Monthly Archives: January 2014

Over Thinking Problems

I think one of the problems we may have in this industry is overthinking the problem, and doing more than is needed to solve it. For example, I upgraded my personal VPS recently, the one that runs this site and Rats and Rogues. It required a reboot, but because I rarely reboot this box, I keep forgetting that iptables isn’t persistent. I usually remember and restore the rules fairly quickly after it reboots.

The night of the upgrade wasn’t much different. However, I messed up the command. Being a lazy admin, I use the built-in tools to do the work for me; I love Ctrl-R and how it scrolls through your history based on a few characters you type. Well, instead of iptables-restore < firewall.rulz I typed iptables-save > firewall.rulz. Yes, I overwrote my saved rules with the empty post-reboot ruleset: nothing.

My very first thought was WOOHOO, I get to do forensics on my live system. I went to Twitter to brag, though I’m not sure people realized that was the point. @secbuff asked why not restore from backup. He was right. The majority of the rules I have are for blocking SSH brute force attempts (the ones that make it past denyhosts), blocking mail relay attempts, and blocking user account enumeration. While playing forensics would be cool, this is a live host on the internet with services that do get attacked. It would have left the box exposed to the internet way too long, and was a case of overthinking the problem.

So I went and grabbed a backup file. Instead of uploading it, though, I opened it in a text editor, hand sorted the rules by network number, and then pasted them into the terminal window. I also finally dealt with that persistence issue; we’ll see if iptables-persistence.dpkg worked right on the next reboot. Oh, and since I add networks on a regular basis (when reviewing my logs), I wrote a small shell script to make two copies of the rules in different locations, with a spare backup.
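The post does not show its backup script. What follows is an added example written for this page, not the author’s script: it saves the live ruleset to two locations, rotates the previous copy of each to a .bak spare, and refuses to overwrite a good backup when the dump contains no rules, which is exactly what iptables-save prints right after a reboot. The file paths, the RULES_SOURCE override and the sample dumps are assumptions made here; the sample rules use documentation address ranges and are constructed, not the author’s real rules.

```shell
#!/bin/sh
# Added example, not the script from the post: back up the live iptables
# ruleset to two places with a spare copy, and never replace a good backup
# with an empty dump. Paths and the RULES_SOURCE override are assumptions.

# Command that prints the current ruleset. Defaults to iptables-save (needs
# root); set it to another command or a shell function for a dry run.
RULES_SOURCE="${RULES_SOURCE:-iptables-save}"

# count_rules FILE: number of rule lines (-A ...) in an iptables-save dump.
# Chain policy lines (:INPUT ACCEPT [0:0]) are printed even when no rules are
# loaded, so only -A lines count as real rules. Prints 0 for a missing file.
count_rules() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-A ' "$1" || true
}

# save_rules PRIMARY SECONDARY: write the ruleset to both files, keeping the
# previous copy of each as NAME.bak. Returns 1 and leaves every existing file
# untouched if the dump holds no rules (failed iptables-save, or a fresh boot).
save_rules() {
    primary="$1"
    secondary="$2"
    tmp=$(mktemp) || return 1
    "$RULES_SOURCE" >"$tmp" 2>/dev/null || true
    if [ "$(count_rules "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    for dest in "$primary" "$secondary"; do
        mkdir -p "$(dirname "$dest")" || { rm -f "$tmp"; return 1; }
        # Rotate the previous copy to a spare before overwriting it.
        [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
        cp "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    done
    rm -f "$tmp"
    return 0
}

# restore_rules FILE: load FILE with iptables-restore, but only if it actually
# contains rules, so a clobbered backup cannot silently flush the firewall.
restore_rules() {
    [ "$(count_rules "$1")" -gt 0 ] || return 1
    iptables-restore <"$1"
}

# Constructed sample dump for a dry run (documentation ranges, not real rules).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j DROP
-A INPUT -s 198.51.100.0/24 -p tcp --dport 25 -j DROP
-A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
EOF
}

# Constructed dump of what iptables-save prints right after a reboot.
empty_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Usage as root (paths are assumptions):
#   save_rules /etc/iptables/rules.v4 /var/backups/firewall.rulz
# Dry run without touching the firewall:
#   RULES_SOURCE=sample_ruleset save_rules /tmp/a.rulz /tmp/b.rulz
```

The check on the -A count is the part that matters: the accident in the post was not a failed command but a successful one run at the wrong moment, so the guard has to look at the content of the dump rather than its exit status.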

Research Project I’m trying to get off the ground

There is a project idea I’ve had for a few months now, tracking what happens to credit and debit cards that get posted to twitter. People are posting pictures of their cards to twitter. If I had to guess, because they are excited, want to show off, and think only their friends can read it.


My name is Chris J, and this is how I do OSINT.

I’ve always been a fan of Lifehacker’s How I Work series. While this isn’t for Lifehacker, this is my “How I do Open Source Intelligence”. Recently a friend called and asked how I tracked data when doing OSINT. These are the tools and processes I use. It’s what works for me, and your mileage may vary.

The tools I use are a legal pad, a computer, a web browser, a personal wiki, a data analysis tool and, depending on the work, Tails and an SD card.


Book Review: The Private Investigator’s Handbook

I’ve just finished The Private Investigator Handbook: The Do-It-Yourself Guide to Protect Yourself, Get Justice, or Get Even by Chuck Chambers, P.I.

The book’s subtitle is the key: The Do-It-Yourself Guide… I’ve been thinking of getting my P.I. license; it’s required to do Digital Forensics in the state I live in. I figured if I was going to do that, it would probably be a good idea to read up on the subject.

This book isn’t a guide to being a private investigator; it is a book about doing yourself, before hiring a pro, a lot of the leg work that the P.I. is going to charge lots of money for. For some of it, you may get lucky and, working with your lawyer, not need a private investigator at all. For the most part I was disappointed with the book.

My disappointment stemmed in part from the book not being what I was expecting. The first several chapters, on finding and hiding assets, creating case files, social engineering, and the like, cover areas that I think are covered better in other books (see Michael Bazzell).

However, the book really comes through in the last couple of chapters and the appendices. Chapters Seven and Eight are Surveillance and Counter Surveillance. Again, while I think other books cover this better (see Antonio Mendez), this one breaks it down so anyone can learn it, whereas with the other books you have to think about what they’re telling you.

Lastly, the chapter on missing persons was pretty good as well. There were things he didn’t go into in deep detail, but there is enough information there to get a good jump on finding someone who is missing.

Overall I’d say this is a three out of five star book. As I said, some of the topics covered are covered better in other books. There are several times in each chapter that Mr. Chambers reminds you he’s not showing you everything, and that you need to hire a professional. You can just save yourself some time and money first.

What I think should be on your book shelf.

Recently a Professor asked me what 5 fiction books someone new to Information Assurance should read to get a feel for the Cybersecurity industry.

That got me thinking. What should someone in Cybersecurity have on their bookshelf?

Time Management for System Administrators – Tom Limoncelli

This book teaches time management tricks and techniques to System Admins. However, don’t hold that against the book. Published in 2005, this is the number one book I recommend anyone in any IT related field read. While it’s a little dated in some of the technology, the methods Mr. Limoncelli teaches are worth it.

While there are other books out there that people like, such as Getting Things Done, or home brewed systems, this is the one I found that resonated with me. It’s more than just managing your time at work; it covers how to manage your work-life balance. Sometimes people ask me how I do as much as I do. This book is the secret.

It’s Not All About Me: The Top Ten Techniques for Building Quick Rapport with Anyone – Robin Dreeke

One thing I’ve seen again and again in our industry is that people lack social skills. We get along fine amongst ourselves, but dealing with non-technical people we get a little short. Mr. Dreeke isn’t a technical person. He’s a counterterrorism expert for the FBI. What this book is, is his top ten techniques to talk to anyone. While this book has been popular in the Social Engineering circles of our industry, it’s one of those books that everyone should be reading, just to learn how to interact. Using these techniques will leave one feeling more fulfilled, and surprised at the doors that get opened.

On Writing Well, 30th Anniversary Edition: The Classic Guide to Writing Nonfiction – William Zinsser

While some people have problems accepting it, our industry is moving away from letting our code and technical skills talk for us. Like the book above about talking, this is one of the go-to books for writing. The book is designed to improve the writing skills of anyone working through it, regardless of how good a writer the person is to start with. In an industry where writing is becoming more important in our reports and even text communication, we need to find something to step up our writing skills. I like this one.

The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win – Gene Kim, Kevin Behr, and George Spafford

Reading this book made me stop several times and try to figure out which of the authors I had worked with previously. Then I realized we’re all fighting the same battle. Our biggest roadblock is ourselves. We have large egos, and see everything from a technical standpoint: there is a problem, it’s technical, or the solution is. However, we lose sight of the fact that we only have our jobs because of the business side of the house. While the story in this novel follows someone tossed into the role of VP, some of the topics covered in the book will improve anyone in IT’s relationship with the business.

Rework – Jason Fried and David Heinemeier Hansson

This book is written by the people at 37signals. It really does give the reader a 21st century view of business, and how to be successful. My whiteboard at work has a quote from the book on it; it’s about seven one-line bits, but the content from this book is over the top useful. It covers the basics of everything a company, department, or team would need to be successful, and how.

Little Brother – Cory Doctorow 

Mr. Doctorow’s Young Adult novel is about a teen and his desire to strike back at a corrupt government that became very draconian after a bombing in his home town. While some of the things mentioned in the book don’t exist, a lot of the tech, and the descriptions of how to use it, did. This book reminds the reader that it only takes one person with determination to start an army and strike back at Big Brother.

Homeland – Cory Doctorow

The follow up to Little Brother.

Snow Crash – Neal Stephenson

Classic style cyberpunk. It has everything: the VR world, the dystopian future, double-crossing conspiracies, corporation-owned walled cities. This book gives us the idea of using a computer program to reprogram people’s brains, along with quite a few other things.

Daemon – Daniel Suarez and Freedom(TM) – Daniel Suarez

These two books are one larger story: a software developer creates an AI and, using his gaming engines, recreates society in the real world. The Darknet is how those in the new society communicate and interact. Its currency is a lot like the Bitcoin trend we see going on now, and the governments of the world and big business don’t like the way things are going. Really this shows a lot of Geek Culture and where it could go as things like Maker Spaces and others come online. The technology helps form the way.

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage – Cliff Stoll

While this one reads like a fantasy novel, it’s pretty much where Cybersecurity started. While there were other people doing similar work, this one shows the things they had to go through to get it all started: setting up a paging system to contact the admin when a user logged in, so the admin wouldn’t have to sleep at the office; creating packet capture devices using printers; working with the government and private industry to track a phone call to another country, and having to create “interesting” data to keep the attacker on the line long enough to perform said trace.

* Note, all the links do go to Amazon, no I don’t have an affiliate program set up. It was just convenient.

Agree, disagree, or want to add a few you think should be on the list? Add them to the comments.

One more post on Open Source Tools and DF in court.

Email from the professor this morning (Emphasis added by professor):

We also had some discussion regarding tool acceptance in court. I wanted to provide some additional detail on this. Remember it’s the testimony of the witness that is being accepted. *Disclaimer I am not an attorney* Rule 702 of the Federal Rules of Evidence (FRE) says the following:

Rule 702. A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

(b) the testimony is based on sufficient facts or data;

(c) the testimony is the product of reliable principles and methods; and

(d) the expert has reliably applied the principles and methods to the facts of the case.

END RULE 702

While several FRE rules discuss acceptance of evidence (Rules 401-404) and testimony (Article VI and Article VII), 702 explains much. … Michigan’s Rules of Evidence follow the FRE closely.

a little less confused now.

So, I went and looked things up on my own, in regards to my last post about being a little confused on Digital Forensics and Open Source Tools. Like usual, Google is your friend.

The search term I used was: “digital forensics open source tools court approved”, without the quotes. Which returned this page: https://www.google.com/search?q=digital+forensics+open+source+tools+court+approved

I think the best line out of everything I read was:

Saying that one tool is court approved and another is not, is like saying you can take crime scene photos with a Nikon, but not a Kodak. It’s just silly, and it’s a myth perpetuated by those who seek to benefit from the existence of such a rumor.

The Digital Standard

That really does make sense. When you think about it, it is the person on the stand and their testimony that is being checked. Yes, methodology and procedure go with the testimony, but why would one tool matter, as long as it gets the same results as the expert from the other side? Does it have to have all the fancy bells and whistles, or does it just have to get the job done?

One thing that has bothered me about the “no open source tools” argument is that dd for raw disk copies is acceptable. Most of the other tools do the same work and then add compression or other bells and whistles, but really are based off it. So why is it O.K. to use some of the tools but not all?

A little confused about Digital Forensics and the tools to use

So I took Digital Forensics 1 at Eastern. The professor who taught the class owns his own forensics business. One of the things the professor kept repeating throughout the semester: “You can’t use Open Source Tools for Forensics, it won’t stand up in court”. “You have to use Court approved tools, tools that the court has accepted in previous trials”.

Tonight, we started Digital Forensics 2. It’s a different professor. This one does Digital Forensics for a living as well, for the Department of Justice. He said that you can use Open Source tools for Forensics, does so regularly, and testifies in court about it. This professor said there is no such thing as court approved tools, even though EnCase claims otherwise in their marketing material.

So I’m confused. Can you or can you not use Open Source tools for Digital Forensics? I know there are books on the subject, like Digital Forensics with Open Source Tools by Cory Altheide, but I don’t know how it’s viewed overall when using Open Source tools.

It’s really not hard to search the internet

Looking at Twitter the other day, I’m left wondering whatever happened to people working for news agencies doing research. Has researching the things you see died?

A tweet came out:

Winter gales on Lake Michigan have encased the St. Joseph Lighthouse in a thick coating of ice (c. John McCormick): pic.twitter.com/PaxuxEhpqS

c. John McCormick – http://www.michigannutphotography.com

Now, that’s an awesome looking photo. To me the ice looks a little like butter cream frosting, so I went and did a little checking to see if it’s real. It was, and the checking took me all of 10 seconds to find a large image, unedited so it still contained its EXIF data. I used the reverse image search tool for Chrome. The EXIF data for the original photo is from Jan 23, 2013.

Back to the tweet, however. If you notice, in the tweet Scott Meiklejoh said it wasn’t his photo, and gave credit to the original artist. Yet the first response to the tweet in the timeline is:

Anthony Morrison (@THETonyMorrison), 3 Jan

@ScottyTWN this is crazy!! Can we use this photo on CNN?? Tweet me!!

Looking at Mr. Morrison’s information, he does work at CNN as a photographer. So you would think he’d actually be diligent enough to make sure he was asking the right person for permission to use a photo. I’m not trying to shame or insult Mr. Morrison; I’m just surprised at the instant request for usage without digging any.

So the question is, whatever happened to people researching things and doing a little leg work?

Welcome to my new blog

I’ve wanted to create this blog for a while, but never seemed to find the time to set it up the way I wanted it. If you’ve seen me around you know that I had chrisrattis.blogspot.org, and I have www.ratsandrogues.com. The first one was OK, but I wanted more control over the site. The second one is for the Podcast I started with Infosec Rogue, which MWJComputing joined recently.

About Me:

I work full time, currently doing network security audits for application design; I have designed a point of presence for working with business partners, do firewall rule design, and maintain a web based terminal emulator.

I started my Cybersecurity / Information Security / IT career doing physical work, changing locks, running cables, building POPs and Data Centers, and then moved into Network Operation Centers and System Administration.

I’ve worked in Networking Service, Telecommunication, Automotive, Publishing, and Infrastructure as a Service.

I’m a senior at Eastern Michigan working on my degree in Applied Information Assurance. My classes have included Intelligence Analysis, Cyber Crime Investigations, Cyber Law, Digital Forensics, and Foreign and Domestic Terrorism and Information Warfare.

I run the Ann Arbor chapter of TOOOL.

I hold the following licenses, certifications, certificates and degrees:

  • Associate of Applied Science, Computer Information Systems
  • Associate in General Studies focus on Anthropology
  • Security+
  • Offensive Security Wireless Professional
  • New Mexico Tech Energetic Materials Research and Testing Center – Incident Response to Terrorist Bombings program – Awareness Level
  • Eastern Michigan University Center for Regional and National Security – Incident Response to Weapons of Mass Destruction
  • Technician class Amateur Licenses

I also podcast, teach lock picking, and speak at conferences.