Forensic analysis of Microsoft Hotmail

I was talking with a friend the other day about how malware uses email to hack into computers. What’s malware? Read my previous article: Adware and Spyware – are they really consensual? Anyway, my friend responds back that he uses Hotmail to protect his identity and to avoid malware. Instead of getting into Internet Explorer or Microsoft bashing, I instead chose to focus on his comment of protecting his identity. Used properly, a web email address is great as a spam trap for all the products and web sites that require an email address to register. Create a fictitious web email address and use that as the spam catcher saving your “real” email address for friends and family. Unfortunately, my friend believed that a web email address couldn’t be traced back if used at work or other public computer such as a coffee shop kiosk. I plan to show both my friend and you just how exposed your private emails are.

A forensic analysis of a computer shows everything that exists on the hard drive – files, folders, deleted text and images, etc. The truth is that nothing is ever really deleted only eventually overwritten. The dirty joke you deleted last month can come back to embarrass you tomorrow. Let’s do a hypothetical forensic analysis of a computer where someone accessed a hotmail email account using Internet Explorer.

Internet Explorer tracks the web activity of each user in a file named index.dat. If you look at the text in the bottom right panel you will see hotmail.msn.com. Now that we know this user uses Hotmail, it's time to see if there are any old messages to discover.

Every Hotmail email opened on a system creates a file named getmsg[#].htm, where the '#' is an incremented number. So a quick scan for getmsg*.htm finds the first email message. If only we could clean up this ugly HTML and see the email the same way the user did ...

That’s much better. Hmm I wonder what other messages were in his inbox ...

Similar to the getmsg*.htm files, all Hotmail inbox web pages are named hotmail[#].htm. A simple search for hotmail*.htm finds another ugly HTML page. Let's clean it up a bit.
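Here is how that scan and clean-up can be scripted. This is an added example, not part of the original article: it walks a cache directory for the getmsg[#].htm and hotmail[#].htm names described above and strips each page back to the text the user saw. The sample page, the address and the names in it are constructed.

```python
import os
import re
from html.parser import HTMLParser
# Cache file names the article describes: getmsg[#].htm for an opened
# message, hotmail[#].htm for an inbox listing (the [#] suffix is optional).
HOTMAIL_CACHE_NAME = re.compile(r"^(getmsg|hotmail)(\[\d+\])?\.htm$", re.IGNORECASE)
# Constructed sample of a cached message page; not taken from a real cache.
SAMPLE_GETMSG = (
    "<html><head><title>Hotmail</title><style>td{color:red}</style></head>"
    "<body><script>var x=1;</script>"
    "<table><tr><td>From:</td><td>alice@example.com</td></tr>"
    "<tr><td>Subject:</td><td>Lunch?</td></tr></table>"
    "<p>See you at   noon.</p></body></html>"
)

class VisibleText(HTMLParser):
    # Collect the text the user saw in the browser, dropping script/style.
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "tr"):
            self.parts.append("\n")
        elif tag == "td":
            self.parts.append(" ")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def clean_html(markup):
    """Turn a cached Hotmail page back into the readable text the user saw."""
    parser = VisibleText()
    parser.feed(markup)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.parts).splitlines())
    return "\n".join(l for l in lines if l)

def find_cached_hotmail_pages(cache_dir):
    """Walk a cache directory; return [(path, readable_text)] for each hit."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if HOTMAIL_CACHE_NAME.match(name):
                path = os.path.join(root, name)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    hits.append((path, clean_html(fh.read())))
    return sorted(hits)
```

Point find_cached_hotmail_pages at the Temporary Internet Files folder of the profile under examination; clean_html(SAMPLE_GETMSG) shows the output format on the constructed page.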

Now we have his entire inbox in all its glory, along with all the people who emailed him. I wonder what a search for those names would turn up. Well, maybe some other time. This is just a sample of how exposed web email is to discovery on any system you use to access your email. But wait, there's more! The emails fly across the Internet for all to see. Now I cheated and sniffed the email as it went across the Internet using a tool called Ethereal, which is available for anyone to download and use.

Ethereal is a good example of a protocol analyzer and one of my favorites. It is open source and free to use, with a good community support network that maintains a valuable User's Guide online.

Getting back to our hypothetical analysis, let's look at what we captured.

This is what anyone on the Internet *could* see: your coworker in the next office, the weird dude next to you in the coffee shop, anyone. Yes, you probably have to be a geek to understand what this stuff means; however, Ethereal has a feature near and dear to my heart. It's called "follow TCP stream", and it reassembles the network packets into something a human can read.

Ok maybe not that screenshot but how about we scroll down some ...

Hey look there is that all so secure and untraceable webmail message! Hmm, I guess my friends and family won’t ever let me borrow their computers again – darn. Now imagine you're in some coffee shop or airport with your wireless Internet connection chatting away and reading your email. Now look over and see the fella just staring at his screen – he looks up and makes eye contact and smiles. Now imagine the above screen shots are on his computer and that’s your email making him smile.
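As an added illustration (not from the original article, and not Ethereal's own code), here is the core of what "follow TCP stream" does: it orders the captured segments of one direction by sequence number, drops retransmissions, trims overlaps and marks any hole where a packet was missed. The capture below is constructed, with the server's initial sequence number assumed to be 1000.

```python
from collections import namedtuple

# One captured TCP segment: sequence number plus the bytes it carried.
Segment = namedtuple("Segment", "seq payload")

def follow_tcp_stream(segments, isn):
    """Reassemble one direction of a TCP conversation from its segments.

    segments may arrive out of order, be retransmitted, or overlap, as in a
    real capture.  isn is the initial sequence number from the SYN, so the
    first data byte sits at isn + 1.  Returns (bytes, gaps); a gap is a
    (start, end) range that was never captured and is filled with '?'.
    """
    stream, gaps, next_seq = bytearray(), [], isn + 1
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= next_seq:              # retransmission of data already seen
            continue
        if seg.seq > next_seq:           # a segment was lost: mark the hole
            gaps.append((next_seq, seg.seq))
            stream.extend(b"?" * (seg.seq - next_seq))
            next_seq = seg.seq
        stream.extend(seg.payload[next_seq - seg.seq:])   # skip any overlap
        next_seq = end
    return bytes(stream), gaps

def http_body(stream):
    """Split a reassembled HTTP response into (headers, body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    return head, (body if sep else b"")

# Constructed capture of the server's reply carrying a webmail message,
# deliberately out of order and with one retransmitted segment.
SERVER_ISN = 1000
CAPTURE = [
    Segment(1084, b"Subject: Lunch?<br>Meet at noon.</body></html>"),
    Segment(1001, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    Segment(1045, b"<html><body>From: alice@example.com<br>"),
    Segment(1045, b"<html><body>From: alice@example.com<br>"),  # retransmit
]

def reassemble_capture(capture=CAPTURE):
    stream, gaps = follow_tcp_stream(capture, SERVER_ISN)
    return http_body(stream)[1], gaps
```

Because the page travelled as plain HTTP, the reassembled body is the email text itself; the gap list shows what an analyst would see when the sniffer missed a packet.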

Now I hear you, “I empty my Internet cache! That protects me right?” Wrong.

Clearing history …. Deleting files ...

All those files ...

And I can still find them. See the nice red symbol in front of the file name? That means it's "deleted". Remember: nothing is deleted on a computer, only overwritten. If you're using Microsoft Windows XP then you have some help from a tool called cipher.exe.

What cipher.exe can do, beyond encrypting your files (see my article Microsoft Encrypted File System – Digital forensic analysis), is wipe or overwrite all the deleted files on the computer.

After a long while, the content of all those deleted emails will be purged and non-recoverable.

So is webmail more secure or untraceable than normal email? It depends on what you use it for. If you're using a fake account to trap spam, the answer is yes. Are you using webmail because it's available from anywhere? Well, let's just hope that I've scared you off a little. Well, till next time - see you at the coffee shop!

Forensic analysis of Microsoft Word documents

Microsoft Word documents are stored in a proprietary binary file format that records additional information, known as metadata, beyond the text of the document itself. Some of the information contained in the documents you create and distribute may be embarrassing or private in nature, and it has shown up in several news stories, much to the sources' embarrassment. A forensic analysis of these documents can recover this metadata. There are several easy-to-use tools to discover and clean metadata from Microsoft Word documents.

As several news stories highlight, sharing Word documents with others may reveal more than you bargained for, such as:

  • Your name
  • Your Initials
  • Your company name
  • Your computer name
  • The name of the server where you saved the file
  • File properties and summary information.
  • Names of previous authors
  • Document revisions
  • Template information
  • Hidden or deleted text
  • Editing comments

Knowing that the information may be in a document is fine; however, seeing is believing. Let's create a test Microsoft Word document.

Using EnCase, a commercial forensic analysis program available from Guidance Software, it is possible to see just how messy Word documents are. Notice below that editing the document created three documents. One, ~$tadata document.doc, is the deleted backup file that gets created while a file is being edited. It stores the previous version, which, as highlighted below, was empty.

Now let’s edit the document and add some text to discover.

Forensic analysis of the end of the file clearly shows that I was the user that edited the document, that the template I used was Normal.dot, and that I was using Microsoft Word 10.
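To show what that end-of-file analysis is actually reading, here is an added example (not from the article, from EnCase or from Word): it carves 8-bit and UTF-16LE strings out of a binary blob, which is how the Word binary format keeps these metadata strings, and flags the ones that look like a template name, the writing application or a save path. The .doc tail, the user name and the server path below are constructed.

```python
import re

# Runs of printable text in a binary blob, both 8-bit and UTF-16LE; the Word
# binary format stores its metadata strings in one of these two encodings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed tail of a .doc file (not a real document): the editing user,
# template, application and save path, padded with binary filler.
SAMPLE_DOC_TAIL = (
    b"\x00\x05\x00\x00"
    + "jdoe".encode("utf-16le") + b"\x00\x00\x00\x00"
    + "Normal.dot".encode("utf-16le") + b"\x00\x00"
    + b"\x1e\x00\x00\x00\x14\x00\x00\x00Microsoft Word 10.0\x00\x00\x00\x00"
    + "\\\\fileserver\\shares\\drafts\\metadata document.doc".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
)

def carve_strings(blob):
    """Return (offset, encoding, text) for each printable run, in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found)

def flag_metadata(strings):
    """Pick out the strings an analyst would read as Word metadata:
    the template, the application that wrote the file, and save paths."""
    flags = {}
    for _offset, _encoding, text in strings:
        if text.lower().endswith(".dot"):
            flags.setdefault("template", text)
        elif text.startswith("Microsoft Word"):
            flags.setdefault("application", text)
        elif text.startswith("\\\\") or re.match(r"^[A-Za-z]:\\", text):
            flags.setdefault("save_path", text)
    return flags
```

Run carve_strings over the last few kilobytes of a real .doc to see the same kind of trail; the user name is carved too but is left for the analyst to recognise, since no pattern distinguishes it from other text.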

While using a commercial forensic product like EnCase can show the raw metadata, it is much easier to use one of several commercially available products that can show and even remove metadata from Word documents. One such product is Metadata Assistant from Payne Consulting Group.

Using this program anyone can easily discover and clean the metadata from Word and other Microsoft Office documents. Simply start the program, select the document to analyze, and click analyze.

The program will display all the hidden metadata in the document.

If this is a document you are sending to others, it is a simple click on Clean to save a metadata-free version of the document.

Security through obscurity

Protecting your identity online using anonymity

It seems like every week the newspapers are filled with horror stories of people’s identities being stolen, of millions of credit card numbers being stolen, of lives being ruined. People have been buying and selling goods and services literally since the dawn of humankind; so what has changed to cause this sudden massive increase in fraud? How are the purchasing habits of people today creating such opportunities for identity theft? What can we learn from the past to protect ourselves?

Identity Theft

Identity theft is when another person can take unauthorized actions that you become liable for. In modern societies, your identity consists of the documentation that uniquely identifies you. The scope of identity theft can vary from the ability to make unauthorized charges on your credit card, the ability to apply for unemployment, the ability to apply for new credit cards or loans, to the ability to apply for death benefits. The key issue is that making purchases today requires identifying yourself as part of the transaction. The act of identification allows for your information to be stolen and used for unauthorized purchases.

Money

So what is money anyway? It appears that money spontaneously arises in barter economies as society converges on a few key goods that meet the three requirements of money. Any object or token that can act as a store of value, a medium of exchange, and a unit of account may be used by a society as money. In addition to the three requirements, it is desirable that the object or token being used as money be difficult to counterfeit, be easily divisible, be easily transportable, be fungible, and be scarce.

So money is any object or token that people are willing to use to transact an exchange of goods and services. It is the people's trust in the object or token, and not some government's mandate, that determines its value. It all comes down to trust. Money comes in two forms, each resting on a different kind of trust. Fiat money, which is created by government entities for use under threat of force, typically has minimal inherent value. The value of the object or token in relation to the goods and services being transferred is determined by the faith people have in the government to act in a rational and ethical manner. Since money must be scarce to have value, the ability of a government to print more money than the nation's buying power or Gross Domestic Product (GDP) can support can, and often does, lead to inflation. Since inflation leads to the devaluation of the object or token representing money, fiat money typically fails the requirement that it be a store of value, which can be seen in the poor savings rate of the average American. Why own cash (savings) if its value diminishes over time?

If fiat money depends on a rational government for its ability to act as a store of value, then the only other alternative is commodity money. Commodity money is where the object or token of exchange has its own inherent value. Its value varies in relation to its perceived value versus the perceived value of the object being exchanged. Traditionally, gold and silver have met the three requirements of an object to be used as money and have long been seen as a hedge against the vagaries of governments.

Anonymity

Anonymity means being unknown: keeping your identity hidden or protected. A strict definition of anonymity means that the parties to each transaction remain unknown to the point that it is impossible to know whether two parties have had multiple transactions. An anonymous individual who walks into a store and buys a pack of gum is only anonymous if there is no way to know whether the individual has ever been in that store before. While that is preferable for some transactions, for the protection of the individuals involved, most transactions favor pseudonymity, the use of a pseudonym. The use of a pseudonym allows an individual or an entire group to hide their real identity behind a single pseudonym. Pseudonymity allows for the creation of social networks that protect the true identity of individuals while still allowing the pseudonym to gain trust through its interactions with others.

The purchase

Now that the basic principles behind identity theft and money have been explored, how does this relate to secure purchasing on the Internet? The traditional business transaction since the dawn of humankind has been two individuals coming together in a buy-sell arrangement and completing the transaction using a mutually trusted medium of exchange, i.e. a person purchases a pack of gum from another person using money. The value of the gum in relation to the money is based on the trust the parties have in the money, not in each other. The purchase price is the relation of the worth of the gum to the perceived worth of the money. At no time does the identity of either party matter, because the transaction is based on the perceived worth of the items being exchanged.

The flaw in Internet purchases that leads to identity theft is the fact that money isn’t used. Let’s repeat that. Money isn’t used to purchase products today – credit cards or debit cards are. Credit cards are a promise to pay later using money. Since the seller is only left with a promise of payment, who the buyer is matters. Can they pay? Who are they? Can they be found? Do they have a history of non-payment?

Solutions

Now that the root cause of identity theft has been highlighted, what are the solutions? Either a solution that allows for the creation of a pseudonym to limit identity exposure or a true electronic cash system allowing for anonymous transactions should be used.

A pseudonymous system would be one where the underlying transaction still requires the promise of payment, but the trust issue is shifted from the buyer to a trusted third party. An example would be either a prepaid anonymous debit card or a single-use credit card number. Either allows for some degree of protection.

A prepaid anonymous debit card becomes a bearer instrument where both parties' trust is shifted and limited. The buyer limits exposure to theft and fraud by determining how much money to entrust to the prepaid card, and the seller's trust in the buyer is shifted to trust in the institution providing the card.

A single-use credit card number leverages an existing promise arrangement with a third-party institution for a single transaction. The buyer requests a single-use card number tied to an existing credit account for the purchase price of the goods from the seller. The card number is only good for a single transaction up to the requested amount. The buyer then provides the seller with all the information required plus the single-use number. This allows the buyer to limit exposure to a predetermined amount. If the card number is stolen in transit, the loss is limited to a single one-time loss of the requested amount.

While both of these systems – which are in use today – allow for limited protection from identity theft by minimizing loss from existing credit lines, they don't protect from the other forms of identity theft. Once enough personal information is disclosed, it is possible for third parties to acquire new lines of credit in your name. The only solution is to limit credit card transactions to trusted businesses.

A true electronic money system is one that meets the three requirements of money. Either the electronic object or token being used as money has a perceived inherent value, as with commodity money, or it acts as fiat money where the object or token is backed by a trusted entity. E-gold is an example of a commodity money system where the electronic tokens are backed by a commodity good: gold. The Octopus card is an example of a fiat money system. Both systems work and allow anonymous transactions due to the fact that the transaction is based on the exchange of items of perceived equal worth.

"It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning."
- Henry Ford