Computer Crime File Content Analysis - Assignment Example

Summary
The author of this paper "Computer Crime File Content Analysis" discusses the ways to analyze the content and to avoid the challenges, which may consist of fraud and crime. The paper suggests the utilities be used in order to analyze the sites, the site status, IP address, and so on…

Extract of sample "Computer Crime File Content Analysis"

Computer Crime

Microsoft Windows [Version 6 7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ping www.independent.ie

Pinging www.independent.ie [77.245.91.249] with 32 bytes of data:
Reply from 77.245.91.249: bytes=32 time=355ms TTL=54
Reply from 77.245.91.249: bytes=32 time=349ms TTL=54
Reply from 77.245.91.249: bytes=32 time=355ms TTL=54
Reply from 77.245.91.249: bytes=32 time=367ms TTL=54

Ping statistics for 77.245.91.249:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 349ms, Maximum = 367ms, Average = 356ms

C:\Windows\system32>

The good guys generally use ping to determine whether a computer is responding to IP requests: it sends four normal-sized Internet Control Message Protocol (ICMP) packets to check whether the host is still available. Ping is generally used to identify the hosts that are alive. However, the bad guys can also use ping to send a humongous ICMP packet to the remote computer to flood its buffer so that the system reboots or helplessly hangs, in a process known as the ping of death.

The bad guys can send a ping request to a computer. They then get the numerical IP address, such as 172.198.0.254, which isn't risky. However, they can go on to use ping to convert the IP address into a domain name. The DNS will then reveal the matching domain name. Ping is usually the initial step that the bad guys use to propagate their crime. Since ping uses ICMP to determine whether the destination is reachable, it will send echo packets to the destination, hence the target will reply back with ICMP.

C:\Windows\system32>nslookup whitehouse.gov
Server:  Unknown
Address:  196.201.217.7

Non-authoritative answer:
Name:    whitehouse.gov
Addresses:  2a02:26f0:ca:2a0::2add
          2a02:26f0:ca:291::2add
          184.86.50.35

C:\Windows\system32>

The good guys use nslookup to find the IP addresses that correspond to a given World Wide Web address.
This takes the form of nslookup x.x.x.x, where x.x.x.x is the World Wide Web address the user wishes to locate. This will return the IP address of the server that hosts the website they are interested in.

whois Lookup

Registrar Info

Domain name:           flemingcollege.ca
Domain status:         registered
Creation date:         2000/11/09
Expiry date:           2015/12/01
Updated date:          2014/10/30
DNSSEC:                Unsigned

Registrar:
    Name:              Webnames.ca Inc.
    Number:            70

Registrant:
    Name:              Sir Sandford Fleming College

Administrative contact:
    Name:              Roger Fitch
    Postal address:    599 Brealey Drive
                       Peterborough ON K9J7B1 Canada
    Phone:             +1.7057495520x1225
    Fax:               +1.7057495540
    Email:             @flemingc.on.ca

Technical contact:
    Name:              Roger Fitch
    Postal address:    599 Brealey Drive
                       Peterborough ON K9J7B1 Canada
    Phone:             +1.7057495520x1225
    Fax:               +1.7057495540
    Email:             @flemingc.on.ca

Name servers:
    auth1.dns.cogentco.com
    auth2.dns.cogentco.com
    daneeka.flemingc.on.ca 192.197.148.227
    flemingx.flemingc.on.ca 192.197.148.225
    ns1.easydns.com
    ns2.easydns.com

% WHOIS look-up made at 2015-04-02 19:50:43 (GMT)
%
% Use of CIRAs WHOIS service is governed by the Terms of Use in its Legal
% Notice, available at http://www.cira.ca/legal-notice/?lang=en
%
% (c) 2015 Canadian Internet Registration Authority, (http://www.cira.ca/)

Site Status
Status: Active
Server Type: Apache/2.2.3 (Red Hat)

Traffic Info
Alexa Rank (One Month): 420,359 114,628
Alexa Rank (Three Month): 446,391 65,278
Page Views Per Visit (One Month): 1.9 30.77%
Page Views Per Visit (Three Month): 2.2 13.1%

The bad guys can use the whois utility to expose the registration information of internet users who had opted for privacy. This can be done without the user's permission.
To make it worse, the information will be available on a permanent basis because internet services keep whois archived. The good guys, on the other hand, use the whois utility to compile the data of users into whois databases so that the data can be safely stored. The stored data will then act as the internet phonebook so that people can research over them on the internet.

Whois gives the bad guys a lot of information about what users see about them. They can then exploit this information for their malicious purposes. By performing a whois lookup through the wide variety of whois tools available over the internet, they can gain a lot of information that gives them the edge over the good guys. For example, through a whois lookup the bad guys can have access to internet domain name registration information that includes contact names, because the DNS servers are the ones that hold this information. In the case of Fleming College the bad guys can use the whois utility to access student credit card information.
The IP address 193.242.111.55 provides the following geolocation information:

Geolocation Information
Country: Ireland
State/Region: Galway
City: Galway
Latitude: 53.2719 (53° 16′ 18.84″ N)
Longitude: -9.0489 (9° 2′ 56.04″ W)

The IP address 92.123.72.46 from Europe provides the following geolocation information:

Country: Europe
Latitude: 47 (47° 0′ 0.00″ N)
Longitude: 8 (8° 0′ 0.00″ E)

This is probably in Switzerland.

From North America the route moves in

The IP address is 216.182.236.112

Geolocation Information
Country: United States
State/Region: Washington
City: Seattle
Latitude: 47.5839 (47° 35′ 2.04″ N)
Longitude: -122.2995 (122° 17′ 58.20″ W)
Area Code: 206
Postal Code: 98144

The IP address 184-25-56-210 from North America provides the following geolocation information:

Geolocation Information
Country: United States
State/Region: Massachusetts
City: Cambridge
Latitude: 42.3626 (42° 21′ 45.36″ N)
Longitude: -71.0843 (71° 5′ 3.48″ W)
Area Code: 617
Postal Code: 02142

The IP address 198.32.176.127 provides the following information:

Country: United States
State/Region: California
City: Redwood City
Latitude: 37.5331 (37° 31′ 59.16″ N)
Longitude: -122.2471 (122° 14′ 49.56″ W)
Area Code: 650
Postal Code: 94065

PDF trailers are used to show the location of the cross reference table together with the special objects within the document. The trailer consists of three parts. The first part is the word 'trailer' and is preceded by a dictionary that is comprised of values for the fields. The second part is the keyword 'startxref', followed by a number on the following line. This number shows how far the word xref is from the document's start. These are followed by the %%EOF that marks the end of the file. All the PDFs read from the computer had this trailer. For example, from the PDF file I read, the cross reference table is approximately 361461 bytes from the start of the file.
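
The trailer layout described above can be checked programmatically. The following Python sketch is an added example, not part of the original essay: it builds a small constructed PDF in memory, reads %%EOF, startxref and the trailer dictionary from the end of the file, and confirms that the offset really lands on the xref keyword. The function names and the sample file are assumptions made for illustration.

```python
import re

def build_sample_pdf() -> bytes:
    """Assemble a tiny PDF in memory. Constructed sample, not the essay's file."""
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for obj in objects:
        offsets.append(len(out))          # byte offset of each object
        out += obj
    xref_pos = len(out)                   # where the cross-reference table starts
    out += b"xref\n0 3\n0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size 3 /Root 1 0 R >>\n"
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)

def parse_trailer(data: bytes) -> dict:
    """Locate %%EOF, startxref and the trailer dictionary, searching from the end."""
    eof = data.rfind(b"%%EOF")
    if eof < 0:
        raise ValueError("no %%EOF marker: file is truncated or not a PDF")
    sx = data.rfind(b"startxref", 0, eof)
    if sx < 0:
        raise ValueError("no startxref keyword before %%EOF")
    number = re.match(rb"\s*(\d+)\s*$", data[sx + 9:eof])
    if not number:
        raise ValueError("startxref is not followed by a byte offset")
    xref_offset = int(number.group(1))
    tr = data.rfind(b"trailer", 0, sx)
    if tr < 0:
        raise ValueError("no trailer keyword (xref streams are not handled here)")
    dictionary = data[tr + 7:sx]
    size = re.search(rb"/Size\s+(\d+)", dictionary)
    root = re.search(rb"/Root\s+(\d+)\s+\d+\s+R", dictionary)
    if not size or not root:
        raise ValueError("trailer dictionary lacks /Size or /Root")
    return {
        "xref_offset": xref_offset,
        # A consistent file has the keyword 'xref' at exactly this offset.
        "points_at_xref": data[xref_offset:xref_offset + 4] == b"xref",
        "size": int(size.group(1)),
        "root_object": int(root.group(1)),
    }

if __name__ == "__main__":
    print(parse_trailer(build_sample_pdf()))
```

A startxref value that does not land on the xref keyword is a quick indicator that the file was truncated, appended to, or edited after it was written.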
trailer
66...)(X$X@>66...)] >>
startxref
361461
%%EOF

It can also be deduced that the size, root and some keys must be contained in the trailer dictionary. The size refers to the number of attributes contained in the cross reference table. The number must be an integer; for the said PDF the size is 62. The root refers to the indirect reference to the PDF catalog. In the opened PDF the catalogue is 1.

RTF signatures must be composed of the following. The first byte must be an open brace, i.e. { and the closing }. The second and third byte must be the rtf, i.e. \rtf, while the sixth byte must be the major version of the RTF document, e.g. 1. The seventh to tenth byte must contain the \ansi, which specifies the coding used. The file signature is composed of firstly the header, which must start with the name rtf, e.g. {\rtf} (Bill, 2014).

Surprisingly, all the paths lead to the same destination, i.e. www.smh.com.au. This means that using traceroute will direct the user to the correct destination regardless of the path followed. No wonder the paths from North America and Europe lead to the same destination. The paths are not always the same because the intermediate servers can send messages to different servers; e.g. the first time the UDP message could be sent to D1 but later sent to even C1, so that the paths are not the same. Furthermore, traceroute does not trace the route of a single packet. The user would therefore wish that they follow the same path because links often fail. This results in the packets being rerouted, thus impacting traceroute's output.

2. The file's checksum contains ten digits. It is 3594581100. In hexadecimal it is represented as D640F46C. In SHA-2 (512 bit) the checksum in hexadecimal contains more than 32 digits. The first seven digits are D9DB4A4. Changing the first letter to lowercase changes the checksum to 2207179089. In hexadecimal the representation is 838EE151.
The first seven digits become D820CC8. Changing the name of the file to test.doc changes the checksum in CRC (32 bit) to 3808875671 while the hexadecimal value becomes E306D497. In SHA-2 (512) the checksum becomes 663E1C5.

The image lacked the markers that serve as headers in JPEG images. These markers are used to separate image parts. The parts separated include the EXIF data which is comprised of the image data. What was to be done was to add the start of the image data. The file can then be saved and viewed. The difficulty came in finding the appropriate markers.

The three parts give the byte number, hexadecimal number and the ASCII equivalent data of the document. The hexadecimal number is the one that was altered. Each pair of the number in the hexadecimal is a byte. A clear analysis reveals that the first byte of the does not represent hexadecimal values. To recover the documents we locate the missing hexadecimal values and change back to hexadecimal.

Note that the first "good" file to be tested was in portrait orientation. That header resulted in a broken banding corruption of the image (disjointed bands of the image), but it opened in image viewer. Changing the header with one from a landscape oriented JPEG corrected this. If you see similar behavior with the final image, try a different source file for the header.

After recovering the picture it looked as shown above. There is a black front box/panel at the front with small squared boxes. The box has some words at the center that are too tiny for reading. At the near background there is an electric pole and a river, whereas at the far background there is a house and some trees beyond the house. The word document, on the other hand, talks about Netscape 2.0.

Works Cited

Bill. (2014). File contents analysis. Retrieved April 3, 2015, from Security Site: http://asecuritysite.com/forensics/rtf?file=http%3A%2F%2Fasecuritysite.com%2Flog%2F1.rtf
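
The JPEG recovery described in the essay depends on the marker structure at the start of the file. As an added example (not part of the original essay), this Python sketch walks the segments of a constructed marker skeleton, reports a missing start-of-image marker, and reads the width and height from the frame header, which is what differs between a portrait and a landscape donor header. All names and sample bytes are assumptions for illustration.

```python
import struct

# Marker codes this example recognises (second byte after 0xFF).
NAMES = {0xD8: "SOI", 0xE0: "APP0", 0xE1: "APP1", 0xDB: "DQT",
         0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI"}

def build_sample_layout() -> bytes:
    """Constructed marker skeleton: not a decodable image, not the essay's file."""
    def seg(marker: int, payload: bytes) -> bytes:
        # Segment = FF, marker, 2-byte big-endian length (counts itself), payload.
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xFF\xD8"                                            # SOI
            + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xDB, bytes(65))                                 # dummy table
            + seg(0xC0, b"\x08" + struct.pack(">HH", 480, 640) + b"\x01\x01\x11\x00")
            + seg(0xDA, b"\x01\x01\x00\x00\x3F\x00")               # start of scan
            + b"\x12\x34\x56"                                      # stand-in scan data
            + b"\xFF\xD9")                                         # EOI

def walk_header(data: bytes) -> dict:
    """List the length-prefixed segments up to SOS and flag missing markers."""
    report = {"has_soi": data[:2] == b"\xFF\xD8",
              "has_eoi": data[-2:] == b"\xFF\xD9",
              "segments": [], "size": None}
    if report["has_soi"]:
        pos = 2
    else:
        # Header damaged: resume at the first byte pair that looks like a marker.
        pos = next((i for i in range(len(data) - 1)
                    if data[i] == 0xFF and data[i + 1] in NAMES), len(data))
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD8:                     # SOI carries no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        report["segments"].append((NAMES.get(marker, hex(marker)), pos, length))
        if marker == 0xC0 and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            report["size"] = (width, height)   # frame header fixes the orientation
        if marker == 0xDA:                     # entropy-coded data follows
            break
        pos += 2 + length
    return report

if __name__ == "__main__":
    good = build_sample_layout()
    print(walk_header(good))
    print(walk_header(b"XX" + good[2:]))       # first two bytes overwritten
```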