Steganography

After the September 11 attacks on the WTC, security agencies in the US set to work in this direction. It was found that the "culprits" used steganography to transmit messages. Steganography is the method of hiding text or even programs inside pictures. This is possible because all files have some empty space in them. In some formats, such space is deliberately left to record the copyright details and other information about the creator. A harmless-looking picture may contain textual instructions or even a full program inside it. A virus, Happy99, used such a technique to damage computers a few years ago: it showed fireworks on the screen but executed a harmful program in the background that deleted important files from the computer.

The suspects in the Parliament attack have been reported to be possibly connected with the Al-Qaida network. As mentioned earlier, the WTC attackers are suspected to have used steganography as one of their mediums of information exchange, and they too are said to be associated with Al-Qaida; hence the importance of studying this aspect. A sample file can be attached. It could well be a picture of a legend, say, Sachin Tendulkar, perfect to be set as wallpaper. But the file may also carry an embedded text of about 2500 characters. Similarly, the pictures of the Parliament found on the laptop may contain data such as instructions or details about the area. The sample file mentioned above may also be downloaded from http://ijss.tripod.com/steganography/files/stegdemo.zip; the instructions are in the readme.txt file included in the archive.

MS Word

It is the most commonly used program for word processing. Though not ideally suited for typing letters to be sent by e-mail, people still use it for that purpose: they type the content and then either cut/paste the typed text or use the "Send" option provided in the menu. A Word document is probably the first thing the experts try to lay their hands on.
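For the steganography section above: the simplest kind of "empty space" a picture can carry is anything placed after the format's end-of-image marker, which every viewer silently ignores. The following is an added example, not code from the article or from the stegdemo archive; it walks a JPEG's segments or a PNG's chunks to the real end marker and reports whatever follows. The sample images and the hidden note are constructed.

```python
import struct
import zlib
# Added example, not from the original article: report bytes appended after an
# image's end-of-image marker, one simple place where a "harmless" picture can
# carry hidden text or a program. The sample images below are constructed.

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9), found by walking the segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the picture ends here
            return pos + 2
        # RSTn / SOI carry no length field; every other segment is length-prefixed
        pos += 2 if 0xD0 <= marker <= 0xD8 else 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):          # FF 00 and FF D0-D7 are not markers
                if data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI not found")

def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk, found by walking length-prefixed chunks."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND not found")

def trailing_data(data: bytes) -> bytes:
    """Bytes an image viewer never shows because they follow the end marker."""
    end = png_end(data) if data.startswith(b"\x89PNG") else jpeg_end(data)
    return data[end:]

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed minimal images: a JFIF header plus a four-byte scan, and a 1x1 PNG skeleton.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd9")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
HIDDEN_NOTE = b"constructed hidden note"
```

A clean file returns an empty result; a picture with data appended returns those bytes, which is the cue to look at the file more closely (appended data is only the crudest hiding place, and a tool that alters pixel bits will not show up here).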
There may be password-protected documents, but that protection is limited and can be easily overcome. So nothing much needs to be said about retrieval of Word documents.

Scanning e-mail

E-mail is an integral part of modern-day communication. The fact that the criminals in question may have used e-mail can lead us to more links in the chain. One jumps to the most obvious question: "How?" E-mail uses an alias or a username that is shown in the "From" field when we receive mail. Every computer on the Internet, when connected, has an address, called the IP address. The mail's "From" field can be spoofed, but not the IP address (technically speaking, that is also possible but needs a very tedious and expert process, so it is rarely done). By reading the source of the mail received on the laptop, we can come to know where the sender is located. This is possible by examining the source IP address. If the source IP address is in India, the corresponding ISP may be contacted for further details. They may or may not have further information, but if they have, they would be glad to provide it. In any case, ISPs are required to keep "logs" under the IT Act 2000. That way we can also come to know if the sender is in some other country. This can be vital information to "find missing links in the chain".

Another aspect of e-mail is the "Sent Mail", "Deleted Items" or "Trash" and other folders. Under normal settings, when we delete mail, it remains on the server for some time, until the server space is needed. If Outlook Express is used, it may be possible to review the Deleted Items folder. In case the service is from a Web mail provider, it may still be possible to view the deleted mail, but one needs the password in this case. There are various ways to retrieve passwords also, but success cannot be guaranteed.

Temporary files

Windows is designed to cache all visited pages if not configured otherwise.
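Returning to the e-mail section: "reading the source of the mail" means walking its Received headers, since each relay adds one at the top and the bottom-most header names the machine closest to the sender. The following is an added example, not code from the article; the message is constructed, and the host names and addresses in it are placeholders. It also handles the case the section glosses over: a bottom-most header that names only loopback or a private address, which identifies no Internet host and must be skipped.

```python
import email
import ipaddress
import re
# Added example, not from the original article: walk the Received headers of a
# raw message to find where it really entered the mail system. Each relay adds
# its own Received line at the top, so the bottom-most one is closest to the
# sender; the From line is free text. The message below is constructed.
SAMPLE_RAW = b"""\
Received: from mx1.example-isp.invalid (mx1.example-isp.invalid [198.51.100.7])
    by mail.recipient.invalid with ESMTP id abc123; Sat, 15 Dec 2001 09:12:03 +0530
Received: from user-pc (dialup-45.example-isp.invalid [203.0.113.45])
    by mx1.example-isp.invalid with SMTP; Sat, 15 Dec 2001 09:11:40 +0530
Received: from localhost (localhost [127.0.0.1])
    by user-pc with local mail; Sat, 15 Dec 2001 09:11:05 +0530
From: "A Friend" <friend@somewhere.invalid>
To: someone@recipient.invalid

constructed body
"""
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_chain(raw: bytes) -> list:
    """One dict per Received header, top (recipient side) first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())                  # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append({"claimed": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def is_routable(ip: str) -> bool:
    """False for loopback and RFC 1918 addresses, which identify no Internet host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in PRIVATE)

def originating_ip(raw: bytes) -> str:
    """Deepest routable address in the chain. Only headers written by servers you
    control are guaranteed genuine; anything below them is the sender's claim."""
    for hop in reversed(relay_chain(raw)):
        if is_routable(hop["ip"]):
            return hop["ip"]
    return ""
```

The returned address is what you would take to the ISP's logs; the "claimed" host name beside it is whatever the connecting machine announced and should not be trusted on its own.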
If the configured space does not fill up, pages visited in the past 20 days are usually available in a special set of folders called the "Temporary Internet Files". These are under "C:\Windows\Temporary Internet Files\Content.IE5" and have random 8-character names such as BCH9T0Y2 or 8HY3JG3U. Note that these are hidden folders, so they will not be visible normally. To view the files visited, one can open Internet Explorer and type "C:\Windows\Temporary Internet Files" in the address bar. Sometimes, Web-based e-mail pages can be viewed offline with this method! Files in the system's temporary folder also sometimes provide useful information; that folder can be identified by issuing the "SET" command at the command prompt.

Cookies

Like Temporary Internet Files, cookies can also provide important information about a person's online character. By default, cookies are enabled in IE. Whenever one visits a Website, it stores a cookie on the local computer for various purposes. It may store username/password information for that Website, the visitor's logged-in name or even the time visited. Each cookie contains the Web address besides the other information mentioned. One can study the cookies and conclude what Websites might have been visited. Note that there may also be cookies for "actively non-visited" sites, such as those appearing in ad banners. Careful compilation of the cookie data can reveal vital information.

Deleted files

Assuming that the attack was planned beforehand, one cannot rule out the possibility of the suspects deleting files on the eve of the crime or even before that. Technically, deleting a file removes its reference from what is called the "File Allocation Table" (FAT) of the operating system. The file's contents may still exist on the hard disk until some other file needs that space, at which point they are overwritten by the new file.
So, if fortunate enough, the data may still be on the laptop, and one can view the contents of the hard disk on a physical sector basis. Since sector-by-sector analysis of the hard disk can take a long time, one can start by searching for words like "Parliament", "Sansad" or "minister". If a word is found, the nearby sectors may be analysed for inappropriate content. This is the most tedious, but nevertheless the most useful, technique for retrieving data, even from a crashed hard disk.

Chat

With the advent of instant messaging, online communication has become one of the most comfortable and economical ways to express one's ideas, share knowledge, keep up with other people and their well-being, and disperse or gather other information. MSN and Yahoo! are the two prime instant messaging service providers. There are others too, but because these two are also the prime free e-mail providers, they are the most commonly used. If Yahoo! Messenger is installed on the laptop, it may be used to retrieve information in many ways. To begin with, one may look for archived messages. Yahoo! has been offering to archive messages for some time now, and if enabled, all messages are archived on the remote (Yahoo!'s) server. If archiving is not enabled, there may still be offline messages for the user's account. One can thus come to know the other parties' username(s), and then techniques of social engineering (described later) may be used to get further data from them. If the "remember my password" feature is enabled, one can log in and see who responds to the online presence of the id in question. One can also see which ids are added as "friends" in the user's list, and later these can be used to extract information. There may be other methods devised to get information once it is certain that the suspects used instant messaging. Chat session cookies are stored on the computer, sometimes with the user still "logged" on; that is, the username and/or password are permanently set on the computer. The user does this to ease the login process next time. If lucky, the investigation agencies may lay their hands on this information, which could be of immense help. When logged on, other people can be "fooled" into talking about the logged-on user or any other information they may have. This is called "social engineering" and is known to be used to extract passwords from unsuspecting persons.
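The sector-level keyword search described under "Deleted files" above, as an added example that is not part of the original article. It reads a raw disk image in fixed-size chunks rather than going through the file system, so space freed by deleted files is searched as well, and it carries a few bytes over between reads so a word split across two sectors (or two reads) is still found. The image is constructed; the sector size and read size are assumed values.

```python
import io
# Added example, not from the original article: the sector-level keyword search
# described under "Deleted files", run over a raw disk image (not the file
# system), so unallocated space left by deleted files is searched too. The
# image below is constructed; SECTOR and CHUNK_SECTORS are assumed values.
SECTOR = 512
CHUNK_SECTORS = 2                       # tiny on purpose so a hit can straddle two reads
KEYWORDS = [b"Parliament", b"Sansad", b"minister"]

def search_image(fobj, keywords=KEYWORDS, sector=SECTOR, chunk_sectors=CHUNK_SECTORS):
    """Return [(sector_no, keyword, offset)] for every case-insensitive hit, in disk order."""
    kws = [k.lower() for k in keywords]
    overlap = max(len(k) for k in kws) - 1          # bytes carried over between reads
    tail, base, hits = b"", 0, []                   # base = absolute offset of tail[0]
    while True:
        block = fobj.read(sector * chunk_sectors)
        if not block:
            break
        data = (tail + block).lower()
        for kw in kws:
            i = data.find(kw)
            while i != -1:
                if i + len(kw) > len(tail):         # not already reported from the previous read
                    hits.append(((base + i) // sector, kw.decode(), base + i))
                i = data.find(kw, i + 1)
        keep = min(overlap, len(data))
        tail, base = data[len(data) - keep:], base + len(data) - keep
    return sorted(hits, key=lambda h: h[2])

def sector_context(fobj, sector_no, before=1, after=1, sector=SECTOR) -> bytes:
    """Raw bytes of the hit sector and its neighbours, for manual review."""
    first = max(sector_no - before, 0)
    fobj.seek(first * sector)
    return fobj.read((sector_no - first + 1 + after) * sector)

def build_sample_image() -> bytes:
    """Eight zero-filled sectors with three planted words; one straddles sectors 1 and 2."""
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR - 4:2 * SECTOR + 6] = b"PARLIAMENT"  # "PARL" ends sector 1, "IAMENT" starts sector 2
    img[5 * SECTOR + 100:5 * SECTOR + 113] = b"Sansad Bhavan"
    img[7 * SECTOR:7 * SECTOR + 8] = b"minister"
    return bytes(img)

def search_sample() -> list:
    return search_image(io.BytesIO(build_sample_image()))

def sample_context(sector_no: int) -> bytes:
    return sector_context(io.BytesIO(build_sample_image()), sector_no)
```

On a real image, pass an opened device or image file in place of the BytesIO and a larger CHUNK_SECTORS; the hit list gives the sector numbers to pull with sector_context for review.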