Wednesday, March 29, 2017

C-t: Malware: bite-size learning No.4

If you have followed the Cyber-teaching (C-t) bite-size learning modules, hopefully you will have noticed several references to things you can do to help yourself as a single-person business, small business or other SME. Further proof that these types of business need to think on their feet and act quickly is the need to make sure you have backed up your data (files, etc.). Why this matters will become apparent quite shortly.

Initially, we need to look at attackers and tools of threat. Those who digitally attack your business look for the weakness in your security. They are looking at this:

The attacker's tools of threat may arrive in plain sight (an email attachment, etc.) or by stealth (unseen downloads when visiting webpages). They range from malware that is inconvenient, annoying or a threat to a person's reputation, through to ransomware (demanding money with menaces against the PC/laptop).

If your PC/laptop becomes infected you will find there are some very helpful and talented companies out there that provide free solutions for dealing with malware. The company I selected is Emsisoft ( ). When you visit their webpage have a look at all the malware decryption tools the company has created for malware file victims (MFV). In particular, note the number of downloads for each tool, which gives a clear indication of which malware is more prevalent in the marketplace.

    Decrypter for LeChiffre
    Decrypter for KeyBTC
    Decrypter for Globe2
    Decrypter for NMoreira or XRatTeam or XPan
    Decrypter for OpenToYou or OpenToDecrypt
    GlobeImposter Decrypter
    Decrypter for MRCR
    Decrypter for Globe3
    Decrypter for Marlboro
    Decrypter for OpenToYou
    Decrypter for GlobeImposter
    Decrypter for Stampado
    Decrypter for Fabiansomware
    Decrypter for Philadelphia
    Decrypter for FenixLocker
    Decrypter for Al-Namrood
    Decrypter for Globe ransomware
    Decrypter for OzozaLocker
    Decrypter for Nemucod
    Decrypter for DMALocker2
    Decrypter for HydraCrypt
    Decrypter for DMALocker
    Decrypter for CrypBoss
    Decrypter for Gomasom
    Decrypter for Harasom
    Decryptor for Xorist
    Decryptor for 777
    Decryptor for BadBlock
    Decryptor for Apocalypse
    Decrypter for ApocalypseVM
    Decrypter for Radamant
    Decrypter for CryptInfinite
    Decrypter for PClock
    Decrypter for CryptoDefense

Those who are familiar with using a PC/laptop and its desktop facilities may not be so familiar with the technical side, and tend to be put off investigating, hoping instead that the antivirus/malware detection cleaner will resolve the problem. In part it does, but it does not decrypt the malware file victims (MFV). This is why I chose the Emsisoft decryption tools: the decrypting process is very easy to follow, provided that as a user:

1) As you are familiar with creating a folder on the desktop, you can create a folder on a USB stick;
2) You know how to download a program;
3) You know how to copy and paste;
4) You know how to move a file from one location to another.

You may recall that "back up your data" was mentioned previously? Here is one reason for that. For the Emsisoft decryption tool to work it needs a) an original (unencrypted) file and b) its encrypted counterpart, the malware file victim (MFV), in order to conduct its decryption process.

Quite simply:

5) Create a folder on a USB stick (e.g. Malware Test);
6) Download a copy of the relevant decryption tool (determined by the file extension of the infected file (MFV), cross-referenced against the tools on the Emsisoft website);
7) Copy and paste the original file into the folder;
8) Move the infected file (MFV) into the folder;
9) Highlight both files (original and MFV);
10) Drag and drop both files onto the decryption tool icon and the program runs itself.
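Added here as a worked example of steps 6 to 8; it is not code from the original post and not an Emsisoft tool. Given a folder of backed-up originals and a folder of encrypted files (the post's malware file victims, MFV), it tallies the extra extension the ransomware appended, which is the value you cross-reference against the decrypter list, and copies each matching original/MFV pair into a working folder so both can be handed to a decrypter together. The folder names and the ".locked-EXAMPLE" extension in the demo are constructed placeholders, not a real ransomware extension.

```python
"""Pair backed-up originals with their encrypted counterparts and stage them.

Added example (not from the original post, not an Emsisoft tool). Assumes the
common ransomware naming pattern of original name plus one extra extension
(report.docx -> report.docx.<ext>); ".locked-EXAMPLE" below is a placeholder.
"""
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def find_pairs(backup_dir, infected_dir):
    """Match each encrypted file to its original by stripping the last extension.

    Returns (pairs, unmatched, ext_tally): the matched (original, mfv) paths,
    the encrypted files with no original in the backup (reported rather than
    silently ignored), and a count of appended extensions for cross-referencing
    against the decrypter list."""
    backups = {p.name: p for p in Path(backup_dir).iterdir() if p.is_file()}
    pairs, unmatched, ext_tally = [], [], Counter()
    for mfv in sorted(Path(infected_dir).iterdir()):
        if not mfv.is_file():
            continue
        original = backups.get(mfv.with_suffix("").name)  # drop only the appended extension
        if original is None:
            unmatched.append(mfv.name)
            continue
        ext_tally[mfv.suffix] += 1
        pairs.append((original, mfv))
    return pairs, unmatched, ext_tally


def stage_pairs(pairs, work_dir):
    """Copy each original/MFV pair into the working folder (the USB-stick folder
    in the post). Copies rather than moves, so the backup itself stays untouched."""
    work = Path(work_dir)
    work.mkdir(parents=True, exist_ok=True)
    staged = []
    for original, mfv in pairs:
        for src in (original, mfv):
            dst = work / src.name
            shutil.copy2(src, dst)
            staged.append(dst.name)
    return staged


def demo():
    """Build a throw-away folder layout with constructed files and run both steps."""
    root = Path(tempfile.mkdtemp(prefix="mfv-demo-"))
    backup, infected, work = root / "backup", root / "infected", root / "Malware Test"
    backup.mkdir()
    infected.mkdir()
    # Constructed sample content; the MFV bytes are junk, not real ciphertext.
    (backup / "report.docx").write_bytes(b"original report")
    (backup / "photo.jpg").write_bytes(b"original photo")
    (infected / "report.docx.locked-EXAMPLE").write_bytes(b"\x00junk")
    (infected / "photo.jpg.locked-EXAMPLE").write_bytes(b"\x00junk")
    (infected / "notes.txt.locked-EXAMPLE").write_bytes(b"\x00junk")  # no backup exists
    pairs, unmatched, tally = find_pairs(backup, infected)
    staged = stage_pairs(pairs, work)
    shutil.rmtree(root)
    return [mfv.name for _, mfv in pairs], unmatched, dict(tally), staged


if __name__ == "__main__":
    matched, unmatched, tally, staged = demo()
    print("matched MFVs:", matched)
    print("no original found for:", unmatched)
    print("appended extensions seen:", tally)
    print("staged in working folder:", staged)
```

Run it once against the throw-away demo, then point `find_pairs` at your real backup and infected folders; files listed as unmatched are ones you have no backup for, which is exactly the situation the post is warning about.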

Always read and follow the decryption tool's instructions.

Remember to run your antivirus/malware detection cleaner programs on your PC/laptop and don't forget to do the same for the USB stick.

Lastly, there are no guarantees that decryption or release tools will work, and a tool may simply not have been created yet for a particular piece of malware, so keep hunting and be patient.

Where fake programs hold a user to ransom and demand the input of a release key, professionals have noted a number of commonly used unlock keys:

Master Boot Record Blocking Keys Unlock Codes:

- Pwn8
- 721A
- g81A
- wb8A
- oc8A
- Gd8A
- Wf8A
- lc5L
- Og8A
- 7j8A
- 7r9A
- gx9A
- xmnL
- XqnL
- prnL
- hsnL
- 8unL
- PvnL
- HwnL
- 0znL
- XapL
- pbpL

Frequent common keys unlock codes:


As a reminder, using these keys won't clean your PC/laptop; you will still need to run antivirus/malware detection cleaner programs.

These C-t: bite-size learning modules are free of charge. They are based upon research and surveillance in the marketplace to help others. There is no connection with the companies or their products.

Cyber-teaching: bite-size learning No.3

In posting these Cyber-teaching: bite-size learning modules for single-person businesses, small businesses and other SME categories, the intention is to make explicit what is implicit in running these types of business: limited finances. To bridge the financial disadvantage to which larger organisations do not appear to be exposed, the information highlighted in these modules aims to show how free-of-charge tools and literature, or tools and literature at minimal cost, can help put cyber-prevention or cyber-security in place on a very modest budget. For a single PC/laptop this can be as little as nothing to £150.00 if a user is willing to be security-aware and conscientious in practising security.

By 'practising security' I mean adopting practical procedures that users can carry out. For instance, does your PC/laptop need to be "always on", that is, constantly connected to the internet? Could you not switch off 'WiFi' until you need it, put the wireless settings into 'Pilot Mode', or remove the telecom plug from the PC/laptop until you are ready to go online again?

How do you conduct malware (virus/ransomware/etc.) testing? Only on email attachments? What about USB sticks connected to the PC/laptop? Have you ever thought of getting a second-hand PC/laptop, installing free anti-malware/anti-phishing software on it, and using only that machine for internet connectivity, keeping no business information or important data on it? If the user then uses the second-hand PC/laptop solely for internet access, emails/attachments and USB connections, and the free anti-malware programs don't work and the machine is held hostage, then what the heck. Just wipe the drive clean and start again: 10 Alternative PC Operating Systems You Can Install ( ).

One useful publication costing just £0.99 (yes, 99 pence) is available from Amazon and published by PeerLyst - Second Community eBook: Essentials of Cybersecurity (  ).

If you believe your skillset is sufficient to understand networks as well, then here is a publication which is FREE and can be downloaded from the internet, called Cybersecurity for Dummies (  ).

Moreover, the British Government hosts a webpage called "Cyber security guidance for business" ( ) which is full of free and helpful advice and where to get help.

Cyber-teaching: bite-size learning No.2

We are told there are many millions of PCs/Laptops bleeding information, leaking details (about devices, their operations and data) on to the world wide web (WWW). That being so, it must generate voluminous traffic (in addition to the payload it brings to the receiving party). This suggests to me that, today, the WWW might also justify the title "information-spillage superhighway".

We are also told we're not doing enough to control the flow (egress) of information from our devices. That could be because, for some, it is not easy to change mind-sets at the flick of a switch. Some basic information is needed to help us understand what to look out for on our PCs/Laptops.

I mentioned bite-size learning (No.1) when cyber-teaching to assist cyber-discovery for those who are not technical or technology-savvy, or who are overwhelmed by technical presentation. The Graphical Network Monitor shown yesterday is a useful graphical user interface (GUI) for presenting a static picture of programs and the connections those programs can make outside the PC/Laptop, etc., and outside the organisation (WWW).

There are many built-in software tools within operating systems, but the less knowledgeable may not be aware of them. Sometimes when cyber-teaching it can be helpful to show how an external program (e.g. ESET SYSINSPECTOR) can extract that information from the PC/Laptop to illustrate, for instance, the "active programs" at the system level that are communicating with the outside world whilst the user's PC/Laptop is powered up and logged on.

So the user has already seen "the GUI" previously and can now see how information harvested via SYSINSPECTOR can be obtained about active programs on the PC/Laptop. Looks too technical? Maybe not. Everything in life is a state of mind; the more complex you think something is, the more you convince yourself it is difficult. Changing that state of mind perhaps requires imaginative ideas to turn the so-called complex and difficult into an ordinary, everyday practice with which people are familiar. In this case, the photo image could be described and read as if it were a cooking recipe.

The SYSINSPECTOR program is your recipe book showing various recipes. At the top, the filtering (which is a risk indicator) can be set the same way one would set the temperature on the oven. Metaphorically speaking, the riskier the program, the higher the cooking temperature (food burns).

The highlighted program (in green) is a recipe you didn't realise was in the book. The recipe is not good for you because it has an ingredient in it to which you have an allergic reaction (nuts); it is a high risk to you and needs to be quarantined or removed. Importantly, you need to know whereabouts in the recipe the ingredient that can cause the allergic reaction is located; this is found in the program processes (top right-hand pane). Finally, you need to know whether the ingredient is needed to make the recipe work. Can it be substituted with something safer? If not, should you switch it off and remove the program (the status is shown in the bottom right-hand pane)?

I am not suggesting you should follow the above, just illustrating that cyber-teaching does require using varying techniques to get the message across.

So the next step forward? Can you help others know which are safe programs and which are not? Can you show others how to switch off an offending program and then remove it?

In closing, there are a number of points from my observations in this discussion that I would like to raise with you:

1) In writing these bite-size discussions I am not telling you what to do or selling anything; nor am I selling any teaching (this is free here). I do not work for or on behalf of any of the organisations mentioned.
2) Single-person businesses and self-employed and SMEs do not have a fortune to spend and cannot bank-roll vast monitoring services.
3) The above workplaces need cost-effective methods.
4) The two programs identified in this bite-size discussion: the GUI costs approx. £4.00 sterling, but there are other free versions, and the other (SYSINSPECTOR) is free of charge. Again, there are other tools out there that can do a similar job, too. Remember these are what we call starting-point tools to introduce a subject and assist comprehension.
5) There is a wide range of programs out there that monitor in 'static' and 'live' modes (and that is important, too), but this discussion is about awareness first, and then strengthening your knowledge thereafter.
6) The tools discussed can be installed and run from a USB stick.
7) Before changing anything on your PC/Laptop get hold of a second-hand PC/Laptop and play around until you feel comfortable with making changes to your own PC/Laptop.
8) Remember to always back-up your data etc. first.

Cyber-teaching: bite-size learning No.1

Cyber-teaching requires practical demonstrations to help those who are not technical or technology-savvy, or who are overwhelmed by monitoring service promotions showing PC screens with multiple open panes of streaming data.

Bite-size learning can be helpful. For instance, using a Graphical Network Monitor, demonstrate where in the world a program is connecting to and what the destination point is. Is the program required to connect there and, if not, how can that process be stopped?

In the scheme of things this is not massive cyber-discovery, but it is something I have found clients/customers find useful to know.

Wednesday, March 01, 2017

Digital Finance Stakeholders

Digital forensic students looking to research digital finance may find this useful as a starting point.

Through the financial support of the Bill & Melinda Gates Foundation, MicroSave is conducting a four-year research project in the following eight focus countries as part of the Agent Network Accelerator (ANA) Project:

Good luck!!

MI5, MI6 and GCHQ

Wow!!! What a brilliant digital image for recruitment; and if they're thoughtful enough and that good at presenting their case, why aren't you believing in yourself enough to enquire about national security careers in our country? Come on! Go beyond the fear of others knowing your value.

You think differently.
You create and innovate.
You safeguard our nation.
Technology, Software and Engineering roles
Salary depending on role and experience
A range of locations including London and Cheltenham
At MI5, MI6 and GCHQ, we safeguard the nation. In our worlds, innovation is boundless and technology is limitless. While we have our own unique specialisms, we work closely together to ensure the UK is always protected from a range of threats – both here, and overseas.
We're looking for creative problem-solvers who naturally think differently. Ours is a culture where creativity and innovation is as valued as expertise and insight. So whether you have years of experience, or are just starting out, we offer tailored training to help you safeguard our nation.
We have a range of opportunities across MI5, MI6 and GCHQ, in a range of locations, including:
  • Business Analyst (MI6)
  • Project Manager (MI6)
  • Software Specialist and Support Role (MI6)
  • Software Graduate and Support Role (MI6)
  • Global IT Infrastructure Engineer (MI6)
  • Covert Technical Operations Specialist (CTOS) (MI5)
  • Cyber Technical Analysts (MI5)
  • Various technical opportunities (GCHQ)
To work in a world where the seemingly impossible is made possible, please visit:

Thursday, February 23, 2017

Secrets and Evidence of Older Mobiles

It is good to learn that the Nokia 3310 may make a return, albeit with an Android operating system. The nostalgia for these types of mobile phones has clearly not been lost. What it might suggest is that consumers still want a mobile telephone to remain a mobile telephone and to look like one.

The older mobile phones I have in mind though are the ones that are still used in examinations, investigations and research. Since there is nostalgic sentiment in the air I thought you might be interested in some examples of older mobile phones from my lab toolkit.

Now, these old buzzards are used for basic GSM telephony services. There isn't a universal SIM that will work with all of them, as some from my collection operate with a 5-volt SIM and so on. Importantly, they are used because they have an external antenna, in some cases an extendable one. In some investigation instances the RSSI will show network detection and a small amount of RF power, whereas mobiles/smartphones with embedded antennas show Emergency Calls Only.

You might recall I have written numerous articles on radio surveys and two that may seem appropriate to this discussion are:

CSA: Mobile Phones and Fringe Coverage

GSM Radio Test Measurements

The next selection of mobiles/smartphones each provide different radio characteristics due to the manufacturer's selection of RF chipset and functionality.

My five beauties, as I call them, are my Nokia 3210s. Great phones, and they still operate perfectly well today. You can also see in the photo that all bar one mobile have an embedded antenna. Some are mobile phones and some are smartphones. Combined, they offer the ability to do RF surveys and to test voice telephony, data downloads, instant messaging etc. The common laptop application Network Monitor (NMonitor/NetMonitor) still provides good feedback when connected to the Nokia 3210 (nmon activated). Blackberry requires a bit of setting up with applications such as MagicBerry, BBHTool, etc., and creating JAD files (depending on what you want to achieve). The Samsung models GT-I8160 and GT-I9100 are both used with 2G and 3G networks and illustrate the point that two models of smartphone from the same manufacturer display different RF survey details.

Now I won't bore you with an explanation of the details, other than to say these investigation RF surveys require knowing the various ServiceMode states. In particular, if you are conducting a PRACH and RACH survey, relevant to investigations of Access Requests (e.g. the phone is not in idle mode but seeking a service), then the GT-I9100 is useful in that it displays not just the LAC but also the Cell ID on which the RACH (access) request was made. Quite a few mobiles do not do this when looking into the ServiceMode states. You have to be quick, mind you, as the ServiceMode screen changes fairly quickly if you are not ready to take a photo.

Yet another, quite old-ish, mobile phone that I haven't shown so far is the Nokia 6303. The photo shown below should explain everything. But for those not familiar with testing and examination: where a charge appears in the billing for an SMS, or at least the billing shows that an SMS was sent to a called number (even if the sent message is free), it is quite possible that the receiving party could read the message but that it won't have been saved. This is known as a Class 0 message (commonly referred to as a Flash Message). Depending on the make and model of mobile phone, part or all of the message, which is only held in RAM, might still be recoverable, provided seizure and examination are undertaken and completed fairly quickly, as RAM is updating perpetually.

The Nokia 6303 is one of those mobiles where the handset manufacturer, in combination with the mobile network operator, enabled this feature, as they foresaw revenue generation from it and also recognised that the reasonable memory storage capacity in the handset and SIM card need not be blocked up with trivial messages.

The 6303 came with a 940 MB memory card for downloaded applications etc. This proved to be useful in an investigation where text messages did not consist of alphabetic characters but of a series of dots and dashes. At first it was thought these were incomplete text chat messages, or some sort of smiley face that didn't form properly when typed on the screen.

When reviewing hundreds of text messages recovered from a mobile or smart phone it is quite easy to overlook or ignore a message as meaningless. However, I researched the matter and, following testing, the message turned out to be Morse code. I tracked down the application for this and cross-checked it against the device that had been examined.


So next time you see a text message with an odd presentation, look closely to see if it has relevance, and check whether your mobile phone forensic suite has the capability either to identify that the message contains additional features or to translate the message.
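As an added example (not from the original post, and not part of any forensic suite), here is the kind of triage check the paragraph above calls for: it flags a message body made only of Morse symbols and separators and decodes it with the International Morse table, so a "dots and dashes" message is not dismissed as a broken smiley. The dash look-alikes it normalises and the word-break rules are my assumptions about what a keypad app might emit; the sample messages are constructed and are not case data.

```python
"""Triage helper for dot-and-dash SMS bodies (added example, not from the post).

Assumptions: letters are separated by single spaces and words by ' / ' or a
run of three or more spaces; en/em dashes and the minus sign are treated as
dashes. Punctuation signs are deliberately left out of the table.
"""
import re

# International Morse, letters and digits.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Dash look-alikes a handset or app may emit: en dash, em dash, minus sign.
DASH_VARIANTS = {"\u2013": "-", "\u2014": "-", "\u2212": "-"}
SYMBOLS_ONLY = re.compile(r"^[.\- /]+$")


def normalise(body):
    """Map dash look-alikes to '-', trim, and turn runs of 3+ spaces into ' / '."""
    for variant, ascii_dash in DASH_VARIANTS.items():
        body = body.replace(variant, ascii_dash)
    return re.sub(r"\s{3,}", " / ", body.strip())


def looks_like_morse(body):
    """True when the body is nothing but dots, dashes and separators and holds
    at least two symbol groups. A lone '...' is far more likely an ellipsis
    than the letter S, so single-group bodies are not flagged."""
    text = normalise(body)
    if not text or not SYMBOLS_ONLY.match(text):
        return False
    groups = [g for g in re.split(r"[\s/]+", text) if g]
    return len(groups) >= 2


def decode_morse(body):
    """Decode a Morse body. Symbol groups not in the table become '?' so the
    analyst can see exactly where decoding failed instead of losing characters."""
    words = []
    for word in normalise(body).split("/"):
        letters = [MORSE.get(sym, "?") for sym in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def triage_messages(messages):
    """Return (index, decoded_text) for every message that looks like Morse."""
    return [(i, decode_morse(m)) for i, m in enumerate(messages) if looks_like_morse(m)]


# Constructed sample: a normal text, two Morse bodies (one with a slash word
# break, one with a wide gap), an ordinary trailing ellipsis, and a bare '...'.
SAMPLE_MESSAGES = [
    "See you at 8",
    "... --- ... / -- .- -.-- -.. .- -.--",
    "ok...",
    "-.-. .- .-.. .-..   -- .",
    "...",
]

if __name__ == "__main__":
    for idx, text in triage_messages(SAMPLE_MESSAGES):
        print(f"message {idx} decodes to: {text}")
```

Feed `triage_messages` the message bodies exported from your suite; anything it returns deserves a second look, and a '?' in the output marks a symbol group the table did not recognise.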

Hope you have enjoyed this brief look at older mobile phones used in and for mobile forensic examination, investigations and research.

Wednesday, February 01, 2017

HERREVAD Databases Geo Location Artefacts

From a recent discussion regarding HERREVAD databases it has emerged that they are in fact an undocumented Android feature of Google Mobile Services (GMS). Any data extracted and harvested from these databases is recovered on an "as is" basis. Oxygen Forensic Detective 911 WiFiHistory.png presents a helpful and useful example of data recovered from HERREVAD:

The research conducted found that little has been written about HERREVAD (GMS). There may be more information out there, possibly in an internet walled garden, but not very much is revealed by the well-known internet search engines. What has been discovered is recorded below, so that should more information come to light this discussion can be updated.

As can be seen in the above screen image, it shows records of WiFi history: connections to WiFi networks. In this regard, as has been previously stated in another discussion at this blog, WiFi location analysis should naturally form part of cell site analysis, as smartphones have multiple radios in them (

Three databases have been identified so far, but no information was found that described what each database actually records, so the assumptions are based upon the titles of the databases and the data recovered:


Moreover, no guidance was found to define whether the databases provide data-support to one another. It is an assumption that the information stored in each combines to provide an abstract of connection events. It could be said this is evidence of the 'fact' that the data are recorded there. It means the recording was made because the smartphone's sensor activity showed that the device had detected and decoded the WLAN networks, including SSID and BSSID (MAC address) information, as well as timestamps; thus there was proximity to a source. So here is potential evidence, but it does not necessarily confirm what happened during the connection.

The above image, WiFiHistory.png, displays a number of connections consistent with the same network (so to speak) on various dates and times. It is possible to draw from that an inference of a device in regular proximity to a particular WiFi network, and thus a 'distance' (in space and time) to a location. This would support the merits of investigating those identities.

The only independent document found at this time discussing HERREVAD is from Connie Bell, in her partial MSc thesis:


In this thesis Connie states:

"However, during a review of the databases' contents, it became clear that the database did not capture all of the instances in which the devices were connected to WLAN networks, based on test session activity."

"From these examinations, it seems clear that connectivity-related log artifacts may be quite useful in ruling out the possibility that the WLAN sensor was disabled at a particular time. However, it may be more difficult to affirm that the sensor was indeed enabled at a particular time, since these logs seem to only document when the device is actually connected to a network."

"A device may have the WLAN functionality enabled but be out of range or not connected due to wireless network security, for example. In situations like these, it seems the log files would not indicate that the device WLAN feature was active, since the device would then default to cellular data services."

The research took into account Connie's observations regarding lost WiFi updates to the databases. Two useful web resource sites to search are GitHub and Pastebin; both commonly host various types of processing dumps which yield useful clues for investigation.

The following is part of a logcat dump. The logged failed event (highlighted in red in the original) could be because the device's proximity to or from a network, or surrounding noise, meant insufficient data was available to complete sending a HERREVAD record update, or because the third-party plugin failed for some other reason:

( from content://downloads/my_downloads/6 format 2
12-26 19:31:01.741   536   536 I installd: free_cache(6186696) avail 33903247360
12-26 19:31:01.764  4260  4260 V Herrevad: NQAS connected
12-26 19:31:01.776  1016  2567 D WifiService: New client listening to asynchronous messages
12-26 19:31:01.796  4678  4678 I ConfigService: onCreate
12-26 19:31:01.927  4260  7615 I ReportNQOperation: [202] g.a: Not enough data to save wifi report to local

This .pdf shows a complete logcat dump from a post on Pastebin. Another example can be found here at GitHub.

It was noted during research that a number of logcat dumps were for third-party apps making use of the HERREVAD databases, so any further research may wish to include:

- Gaming
- Apps download
- Weather
- Travel
- Leisure (running etc)
- Photos
and so on

Some search terms you may wish to consider when analysing images from smartphones or logcat dumps:

Connie Bell thesis suggests:

select local_reports.network_type, local_reports.ssid,
local_reports.security_type, local_reports.bssid,
as "Converted timestamp (UTC)"
from local_reports
order by local_reports.timestamp_millis asc

Additionally, from the research here it is suggested the following may be helpful, too:

download or downloaded

Time-stamps may require conversion, so here are a couple of sites that might assist you:

Further research will continue and efforts will be made to update this thread. If any reader can provide additional information, please send an email to and provide your details, confirming whether you wish to have these included in any update.
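As an added worked example serving both the logcat excerpt above and the query quoted from Connie Bell's thesis (it is not code from the original post, from Oxygen Forensics or from the thesis), the script below does two things a practitioner would otherwise do by hand: it pulls the Herrevad and ReportNQOperation lines out of a logcat dump and flags the "Not enough data to save wifi report" failure, and it runs a thesis-style query against a local_reports table, converting timestamp_millis to a UTC string in SQLite. Assumptions, all mine: the quoted lines follow the standard logcat "threadtime" layout; the table has only the five columns named in the quoted query; the conversion uses SQLite's datetime(..., 'unixepoch') idiom, which the quotation leaves out; and every log line and table row is constructed sample data, not material recovered from a device.

```python
"""Defender-side helpers for HERREVAD material (added example, not from the post).

  scan_logcat()            - find Herrevad / ReportNQOperation lines, flag failures
  convert_local_reports()  - thesis-style query with timestamp_millis -> UTC text

Table layout and the conversion expression are assumptions (see lead-in);
all sample data is constructed.
"""
import calendar
import re
import sqlite3

# Constructed sample in the shape of the lines quoted in the post.
SAMPLE_LOGCAT = """\
12-26 19:31:01.741   536   536 I installd: free_cache(6186696) avail 33903247360
12-26 19:31:01.764  4260  4260 V Herrevad: NQAS connected
12-26 19:31:01.776  1016  2567 D WifiService: New client listening to asynchronous messages
12-26 19:31:01.796  4678  4678 I ConfigService: onCreate
12-26 19:31:01.927  4260  7615 I ReportNQOperation: [202] g.a: Not enough data to save wifi report to local
"""

# logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF]) (?P<tag>[^:]+):\s*(?P<msg>.*)$"
)
HERREVAD_TAGS = {"Herrevad", "ReportNQOperation"}


def scan_logcat(text):
    """Return one dict per Herrevad-related line; 'failed' marks the
    'Not enough data to save wifi report' event the post discusses."""
    hits = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or m.group("tag") not in HERREVAD_TAGS:
            continue
        rec = m.groupdict()
        rec["failed"] = "Not enough data" in rec["msg"]
        hits.append(rec)
    return hits


def utc_millis(y, mo, d, h, mi, s):
    """Epoch milliseconds for a UTC wall-clock time (used only to build sample rows)."""
    return calendar.timegm((y, mo, d, h, mi, s, 0, 0, 0)) * 1000


def convert_local_reports(rows):
    """Load constructed rows into an in-memory local_reports table and run a
    query in the style of the one quoted from the thesis. The datetime(...,
    'unixepoch') expression is the usual SQLite idiom for millisecond epochs
    and is an assumption: the quoted query omits it."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table local_reports (network_type integer, ssid text, "
        "security_type integer, bssid text, timestamp_millis integer)"
    )
    con.executemany("insert into local_reports values (?,?,?,?,?)", rows)
    query = (
        "select network_type, ssid, security_type, bssid, "
        "datetime(timestamp_millis / 1000, 'unixepoch') as \"Converted timestamp (UTC)\" "
        "from local_reports order by timestamp_millis asc"
    )
    out = con.execute(query).fetchall()
    con.close()
    return out


# Constructed rows, inserted out of order: one SSID seen on several dates, which
# is the "regular proximity" pattern the post draws an inference from.
SAMPLE_ROWS = [
    (1, "HomeNet-EXAMPLE", 2, "00:11:22:33:44:55", utc_millis(2016, 12, 26, 19, 31, 1)),
    (1, "HomeNet-EXAMPLE", 2, "00:11:22:33:44:55", utc_millis(2016, 12, 24, 8, 2, 15)),
    (1, "CafeWifi-EXAMPLE", 0, "66:77:88:99:aa:bb", utc_millis(2016, 12, 25, 12, 0, 0)),
]

if __name__ == "__main__":
    for rec in scan_logcat(SAMPLE_LOGCAT):
        print("FAIL" if rec["failed"] else "ok  ", rec["time"], rec["tag"], rec["msg"])
    for row in convert_local_reports(SAMPLE_ROWS):
        print(row)
```

Against a real extraction you would open the recovered database file instead of `:memory:` and skip the insert; the query and the scanner are otherwise unchanged. Note that a 'failed' ReportNQOperation line is exactly the kind of event that explains a missing local_reports row, which is the gap Connie's observations describe.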

Thursday, January 19, 2017

The Crime Survey for England and Wales 2016

For the first time in its annual report, the Office for National Statistics (ONS) - - has included the offences of Fraud and *Computer Misuse (also see sub-label 'cybercrime') in The Crime Survey for England and Wales 2016 ons.yearendingsept2016/pdf

MTEB & IDF .\fcord adopted Chapter 18 as a focus group from the original Computer Misuse Act (CMA) 1990 Chapter 18, which makes wide provision for events associated with misuse of computer devices and systems. The CMA has been subjected to amendments over the years; for example, the Police and Justice Act 2006 Chapter 48 amends the Computer Misuse Act (see Part 5, sections 35-38). Those amendments came into force on October 1, 2008.

Recent work of Chapter 18 can be found here.

Investigating AKA - USIM MILENAGE Attack
For the last two years Chapter 18 (Smith et al.) have been studying AKA (authentication and key agreement). One candidate algorithm set for AKA is MILENAGE which, in work done in 2014 and published in 2015, was attacked using DPA (differential power analysis, a side-channel attack).

Having spent 2016 researching through a huge range of documents, presentations, test data, scripts etc., it was noted that nothing had been written about what to look for and how practitioners could handle this information. It is hoped that this presentation, with its discussion and embedded links, goes some way to helping those willing to learn.

Saturday, October 15, 2016

ISO/IEC 17025/17020 - One-Person Organisation

Having just finished part two of the work study into QA and Laboratory Accreditation MTEB UK SEMINARS 2016 II v03- QA Lab Accreditation.pdf ( ) I came across this cracking article by Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA) titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons." ( )

Basically, Karin's article helps us understand that one-, two- or three-person organisations should not be put off, but can and should apply for ISO/IEC 17020 and 17025 accreditation, as the requirements are not insurmountable, particularly when it comes to deciding to whom the quality manager's role, audits etc. will be allocated and who will be deemed responsible. I also read this to mean that accreditation bodies (ABs) might need to widen their outlook to appreciate that many roles in an accredited system can be held by one person.

Karin's article is a recommended read.