John Jay College of Criminal Justice


I will be speaking in Prof. Sengupta’s class at John Jay College of Criminal Justice at the City University of New York on Oct 28, 2010.  The topic of discussion will where does Digital Forensics fit in the big picture of organizations.  The talk will introduce the students to a variety of topics including choosing a career as a digital forensics investigator, their duties as an investigator, being successful as an investigator, case studies and real-life problems faced by the computer forensic investigators.


Reverse tunnels


SSH is an excellent piece of software which can help you do a lot of things such as have encrypted shells etc. But what makes SSH incredibly flexible is having tunnels.

A typical ssh tunnel works from the client to the ssh server and it forwards a local port on the client to the server seamlessly.

client ----> ssh_conn ----> ssh_server
client --> tunneled_port --> ssh_server
ssh -L 10000:localhost:10000 username@ssh_server

This connection creates a tunneled port on client:10000 i.e., anything sent to this port appears as if it’s automatically sent to ssh_server on port 10000. The localhost here is confusing, but think of it as….”what is localhost for ssh_server?”. It would be the ssh_server itself, right?
If you do a netstat on the client, you see a listener on the port 10000/tcp.

Now comes the more interesting reverse tunnel. The reverse tunnel is different in that, you have a tunnel being initiated by the client that says to the ssh server, “Hey, I’m initiating this connection that will allow you to automatically access a port on *me* after *I* initiate the connection?” (confused!!?!)

client ---> ssh_connection ---> server  ---+
client <-- tunneled_port  <----- server ---+
ssh -NR 10000:localhost:10000 user@ssh_server

Here the meaning of localhost is slightly different, though.  The “localhost” means what is localhost for the client (and not on the server as in the previous case)!   So what you’re saying is, “Hey SSH server, I’m initiating this connection to you but if you connect to your port 10000 you will get a tunnel to *my* port 10000.”  If you do a netstat on the server you see a listener on port 10000. Isn’t it great that you can make the server listen to a port which acts as a tunnel to you…so anyone on the server can seamlessly connect to you even though technically you were the client!


VMWare snapshots issue


VMWare is excellent for malware analysts because it lets you keep snapshots of pristine Virtual machine states and you can revert back to them when you want to.
I encountered a weired error this time around on my Windows XP Pro VM. Whenever I would try to take any snapshots I would get an error: “Error taking snapshot: Windows XP Professional.VMX-Snapshot1.vmsn file already exists”. When I looked into the folder there was no .vmsn file with that name. I deleted all the files .lck and .lock files and still to no avail. Then I saw the files named as
Windows XP Professional-000001-s00?.VMDK.
The regex for these files was:
Windows XP Professional-00000?-s00?.VMDK
where ? is one character replaced by 0-9. Upon deleting these files, my snapshots started working properly.


Tryst with Customer Service


In the capitalist world, it is said that the companies survive on the hyper-consumerism of the people. The highly competitive economical scenario results in an environment where (as they say) consumer is the winner, but not without a fight.
A few weeks back, my Compaq Presario Laptop 2575us went bad. Well, the laptop is 2 yrs old and it has already been serviced twice so I guess my patience thresholds have diminished over a period of time. But this time around a person with even immense patience could have lost his mind. So here’s what happened. My laptop’s S-video port had been dysfunctional since the time I can recall but I never had so much time to let my laptop go out of my hands. This time when I sent it for repairs my laptop almost disappeared from the face of the earth for almost 25 days. And when they returned it to me to a wrong address I had a premonition of difficult times. The “repaired” laptop even failed to start.
This really infuriated me coz my 25 day wait had gone down the drain. So I called up the customer care and they asked me to ship the laptop to service center yet again. But this time around they wanted me to wait for 3 days before I could FedEx it to them. It was completely unacceptable to me. So I spoke to the supervisor and became as adamant as a stone. I continued to ask him for next day shipping and he continued to repeat that he could not do that. A 2hr45min sparring continued on the phone and it resulted in him being the loser as he disconnected the phone. He kept saying that this discussion is going nowhere as we cannot reach an agreement and I kept insisting that the call had multiple destinations : 1. To the HP supervisors and 2. To the BBB .
This guy called himself Nick and he also refused to give me his employee number. I knew very well (because of past experience that Compaq uses words like “You have no proof for your requests” etc.) so this time I needed some real strong evidence of my conversation. So I requested the permission from this Nick guy to allow me to record the conversation. I think this made him a little wary of my intentions. But still he did not give me his details. I think he was really scared because he felt that my wrath could result in him facing the music from his bosses in Palo Alto, CA. There were a few interesting discussions, for example, he said “I am Nick and you can identify me with this name alone.” to which I retorted by saying “Well…I know that Nick is a common name in U.S and you guys might as well redirect my call to NY Knicks judging by the way things are going.”.
So the next day I called up the HP Customer Care Service Manager’s Line at 1-877-917-4380 , code 94 option 1. This time I spoke to a guy called Douglas Gilmore who was equally tough with me (if not more). He refused to acknowledge any of my concerns initially. But later as the conversation progressed, it went on from being just a plain discussion to a heated argument. However, I did not utter even a single foul word because I knew that he could use my language as a pretext to disconnect my call which I was not willing to risk at all. So throughout the discussion I kept my head cool and tried to explain the things to him. But after going through the history of the whole thing, he realized that I had suffered a lot because of this laptop and that the attitude of the Customer care was rather cold. So he finally agreed to give me a replacement after much requests. This was probably my best argument till date and I think that it was some good thinking on my part as well as some codial behavior on the part of the managers that I could get what I truly deserved: a replacement to my defective laptop.
Japanese art forms


Custom Android Kernel Compilation HOWTO


I have been trying for the last few weeks to get the Android Kernel source and then build a kernel of my own and then load it into the emulator to try to test out the modules. I spent numerous hours in trying to understand about how to go about it. So here’s a post so I can log all that I did in an effort from going from nothing to having my kernel loaded in the Android Emulator.

There are posts such as the one on eeknay32’s blog and the Stackoverflow post that really helped me in getting started. Also there is a HOWTO in the qemu documentation located at external/qemu/docs/KERNEL.TXT

I first started to follow the directions from here but this is only to get the source code of the Android SDK and other tools and to compile those. That was not initially my goal because getting the source of the tools and SDK was not my goal. Don’t bother downloading this (you could get the tools pre-compiled) unless you really want to compile the tools on your own.

The following steps will help you compile the code for the Android emulator and other tools:
sudo apt-get install git-core gnupg flex bison gperf build-essential \
zip curl zlib1g-dev libc6-dev lib32ncurses5-dev ia32-libs \
x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown \
libxml2-utils xsltproc
mkdir ~/bin
export PATH=~/bin:$PATH
curl https://dl-ssl.google.com/dl/googlesource/git-repo/repo > ~/bin/repo
chmod a+x ~/bin/repo
cd src
repo init -u https://android.googlesource.com/platform/manifest -b android-2.3_r1
repo sync
. build/envsetup.sh
lunch full-eng

Now going to our main goal.

Get the Android source
git clone https://android.googlesource.com/kernel/goldfish.git goldfish
cd goldfish

Put the cross compilation toolchain into your path and also put the tools (emulator, android tools etc) in your path:
export PATH=$PATH:~/bin:~/bin/src/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin:/root/bin/src/out/host/linux-x86/bin
make ARCH=arm goldfish_defconfig
make ARCH=arm SUBARCH=arm CROSS_COMPILE=arm-eabi- -j4

This is a good resource on different errors you could encounter. If you get a message “zImage is ready” you are good to load this image into the emulator to have a running emulator.
Before you run the android tool you need to first set an environment variable otherwise the tool will complain that ANDROID_SWT is not set.
export ANDROID_SWT=/root/bin/src/prebuilt/linux-x86_64/swt

Now you have to download some of the SDK Framework from the Google website so that you can create your own Android Virtual Device (AVD). Without downloading the SDK platform you will get no output when you issue the following command:
android list targets
After you get the right ANDROID platform you can issue the following commands:
android create avd -n my_android1.5 -t 1
emulator -kernel ~/bin/kern/kernel-common/goldfish/arch/arm/boot/zImage -show-kernel -verbose @my_android1.5

Now you should have a running emulator with your shiny new kernel.
Now if you want to compile your own kernel module and load it into the emulator at runtime then you need to use Android Debug Bridge (ADB) tool. See this post, where the author creates a kernel module. For me I had to modify the Makefile a little as shown below:
EXTRAVERSION = -00054-g5f01537
obj-m += hello.o
PWD := $(shell pwd)
make -C $(KDIR) ARCH=arm CROSS_COMPILE=/root/bin/src1/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi- SUBDIRS=$(PWD) modules

make -C $(KDIR) ARCH=arm CROSS_COMPILE=/root/bin/src1/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi- SUBDIRS=$(PWD) clean

Issue the make command from the directory where you have your makefile and the sources to get hello.ko.
See the partition not mounted as read only by searching for “rw” mount mode by issuing the following command:
/root/bin/src/out/host/linux-x86/bin/adb shell mount
/root/bin/src/out/host/linux-x86/bin/adb push hello.ko /data
/root/bin/src/out/host/linux-x86/bin/adb insmod /data/hello.ko


Kubuntu Static IP Script


I wrote a very small script to set static IPs on a kubuntu box.

if [ $# -lt 4 ]
    echo "Usage: $0 <interface> <ip> <netmask> <gateway> <dns1>"
ifconfig $1 $2 netmask $3
echo "Static IP set"
route add default gw $4
echo "Routes added"
if [ "$5" != "" ]
    echo "nameserver $5" >>/etc/resolv.conf
echo "DNS set"

Backtrack4 on USB (on Windows)


A simple way to install Backtrack 4 on a USB stick is to use UNetBootin. UNetbootin can be used to create live (i.e., bootable images with a fully functional OS on it) USB images. This is the first time I tried this route and it seems to work alright.
Otherwise, if you are the linux fans, our good old friend dd does a great job.

dd if=bt4-final.iso of=/dev/sda bs=4096 conv=noerror,sync