(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Forensics’ Category

Jihadi Hacking Tutorials: Irhabi 007’s Text and More….

with 2 comments

I recently posted some preliminary findings on files found on Jihadist websites for hacking. Actual full tutorials on how to hack that ended up with actually useful data and tools for the jihadi’s to hack in the name of Allah. In looking at those files I also ran across a section of .pdf files that included a text, that if I read correctly, is from Younis Tsouli aka “Irhabi 007” (Terrorist 007) Like the autorun/distro like tutorials from earlier, these pdf’s run the gauntlet of current hacking attacks that are the hack-du-jour. PHP hacking, SQL, Linux/*NIX hacking, Database hacking of various kinds etc. Much of this data has been taken from other sites like MILW0RM and others, translated into Arabic with notations and put into the pdf format for dissemination on jihadi sites and or, certain Arabic hacking group sites like XP10.

With each tutorial though, the hackers had to add their own personal emails on there, so I have about 10 or so addresses to put into Maltego and Google. So far, “metoovet”, who created the tutorial on hacking that I posted about last, seems to be rather open in using his hotmail address on other sites including a business site for programming. The site is ostensibly his and via a whois I was able to get another address of his. The sum of the data points toward his being not only a hacker programmer, but he also claims to be a medical student.


I will continue the poking about on this, but I thought these files would be interesting for you all to see. They were uploaded to the megashare a while back and I am sure have proliferated all over.

The Files

On the 007 text though, I need a good way to translate the pdf file. His stuff was pretty comprehensive too…

More soon.


FBI’s “Investigative Kiosks” allow quick data extraction from cell phones = FAIL

leave a comment »

It seems that every day, manufacturers add features to the garden-variety cell phone that make these mobile devices increasingly valuable as items of evidence. Text messages, call logs, e-mails, photographs, videos—all of this data and more can be found on many cell phones today.

To help local, state, and federal law enforcement deal with an increased demand in analyzing cell-phone data, the FBI has been launching Cell Phone Investigative Kiosks (CPIKs) in FBI Field Offices and Regional Computer Forensics Laboratory (RCFL) locations across the country. The CPIK allows users to extract data from a cell phone, put it into a report, and burn the report onto a CD or DVD in as little as 30 minutes.

Kiosk users only need to have some familiarity with computers and are required to take a one-time only, hour-long training course. Assistance with the kiosks is also available on site at CPIK locations.

Each CPIK has two components: 1) a cell phone examination system that contains software and the necessary cables to download data; and 2) a photographic system that enables a user to take pictures of a cell phone’s screen.

Users of the CPIK are able to:

  • Copy data from a cell phone to a computer hard drive
  • Examine data in a report format on the computer screen
  • Copy the report onto a portable device (such as a CD or DVD)
  • Copy the photographs onto a portable device (such as a CD or DVD)

While the CPIK is intended to be a preview tool—not equivalent to a full-scale cell-phone examination such as that performed by a certified examiner—any evidence produced using the tool is admissible in a court of law.

Non-FBI personnel may access the kiosks at their local RCFL. For CPIKs located at an FBI Field Office, non-FBI personnel must have an FBI escort at all times.
To locate a CPIK near you and to learn more about the program, go to:

What this story fails to mention is that these “point and click” kiosks are just that.. Point and click, there is no expertise being used to look forensically at the data. For that matter, this system can fail to “see” the data in the first place due to the many different types of phone OS’s. Each OS has a different way of storing data, where they store it, how they store it, etc so when the kiosk is used by an unskilled agent, they may in fact be missing much.

How do I know this? I know this from speaking with and listening to a forensics specialist who works for the FBI as a consultant. So, here we have another chink in the forensics chain due to point and click mentality and a deep lack of understanding of Digital Forensics. Of course if you ask any agent or even police officer, you will hear that right now, digital forensics cases are backed up about six months at the labs. There is it seems, a deficit in qualified digital forensics examiners. *hint hint, good time to look into the CHFI kids* and a glut of cases, many many many of them now involving mobile phones and PDA’s.

Think about it.. How many dealers out there are doing their deals by text messages or SMS huh? How many bangers out there are making vids on their phones of beat downs etc? Yeah, there’s a lot of data out there and unless the feds and other LEO’s are performing these initial searches right, they might not only miss data, but in many cases with phones, screw the pooch by altering data.


Time to get your phone forensics on kids…


Written by Krypt3ia

2010/06/05 at 11:33

Al-Qaida Goes “Old School” With Tradecraft and Steganography

with 3 comments

al-Qaida: Shifting into the spy shadows

12 March 2010

When couriers get caught, so do key al-Qaida documents, plans and key communications. Shaffer says now al-Qaida is hiding their communications on the Internet. It’s not a new concept, but certainly one that’s gaining a lot of momentum since a growing number of critical commanders and operators have either been killed or arrested. How are these dead drops happening? “Steganography in photographs is a good example of a dead drop,” says Shaffer. In a nutshell, a dead drop in a photo involves embedding a message in a picture. .

WTOP, 12 March 2010: A growing list of terror suspects nurtured by al-Qaida is emerging. Former military interrogator Dave Gabutz informed WTOP Radio of this notion in June 2009 after he had spent years tracking al-Qaida sleeper units and recruiters. “We came across the first one in Falls Church, Va.,” Gabutz says. This “first one” was controversial Imam Anwar al-Awlaki, who worked at a location watched by Gabutz and his team. . . .

. . . Gabutz says the recruiters are spreading out. “Michigan, Florida, Texas, Nashville, Richmond, Knoxville, and California,” are prime locations, according to Gabutz. There are indications terrorist recruiters are using every available opportunity and option to lure more people into their world and plan attacks against the United States.

Hezbollah sympathizer Mahmoud Kourani was doing just that before his arrest near Detroit in 2002. “Kourani’s specialties appeared to be weaponry, spycraft, counterintelligence,” according to Tom Diaz, a former Congressional Crime Subcommittee staffer. Diaz says Khourani was recruiting people for training. Recruits were to be trained “to make things go bang, to attack, military type training, terror type training,” Diaz says. . . . .

. . . .One question that is puzzling investigators is how al-Qaida communicates with its foot soldiers and recruiters, some of whom may be embedded in the fabric of the U.S. military. With the almost daily capture and killing of key handlers in Pakistan, it seems al-Qaida is being forced to communicate in a completely different way. Since so many couriers and foot soldiers are being rolled up, al-Qaida is relying on “electronic dead-drops,” says Army Reserve Lt. Col. Tony Shaffer, a former Defense Intelligence Agency officer.

When couriers get caught, so do key al-Qaida documents, plans and key communications. Shaffer says now al-Qaida is hiding their communications on the Internet. It’s not a new concept, but certainly one that’s gaining a lot of momentum since a growing number of critical commanders and operators have either been killed or arrested. How are these dead drops happening? “Steganography in photographs is a good example of a dead drop,” says Shaffer. In a nutshell, a dead drop in a photo involves embedding a message in a picture. .

I have been seeing some hits these last couple days on my “Leggo My Steggo” post from a while back. The post covered some of what I had been finding on jihadist sites with regard to alleged “Stegged Images” that I had been testing to see if they were indeed hiding data.

Thus far I have found images that seem to be stegged but I have yet to actually crack an image open and see the data hidden within. So, it’s kind of up in the air if any of the images I have found are in fact stegged. Anyone who wants to give it a shot feel free to copy the files out of the share in the link above.

Of course this whole article and the premise that the jihadis have had to change their methods of command and control is on the whole correct I think. However, I believe that they have been using dead drops for some time and not only because of the roll ups recently. This is just a good standard “tradecraft” practice that should be used when waging such campaigns. Hell, they probably learned it from us or the Brits in the first place… Well maybe the KGB too.

Now that they have also made much more of their online persona, I am also sure that they have been maximizing this type of technique not only with steg, but also with dead drop email accounts. All one has to do is create an account, share the password, and then just talk amongst yourselves with draft emails. No need to hit the send button there huh. Add to that the use of TOR and you have a pretty safe way to communicate.

What’d be even more secure would be a one time pad.. But, I really don’t see them passing out OTP’s to each jiahdi cell.

This reminds me of “Hacking A Terror Network” which has a story line based approach talking about this very scenario of Steg use. I have talked to the author online and shared my data. The problem of how to prove these methods of communication are myriad. So, it may be hard to prove this theory…

I guess I am gonna have to wash some more pictures, video, and audio through the steg detection software and see what I get…


U.S. Fails Test In Simulated Cyberattack

leave a comment »

U.S. Fails Test In Simulated Cyberattack

Organizers, observers of “Cyber Shockwave” conclude that nation is not ready for the real thing

Feb 17, 2010 | 06:48 PM

By TimWilson

A large-scale simulated cyberattack on the U.S. yesterday proved one thing, according to organizers: the country isn’t prepared for a real attack.

In a press release issued today, the Bipartisan Policy Center — which organized “Cyber Shockwave” using a group of former government officials and computer simulations — concluded that the U.S is “unprepared for cyber threats.”

Former Secretary of Homeland Security Michael Chertoff, who chaired the simulated National Security Council, said cyber-terrorism “ought to be treated as a threat of sufficient seriousness that we give it the priority attention we’ve given weapons of mass destruction.” Cyber-terrorism is “more complicated by the fact that it involves every individual,” Chertoff said. “Anybody who has a smart phone, who downloads an app or gets on their PC is engaged in this process.”

Reports from those who witnessed the simulation indicate that the U.S. defenders had difficulty identifying the source of the simulated attack, which in turn made it difficult to take action.

“During the exercise, a server hosting the attack appeared to be based in Russia,” said one report. “However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event.”

The simulation envisioned an attack that unfolds over a single day in July 2011. When the Cabinet convenes to face this crisis, 20 million of the nation’s smart phones have already stopped working. The attack, the result of a malware program that had been planted in phones months earlier through a popular “March Madness” basketball bracket application, disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.

“A useful aspect of something like this simulation is it helps people visualize what is realistic and possible in some circumstances,” said John McLaughlin, who played the role of Director of National Intelligence. “The smart thing is to prepare now, to do the legislation now, to do the bipartisan work now, to do the intelligence work now, the foreign policy work. These are all very complicated things and we need to get started on them.”

Stephen Friedman, who played the role of Secretary of the Treasury, said of a potential cyber attack on the U.S.: “There is no question in my mind that this is a predictable surprise and we need to get our act together.””

The panel of government officials agreed that cyber-terrorism is a national security issue that needs to be addressed quickly in a bipartisan manner. “It raises an issue of the system’s responsibility to be able to come together in a nonpartisan way and figure out the answer to questions as opposed to kicking the can down the road until we’re in an emergency,” said Chertoff.

During the exercise, legal questions were raised regarding personal privacy versus national security. “We have to come to grips with the implications for our personal privacy and the relationship between the federal government and the private sector,” said Jamie Gorelick, who played the role of Attorney General.

Cyber ShockWave demonstrated the tremendous challenges the government has in dealing with potential cyber attacks,” said Jason Grumet, founder and president of the BPC. “Our goal for Cyber Shockwave was to identify real policy and preparedness issues that need to be addressed in order to combat an attack of this magnitude that escalates rapidly and is of unknown origin.”

So, I have been lamenting this outcome for years now and the one thing that really is running through my mind right now is

“Umm where was Tsar Schmidt?”

Was he involved? Was he watching? Has he a clue? So far I have heard dick out of him in the way of saying anything of meaning about his job. Perhaps he is not sure what is job is as yet anyway… Meh. In any case, this should be an interesting report to read.

Now on the “predictable surprise” comment.. Uhh What? What the hell does that mean? How is anything predictable a surprise? Is this the calibre of the people working on this problem? Ugh.

Lastly, the whole issue of the legal right to privacy seeming to be at risk to “solve” these issues really is a load of crap. FIND ways to take care of the problems without having to invade all our privacy please!

Time to start my plans for a big Faraday cage…

Sensing A Pattern

with one comment

Source SC- DIAL TELECOM Romania Slammer DTG Wireless Latvia DdoS Grid Hosting Turkey DOS/SYN Northern Telephone OSHKOSH BAD IP Interserver Inc NJ DOS/SYN China Telecom DOS/SYN Chinanet DOS/SYN UNICOM JL China DOS/SYN NINGHAI-XINYANG-LTD China Slammer Chinanet AH China DOS/SYN CNC Group CHINA169 Zhejiang Province Network TCP Nmap Scan MAINT-CHINANET-LN DOS/SYN MAINT-CHINANET-SD Slammer CHINANET jiangsu province network China DOS/SYN Kunde Htech Ltd Co China DOS/SYN CHINANET-HN Changsha node network DOS/SYN CHINANET Chongqing province network Slammer CHINANET SHANDONG PROVINCE NETWORK DOS/SYN China Unicom Shandong province network DOS/SYN China Unicom Beijing province network DOS/SYN TIANJIN-CHANGCHENGZHIBAO-LTD DOS/SYN China Unicom Hebei Province Network Korea DOS/SYN KORNET-10321992250 DOS/SYN ZHEJIANG-PEOPLE-GOV TCP Nmap Scan LY-GUANGDIAN-ISP China Slammer JINHUA-TELECOM-LTD Slammer China Unicom Liaoning province network DOS/SYN CHINANET Anhui province network Slammer China Mobile Communications Corporation – jiangxi Slammer Ratel Company Russia DOS/SYN SuperOnline Inc. Turkey Slammer CHINACOMM DOS/SYN CMNET-jilin DOS/SYN BEIJING ZHENG-BO TECHNOLOGY CO.LTD Slammer Shanghai University DOS/SYN App Anomaly RPC CHINANET Sichuan province network DOS/SYN SC-MY-SJDF-LTD China DOS/SYN CHINANET-ZJ-HZ DOS/SYN CNC Group CHINA169 Zhejiang Province Network TCP Nmap Scan CUCBUUDIENTW-NET DOS/SYN JIAXING-TELECOM-LTD DOS/SYN SJZ-FriendshipHotelNorthStateStreetstore China DOS/SYN Maxis Communications Bhd Malaysia DOS/SYN shantoushitianyingxinxijishuyou China DOS/SYN NTT Communications Corporation Japan BAD IP CHINANET Shanghai province network DOS/SYN

Since my little incident with j35t3r I have been paying more attention again to the IDS. In the last few days alone the system has seen some interesting traffic including another DDoS attempt from Latvia. I am seeing a pattern though for the most part. Our Chinese overlords have a lot of traffic coming my way from worms.

Also interesting to note is the Nmap traffic, guess some folks got interested in my system to see what ports I have open. They went away unhappy though. Kinda makes you wonder what your traffic is like huh? It also might make you wonder just how much your system is protected.. If it is at all.

If you are interested, you can take a scan for yourself with Shields Up. It’s a system in place to run a Nessus scan against your IP address and see whats what. It does a good job and will tell you what ports are open and perhaps what vulns you might have.

Just remember, if you have a persistent connection and your machine is on.. Well, they are knocking at the door.


Written by Krypt3ia

2010/01/24 at 01:23


1.16.2010 DD0S ABTS (Karnataka), CMSU-NET AMAZON-EC2-5 Research in motion Microsoft Centauri Comms Layer42.Net, Inc ViaWest ViaWest FR-METALLERIE-VILLEMIN PSINet, Inc. Silicon Valley Colocation, Inc. Road Runner HoldCo LLC Road Runner HoldCo LLC COMCAST Layer42.Net, Inc. Cricket Communications Inc Edgios Inc. Road Runner HoldCo LLC CABLE ONE Inc. Wave Broadband TELINEA BOSNIA SIL-UBIT SK-Gaming via Gameserver Asuk Creative Limited OVH SAS
1.17.2010 DD0S KORNET TOR node SHAWCABLE.NETE.NET BLUTMAGIE Olaf Selke Exploit Prevention Labs SCSNET-CATV-SEOKYUNG BORANET-1 Seoul Neucom Inc.

Pcaps have been parsed, there is much too much for a full disclosure, besides I don’t want to give out everything. Pcaps and forensics report have been passed to the authorities carrying out the investigation to add to the other data that they have gotten elsewhere.

The basics of the attack as of his last hit on me are these:

  • Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky like though, he would be proxying to a box that then has poisoned TOR nodes at their disposal
  • Other compromised or complicit machines are also being used (admins will be being contacted by authorities) I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
  • Much of the traffic was being sent from the EU focusing in the DE region, but there was also some Korea in there
  • 30 minutes at a time.. Either paying for increments of time to a botherd, or, the TOR nodes throttle out as this is something they do to try and prevent this type of misuse
  • He’s using a combination of syn/fin TCP callouts to flood the system with junk and hose the webserver.
  • In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports etc
  • He seems to have been using a C&C system that would call up a java script to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GET’s like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
  • The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the servers bandwith making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…

Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, the TOR is really meant to not have any logging. Kinda like ANONINE the proxy he has been using.

Also while looking about I noticed that mypetjawa, seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe its just an internal server error 500 as I see when I search their site directly, but its in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.

… And me? My site? Still up.

Well, it’s no biggie if its down here and there. But, the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence is helping the boys do their thing. Of late though he has laid off with only the occasional twitter taunt to get me to respond.

Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.

It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.

Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.



Written by Krypt3ia

2010/01/21 at 03:19

Framed for Child Porn: The State of Digital Forensics and the Law

leave a comment »

Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it’s your reputation that’s stolen.

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

Full Article

Aside from the US pronunciation of Paedophile, I can’t fault the premise here nor the overarching idea that the American justice system is ill prepared to handle these cases properly.

Having been on the periphery of the Amero case, I saw first hand how the prosecution, the police, and the legal system in general were really quite incapable of understanding the evidence never mind the principles behind the processes going into gathering  that evidence “per legal requirements”

So, that brings us up to this article and the case it cites. This poor bastard has had his life ruined because of a piece of malware and a lack of comprehension on the part of the justice system. His life is ruined and he has no redress because the state cannot be sued for any amount of money worth suing for! That is utter bullshit and it has to stop.

Now, on the side of the  equation, it can be difficult if not darn near impossible at times to say unequivocally, that someone actually “did” the crime in question. It is all dependent on many factors when you take a “no write” image of the subject machine. Had the machine been tampered with before seizure? Is there malware on there that is home brew and subtle enough to miss? have the users ID and password been compromised and the system physically accessed by someone else to perform these acts?

Many questions and as an expert witness you may not be able to decisively say yes to anything. It’s a slippery slope. Now add to this that there are many prosecutors out there looking to make a mark on the world by making a case even with weak or no real concrete evidence to prove it. All of this could find you in jail with no real way to prove your innocence because the system still does not “get” the whole “Digital Forensics” thing.

All I know is I am going to take that CHFI test and hope that the system changes…

Written by Krypt3ia

2009/11/11 at 00:29