Thursday, 11 December 2014

Android Malware Analysis Part 1: Static Android Malware Analysis

Introduction
Malware is software used to disrupt computer operation, gather sensitive information, or gain access to private systems. Any program that interferes with the normal working of a device can be called malware.
Nowadays, mobile phones have become a major target of malware attacks. Among mobile platforms, Android smartphones are targeted the most, mainly because the Android application market is an open platform for all applications. Another major factor is that over 50 mobile phone companies manufacture smartphones running the Android operating system.

Mobile malware detected in 2013 by platform and category
This massive user base of android has caught the attention of cybercriminals, who have begun to double down on their efforts to illegally obtain personal information from Android owners. Mobile malware can allow cybercriminals to intercept messages, monitor calls, steal personal information, and even listen in with the device's microphone.
The fake BBM app is a good example: it managed to secure more than 100,000 downloads before being removed.

Android Fundamentals

The Android architecture layers are as follows:
· A Linux kernel that supports multiple processes and threads. Every application has its own Linux user ID and runs in a separate process. Two applications with the same ID can exchange data between them.
· Some open source libraries.
· The Android run-time environment, in which a Dalvik Virtual Machine runs applications in the dex binary format.
· An application framework that exposes a Java interface. This layer consists of the Android NDK and SDK.
· Some pre-installed core applications.
Most Android applications are written in the Java programming language. The compiled Java code, along with any data and resource files required by the application, is bundled into an Android package.
Each Android application is composed of several components that can communicate with each other using Intent messages. Here is a list of those components with a short description of each one.
  • Activity: An activity represents a single screen with a user interface. One application might be composed of several activities.
  • Service: A service doesn't have a visual user interface, but rather runs in the background for an indefinite period of time.
  • Broadcast Receiver: A broadcast receiver listens to special messages being broadcast by the system or by individual applications. For example, when the phone receives an SMS, the system sends a broadcast message to inform that a message is available.
  • Content Provider: A content provider is a kind of database where an application makes data available to other applications. You can store the data in the file system, a SQLite database, on the web, or any other persistent storage location your app can access.
For malware analysis of Android I use Santoku, made by viaForensics, which has three purposes: Mobile Forensics, Mobile Malware Analysis and Mobile Security.
Santoku has the best-known tools for examining mobile malware and contains mobile device emulators, utilities to simulate network services for dynamic analysis, and decompilation and disassembly tools. There are two approaches to Android malware analysis: static and dynamic.
AndApp.apk is a malicious Android application used here for demonstration purposes.
Static analysis can yield a lot of useful information about an APK, such as the permissions requested, which APIs are called, etc. For static analysis we use a disassembler, which converts the code into a format that is easier to understand. We need to start with code analysis to understand the application's working properly, using the following approach.

When a user installs an APK on the device, the APK file is extracted, and when the application is launched it triggers an activity. These activities are declared in the AndroidManifest.xml file.
Apktool decodes an APK's resources and bytecode back into a readable form. Here Apktool is used to convert the binary AndroidManifest.xml into readable XML, which gives information about the application's components and the permissions it requests at install time.
Open a terminal window and navigate to the root directory of Apktool. We decompile the AndApp.apk file using the following command, as shown:

The AndroidManifest.xml file shows suspicious file permission granted to the application. 

The following are the permissions used by this application.
· INTERNET: Allows an application to create network sockets.
· READ_PHONE_STATE: Allows read-only access to phone state (e.g. the phone number).
· ACCESS_COARSE_LOCATION: Location based on Wi-Fi.
· ACCESS_FINE_LOCATION: Location based on GPS.
· SEND_SMS: Send SMS.
· READ_SMS: Read SMS.
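A decoded manifest is small enough to triage automatically. The script below is an added example written for this page (it is not part of the original post and not a Santoku tool): it parses a decoded AndroidManifest.xml in the shape apktool produces, lists the requested permissions and the broadcast receivers, and flags the combination that matters for a "display text" app, namely SMS access together with INTERNET. The manifest embedded in the script is constructed for the example from the permissions and receivers the post describes; the class names under com.org.andapp.listner and the risk descriptions are the example's own assumptions, not taken from the real AndApp.apk.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml in the shape apktool produces,
# modelled on the permissions and receivers the post describes (not the real AndApp.apk).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.org.andapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="AndApp">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".listner.SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".listner.GetGPSReceiver"/>
    </application>
</manifest>
"""

# Permissions worth a second look in a text-display app, with the risk each carries.
# This mapping is the example's own triage list, not something from the post.
RISKY_PERMISSIONS = {
    "android.permission.INTERNET": "network sockets: an exfiltration channel",
    "android.permission.READ_PHONE_STATE": "IMEI / phone number: device fingerprinting",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location tracking",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location tracking",
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud, SMS C2)",
    "android.permission.READ_SMS": "can read the inbox (OTP / 2FA theft)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _full_name(package, name):
    """Resolve the shorthand '.Class' form used in manifests to a full class name."""
    return package + name if name.startswith(".") else name


def analyze_manifest(xml_text):
    """Return package, permissions, receivers and triage findings of a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = [e.get(ANDROID_NS + "name") for e in root.findall("uses-permission")]
    receivers = []
    for rcv in root.iter("receiver"):
        actions = [a.get(ANDROID_NS + "name") for a in rcv.iter("action")]
        receivers.append((_full_name(package, rcv.get(ANDROID_NS + "name")), actions))

    findings = []
    for perm in permissions:
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
    sms_listeners = [name for name, actions in receivers if SMS_RECEIVED in actions]
    for name in sms_listeners:
        findings.append(f"receiver {name} is registered for {SMS_RECEIVED}")
    # The combination is what matters: reading SMS is normal for an SMS app, but
    # SMS access plus INTERNET in a text-display app points at exfiltration.
    reads_sms = "android.permission.READ_SMS" in permissions or bool(sms_listeners)
    if reads_sms and "android.permission.INTERNET" in permissions:
        findings.append("SMS access combined with INTERNET: possible SMS exfiltration")
    return {"package": package, "permissions": permissions,
            "receivers": receivers, "findings": findings}


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for line in report["findings"]:
        print(" -", line)
```

To run it against a real sample, replace SAMPLE_MANIFEST with the contents of the AndroidManifest.xml that apktool wrote into its output directory. Each permission is only a hint on its own; the receiver registered for SMS_RECEIVED combined with INTERNET is the finding that justifies the deeper look at the code in the following steps.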
Unzip the compressed contents of the AndApp.apk file for analysis. 

· META-INF folder: This folder contains the package signature information that allows the system to verify the integrity of the APK.
· res folder: This folder contains the XML files defining the layout, attributes, etc.
· AndroidManifest.xml: One of the most important XML files; it declares the permissions that the application needs or accesses, the package name, version, etc.
· classes.dex: This file contains all the compiled Java code as Dalvik bytecode. It is the complete bytecode that the Dalvik Virtual Machine will interpret.
· resources.arsc: This is the binary resource file produced during compilation.
For better clarity we need Java code, and for that we convert the classes.dex file to a .jar file. Dex2Jar is a tool that converts dex code into a .jar file of Java classes. To open Dex2Jar go to Santoku menu -> Reverse Engineering -> Dex2Jar.

Conversion of the classes.dex file to a .jar file can be done with the command given below:

Once the jar file is generated we need a tool named JD-GUI, which loads the jar and lists the packages and their corresponding Java files. JD-GUI is used to view the classes_dex2jar.jar file: it provides a GUI that loads all the packages embedded in the jar file and displays the decompiled code. To open JD-GUI go to Santoku menu -> Reverse Engineering -> JD-GUI.

Using this tool we can browse the reconstructed source code for instant access to methods and fields.


The MyActivity.class file sets an alarm for location based on Wi-Fi and GPS, sending SMS, reading SMS, etc., and the alarm triggers/broadcasts a signal after a particular time period. The original activity starts on the device and the user does not notice the suspicious activity running in the background.

The package com.org.andapp.listner contains all the broadcast listener classes, which listen for broadcast messages. When a broadcast message is triggered, the registered class receives the event and starts working in the background.
The alarm for GetGPSReciver is set from MainActivity.class (see localGregorianCalander.add(12,15)). When the alarm is triggered, the onReceive method is called and the network information, along with the Google account, is sent to the server.

SMSReciver.class registers itself with the SMS broadcast service when the app is installed on the device. When the device receives an SMS, all listener classes are called, and the onReceive method copies the SMS and sends it to the server.
SmsReceiver.class uploads the user data to the remote server using HTTP calls.

Looking at the source code of SmsReceiver.class, the class seemed suspicious: this is a simple display-text application, so an SmsReceiver is not required.
We can get more information about the malicious application by doing dynamic Android malware analysis, which I cover in the next part of the tutorial.
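Reading decompiled classes one by one in JD-GUI does not scale, and decompilers also hide meaning behind inlined constants, as in the add(12,15) call above, where 12 is java.util.Calendar.MINUTE. The script below is an added example written for this page (not part of the original post, not JD-GUI output and not the real AndApp code): it scans JD-GUI-style Java text for the API families the post describes, decodes Calendar.add() field constants, and reports the collection-plus-network combination that a text-display app has no need for. The source fragments embedded in it are constructed for the example in the style of decompiler output; the class names, SERVER_URL and the API category list are the example's own assumptions.

```python
import re

# Constructed sample: fragments in the style of JD-GUI output for the classes the post
# discusses. Written for this example; not the real AndApp source.
SAMPLE_SOURCES = {
    "com.org.andapp.MainActivity": """
        GregorianCalendar localGregorianCalendar = new GregorianCalendar();
        localGregorianCalendar.add(12, 15);
        AlarmManager localAlarmManager = (AlarmManager)getSystemService("alarm");
        localAlarmManager.set(0, localGregorianCalendar.getTimeInMillis(), localPendingIntent);
    """,
    "com.org.andapp.listner.SmsReceiver": """
        Object[] arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
        SmsMessage localSmsMessage = SmsMessage.createFromPdu((byte[])arrayOfObject[0]);
        String str = localSmsMessage.getMessageBody();
        HttpPost localHttpPost = new HttpPost(SERVER_URL);
        localHttpClient.execute(localHttpPost);
    """,
    "com.org.andapp.listner.GetGPSReceiver": """
        String str1 = ((TelephonyManager)paramContext.getSystemService("phone")).getDeviceId();
        Account[] arrayOfAccount = AccountManager.get(paramContext).getAccountsByType("com.google");
        Location localLocation = localLocationManager.getLastKnownLocation("gps");
    """,
}

# Android API patterns grouped by what they let the app do (the example's own list).
API_SIGNATURES = {
    "sms_read": [r"SmsMessage\.createFromPdu", r'"pdus"'],
    "sms_send": [r"SmsManager", r"sendTextMessage"],
    "device_id": [r"getDeviceId", r"getLine1Number", r"getSubscriberId"],
    "accounts": [r"AccountManager", r"getAccountsByType"],
    "location": [r"getLastKnownLocation", r"requestLocationUpdates"],
    "network": [r"HttpPost", r"HttpURLConnection", r"openConnection"],
    "scheduling": [r"AlarmManager", r"setRepeating"],
}

# java.util.Calendar field constants that decompilers show as bare integers.
CALENDAR_FIELDS = {5: "DAY_OF_MONTH", 10: "HOUR", 11: "HOUR_OF_DAY",
                   12: "MINUTE", 13: "SECOND", 14: "MILLISECOND"}
CALENDAR_ADD = re.compile(r"(\w+)\.add\(\s*(\d+)\s*,\s*(-?\d+)\s*\)")


def scan_class(source):
    """Return the API categories used in one class and any decoded Calendar.add() calls."""
    categories = sorted(cat for cat, pats in API_SIGNATURES.items()
                        if any(re.search(p, source) for p in pats))
    delays = []
    for var, field, amount in CALENDAR_ADD.findall(source):
        name = CALENDAR_FIELDS.get(int(field), f"field#{field}")
        delays.append(f"{var}.add({name}, {amount})")
    return {"categories": categories, "calendar_adds": delays}


def triage(sources):
    """Scan every class and flag the collection-plus-network combination across the app."""
    report = {cls: scan_class(src) for cls, src in sources.items()}
    all_cats = set()
    for entry in report.values():
        all_cats.update(entry["categories"])
    verdicts = []
    collects = all_cats & {"sms_read", "device_id", "accounts", "location"}
    if collects and "network" in all_cats:
        verdicts.append("collects " + ", ".join(sorted(collects))
                        + " and has a network channel: likely exfiltration")
    if "scheduling" in all_cats:
        verdicts.append("uses AlarmManager: collection is deferred until after the user moves on")
    return {"classes": report, "verdicts": verdicts}


if __name__ == "__main__":
    result = triage(SAMPLE_SOURCES)
    for cls, entry in result["classes"].items():
        print(cls, entry)
    for verdict in result["verdicts"]:
        print(" !", verdict)
```

For a real sample, point SAMPLE_SOURCES at the .java files exported from JD-GUI (File -> Save All Sources) and read each file into the dictionary. The per-class view mirrors the post's findings: the alarm in the activity, SMS reading plus HTTP in SmsReceiver, and device and account collection in the GPS receiver.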

Tuesday, 2 December 2014

Crash WhatsApp Remotely: WhatsApp Exploit

A vulnerability has been discovered in the wildly popular messaging app WhatsApp which allows anyone to crash WhatsApp remotely just by sending a specially crafted message. Using this exploit, an attacker can crash the victim's WhatsApp by sending a single small message to the victim.

Given below is the exploit. To use it, the post says, you just copy this message and send it to the victim.

(The crafted message itself, a long block of repeated special Unicode characters, is mis-encoded in this copy of the post and is not reproduced here.)

Monday, 1 December 2014

Free Computer Forensic tools for layman

Computer forensics is the process of analysing and evaluating digital data as evidence. It is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve information that is magnetically stored or encoded.
Uses of Computer Forensics
Computer forensics is used for:
· Law enforcement.
· Enforcing employee policies.
· Gathering evidence against an employee whom an organization wishes to terminate, while carefully following the legal requirements.
· Recovering data in the event of a hardware or software failure.
· Understanding how a system works.
Steps involved in computer forensics 
· Preparation: To identify the purpose as well as the resources required during the investigation.
· Acquisition: To identify the sources of digital evidence and preserve it.
· Analysis: To extract, collect and analyze the evidence.
· Reporting: Documenting and presenting the evidence.
Types of Computer Forensics with free tools
1. Data Mirroring
One of the most important steps in the process of digital forensics is data mirroring, more commonly known as disk imaging. Disk imaging takes a sector-by-sector copy, usually for forensic purposes, and as such it includes some mechanism to prove that the copy is exact and has not been altered. It is disk imaging that allows a forensic investigator to view the contents of a storage medium or computer without altering the original data in any way.
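The "mechanism to prove that the copy is exact" is in practice a cryptographic hash computed over the bytes as they are read, and recorded with the image so that anyone can later re-verify it. The code below is an added example written for this page (it is not part of the original post and not taken from any of the tools listed): it copies a source sector by sector while hashing it with SHA-256, then re-reads the image to verify it and shows that a single changed byte fails verification. The "device" it images is a constructed in-memory byte string, not a real disk; to image a real device you would open the block device read-only in place of the BytesIO source.

```python
import hashlib
import io

SECTOR = 512  # classic sector size; the source is read in whole sectors


def image_device(src, dst, sector_size=SECTOR):
    """Copy src to dst sector by sector, hashing the bytes as they are read.

    Returns (sectors_copied, sha256_hex). The hash is computed from exactly the
    bytes written, so it documents what the image contains at acquisition time.
    """
    digest = hashlib.sha256()
    sectors = 0
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        digest.update(chunk)
        dst.write(chunk)
        sectors += 1
    return sectors, digest.hexdigest()


def verify_image(image, expected_sha256, sector_size=SECTOR):
    """Re-read an image and compare its hash with the one recorded at acquisition."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(sector_size), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256


# Constructed "device": a boot-sector-like header followed by zero filler,
# cut to exactly 8 sectors. Not a real disk image.
FAKE_DEVICE = (b"\xeb\x3c\x90CONSTRUCTED-DEVICE" + b"\x00" * 5000)[: SECTOR * 8]


def demo():
    """Image the constructed device, verify the copy, then show a tampered copy failing."""
    src, img = io.BytesIO(FAKE_DEVICE), io.BytesIO()
    sectors, acquired_hash = image_device(src, img)
    img.seek(0)
    intact = verify_image(img, acquired_hash)
    # Simulate tampering: flip one byte inside the image and re-verify.
    tampered = bytearray(img.getvalue())
    tampered[100] ^= 0xFF
    tampered_ok = verify_image(io.BytesIO(bytes(tampered)), acquired_hash)
    return {"sectors": sectors, "sha256": acquired_hash,
            "intact": intact, "tampered_intact": tampered_ok}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recorded hash is what lets an examiner work on a copy (or, as with Live View below, on a virtual machine layered over it) and still demonstrate that the evidence itself was never modified.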
Tool: Live View
Live View is a forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.
The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
Tool: DumpIt
DumpIt is used to generate a physical memory dump of Windows machines. It works with both 32-bit and 64-bit machines, and is ideal for deploying on USB keys for quick incident response needs.
The raw memory dump is generated in the current directory; only a confirmation question is prompted before starting.
2. Registry Forensics
Registry Forensics involves extracting information and context from a largely untapped source of data and knowing the context which creates or modifies Registry data.
Tool: MuiCache View
Whenever a new application is installed, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a Registry key known as the 'MuiCache'.
MuiCache View lets you easily view and edit the list of all MuiCache items on your system. You can edit the name of an application or, alternatively, delete unwanted MuiCache items.
Tool: Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process activity.
Tool: Regshot
Regshot is a registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one, taken after making system changes or installing a new software product.
Results of comparisons between 2 shots are shown in the following manner.
Tool: USBDeview
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name, description, device type, serial number (for mass storage devices), the date and time the device was added, Vendor ID, Product ID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer with an admin user.
3. Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on physical storage media. It includes both the recovery of hidden and deleted data and file identification, the process of identifying who created a file or message.
Tool: ADS Locator
The ADS Locator can be used to find files that have alternate data streams (ADS) attached. ADS is an NTFS feature used to store additional data related to files, and the system itself already has many legitimate uses for it. So this tool only finds ADS entries of the user type, which is sometimes used by spyware, malware and viruses.
Tool: Disk Investigator
Disk Investigator helps you discover everything that is hidden on your computer's hard disk. It can also help you recover lost data. It displays the true drive contents by bypassing the operating system and directly reading the raw drive sectors, lets you view and search raw directories, files, clusters and system sectors, verifies the effectiveness of file and disk wiping programs, and undeletes previously deleted files.
Tool: Recuva
Recuva is a free file recovery program capable of recovering lost or deleted files from local and external drives. With its integrated wizard, users are guided through the whole recovery process with ease. It also supports removable media such as SmartMedia, Secure Digital cards, Memory Stick, digital cameras, flash cards and many more.
Tool: Encrypted Disk Detector
Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the volume label for partitions on that drive, checking for BitLocker volumes.
Encrypted Disk Detector is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
Tool: Passware Encryption Analyzer
It scans a computer for password-protected and encrypted files and reports the encryption complexity and decryption options for each file. With EA you get all the password recovery and decryption options available for the files and hard disk images of the cases you are investigating.
4. Network forensics
Network forensics is concerned with the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. The ultimate goal of network forensics is to provide sufficient evidence to allow the perpetrator to be successfully prosecuted. Network forensics finds practical application in areas such as hacking, insurance, fraud, defamation, etc.
Tool: Wireshark
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.
Tool: Network Miner
Network Miner is a Network Forensic Analysis Tool for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. Network Miner can also extract transmitted files from network traffic.
5. Email Forensics
Erasing or deleting an email doesn't necessarily mean that an email is gone forever. Often emails can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional detective work. It is used for retrieving information from mailbox files.
Tool: MiTec Mail Viewer
It is a viewer for Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases, and for single EML files. It displays the list of contained messages with all the needed properties, like an ordinary e-mail client. Messages can be viewed in a detailed view including attachments and an HTML preview. It has powerful searching and filtering capabilities and can also extract all e-mail addresses from all e-mails in the opened folder into a list with one click. Selected messages can be saved as EML files with or without their attachments, and attachments can be extracted from selected messages with one command.
Tool: OST and PST Viewer
Nucleus Technologies' OST and PST viewer tools help you view OST and PST files easily without connecting to an MS Exchange server. These viewers let the user scan OST and PST files and display the data saved in them, including e-mail messages, contacts, calendars, notes, etc., in a proper folder structure.

6. Internet Forensics
During most investigations, an individual's web browsing activity often provides investigative leads. Evidence of Internet web browsing typically exists in abundance on the user’s computer. Most web browsers utilize a system of caching to expedite web browsing and make it more efficient. This web browsing Internet cache is a potential source of evidence for the computer investigator. Following are the tools for browser forensics.
Tool: ChromeCacheView
ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more.
You can easily select one or more items from the cache list, and then extract the files to another folder, or copy the URLs list to the clipboard.
Tool: MozillaCookiesView
It displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into text, HTML or XML file, delete unwanted cookies, and backup/restore the cookies file. It can read the cookies file created by any version of Netscape/Mozilla browser.
Tool: MyLastSearch
The MyLastSearch utility scans the cache and history files of your web browser and locates all the search queries you made with the most popular search engines and popular social networking sites. The search queries you made are displayed in a table with the following columns: Search Text, Search Engine, Search Time, Search Type, Web Browser, and the search URL.
You can select one or more search queries and then copy them to the clipboard or save them into text/html/xml file.
Tool: PasswordFox
PasswordFox is a small password recovery tool that lets you view the user names and passwords stored by the Mozilla Firefox web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select any other Firefox profile instead. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename.
7. Application Forensics
In application forensics we extract the logs that applications stored during their execution. For such an application we can see its restricted information without knowing the password.
Tool: SkypeLogView
SkypeLogView reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. You can select one or more items from the logs list, and then copy them to the clipboard, or export them into text/html/csv/xml file.
Tool: Yahoo! Messenger Archive Decoder
Yahoo! Messenger Archive Decoder allows you to view all the chat conversation without knowing the password. This software decodes normal conversation messages, private messages, conferences, and SMS/Mobile Messages to HTML or plain text, complete with time stamps, smileys and font formatting. It also supports Unicode text.
Conclusion
Computer forensics is all about collecting evidence from computers that is sufficiently reliable to stand up in court. The goal of computer forensics is to carry out a structured investigation and find out exactly what happened in a digital system, and who was responsible for it. There are many tools used in the process of examining digital evidence and evaluating system security. The free tools described above will help you conduct a computer forensic investigation in a well-defined manner.

Prevention Techniques: Cross-site request forgery (CSRF)

1. The best defense against CSRF attacks is unpredictable tokens, a piece of data that the server can use to validate the request, and wh...