Forensic Civciv

Mala Gallina Malum Ovum

Forensic Plagiarism Analysis

WCopyfind 2.2 small 

WCopyfind_2.7

http://www.plagiarism.phys.virginia.edu/home.html

http://etest.vbi.vt.edu/etblast3/

15 July 2010 at 12:04 - Comments

Stealing $10 Million, 20 cents at a time

On June 28, 2010, the Federal Trade Commission unveiled a lawsuit against unknown credit card fraudsters, seizing the assets of 16 companies run by at least fourteen “money mules”. The companies named were: API Trade, LLC; ARA Auto Parts Trading LLC; Bend Transfer Services, LLC; B-Texas European, LLC; CBTC, LLC; CMG Global, LLC; Confident Incorporation; HDPL Trade LLC; Hometown Homebuyers, LLC; IAS Group LLC; IHC Trade LLC; MZ Services, LLC; New World Enterprizes, LLC; Parts Imports LLC; SMI Imports, LLC; SVT Services, LLC. Each of these companies was run by a money mule recruited for the job via a spam email message. Each of them was instructed to establish their LLC to receive payments from small transactions, which they would then aggregate and wire to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. Before the lawsuit hit, a Preliminary Injunction had already been issued back in March to freeze the assets of the companies in question.

This is the sort of case that raises strongly a point that I continually preach at UAB: Modern cybercrime law enforcement is not possible without strong computer science and data mining skills. At UAB, I work as the “Director of Research in Computer Forensics”. My normal pitch about the program is that Computer Scientists solve problems by applying technology and algorithms. Criminal Justice professionals are facing more and more crimes that can only be solved by the application of Computer Science. In our program, we introduce the two to each other. Some of our graduates will be tool users — law enforcement and corporate investigators who now know the range of technology solutions that might be possible to make them better cybercrime investigators. Other graduates will be tool makers — computer scientists who now understand the range of problems being faced by modern law enforcement and who are now equipped to design solutions to those problems.

In this case, the criminals, who have been active since at least 2006, are documented to have placed at least 1.3 million credit and debit card charges without the authorization of the card holder. Can you imagine working a case with 1.3 million fraudulent charges without the benefit of data mining technology? The defendants “somehow obtain the consumers’ account numbers and proceed to sneak the charges onto the accounts. Defendants purposely make their unauthorized charges less than $10 in the hopes that consumers will not notice them or will choose not to contest the charges.” (Quoted from the FTC Memorandum of Support.)

Unknown defendants, referred to as “the Doe Defendants”, manage the creators of the sixteen fake LLCs, referred to as the “Money Cashing Defendants” from somewhere in Eastern Europe. The Doe Defendants create hundreds of fake companies and corresponding websites which are named in ways that come close to the names of real organizations, making them difficult to search. Often the listed addresses and phone numbers are also similar to a real organization.

The consumers are charged as little as 20 cents in a single fraudulent transaction, and as much as $10. 90% of the charges were never disputed. Those that were received instructions to call non-existent telephone numbers, or answering services from which calls were never returned. More than 1000 consumers have filed complaints with the FTC about these illegal practices.

How much effort would YOU go to in order to right the wrong of an illegal $3 charge on your credit card?

The Memorandum of Support filed by the FTC describes three roles of various criminal groups in this action:

A. The Money Mules

This group is described as “an expansive network of money mules in the United States to cash out the unauthorized charges.” The Doe Defendants sent out emails to recruit their money mules “announcing that an international financial services company is seeking a US finance manager to process transactions and cash checks, money orders, and international wire transfers.” The claim is that there is a tax benefit to the company to have many tiny charges aggregated in the United States. In order to realize this tax savings, the Does will send the payments from their US customers to the Money Mules, who receive the payments and send them on to the “international financial services company.”

B. The Money Cashing Defendants

The “international financial services company” required that the money mules form corporate entities and establish bank accounts in the names of these corporate entities. Between the sixteen corporations established, more than three hundred merchant bank accounts were opened. While this sounds like the same group of people as Group A, Group A is the people themselves, while defendant Group B is actually the group of corporations formed by the people in Group A.

These companies then established merchant accounts at numerous “credit card clearing companies” in order to have charges processed by a clearing company and have the cash placed into their bank accounts. The companies used “virtual offices” through a company that sells “non-PO box” addresses to give the company a sense of legitimacy. Rather than establish their own Employer Identification Numbers (tax numbers required to be on file for merchant banking accounts), the companies “borrowed” the EINs of existing organizations with similar sounding names.

In order to pass the “due diligence” checks used when establishing merchant accounts, fake websites were created for each of the companies, claiming they sold various types of office supplies, and providing business and “home” telephone numbers for each of the organizations. All of the numbers forwarded to a cell phone number in Belarus. The “Owners” of these companies were real people, who included their name, social security number, and date of birth on the merchant account applications. The Defendant Does ran credit checks on each of the “borrowed” identities to make sure their credit scores were good before using their identities.

source: http://garwarner.blogspot.com

15 July 2010 at 11:16 - Comments

Flasher Boxes: Back to Basics in Mobile Phone Forensics

The following are some basic guidelines that need to be considered to preserve the integrity of data when using a flasher box to extract it.

* Normal chain of custody documentation, as required by geographical jurisdiction.

* If the device is switched on, consider isolating it from a live network during its transportation and subsequent analysis.

  * Useful hints for temporary faraday solutions in an emergency:

    * Transportation – Using aluminum foil is an easy and quick way to isolate the device from communicating with a network. However, some foil is thin, so it is recommended that the device be wrapped a minimum of five times to ensure it does not leak. Alternatively, switch on the “flight mode” of the device to prevent it from communicating with the network, if this option is supported on the suspect device.

    * Analysis – Most cities have underground parking lots. Identify a parking lot located below ground where no signal can be received. If the mobile forensic solution of choice has its own power supply, or a portable power supply is available, such as a cigarette lighter in most vehicles, the extraction can then be conducted with some degree of confidence. Some extractions can take some time, in which case underground lots are not a suitable option. Using the Ramsey Faraday portable solution may be an alternative, cost effective solution. Some devices boot to a “local mode,” and therefore do not communicate with a network, and their memory can be extracted without the use of a faraday environment.

  * Any solution chosen must be tested prior to using it on a live suspect device. The signal strength between service providers may vary, and there are many different makes and models of handsets available. Therefore, just because an LG XXX model on a Verizon network may not receive a signal five levels below the ground, do not take it for granted that a new iPhone 4G device on an AT&T network will not have the ability to communicate. Where possible, test like for like, apples with apples, etc.

* Conduct a photographic survey of the device prior to commencing any extraction or analysis. Ensure that a record of any on screen activity is included, e.g. date and time stamps. This process is no different than handling a computer, as a picture tells a thousand words. Always use a trusted control date and time for the comparison of dates and times recorded on a suspect device. A recognized and acceptable method for such comparisons is the use of a GPS atomic clock.

* Where possible, ALWAYS use an appropriate mobile forensic extraction/copy tool to collect all available data prior to attempting to recover physical memory using a flasher box.

* If the flasher box creates an audit/processing log, this must be preserved and saved with the extracted hex dumped file. Consider recording the entire extraction via video if the selected flasher box does not record an audit log. This may not be practical as some extractions can be time consuming.

* DO NOT OPEN OR REVIEW THE EXTRACTED FILE ONCE IT HAS COMPLETED THE RECOVERY PROCESS.

* Create a forensic copy of the extracted data using FTK Imager or a similar tool that not only creates a secure forensic, read only copy of the extracted data but also generates a verification hash value of the extracted data. This phase should be done as soon as possible after the extraction to ensure the integrity and continuity of the evidence extracted.

* Conduct the analysis using the various forensic or HEX analysis tools of choice.
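The integrity steps above (keep the audit log with the dump, hash the extraction before anyone opens it, verify the hash before analysis) as an added example; this is not the article's or DFI News' code, and the examiner name, file names and the dump contents are constructed. It assumes the trusted time is supplied by the examiner from a control clock such as the GPS atomic clock the article recommends, not read from the handset.

```python
"""Seal a flasher-box extraction (hex dump + audit log) and verify it before analysis."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream the file so a multi-GB memory dump never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def seal_extraction(paths, manifest_path, examiner, trusted_time):
    """Record a hash and size for every artefact and mark each one read-only."""
    manifest = {"examiner": examiner, "trusted_time": trusted_time, "files": {}}
    for p in paths:
        manifest["files"][os.path.basename(p)] = {"sha256": sha256_of(p), "size": os.path.getsize(p)}
        os.chmod(p, 0o444)  # best-effort read-only; a write blocker is still the real control
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_extraction(manifest_path, directory):
    """Recompute every hash; a False entry means that artefact must not be analysed."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return {name: os.path.exists(os.path.join(directory, name))
            and sha256_of(os.path.join(directory, name)) == rec["sha256"]
            for name, rec in manifest["files"].items()}


def demo():
    """Constructed sample: a 4 KiB fake dump and a two-line audit log; then a tamper."""
    d = tempfile.mkdtemp()
    dump, log = os.path.join(d, "phone.bin"), os.path.join(d, "flasher.log")
    with open(dump, "wb") as f:
        f.write(bytes(range(256)) * 16)
    with open(log, "w") as f:
        f.write("boot: local mode\nread flash 0x0-0x1000 ok\n")
    manifest = os.path.join(d, "manifest.json")
    # datetime.now() is a stand-in here; use the control clock reading in practice
    seal_extraction([dump, log], manifest, "examiner-1", datetime.now(timezone.utc).isoformat())
    before = verify_extraction(manifest, d)
    os.chmod(dump, 0o644)  # simulate someone opening and editing the dump
    with open(dump, "r+b") as f:
        f.seek(10)
        f.write(b"\x00")
    return before, verify_extraction(manifest, d)
```

Store the manifest alongside the dump and the flasher's own log so the chain of custody records both the hash and the clock it was taken against.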

Conclusion

Do not put your head in the sand and have the death of a child or hundreds of people on your conscience because you ignored a possible alternative to interrogate a mobile phone when all else failed. Remember one thing “every contact leaves a trace”. It’s just a matter of where to look, how to retrieve it with integrity and controlled procedures, and what to use in retrieving it that makes the difference.

source: DFI News

15 July 2010 at 11:14 - Comments

A Neuroscientist Uncovers A Dark Secret

The criminal brain has always held a fascination for James Fallon. For nearly 20 years, the neuroscientist at the University of California-Irvine has studied the brains of psychopaths. He studies the biological basis for behavior, and one of his specialties is to try to figure out how a killer’s brain differs from yours and mine.

About four years ago, Fallon made a startling discovery. It happened during a conversation with his then 88-year-old mother, Jenny, at a family barbecue.

“I said, ‘Jim, why don’t you find out about your father’s relatives?’ ” Jenny Fallon recalls. “I think there were some cuckoos back there.”

Fallon investigated.

“There’s a whole lineage of very violent people — killers,” he says.

(continued..)

29 June 2010 at 11:36 - Comments

Forensics with Mac

The writeblocker, iBlock, would only image at 1 mb/s and would have a non-replaceable internal battery with a 12-month lifespan. When everyone who was going to buy one had done so, they’d release an iBlock ‘s’ – this writes at a speed approaching the commercial standard but still has the battery problem. Apple dismiss this as a ‘false negativity point by uncreative people’ and sue anyone publicly criticising it.

The software imaging tool, iMage, would only create .aef (Apple Evidence File) images. This is a proprietary format that only Apple products can read or create. It wouldn’t be able to compress data, and would only store one item of metadata. Although marketed in a cutesy, hip, fluffy, anti-corporate way, any attempt to open the format would be met by an annihilating swarm of lawyers, screaming out of the cloudless California sky like a squadron of Stukas, complete with a court-ordered press blackout. aef files can only be read if stored on an Apple-branded hard drive. Plugging this drive into a workstation other than your own would delete all of the files on it.

A clause in the .aef DRM licence would stipulate that any data acquired in it becomes the property of Apple, which they would rent back to the investigating authority. The upside of this would be that Steve Jobs would be imprisoned indefinitely for being the biggest ever possessor of indecent images of children. Whilst in prison he would develop the iShiv, a piece of white shiny plastic sharpened to a vicious point, perfect for passing from palm to palm in the exercise yard; and a new smaller iPhone that he could hide between his scrawny buttocks during a cell search. This would come with an app for working out the price of any given commodity in a cigarette-based currency.

The forensic analysis suite, iNalyse, would only work with .aef files. Although it would have a cute interface, the software would actually do very little. All of the messy behind-the-scenes hex and filesystem info would be hidden and any files that were shown to the analyst would be converted into an equivalent Apple format first – for example any photo collections the suspect had would be converted into iPhoto databases, and all videos would become Quicktime files. This would, of course, render them evidentially worthless but it’d make the end user experience far more in line with the Apple way of doing things.

The whole collection would be launched by Steve Jobs in front of an audience vetted by Apple’s Department of User Sycophancy. Although Jobs would fail to make any useful remarks, his every word would be lapped up and cooed over by his followers. The BBC would report breathlessly on the whole event with no attempt at balance, and their whole Technology reporting team would then ritually sacrifice their credibility on a shiny white plastic altar, in exchange for continued access to Apple press events. Following this, every story involving computer forensics would only mention the Apple tools, as if they had invented the field.

source: http://happyasamonkey.wordpress.com

29 June 2010 at 11:17 - Comments