Tuesday, June 24, 2008

Maltego2: A VERY Useful Tool For Private Investigators

I try to share as much as I can with others on the net. I am of the belief that knowledge should be shared. I am not fearful of those that might have the same tools that I have, because I know what my investigative abilities are and I know that my abilities allow me to do some things that the average layman just can't do.

A while back I found a tool that is nothing short of impressive considering what can be done with it. It is a tool that Law Enforcement and some of our top Intelligence Agencies use to analyze data with. I would like to share that tool with you here today.

Maltego2 is a very nice all-around tool for performing almost any kind of investigation: from cyber investigations to background checks to criminal defense investigations, it is amazing. First of all, it is a graphical tool. Second, it has the ability to show data relationships, and third, I have seen it pull data that one would otherwise have to search multiple sites for.

Below are some pictures of what Maltego2 does.

As you can see from the top screenshot I have started compiling data on an IP Number. You can see that as I move along I am compiling more data to include server information, phone numbers, information related to the phone numbers, and I can keep going and going. I can search by IP Number, DNS Name, Domain, Phone Number, Person's Name, and EVEN a phrase.

I can show various relationships between the data that I accumulate as I do my research. I can delete data that is not pertinent to my investigation and strip the final results down to only pertinent data. I can research each piece of data by making one click to take me to the place on the Internet that Maltego2 found my data.

Maltego2 comes in a Commercial Edition and a Community Edition. The Community Edition is free and the Commercial Edition costs $430.00 for the first year and $320.00 for each year after. The Community Edition has limitations, but some of them can be gotten around. For example, you cannot save the maps in the Community Edition, but you can take a screenshot as I did above. You can also save the data from your browser as you click on the details view and open up your browser to view the information that you found. You can then print that data and mark it to coordinate with the information on your actual screenshot of the map. Not as pretty, but you still have all of the data there and you still have a good representation of that data.

Here is the link for Maltego2: Maltego2 Link

Here is a wiki instruction manual for Maltego2: Maltego2 Instruction Manual

Here are some News Articles on Maltego2: Maltego2 News Articles

As always, I hope this helps some P.I. somewhere.


Ricky B. Gurley Best Cyber Investigator

Sunday, June 15, 2008

Computer Forensics Examiners: To License or NOT.........

I have been reading a great deal of articles concerning the trend that some states are taking to require Computer Forensics Examiners to be licensed as a Private Investigator before they can commercially offer this service. I have to admit that I have mixed feelings about this.

First, let me say that I am a licensed Private Investigator, so one might assume that I would be all in favor of this type of requirement. Of course this would be an ASSumption, and it would be incorrect.

While on one hand I will say that computer forensics is a type of investigation, since its results are going to be used in court by its very definition, there may be an argument as to why a person would need a Private Investigator's license to perform this service.

On the other hand, are these same states that are requiring that a Computer Forensic Examiner have a P.I. License going to require EVERY expert witness that has to go over specific case details, run tests on evidence, interpret these test results, and report on them to have a P.I. License? In the truest sense of what an Expert Witness is supposed to do, he or she is performing a type of investigation also. Will tire tread experts now have to have a P.I. License?

There is a larger consideration to make here also. A P.I. License does NOT make a person a competent Computer Forensics Expert. There are Private Investigators right now with less than 5 years of Computer Forensics Examination experience that are going into court and testifying on their examination results who would not know the difference between a yellow and a black hardware write-blocker from Tableau. Think about the implications here. By requiring Computer Forensic Examiners to have a P.I. License, there would seem to be a limiting effect on the quality of Computer Forensics Examiners made available to the defendant's attorney. What about the people that have been in the business of conducting Computer Forensic Examinations for 10 and 15 years, like Dan Farmer and Andrew Rosen? I could not imagine being charged with a serious computer crime, wanting to hire the very best Computer Forensics Examiner I could find, like Andrew Rosen, and instead having to settle for a Private Investigator that only 5 years ago could not even figure out how to turn his computer on. I don't want to hire a Computer Forensic Examiner that BOUGHT a certification; I want to hire the Examiner that wrote the program these certifications are being bought from. I don't want to have to sit through some P.I.'s "guesswork" as to what might have occurred on my computer; I want to be communicating with someone that can tell me what happened on my computer and can actually prove it. Maybe it is just me, but I feel that this new legislation that some states are passing, requiring Computer Forensics Examiners to have a P.I. License, is not very well thought out.

If these states that are now requiring Computer Forensics Examiners to have a P.I. License would have given it a little more thought, they may have found that requiring a separate state certification to offer Computer Forensics Examinations might have been the wiser way to go.

Ricky B. Gurley Best Cyber Investigator

Tuesday, May 27, 2008

The Power of Linux over Windows Vista: BREAKING IN!

With the Linux Live CD known as BackTrack 3, you are past the security on a Windows Vista box in no time flat!

One of the really nice things about Linux is the Live CDs that are out there, that were made from various Linux Distributions; Knoppix being one of the most popular. A Live CD is just an Operating System that you can run from a CD instead of your hard drive. It allows you to keep the OS you have installed, and run a completely different OS from a CD.

I personally like BackTrack. It was derived from the flavor of Linux known as Slackware. While Slackware is not quite as "user friendly" as some of the other Linux distributions like Kubuntu and Mandriva, it is a very POWERFUL flavor of Linux, with more of a minimalist approach to software. Most people that are comfortable with Slackware operate in a command line environment quite a bit more than relying on the GUI. The BackTrack CD allows the user to avoid what some might consider the daunting task of installing the Slackware distribution, yet gives the user the very best of the Pen. Testing, Security Testing, and Digital Forensics features of Slackware. Below are three links: the first is the Wiki page for BackTrack, and the other two are links to get BackTrack 3, the latest version of BackTrack. You can get the ISO to burn to CD and you can also get the install for a thumb drive:

BackTrack 3 Wiki

BackTrack 3 ISO

BackTrack 3 USB (Thumb Drive)

Now, the primary purpose of this article is to give the reader a way to get into a Windows Vista box and gain System access without having a username and password. You only need three things to do this: (1) physical access to the machine, (2) BackTrack 3, and (3) "the know how". Okay, I solved the problem of getting you the right tool by giving you the links to download BackTrack 3, and I am getting ready to give you "the know how"; now you provide the Vista box.

Once you have downloaded the BackTrack 3 file and burned the ISO to disc, you have a copy of BackTrack 3 all ready to go.

Now, study the video below:

Breaking Into Vista with BackTrack 3

Here is what the video is showing you how to do. You are renaming cmd.exe to Utilman.exe, so that when the Utility Manager is invoked from the logon screen, before anyone has logged into the system, a command prompt opens instead. Because the Utility Manager runs as SYSTEM at that point, you are actually gaining SYSTEM access, which is a level higher than Administrator access.
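For the examiner or administrator who needs to tell whether this trick has been used on a machine, the telltale sign is that Utilman.exe is no longer Utilman.exe at all. The check below is an added example and is not from the original post or from Offensive Security; it assumes a Windows system with PowerShell 4 or later (for Get-FileHash) and compares Utilman.exe against cmd.exe by content hash and by the version metadata embedded in the file, which a rename does not change. The function name Test-UtilmanIntegrity and the -System32 parameter are my own.

```powershell
# Added example (not from the original post): a defender-side integrity check for
# the Utilman.exe swap described above. A cmd.exe copied over Utilman.exe hashes
# identically to cmd.exe and still carries cmd.exe's version resource.
# Assumes Windows with PowerShell 4 or later (Get-FileHash).
function Test-UtilmanIntegrity {
    param(
        # System32 to examine; point this at a mounted offline image to check a
        # disk without booting it.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $utilman  = Join-Path $System32 'Utilman.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = @()

    if (-not (Test-Path -Path $utilman)) {
        $findings += "Utilman.exe is missing from $System32"
        return $findings
    }

    # Check 1: byte-identical to cmd.exe means the file was simply copied over.
    $utilmanHash = (Get-FileHash -Algorithm SHA256 -Path $utilman).Hash
    $cmdHash     = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($utilmanHash -eq $cmdHash) {
        $findings += "Utilman.exe is byte-identical to cmd.exe (SHA256 $utilmanHash)"
    }

    # Check 2: the PE version resource names the binary as it was built, so a
    # renamed cmd.exe still reports 'Cmd.Exe' / 'Windows Command Processor'.
    # (-notlike is case-insensitive in PowerShell.)
    $info = (Get-Item -Path $utilman).VersionInfo
    if ($info.OriginalFilename -and ($info.OriginalFilename -notlike 'utilman*')) {
        $findings += "Utilman.exe reports OriginalFilename '$($info.OriginalFilename)' " +
                     "and description '$($info.FileDescription)'"
    }

    if ($findings.Count -eq 0) {
        $findings += 'Utilman.exe looks intact'
    }
    return $findings
}

# Usage: run from an elevated prompt on the live system, or pass -System32
# with the path to a mounted evidence image.
Test-UtilmanIntegrity | ForEach-Object { Write-Output $_ }
```

A hit on either check, on a system the owner did not deliberately modify, is strong evidence that someone with physical access booted another operating system and altered the unencrypted system volume; the corresponding mitigations are full-disk encryption (BitLocker on Vista) and a firmware boot order that does not allow booting from removable media without a password.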

Also, here are some more videos from the people that found this exploit for Windows Vista:

Offensive Security Videos

Offensive Security is an absolutely LETHAL computer security company. They have impressed me a great deal. For those of you out there that want to learn about computer security, these are the guys to go to. Below is their website:

Offensive Security

This information is designed to be used by Investigators with a LEGITIMATE purpose for it. Computer Forensics Examiners MAY have a use for it, Computer Security Personnel should have a use for it, and even Computer Repair Personnel may have a use for it in the case that a customer has forgotten their username and password.

Rick Gurley: Best Cyber Investigator

Thursday, May 22, 2008

.Nix v. Windows

Interesting title, aye?

Well, I'd like to get some opinions from various people in the Hi-Tech Investigation Arena as to which OS you prefer to work from, and why?

I'll go first...

I use both Operating Systems, Linux and Windows. And both have their advantages and disadvantages.

The Windows OS:

I find that nothing beats Microsoft when it comes to "out of the box" usage. I also find the Office Suite offered by Microsoft absolutely unbeatable. The range of software that one can download for a Windows system, and the ease with which this can be done, is also second to none. All of these factors add up to a powerful, user friendly Operating System.

I also find that Windows is very vulnerable to viruses. Most people believe that this has to do with the popularity of the Windows OS, but this is not really the case. While Windows is currently the most popular OS on the market hands down, .nix systems still have a HUGE following, and are popular enough to be targeted by virus makers. The fact is, it is far more difficult to make a virus that would execute its payload as effectively on a .nix system than it would on a Windows system. It is simply a matter of kernel differences and differences in how the two Operating Systems are set up. Don't misinterpret this: there ARE viruses written for the .nix platforms and they ARE effective. But they are fewer and further between, and there has to be quite a bit more work in getting them to successfully deliver their payload. Below is a saying that illustrates my point (click to see the article this is quoted from):

"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."

Windows also takes away some of the control over the Operating System by making it more user friendly, and that is fine for the casual computer user, but not so fine for the "power user". Most people can live with this.

The .nix OSs:

I like knowing that I am working in a fairly secure environment, and I like knowing that I have COMPLETE control over my Operating System. Linux meets both of these needs pretty well. When working on my Linux boxes, I am less concerned with viruses, and I can get to EVERY part of my OS and alter it as needed.

Pretty, Pretty, Pretty... When the .nix systems were first developed, the emphasis was on security, stability, and functionality; it did not have to be pretty, it just had to work well. Back in the day, most "nixers" did not even use a GUI (Graphical User Interface - the pretty windows); they used a terminal and did everything on the command line, Bash being the most popular shell (Bash, the Bourne Again SHell, a successor to the original Bourne shell). Now the .nix systems have come a long way, and have some very beautiful Graphical User Interfaces, and some darned nice "eye candy" like Compiz. So, we are seeing improvements.

And despite a heavy emphasis on the Graphical User Interfaces for .nix systems these days, still nothing beats them for stability, raw computing power, security, and functionality, including how the .nix systems take better advantage of the hardware layer than Windows systems do.

Software is not quite as abundant for Linux as it is for Windows, and might be a little harder to install. But there are still TONS of programs out there for the .nix systems, and installation is becoming less and less of a problem with RPM packaging, Apt, and YaST. The developers of the various types of .nix system have realized a need for making installation easier for the people that might want to explore making the switch from Windows, and they are addressing this issue in leaps and bounds.

On the other hand, .nix systems can "crush the faint of heart". The learning curve for using .nix systems is a little steeper than it is with Windows Systems. But the .nix systems are getting better and better in this regard all of the time. I HIGHLY recommend the Linux flavor known as Kubuntu for people that have no experience with .nix systems, but want to see what they are all about.

Well, that's my take. Anyone else?

Rick Gurley: Best Cyber Investigator