Monday, January 7, 2002		Article

Dead ultras tell no tales, their laptop may
Inderjeet Singh Sodhi

AS was made public that the December 13 attack on the Parliament was backed by digital equipment and associated messaging systems, it is possible to extract information from the laptop confiscated by the police.

Though the ‘level’ of computer literacy of those arrested and those killed is not known yet it can be assumed that they knew moderately about the internals of the working of operating system (assuming it to be MS Windows 95/98/Me). Before we go any further to mention the traits usually used, I’d like to mention what is e-Security. As the most basic explanation, e-security is the method of securing Internet systems from malicious use. We study the operating systems in detail and try to compromise the security in order to secure it further. It also incorporates tracking down such use by others wherever possible, besides other avenues such as tracking misuse and intercepting anti-social exchange of information.

Now to mention the possible ways in which the laptop might have been used for the crime and also the methods to retrieve whatever information we can get out of it. The principle is fairly simple, everything they communicated about, was typed on the laptop. If we can get hold of the typed material, we can lay our hands on vital information. Here’s how one can go about doing a "post-mortem", if I may say so, on a computer.

After the September 11 attacks on the WTC, security agencies in the US set on working in this direction. It was found that the "culprits" used steganography to transmit messages. Steganography is the method of hiding text or even programs inside pictures. This is possible as all files have some empty space in them. In some formats, such a space is deliberately left to mention the copyright details and other information about the creator. A harmless picture may contain textual instructions or even a full program inside it. A virus, Happy99, used such a technique to damage computers a few years ago. It showed fireworks on the screen but executed a harmful program in the background that deleted important files from the computer.

The suspects of the Parliament attack have been reported to be possibly connected with the Al-Qaida network. As mentioned earlier, WTC attackers are suspected to have used steganography as one of the mediums of information exchange. They are also said to be associated with Al-Qaida, hence the importance to study this aspect. A sample file can be attached. It could, well, be a picture of a legend, say, Sachin Tendulkar. The picture is perfect to be set as wallpaper. But the files may also have an embedded text of about 2500 characters length. Similarly, the pictures of the Parliament found on the laptop may contain data such as instructions or details about the area.

The sample file as mentioned above may also be downloaded from http://ijss.tripod.com/steganography/files/stegdemo.zip and the instructions are in readme.txt file included in the archive.

It is the most commonly used program for word processing. Though not ideally suited for typing letters to be sent by e-mail, people still use it for the same purpose. They type the content, and then either cut/paste the typed text or use the "Send" option provided in the Menu. Word Document is probably the first thing the experts try to lay their hands on. There maybe password protected documents but that protection is limited and can be easily overcome. So nothing much is needed to be said about retrieval of Word documents.

E-mail is an integral part of modern day communication. The fact that the criminals in question may have used e-mail, can lead us to more links in the chain. One jumps to the most obvious question "How?" E-mail uses an email alias or a username that it shows when we receive mail in the "from" field. Every computer on the Internet, when connected, has an address, called the IP address. The mails "from" field can be spoofed, but not the IP address (technically speaking, that is also possible but needs a very tedious and expert process, so rarely used). Reading the source of the mail that was received on the laptop, we can come to know where the sender is located. This is possible by scanning the source IP address. If the source IP address is in India, the corresponding ISP maybe contacted for further details. They may or may not have further info but if they have, they’d be glad to provide the same. As such, it is mandatory to keep "logs" by ISPs as per the IT Act 2000. That way we can also come to know if the sender is in some other country. This can be a vital information to "find missing links in the chain".

Another aspect of E-mail is the "Sent Mail" and "Deleted Items" or "Trash" and other folders. Under normal settings, when we delete mail, it remains on the server for some time, until they need the server space. If Outlook Express is used, it maybe possible to review the deleted items folder. In case the service is by a Web mail provider it may still be possible to view the deleted mail but one needs the password in this case. There are various ways to retrieve passwords also, but success cannot be guaranteed in that case.

Windows is designed to cache all visited paged if not configured otherwise. If the space configured does not fill up, then usually pages visited in the past 20 days are available in a special set of folders called the "Temporary Internet Files". These are under "c:\ Windows\ temporary Internet Files\ Content.IE5" and have random names of 8 character such as BCH9T0Y2 or 8HY3JG3U. Note that these are hidden folders, so won’t be visible normally. To view the files visited, one can open the files by opening Internet Explorer and typing "C:\ windows\ Temporary Internet Files" in the address bar. Sometimes, web based e-mail pages can be viewed offline with this method!! Also sometimes files in the system’s temporary folder provide useful info. The folder can be identified by issuing "SET" command at the command prompt.

Like Temporary Internet Files, cookies also can provide important information about a person’s online character. By default, Cookies are enabled in IE. Whenever one visits a Website, it stores a cookie on the local computer for various purposes. It may store username-password information for the particular Website, the visitors logged-in name or even the time visited. Each cookie contains the Web address besides the other information as mentioned. One can study the cookies and conclude what Websites might have been visited. It may be noted here that there maybe cookies for "actively non-visited" sites also, such as those appearing in the ad banners. Careful compilation of the cookie data can reveal vital information.

Assuming that the attack was planned before hand, one cannot rule out the possibility of the suspects deleting files on the eve of the crime or even before that. Technically, deleting files removes the reference of the file(s) from what is called the "File Allocation Table" (FAT) of the operating system. These files may still exist on the hard disk unless some other file needs that space. When required by other file(s) the contents are over-written by the new file. So if fortunate enough, the data may still be on the laptop and one can view the contents of the hard disk on physical sector basis. Since sector-by-sector analysis of the hard disk data can take a long time, one can start by searching for words like "Parliament" or "Sansad" or "minister" etc. If the word is found, the nearby sectors maybe analysed for inappropriate content. This is the most tedious, but nevertheless, most useful technique used to retrieve data from even from a crashed hard disk.

With the advent of instant messaging, online communication has become one of the most comfortable and economic ways to express one’s ideas, sharing knowledge, knowing other people or their well being, and dispersing/gathering other information. MSN and Yahoo! are two prime Instant message service providers. There are others also but because of these two being prime free e-mail providers they are the most commonly used ones. If Yahoo! messenger is installed on the laptop, it may be used to retrieve information in many ways. To begin with, one may look for archived messages. Yahoo! has been offering to archive messages for some time now and if enabled, all messages are archived on the remote (Yahoo’s) server. If archiving is not enabled, there still maybe off-line messages for the user’s account. One can thus come to know of the others’ username(s) and then techniques of social engineering (described later) maybe used to get further data/information from them.

If "remember my password" feature is enabled, one can log in and see who responds to the online presence of the id in question. One can also see which ids are added as "friends" in the user’s list and later they can be used to extract information. There maybe other methods devised to get information once it is certain that they used instant messaging. Chat session cookies are stored on the computer with (sometimes) user still "logged" on. That is, the username and/or password are permanently set on the computer. The user does this in order to ease the login process next time. If lucky, the investigation agencies may lay their hands on this information that could be of immense help. When logged on, other people can be "fooled" to talk about the user logged on or any other information that they may be having. This is called "social engineering" and is known to be used to extract passwords from unsuspecting persons.