Wednesday, August 23, 2017

RMRI, LLC. AND SLACK SPACE DATA: A New Era In Cyber-Investigations




Today I was joined by Donald Warren for a consultation on an Internet Investigation. Donald came in and consulted with me on a case that I am working. After some conversation, Donald and I decided that I'd subcontract technical projects to him.

Donald Warren is a consummate professional, who has just started his own business. Donald is multi-talented, and one of the hardest workers that I have ever known.

Donald will be working various technical projects with me. He is also building and coding some really nice machines for furthering cyber-investigation work.

With a licensed investigator and a very knowledgeable technical consultant working together, you get the best of both worlds working for you at RMRI, LLC. Now you have an unbeatable team: a strong investigator that can get you all of the information you need on any subject that you have to identify on the Internet, and a strong tech person that can navigate the highly technical framework encountered in cyber-investigations.

Digital Forensics, Email Tracing, Internet Profiling, and Penetration Testing are just some of the services that we can offer you.

NOW YOU HAVE AN UNBEATABLE TEAM WORKING FOR YOU!


RMRI, LLC.:
PHONE: (573) 234-4871

Slackspace Data
PHONE: (573) 355-5044



Friday, April 22, 2011

All Licensed Private Investigators Are Computer Forensic Examiners! Really?

There appears to be a trend within various states to require Computer Forensic Examiners to hold a Private Investigator's license. I was talking to a fellow Private Investigator on the phone today and she mentioned that she had heard that Illinois has now gone this route. I have to admit that this trend makes no sense to me whatsoever.

It seems to me that a licensed Private Investigator does not necessarily make a good Computer Forensics Examiner. I mean, if the only competency requirement to be a Computer Forensics Examiner is to hold a Private Investigator's license, then a Private Investigator that barely knows how to turn a computer on can call themselves a Computer Forensics Examiner; right? I thought that the goal of licensing was to have at least a minimum competency standard in the profession that one is working in. It would seem that holding a Private Investigator's license is ridiculously below the minimal competency standard needed to perform a competent forensic examination of a hard drive or any other device that may contain digital evidence.

As it stands right now in some states, if you hold a Private Investigator's license you can conduct computer forensics and even call yourself a Computer Forensics Examiner. Isn't it just a little odd that someone with a Private Investigator's license who does not even know what the terms "MD5", "SHA256", "Checksum", "Hashing", "Metadata", "Write Blocker", "DD", "Mirror Image", and "Regex" mean as they apply to Digital Forensics can actually call themselves a Computer Forensics Examiner?

The first problem that I have with the notion that a Private Investigator's license is all that is required to conduct computer forensic examinations is that there is no minimal competency standard whatsoever. If there is one issue in any profession that really makes that profession look bad to the public, it is allowing incompetent people to practice in that profession. Now I am not saying that people should not have an opportunity to pursue whatever legal profession they would like. What I am saying is that part of that pursuit to make a living in a chosen profession is to make sure that one is educated, competent, and at the very least has a cursory understanding of the profession they are choosing to work in. There are plenty of classes, schools, seminars, and even on-line learning materials for one to become educated in computer forensics. All one has to do is read, study, and practice to become proficient in computer forensics. Without a minimum competency standard, all it takes is just one person to make a mistake that they would otherwise not have made that ends up sending an innocent person to prison, and we all look like a bunch of "half-wits" to the public. In my opinion this is the harm that this ridiculous standard can cause our profession.

The second problem that I have with the notion that a Private Investigator's license is all that is required to conduct computer forensic examinations is that this excludes some of the most competent Computer Forensics Examiners that there are today from working in a profession that they have been working in before any Private Investigator ever thought of conducting computer forensics examinations. I don't think this is fair to the public. It certainly seems to limit the public's access to competent Computer Forensics Examiners.

The third problem that I have with the notion that a Private Investigator's license is all that is required to conduct computer forensic examinations is that I don't think that a Computer Forensics Examiner is as much of an Investigator as they are an Expert Witness. Certainly conducting computer forensics examinations does require one to employ some investigative techniques, but computer forensics is thought of by the courts as a science, and this is why often enough one may have to qualify as an expert witness to give testimony on the results of their computer forensics examination. Usually one would have to qualify under the Daubert Standard if opposing counsel challenges their knowledge of computer forensics. My belief is that this definition more aptly applies to a Computer Forensics Examiner: "An expert witness, professional witness or judicial expert is a witness, who by virtue of education, training, skill, or experience, is believed to have expertise and specialised knowledge in a particular subject beyond that of the average person, sufficient that others may officially and legally rely upon the witness's specialized (scientific, technical or other) opinion about an evidence or fact issue within the scope of his expertise, referred to as the expert opinion, as an assistance to the fact-finder" than this definition: "A private investigator (often abbreviated to PI), private detective or (informally) private eye is a person who can be hired by individuals or groups to undertake investigatory law services". Thus I see no reason whatsoever to require anyone that conducts computer forensic examinations to hold a Private Investigator's license.

I do see a very simple solution to this issue. Why not require people to be certified by the state as Computer Forensics Examiners? The state could develop a test or a battery of tests (written, oral, and "hands-on demonstrations") that would show that the person being certified has at least a minimum standard of competency to conduct computer forensics examinations. The state would still generate revenue. The state would also be effectively requiring Computer Forensics Examiners to demonstrate a level of competency that would intelligently protect the consumer. I believe that this is a far more intelligent route to go if the state wants to protect the consumer from professional incompetence in the Digital Forensics field.

I hope that this article is read by enough people in the right places to see the sense in repealing this legal standard or law in the states that have instituted it. I think that makes far more sense than what some states are doing or moving towards currently.

As always, this is just my opinion!














Ricky Gurley.


Sunday, July 12, 2009

Keystroke Loggers: "The NEW Threat"!

We all know that Keystroke Loggers or "Key Loggers" have been around for a long time, and we have seen many cases in which they have been abused. Typically the reason they are discovered is that the person installing a Key Stroke Logging Device has to gain physical access to the computer, and their time for doing this is usually very limited. With Key Stroke Logging Software, physical access to the computer might not be needed (it can be installed remotely with techniques such as an email attachment), but this type of Key Stroke Logger might not be as reliable as a Key Stroke Logging Device, there are usually software solutions to help detect it, and getting it past the computer owner is usually pretty dicey.

Enter the "NEW" Key Stroke Loggers. There are two types of Key Stroke Loggers that are being experimented with now. One uses the electrical signals that leak from the keyboard cable into the PC's ground wire, and from that ground wire into the ground wire of the electrical circuit that powers the PC, none of which are shielded (it is a TEMPEST concept). These signals from the keyboard are then picked up and translated into readable form by software. This method can be implemented from up to 15 feet from the electrical outlet that the PC is plugged into. No longer is it necessary to gain physical access to the computer to install a reliable Key Stroke Logging Device.

The other method uses a laser to pick up the vibrations caused by pressing the keys on a laptop's keyboard. Each key press on a laptop produces a unique vibration, and each unique vibration can be translated into the letter or number that was pressed. A laser is pointed at a shiny part of the laptop, or even a shiny object in close proximity to the laptop, and the reflected beam carries those vibrations back to a receiver; a sound card digitizes the signal and software translates the target's key presses into readable text.

Here is a link with more detailed information on this technology: "The NEW Key Loggers"

Right now, these concepts are fairly new and are in rudimentary form. The concern is that all of this was researched, and the concepts were all proven, in less than a week. This was demonstrated at the latest Black Hat Conference. Imagine how far this technology can be extended with a dedicated team of researchers working on it for a few months.

This is the face of the new threat that we will confront in Data Theft!


Ricky B. Gurley: Best Cyber Investigator



Tuesday, June 24, 2008

Maltego2: A VERY Useful Tool For Private Investigators

I try to share as much as I can with others on the net. I am of the belief that knowledge should be shared. I am not fearful of those that might have the same tools that I have, because I know what my investigative abilities are and I know that my abilities allow me to do some things that the average layman just can't do.

A while back I found a tool that is nothing short of impressive considering what can be done with it. It is a tool that Law Enforcement and some of our top Intelligence Agencies use to analyze data with. I would like to share that tool with you here today.

Maltego2 is a very nice all-around tool for performing almost any kind of investigation, from cyber investigations to background checks to criminal defense investigations; it is amazing. First of all, it is a graphical tool. Second, it has the ability to show data relationships, and third, I have seen it pull data that one would otherwise have to search multiple sites for.



Below are some pictures of what Maltego2 does.




As you can see from the top screenshot I have started compiling data on an IP Number. You can see that as I move along I am compiling more data to include server information, phone numbers, information related to the phone numbers, and I can keep going and going. I can search by IP Number, DNS Name, Domain, Phone Number, Person's Name, and EVEN a phrase.

I can show various relationships between the data that I accumulate as I do my research. I can delete data that is not pertinent to my investigation and strip the final results down to only pertinent data. I can research each piece of data by making one click to take me to the place on the Internet that Maltego2 found my data.

Maltego2 comes in a Commercial Edition and a Community Edition. The Community Edition is free and the Commercial Edition costs $430.00 for the first year and $320.00 for each year after. The Community Edition has limitations, but some of them can be worked around; for example, you cannot save the maps in the Community Edition, but you can take a screen shot as I did above. You can also save the data from your browser as you click on the details view and open up your browser to view the information that you found. You can then print that data and mark it to coordinate with the information on your screen shot of the map. Not as pretty, but you still have all of the data there and you still have a good representation of that data.

Here is the link for Maltego2: Maltego2 Link

Here is a wiki instruction manual for Maltego2: Maltego2 Instruction Manual

Here are some News Articles on Maltego2: Maltego2 News Articles


As always, I hope this helps some P.I. somewhere.

Enjoy.



Ricky B. Gurley Best Cyber Investigator




Sunday, June 15, 2008

Computer Forensics Examiners: To License or NOT.........

I have been reading a great deal of articles concerning the trend that some states are taking to require Computer Forensics Examiners to be licensed as a Private Investigator before they can commercially offer this service. I have to admit that I have mixed feelings about this.

First, let me say that I am a licensed Private Investigator, so one might assume that I would be all in favor of this type of requirement. Of course this would be an ASSumption, and it would be incorrect.

While on one hand I will say that computer forensics is a type of investigation, since by its very definition its results are going to be used in court, there may be an argument as to why a person would need a Private Investigator's license to perform this service.

On the other hand, are these same states that are requiring that a Computer Forensic Examiner have a P.I. License going to require EVERY expert witness that has to go over specific case details, run tests on evidence, interpret these test results, and report on them to have a P.I. License? In the truest sense of what an Expert Witness is supposed to do, he or she is performing a type of investigation also. Will tire tread experts now have to have a P.I. License?

There is a larger consideration to make here also. A P.I. License does NOT make a person a competent Computer Forensics Expert. There are Private Investigators right now with less than 5 years of Computer Forensics Examination experience who are going into court and testifying on their examination results, and who would not know the difference between a yellow and a black hardware write-blocker from Tableau. Think about the implications here. By requiring Computer Forensic Examiners to have a P.I. License, there would seem to be a limiting effect on the quality of Computer Forensics Examiners made available to the defendant's attorney. What about the people that have been in the business of conducting Computer Forensic Examinations for 10 and 15 years, like Dan Farmer and Andrew Rosen? I could not imagine being charged with a serious computer crime, wanting to hire the very best Computer Forensics Examiner I could find, like Andrew Rosen, and instead having to settle for a Private Investigator that only 5 years ago could not even figure out how to turn his computer on. I don't want to hire a Computer Forensic Examiner that BOUGHT a certification; I want to hire the Examiner that wrote the program these certifications are derived from. I don't want to have to sit through some P.I.'s "guesswork" as to what might have occurred on my computer; I want to be communicating with someone that can tell me what happened on my computer and can actually prove it. Maybe it is just me, but I feel that this new legislation that some states are passing to require Computer Forensics Examiners to have a P.I. License is not very well thought out.

If these states that are now requiring Computer Forensics Examiners to have a P.I. License had given it a little more thought, they may have found that requiring a separate state certification to offer Computer Forensics Examinations would have been the wiser way to go.



Ricky B. Gurley Best Cyber Investigator


Tuesday, May 27, 2008

The Power of Linux over Windows Vista: BREAKING IN!


With the Linux Live CD known as BackTrack 3, you are past the security on a Windows Vista Box in no time flat!


One of the really nice things about Linux is the Live CDs that are out there, made from various Linux distributions, Knoppix being one of the most popular. A Live CD is just an Operating System that you can run from a CD instead of your hard drive. It allows you to keep the OS you have installed and run a completely different OS from a CD.

I personally like BackTrack. It was derived from the flavor of Linux known as Slackware. While Slackware is not quite as "user friendly" as some of the other Linux distributions like Kubuntu and Mandriva, it is a very POWERFUL flavor of Linux, with more of a minimalist approach to software. Most people that are comfortable with Slackware work at the command line quite a bit more than relying on the GUI. The BackTrack CD allows the user to avoid what some might consider the daunting task of installing the Slackware distribution, yet gives the user the very best of the Pen Testing, Security Testing, and Digital Forensics features of Slackware. Below are three links: the first is the Wiki page for BackTrack, and the other two get you BackTrack 3, the latest version of BackTrack. You can get the ISO to burn to CD, and you can also get the install for a Thumb Drive:

BackTrack 3 Wiki



BackTrack 3 ISO

BackTrack 3 USB (Thumb Drive)



Now, the primary purpose of this article is to give the reader a way to get into a Windows Vista Box and gain System Access without having a username and password. You only need three things to do this: (1) physical access to the machine, (2) BackTrack 3, and (3) "the know how". Okay, I solved the problem of getting you the right tool by giving you the links to download BackTrack 3, and I am getting ready to give you "the know how"; now you provide the Vista Box.

Once you have downloaded the Backtrack 3 file and burned the ISO to disk, you have a copy of BackTrack 3 all ready to go.

Now, study the video below:

Breaking Into Vista with BackTrack 3

Here is what the video is showing you how to do. You rename cmd.exe to Utilman.exe, so that invoking the Utility Manager before you log into the system gives you a command prompt instead. You are actually gaining SYSTEM ACCESS, which is a level higher than Admin Access.
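For the Computer Forensics Examiners and Computer Security Personnel this post is aimed at, here is an added example (my own, not from the original post or from Offensive Security) of a check that tells whether Utilman.exe on a Windows machine has been swapped for a copy of cmd.exe as described above. It assumes a PowerShell 4 or later prompt (for Get-FileHash) and that a genuine Utilman.exe records an original file name beginning with "utilman" in its version resource; that expected name is an assumption on my part.

```powershell
# Added example (not from the original post): integrity check for the
# Utilman.exe swap described above. Two independent signals are compared:
#   1. the OriginalFilename recorded in each binary's version resource, and
#   2. the SHA-256 hash of Utilman.exe against that of cmd.exe.
# Assumption: a genuine Utilman.exe reports an OriginalFilename that begins
# with "utilman". Requires PowerShell 4+ for Get-FileHash.

function Test-UtilmanIntegrity {
    param(
        [string]$UtilmanPath = (Join-Path $env:SystemRoot 'System32\Utilman.exe'),
        [string]$CmdPath     = (Join-Path $env:SystemRoot 'System32\cmd.exe')
    )
    $findings = @()

    if (-not (Test-Path $UtilmanPath)) {
        return @("Utilman.exe is missing from $UtilmanPath")
    }

    # A renamed or copied cmd.exe keeps cmd.exe's version resource, so the
    # file name on disk and the name recorded inside the binary disagree.
    $origName = (Get-Item $UtilmanPath).VersionInfo.OriginalFilename
    if ($origName -and ($origName -notlike 'utilman*')) {
        $findings += "OriginalFilename is '$origName'; expected a name starting with 'utilman'"
    }

    # A byte-for-byte copy of cmd.exe hashes identically to cmd.exe.
    $hashUtil = (Get-FileHash -Algorithm SHA256 -Path $UtilmanPath).Hash
    $hashCmd  = (Get-FileHash -Algorithm SHA256 -Path $CmdPath).Hash
    if ($hashUtil -eq $hashCmd) {
        $findings += "SHA-256 of Utilman.exe equals that of cmd.exe ($hashUtil)"
    }

    return $findings
}

# Wrap in @() so an empty result has a Count of 0 rather than being $null.
$result = @(Test-UtilmanIntegrity)
if ($result.Count -eq 0) {
    Write-Output 'Utilman.exe looks untouched.'
} else {
    Write-Output 'Possible Utilman.exe tampering:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

A known-good SHA-256 of Utilman.exe taken from an untouched machine of the same Windows build is a stronger reference than cmd.exe, since a replacement need not be cmd.exe itself.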



Also, here are some more videos from the people that found this exploit for Windows Vista:

Offensive Security Videos



Offensive Security is an absolutely LETHAL Computer Security Company. They have impressed me a great deal. For those of you out there that want to learn about Computer Security, these are the guys to go to. Below is their website:

Offensive Security



This information is designed to be used by Investigators with a LEGITIMATE purpose for it. Computer Forensics Examiners MAY have a use for it, Computer Security Personnel should have a use for it, and even Computer Repair Personnel may have a use for it in the case that a customer has forgotten their username and password.




Rick Gurley: Best Cyber Investigator




Thursday, May 22, 2008

.Nix v. Windows

Interesting title, aye?

Well, I'd like to get some opinions from various people in the Hi-Tech Investigation Arena as to which OS you prefer to work from, and why?

I'll go first...

I use both Operating Systems, Linux and Windows. And both have their advantages and disadvantages.

The Windows OS:

I find that nothing beats Microsoft when it comes to "out of the box" usage. I also find the Office Suite offered by Microsoft absolutely unbeatable. The range of software that one can download for a Windows system, and the ease with which this can be done, is also second to none. All of these factors add up to a powerful, user friendly Operating System.

I also find that Windows is very vulnerable to viruses. Most people believe that this has to do with the popularity of the Windows OS, but this is not really the case. While Windows is currently the most popular OS on the market hands down, .nix systems still have a HUGE following, and are popular enough to be targeted by virus makers. The fact is, it is far more difficult to make a virus that would execute its payload as effectively on a .nix system as it would on a Windows system. It is simply a matter of kernel differences and differences in how the two Operating Systems are set up. Don't misinterpret this: there ARE viruses written for the .nix platforms and they ARE effective. But they are fewer and further between, and it takes quite a bit more work to get them to successfully deliver their payload. Below is a saying that illustrates my point (click to see the article this is quoted from):

"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."



Windows also takes away some of the control over the Operating System by making it more user friendly, and that is fine for the casual computer user, but not so fine for the "power user". Most people can live with this.



The .nix OSs.

I like knowing that I am working in a fairly secure environment, and I like knowing that I have COMPLETE control over my Operating System. Linux meets both of these issues pretty well. I am less concerned with viruses, and I can get to EVERY part of my OS and alter it as needed; when working on my Linux Boxes.

Pretty, Pretty, Pretty... When the .nix systems were first developed, the emphasis was on security, stability, and functionality; they did not have to be pretty, they just had to work well. Back in the day, most "nixers" did not even use a GUI (Graphical User Interface - the pretty windows); they used a terminal and did everything at the command line, BASH being the most popular shell (BASH, the Bourne Again SHell, a descendant of the Bourne shell). Now the .nix systems have come a long way, and have some very beautiful Graphical User Interfaces, and some darned nice "eye candy" like Compiz. So, we are seeing improvements.

And despite a heavy emphasis on Graphical User Interfaces for .nix systems these days, still nothing beats them for stability, raw computing power, security, and functionality, such as the way .nix systems take better advantage of the hardware layer than Windows systems do.

Software is not quite as abundant for Linux as it is for Windows, and might be a little harder to install. But there are still TONs of programs out there for the .nix systems, and installation is becoming less and less of a problem with RPM packaging, Apt, and YaST. The developers of the various types of .nix system have realized a need to make installation easier for the people that might want to explore making the switch from Windows, and they are addressing this issue in leaps and bounds.

On the other hand, .nix systems can "crush the faint of heart". The learning curve for using .nix systems is a little steeper than it is with Windows Systems. But the .nix systems are getting better and better in this regard all of the time. I HIGHLY recommend the Linux flavor known as Kubuntu for people that have no experience with .nix systems, but want to see what they are all about.

Well, that's my take. Anyone else?



Rick Gurley: Best Cyber Investigator