Hacking Forensics

Welcome 

 

Seminar Agenda 

• 7 .00 - 8.00 ( Presentation on Security ) 

Security Awareness Seminar 

Welcome 

Copyright © 2005-2007, Krishna Rajagopal. 


Welcome 

To Stop a Hacker is to Think Like One! 

 

About the speaker 

• Krishna Rajagopal from Malaysia. 

• Industry certifications – various certifications from 

Microsoft , Cisco, Sun, Adobe, EC-Council, etc. 

• Consultant to the Enforcement body in Malaysia, Saudi 

Arabia, Philippines. 

• Projects in Asia-Pacific, Europe, Middle East, USA, 

Caribbean. 

Hacking 

Forensics & 


Presented by Krishna Rajagopal 

CEO, XtremeSecurity 

Objectives 

Presentation Outline 

 

Seminar Objectives 

• Provide insight into current efforts and future plans 

for corporate network security via Ethical Hackers. 

• Provide helpful perspective on nature of today’s 

Internet security risk 

• Provide guidelines to achieving goals of rock-solid 

networks. 

• Demonstrations of how simple & dangerous hacking 

really is… 

Part 1: Hacking, Am I A Virgin 

Part 2: To Hack or Not to Hack .. 

Part 3: Forensics – Catch Me If You Can 

Part 4: Q & A 


Copyright © 2005-2007, Krishna Rajagopal.

Part 1: Hacking, Am I A Virgin 



Introduction 

Why Security 

 

 

 

 

Every day, all over the world, computer networks and hosts 

are being broken into. 

The level of sophistication of these attacks varies widely. 

It is generally believed that most break-ins succeed due to 

weak passwords, there are still a large number of intrusions 

that use more advanced techniques to break in. 

Less is known about the latter types of break-ins, because by 

their very nature they are much harder to detect. 

 

 

 

 

90% of large companies & govt. 

agencies had computer security 

breaches in 2002. 

The incidence of hacking, and 

associated financial loss, is far greater 

than what has been reported in the 

media. 

The majority of hacking incidents are 

covered up to protect reputation. 

Even if companies call in investigators 

once they suspect their systems have 

been infiltrated, they are extremely 

reluctant for any external parties to be 

aware of how much damage has really 

been caused. 

Source: 2002 CSI/FBI Computer Crime and Security Survey 



Meet Jim Fountain 

He assassinated political leaders 

in Vietnam. He monitored Russian 

missile silos during the Reagan 

administration, and he set up 

communications systems in 

Eastern Europe during the Cold 

War. If you hire Jim Fountain 

today, he won't kill people for you, 

but he'll do what many 

corporations around the world are 

asking him to do--spy on the 

competition. 

“companies are employing former 

government and military men like me 

more and more to gain a competitive 

edge on their rivals.” 

Real Instance 

 

 

 

Microsoft's main competitor, Bay Area 

computer firm Oracle, hired an intelligence 

company and a private investigator to 

search the trash of its rival. Oracle also tried 

to bribe Microsoft janitors for $1,200. 

It's our "civic duty," said brazen Oracle CEO 

Larry Ellison at the time. 

Boeing are being toasted by their 

competitor Airbus right now, because of 

Airbus' superb intelligence-gathering. 



Statistics 

Hey ! 

 

Fortune 1,000 companies lost more than $45 billion 

from the theft of proprietary information in 2002 

 

 

The majority of those hacking incidents hit tech 

companies. 

67 individual attacks with average theft of $15 million 

in losses. 

 

Hey ! That’s old statistics ! What 

happened in 2003, 2004, etc 

 

The reported damage estimate from the 

LoveLetter virus is as much as $10 Billion. 

 

The reported damage estimate from the 

Melissa virus was $385 Million. 

 

Including hard and soft dollar figures, the true 

cost of virus disasters is between $100,000 

and $1 Million per company. 

From ICSA.Net, 23 October 2000, http://www.securitystats.com/reports.asp , Computer Virus Prevalence Survey 



Unauthorized Use of Computers 

Financial Implications of Security 

Breaches 

Source: CSI/FBI Survey 2005 


Copyright © 2005-2007, Krishna Rajagopal. Source: CSI/FBI Survey 2005 

Action adopted by the Victims 

Reasons Why Organizations did not 

Report the Crime 



Befriending the insider 

External Attacks Most Frequent 

 

 

 

Teaming up with an insider 

or planting someone within 

the organization. 

A recent U.S. Treasury 

Department analysis noted 

that more than 60 percent 

of reported computer 

intrusions involved an 

insider. 

One kind of insider is a 

person who may have 

stumbled upon a glitch 

unknown to system 

administrators. 

Internet 

connection 

Internal 

systems 

Frequent Points of Attack 

38 

Source: 2000 CSI/FBI Computer Crime and Security Survey 

59 

0 20 40 60 80 

Percent of respondents 

 

 

Greater use of 

Internet 

Tools & techniques 

evolve to enable 

new opportunities 

for attack 



20-Year Trend: Stronger Attack Tools 

Trend Has Continued 

Relative Technical Complexity 

self-replicating 

code 

password 

guessing 

exploiting 

known 

vulnerabilities 

password 

cracking 

back 

doors 

disabling 

audits 

sniffer / 

sweepers 

hijacking 

sessions 

packet forging / 

spoofing 

GUI 

stealth 

diagnostics 


Tools 

Average 

Intruder 

Relative Technical Complexity 

Windows 

Remote 

Control 

Trinoo 

Melissa 

DDoS 

Insertion 

Tools 

Stacheldraht 

PrettyPark 

 


Tools 

Kiddie 

Scripter 

1980 1985 1990 1995 

Source: GAO Report to Congress, 1996 

1998 1999 2000 

2001 



Part 2: To Hack Or Not To Hack … 

Hacker Skills 

 

 

A Skilled hacker will possess the following skills: 

Hacker Technologies 

– Internet Engineering 

– TCP/IP, NFS, Wireless networks, GPRS 

– System Administration 

– Windows 2000, Linux, Solaris, Palm OS etc. 

– Network Management 

– SNMP, Tivoli, HP OpenView, Switches, Routers etc. 

– Reverse Engineering 

– Decompiles, circuit breakers 

– Distributing Computing 

– J2EE, RPC, Corba, Web Services 

– Cryptography 

– SSL, PKI, Digital Certificates 

– Social Engineering 

– Charm people, sweet talking, human deception techniques 

– Programming 

– C++, Java, Perl, JavaScript, HTML, ASP 

– Databases 

– SQL Server, Oracle, DB2, MySQL 



Hacking Tools 

Hacker Underground Web Site 

http://www.cleo-and-nacho.com 

 

Hacking Tools are available at 

various camouflaged 

underground websites. 

 

Hacking Tools become more 

and more sophisticated and 

powerful in term of 

• Efficiency 

• Distributing 

• Stealth 

• Automation 

• User friendliness 

Click Here 



Hacking Tools are Available from Google 

Host 

These hacking tools could be 

easily download from the 

Internet. 

• Hacker tool ability increases. 

• Knowledge of hacker decreases 

• Population of hacker increases 

• Some day, even elementary 

school kid may hack into your 

system 

Your host does not 

need to be as famous as 

yahoo or ebay to be 

targeted 

• They need a place to 

hide their trace 

• They need your host as 

a stepping stone to hack 

other sites 

• They need your host 

resource to carry out 

their activities 



The Threats 

The Threats 

 

Hacking Tools become more and more 

sophisticated and powerful in term of 

• Efficiency 

• Distributing 

• Stealth 

• Automation 

• User friendliness 



The Threats 

The Threats 

 

These hacking tools could be easily 

downloaded from the Internet => 

– Hacker tool ability increases 

– Knowledge of hacker decreases 

– Population of hacker increases 

– Some day, even elementary school kid may hack into 

your system 

 

Your host does not need to be as famous as 

yahoo or ebay to be targeted 

– They need a place to hide their trace 

– They need your host as a stepping stone to hack other 

sites 

– They need your host resource to carry out their activities 



The Threats 

How they hack in 

 

 

 

Your host security weakness can be 

identified by scan tool 

Security of any network on the Internet 

depends on the security of every other 

networks 

No network is really secure 

 

General Steps 

• Locate the victim host by some scanning 

program 

• Identify the victim host vulnerability 

• Attack the victim host via this vulnerability 

• Establish backdoors for later access 



General Prevention 

How do PCs get infected 

Test and apply service packs and hotfixes 

Run and maintain antivirus software 

Run an intrusion detection system at the 

perimeter to your network 

Block all messages containing *.exe, *.vbs 

or *.dll attachments 

Reinstall infected systems 

 

Trojan horses 

• Animations 

• Screen savers 

• 'Y2K' utils 

• Video games 

 

Manual insertion 

• Through shares 

• Physical access 

Policy: 

Control hostile 

code on desktop 



We’re All in this Together 

End users 

Network 

Security 

Service 

Providers 

Attack : Corporate Espionage 

Software and 

System Vendors 



Scenario 

Demo 

Robin is working as a sales executive with a 

Drug manufacturing firm. Despite achieving 

the set target he fails to get the 

remuneration he desires. 

He feels his loyalty and commitment is not 

valued by his superiors. A frustrated Robin 

approaches the rival company for the post 

of Associate Manager (Sales) that was 

posted on a job site he had visited. 

The Manager of a rival company agrees to 

offer him the job if he could pass them the 

patent information related to a particular 

drug. 

Robin agrees to the condition. 



Part 3: Forensics – Catch Me If You Can 

What is Computer Forensics 

Computer hacking forensic investigation is 

the process of detecting hacking attacks and 

properly extracting evidence to report the 

crime and conduct audits to prevent future 

attacks. 

Computer forensics is simply the application 

of computer investigation and analysis 

techniques in the interests of determining 

potential legal evidence. 

Extremely important in the banking industry ! 



Thought … 

 

Beautiful ! Finally we have a way to bust those 

terrible hackers ! 

Answer: YES ! 

But .. Wait a minute ! 

Don’t the hackers know about Forensics 

Can they break in a Bank and escape with it 

Do you want to know how 

the hackers can make 

a fool of forensic experts 



Anti Forensics 

C’mon, I CANT HEAR YOU ! 

Do you want to know how 

the hackers can make 

a fool of forensic experts 



Forensic – a challenge 

Data Destruction 

• Data is evidence 

• Anti-Forensic Principles :- 

1. Data 

Destruction 

2. Data Hiding 

3. Data 

Contraception 

•DFT 

•Inode - Necrofile 

•Dir -Klismafile 





# ./ils /dev/hda6 

class|host|device|start_time 

ils|XXX|/dev/hda6|1026771982 

st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\ 

st_nlink|st_size|st_block0|st_block1 

12|f|0|0|1026771841|1026771796|1026771958|1026771958|100644|0|86|545|0 

13|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|546|0 

14|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|547|0 

15|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|548|0 

16|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|549|0 

17|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|550|0 

18|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|551|0 

19|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|552|0 

20|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|553|0 

21|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|554|0 

22|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|555|0 

23|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|556|0 

24|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|557|0 

25|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|558|0 

26|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|559|0 

27|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|560|0 

28|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|561|0 

29|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|562|0 

30|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|563|0 

31|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|564|0 

32|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|565|0 

33|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|566|0 

34|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|567|0 

35|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|568|0 

36|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|569|0 

37|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|570|0 

# 

# ./necrofile -v -v -v -v /dev/hda6 

Scrubbing device: /dev/hda6 

12 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f 





























Forensic – a challenge 

# ./ils /dev/hda6 

class|host|device|start_time 

ils|XXX|/dev/hda6|1026772140 

st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\ 

st_nlink|st_size|st_block0|st_block1 

# 

• Where is the rest Data 

Hiding & Data 

Contraception 



Part 4: Any Questions 

Question and Answer 

 

Q&A 

 



XtremeSecurity 

Questions 

 

 

Further trainings 

• Certified Ethical Hacker – March 2007 

• Computer Hacking Forensics Investigator – TBA 

• eBusiness (ERP/CRM/SCM/KM/CM) - TBA 

Services 

• Ethical Hacking & Penetration Testing 

• Enterprise Security Review 

• Computer Forensics Investigation 

 

Please direct your enquiries and questions 

to: 

• Services, Training and Exams 

– Feedback@xtremesecurity.com.hk 

• My Personal Email 

– Kraj@xtremesecurity.com.hk 



Thank You 

No Man is an Island. 

Get Connected! 

 

Thank you for your time. 


It is Break Time! Let’s have some Coffee

Hacking Forensics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?