2013
Information Security
and Anti‐Forensics
VERSION 3
MISSIONMAN
P a g e | 1
Foreword
Computer security is not just a science but also an art. It is an art because no system can be considered
secure without an examination of how it is to be used. All components must be examined and you
must know how an attacker goes about a system before you can truly understand how to best defend
yourself. This is where this guide comes in; it exists for the purpose of examining these methods of
attack and the implementation for attack mitigation. You will learn the common techniques used for
attack and how to protect yourself from them. This guide should not be used as an in‐depth analysis of
each attack, but a reference for each of the attacks that exist.
Acknowledgements
RogerNyght
I want to thank RogerNyght for creating the Tails Guide. This amazing guide steps you through the
process of installing and using Tails at home as well as the features that it hosts. Anyone thinking
about using this Operating System for true anonymity and security should read this guide in its entirety.
All credits, attributions, and works go to him for this section. Thanks again!
CuriousVendetta, Goodguy, RogerNyght, and All
After writing this guide, it was apparent that there was a bunch of errors littered throughout the thing.
Thanks to everyone for spending the time going over it and performing a sanity check. It was found that
I am only half as crazy as I thought. Thanks everyone!
Table of Contents
Chapter 1 _ The CIA Triad ... 9
Chapter 2 _ Recommendations ... 10
2.1. Learn how to chat ... 12
2.2. Intro to Tails ... 14
2.3. Intro to Whonix ... 15
Chapter 3 _ Encryption ... 20
3.1. Encryption Dealing with Confidentiality ... 21
3.2. Encrypting Files or the Hard Drive ... 23
3.3. Securely Exchanging Messages, Data, and Signing Data ... 29
3.4. Steganography ... 34
3.5. Authentication Factors ... 34
3.6. Password Attacks and Account Recovery Attacks ... 37
3.7. Creating Secure Passwords ... 37
3.8. Hashing, Hashing Collisions, and Birthday Attacks ... 38
3.9. Cold Boot Attacks ... 39
Chapter 4 _ Data ... 41
4.1 A Quick Word ... 42
4.2 Deleted Data ... 42
4.3 Deleting Data Securely ... 44
4.4 File Slack ... 45
4.5 Alternate Data Streams ... 47
4.6 Where to Hide Your Data ... 49
4.7 Changing File Headers to Avoid Detection ... 49
4.8 Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache ... 51
4.9 Temporary Application Files and Recent Files Lists ... 53
4.10 Shellbags ... 58
4.11 Prefetching and Timestamps ... 60
4.12 Event Logs ... 60
4.13 Printers, Print Jobs, and Copiers ... 61
4.14 Cameras, Pictures, and Metadata ... 62
4.15 USB Information ... 65
4.16 SSD – Solid State Drives ... 65
4.17 Forensic Software Tools ... 66
Chapter 5 _ Continuity ... 68
5.1 Security Concerns with Backups ... 69
5.2 Security Concerns with Sleep and Hibernation ... 69
5.3 Ensuring Information and Service Continuity ... 70
5.4 DoS and DDoS attacks ... 71
Chapter 6 _ System Hardening ... 75
6.1. Uninstall Unnecessary Software ... 76
6.2. Disable Unnecessary Services ... 76
6.3. Disable Unnecessary Accounts ... 77
6.4. Update and Patch Windows and Other Applications ... 78
6.5. Password Protection ... 79
Chapter 7 _ Antivirus, Keyloggers, Firewalls, DLP’s, and HID’s ... 81
7.1. Antivirus ... 82
7.2. Hardware Keyloggers ... 83
7.3. Firewalls ... 83
7.4. DLP’s ... 83
7.5. HIDS’s and NID’s ... 84
7.6. Other Considerations ... 84
Chapter 8 _ Networks ... 85
8.1. Intro to Networking ... 86
8.2. Private vs. Public IP Address ... 91
8.3. MAC Address ... 91
8.4. Public Wireless ... 92
8.5. Security Protocols ... 96
8.6. Virtual Private Networks ... 99
8.7. Chat Sites ‐ How Attackers Attack ... 104
8.8. Other Considerations ... 108
8.9. Extra: MAC Address Spoofing and ARP Attacks ‐ How they work ... 110
Chapter 9 _ Web Browser Security ... 113
9.1. Downloading and Using the Tor Browser Bundle ... 114
9.2. Configuring Web‐Browsers and Applications to Use Tor ... 115
9.3. What is Sandboxing and What is JIT Hardening, and Why Do I Care? ... 117
9.4. JavaScript ... 117
9.5. Cookie Protection and Session Hijacking Attacks ... 118
9.6. Caching ... 119
9.7. Referers ... 119
9.8. CSRF/CSRF Attacks (XSS Attack) ... 120
9.9. Protect Browser Settings ... 120
9.10. DNS Leaks ... 121
9.11. User Awareness, Accidents and System Updates ... 122
9.12. Limitations ... 122
9.13. Extra ... 123
Chapter 10 _ Tails ... 124
10.1.1. Tails’ concept ... 125
10.1.2. Why can’t I use another OS / Windows in a VM? ... 126
10.2.1. How to choose strong passphrases ... 126
10.3.1. Requirements for Tails ... 127
10.4.1. First steps ... 127
10.4.2. Using Tails as a completely amnesic system ... 127
10.4.3. Using Tails with a persistent volume ... 128
10.5.1. Encryption of an external drive ... 128
10.5.2. How to mount a LUKS‐encrypted volume in Windows ... 128
10.6.1. Secure deletion of a drive or partition ... 129
10.7.1. Using the persistent volume ... 129
10.7.2. Storing files on the persistent volume ... 130
10.7.3. Firefox bookmark management ... 130
10.7.4. The password manager ‐ Passwords and Encryption Keys ... 131
10.7.5. Pidgin for IM/Chat/IRC ... 132
10.8.1. Installing software: The basics ... 132
10.8.2. Recommended software additions ... 133
10.8.3. I2P / iMule (not recommended) ... 135
10.8.4. TorChat (not working) ... 135
10.9.1. File and folder handling in Terminal ... 135
10.10.1. General advice ... 136
Chapter 11 _ Hacking Tools ... 138
Fingerprinting and Reconnaissance ... 140
DNS Interrogation Tools ... 140
Email Tracking Tools ... 140
Google hacking Tools ... 140
Monitoring Web Updates Tools ... 141
Traceroute Tools ... 141
Website Footprinting Tools ... 141
Website Mirroring Tools ... 141
WHOIS Lookup Tools ... 141
Other Links ... 141
Scanning Networks ... 142
Banner Grabbing Tools ... 142
Censorship Circumvention Tools ... 142
Custom Packet Creator ... 143
Network Discovery and Mapping Tools ... 143
Packet Crafter Tool ... 143
Ping Sweep Tools ... 143
Proxy Tools ... 143
Scanning Tools ... 144
Tunneling Tools ... 144
Vulnerability Scanning Tools ... 144
System Hacking ... 145
Anti‐Rootkits ... 145
Anti‐Spywares ... 145
Covering Tracks Tools ... 145
Keyloggers ... 146
Password Cracking Tools ... 146
Viruses and Worms ... 147
Virus programs and Generators ... 147
Viruses ... 147
Worms Maker ... 147
Sniffing ... 148
ARP Spoofing Detection Tools ... 148
DHCP Starvation Attack Tools ... 148
MAC Flooding Tools ... 148
MAC Spoofing Tools ... 148
Sniffing Tools ... 148
Social Engineering ... 149
DoS ... 149
Session Hijacking ... 150
Session Hijacking Tools ... 150
Hacking Webservers ... 150
Information Gathering Tools ... 150
Webserver Attack Tools ... 150
Session Hijacking Tools ... 150
Vulnerability Scanning Tools ... 151
Web Application Security Scanners ... 151
Webserver Footprinting Tools ... 151
Webserver Security Tools ... 151
Hacking Web Applications ... 151
Session Token Sniffing ... 151
Web Application Hacking Tools ... 152
Web Service Attack Tools ... 152
Web Spidering Tools ... 152
Webserver Hacking Tools ... 152
Web Application Pen Testing Tools ... 152
Web Application Security Tools ... 153
SQL Injection ... 153
SQLi Injection Tools ... 154
Hacking Wireless Networks ... 154
Bluetooth Hacking Tools ... 155
GPS Mapping Tools ... 155
Mobile‐based Wi‐Fi Discovery Tools ... 155
RF Monitoring Tools ... 155
Spectrum Analyzing Tools ... 155
WEP Encryption ... 155
WEP/WPA Cracking Tools ... 155
Wi‐Fi Discovery Tools ... 156
Wi‐Fi Packet Sniffer ... 156
Wi‐Fi Predictive Planning Tools ... 156
Wi‐Fi Security Auditing Tools ... 156
Wi‐Fi Sniffer ... 156
Wi‐Fi Traffic Analyzer Tools ... 156
Wi‐Fi Vulnerability Scanning Tools ... 157
Evading IDS, Firewalls, and Honeypots ... 157
Firewalls ... 157
Honeypot Detecting Tools ... 158
Honeypot Tools ... 158
Packet Fragment Generators ... 158
Buffer Overflow ... 158
Chapter 12 _ Standard Acronyms ... 159
Chapter 13 _ Download Links ... 159
Chapter 1 _ The CIA Triad
In this guide I am going to reference a well‐known security policy that was developed to identify problem
areas and the recommended solutions when dealing with information security. This policy is known as
the CIA and stands for: Confidentiality, Integrity, and Availability. This triad was developed so people will
think about these important aspects of security when implementing security controls. There should be a
balance between these three aspects of security to ensure the proper use and control of your security
solutions.
Confidentiality is, as the word implies, having something be confidential or secure. In essence, privacy is
security and confidentiality means that third party individuals cannot read information if they do not have
access to it. Data to think about keeping confidential is data stored on a computer (temporary data, data
saved, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality
will be the main focus point of this article as it is most often referred to as the most important aspect of
security.
The I in CIA stands for Integrity and refers specifically to data integrity. Integrity is the act of ensuring
that data was not modified or deleted by parties that are not authorized to do so. It also ensures that, if
the data was changed, an authorized person can correct changes that should not have been made in
the first place. Simply put, if you send a message to someone, you want to make sure that the person does
not receive a message that was altered in transit. Integrity also confirms that you are in fact speaking
to who you think you are speaking to (for example, when you download an add‐on from a website, you want
to make sure that you are downloading from that website and not from an unscrupulous third‐party).
Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not
only does data have to be available to you, but it has to be reasonably accessible. There's no point in
security controls if you cannot access the data! This component is a concern, but for the average end user,
there is not much that can be done to ensure availability when dealing with webpages, or IRC servers or
anything else managed by a third party host. For this reason we will not be discussing Availability except
for backing up your data in this guide.
Chapter 2 _ Recommendations
Windows was not built with security in mind and therefore should not be used. Tails is recommended
as it is a live DVD or USB that was created to preserve your anonymity and privacy (Chapter
10). It allows you to browse the internet anonymously and safely as all applications are
preconfigured to run through Tor. Other uses include encrypting your files, sending and receiving emails
and instant messaging, photo editing, document editing and more. Tails also operates completely in
RAM so it does not leave a trace on your computer. RAM is Random Access Memory and is wiped when
the machine shuts down. Everything that you want saved is done so in secure, encrypted persistent
storage. Tails link: Here. A step‐by‐step for installing Tails can be found below. Another distro I would
recommend is Whonix. Whonix is an operating system focused on anonymity, privacy and security. It's
based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are
impossible, and not even malware with root privileges can find out the user's real IP. If you cannot, or
do not want to, use Tails or Whonix, you should make sure that Windows is secure.
Windows:
Truecrypt – I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that
all evidence is encrypted thus allowing you to skip Chapter 4. If you do not want to enable FDE, I
would create a container and have a Virtual Machine inside the container. Otherwise,
EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS. (Section 3.2)
Tor Browser Bundle – This allows you to browse the internet anonymously. Using TBB will also
allow you to visit .onion sites as well as to join the .onion IRC servers with TBB’s instance of Tor.
(Section 9.1)
Anti‐Virus (AV) and a Firewall – This will keep your computer protected from viruses as well as
remote intruders (most all‐in‐one anti‐virus software has these features). (Section 7)
I have decided to move a recommendation from later on in this guide to up here. One good
recommendation is to create and use a standard account with no Administrative privileges. This
way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would
make sure your username does not contain your full name as many applications such as Pidgin
can share this information. Furthermore, make sure that you create a Windows password that
is difficult to guess/attack, as your computer can be explored using that password, over the
network.
(Optional) TorChat – TorChat is a chat application that runs over Tor to provide an anonymous way to
chat. (Section 2)
(Optional) IRC Client – An IRC client allows you to enter Tor chat rooms to talk to many
individuals at one time. You will need one with proxy settings so you can run the client through
Tor. Make sure to NOT use DCC, as it opens a direct connection that can expose your IP address.
There are several IRC servers that run over Tor (.onion addresses) that you can use. They are all
linked, so connecting to one connects you to all. (Section 2)
(Optional) GPG – for sharing messages and files back and forth over a common medium, GPG
provides confidentiality (encryption) as well as integrity and authenticity (signatures). (Section 3.3)
Sample Security Checklist:
Check authentication
Check authorization and access control
Audit your system
Verify firewalls, proxy settings, and other security controls
Verify encryption, both symmetric (private key) and public key
Check communication encryption, including email, chat, web browsing, and operating system
data
Update system software, including anti‐virus software and scanners
Back up and store sensitive data securely
Harden your system by removing unnecessary software and services
Things to be mindful of:
Don't assume that something is secured by another layer or process. Verify that the data is
secured and that the data being transmitted over the network or the internet is protected from
attackers. Different levels of sensitivity mean different levels of security.
Know the limitations of each security product. Each product addresses a specific set of issues
within a specific context. Make sure to know the differences between the employed solutions
and how they protect you. For example, using a VPN does not stop anyone from stealing
your laptop and gathering all your data. Use several layers of security for maximum security.
Do not rely on authentication at session initiation alone. Use several levels of
authentication to ensure that the person you are communicating with is who they say they are,
and vice versa.
Assume everything you use is insecure and treat everything like a security threat. Build your
security model based on what you do; security is dynamic, not static.
Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when things
go bad. Make a plan and practice it. Good security means nothing if what you do does not
work.
2.1. Learn how to chat
There are a couple of ways to chat over Tor depending on your wants and needs. In this guide, I will
only be talking about two ways to chat with other people: IRC and TorChat. Using an IRC server allows
you to chat with many people at one time as well as with one person in a private conversation.
TorChat, on the other hand, only allows you to chat privately with someone, but it allows you to share
files with that person, whereas IRC over Onionnet does not.
The first way I will describe is how to connect to the Onionnet IRC. Onionnet is a network of servers
that are linked together to increase redundancy. For those of you who don't know, IRC stands for
Internet Relay Chat and was intended for group communication in discussion forums, called channels,
but it also allows one‐to‐one communication via private message as well as data transfer,
including file sharing (DCC). When using the Onionnet servers (as described below), DCC file sharing
is disabled, since DCC sets up a direct connection that would reveal your real IP address, and other
security restrictions apply.
Setup IRC Client:
1. Download your IRC client. Personally, I use Pidgin. The link is provided for you:
several machines (which is not recommended as the computer can contain spyware). Also,
Pidgin allows you to connect to several servers at once in case you get disconnected from
a server or a netsplit occurs
2. To create an account, click Accounts followed by Manage Accounts. You can add as many
accounts as you want; I created a few accounts to connect to the different IRC servers for the
reason described above
3. Select Add. Under Basic, your settings should look like this: Protocol – IRC, Username – your
username, Server – IRC server (listed below), Local alias – your username. Again, you can use
any of the several Tor IRC servers, as they are all linked. Alternatively, you can use one of
the several IRC relays instead of connecting to the Tor servers directly
4. Under Advanced, your settings should look like this: Port – 6667, Username – your username.
In Pidgin, if you do not fill in the username under the Advanced settings, your operating‐system
login name is sent as the IRC ident and exposed: when you enter or leave a chat room it
appears before the hostname. For example, if your ID is TheBest and your login name is Bob, it
will appear as TheBest [Bob@OnionNet]. If you are using OFTC, replace port 6667 with port
9999 (OFTC's SSL port, so also tick Use SSL) as seen in the IRC server list below (you can also
remove the :9999 from the server name if using Pidgin, since the port is set here)
5. Under Proxy, your settings should look like this: Proxy type – SOCKS 5, Host – 127.0.0.1, Port ‐
9150 (the Tor Browser Bundle's SOCKS port; a stand‐alone Tor daemon listens on 9050 by
default). If you are using Privoxy, the proxy type is HTTP and the port is 8118. Whichever you
use, confirm the client really goes through Tor before joining anything: with Tor stopped, the
connection must fail rather than silently go out directly
6. Click Buddies and Join a Chat to join a channel. Add Chat will permanently add the channel to
the Chats list so you don't have to remember the channel name every time. Right‐clicking the
chat under Chats will give you a host of options. I selected Persistent to receive the messages in
the chat room even when it is not currently open. You can use /list to get a list of all the
channels or /join #room to join a specific room. #security and #public are two good
channels for general questions or questions related to privacy or security
7. You can use the /msg username command to send a private message to someone, or the
/query username command, which opens a new window in both clients for private
messaging. I would advise looking up the IRC client commands for full functionality. Also, even
though I recommended disabling DCC, the Onionnet servers disable the functionality altogether
8. Lastly, you should know that most ‐if not all‐ IRC clients cache your username for functionality.
Pidgin takes this further by logging specific channels and the individual users you chat
with using private messaging, by default. Under Preferences > Logging, disable Log
all instant messages and Log all chats. Logs already written stay on disk until you delete them,
so also clear the Pidgin logs folder (~/.purple/logs on Linux, %APPDATA%\.purple\logs on Windows)
IRC Servers:
Here is a list of the Tor IRC servers (note that all servers are linked):
FTW: ftwircdwyhghzw4i.onion
Nissehult: nissehqau52b5kuo.onion
Renko: ircd5ilf47whang4.onion
OFTC: irc.oftc.net:9999 (NOT ONIONNET – CLEARNET IF NOT CONFIGURED FOR TOR)
IRC Channels:
Here is a list of some of the popular Tor IRC channels (ordered by user count at the moment of writing):
#boys2
#pedo
#cams
#mjb
#girls
#tor (OFTC)
#knaben
#torchan
#public
#security
#hackbb
#nottor(OFTC)
The other method I wanted to talk about is TorChat. TorChat is a peer‐to‐peer instant
messenger with a completely decentralized design, built on top of Tor's location‐hidden services. The
project describes it as giving extremely strong anonymity while being very easy to use without the need
to install or configure anything; the program runs completely portable and can be easily moved,
protected or backed up. Two caveats before taking that description at face value: your TorChat ID is the
hidden service address itself, so anyone who learns it can probe whether that service is reachable, i.e.
whether you are online, and the only thing that ties an ID to a person is possession of that hidden
service's private key. Like I said before, TorChat can be used to share data with another person through
Tor, as it was built natively with security in mind.
Setup TorChat:
1. Download TorChat from GitHub, as it is now the official source for the TorChat project. At the
time of writing the article, the direct link is the project's GitHub page; once loaded, click the
Downloads button over on the right. Select the latest build as denoted by the
version number. Make sure to download the Windows executable version for Windows, the
Debian / Ubuntu package for Debian/Ubuntu, or the Pidgin plugin if that is what you want to
do. If the build is in alpha, then it is not recommended
2. The file will be downloaded as a .zip file. Once the file is fully downloaded, open the file and
extract the contents with your favorite archive file manager. I extracted the file to the default
location in Windows which is the Downloads folder. You can move the folder at any time as
TorChat is portable
3. Open the TorChat folder, expand the bin folder, and run torchat.exe to start TorChat for the first
time. Once loaded, you will be provided your TorChat ID (16 characters that are comprised of
letters and numbers)
4. To add a contact, just right‐click in the white space of the program and click Add Contact…
Alternatively, you can edit the buddy‐list file in the bin directory. Double‐clicking a contact will
initiate a chat (right‐clicking and selecting Chat…, will accomplish the same thing). You can also
edit and delete a contact by Right‐Clicking the user and selecting the appropriate function.
Sending a file is as simple as dragging the file into the chat window or right‐clicking the
username and selecting Send file… (Windows can only send one file at a time whereas
Debian/Ubuntu can send many at one time)
5. If you are upgrading your version of TorChat, then make sure to back up and copy over
bin\buddy‐list.txt, bin\Tor\hidden_service\hostname, and
bin\Tor\hidden_service\private_key. If you do not copy over the latter two files, you will be
given a new TorChat ID, and your contacts will no longer be able to reach the old one
2.2. Intro to Tails
If you are handling anything sensitive that you don't want found, or if you don't want to leave any trace
on your computer, I recommend you use another operating system altogether. A good alternative that
was built with security in mind is Tails. Tails was built to route all internet traffic through Tor, to run
completely in RAM, and to save nothing unless explicitly told to. In this section, I will only be talking
about installing Tails on a DVD or USB, as there is another, thorough guide that can be found in section
10.
Installing Tails:
1. Download Tails from the official Tails website. You can either download Tails via the direct link
or the torrent, which might be faster. However, the direct link is recommended, as is
downloading and verifying the Tails signature. Under option 2 on the download page, select the
latest release to start downloading. To verify the download, use GPG to check the Tails signature
against the Tails signing key to ensure that your image has not been modified in any way; an
unverified image is the easiest way to end up booting an attacker's version of Tails
2. Once downloaded you have two options: burn the image to a DVD or write it to a USB (the
image is too big to fit on a CD). If you burn the image to a DVD‐R, an attacker cannot modify the
contents, as the disk is read‐only. This also means that you cannot save anything or make any
permanent changes on the disk. DVD‐RW and USB media can be written and re‐written,
meaning files and settings can be saved in persistent storage. But this comes at a risk: anyone
with physical access to writable media can maliciously modify Tails
3. Installing an image to a DVD is easy; all you need is the right software. ISO Image Burner is a
good program for Windows that can do this for you. Macs and computers running Ubuntu can
burn the image natively. Once your ISO burning program is open, insert the blank DVD into the
disk drive and burn the Tails ISO image to the blank disk (or a DVD‐RW disk)
4. When installing the Tails ISO image onto a USB, it is recommended that you download and
install Oracle VM VirtualBox and use that virtualization program to boot into Tails. Otherwise,
you cannot create persistent storage for saving files and settings. Once you successfully boot
into Tails, you can use the built‐in Tails USB installer to install Tails on the USB device. Bear in
mind that while Tails runs inside VirtualBox, the host operating system (and anything running on
it) can see everything Tails does, so use the VM only to create the USB stick, then boot from the
stick directly
5. I downloaded and installed VirtualBox. Once installed, start VirtualBox and click
New to create a new VM. Fill out the Name textbox, select Linux for the Type, and select Other
Linux for the Version. Proceed past the next page, select Do not add a virtual hard drive and
click Create. At the top of the Oracle VM VirtualBox Manager click Settings to modify the
settings of the VM you just created. Select Storage and, next to Controller: IDE, click the little
disk icon to add a CD/DVD device. Click Choose disk and select the Tails ISO you just
downloaded. Under Controller: IDE you should see the image you just selected. Select that
image and check Live CD/DVD over on the right under Attributes. Click OK. Start the VM to
boot into Tails
6. At this point you should be asked if you would like to view more options. I am going to kill two
birds with one stone and cover how to install Tails on a USB as well as what I recommend after
you install the ISO on the USB. Select Yes on this screen and create an administrator password
on the next screen. Under Applications > Tails you can create a persistent volume as well as use
the Tails USB Installer. When creating a persistent volume, I would select all the applications
you will use, as well as whether you are going to save any materials
2.3. Intro to Whonix
Quoting directly from the manufacturers’ website: Whonix is an operating system focused on
anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and
security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out
the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call
Whonix‐Gateway. The other, which we call Whonix‐Workstation, is on a completely isolated network.
Only connections through Tor are possible.
Features (from the Whonix website):
Adobe Flash anonymously
Browse The Web Anonymously
Anonymous IRC
Anonymous Publishing
Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
Add a proxy behind Tor (Tor -> proxy)
Based on Debian GNU/Linux.
Based on the Tor anonymity network.
Based on Virtual Box.
Can torify almost any application.
Can torify any operating system
Can torify Windows.
Chat anonymously.
Circumvent Censorship.
DNSSEC over Tor ¹
Encrypted DNS ¹
Full IP/DNS protocol leak protection.
Hide the fact that you are using Tor ¹
Hide the fact you are using Whonix
Hide installed software from ISP
Isolating Proxy
Java anonymously
Javascript anonymously
Location/IP hidden servers
Mixmaster over Tor
Prevents anyone from learning your IP.
Prevents anyone from learning your physical location.
Private obfuscated bridges supported.
Protects your privacy.
Protocol-Leak-Protection and Fingerprinting-Protection
Secure And Distributed Time Synchronization Mechanism
Security by Isolation
Send Anonymous E-mails without registration
Stream isolation to prevent identity correlation through circuit sharing
Virtual Machine Images
VPN/Tunnel Support
Transparent Proxy
Tunnel Freenet through Tor
Tunnel i2p through Tor
Tunnel JonDonym through Tor
Tunnel Proxy through Tor
Tunnel Retroshare through Tor
Tunnel SSH through Tor
Tunnel UDP over Tor ¹
Tunnel VPN through Tor
Tor enforcement
TorChat ¹
Free Software, Libre Software, Open Source
¹ via Optional Configuration
Whonix is produced independently from the Tor® anonymity software and carries no guarantee from
The Tor Project about quality, suitability or anything else.
Note: When using Whonix, you will be responsible for three operating systems: the Whonix gateway,
the Whonix workstation, and the host machine. Whonix is only intended to run on VirtualBox, so
VMware is not recommended. Remember that this is the project's own feature list: "prevents anyone
from learning your IP" describes the workstation, and a compromised or badly configured host still
sees everything the virtual machines do.
Set‐up Whonix:
1. First things first: download both the gateway and the workstation .ova images from the
Whonix project's website
2. You will need to download and install VirtualBox
3. Next, import both of the virtual machines into VirtualBox: use VirtualBox to open both
.ova images (File > Import Appliance…)
4. Click Choose, select the Whonix‐Gateway.ova from your download folder and press Open
5. Click Next until you reach the Appliance Import Settings. Click Import without changing any of
the settings. Repeat the process for the workstation
6. Now start both virtual machines (gateway first, then the workstation, since the workstation has
no network at all until the gateway's Tor is up)
7. When you log in for the first time, I recommend changing the passwords, as the defaults are
published and identical on every install:
a. At a terminal enter: sudo su
b. Enter the default password changeme
c. Change the root password with passwd, then the user account's password with passwd
user. Do this on both VMs
8. To learn more about Whonix security and additional functionality, see the Whonix
documentation
After you set up both the Whonix workstation and gateway, you can customize it however you want.
Unlike Tails, Whonix is entirely persistent, starting with 50 GB of virtual disk space. If you need to
increase the size of Whonix's disk, you will need to do so in VirtualBox. I recommend increasing the size
pre‐setup rather than after the fact, as it will be much easier (and safer). Once you are done and want
to shut down the machine, you can use the Shutdown button on the workstation and type sudo poweroff
in the gateway. Another helpful command is sudo arm in the gateway, which shows the status of Tor;
press N while viewing the arm output to force a new identity (fresh Tor circuits).
Chat in Whonix (using XChat):
XChat is an IRC client and is recommended as it is already preinstalled and configured (proxied through
the gateway) on Whonix. The following steps walk you through configuring a username and adding the
onion servers listed in the previous chat section (section 2.1).
1. Once XChat is opened click the XChat button from the menubar
2. Select Network List… from the drop down
3. Fill in the information under User Information. These names are used by default for each
connection and will be visible to everyone
4. Under Networks, click Add to add a server that you will connect to
5. Give this new value a name. For example, I entered Onion, so I knew it contained all the IRC
servers for Onionnet
6. Press the Enter key on your keyboard and select the Edit… button in the program
7. Once you see the Edit page come up, you will see one default server in the Servers for Test
list. You can select that item and click Edit
8. The format for adding a new server is as follows: serveraddress.onion/port. For example, I
entered this: ftwircdwyhghzw4i.onion/6667
9. Remember, the program already configured the proxy information, so this is all you need to
do. If you want specific channels to open once you are connected to the server, you can add
them to the Favorites list. You can now close this page
10. Once you are back to the Network List, select the newly created network and press Connect
11. You can use the same IRC commands as in Section 2.1.
Chat in Whonix (using TorChat):
The following instructions were taken directly from the Whonix website.
On Whonix‐Gateway
1. Open torrc using this command: sudo nano /etc/tor/torrc
2. Search for:
a. #HiddenServiceDir /var/lib/tor/torchat_service/
b. #HiddenServicePort 11009 192.168.0.11:11009
3. Once found, remove the comment characters from the beginning of each line
4. Save the file
5. Reload Tor using this command: sudo service tor reload
6. Get your onion address
a. First enter this command to become root: sudo su. Enter your password when
prompted
b. Next, open the file that contains your onion address: nano
/var/lib/tor/torchat_service/hostname
7. You can back up your private key in case you need to restore it on another machine: nano
/var/lib/tor/torchat_service/private_key
On Whonix‐Workstation
1. Open up the terminal window: Start > Terminal
2. Install Torchat on the machine: sudo apt‐get install torchat
3. Open torchat.ini, which is in the hidden folder /home/user/.torchat/torchat.ini. Look for
the following line: own_hostname = <your onion hostname without the .onion ending>
4. Replace it with your onion hostname. For example, if your onion hostname is
idnxcnkne4qt76tg.onion, enter idnxcnkne4qt76tg, so it looks like this: own_hostname
= idnxcnkne4qt76tg
KGpg
Whonix uses KGpg, a simple interface for GnuPG, a powerful encryption utility. GnuPG allows you
to encrypt and sign your data and communication, features a versatile key management system, and
has access modules for all kinds of public key directories. For ease of use, you can import keys into
KGpg and use the GPG commands found in section 4 for full functionality. To import a public key in
KGpg: open the program and click Import Key from the menubar. Select the public key you downloaded
and click Open. Before trusting an imported key, compare its fingerprint with one obtained from the
owner over a second channel; a key downloaded from a directory proves nothing about who holds it.
Once the keys are imported, you can encrypt data using the program (right‐click the file in the Dolphin
file manager and click Encrypt) or use the command line switches. GnuPG is recommended for
secure communication.
Chapter 3 _ Encryption
Encryption is the process of encoding messages (or information) in such a way that eavesdroppers
or hackers cannot read it, but authorized parties can. Using cryptography, three purposes are
fulfilled: confidentiality, integrity, and non‐repudiation. Encryption has long been used by militaries
and governments to facilitate secret communication. It is now commonly used in protecting information
within many kinds of civilian systems. Also, many compliance laws require encryption to be used in
businesses to ensure that confidential client data stays secured if the device or data is stolen. In this
section I will be talking about using encryption for confidentiality and integrity. Non‐repudiation is
used, but is not normally implemented for our purposes.
Topics
This Chapter will cover the following topics:
Encryption Dealing with Confidentiality
Encrypting Files or the Hard Drive
Securely Exchanging Messages or Data
Steganography
Authentication Factors
Password Attacks and Account Recovery Attacks
Creating Secure Passwords
Hashing, Hashing Collisions, and Birthday Attacks
Cold Boot Attacks
3.1. Encryption Dealing with Confidentiality
Computer encryption is based on the science of cryptography, which has been used as long as humans
have wanted to keep information secret. The earliest forms of encryption were the scytale and the
creation of cipher texts. These forms of cryptography rely on both parties knowing the key used or
the correct cipher before the message can be delivered. Here's an example of a typical early cipher, a
Polybius square: a grid of letters and their corresponding numbers:
        1     2     3     4     5
  1     A     F     L     Q     V
  2     B     G     M     R     W
  3     C     H     N     S     X
  4     D    I/J    O     T     Y
  5     E     K     P     U     Z
(Read the row number first, then the column number. I and J share a cell so that the 25 letters fit a
5 x 5 grid.)
Let's say a general wanted to send the message "I love ponies". He would write the series of
corresponding numbers, row first and then column: 42 13 43 15 51 53 43 33 42 51 34. Only someone
who holds the same grid (the key) can turn those numbers back into the message. Obviously, to make
the message more difficult to decipher, the letters inside the table would be arranged in a secret order
rather than alphabetically; even then, each letter always maps to the same pair of digits, so the
ciphertext keeps the letter frequencies of the plaintext and can be broken by frequency analysis.
Computer encryption uses algorithms to alter plaintext information into a form that is unreadable.
Most people believe that AES will be a sufficient encryption standard for a long time to come: a 128‐bit
key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key
combinations (2^128, roughly 3.4 x 10^38). The largest AES key size is 256 bits, which gives 2^256
possible keys.
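The square above, implemented in Python as an added example (not code from the guide): it encodes and decodes with the guide's grid, reproduces the general's numbers, and shows that the secret is the arrangement of the letters, since any shuffled 25‐letter grid works the same way. The shuffling helper and the pair‐frequency helper are my additions to illustrate the key and the weakness; a real key would be a secret arrangement agreed in advance, not a seed.

```python
"""The guide's 5x5 letter grid (a Polybius square). Rows and columns are
numbered 1-5, a letter becomes its row digit followed by its column digit,
and I/J share one cell so that 25 letters fit."""
from collections import Counter
import random

# The grid exactly as drawn above, one string per row.
GUIDE_GRID = ["AFLQV", "BGMRW", "CHNSX", "DIOTY", "EKPUZ"]


def build_tables(grid):
    """Return (letter -> digit pair, digit pair -> letter) for a 5x5 grid."""
    if len(grid) != 5 or any(len(row) != 5 for row in grid):
        raise ValueError("a Polybius square needs 5 rows of 5 letters")
    encode, decode = {}, {}
    for r, row in enumerate(grid, start=1):
        for c, letter in enumerate(row, start=1):
            encode[letter] = f"{r}{c}"
            decode[f"{r}{c}"] = letter
    encode["J"] = encode["I"]  # the shared I/J cell
    return encode, decode


def encrypt(plaintext, grid=GUIDE_GRID):
    """Drop anything the grid cannot hold (spaces, punctuation) and encode the rest."""
    encode, _ = build_tables(grid)
    return " ".join(encode[ch] for ch in plaintext.upper() if ch in encode)


def decrypt(ciphertext, grid=GUIDE_GRID):
    """Turn space-separated digit pairs back into letters (J comes back as I)."""
    _, decode = build_tables(grid)
    return "".join(decode[pair] for pair in ciphertext.split())


def shuffled_grid(seed):
    """The key is the arrangement: any permutation of the 25 letters is another
    valid grid. (Assumed helper; a seed stands in for a pre-agreed secret order.)"""
    letters = list("ABCDEFGHIKLMNOPQRSTUVWXYZ")
    random.Random(seed).shuffle(letters)
    return ["".join(letters[i:i + 5]) for i in range(0, 25, 5)]


def pair_frequencies(ciphertext):
    """Each letter always maps to the same pair, so counting pairs reveals the
    plaintext letter frequencies; this is why the square falls to frequency analysis."""
    return Counter(ciphertext.split())


if __name__ == "__main__":
    ct = encrypt("I love ponies")
    print(ct, "->", decrypt(ct))
    alt = shuffled_grid(2013)
    print("same message, shuffled grid:", encrypt("I love ponies", alt))
    print("pair counts:", pair_frequencies(ct).most_common(3))
```

Decrypting a ciphertext with the wrong grid yields a different (wrong) string rather than an error, which is exactly the property the general relied on; the frequency counter shows why it was never a strong one.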
Done right, encryption protects private or sensitive data by making it infeasible for the attacker to
uncover the plaintext. This is the idea of encryption: to make it harder for others to uncover our secrets.
The idea behind it is that whatever amount of expertise and computer time/resources is needed to decrypt
the encrypted data should cost more than the perceived value of the information being decrypted.
Knowing what to use encryption for, how it works, and what type of encryption to use depending on
the circumstances will allow you to improve your security and make it harder for an attacker to do his job.
As we said before, there are many reasons for encryption. One purpose of encryption is the act of
transforming data from a state that is readable to a state that cannot be read by a third party that does
not have permission. The result of the process is encrypted information (in cryptography, referred to as
ciphertext). The reverse process, making the encrypted information readable again, is referred to as
decryption. It is also worth knowing that the word encryption is often used loosely to cover decryption
as well: an encryption program encrypts information as well as decrypting it.
There are two types of encryption, used for two different purposes: symmetric and
asymmetric (public key encryption). Symmetric encryption is also known as private key encryption
or single key encryption. "Symmetric" means the same key is used for both encryption and decryption,
so I must share the secret passphrase with anyone I want to be able to decrypt my encrypted
data. It is used the most because it is fast, easy to use, and is what is most widely needed. You will use
this form of encryption when there is only one password being used (such as TrueCrypt or another simple
file encryption utility). The problem, as stated before, is that it uses only one key, so that key has to be
exchanged between two people over some channel that is itself secure. Asymmetric encryption fixes
that problem by utilizing two keys instead of just one.
Asymmetric (or public key) encryption uses two keys, one to encrypt information and the other to
decrypt it. "Asymmetric" means that encryption with the public key can only be reversed (decrypted)
with the private key, and a signature made with the private key can only be verified with the public key.
Although the public key used for encryption is published and available to anyone, anyone who picks up
the message can't read it without the private key. This type of encryption is slower, but it is the right
tool when sending confidential information to someone, signing data, or verifying that a person is who
they say they are. If you want to send me an encrypted message, you must have my public key, and only
someone who has access to my private key (presumably, just me) can decrypt messages encrypted with
it. In practice the two kinds are combined: when Bob wants to send you a message, his computer
encrypts the document with a fresh symmetric key, then encrypts that symmetric key with your public
key. When you receive the data, your computer uses its own private key to recover the symmetric key,
and then uses the symmetric key to decrypt the document. Bob should also sign the message, otherwise
you have confidentiality without any assurance of who actually sent it.
[Figure: Symmetric encryption]
[Figure: Asymmetric encryption]
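The Bob‐to‐you exchange described above, as an added Python example that is not from the guide. The RSA part is textbook RSA on fixed Mersenne primes with no padding, and a SHA‐256 counter keystream stands in for the symmetric cipher; both are assumptions made so the example runs with the standard library only, and neither is safe for real data. What it does show is the shape of the protocol: a fresh session key encrypts the document, the recipient's public key wraps the session key, a keyed MAC gives integrity, and a wrong private key or a modified ciphertext is rejected before anything is decrypted.

```python
"""Hybrid encryption: a symmetric session key for the data, a public key to
wrap that key. Teaching stand-ins only: textbook RSA without padding on fixed
primes, and a hash-based keystream instead of AES."""
import hashlib
import hmac
import secrets

# Assumed toy moduli: products of Mersenne primes, ~196 and ~188 bits, large
# enough to wrap a 128-bit session key. Real RSA keys are 2048 bits or more.
YOUR_PRIMES = (2**89 - 1, 2**107 - 1)
BOB_PRIMES = (2**61 - 1, 2**127 - 1)
E = 65537


def generate_keypair(primes):
    """Return ((n, e), (n, d)); fixed primes keep the example deterministic."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _derive(session_key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys from the one session key."""
    return hashlib.sha256(purpose + session_key).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with SHA-256(key || counter) blocks.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hashlib.sha256(key + (start // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def seal(document: bytes, recipient_public) -> dict:
    """Sender (Bob): a fresh session key encrypts the document, the recipient's
    public key wraps the session key, and a MAC over the ciphertext gives integrity."""
    n, e = recipient_public
    session_key = secrets.token_bytes(16)
    ciphertext = _keystream_xor(_derive(session_key, b"enc"), document)
    tag = hmac.new(_derive(session_key, b"mac"), ciphertext, hashlib.sha256).digest()
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped, "ciphertext": ciphertext, "tag": tag}


def unseal(envelope: dict, recipient_private) -> bytes:
    """Recipient (you): unwrap the session key with the private key, check the
    MAC before touching the ciphertext, then decrypt. Raises ValueError on a
    wrong key or a modified envelope."""
    n, d = recipient_private
    key_int = pow(envelope["wrapped_key"], d, n)
    if key_int.bit_length() > 128:
        raise ValueError("wrapped key does not decrypt under this private key")
    session_key = key_int.to_bytes(16, "big")
    expected = hmac.new(_derive(session_key, b"mac"), envelope["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: ciphertext or tag was modified")
    return _keystream_xor(_derive(session_key, b"enc"), envelope["ciphertext"])


if __name__ == "__main__":
    your_pub, your_priv = generate_keypair(YOUR_PRIMES)
    envelope = seal(b"I love ponies", your_pub)  # Bob only needs your public key
    print(unseal(envelope, your_priv))
```

The order in unseal matters: the MAC is verified before the ciphertext is decrypted, so a tampered message is rejected without ever being processed as data. Real systems use the same structure with RSA‑OAEP or an elliptic‑curve key agreement for the wrapping step and an authenticated cipher such as AES‑GCM for the data.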
A last word of note when using encryption: make sure that you use open‐source encryption programs
such as TrueCrypt, because a vendor that holds recovery or escrow keys for its product can hand them
over to law enforcement. Forensic examiners commonly use the EnCase® Decryption Suite to decrypt a
suspect's hard drive or other portable media; it supports many commercial encryption products, given
the credentials or recovery keys that the vendor, employer or user supplies. The following list is pulled
directly from EnCase® and shows the encryption products it can open:
3.2. Encrypting Files or the Hard Drive
You will most commonly want to encrypt files for storage or to send them to several people
securely. Relying on a Windows password alone is a security risk. Windows stores a hash of your
password and checks the password you type at logon against it; at no point does that encrypt your
files, which sit in the clear on the disk waiting for anyone who boots the machine from another medium.
And even if you use Windows' own encryption (BitLocker or EFS), law enforcement can request the
recovery keys where they are escrowed. Furthermore, many of you think that BIOS passwords are
great for security, which is also not the case. They can be cleared as easily as a Windows password can,
on most desktops simply by resetting the CMOS.
There are several programs that run outside of Windows to either remove or crack a password. Removing
the password does just that: it blanks the password stored in the SAM. Cracking a password, on the other
hand, recovers the password itself instead of removing it, which lets you log into the device as the user
unnoticed and, as many people reuse the same password across several logins on several systems, may
open other accounts too. A practical difference: an offline reset destroys access to anything the old
password protected, such as EFS‐encrypted files and saved credentials (DPAPI), whereas a cracked
password keeps them usable.
Trinity Rescue Kit (removing a password):
1. Download TRK from the Trinity Rescue Kit website. I recommend using the executable, self‐burning
from Windows only format to easily burn the image to a CD
2. Once the burning process is complete, keep the CD in the CD tray and reboot your device
3. Boot from the CD (you might need to look up how to change the boot order on your machine)
4. When TRK boots up, you will see a bunch of options. Select the first option: Run Trinity
Rescue Kit 3.4 (default mode, with text menu)
5. Press the down arrow until you select: Windows password resetting
6. Press the down arrow again until you reach the desired option. In this example, select the first
option: Reset password on built‐in Administrator (default action)
7. When prompted, enter 1 to Clear (blank) user password
I won't get into cracking passwords with Ophcrack, as that is an involved process. Ophcrack cracks
passwords using rainbow tables, which are precomputed tables of hash chains that trade disk space for
cracking time: because Windows stores its password hashes without a salt, a table computed once can
be used against the hashes stored on any machine. These tables come in several forms depending on the
password complexity you are expecting. You will need to download and store them so they can be
accessed when you attack a device, and make sure you have plenty of space on the hard drive, as they
can reach a couple of terabytes.
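Why the unsalted Windows hash makes Ophcrack‐style precomputation work, as an added Python example (not from the guide). Windows stores the NT hash, MD4 over the UTF‐16LE password with no salt; SHA‐256 stands in for MD4 here (an assumption, since MD4 is missing from many modern OpenSSL builds), and the pwdump‐style lines and the digit‐only table are constructed for the example. The point is that one table built once answers every machine's hashes, identical hashes on two machines reveal a reused password, and a salt breaks the lookup entirely.

```python
"""Precomputed-table attack on unsalted password hashes, the property behind
rainbow tables. The hash function is a stand-in (see the lead-in); the
structure of the attack is what matters."""
import hashlib
import itertools
import string


def nt_style_hash(password: str, salt: bytes = b"") -> str:
    """Hash a password the way Windows does structurally: UTF-16LE input, no
    salt. SHA-256 replaces MD4 here. Pass a salt to see what a salt changes."""
    return hashlib.sha256(salt + password.encode("utf-16-le")).hexdigest()


def build_table(alphabet: str, length: int) -> dict:
    """Precompute hash -> password for every candidate of the given shape.
    Real rainbow tables store hash chains instead of every pair, but they
    answer the same question: which password produced this unsalted hash?"""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[nt_style_hash(pw)] = pw
    return table


def parse_pwdump(lines):
    """Parse pwdump-style lines 'user:rid:lmhash:nthash:::' into (user, nthash)."""
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, _rid, _lm, nt, *_ = line.split(":")
        entries.append((user, nt))
    return entries


def crack_dump(lines, table):
    """Return {user: password} for every account whose hash is in the table."""
    return {user: table[nt] for user, nt in parse_pwdump(lines) if nt in table}


def reused_across_hosts(lines_a, lines_b):
    """Without a salt, identical hashes on two machines mean identical
    passwords: return users on host A whose hash also appears on host B."""
    hashes_b = {nt for _, nt in parse_pwdump(lines_b)}
    return sorted(user for user, nt in parse_pwdump(lines_a) if nt in hashes_b)


# Constructed sample dumps (not real data): digit-only PINs and one word password.
HOST_A = [
    "# pwdump output from host A (constructed)",
    f"Administrator:500:NO LM HASH:{nt_style_hash('2013')}:::",
    f"alice:1001:NO LM HASH:{nt_style_hash('hunter2')}:::",
]
HOST_B = [
    f"Administrator:500:NO LM HASH:{nt_style_hash('2013')}:::",
    f"bob:1002:NO LM HASH:{nt_style_hash('0451')}:::",
]

# 10,000 entries, built once and reusable against every unsalted dump.
DIGIT_TABLE = build_table(string.digits, 4)


if __name__ == "__main__":
    print("host A:", crack_dump(HOST_A, DIGIT_TABLE))
    print("host B:", crack_dump(HOST_B, DIGIT_TABLE))
    print("reused:", reused_across_hosts(HOST_A, HOST_B))
    salted = nt_style_hash("2013", salt=b"\x5a\xa5\x00\x01")
    print("salted hash in table:", salted in DIGIT_TABLE)
```

The table only needs to be built once because the input to the hash is the password alone; add a per‐user salt and the attacker has to redo the whole computation per account, which is the cost rainbow tables were invented to avoid.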
There are a couple of programs that support this type of file and folder encryption, and most of you have
probably already heard of them: TrueCrypt and 7‐Zip, both of which provide symmetric file encryption.
TrueCrypt is a program that allows you to encrypt your entire hard drive or to create an encrypted
container. 7‐Zip, on the other hand, is a program that allows you to create an encrypted archive.
Remember that symmetric file encryption has only one key for the encryption and decryption process.
So if you plan on sharing the files, you will need to share that key as well, and you must do so over a
channel the other side's adversary cannot read (a GPG‐encrypted message, for example, or in person),
never in cleartext alongside the file.