SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Viva Las Vegas Forensics at BlackHat, SecurityBSidesLV, and DefCon

The 103 degree heat hits you in the face like a baseball bat. Some people say that 103 degrees (in the shade) is "no big deal", because, as they continue, "it's a dry heat." Yeah, well, my oven is a dry heat, and I don't stick my head in it. But that is exactly the way the heat feels this time of year in Las Vegas. That's probably why DefCon (a "hacker" conference) was first held there 19 years ago, during the Las Vegas convention "off season." From DefCon grew a more "professional" event that precedes it, known as BlackHat Briefings, and, for the second year, SecurityBSides Las Vegas, a sort of shadow conference that runs concurrently with BlackHat. Your Digital Forensic Case Leads reporter attended all three events last week in Las Vegas, and this edition will focus on highlights from these events.


  • From BlackHat: iOS Password Decryption Method Revealed

    "Overcoming iOS Data Protection to Re-Enable iPhone Forensics" was the title of the talk given by Mr. Andrey Belenko of ElcomSoft at BlackHat 2011.

    Mr. Belenko and Dmitry Sklyarov (if you don't know about Sklyarov and his arrest at DefCon in 2001 for his work on Adobe PDF security, read this) conducted research into overcoming the encryption in iOS devices. There are a number of technical barriers to extracting information from a password-protected iOS device. Although earlier versions of iOS (pre-3GS) had data protection methods that are generally considered very weak, newer versions of iOS have stronger encryption deployed. Many digital forensic examiners have hit a wall when trying to acquire digital forensic evidence from password-protected iOS devices.

    That's where ElcomSoft has stepped in. Mr. Belenko's work focused on leveraging the iOS device itself to brute force the device password. As it turns out, the OS itself reveals password length and strength in clear text. For example, the device reveals, in clear text, that the password is four characters long and contains only numbers. And since most users want a short PIN on their device, this pre-attack analysis by the ElcomSoft tool narrows down the scope of any brute force effort. There are a number of smart techniques like this that the ElcomSoft team used in developing this tool.

    A demonstration of the tool was given to The CyberJungle after the talk. The CyberJungle entered the PIN 4111, but Vladimir Katalov, ElcomSoft's CEO, did not see us enter that PIN. Mr. Katalov was able to crack the iPhone 4G in a few minutes. The PIN was revealed, along with passwords to the user's Amazon account, email accounts, and other data secured by the device's so-called keybag. Mr. Katalov told The CyberJungle that the tool will make a dd "image" of the device after breaking the PIN. According to Mr. Katalov, while other tools will image iOS devices, his team has the only tool that will both crack the PIN and image the device for analysis.

    According to Mr. Katalov, the software will work on the iPhone 4G, iPad 1 and iPod. The lack of iPad 2 support is due to the lack of software signatures from Apple, not a limitation of the technical abilities of the software.

    Mr. Belenko gave his talk at BlackHat. As co-host of CyberJungle Radio, I caught up with Mr. Belenko at DefCon and interviewed him about this tool. You may download the MP3 file here; it's about 7 minutes long.

    Find out more about the Elcomsoft iOS Forensic Toolkit.
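    The point above, that a passcode's length and character set decide how much brute-force work an examiner (or an attacker) faces, can be put in numbers. The following is an added example written for this post; it is not code from ElcomSoft's toolkit or from Apple. The candidate policies and the guess rate (ASSUMED_RATE, a stand-in for a device-bound rate) are constructed values, not measurements.

```python
# Added example (not from the post or from ElcomSoft): how much brute-force
# work a passcode policy represents once its length and character set are known.
# The candidate policies and the guess rate below are constructed for
# illustration; they are not figures from iOS or from the ElcomSoft toolkit.

# Candidate policies: name -> (passcode length, size of the character set).
POLICIES = {
    "4-digit PIN": (4, 10),
    "6-digit PIN": (6, 10),
    "8-char lowercase": (8, 26),
    "8-char letters+digits": (8, 62),
    "12-char printable ASCII": (12, 95),
}

# Assumed guess rate for a device-bound attack (constructed value, guesses/second).
ASSUMED_RATE = 10.0


def keyspace(length, alphabet_size):
    """Number of distinct passcodes a policy allows."""
    return alphabet_size ** length


def expected_seconds(length, alphabet_size, guesses_per_second):
    """Average time to hit the right passcode: half the keyspace is searched."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def time_table(guesses_per_second):
    """Average crack time for every candidate policy at the given rate."""
    return {name: expected_seconds(length, size, guesses_per_second)
            for name, (length, size) in POLICIES.items()}


def weakest_policy_meeting(guesses_per_second, required_seconds):
    """Smallest policy whose average crack time is at least required_seconds,
    or None if no candidate policy is strong enough at that rate."""
    by_size = sorted(POLICIES.items(), key=lambda item: keyspace(*item[1]))
    for name, (length, size) in by_size:
        if expected_seconds(length, size, guesses_per_second) >= required_seconds:
            return name
    return None


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for name, secs in time_table(ASSUMED_RATE).items():
        print(f"{name:<26} {humanize(secs)}")
    print("weakest policy surviving one day:",
          weakest_policy_meeting(ASSUMED_RATE, 86400))
```

    The useful reading for a defender is weakest_policy_meeting: given whatever guess rate you believe an attacker with physical possession can achieve, it names the least burdensome passcode policy that still keeps the average crack time above your target, which is the number a device policy should be set from rather than from the default four-digit PIN.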

  • From SecurityBSidesLV: Researchers Release Anti-Forensics Tool That Can Hide Porn, and All Other Digital Evidence

    A significant portion of law enforcement digital forensics effort focuses on locating various types of adult x-rated content. A team of researchers gave a presentation this week entitled "How to Hide Your Pr0n." The team developed a cloud-based proof of concept that encrypts the data and hides it steganographically in public photo-sharing data and sites. You may download the segment here. The segment is about 8 min long, and there is some conference noise at the very start of the interview. The link in the segment is:

  • From BlackHat: Many information security and incident response professionals have long known about the weak security in popular firewall/routers. Many IT people believe that these devices are "good enough" for most situations, other than "banks or the FBI."

    While in Las Vegas this week, CyberJungle Radio met a researcher named Pedro. Pedro set up a site that catalogues many of the vulnerabilities in popular routers. This segment is about 5 min. You may download the file here, or listen to the stream below. The link in the segment is:


Good Reads:

  • At a Black Hat Las Vegas press conference, a team of UK-based embedded system hardware "hackers" unveiled a new credit card attack vector using the Square payments system. The attack streamlines a low-cost process to run stolen credit cards through the Square system. Your correspondent has his take on this hack below. Many of the stories written on this attack were not written by reporters actually in attendance at the conference. Here are stories from those that were:

    Elinor Mills from CNet wrote a piece on the attack: Researchers find avenues for fraud in Square.

    Jennifer Valentino-DeVries from the Wall Street Journal wrote about the attack in this blog posting: Stealing Money With Square.

    To the best of my knowledge, I was the only forensicator at the press conference, and possibly the only reporter with experience in credit card security and incident response. Here is my take:

    Adam Laurie and Zac Franken of Aperture Labs have uncovered a flaw in the Square system that has a number of interesting technical and fraud elements.

    Square is a popular start-up designed to allow anyone with a smartphone or tablet to accept credit cards. A small cube plugs into the headphone jack of the device, and a magnetic reader converts the credit card magnetic data to a sound file. That sound file then gets sent via the smartphone to Square for processing. The recipient of the monies has to give Square a bank account (in the USA), and the monies generated through the system are transferred every night into that account.

    Adam Laurie wrote two Python scripts for credit card magnetic stripe data about five years ago. One script converts credit card mag stripe data into binary data, and the other converts the binary data into a sound file. Those scripts were part of a talk Adam Laurie gave five years ago at DefCon in Las Vegas.

    This summer, the scripts were combined, and a simple graphical user interface (GUI) was added. The researchers then purchased an off-the-shelf audio patch cable with an Apple-compatible connector. Adam and his partner Zac are able to get the credit card swipe data into a smartphone via the headphone jack.

    If that smartphone/tablet has the free Square app, the app will interpret that data as an authentic card swipe of a real card. The data could be card information that was purchased on the black market. Buying and selling credit card mag stripe data is very easy on the Internet's black market (what CyberJungle Radio calls The Dark Web).

    The hard part of the attack is getting a bank account that is not easily traceable by law enforcement. Here's how members of the Dark Web could convert stolen credit card data, using this attack:

    1. Download the scripts that were released online five years ago. We will not provide those here, but a determined attacker could find them, or recreate them.

    2. Find a money mule that has a US bank account. Square will not allow users to send funds to a non-US bank. The CyberJungle speculates that this may be due, in part, to the Patriot Act. The Patriot Act requires strong identification for the opening of a US bank account. A money mule in the US could have the funds transferred into his account and withdraw it. In the common money mule schemes, the mules are rewarded with a commission to take the funds out of their account and transfer a percentage of those funds via Western Union to a member of the Dark Web overseas.

    3. Purchase stolen credit card stripe data on the black market.

    4. Set up a Square account online. Point the Square account to the bank account of the money mule. The company promotes that an account can be set up right away and transactions start to flow the same day. According to a researcher working with the research team, there is a delay of a few days while Square validates the bank account.

    5. Download and install the Square app on a supported device. Currently, Square software will work on Apple iOS devices (iPhone, iPod, iPad) and on Android devices. Although the attack demonstrated at BlackHat used an iPad, Zac Franken told The CyberJungle that there is no technical reason that the attack would not work on the Android platform.

    6. Attach an Apple compatible male-to-male audio patch cable between the computer running the converter scripts and the smart device running the Square App. For Android, the attacker would need a patch cable that worked on the specific Android device's headphone jack.

    7. Type, or cut-and-paste, the mag stripe data into one field on the computer and run the scripts. One script converts the text data to binary, and the other converts the binary to an audio file that gets sent to the audio-out jack on the computer.

    8. The Square app will think that the user has swiped a physical card. Physical card transactions (often called 'wet signature' transactions) have a lower overall fraud rate, and therefore the lowest transaction rates in the card processing business.

    9. The attacker enters the amount to be stolen, enters a 'signature' on the screen, and runs the transaction.

    10. The monies are then transferred the same day to the money mule's bank account, and then re-transferred to the attacker via Western Union or some other wire service.

    This attack is not a threat to Square users, but rather a threat to all credit card users, according to the researchers. Any user whose data has been stolen can reverse the charges, as long as he alerts his bank within 60 days.

    The attack highlights a flaw in the Square system: the lack of end-to-end encryption. If that were enforced, the system would not accept a transaction attempt from a computer sending a "plain text" sound file. According to one of the researchers, Adam Laurie, the team alerted Square to the vulnerability. In response to Adam Laurie's disclosure, Square responded, saying that "... the threat was not significant, and that there are easier ways to commit fraud."

    The CyberJungle believes Square could fight this problem by limiting transactions for new merchants, by limiting transaction amounts for new merchants, by limiting the number of transactions that new merchants can conduct, and by clearing the charge after a waiting period for new users. The researchers said that Square is releasing a new version of their swipe "cube" that includes encryption. But unless the application on the smart device is also changed, The CyberJungle does not know how this would mitigate the attack.

    As of posting time, The CyberJungle was not able to reach a Payment Card Industry (PCI) certified auditor to ask this question: Is Square potentially in violation of PCI due to the lack of end-to-end encryption in its system?
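    The new-merchant controls suggested above (a cap on each transaction, limits on the number and total of transactions per day, and a settlement hold for new accounts) can be expressed as a small risk-decision routine that a payment processor would run before accepting a charge. The following is an added example written for this post; it is not Square's code and does not describe Square's actual rules. The probation period, the thresholds, and the sample transactions are all constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class NewMerchantPolicy:
    # Thresholds applied while an account still counts as "new". All values are
    # constructed for this example; they are not Square's actual rules.
    probation_days: int = 30
    max_single_amount: float = 250.0
    max_daily_count: int = 5
    max_daily_amount: float = 500.0
    settlement_hold_days: int = 7


@dataclass
class Transaction:
    ts: datetime
    amount: float


@dataclass
class Decision:
    action: str                    # "approve" or "decline"
    reason: str
    settle_on: Optional[datetime]  # when funds would be released; None if declined


@dataclass
class Merchant:
    created: datetime
    approved: List[Transaction] = field(default_factory=list)


def is_new(merchant, at, policy):
    """A merchant is 'new' until the probation period has elapsed."""
    return at - merchant.created < timedelta(days=policy.probation_days)


def approved_on(merchant, day):
    """Approved transactions for this merchant on the given calendar day."""
    return [t for t in merchant.approved if t.ts.date() == day]


def evaluate(merchant, tx, policy):
    """Apply the new-merchant limits to one transaction; record it if approved."""
    if not is_new(merchant, tx.ts, policy):
        merchant.approved.append(tx)
        # Established merchants keep the same-day (nightly) settlement the post describes.
        return Decision("approve", "established merchant", tx.ts)
    if tx.amount > policy.max_single_amount:
        return Decision("decline", "exceeds per-transaction cap for new merchants", None)
    todays = approved_on(merchant, tx.ts.date())
    if len(todays) >= policy.max_daily_count:
        return Decision("decline", "daily transaction count cap for new merchants reached", None)
    if sum(t.amount for t in todays) + tx.amount > policy.max_daily_amount:
        return Decision("decline", "would exceed daily amount cap for new merchants", None)
    merchant.approved.append(tx)
    hold = timedelta(days=policy.settlement_hold_days)
    return Decision("approve", "within new-merchant limits; funds held", tx.ts + hold)


def run_sample():
    """Drive a constructed sequence: a one-day-old merchant, then an established one."""
    policy = NewMerchantPolicy()
    new = Merchant(created=datetime(2011, 8, 10))
    start = datetime(2011, 8, 11, 9, 0)
    amounts = [100, 300, 150, 150, 120, 40, 40, 10]   # constructed charges, one per minute
    decisions = [evaluate(new, Transaction(start + timedelta(minutes=i), a), policy)
                 for i, a in enumerate(amounts)]
    old = Merchant(created=datetime(2011, 1, 1))
    decisions.append(evaluate(old, Transaction(start, 5000), policy))
    return decisions


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.action:<8} {d.reason:<55} settle={d.settle_on}")
```

    The settlement hold is the control that matters most against the scheme described above: a charge that is approved but not paid out for a week gives the cardholder and the issuer time to dispute it before any money reaches the mule's account, whereas the per-day caps only bound how much a fresh account can move before someone looks at it.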



  • A dust-up has developed in the area of web tracking. The Wall Street Journal has been running a very popular series of stories on the topic, entitled What They Know. The researcher that the Wall Street Journal used was Ashkan Soltani, an independent researcher and consultant focused on privacy, security, and behavioral economics. Mr. Soltani gave a talk at SecurityBSides entitled "When Zombies Attack - a Tracking Love Story."

    Mr. Soltani wrote a blog posting on yet another round of hard-to-block web tracking technologies. He gave a talk about this research at SecurityBSides Las Vegas. Here is my ~9 min interview with Mr. Soltani after his talk at BSides. This is the response by KISSmetrics' CEO.

  • One of the other interesting talks at BlackHat this year was on the topic of Mac forensics and incident response. According to one of the presenters, Alex Stamos, "Once you use OS X server, your security is toast."

    Read the coverage in this story - Anatomy Of A Mac APT Attack: Mac users might not have a lot of exploits to worry about, but their lack of security worries makes them an APT attacker's dream come true.



  • The Quadshot is a new kind of remote-control aircraft. It melds advanced open-source hardware, software and a unique airframe to provide the best parts of flying quadrocopters and airplanes. I saw the Quadshot in the hallways of DefCon19. The creators claim it can be equipped with surveillance cameras. The next frontier in digital forensics? Quadshot is a Kickstarter project, and the creators are looking to raise $25,000. Donors get the device once the funds are raised. See the link to the Kickstarter project, and all the details on the FlyQuadShot site. Listen to a conversation with Peter, one of the creators of Quadshot, recorded at DefCon19.



Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to

Digital Forensics Case Leads for 11 August 2011 was compiled by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also co-host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.