Out of Pod Experience

looking for technically inclined, under handed people

Author
leviticus ander
The Scope
Gallente Federation
#1 - 2012-05-17 01:24:57 UTC
for a school project, we need to make a windows XP virtual machine for another student to investigate. part of this is installing programs for the investigator to find.
what I'm looking for is some programs that are quite inconspicuous to install that might be overlooked when the investigator is looking for them. preferably something that's made by windows or looks like it's made by microsoft.
SpaceSquirrels
#2 - 2012-05-17 01:37:01 UTC
Um just install various rootkits or say vnc with too many permissions... Some Zeus stuff out there or just botnets that run in the background under say MSextensions names... Also run them under system rather than user.

However i'm not sure if it's even teaching to just find random **** to **** with people without first telling them what to look for... That's more a power trip and ******* with someone than anything.

But yeah just look for rootkit type stuff. Or say even legit stuff (jack the ripper, etc.)
I can't remember the one tool we used... (had a Minotaur as an icon) and all anti virus stuff (3rd party) would get it now, but had a screen viewer/capture, keylogger, and input blocker all built in.
Surfin's PlunderBunny
Sebiestor Tribe
Minmatar Republic
#3 - 2012-05-17 02:11:34 UTC
Some good amputee pron would make for a great easter egg Big smile

"Little ginger moron" ~David Hasselhoff 

Want to see what Surf is training or how little isk Surf has?  http://eveboard.com/pilot/Surfin%27s_PlunderBunny

leviticus ander
The Scope
Gallente Federation
#4 - 2012-05-17 02:14:11 UTC  |  Edited by: leviticus ander
I don't think I explained this right.
what we're doing is a project for a computer forensics course. what I'm doing is setting up a "scene" that would be something like what a criminal might have on their computer when it's seized. some deleted files, modified internet settings, favourite pages, visited pages, emails, programs installed, files saved/hidden around the hard drive.
since we were basically told by the teacher to mess with the person who will be investigating this "scene" I'm looking for programs that could be mistaken as part of the operating system. something like finding a program called minesweeper and installing it in the microsoft games directory. getting programs signed by microsoft so it's not obvious that it's 3rd party software that was installed after the fact.
I know I could get viruses and the such. but it needs to be something that can be installed and can be found reasonably (we only have limited experience so far).
EDIT: since it's a school project, I do need to keep it fairly clean. no porn, nothing too scarring. stuff like that. the rule we've been told is that if you wouldn't show it to your grandma (some cases excluded where you have an odd/awesome grandma) then don't use it in the project.
Something Random
Center for Advanced Studies
Gallente Federation
#5 - 2012-05-17 21:42:42 UTC
zip and password the files. then put it anywhere.

"caught on fire a little bit, just a little."

"Delinquents, check, weirdos, check, hippies, check, pillheads, check, freaks, check, potheads, check .....gangs all here!"

I love Science, it gives me a Hadron.

SpaceSquirrels
#6 - 2012-05-18 02:07:53 UTC
SSH, stuff as established connections to other servers, cloud based apps (You can't get into them, but I wouldn't keep incriminating evidence locally)

Steganography type pictures/files. (3rd party stuff does this, and such files are different sizes)

Encrypt files/folders. Reminisce of e-mail. Save other files as different extensions. So say a jpeg or text as a .msi. Rename, repath, and switch icons of common programs...

Destroyed files that winlog still shows. Registry entries/values, spooler files. (Most people think printed files/docs don't remain)
leviticus ander
The Scope
Gallente Federation
#7 - 2012-05-18 02:47:48 UTC
SpaceSquirrels wrote:
SSH, stuff as established connections to other servers, cloud based apps (You can't get into them, but I wouldn't keep incriminating evidence locally)

Steganography type pictures/files. (3rd party stuff does this, and such files are different sizes)

Encrypt files/folders. Reminisce of e-mail. Save other files as different extensions. So say a jpeg or text as a .msi. Rename, repath, and switch icons of common programs...

Destroyed files that winlog still shows. Registry entries/values, spooler files. (Most people think printed files/docs don't remain)

I need to actually have some things installed and they are looking for those programs. unfortunately I couldn't do cloud operation since the investigator does need to be able to find it. that's the point is that it needs to be possible for them to retrieve it. my goal is to make it as hard as possible.
right now I've installed powershell 2.0 since that does not show up as its own program and it's hidden in the accessories directory rather than having its own section in the start menu. plus I don't think the guy that's investigating my image was familiar with XP and may not remember that powershell is not part of XP by default. another one that I've done, but can remove is called pinball and I installed it in the windowsnt directory in the program files directory rather than letting it make its own directory.
what files we need to hide need to be the same file extension as what we are looking for so that it's not insane to look for.
it should be noted that the official teaching for this so far has only been about 2 weeks. we have lots of functional knowledge of the operating systems, but not much with the retrieval software.
leviticus ander
The Scope
Gallente Federation
#8 - 2012-05-18 02:54:03 UTC
looks like I've found the last one. I'll need to find a way to hide it. but it's called timestomp. I can use it to change all the timestamps.
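An added example, not from anyone in this thread: one heuristic an investigator can run against the timestamp-changing tool just mentioned. Tools that rewrite timestamps with whole-second values leave the sub-second part at zero, while files written normally almost always carry a non-zero fraction on a filesystem with fine-grained timestamps. The sample files are constructed inside a temporary directory; a zero fraction is a hint worth a closer look, not proof on its own.

```python
import os
import tempfile

NS_PER_SECOND = 1_000_000_000


def suspicious_timestamps(path: str):
    """Return the names of the timestamp fields whose fractional seconds are exactly zero."""
    st = os.stat(path)
    fields = {"mtime": st.st_mtime_ns, "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}
    return [name for name, ns in fields.items() if ns % NS_PER_SECOND == 0]


def demo():
    """Constructed sample: one normally written file, one with whole-second mtime/atime."""
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, "normal.txt")
        stomped = os.path.join(d, "stomped.txt")
        for p in (normal, stomped):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        # Simulate a whole-second rewrite: 2009-01-01 00:00:00 UTC with no fraction.
        # ctime is updated by the kernel at the time of the change and keeps its fraction.
        whole_second = 1230768000 * NS_PER_SECOND
        os.utime(stomped, ns=(whole_second, whole_second))
        return {
            "normal": suspicious_timestamps(normal),
            "stomped": suspicious_timestamps(stomped),
        }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged or 'no zero-fraction timestamps'}")
```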
Herzog Wolfhammer
Sigma Special Tactics Group
#9 - 2012-05-18 06:22:49 UTC
I wonder if the old TSR (Terminate and stay resident) programs work on XP?
Quote:
what we're doing is a project for a computer forensics course. what I'm doing is setting up a "scene" that would be something like what a criminal might have on their computer when it's seized. some deleted files, modified internet settings, favourite pages, visited pages, emails, programs installed, files saved/hidden around the hard drive.
since we were basically told by the teacher to mess with the person who will be investigating this "scene" I'm looking for programs that could be mistaken as part of the operating system. something like finding a program called minesweeper and installing it in the microsoft games directory. getting programs signed by microsoft so it's not obvious that it's 3rd part software that was installed after the fact.
I know I could get viruses and the such. but it needs to be something that can be installed and can be found reasonably (we only have limited experience so far).
For this I would recommend looking at how the pros do it. Look up Access Data and Guidance and their products. They make some powerful forensics software that simplifies the process of violating your 4th Amendment rights at the airport in such a manner that even a TSA agent might figure it out.

Basically these are programs that go into all of the known places where images, cookies, downloaded, and temporary files go.

Beyond that, you might have to rely on some tricky programs to find encrypted files, steganographic stuff, etc. You can go through images looking at where there is no image data, or any data, and look for data that might indicate more information - it would be really sticky if that was encrypted too.

Bring back DEEEEP Space!

leviticus ander
The Scope
Gallente Federation
#10 - 2012-05-18 06:46:48 UTC
Herzog Wolfhammer wrote:
I wonder if the old TSR (Terminate and stay resident) programs work on XP?

For this I would recommend looking at how the pros do it. Look up Access Data and Guidance and their products. They make some powerful forensics software that simplifies the process of violating your 4th Amendment rights at the airport in such a manner that even a TSA agent might figure it out.

Basically these are programs that go into all of the known places where images, cookies, downloaded, and temporary files go.

Beyond that, you might have to rely on some tricky programs to find encrypted files, steganographic stuff, etc. You can go through images looking at where there is no image data, or any data, and look for data that might indicate more information - it would be really sticky if that was encrypted too.


we actually are using an access data trial that came with one of the text books we are working from.
it's not violating your 4th amendment right if one, you're part of a criminal investigation and they have the right documents signed to let them sift through everything you've ever done on your computer. or two, you don't live in the US (aka, I live in Canada).
I've gotten the hard drive I'm supposed to investigate, and it would seem people are being quite lax on the whole "make it difficult" thing. I spent about 5 minutes. found the hidden and deleted files I needed to find, found the installed programs, found the favourites and the deleted favourites, found the hidden directory of images, only thing left is to figure out how the settings file for IE5 was setup so I can find out what their homepage is.
by the way, to you paranoid people out there that delete everything if they think it will get them in trouble. good luck. they can trace back through you zerofilling your hard drive up to 300 times. they can even find the data that has been overwritten. it just depends on how much time and money they are willing to spend on finding some scrap of nothing to incriminate you.
SpaceSquirrels
#11 - 2012-05-18 13:13:01 UTC
That's why you true crypt your **** or move it off local machine. Good luck breaking through true crypt without say the NSA's super computer.

I even like the part where you can type a certain password and it takes you to another partition or access level if you're in distress.
FloppieTheBanjoClown
Arcana Imperii Ltd.
#12 - 2012-05-18 17:48:33 UTC
Use system directories to hide stuff. For example, I just picked a nested folder off my hard drive and made up a subfolder that might be overlooked:

C:\WINDOWS\Help\Tours\WindowsMediaPlayer\VideoEncode

Of course it's stupidly easy to mask stuff in C:\windows\system32

Look into portable applications. They're designed to be run from USB storage devices, but there are no rules against running them from some deeply-buried directory on the hard drive. They won't leave much of a footprint except There are portable browsers, portable office apps, text editors, et cetera. Figure out the scenario of your criminal, and put relevant apps in these buried folders. Hide the files they save in other equally-buried folders.

Don't put so much on there that the directories will throw up a red flag for their size. You don't want them to stand out. Most portable apps are small. Those that aren't, you should hide in other places. Maybe install a "pirated" game that takes up several gigabytes and then stick a large app in a subdirectory so that it blends in.

Bonus round: modify the registry and/or config files so that the apps in question will easily open unusual file extensions. Such files become a lot harder to ferret out when they aren't named properly. Especially on a virtual machine where their options on scanning the drive are a bit more limited.

Founding member of the Belligerent Undesirables movement.
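
An added example, not from anyone in this thread: the investigator's counter to the renamed-extension trick described in posts #6 and #12 (a JPEG saved as .msi) is to compare a file's leading bytes against its extension. The magic-byte table below is a small constructed subset, and the sample tree is built in a temporary directory; a plain text file renamed to .msi has no signature and would need a separate printable-content check.

```python
import os
import tempfile

# Constructed table: leading bytes -> extensions that legitimately carry them.
MAGIC = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"MZ": {".exe", ".dll", ".scr", ".sys"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".msi", ".doc", ".xls", ".ppt"},  # OLE compound file
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
}


def sniff(head: bytes):
    """Plausible extensions for these leading bytes, or None if the type is unknown."""
    for magic, exts in MAGIC.items():
        if head.startswith(magic):
            return exts
    return None


def check_file(path: str):
    """None if the file looks consistent, otherwise a one-line reason."""
    with open(path, "rb") as f:
        head = f.read(16)
    ext = os.path.splitext(path)[1].lower()
    exts = sniff(head)
    if exts is None or ext in exts:
        return None
    return f"content looks like {'/'.join(sorted(exts))} but extension is {ext or '(none)'}"


def scan_tree(root: str):
    """Walk root and return {path: reason} for every mismatched file."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reason = check_file(path)
            if reason:
                findings[path] = reason
    return findings


def demo():
    """Constructed tree: one JPEG renamed to .msi beside a genuine-looking .msi."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Help", "Tours", "VideoEncode")
        os.makedirs(sub)
        with open(os.path.join(sub, "setup.msi"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG header under an .msi name
        with open(os.path.join(sub, "real.msi"), "wb") as f:
            f.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)
        return {os.path.basename(p): r for p, r in scan_tree(root).items()}
```

Run `demo()` to see the renamed file flagged and the OLE-format file left alone; point `scan_tree` at a mounted image to use it for real.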

leviticus ander
The Scope
Gallente Federation
#13 - 2012-05-18 19:26:22 UTC
SpaceSquirrels wrote:
That's why you true crypt your **** or move it off local machine. Good luck breaking through true crypt without say the NSA's super computer.

I even like the part where you can type a certain password and it takes you to another partition or access level if you're in distress.

actually, the people that made that also released a tool for forensics offices that can retrieve the key for the encryption and decrypt the files/directories/drives. it's only available to offices that have been certified to a certain level.