deleting the entire thing. Using the Volume Shadow Copies that were produced, John would be able to recover the previous version of this seemingly lost document. To do this, John simply right clicks on the file, chooses to restore previous versions, and then picks a date. Keep in mind that the copy is read only, but a simple copy and paste could save John hours of work. What if the file is deleted entirely? Again, Volume Shadow Copies will help in recovering whatever document or file was deleted: right click on the containing folder and restore it to a previous version. (“Volume shadow copy,”)

Volume Shadow Copies should not be used as backups, for numerous reasons. If your hard drive fails you also lose all the Volume Shadow Copies, as they are saved on the same volume or drive as the originals. Windows also deletes old copies when there is not enough space; because of this, it is likely that the files you are looking to restore are not present, or that the version you are looking for has already been deleted. It is also worth noting that if no Volume Shadow Copy was made after a change, there will be no saved backup or shadow copy of it.

It is important to touch back on the fact that Volume Shadow Copies only use 5% of the volume space in Windows 7 and 15% in Windows Vista. Logically it would be impossible to store a whole volume in 5% of that same volume. The way this works is that Volume Shadow Copies only store files that have been changed, and they also track what about the file has changed in order to save even more space. For example, if I write this document and save it, then go back, delete this sentence and save it again, the Volume Shadow Copy Service will still see the entire document; it will also know that it has been changed and record whatever the change was in the shadow copy. Doing this allows the system to save a considerable amount of space: in this example one sentence is saved, compared to 5 pages or so. (“Volume shadow copy,”)

From a forensic analysis standpoint, understanding shadow copies is very important. Generally speaking, there will be no live analysis of shadow copy data, which makes going through and analyzing shadow copies a lot easier. There is software that analyzes shadow copies; one commonly used tool is ProDiscover, which is designed for use in forensic computer investigations. When performing investigations on such computers it is important to realize that while deleted files may be present in a shadow copy, shadow copies are not a folder into which deleted files go. Shadow copies are the forms that files took in the past. So yes, deleted files may be found there, as well as files that were moved or altered, but deleted files are not moved to this folder.

Using a program known as VSS Examiner EnScript (an EnCase product), finding files that were deleted is made a lot easier. This program compares shadow copies to the actual present-day volume. Doing this, it is able to pick out what files are present in the shadow copies but not in the current volume. This provides the investigator with an easily obtained list of files that were deleted, moved, or changed for that matter. It is done by comparing the hash values of each file inside the shadow copy. (“Examining volume shadow,”)
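To make three points from this section concrete (a previous version survives a save-over, a shadow copy stores only what changed, and a hash comparison between the snapshot and the live volume lists deleted, added and modified files), here is an added example. It is not the VSS implementation and not the VSS Examiner EnScript; the `Volume`, `compare` and `build_scenario` names, the block size and the file contents are constructed for it. The model is copy-on-write: taking a snapshot copies nothing, and a block's old content is saved to the snapshot's diff area only when that block is about to be overwritten, which is why a shadow copy can fit in a small percentage of the volume as the text describes.

```python
"""Copy-on-write snapshots and a snapshot-vs-volume diff (added example)."""
import hashlib

BLOCK_SIZE = 16   # deliberately tiny so the example stays readable


class Volume:
    """A toy block device with a flat directory and VSS-style snapshots.
    Assumptions of this example: files are stored in whole blocks, and a
    snapshot's diff area only tracks blocks that belonged to a file when
    the snapshot was taken."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK_SIZE)] * nblocks
        self.free = list(range(nblocks))
        self.files = {}        # path -> (block numbers, byte length)
        self.snapshots = []    # {"files": dir copy, "tracked": blocks, "diff": {blk: old bytes}}

    def snapshot(self):
        """Record the directory; no data block is copied at this point."""
        tracked = {blk for numbers, _ in self.files.values() for blk in numbers}
        self.snapshots.append({"files": dict(self.files), "tracked": tracked, "diff": {}})
        return len(self.snapshots) - 1

    def _copy_on_write(self, blk):
        """Before a block is overwritten, save its old content for every
        snapshot that still needs it (the diff area)."""
        for snap in self.snapshots:
            if blk in snap["tracked"] and blk not in snap["diff"]:
                snap["diff"][blk] = self.blocks[blk]

    def write_file(self, path, data):
        """(Re)write a file; old blocks are preserved for snapshots lazily."""
        if path in self.files:
            self.delete_file(path)
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        numbers = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(numbers):
            self._copy_on_write(blk)
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.files[path] = (numbers, len(data))

    def delete_file(self, path):
        """Like a real filesystem: frees the blocks but does not wipe them."""
        numbers, _ = self.files.pop(path)
        self.free.extend(numbers)

    def read_file(self, path, snapshot=None):
        """Read the live file, or reconstruct it as it was at a snapshot:
        blocks saved in the diff area win, untouched blocks come from the
        live volume (which is why a snapshot costs so little space)."""
        if snapshot is None:
            files, diff = self.files, {}
        else:
            snap = self.snapshots[snapshot]
            files, diff = snap["files"], snap["diff"]
        numbers, length = files[path]
        return b"".join(diff.get(blk, self.blocks[blk]) for blk in numbers)[:length]

    def file_hashes(self, snapshot=None):
        files = self.files if snapshot is None else self.snapshots[snapshot]["files"]
        return {p: hashlib.sha256(self.read_file(p, snapshot)).hexdigest() for p in files}


def compare(volume, snapshot):
    """Hash-compare a snapshot with the live volume: what vanished, appeared or changed."""
    then, now = volume.file_hashes(snapshot), volume.file_hashes()
    return {
        "deleted": sorted(p for p in then if p not in now),
        "added": sorted(p for p in now if p not in then),
        "modified": sorted(p for p in then if p in now and then[p] != now[p]),
    }


def build_scenario():
    """Constructed history: two files, a snapshot, then the changes an
    examiner would want to see (a save-over, a deletion, a new file)."""
    vol = Volume(8)
    vol.write_file("paper.txt", b"Intro. Body paragraph one.")
    vol.write_file("malware.exe", b"MZ bad stuff")
    vol.snapshot()                                  # snapshot 0
    vol.write_file("paper.txt", b"Intro.")          # user saved over their work
    vol.delete_file("malware.exe")                  # the dropper was removed
    vol.write_file("notes.txt", b"new")
    return vol


if __name__ == "__main__":
    vol = build_scenario()
    print("live   :", vol.read_file("paper.txt"))
    print("shadow :", vol.read_file("paper.txt", 0))
    print("diff   :", compare(vol, 0))
    print("blocks saved in diff area:", len(vol.snapshots[0]["diff"]))
```

Right after the scenario the diff area is still empty, because the rewritten and deleted files landed in, or vacated, blocks without overwriting the originals; only when later writes reuse those blocks does the old content get copied, and the snapshot view of `paper.txt` and `malware.exe` stays intact either way. That is also the malware point made later in this section: a file that was deleted from the live volume remains recoverable from the snapshot.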

As mentioned above, System Restore does not affect personal files; it does however affect files that may contain malware. It is worth noting that while you may “restore” to a certain point using System Restore, you may also go back to before you restored. This is possible because, before the system applies a system restore, it makes a shadow copy in case the user would like to go back or in case the restore did not fix the problem. To go back in Windows Vista, you would open System Restore and simply click “Undo System Restore.” Examiners dealing with malware have an equally challenging job when examining computers where a restore has taken place; essentially they use many of the same tools mentioned above. It is worthwhile noting that malware examiners also sometimes have shadow copies working against them. For example, anti-virus software does not scan shadow copies. It is possible for an attacker to load malware, create a shadow copy, and then delete the malware, which leaves the malware in the shadow copy. There would be no way to delete the malware other than by deleting the entire shadow copy. (Baggett)

In summary, a Volume Shadow Copy is a copy of what files looked like before changes; in a sense it is a look into the past. Investigators use shadow copies for basically the same reasons: to view changes, as well as files that have been moved or deleted. Shadow copies have greatly helped in investigations, although at times they can make an analyst's job harder. A very important aspect to remember about Volume Shadow Copies is that they allow the investigator to easily find deleted information. Deleted files are very useful in an investigation, as are files that were changed, moved or hidden. These all show not only that the user of the system knew the files were there, but also that they were in possession of the files. All in all, Volume Shadow Copies are a very important tool in Windows that the computer forensic investigator should know not only about, but also how to properly investigate.



Baggett, M. (n.d.). Volume shadow copies – the lost post. Retrieved from http://pauldotcom.com/2012/10/volume-shadow-copies—the-los.html

Examining volume shadow copies – the easy way!. (n.d.). Retrieved from http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html

Microsoft. (2012). Retrieved from http://windows.microsoft.com/en-US/windows-vista/System-Restore-frequently-asked-questions

Volume shadow copy service. (n.d.). Retrieved from http://blog.szynalski.com/2009/11/23/volume-shadow-copy-system-restore/

Windows Security and Defense, 7, 8, Vista



As far as operating systems go, different versions of Windows are different operating systems from one another. For this particular reading the differences between four major Windows operating systems will be discussed in brief: Windows XP, Windows Vista, Windows 7, and Windows 8. As far as the user is concerned, there are quite significant changes in how each operating system is laid out, with Windows XP being the most different from the other three.

Windows Vista, as well as Windows 7 and 8, has a search bar called “Windows Search,” which helps find files and programs instantly; XP has no such search capability. Introduced in Windows 7 was what is known as “Jump Lists,” which are shortcuts to recently opened files in applications that are running. This is found on the search bar by right clicking the icon of the running program. (“Compare Windows,”) Windows 7 also introduced a feature that goes by several names but is most popularly known as Aero Desktop. This provides see-through windows, as well as snapping windows to the edges of the screen, for example making two windows fit the screen exactly evenly. (“Windows 7 feature,”)

When it comes to defense, starting with Windows Vista there is built-in malware protection known as Windows Defender. Windows Defender is an application designed to stop malware and other unwanted programs from accessing your computer. (“Windows defender,”) Windows Vista and 7 also introduced Parental Controls, allowing parents to set limits on computer usage and the programs that can be run, as well as other limits on the computer system. (“How to configure,”) BitLocker, included in some versions of Windows Vista, 7 and 8, is also something Windows XP lacks. BitLocker is full drive encryption for users, which makes forensic investigations a challenge. The idea of BitLocker is to prevent theft of data as well as unauthorized viewing of data. As one can imagine, criminals have taken advantage of such powerful encryption, as this program is built into Windows itself. (“Bitlocker drive encryption,”)

Windows 7 really improved performance with power management. Windows 7 was designed to have a faster “sleep” time as well as to draw less power than the previous operating systems. It runs fewer background programs, powers off unused ports, and dims the screen automatically after the system has not been used for a certain amount of time. This improvement was passed on to Windows 8. (“Power management,”) This “sleep” mode is important to the forensic investigator, as passwords may be needed if a computer is allowed to go into sleep mode. This knowledge may also help to determine whether a computer at a crime scene is “on” or in “sleep” mode.

Windows 8 has a graphical user interface vastly different from that of previous Windows versions, although here only a few of the major differences between Windows 7 and the new Windows 8 will be mentioned. Windows 8 has the ability to sync accounts to another computer, making it very easy to switch back and forth between personal computers. Another feature that may make the forensic process more difficult on a Windows 8 computer is “Refresh and Reset.” This feature allows users to make a personal system image and reinstall the Windows software to look exactly as it did at that time with just a click of a button. An investigator might run into issues with time stamps and other such important information being deleted because of this “Refresh and Reset” utility. (Paul) Passwords can also cause issues for a forensic investigator. In Windows 8, passwords can be pictures with three particular gestures drawn on the picture; for example, the password could be a line, a circle and dots on a picture of a car. Windows 7, as well as Vista and XP, has a Chkdsk utility that attempts to fix disk errors, as does Windows 8. A big difference is that in Windows 8 this utility can run while the OS is running, which is not the case for Windows 7. (Paul) Another major difference to mention with regard to computer forensics is that Windows 8 has the potential to save all file history. This is not on by default, but if turned on, all versions of files are backed up in the respective libraries. This, if turned on, would provide an abundance of potential evidence. (Paul)

There are several differences in the Task Scheduler between these operating systems as well. For example, Task Scheduler in Windows XP stores tasks in a binary format and the results are recorded in the Task Scheduler log file. In Windows Vista as well as 7, Task Scheduler has default tasks recorded as XML files stored in the system's registry. (Carvey)
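A triage helper for the Vista/7 XML task format the paragraph mentions, added as an example (not code from the original post or from Carvey's book). It reads one task definition in the public Task Scheduler XML schema, summarizes who registered it, what it runs and when, and applies a few review heuristics that are assumptions of this example. The task below is constructed; real task files in the Windows Tasks folder are UTF-16 encoded, so open them in binary mode and let the parser decode them.

```python
"""Summarize a Task Scheduler 2.0 XML task for triage (added example)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition, not a real artefact. Real task files are
# UTF-16 on disk; read them as bytes and let ElementTree decode them.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2012-10-14T03:12:44</Date>
    <Author>LAB-PC\jdoe</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2012-10-14T03:15:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jdoe\AppData\Roaming\svchost.exe</Command>
      <Arguments>-q</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def summarize_task(xml_text):
    """Pull the fields an examiner wants first out of one task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [
        child.tag.split("}")[-1] for child in triggers_node]   # strip the namespace
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append(f"{command} {arguments}".strip())
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden") == "true",
        "triggers": triggers,
        "actions": actions,
    }


def review_flags(summary):
    """Points worth a second look; heuristics chosen for this example."""
    flags = []
    if summary["hidden"]:
        flags.append("task is hidden from the Task Scheduler UI")
    if summary["run_level"] == "HighestAvailable":
        flags.append("requests the highest available privileges")
    if summary["run_as"] == "S-1-5-18":
        flags.append("runs as LocalSystem (S-1-5-18)")
    for action in summary["actions"]:
        lowered = action.lower()
        if "\\appdata\\" in lowered or "\\temp\\" in lowered:
            flags.append(f"runs a program from a user-writable location: {action}")
    return flags


if __name__ == "__main__":
    summary = summarize_task(SAMPLE_TASK_XML)
    for key, value in summary.items():
        print(f"{key:>10}: {value}")
    for flag in review_flags(summary):
        print("FLAG:", flag)
```

The registration date and author are exactly the kind of time-stamped evidence the earlier essays warn can be edited, so corroborate them against the task's registry entries and the Task Scheduler log rather than trusting the XML alone.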

All in all, there are many differences between these four operating systems and they should each be treated differently. There are even many differences between editions of a given Windows operating system, such as the BitLocker utility mentioned above. As there are many differences, it is also appropriate to note that there are many similarities between these operating systems that are not mentioned here.




Bitlocker drive encryption. (n.d.). Retrieved from http://windows.microsoft.com/is-IS/windows7/products/features/bitlocker

Carvey, H. Windows forensic analysis toolkit: Advanced analysis techniques for windows 7.

Compare windows. (n.d.). Retrieved from http://windows.microsoft.com/is-IS/windows7/products/compare?t1=tab20

How to configure parental controls in windows 7. (n.d.). Retrieved from http://www.techtalkz.com/windows-7/516005-how-configure-parental-controls-windows-7-a.html

Paul, I. (n.d.). Windows 7 to windows 8: The system’s biggest improvements. Retrieved from http://www.pcworld.com/article/2012834/windows-7-to-windows-8-the-systems-biggest-

Power management. (n.d.). Retrieved from http://windows.microsoft.com/is-IS/windows7/products/features/power-management

Windows 7 feature focus: Aero snaps. (n.d.). Retrieved from http://winsupersite.com/windows-7/windows-7-feature-focus-aero-snaps

Windows defender. (n.d.). Retrieved from http://windows.microsoft.com/is-IS/windows7/products/features/windows-defender