Security Analysis of Social Networks
GRADUATE PROJECT REPORT
Submitted to the Faculty of the Department of Computing Sciences, Texas A&M University-Corpus Christi
Corpus Christi, Texas
in Partial Fulfillment of Requirements for the Degree of Master of Science in Computer Science
by
Vamshi Kancheti
Fall 2010
Committee Members
Dr. Mario Garcia, Committee Chairperson
Dr. Hongyu Guo, Committee Member
Dr. Long Zhuang Li, Committee Member
ABSTRACT
A social network is a social structure made up of individuals who are related to each other through interdependencies such as relationships, friendships, and business contacts. Social networking plays a vital role in modern society: a social network is a place where anyone can maintain a relationship with anyone else irrespective of location. What succeeds invites attention, both good and evil. Given the popularity of social networking websites, the malicious activity of online attackers must be monitored and addressed thoroughly. Risks of social networking include unauthorized account access and the spread of malware. Recent incidents reveal the spread of crime through social networks, and there have been reports of police identifying suspects using Facebook. In the current global world, security is a significant concern. The outline of the project is to identify ways to find evidence against whoever uses social networks in unlawful ways. The main focus of this project is on the currently popular social networks Facebook, Orkut and Twitter. The main task of the project is examining the different locations on a computer where such evidence can be found.
TABLE OF CONTENTS
ABSTRACT
Table of Contents
List of Tables
List of Figures
1. Background and Rationale
1.1 Introduction
1.2 Social Networks
1.3 Types of Social Networking
1.3.1 Facebook
1.3.1.1 Platform and Applications
1.3.2 MySpace
1.3.2.1 Platform and Applications
1.3.3 Twitter
1.3.3.1 Platform and Applications
1.3.4 Orkut
1.3.4.1 Platform and Applications
2. Narrative
2.1 Different types of security analysis
2.1.1 Personal Information Shared
2.1.2 Identity Theft
2.1.3 Applications on Social Network
2.2 Possible Attacks on Social Networks
2.2.1 Attacking Techniques
3. Testing and Evaluation
3.1 Forensics Tools used
3.1.1 FTK
3.1.2 EnCase
3.1.3 ProDiscover
3.2 Methodology
4. Experimentation
5. Results
5.1 Analysis and Results
6. Conclusion and Future Work
BIBLIOGRAPHY AND REFERENCES
LIST OF TABLES
Table 4-1 Test cases and respective expected results
Table 5-1 Test cases and results
LIST OF FIGURES
Figure 1.1 Pictorial Representation of Networks
Figure 1.2 Facebook Homepage
Figure 1.3 Facebook Applications
Figure 1.4 Facebook Security Features
Figure 1.5 Twitter Homepage
Figure 1.6 Twitter after logging in
Figure 1.7 Orkut User Traffic
Figure 1.8 Orkut Home page
Figure 1.9 Orkut features
Figure 1.10 Orkut Applications page
Figure 4.1 FTK Imager startup
Figure 4.2 Adding the physical drive in FTK Imager to acquire
Figure 4.3 Selecting the drive K, which contains evidence files
Figure 4.4 Selecting Raw Format to acquire image
Figure 4.5 Selecting the destination to store the image
Figure 4.6 Creating disk image
Figure 4.7 Image verification
Figure 5.1 AccessData FTK tool interface
Figure 5.2 Starting new case to analyze hard disk
Figure 5.3 Case Log Options
Figure 5.4 Evidence Processing Options
Figure 5.5 Filtering the evidence
Figure 5.6 Adding acquired image to analyze
Figure 5.7 Completion of new case setup
Figure 5.8 Processing Files
Figure 5.9 Files retrieved
Figure 5.10 Filtered files and documents selected
Figure 5.11 Bad extension files
Figure 5.12 File trying to launch
Figure 5.13 File trying to load into computer
Figure 5.14 Setup log file
Figure 5.15 Phishing site trying to steal user credentials
1. BACKGROUND AND RATIONALE
1.1 Introduction
Rapid growth in the dot-com world has given communication over computers a different form over the past few years. Apart from email, this form of communication allows users to share their information with the people they choose all around the world through a common medium. The common example of such a medium is social networking: a web-based application that brings together communities of people who share common interests or activities. The basic services provided by social networks are communities, friend lists, testimonials, and the user's profile. Chat sessions and a number of applications are also available today; a significant number of applications are developed in the gaming field, given the widespread interest in game development.
As the number of users of social networking grows briskly, the major issue that comes into play is security. The security issues primarily considered are password protection, protection of the user's private data, and the privacy of the user. These issues are not only the primary concerns of users and of the owners of social networks; if they are not properly taken care of, they also provide wide scope to attackers.
Apart from the common security issues, the main concern is the database of a particular social network. It has to be handled with the utmost care, and definite rules have to be framed to protect the privacy of users, because the database is the primary target of attackers: breaking into it yields large amounts of data and information.
The exponential growth in the use of social networks can be seen over the past few years. "Social networking has become a fundamental part of the global online experience," said John Burbank, CEO of Nielsen Online (Nielsen Wire). As social networks become part of personal lives, what about their security features? Only the few people who are proficient in using computers know about the attacks on web-based social networks; people who are not aware of computer security become the victims of cyber attacks and lose their private data. Apart from this, there are categories of people who are quite familiar with the web and who misuse social networks in unlawful ways, and there is even scope for accessing others' profiles using their own methods. The focus of the project is to collect evidence against those who are involved in such illegal activities. The project starts by analyzing the popular social networks available on the Internet, their working mechanisms, and the applications supported on them. Different possible attacks are analyzed before collecting the evidence. The evidence is collected with the help of forensic tools such as FTK, EnCase and ProDiscover. The process involves disk imaging and analysis of the different browser-related files that record the use of social networks on the web.
1.2 Social Networks
A social network, in computing terminology, is a social structure made up of individuals or organizations called nodes, where the nodes are connected by one or more specific types of interdependency. This interdependency may be any kind of relation, such as friendship, love, likes and dislikes, regional relationship, prestige or knowledge [Jan Nagy 2009].
A social network uses network theory about nodes and ties to view social relationships. A node in the network represents an individual actor, and ties represent the relationships between nodes. There can be any kind of relationship between two nodes, and also any number of relationships between them.
"Research in a number of academic fields has shown that social networks operate on many levels, from families up to the level of nations, and play a critical role in determining the way problems are solved, organizations are run, and the degree to which individuals succeed in achieving their goals" [Wiki 2009].
Figure 1.1 Pictorial Representations of Networks [Wiki].
Figure 1.1 gives the pictorial representation of social networks, in which the dots indicate individual nodes connected by blue lines, which are the ties between nodes; the ties indicate the communication between nodes. In social networks, nodes represent the individual actors and ties represent the relationships between actors.
1.3 Different types of Social Networks
In the modern digital era, the distance between people has been bridged by the different kinds of social networks available on the web. These social networks offer scope to exchange ideas as well as data. Keeping in mind the growing illegal activities carried out through social networks, this project is a study and analysis of three such social networks: Facebook, Orkut, and Twitter. The data that resides on the computer from which the social networks are used plays a major role in the forensic investigation [Mitchel, J. (nd)].
1.3.1 Facebook
Facebook is a global social networking website that is operated and privately owned by Facebook, Inc. Facebook provides users with a variety of options to maintain contact with friends, loved ones and other people in society. The options include adding friends, sending public and private messages to friends, and updating the profile. In addition, users can be part of different communities on the web through Facebook, such as city, workplace, school and regional communities. The website's name stems from the colloquial name of the books given at the start of the academic year by university administrations with the intention of helping students get to know each other better.
Mark Zuckerberg founded Facebook with his college roommates and fellow computer science students Eduardo Saverin, Dustin Moskovitz and Chris Hughes while he was a student at Harvard University. The website's membership was initially limited to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It later expanded further to include any university student, then high school students, and, finally, anyone aged 13 and over. The website currently has more than 300 million active users worldwide [Wiki 2009].
1.3.1.1 Platform and Applications
Although Facebook had a very limited number of applications when it was first introduced, over time it has developed and launched many applications, making the use of the website more convenient and much more advanced for users. The most popular applications that Facebook has today are as follows:
• Photos: through this application users can upload albums and photos. Status messages allow users to inform their friends of their whereabouts and actions. A user's Wall is visible to anyone who is able to see that user's profile, depending on privacy settings. In July 2007, Facebook began allowing users to post attachments to the Wall, whereas the Wall was previously limited to textual content only.
• Tag: this application is used to label users in a photo. For example, if a photo contains a user's friend, the user can tag the friend in the photo. This sends a notification to the friend that they have been tagged, and provides them a link to see the photo.
• Facebook released a Comet-based instant messaging application called "Chat" to several networks, which allows users to communicate with friends and is similar in functionality to desktop-based instant messengers.
• Facebook launched the Gifts application on February 8, 2007, which allows users to send virtual gifts to their friends that appear on the recipient's profile. On July 20, 2008, Facebook introduced "Facebook Beta", a significant redesign of its user interface on
selected networks. The Mini-Feed and Wall were consolidated, profiles were separated into tabbed sections, and an effort was made to create a "cleaner" look. After initially giving users a choice to switch, Facebook began migrating all users to the new version beginning September 2008. These are some of the famous applications used in Facebook, which have made Facebook one of the leading social networking websites in the dot-com world [Facebook 2009].
Figure 1.2 Facebook Home Page.
Figure 1.2 is a pictorial representation of the Facebook home page, which consists of a login column for the existing user to enter the user's account and a signup column for the new user who is interested in creating a user account. The sign-up column has five different sections asking the user to enter the full name of the user, any existing email address, a password for the account, the gender of the user and the date of birth of the user.
Figure 1.3 Facebook Applications.
Figure 1.3 is a pictorial representation of the applications in Facebook. This figure shows many applications and features available in Facebook, such as the friends list, requests, suggestions, Highlights and news feed.
Figure 1.4 shows the different security options available on Facebook. Users can alter their settings according to their preferences. Examples of this kind of security feature are changing the password, changing the email address associated with Facebook, and so on.
Figure 1.4 Facebook Security Features.
In January 2009 Facebook was ranked the second most used social network worldwide after MySpace by compete.com [Facebook 2009].
Privacy Settings:
Friend Lists: Facebook provides an option to organize the user's friend list. A user can create groups of friends according to the category they belong to, such as family, friends, school, organization, community, region and so on. Each group can be assigned some privacy policies; for example, a user may want to give access to a photo album to friends only. One friend can be in two groups.
Hide from search results: Under Facebook privacy settings there is an option for users to hide their own profile from unwanted people visiting it. Users can even control their visibility on search engines like Google, Yahoo and others.
Tags on photos and videos: Users can protect their name from being tagged in photos or videos shared by others. Facebook provides four options, Friends of Friends, Only Friends, Some Friends and Only Me, which a Facebook user can use to control who is allowed to tag his/her profile in shared photos or videos.
Wall Posts Privacy: Users can customize their wall posts and avoid unnecessary posts on their wall. A user can restrict people from writing on their wall, and can hide unnecessary wall posts or News Feed items on his/her wall. A user can also avoid having his/her private stories shown in friends' News Feeds.
Contact Information Privacy: Users can set the visibility of their contact information; they can even hide the visibility of their friends' information through their profile [Nick O'Neill].
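The following is an added example, not code from the report or from Facebook. It models the node-and-tie graph of section 1.2 and uses it to enforce the four tag audiences listed above (Friends of Friends, Only Friends, Some Friends, Only Me). The graph, the actor names and the mapping of "Some Friends" onto a named friend list are constructed assumptions for illustration; the point is that each audience is a reachability question over friendship ties, and that a non-friendship tie (here a "business" tie) must not count as a friend.

```python
"""Social graph (nodes and ties) with Facebook-style tag audiences.

Added example, not from the report. Nodes are actors, ties are labelled
relationships; only ties labelled "friendship" count toward the audiences.
"Some Friends" is assumed to mean a named friend list owned by the user.
All names and ties below are constructed sample data.
"""
from collections import defaultdict
from enum import Enum


class Audience(Enum):
    FRIENDS_OF_FRIENDS = "friends_of_friends"
    ONLY_FRIENDS = "only_friends"
    SOME_FRIENDS = "some_friends"
    ONLY_ME = "only_me"


class SocialGraph:
    """Undirected graph: node -> {neighbour: tie_type}."""

    def __init__(self):
        self.ties = defaultdict(dict)
        # owner -> {list_name: set(members)}; members must be friends of owner
        self.friend_lists = defaultdict(dict)

    def add_tie(self, a, b, tie_type="friendship"):
        self.ties[a][b] = tie_type
        self.ties[b][a] = tie_type

    def friends(self, node):
        """Neighbours joined by a friendship tie (business ties are excluded)."""
        return {n for n, t in self.ties[node].items() if t == "friendship"}

    def friends_of_friends(self, node):
        """Friends plus their friends, never the node itself."""
        fof = set()
        for f in self.friends(node):
            fof |= self.friends(f)
        fof.discard(node)
        return fof | self.friends(node)

    def define_friend_list(self, owner, name, members):
        # A friend list can only contain actual friends; strangers are dropped.
        self.friend_lists[owner][name] = set(members) & self.friends(owner)

    def can_act(self, owner, actor, audience, list_name=None):
        """May `actor` tag (or otherwise act on) `owner` under this audience?"""
        if actor == owner:
            return True
        if audience is Audience.ONLY_ME:
            return False
        if audience is Audience.ONLY_FRIENDS:
            return actor in self.friends(owner)
        if audience is Audience.FRIENDS_OF_FRIENDS:
            return actor in self.friends_of_friends(owner)
        if audience is Audience.SOME_FRIENDS:
            return actor in self.friend_lists[owner].get(list_name, set())
        raise ValueError(f"unknown audience {audience!r}")


def build_sample_graph():
    """Constructed sample: alice-bob-carol chain, alice-dave, and a business tie."""
    g = SocialGraph()
    g.add_tie("alice", "bob")
    g.add_tie("bob", "carol")
    g.add_tie("alice", "dave")
    g.add_tie("alice", "acme_corp", "business")  # not a friendship tie
    g.define_friend_list("alice", "family", ["dave", "carol"])  # carol is not a friend
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for who in ("bob", "carol", "dave", "acme_corp"):
        print(who, [a.value for a in Audience
                    if g.can_act("alice", who, a, "family")])
```

Running the block prints, for each actor, which of alice's audience settings would let that actor tag her; carol (a friend of a friend) only gets through under Friends of Friends, and the business contact never does.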
Security Attacks:
Most Hilarious Video Attack:
One of the recent attacks lures Facebook users into accessing a video tagged as the "most hilarious video ever" on Facebook; the title of the video may vary. When the video link is clicked, it directs the user to a fake Facebook login page, through which the attacker can steal the user's login information. After the sign-in process, the browser jumps to the original Facebook and prompts the user to download an HD media player. What happens next depends on the location of the user. For example, if the user is from the United States, it prompts to download an HLV player to play the video; if the user is from the United Kingdom, it forces the user to take an IQ quiz and redirects the user to a page containing a "win an iPad" offer that forces the user to fill in details such as address and phone number. All this information reaches the attackers as soon as the user hits the register button on the "win an iPad" page [websense].
Likejacking:
Clickjacking or likejacking is an attack that tricks the user into posting a message to their own page saying that they like a malicious link. This worm attracts users with messages like: "LOL This girl gets OWNED after a POLICE OFFICE reads her STATUS MESSAGE" or "The Prom Dress That Got This Girl Suspended From School". When the user clicks on a message like this, the worm redirects the user to a blank page with the message "click here to continue". If the user clicks anywhere on the page, a message is posted on the user's news feed saying that the user likes the malicious link; it is shared among the user's friends, and thereby it spreads all over [Elinor Mills] [sophos].
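Likejacking (and the transparent-image variant described later for MySpace) works only if the attacker's page can load the target site inside an invisible frame, so the standard defence is for the site to tell browsers not to frame it. The following added example, which is not code from the report or from any of the sites it discusses, audits a response's headers for that protection and adds the missing headers. The header values and the `frame_protection`/`harden` function names are constructed for illustration.

```python
"""Audit and harden HTTP responses against clickjacking / likejacking.

Added example, not from the report. `frame_protection(headers)` reports
whether a response forbids framing via Content-Security-Policy
frame-ancestors or X-Frame-Options; `harden(headers)` adds both.
Header dictionaries used here are constructed samples.
"""


def _get(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _csp_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def frame_protection(headers):
    """Return 'protected', 'partial' or 'unprotected'."""
    csp = _get(headers, "Content-Security-Policy")
    if csp:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            sources = [a.lower().strip("'") for a in ancestors]
            if "*" in sources:
                return "unprotected"     # any origin may frame the page
            return "protected"           # 'none', 'self' or an explicit allowlist
    xfo = _get(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected"
        if value.startswith("ALLOW-FROM"):
            return "partial"             # obsolete; modern browsers ignore it
    return "unprotected"


def harden(headers):
    """Return a copy of `headers` with framing restricted to the same origin."""
    out = dict(headers)
    if _get(out, "X-Frame-Options") is None:
        out["X-Frame-Options"] = "SAMEORIGIN"
    csp = _get(out, "Content-Security-Policy")
    if csp is None:
        out["Content-Security-Policy"] = "frame-ancestors 'self'"
    elif _csp_frame_ancestors(csp) is None:
        out["Content-Security-Policy"] = csp.rstrip("; ") + "; frame-ancestors 'self'"
    return out


if __name__ == "__main__":
    sample = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
    print("before:", frame_protection(sample))
    print("after: ", frame_protection(harden(sample)))
```

A CSP `frame-ancestors` directive takes precedence over `X-Frame-Options` in browsers that support both, which is why the audit checks CSP first; `harden` sets both so that older browsers are covered too.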
Phishing Attack:
This attack spreads as emails with subjects like "Richard sent you a private message Subject: Hello check 121.im"; the link redirects to a Facebook-like page, which is actually a fake Facebook site prompting the user to log in. If the user enters his login details, they are sent to the attacker [Aurellja].
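The common thread of the video lure, the likejacking post and the "private message" email above is a link that claims to lead to Facebook but points elsewhere. The following added example, which is not code from the report or from Facebook, is a defender-side check of that pattern: it extracts the links in a notification message, compares each link's registrable domain with an allowlist of the real site domains, and flags look-alike hosts that merely contain the brand name (such as `facebook.com.evil.example`). The sample messages, the `LEGIT_DOMAINS` allowlist and the two-label domain heuristic are constructed assumptions.

```python
"""Flag suspicious links in social-network notification messages.

Added example, not from the report. A link is "legitimate" only if its
registrable domain is one of the site's real domains; a host that contains
a brand name without being that domain is a "lookalike"; anything else is
"external". Sample messages below are constructed after the attacks
described in the text.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"facebook.com", "twitter.com", "orkut.com", "myspace.com"}
BRANDS = ("facebook", "twitter", "orkut", "myspace")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (adequate for .com-style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Brand name buried in a subdomain or hyphenated host: classic phishing.
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "external"


def scan_message(text):
    """Classify every link in a message; any non-legitimate link is suspicious."""
    links = [(url, classify_link(url)) for url in URL_RE.findall(text)]
    return {"links": links, "suspicious": any(v != "legitimate" for _, v in links)}


# Constructed sample notifications (not real messages).
SAMPLES = [
    "Richard sent you a private message. Subject: Hello check http://121.im/xyz",
    "Your friend tagged you in a photo: https://www.facebook.com/photo",
    "Verify your account now: http://www.facebook.com.evil.example/login",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg))
```

The domain heuristic is deliberately simple; a production check would use a public-suffix list so that hosts such as `example.co.uk` are split correctly, but the logic (compare the registrable domain, not the hostname string) is the part that matters against the subdomain trick.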
Phishing Page with Exploits:
This looks like a normal phishing technique, but the phishing page contains a web exploit toolkit. Depending on the user's browser, this toolkit delivers a variety of exploits to the browser. For example, if Firefox is used, the web exploit toolkit pushes a Trojan named TROJ_PIDEF.PAL in .PDF format, which allows the Trojan's owner to run any malware function on the victim's computer. If the exploit fails, the user's safety is still not ensured: the phishing page prompts the user to download a file named updatetool.exe. This executable drops files into a folder with hidden attributes so that they pass unnoticed by the user, and alters registry entries so that it loads at system startup. Once it is resident on the operating system, it starts communicating with the attacker's computer through a website it accesses. The injected file contains information such as where to download updates for itself, which websites to monitor, which credentials to steal, and the address to which the stolen information is sent. The malware waits until the user accesses the websites listed in it and steals the information entered on those sites [Web Threat Spotlight].
Worm Based Virus:
In this kind of attack, a worm spreads as a message on users' accounts containing an alluring link like "LOL. You, have been caught on hidden camera". This link redirects the user to a YouTube-like page and forces the user to install a certain Flash player. When the user tries to install the Flash player, a malware installation is started instead. The vicious side of the worm is that it captures the profile picture of the infected user and adds it to the linked website containing the worm, so that it looks genuine to the next probable victim [Michael Arrington].
Bredolab Attack:
This attack forces Facebook users to download malicious executables onto their computers by sending a false message. The false message appears to come from the Facebook support team. The message contains a .zip attachment enclosing an executable file which, when clicked, downloads more malicious executables and joins the computer to the Bredolab botnet. With that, the Bredolab botnet gains full access to the victim's computer. The malicious executables just downloaded turn off the local firewall and run identity-related thefts [Ryan Naraine].
1.3.2 MySpace
MySpace is one of the leading social networking websites. Its headquarters are in Beverly Hills, California, USA, where it shares an office building with its immediate owner, Fox Interactive Media, which is owned by News Corporation. MySpace became the most popular social networking site in the United States in June 2006. The very first MySpace users were eUniverse employees. The company held contests to see who could sign up the most users, and then used its resources to push MySpace to the masses: eUniverse used its 20 million users and e-mail subscribers to quickly breathe life into MySpace and move it to the head of the pack of social networking websites. A key architect was tech expert Toan Nguyen, who helped stabilize the MySpace platform when Brad Greenspan asked him to join the team. Throughout 2007 and 2008, MySpace redesigned many of the features of its site in both layout and function. One of the first functions to be redesigned was the user home page, with features such as status updates, applications, and subscriptions being added in order to compete with Facebook. In 2008, the MySpace homepage was redesigned, and MySpace Music was recreated in fall 2008 along with an updated version of the MySpace profile [My Space 2009].
1.3.2.1 Platform and Applications
The applications that are provided by MySpace are as follows:
• Bulletins are posts that are posted to a "bulletin board" for everyone on a MySpace user's friends list to see. Bulletins are deleted after ten days.
• MySpace has a Groups feature, which allows a group of users to share a common page and message board. Groups can be created by anybody, and the moderator of the group can choose to let anyone join, or to approve or deny requests to join. In early 2006, MySpace introduced MySpace IM, an instant messenger that uses one's MySpace account as a screen name. A MySpace user logs in to the client using the same e-mail address associated with his or her MySpace account. Unlike other parts of MySpace, MySpace IM is stand-alone software for Microsoft Windows. Users of MySpace IM get instant notification of new MySpace messages, friend requests, and comments.
• MySpace TV: in early 2007, MySpace introduced MySpace TV, a service similar to the YouTube video sharing website. MySpace TV is now in beta, and will probably be launched as a separate site in either 2008 or early 2009. MySpace TV might become a standard channel shown on television. The above are some of the important applications used by MySpace website users [MySpace 2009].
Privacy Settings:
Profile privacy setting: The default profile privacy setting allows any MySpace user to view the profile; this applies to any user aged 18 and above. Users can control who can visit their profile by changing the setting to "Only my friends", which is the default for users under the age of 18. Users who are over 18 can control the visibility of photo albums, videos and blogs. Users can make playlists and events available to anyone [Myspace].
Security Attacks:
Koobface Attack:
This attack was detected by Kaspersky Lab. Kaspersky detected two variants of the attack, one of which attacked Facebook and the other MySpace. Worm.Win32.Koobface.a attacked MySpace. This attack downloads malicious code through the MySpace account, which transforms the user's infected computer into a zombie computer forming part of a botnet. The worm creates a spam message and sends it to the users in the friend list. Generally this message attracts users with alluring video links. When the user tries to access the video, it prompts the user to install or update the Flash player with an executable file named "codecsetup.exe". This malicious file downloads more malicious files, leading to identity theft [Kaspersky labs].
Image Attack:
The attacker places a transparent image covering the MySpace website and forces the user to click anywhere on the image. This single click redirects the user to a
MySpace-like fake page, which prompts the user to log in to their MySpace account. This fake link transports the user's login information to the attacker [Security Focus].
1.3.3 Twitter
Twitter is one of the most commonly used social networking services, and it also falls under the category of micro-blogging services; it was developed and is maintained by Twitter Inc. According to a recent survey, about 65 million tweets are posted each day, which is equivalent to about 750 tweets sent each second. The basic mechanism of this social networking site is to send and view the messages posted by different users; these messages are known as tweets. The maximum length allowed for a single tweet is 140 characters, the format is text-based, and these messages are displayed on the account owner's page.
Figure 1.5 Twitter homepage
Figure 1.5 shows how the Twitter home page looks. It has options such as sign up and sign in, and it even provides a search bar to find people on Twitter.
1.3.3.1 Platform and Applications
Security is one of the prime concerns of Twitter. Twitter collects the personal data entered by the account's user and gives it to third parties for their use. One important point is that Twitter does not directly encourage any kind of advertising; the only way to advertise is by sending tweets. Twitter faced a serious security vulnerability in September 2007, where a user's updates could be made by another user; this vulnerability was later found to be SMS spoofing. Using this spoofing attack the attacker could retrieve the phone number associated with the user's account. This was resolved by issuing a personal identification number for accessing the account through SMS, making it more secure. Before this vulnerability was discovered, another security issue had been identified in 2005: administrator account passwords were cracked through a dictionary attack, and illegal content such as drug and sexual material was passed through the cracked accounts. This problem was fixed by introducing verified accounts, through which celebrities and well-known people are asked to confirm their existing Twitter account names. The other bug, which came to light after these two attacks, was very important: it made users follow a different account without the user's knowledge. This problem was then taken seriously, and the FTC took several steps to provide security for users' information [Twitter].
After signing into Twitter, the wall page shows the tweets posted by the users he/she follows. Figure 1.6 clearly shows the tweets on the wall. Related links can be seen in the right corner of the screen.
Figure 1.6 Twitter after logging in
Privacy Settings:
On Twitter, user tweets are displayed publicly unless the "protect my updates" setting is enabled. Upon setting "protect my updates", Twitter stops publishing the user's update information publicly; with this setting, updates from the user are only shared with the people approved by the user [Ofzen and computing].
Security Attacks:
Denial of Service Attack:
On August 6, 2009 the Twitter website was shut down for 4 hours by a Denial of Service (DoS) attack. In this attack the attacker created a worm and sent it out on the network. This worm consumed the bandwidth designated for Twitter and a few other social networks: huge volumes of unnecessary information were sent out on the network, which made the network busy and caused the DoS. "Cyxymu" is the user name of the account from which the DoS attack was carried out. From the account Cyxymu, in the form of tweets, the worm spread rapidly over the Twitter network, thereby causing huge network traffic. McAfee found that attackers were using search engine optimization techniques to attract people to access malicious websites, and such a method was used to spread the DoS attack [Miko] [Niko Nergaze] [Brian Prince].
Worm Infects Twitter:
In 2009 four serial attacks were carried out. A worm attacked Twitter in four different attacks in a series of steps, each time increasing the intensity with which the worm spread and stole personal information from Twitter accounts. This worm automatically updated the user information and statuses of users on the Twitter website. The worm spread into Twitter by exploiting a cross-site scripting vulnerability [Stefanie Hoffman].
Phishing Attack:
The recent phishing attack on Twitter used torrents as a medium to gain access to Twitter user accounts. Innocent users who are looking for information in forums are the victims of this torrent-based attack. Attackers create some torrent links which redirect the user to a Twitter-like page and prompt them to enter login details, and thereby the attackers gain access to the user's Twitter account [Stan Schroeder].
1.3.4 Orkut
On January 24th 2004 Google launched a revolutionary free-access social network called Orkut, to help people in maintaining relationships with friends and loved ones. Orkut is named after Google employee Orkut Büyükkökten, who is the founder of Orkut. It allows the user to add new friends and communities to his/her profile. Along with this feature, Orkut also provides the user with additional space to upload photos and videos to their profiles [Wiki-Orkut].
Figure 1.7 Orkut User Traffic.
Figure 1.7 shows the statistics of Orkut user traffic in different countries. Even though in the United States Facebook and MySpace are visited more than Orkut, India and Brazil have a significant number of users. Statistics show that 50% of Orkut users are from Brazil, followed by India with 15%, as of May 13th 2009 [Wiki 2009].
1.3.4.1 Platform and Applications
A user first creates a "Profile", in which the user provides "Social", "Professional" and "Personal" details. Users can upload photos into their Orkut profile with a caption. Users can also add videos to their profile from either YouTube or Google Video, with the additional option of creating either restricted or unrestricted polls for polling a community of users. There is an option to integrate GTalk (an instant messenger from Google) with Orkut, enabling chatting and file sharing; currently GTalk has been integrated into Orkut, so users can chat directly from their Orkut page. A new feature in Orkut is Themes: users can change their interface from a wide library of colorful themes. Themes are currently only available in India and Brazil. Members can make groups to join friends according to their wishes. Further, each member can become a fan of any of the friends in their list and can also evaluate whether a friend is "Trustworthy", "Cool" or "Sexy" on a scale of 1 to 3 (marked by icons), which is aggregated as a percentage. Orkut allows anyone to visit anyone's profile, unless the potential visitor is on the "Ignore List". Importantly, each member can also customize their profile preferences and can restrict the information that appears on their profile from their friends and/or others. Another feature is that any member can add any other member on Orkut to his/her "Crush List", and both of them
will be in
[Orkut 20
Figure 1.
Figure 1.9
many app
the friend
nformed only
009].
8 shows the
9 is a pictori
plications and
ds list, reques
y when both
Figure 1.8
Figure 1.
e Orkut hom
ial represent
d features av
sts, suggestio
22
h parties hav
Orkut Home
.9 Orkut feat
me page, wh
tation of the
vailable in O
ons, my com
ve added eac
e Page.
tures.
hich has opti
applications
Orkut. This f
mmunities an
ch other to th
ions for sign
s in Orkut. T
figure shows
nd apps.
heir "Crush
n in, and sig
This figure s
s application
List"
gnup.
shows
s like
Figure 1.1
shows ma
applicatio
Privacy S
Orkut pro
allow scr
option us
and profi
notificatio
notificatio
user can h
Orkut use
photo alb
called pri
sender on
Fig
10 is a pictor
any applicati
ons like the a
Settings:
ovides the p
aps to be w
er can has c
le changes w
ons on his/h
ons sent, wh
have control
er can restric
ums, videos
ivate scraps;
nly [Doree].
gure 1.10 Or
rial represen
ions and feat
ask friends, s
privacy settin
written by, an
choice to sh
with their fr
her profile w
hen user visi
l over who c
ct the others
s and testimo
with this fe
23
rkut Applica
ntation of the
tures availab
stylish fonts
ngs in four
nd allow co
hare his/her
friends. Profi
when visited
its others pr
can visit his/
from viewin
onials [teck
eature the sc
ations Page.
e application
ble in Orkut.
and scraps,
categories,
ontent viewe
updates on
file visitors:
by friends
rofile. Allow
/her scraps.
ng personal
in]. Recentl
crap from a
ns in Orkut. T
This figure
photos and
my updates
ed by. My u
photos, vid
User can c
or anyone,
w scraps to b
Allow conte
information
ly Orkut add
sender is vi
This figure
shows
add apps tab
, profile vis
updates: with
deos, testimo
hoose optio
and can sto
be viewed: O
ent to be vie
n of that user
ded a new fe
isible to use
b.
sitors,
h this
onials
on get
op the
Orkut
ewed:
r, like
eature
er and
24
Security Attacks:
XSS:
XSS on Orkut is a message-based attack: a user receives scraps (messages) from friends that contain malicious script. As soon as the user opens the scrap from their account, the malicious code starts executing. It works through cross-site scripting: the injected script runs in the context of the user's Orkut session and steals the user's credentials and cookies, redirects the user to a fake page, and automatically installs keyloggers and viruses on the victim's computer [Vikas].
Spam phishing attack:
This attack starts from the "Updates from my Friends" section. Spam messages are posted as status updates from a friend of the user. A typical spam message is a link like "CHECK my nude pictures", which redirects the user to the website "hxxp://orkut2010new.blogspot.com". This page looks very similar to the Orkut login page and prompts the user to enter login information; the page then sends the user's credentials to the attacker [Satyendra Kumar].
Spoofed Email Attack:
In this attack spam emails are sent to Orkut users. The email claims that the user is being investigated and that the account will be terminated within 72 hours; if the user wants to stay connected with Orkut, they must click the link below. When the user clicks the link, malicious code is executed on the victim's computer: a Trojan called "regulamento_orkut.exe" is downloaded, which in turn downloads another malicious file named "fax.exe". This file copies itself to different locations on the victim's computer under different names, starts along with the operating system, and monitors the user's browser activity to steal credentials [Aurellja 2008].
2. NARRATIVE
This project analyses the possibilities of misusing social network sites due to irresponsible behavior of users. Recent surveys show that problems in social networks occur more often because openness is one of the key features of these sites. Social engineering can be used by attackers against social network users with the purpose of gaining sensitive information. There is a conflict between users' security awareness and their actual behavior, the so-called privacy paradox. This project is interested in the amount of information that can be retrieved from the hard drive when an illegal activity has taken place. There might be sensitive information stored on the hard drive that could be useful as evidence in a case. The hard drive of a computer is analyzed through a series of steps to estimate the security vulnerabilities of social networks.
The first step of the project is taking a clean disk image. Then the designed test cases are deployed on that computer. In this project, four different operating systems are installed on the test disk; one of them is used to perform the test cases, so that the search operation runs over a hard drive holding a large amount of data. For analyzing the hard drive, this project uses three forensic tools: FTK, EnCase and ProDiscover. FTK and EnCase are used to capture the disk image, as explained in the section Forensic Tools Used.
This section explains more about security analysis and possible attacks on social networks.
2.1 Social Networks and Security Analysis
2.1.1 Personal Information Shared
Social networks provide space for users to publish their personal information on the web. Personal information can be published in two modes: private and public. Because the private mode limits what can be shared, most users expose their personal data publicly, which makes them easy targets. Personal information on social networks may reveal more about a particular user when combined with information from different websites [R. Gross and A. Acquisti]. Most teenagers on social networks reveal their personal information to their friends on the web. Powerful search options that break down the barriers to reaching anyone on the web, and technology improvements in general, are threats to the digital security wall. Technology advancements are becoming the root cause of the loss of private information [Jan Nagy and Peter Petcho].
2.1.2 Identity Theft
Identity theft is a big challenge to any social network user. Traces of personal information like name, date of birth, location etc. in the hands of hackers or attackers lead to this issue. Identity theft is stealing personal information like social security number, name and other credentials and pretending to be the other user. Social networks are prone to this kind of attack; phishing and spyware are example ways to carry out identity theft. It is easy to list a user's details by knowing their name and location. Even the first three digits of a social security number reveal information such as where it was issued, and therefore the physical location of the user [R. Gross and A. Acquisti]. With all these details anyone can make a clone of the other account and misuse it.
2.1.3 Applications on Social Networks
There has been exponential growth in the number of users of social networks in the last 5 years. What made an impact on such growth? The answer is simply competition. The iPhone proved to be the top product in the mobile sector because of its extensive application list. Apple and Facebook realized the importance of third party applications and took steps towards accepting third party applications on their platforms. From there, it spread to all other social networks. In the early days of third party applications, they needed an approval process, which became cumbersome for website maintainers. As this information is made public, key concerns about security have been raised. The available Application Programming Interfaces (APIs) are divided into two groups, public and private. Public APIs do not provide much support for authentication and security, whereas private APIs are made to work with the authentication process. Private APIs require high-level data access, so vendors made an agreement process with users to share their information. Recently, many social networking vendors have concentrated on security and on enforcing security protocols in developing applications [Marc Grosz et al.].
2.2 Possible Attacks on Social Networks
In 2005, a very dangerous attack on MySpace was observed: the Samy worm. Samy spread over MySpace very fast by using loopholes in that social network. Even though Samy did not extract personal information from the social network, it seriously affected the functioning of the site. In 2009 the now popular social network Twitter was affected by the Mikeyy worm, which altered personal profiles on Twitter. Around the same time another worm, Koobface, was spreading; it first attacked Facebook and then spread to other social networks.
Attackers are now capable of extracting more information, such as commercial and corporate secrets along with personal information, through social networks using worms they have designed [Chengyu Fan]. A survey report from Sophos shows that 62.8 percent of employees revealed their personal information on social networks [Sophos]. Cyber criminals are using social networks efficiently for illegal earnings through malware and spam applications. Over 40,000 malicious files were collected by Kaspersky Lab in 2008 [Gostev].
2.2.1 General Attacking Techniques
Spam: Spam, which earlier spread by email, now also spreads through social networks. Spam damages the network by residing on the computer. Spam mainly spreads through advertisements with the help of the friend list on the social network.
Third party applications: Flaws in the security features of third party applications are the major avenue through which attackers get access to social networks. As the number of applications increases, the number of flaws increases, thereby resulting in loss of data.
Worm: Worms replicate themselves automatically. Worms on social networks are specialized in stealing personal information like passwords, bank account numbers etc.
XSS: Script is injected into pages of the social network, which steals cookies, takes over the account and forces the user to download malware.
Plug-in: Some applications on social networks prompt the user to install plug-ins like Flash and Silverlight. Flaws in these plug-ins are a threat to personal information.
Phishing: In this attack, the attacker pretends to be a legitimate user and sends requests to other users using his own URLs, gaining access to their personal information when they accept the request [Chengyu Fan].
Viral Marketing: Attackers exploit users' willingness to receive advertisements from friends. The attackers make the marketing malware function through attractive videos or advertisements. The only investment for the attackers is marketing the videos or advertisements [Nisheeth Shrivastava].
3. TESTING AND EVALUATION
3.1 Forensic Tools Used
3.1.1 FTK
Forensic Toolkit (FTK) is a widely known computer forensics tool. FTK generates images of the media to be preserved. The tool analyzes registry entries on the computer in addition to guiding the investigation. FTK provides file decryption and report generation. The tool is capable of recovering passwords for over a hundred applications. Users can access over two hundred distinct file formats and create audit reports and case documents. FTK is compatible with other available forensic solutions. Sophisticated search approaches are implemented in FTK to retrieve images, documents and deleted documents. It can also recover information that has been stored in protected form.
FTK is designed to flag known and objectionable content using file filter concepts such as the Known File Filter (KFF), which includes about forty-five million hashes. FTK allows distributed processing, which is very effective. The tool also includes sophisticated analytic approaches such as RAM dump analysis, identification of objectionable content, an effective search index and support for known encryption schemes. A rich graphical interface supported by numerous features makes FTK a unique forensic analysis tool, enabling clear reporting and support for multiple character encodings.
3.1.2 EnCase
EnCase is a computer forensic tool used for analyzing digital media; the product was introduced by Guidance Software. This software plays a vital role in finding and investigating evidence of criminal and network crime, and is also used by law enforcement for collecting digital forensic evidence. The software includes different types of tools which are used for acquiring data and recovering different types of files. EnCase is undoubtedly one of the most important and well known forensic products on the market, and is well known for verification of evidence. EnCase is most commonly used for making an image of a hard drive or any other digital media; as soon as the image is made, EnCase starts verifying it against the digital media that was imaged. One important feature of EnCase is that it can be used in large organizations where the systems are connected over a wide area network; it can be used on any system in that network without disrupting operations. Snapshot is a special feature of EnCase which enables the examiner to capture key volatile and binary data from the different systems on the network. The software can also analyze data live on a system without being visible to the attacker.
3.1.3 ProDiscover
Another tool that assists investigations is ProDiscover. This tool makes a big impact for the administrators or developers who use it. ProDiscover efficiently addresses incident response and provides e-discovery. This tool retrieves information while safeguarding the evidence. ProDiscover provides a search facility for the whole drive, enabling smooth forensic analysis. Support for VMware virtual disks is provided as well. Preview of large document volumes is offered. ProDiscover independently creates and maintains hashes to establish data integrity. The tool dynamically previews and searches protected regions of the hard drive, recovers lost files and examines old files.
3.2 Methodology
The main aim of the project is to find evidence in support of a case that involves social networks. The collection of evidence starts with analyzing the hard drive on which the social network has been used. Evidence related to the case can be identified by carefully looking into files that have been altered by the use of social networks. This information can be extracted with the help of forensic tools like FTK, EnCase, ProDiscover and others.
The steps followed in this project are:
Step 1: Clean hard drive image
A clean hard drive is taken, with just the operating system installed. This project uses a hard drive with the Windows 7 operating system. In order to estimate the performance of the search operations in the tools, the volume of files to be searched is increased significantly by installing three more operating systems that share the file system. Given the large number of files in a single operating system installation, the combination of files from several operating systems meets our test criterion. The hard disk is removed from the testing computer and connected to the forensic workstation to capture the disk image. FTK and EnCase are used to capture the disk image. A bit-by-bit copy format is used to guarantee no loss of evidence. To ensure data integrity, a write-blocker is used; the write-blocker prevents the forensic workstation from altering information on the evidence disk.
Step 2: Performing the test cases
Now the hard disk is put back in the testing computer, which is connected to the Internet, and different activities are performed on social networks. The social networks used for this project are Facebook, Orkut and Twitter.
The test cases are as follows:
1) A chat session was established on each of the specified social networks and continued for a while. Then the chat history in the browser was cleared.
2) Different third party applications were used, like games, fortune cookies, business applications, health applications, quiz applications and more.
3) Advertisements and videos were accessed.
4) Public and private messages were exchanged and a few of them were deleted.
5) New friend requests were sent from the evidence computer and a few were accepted. Some friends were deleted from the friend list. The user joined a few communities and withdrew from a few communities.
6) The user profile was updated.
7) Some of the applications were added to favorites.
8) Pop-up messages were accessed and some plug-ins were installed.
These test cases are performed to check the information flow when each activity is performed. This project records the changes to the hard drive caused by these activities. The test cases are deployed under two conditions: once with the firewall turned on and once with the firewall turned off.
Step 3: Imaging the hard drive
Now the hard drive is again connected to the forensic workstation for examination. The hard disk image is captured with the help of the forensic tools FTK and EnCase.
Step 4: Examining the images
The two images, one from before any activity and one from after deploying the test cases, are examined using FTK.
Step 5: Reporting the changes
The differences between the contents of the two images are examined and logged. Initially, the size of the contents of the two images gives a picture of the amount of data that might be exchanged through social networks. The report includes the different URLs accessed other than the social network URLs.
4. EXPERIMENTATION
Step 1: Acquiring Clean Hard Disk Image
Figure 4.1 shows the FTK Imager interface. FTK Imager is used to acquire the hard disk image, as the first step in the project. A clean hard disk is taken and its image is acquired. The hard disk image acquisition is shown in this section.
Figure 4.1 FTK Imager startup
Figure 4.2 shows the image acquisition step, which involves selecting the drive to capture the image from. In this project, the hard drive consists of two logical drives, of which only one contains the operating system files. This project analyses the changes made to system files when social networking websites are accessed. So, only the logical drive that contains the operating system files is added as the evidence drive. In figure 4.3, it is clearly visible that the K drive is added as the evidence drive. The K drive contains all the system files which need to be investigated.
Figure 4.2 Adding the physical drive in FTK Imager to acquire
An important step in any forensic investigation is to avoid data loss. To make sure there is no loss of data, the hard disk image is formed by a bit-by-bit copy. Figure 4.4 shows the options available for selecting the image format in the FTK Imager tool. Raw (dd) is the bit-by-bit format used in this project.
Figure 4.4 Selecting Raw Format to acquire image
For further investigation, the image needs to be saved on the forensic investigating computer. Figure 4.5 shows selecting the destination to store the image on the forensic workstation.
Figure 4.5 Selecting the destination to store the image
Figure 4.6 shows the progress of acquiring the hard disk image in "Raw" format.
Figure 4.6 Creating disk image
After finishing the acquisition, the image needs to be verified to ensure data integrity. To check the integrity, FTK Imager computes hash values of the hard disk and of the image. A drastic change in the hash value can be seen even with a change of a single bit. Figure 4.7 shows the verification result: the computed and reported hash values match.
Figure 4.7 Image verification
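The acquisition and verification steps above (the bit-by-bit Raw (dd) copy of Step 1 in the Methodology, then the hash comparison of Figure 4.7) can be reproduced in a few lines. The following Python code is an added example, not part of the report and not FTK Imager's code: it copies a stand-in evidence drive (a constructed 4 KiB byte string, no real disk is read) block by block, hashes the source during acquisition, verifies the stored image against those hashes, and shows that flipping a single bit makes verification fail.

```python
import hashlib
import io
import random

BLOCK = 512  # sector-sized reads, like dd's default block size

def acquire_raw(source, sink, block_size=BLOCK):
    """Bit-for-bit copy of `source` into `sink` (what FTK Imager's "Raw (dd)"
    format produces), hashing the source as it is read so that the acquisition
    hashes describe the evidence itself, not the copy."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        sink.write(block)
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def hash_image(data, block_size=BLOCK):
    """Recompute MD5 and SHA-1 over a stored image (the "computed" hashes in
    the verification dialog)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for i in range(0, len(data), block_size):
        chunk = data[i:i + block_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(data, report):
    """True only when both recomputed digests equal the acquisition report's."""
    computed = hash_image(data)
    return computed["md5"] == report["md5"] and computed["sha1"] == report["sha1"]

def flip_one_bit(data, byte_index=0, bit=0):
    """Return a copy of `data` with one bit inverted, to show how a single-bit
    change alters the digests."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

# Constructed stand-in for the evidence drive: 4 KiB of deterministic
# pseudo-random bytes.
_rng = random.Random(2010)
EVIDENCE_DRIVE = bytes(_rng.getrandbits(8) for _ in range(4096))

def demo():
    """Acquire, verify, then verify a tampered copy. Returns
    (acquisition report, verification ok?, tampered-copy verification ok?)."""
    image = io.BytesIO()
    report = acquire_raw(io.BytesIO(EVIDENCE_DRIVE), image)
    stored = image.getvalue()
    return report, verify_image(stored, report), verify_image(flip_one_bit(stored), report)

if __name__ == "__main__":
    rep, ok, tampered = demo()
    print(rep["bytes"], "bytes acquired; md5", rep["md5"], "sha1", rep["sha1"])
    print("image verifies:", ok, "| after one flipped bit:", tampered)
```

On a real drive `source` would be the raw block device behind the write-blocker, opened read-only, and the two digests would be recorded with the image so that anyone can repeat `verify_image` later. A single flipped bit changes roughly half of the bits of both digests, which is the "drastic change" the text refers to.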
Step 2: Performing the test cases
Table 4-1 Test cases and respective expected results
Test case: Chat session established and continued for 5 minutes.
Expected result: Retrieve the information exchanged and the time of the chat session.
Test case: Third party applications accessed.
Expected result: View the concerned URLs and time frames.
Test case: Advertisements and videos on social networks viewed; some flash players downloaded.
Expected result: Retrieve the links and the installed files.
Test case: Public and private messages exchanged.
Expected result: Retrieve the messages and the timings.
Test case: Managing friends (adding, deleting and editing).
Expected result: Retrieve the friend list and the alterations to it.
Test case: Community list management.
Expected result: Retrieve the community list.
Test case: User profile updated.
Expected result: Retrieve the modifications to the user profile and the time of modification.
Test case: Some applications added to favorites and some removed from the favorites list.
Expected result: Retrieve the favorites list and its modifications.
Table 4-1 shows the test cases prepared, together with the expected result from a forensic perspective for each test case. When a chat session is established, the messages exchanged and the time when the session was established are expected to be retrieved; the same is expected for the public and private messages exchanged. When third party applications, videos or advertisements are accessed, the URLs involved and the time of access are expected to be retrieved. When the friend list, community list, application list and user profile are changed, the respective URLs and times of access are expected to be retrieved.
Step 3: Acquiring the image of the hard disk after deploying the test cases
Again the FTK Imager tool is used to acquire the image of the hard drive after deploying the test cases. The hard drive is connected to the forensic workstation using a write blocker, to avoid contamination of the data. The same procedure as in Step 1 is used to acquire the image of the hard drive.
Step 4 of the process is shown in the next section, Results.
5. RESULTS
Step 4: Examining Hard Disk Image
Figure 5.1 shows the AccessData FTK tool interface and startup page. The AccessData FTK tool is used to analyze the hard disk and to retrieve the files from the evidence image. The tool's filters retrieve files based on their properties. FTK categorizes the files into three columns, namely Evidence items, File status and File Category.
Figure 5.1 AccessData FTK tool interface
Figure 5.2 shows setting up a new case to analyze the evidence files stored by acquiring the hard drive image. FTK provides options to open a new case, open an existing case, preview evidence, and go directly to the working program.
Figure 5.2 Starting new cases to analyze hard disk
FTK provides case log options to prepare the evidence report to submit in court. The case log options are case and evidence events, error messages, bookmarking events, searching events, data carving/Internet searches and other events. The default setting is to include all options in the report. Figure 5.3 shows all the options.
Figure 5.3 Case Log Options
Figure 5.4 shows the list of operations that the FTK tool performs along with retrieving the evidence files. MD5 and SHA1 hash algorithms are included to check the integrity of the evidence. Files matched by the KFF are flagged as known and, as in most cases, not important for the investigation. An entropy test is used to determine whether a file's data is compressed or encrypted; such files contain no plain text and will not be indexed. The Full Text Index is a powerful search engine which enables the investigator to do instantaneous searching of textual data. Data carving automatically finds specific file types embedded in other files and in free space; the results are retrieved using the Data Carving option on the Tools menu.
Figure 5.4 Evidence Processing Options
In order to save time and resources, and/or to make searching more efficient, the investigator may choose to exclude certain kinds of data from being indexed. Here, the investigator can choose default settings that will apply to each evidence item that gets added to the case.
Figure 5.5 Filtering the evidence
To exclude an item from being indexed, the investigator can make changes to the settings. Figure 5.5 shows the index options.
Any number of evidence items can be added to the case. There are several types of evidence items; the main types are an acquired image of a drive, a local drive, a folder and an individual file. This project uses the acquired image to analyze the evidence. Figure 5.6 shows the add device options.
Figure 5.6 Adding acquired image to analyze
Figure 5.7 shows the setup completion for the case. In the figure, it is clearly shown which options are included in the case. Even though all these options may take additional time in retrieving the files, they add more information to support the evidence.
Figure 5.7 Completion of new case setup
Figure 5.8 shows the process of retrieving the files from the evidence image. The process shows that the total number of files examined is around 26000, but only 52 files were added and indexed. The index feature filters out files that are unnecessary to the case. The log for the case is updated every 10 minutes. The current action, "Reading data", and the size of the item that the FTK tool is currently retrieving can be seen in the figure.
Figure 5.8 Processing Files
Figure 5.9 shows the files retrieved using AccessData FTK. AccessData FTK retrieved all the files from the image of the hard drive and categorized them according to the properties of the files. In total, around 4700 files were recovered from the image. The left column shows the total number of evidence items added and examined, the total file items present in the evidence image and the total filtered-in files. The middle column shows the files depending on their status, like bad extension files, deleted files, duplicate files, etc. The right column filters the files based on file type. The different types of files that are filtered by AccessData FTK are documents, spreadsheets, databases, archives, e-mails, graphics and so on; this makes the searching process easy. The bottom pane shows the files that match the filter selection. The right pane shows the content of the file selected. FTK provides an option to export the files to the forensic workstation. In the bottom panel, individual files are shown with the attributes file name, full path, extension, file type, category, subject, create date, modified date and accessed date.
Figure 5.9 Files retrieved
The file scesetup.log tells the configuration of the system and the user privileges. This file shows the users who logged in to the system and the times at which they accessed the computer, which plays a supportive role in the evidence report. This is clearly visible in the right panel in figure 5.10: the highlighted box shows the login details of a user with administrative privileges. The downloaded log file shows the latest user login details.
Figure 5.10 Filtered files and documents selected
Figure 5.11 shows the files retrieved with bad extensions. These files were loaded onto the system when the advertisements and video files were accessed. Files with the .wpl extension were loaded onto the computer and automatically spread to different locations. In these files the file extension and the file content do not match. By using misleading extensions these files entice the user to open them, and upon clicking they run according to their original (true) type.
Figure 5.11 Bad extension files
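FTK's "Bad extension" status flags exactly the mismatch described above: the file signature (magic bytes) at the start of the content proves one type while the extension claims another. The Python below is an added example of that check, not FTK's implementation and not code from the report. The signature table is a small constructed subset (the `<?wpl` prolog of a Windows Media Player playlist and the `MZ` header of a PE executable are real signatures); the sample file names and contents are invented.

```python
import os

# Constructed signature table: leading bytes of a file -> the type they prove.
SIGNATURES = {
    b"MZ": "exe",                      # DOS/Windows PE executable
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"FLV\x01": "flv",                 # Flash video
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"<?wpl": "wpl",                   # Windows Media Player playlist (XML text)
    b"<?xml": "xml",
}

# Extensions that legitimately carry a given content type.
EQUIVALENT = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "xml": {"xml", "wpl"},
}

def detect_type(data):
    """Identify content by signature; 'unknown' if no entry matches."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate a BOM/whitespace before a text prolog
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig) or head.startswith(sig):
            return kind
    return "unknown"

def has_bad_extension(name, data):
    """True when the content signature contradicts the extension
    (e.g. a PE executable saved as video.wpl)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = detect_type(data)
    if kind == "unknown":
        return False  # no signature knowledge: cannot call it bad, only unknown
    return ext not in EQUIVALENT.get(kind, {kind})

def scan(files):
    """Names of files whose extension lies about their content, in input order."""
    return [name for name, data in files.items() if has_bad_extension(name, data)]

# Constructed sample files: a genuine playlist, an executable disguised as a
# playlist, a JPEG disguised as a text file, and a correctly named JPEG.
SAMPLES = {
    "playlist.wpl": b'<?wpl version="1.0"?><smil><body><seq/></body></smil>',
    "video.wpl": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "photo.jpeg": b"\xff\xd8\xff\xe1" + b"\x00" * 16,
}

if __name__ == "__main__":
    for bad in scan(SAMPLES):
        print(bad, "->", detect_type(SAMPLES[bad]))
```

A file that matches no signature is reported as unknown rather than bad; only a positive contradiction between content and extension is evidence of disguise.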
Again, some files with bad extensions are automatically launched on the computer and result in improper functioning of the computer. This was observed while preparing the test cases, and the malfunctioning application could be retrieved using FTK. When retrieved, these files try to launch automatically on the investigating computer; the auto-launch operation of the file is shown in figure 5.12. For this reason exported evidence files should be handled on an isolated analysis machine, since running them contaminates the workstation. These files were downloaded when a Flash player was installed on the testing computer during the test case process.
Figure 5.12 File trying to launch
In figure 5.13 we can see the file trying to load onto the computer. This file entered the testing computer with a different file extension. When the bad extension file is accessed it asks for permission to load onto the computer. These files came onto the testing computer with the help of cookies on social networking websites. Upon clicking, this file stores itself on the user's computer and makes clones of itself in different areas of the computer. These clones monitor the user's activities, collect the user's credentials and transport them to the attacker through the web.
Figure 5.13 File trying to load into computer
Figure 5.14 shows the setup log file, which lists the different files that accessed the testing computer along with the date and time. The log entries give information about the users and their activities. This log contains information about user activities, including access to different files and the time of access, and changes made to the operating system files. The log also stores the user's privileges when login takes place.
Figure 5.14 Setup log file
Some of the cookies retrieved:
1) lv=Sun, 29 Aug 2010 02:03:50 GMT&mra=Sun, 29 Aug 2010 02:11:15 GMT
facebook.com/
2) lv=Sun, 29 Aug 2010 02:33:27 GMT&mra=Sun, 29 Aug 2010 02:50:48 GMT
twitter.com/
3) lv=Sun, 29 Aug 2010 02:05:37 GMT&mra=Sun, 29 Aug 2010 02:06:01 GMT
facebook.com/home.php?#!/profile.php?id=1756405671&ref=pymk
4) lv=Sun, 29 Aug 2010 02:05:37 GMT&mra=Sun, 29 Aug 2010 02:06:01 GMT
http://www.facebook.com/TexasHoldEm?ref=ts
5) lv=Sun, 29 Aug 2010 02:10:23 GMT&mra=Sun, 29 Aug 2010 02:11:18 GMT
192.0.0.011/kingdomsofcamelot/?entrypt=fb159/
6) lv=Sun, 29 Aug 2010 02:08:42 GMT&mra=Sun, 29 Aug 2010 02:09:38 GMT
facebook.com/?ref=logo#!/profile.php?id=1037962463&ref=hpbday&pub=2386512837
7) lv=Sun, 29 Aug 2010 02:33:37 GMT&mra=Sun, 29 Aug 2010 02:34:21 GMT
twitter.com/#search?q=%23momsalwaystoldme
8) lv=Sun, 29 Aug 2010 02:46:16 GMT&mra=Sun, 29 Aug 2010 02:48:01 GMT
orkut.com/Main#FavoriteVideoView?rl=as&uid=4743995036345575014&ad=1284824637&uit=/Home.aspx
These are some of the cookies that were recovered and analyzed. The first and second cookie log entries show the times at which Facebook and Twitter were accessed on the tested computer. The third entry records a user activity, a profile visit, and its timestamps show when that event occurred. The fourth entry shows the access times of the TexasHoldEm application. The fifth entry is a URL recovered from the cookie files; it points to a phishing site that tried to steal information from the Facebook user.
Figure 5.15: Phishing site trying to steal user credentials

Figure 5.15 shows the interface of the phishing site, which looks like a Facebook page, but the URL in the browser's address bar is not the original Facebook login page. This URL belongs to some unknown attacker. Once the user enters login credentials, this URL transports the credentials to the attacker.
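The two checks the analysis above relies on, turning the recovered cookie records into a timeline and deciding whether an address-bar URL really is Facebook (the Figure 5.15 test), can be scripted. The following is an added example written for this edit; it is not code from the report and FTK does not provide it. It assumes that the lv and mra fields are the first-visit and most-recent-access timestamps of a record (the report does not define them), treats the three networks the test user visited as the only legitimate hosts, uses a naive last-two-labels domain rule instead of the Public Suffix List, and re-types the report's eight cookie records as its sample input; the look-alike login URL in the usage note is constructed.

```python
import re
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: the eight cookie records as printed in the report, in its
# own two-line "N) lv=...&mra=..." / URL layout (re-typed, not extracted).
RECOVERED_COOKIES = """\
1) lv=Sun, 29 Aug 2010 02:03:50 GMT&mra=Sun, 29 Aug 2010 02:11:15 GMT
facebook.com/
2) lv=Sun, 29 Aug 2010 02:33:27 GMT&mra=Sun, 29 Aug 2010 02:50:48 GMT
twitter.com/
3) lv=Sun, 29 Aug 2010 02:05:37 GMT&mra=Sun, 29 Aug 2010 02:06:01 GMT
facebook.com/home.php?#!/profile.php?id=17566405671&ref=pymk
4) lv=Sun, 29 Aug 2010 02:05:37 GMT&mra=Sun, 29 Aug 2010 02:06:01 GMT
http://www.facebook.com/TexasHoldEm?ref=ts
5) lv=Sun, 29 Aug 2010 02:10:23 GMT&mra=Sun, 29 Aug 2010 02:11:18 GMT
192.0.0.011/kingdomsofcamelot/?entrypt=fb159/
6) lv=Sun, 29 Aug 2010 02:08:42 GMT&mra=Sun, 29 Aug 2010 02:09:38 GMT
facebook.com/?ref=logo#!/profile.php?id=1037962463&ref=hpbday&pub=2386512837
7) lv=Sun, 29 Aug 2010 02:33:37 GMT&mra=Sun, 29 Aug 2010 02:34:21 GMT
twitter.com/#search?q=%23momsalwaystoldme
8) lv=Sun, 29 Aug 2010 02:46:16 GMT&mra=Sun, 29 Aug 2010 02:48:01 GMT
orkut.com/Main#FavoriteVideoView?rl=as&uid=4743995036345575014&ad=1284824637&uit=/Home.aspx
"""

# Assumption: the three networks the test user visited are the only
# legitimate hosts; any other host that reuses a brand token is a look-alike.
KNOWN_DOMAINS = {"facebook.com", "twitter.com", "orkut.com"}
BRAND_TOKENS = ("facebook", "fb", "twitter", "orkut")

RECORD_RE = re.compile(r"^\s*(\d+)\)\s*(.+?)\s*$")
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_records(text):
    """Pair each 'N) lv=...&mra=...' line with the URL line that follows it.
    Assumption: lv = first visit, mra = most recent access (RFC 1123 dates)."""
    records, pending = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            fields = parse_qs(m.group(2))
            pending = {"n": int(m.group(1)),
                       "lv": parsedate_to_datetime(fields["lv"][0]),
                       "mra": parsedate_to_datetime(fields["mra"][0])}
        elif pending is not None and line.strip():
            pending["url"] = line.strip()
            records.append(pending)
            pending = None
    return records


def registrable_domain(host):
    """Naive eTLD+1: last two labels with a leading 'www.' dropped. Enough
    for the .com hosts here; a real tool would use the Public Suffix List."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Return (host, domain, reasons); an empty reasons list means the host
    is one the user legitimately used."""
    if "://" not in url:
        url = "http://" + url          # recovered entries often lack the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if DOTTED_QUAD_RE.match(host):
        reasons.append("raw IP host")
        if any(o != "0" and o.startswith("0") for o in host.split(".")):
            # Browsers parse a leading-zero octet as octal (WHATWG URL rules),
            # so 192.0.0.011 is really 192.0.0.9: a classic obfuscation trick.
            reasons.append("leading-zero (octal) octet")
        domain = host
    else:
        domain = registrable_domain(host)
    if domain not in KNOWN_DOMAINS:
        haystack = (host + parts.path + parts.query).lower()
        if any(tok in haystack for tok in BRAND_TOKENS):
            reasons.append("brand token on unknown host")
    return host, domain, reasons


def timeline(text):
    """Records sorted by first visit, each with its dwell time in seconds
    and classification, ready to drop into a case timeline."""
    rows = []
    for r in parse_records(text):
        host, domain, reasons = classify_url(r["url"])
        rows.append({"n": r["n"], "first": r["lv"], "last": r["mra"],
                     "dwell_s": int((r["mra"] - r["lv"]).total_seconds()),
                     "host": host, "domain": domain, "flags": reasons})
    rows.sort(key=lambda row: row["first"])
    return rows


def is_genuine_login_url(url):
    """The Figure 5.15 check: the address bar must show facebook.com itself,
    not a host or IP address that merely contains the brand."""
    return classify_url(url)[1] == "facebook.com"


if __name__ == "__main__":
    for row in timeline(RECOVERED_COOKIES):
        mark = "  <-- " + "; ".join(row["flags"]) if row["flags"] else ""
        print(f'{row["n"]}) {row["first"]:%H:%M:%S} +{row["dwell_s"]:>4}s '
              f'{row["host"]}{mark}')
```

Run as a script it prints the eight records in visit order (1, 3, 4, 6, 5, 2, 7, 8) and marks only record 5: its host is a dotted quad with a leading-zero octet and its query string carries an fb token on a host that is not one of the known networks. The same classify_url drives is_genuine_login_url, so a constructed look-alike such as http://facebook.com.login-check.example/login.php is rejected while https://www.facebook.com/login.php passes.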
5.1 Analysis of Results

Table 5-1 Test cases and results

Test case: A chat session has been established and continued for 5 minutes.
Result using FTK: Unable to retrieve chat items.

Test case: Third-party applications have been accessed.
Result using FTK: Able to retrieve the URLs for the applications, which can be distinguished based on time.

Test case: Advertisements and videos on social networks have been viewed; some Flash players have been downloaded.
Result using FTK: Able to retrieve URL information and timings.

Test case: Public and private messages have been exchanged.
Result using FTK: Unable to retrieve the messages.

Test case: Managing friends (adding, deleting and editing).
Result using FTK: Unable to retrieve the friends list.

Test case: Community list management.
Result using FTK: Unable to retrieve the community list, but able to see the URL it belongs to.

Test case: User profile has been updated.
Result using FTK: Able to retrieve the URLs concerned, but not the profile changes.

Test case: Some applications have been added to favorites and some removed from the favorites list.
Result using FTK: Only the URLs of the accessed applications are retrieved, not the favorites list.
Table 5-1 shows the test cases and the results obtained. The test cases were performed on a single computer. Recording some of the attacks took three months, because the attacks do not hit every time, and some attacks passed unnoticed. Such a long wait made it difficult to repeat the same test case many times, so this project tested the attacks only twice. The hard disk analysis, however, was carried out 10 times and produced the expected results each time. Some of the recovered URLs, mainly the spam URLs, had already expired when opened in a browser three days later. This shows that capturing the attacks is a tedious job. This project mainly focused on analyzing the hard drive and the changes to its content caused by security attacks on social networking sites; checking each and every file on the hard disk for modifications is a time-consuming process.
CONCLUSION AND FUTURE WORK

This project contributes by analyzing security in popular social networks such as Facebook, Orkut and MySpace. The FTK toolkit is used for the security analysis, and user activities are monitored. The project gives detailed information about recent security attacks and generalizes the types of attacks on social networks. It examined the hard disk for primary evidence, based on the modifications made by security attacks on social networks, and shows the different activities that took place on the user's computer while accessing them. Cookie information was retrieved successfully, listing the times at which URLs were accessed by users, and malware activity was identified. The evidence collected with FTK also shows the limits of the tool in analyzing social network attacks. A major part of future work would be extending the current approach with other forensic tools such as EnCase and ProDiscover. Accessing confidential data such as the friends list and the profiles of friends would pave the way to the chat history, which has great potential to reveal critical information. FTK's inability to retrieve chat session content and the content of exchanged messages leaves scope for experimenting with scripting tools such as PHP and JavaScript.