Episode 14 – BBC (Big Botnet Controversy)
March 25, 2009 by Lee Whitfield
Filed under Podcast Episodes
In this episode Lee & Simon discuss the BBC hacking into thousands of computers and Lee talks with Matthew Shannon of F-Response.
Forensic 4cast Episode 14 - BBC (Big Botnet Controversy) [59:25m]
Desensitisation
March 21, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
Working for a UK based forensic company I do a lot of work on cases involving indecent images of children (commonly known as child porn). When such pictures or videos are found on a computer they are categorised according to the scale below:
1) Nudity or Erotic Posing of Child(ren)
2) Sexual Activity Between Children or Solo Masturbation
3) Non-Penetrative Sexual Activity Between Adult(s) and Child(ren).
4) Penetration of Child(ren)
5) Sadism/Bestiality Involving Children
Recent legislation also means that the above categories are divided into three subcategories based on the age of the subjects.
In our office we have a man who spends most of his time categorising material according to this scale. Sentencing is also based on the level of images found on a suspect’s computer, if a suspect has level 5 images they will be given a more substantial sentence than if they possess level 1 images. This individual has a job that I do not envy but he has been doing this kind of work for decades, and he has some interesting stories – but that’s for another time.
The work that he does helps us considerably. First, we don’t have to spend hours doing the task ourselves and second, our exposure to this material is reduced. We import his work into EnCase as bookmarks and perform a normal investigation.
This week this person had annual leave booked. This meant that the task of categorising images fell back on the investigators. At the last place I worked we did all of our own categorising, so I'm familiar with the material and just got on with it. I've worked in this field for three years and, in that time, I've seen and categorised several million of these images. Am I used to it? Have I become desensitised to this kind of material? Not in the least.
I can honestly say that categorising pictures this week has been horrible. I am disgusted and appalled by the things I see. Some people in this field will answer this with “You’re in the wrong business,” or “Don’t worry, you’ll learn to cope with it.” These kinds of comments are not helpful or even true.
After three years these people suggest that I should have developed some sort of immunity to this material but I don’t agree. I believe it is my disgust at these images that separates me from those people that view it illegally. I never want to sit down to do such a case and not feel terrible about doing it. I’m not saying that I can’t cope with the work, I can handle it just fine, but I never want to get to a point where it doesn’t affect me. If I ever reach it I will consider leaving the field in order to preserve my own humanity.
This is the main reason that I won’t stop arguing that we, as forensic investigators, should not be debating the difference between a 15 and a 16 year old, we should be left to get on with what we do best. We are not experts in child development, we are not paediatricians, we are digital forensic experts. I’m going to wave this banner until something changes or I die, whichever comes first. Sadly, knowing the legal system in the UK I have a feeling I know which one will arrive most quickly.
Should the BBC be Prosecuted for Hacking Offences?
March 15, 2009 by Lee Whitfield
Filed under News
I occasionally watch a TV show on the BBC by the name of ‘Click’. This series looks at the latest technology news and also does some investigations into the darker side of the internet. I was watching the most recent episode in which the host and his guest bought a botnet consisting of over 20,000 ‘bots’. These bots are compromised computers from around the world that act as part of a remote-control network.
These two individuals first set up several dummy email accounts, including Windows Live and Gmail accounts, and used the botnet to send spam to those addresses.
Next they set up a web server and used the botnet to launch a distributed denial of service (DDoS) attack against it.
Finally they changed the background wallpaper of each of the infected computers to a message stating that they were infected. They then removed the bots from these computers.
I have a few problems with this.
- I pay a TV license fee, most of which goes to the BBC. The fact that the BBC use this to buy a botnet from an unknown man disgusts me. My license fee money has been spent in funding cyber-terrorism and who knows what else.
- Under section 1 of the Computer Misuse Act 1990 the BBC have gained unauthorised access to each of these computers. That is a criminal offence in this country.
- Not only have the BBC gained unauthorised access to these computers but they have gone on to use these computers to send spam. Although the email addresses were set up by the BBC the accounts were hosted by major service providers. I’m sure that Google and Microsoft wouldn’t be impressed by that, and neither would the users of the compromised computers.
- I do not know the exact locations of these bots so this can only be considered conjecture, but if these bots are located in other countries the BBC have likely broken their laws too.
- By altering data on the compromised computers (changing the wallpaper and removing the bot), regardless of their intentions, they are treading on dodgy ground. Depending on how their intent is viewed, this could be treated as the section 3 offence (unauthorised acts that impair or modify a computer), which carries a higher maximum penalty than the section 1 offence mentioned in point 2.
No investigation or notice of intended prosecution has been announced and no apology given by the BBC. Can someone please explain to me why?
MacBook Air Acquisition
March 15, 2009 by Lee Whitfield
Filed under Technical Articles
The MacBook Air presents a unique problem that is not found with other Apple products. With other Apple computers the MacQuisition tool can be used to create an image of the drive in question if the drive is not easily accessible. Unfortunately MacQuisition requires a free FireWire (IEEE 1394) port in order to boot the computer into acquisition mode. The MacBook Air has only one USB port, no FireWire port, and no optical drive. The Apple website suggests that only an Apple branded USB optical drive will allow booting from optical media (such as Helix). These drives can be costly and are otherwise of little use to a forensic lab.
This guide provides a (relatively) simple method of removing the internal drive and imaging the drive using EnCase (or whatever brand of imaging tool you use).
Firstly, meet the MacBook Air:

The first thing you will notice is that this is a very thin computer; it has an aluminium (aluminum for you non-Brits) case. This is quite slippery so take care not to drop it.
The first step is to turn it over.
There are ten screws that need removing (circled below). The front six screws are the same size; the rear-corner screws are a little longer; the middle-rear screws are longer still. Keep track of which screw came from where for reassembly.

Once the bottom of the case is off you are going to focus your attention on the rear-right corner of the computer (highlighted below).

When you look closer at this corner you can see two ribbon cables. The first of these is disconnected at ‘A’ by pulling on tab ‘B’ below:

Once this has been done you will see four more screws (circled below). The top two screws are easy enough to remove; the bottom two are partially obscured by a thin wire that is tucked into the drive cage. Gently pry the cable away until the screws are exposed and remove the screws.

We are now ready to remove the second ribbon cable. Gently pull it away (marked in red below) until it is no longer connected.

Removing the drive is not difficult: carefully lift the drive cage and slide the hard drive out from underneath. Do not pull it out from the top or try to remove the drive cage, as you may cause irreparable damage.

Once you have removed the drive, turn it over and carefully remove the black tape covering the ribbon connector (marked below).

Once the tape has been removed the ribbon connection is exposed. Carefully pull the ribbon cable out of the connector (marked below).

When finished you should have something that looks like the picture below:

This is a 1.8-inch PATA drive with a ‘ZIF’ (zero insertion force) ribbon connector rather than a standard IDE header. These drives are commonly found in iPods and ultraportable PCs. In order to image this drive you will require the following:
- Either a ‘Tableau T14 IDE’ or a ‘Tableau T35e’ write blocking device
- A ‘TDA5-ZIF’ drive adapter kit
Why so specific? Well, Tableau state that the ‘ZIF’ adapter is only guaranteed to work with one of the two Tableau bridges listed above. I do not want to risk something going wrong with an evidential drive, so I’ll follow their advice. Thankfully I had a ‘T35e’ already available. You can try using this adapter with a different model, or even a different brand of write-blocker, but it’s not recommended.
Carefully insert the new ribbon (provided with the adapter) into the ribbon connector on the hard drive and then connect the other end of the ribbon into the adapter (see below). Then plug the adapter into the Tableau.

From this point forward it is exactly the same as acquiring any other hard drive. The Tableau will detect the drive, allowing you to image and hash-verify it as normal.
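For anyone imaging from a Linux acquisition box rather than EnCase, the following is an added example (not from the original post, and not Tableau's or Guidance's code) of the "image as normal" step: a sector-by-sector dd acquisition of the write-blocked drive followed by the SHA-256 verification you would record in your notes, plus a re-verification you can run before analysis. It assumes GNU coreutils (dd, sha256sum, awk); the function names and the device path in the usage line are mine, and the test below uses an ordinary file in place of a drive.

```shell
#!/bin/sh
# Added example, not from the original post: raw acquisition with dd and
# SHA-256 verification of the image against the source.
# Assumes GNU coreutils on a Linux host; /dev/sdX below is a placeholder.

acquire_image() {
    # $1: source block device (seen through the write blocker)
    # $2: path of the raw image to write
    src="$1"; img="$2"
    # bs=512 matches the sector size, so conv=noerror,sync pads an unreadable
    # sector with 512 zero bytes instead of shifting every later offset.
    # dd's own messages (including any read errors) go to a log beside the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Record both hashes for the contemporaneous notes, then compare them.
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # Re-hash an image later (for example before analysis) and compare it with
    # the hash recorded at acquisition time. Returns non-zero on any mismatch.
    img="$1"
    recorded=$(awk '$2 == "image" { print $1 }' "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Run directly as: sh acquire.sh /dev/sdX /cases/1234/macbook_air.dd
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2" && verify_image "$2" && echo "image verified: $2"
fi
```

A source hash that does not match the image hash means the acquisition must be repeated, not explained away; the dd log will show whether unreadable sectors were the cause. dc3dd or dcfldd will do the hashing in a single pass, but the two-step form above makes it clear what is being compared with what.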
Hope this is useful to someone out there.
Law Enforcement Only
March 14, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
Before I begin I want to make it clear that I work as a subcontractor for several different police forces throughout England. I work for several private/defence clients too. I feel that this gives me good insight and a balanced point of view towards the two. I know that this can be a somewhat emotive subject but, having said that, I am not one to stay quiet on subjects that I feel strongly about. My colleagues know that, if they discuss it, I will interject and verbally assault anyone that disagrees with me.
As a contractor for the police we are tasked with providing forensic reports and statements based on computer or phone evidence. During our day to day work we encounter the same material to which the police themselves are exposed. We perform an investigation on the submitted evidence and then send the evidence, and the reports, back to the relevant constabulary while we retain copies for archiving purposes. We act on behalf of the prosecution in these cases. We are, in essence, doing the job of a trained cop.
As such it is my opinion that we should be permitted access to all the same training and software that are furnished for law enforcement officers.
Earlier this year a conference was held on the subject of mobile/cell phone forensics. On average our company completes around 80 phone investigations for various forces per month. With this in mind we decided it would be a good idea to send a couple of our phone investigators along to learn about any new developments. Upon contacting the organisers of the event we were told that we could not attend as we were not law enforcement. Factually this may be the case, but in what way do we really differ from law enforcement officers? We do the same work, their work, and we’re even on the ‘same side’ so to speak, so what reason could there be to exclude us? No explanation was offered. Not even an irrational one.
Excluding private and defence experts from such conferences is a strange practice. Expert reports and statements that form part of a criminal case, along with the testimony given, become public record (obviously with some exclusions). As a result any new investigation techniques discussed at closed conferences will soon become open knowledge anyway, so what is the point of restricting the flow of information in the first place?
The chasm between law enforcement and non-LE personnel widens drastically when you look further afield. Commercial software and training is offered to law enforcement at a significantly reduced rate. Why is this? Everyone that I have discussed this matter with has been unable to provide a concise answer. Is it due to budgetary requirements? Everyone has budgetary requirements to meet, in what ways do private companies and police forces differ in that regard?
Software such as iLook, COFEE, and many others are released as forensic and/or incident response tools for the use of law enforcement personnel only. Once again, the question is ‘why’? We work in an adversarial legal system where fairness and equality for both prosecution and defence should be central to each and every case. The legal system should be fair. The evidence and tools used by the prosecution experts should be accessible to the defence; how else can the legal system claim to be fair? A defence expert may be left with no recourse if the prosecution presents evidence that was found using one of these ‘LE only’ tools and that has not been, and cannot be, independently verified or its results challenged. Should the court allow this? Of course not. But for some reason it is acceptable.
The legal system is about fairness and equality. How can disqualifying forensic practitioners from events or software be in the best interest of the law or justice? Why should it matter whether or not they wear a badge and carry a gun?
Something ironic to finish. One of the organisers of the aforementioned conference (a police officer) recently contacted our company asking for some information relating to a case that we recently completed for a different force. We do not do any work for his force; in fact, they do not outsource any of their work or permit the evidence out of their compound. We’ll gladly furnish him with the data, but he’s not going to like our conditions or the cost.
This subject is not going away. We will be discussing this very topic on a future episode of Forensic 4cast. If you want to appear on that episode to share your own point of view let me know.