Posts tagged forensics
The FBI confronted a pervert named Kamil Mezalka in his home for downloading and distributing child pornography via bittorrent. He thought he would try to destroy the evidence by pulling out a ninja sword and stabbing his tower PC with it. Uh, yeah, those hard drives can be hard to hit. He missed and the forensics team was able to recover plenty of evidence of his sick crimes.
From the DailyMail here:
A 21-year-old man tried to destroy his child pornography stash by stabbing his computer with a Samurai sword after FBI agents burst into his home.
The home of Kamil Mezalka, 21, was stormed by officers on Tuesday to seize his machine after an undercover agent downloaded horrific images and videos from the man’s computer via a file sharing service. Mezalka was said to have come out of a second-floor bedroom and then quickly shut to door at the house in Palm Coast, Florida when he saw the men brandishing a warrant.
When the FBI demanded he come out and he refused to do so, agents burst into the bedroom where he was ‘standing in his underwear, holding a two-handed samurai sword which he had stabbed into the side of a desktop computer’, according to agent Jonathan MacDonald.
When the 21-year-old began to swing the sword towards the screen, he was pinned to the floor by agents.
During an interview with FBI agents, Mezalka admitted ‘having a file sharing program on his computer which he used to download pornography to include child pornography’, according to The Smoking Gun.
An FBI computer expert found hundreds of pornographic images of children on Mezalka’s desktop computer.
He was charged with possessing child porn and is due to appear before U.S. District Court in Jacksonville tomorrow.
What an idiot. I hope he enjoys a nice long stay in PMITA prison.
I’ve been working for a while on a new gig, and I still get to use NetWitness on client networks, so that’s awesome- but I generated a new philosophical discussion over my refusal to encrypt email updates to the client.
My team mates on the project suggested to me that, “Best practices dictate that any communications to the customer takes place over secured channels.”
“Why?” I countered. “My communications to my home server is encrypted. My home server sends out email via TLS. If the customer somehow downloads the email unencrypted, then I’ll just list that as a finding for the final report.”
“But what if the adversary is somehow reading the email?” they asked. For years, incident response teams in unfamiliar territory on a network have to make a presumption that the adversaries on the network might be listening and intercepting communications.
I replied, “I don’t think the adversary is interested in what we have to say, and besides, I don’t care if he knows we are on the network and are shutting him out.”
The team mates seemed shocked. “Look,” I continued, “I’m tired of keeping the red carpet out for these A-holes. They aren’t welcome on this network. You think they might be peeking at application data? I have the biggest packet sniffer ever on this network. I have the advantage from now on. He might see one thing we do, but we see everything he does. Let him know we are here; have the bigger guns. I hope he’s scared and will delete everything and never come back. The game has changed. We are in charge now.”
And I saw some shrugs and nods and could tell they were considering my words. Back in the day when an incident responder had to crawl from system to system with a limited set of disk-based forensics tools, that forensics examiner was always playing defense, attempting to reconstruct network movement based on snippets of data files or incomplete logs. Now with a network-wide sniffer like NetWitness, a forensics investigator can quickly locate adversaries and work to alter control systems to block the intruders. Its only defense for the first moments, and then the power shifts away from the adversary and back to where it belongs- the owner of the network.
One person mentioned it was like creating an “area denial weapon” for a network and then he showed me the Metal Storm video. Thats the kind of power you feel you have when you are matching NetWitness against intruders on a network.
No more welcome mats.
There are loads of malware authors out there on the Internets. Some of them work for national groups, and others are just in it for the cash. So where does a virus author go when he needs to validate, in a secure fashion, that his own malware is undetectable by all the big AV companies?
Hiding Malware Right Behind Their Backs.
Maybe something like Scan4You. This is a hacker’s service that will store your binary malware, keep it out of the hands of the big AV companies, and will run corporate Antivirus scans against it every day. If an AV signature triggers, the hacker gets notified that his binaries can be detected.
Scan4u.biz is essentially a “criminal virustotal plus”. That is, it is a service where a miscreant can submit a newly created malware binary to gauge the detection rate of various antivirus vendors. While similar to virustotal in this regard, the key is that scanned binaries aren’t submitted to the antivirus vendors in question, as is done with virustotal. And it’s even affordable and easy to pay for…$25 a month or 15 cents per scan, and a discount for referrals. As well as flexible payment options and multiple contact points.
This means that your AV will only catch the old and busted viruses. It is simply blind to the real modern threats and malware that could impact your network. IDS, AV and firewalls won’t stop it.