
Michael N. Dundas

A place to record my thoughts and musings.

Archive

Archive for June, 2009
http://www.flickr.com/photos/renaissancechambara/349206957/

Just a quick entry as I am busy studying for a two day exam that is this weekend.
Earlier in June, Google posted a response to an open letter on one of their blogs that indicated they are looking into the feasibility of having Gmail encryption always on.  Other Google applications such as Google Docs can use TLS/SSL, but it is currently not required unless the user specifies it.

Last year Rogers attempted to insert pages and frames into their subscribers browsers when they were surfing, and Google was not impressed.  According to Michael Geist, it is back.

Anyone want to make any guesses as to how long before Google and other web services just turn on HTTPS to stop this and deal with the increased performance requirements?

A few months back I read a post by CEO Michael Hyatt on why he liked Gmail and why he was having his staff investigate switching their corporate email from Microsoft Exchange to Gmail.  This sparked my interest from the perspective that if he would consider it, other CEOs and companies would probably give outsourcing I.T. to Google serious consideration as well.

I have been looking at Gmail and the other Google services for completely different reasons, but I have to say that I agree with all his points.  The only reason I can think of that you would not want Google to manage your corporate email would be control reasons.  You no longer have physical control of the servers and functionality that house your email.  This could be a problem for certain groups or businesses where privacy is extremely important, as well as the potential repercussions if the emails were to become public.  Google states they give you complete control over your email on their system, but that statement is technically not completely truthful.  Google also has access to your emails.  Suppose an employee of Google read and extracted your emails.  Sure, Google would discipline and probably let the employee go, assuming they could find out who was responsible, but what if the impact is large?  What if, for example, the emails of a women’s shelter using the Gmail service were published on the Internet?  What if emails from a law firm concerning a sensitive and active court case were posted?  Can you sue Google?  And even if you are successful, it doesn’t change the impact of those emails becoming public.  I have commented on similar privacy implications before here.

The fact is, when you outsource a service or function, you are giving up some control and security, no matter what any company tells you.  In many cases it might be well worth the cost, but it is important to assume this risk consciously.  Does anyone remember Hushmail? (They are still around.)  For years they boasted that even Hushmail could not read your email because it was encrypted in storage with PGP encryption.  Without the passphrase or private key that you provide to connect to their service, decryption was not possible.  A company using their service was being investigated by the DOJ.  Despite PGP, Hushmail was able to provide them with all the relevant emails of the company that were stored on the Hushmail servers.  Yes, any company or citizen must comply with a court order, but technically they should not have been able to, and they advertised this fact.  I am not advocating not complying with a court order; obviously that would be bad for any business.  But if a government can go to an outsourced company, provide a court order for a hosted company’s email, documents and calendars, and part of the order is that they are not to communicate any knowledge of or actions resulting from the court order, their hands are tied and you don’t know anything about it.  If you host your own email, at least they have to serve you with the court order, so you know something is up.  The applicable laws may be different too.  Google servers are housed in the United States, which I believe brings them under U.S. law.  This could have implications as well.

photo courtesy of http://www.flickr.com/photos/dotlizard/3577921340/

I was doing some network research and came across a site I had not seen before that streamed music.  Similar to my previous investigation with another site, this site was playing the music, yet the network activity had already stopped.

mp3 file transfer during audio stream play

Checking my network history monitor, the music file transfer had completed in about 15 seconds.  As with the previous investigation, I ran the lsof command on the web browser process to see what files were being accessed.  There were no files that related to any media file.  Here is an application actively playing a song for which there is no network activity and no files listed as open by this application.  This caught my curiosity.

No network sockets open moving data, no files open on the file system, and the song is playing away.  That left memory as the only option for where the file could be located.  Firefox has the ability to show what is currently in its memory cache, so I started there.

ffMemoryCache1

By opening a new tab and entering “about:cache” in the address bar, you will get a list of cache devices.  Selecting the memory cache brought me to this page.  At the top, you can see a 5MB file from the site where I was listening to the music.  Right click on the entry and select ‘Save link as’.  Give it a file name and save.  Firefox will produce an XHTML file.

Opening this file in your favourite text editor, you can see it contains a bunch of HTML tags, as well as a complete memory dump in ASCII format of the file.  The memory dump is what we are interested in.

ff memory dump in xhtml

We need to extract the ASCII representation of the binary file.  To do this, you want to search for ‘00000000:’, which is the beginning of the binary data that was used by the browser application.  I am using ‘vi’ above, but any editor with search and replace will work.  Delete everything prior to this number, so that the first line in the file is the line containing ‘00000000:’.

ff start of memory dump

Above, you can see the start of the memory dump.  You want to delete everything prior to the start of the memory dump.

firefox end of memory dump

Finally there are a few HTML tags at the end of the memory dump that you need to remove as well.  Once you have done that, save the file as a text file.  The file should just contain lines that have a memory offset and a series of hexadecimal numbers.

In order to get data in the text file ready to be converted into a binary file, we have to remove the memory offset column.  This is the first column of numbers up to and including the ‘:’.  To do this, I passed the file through a program called ‘awk’ and gave awk instructions to remove the first column.

firefox output, extract hexadecimal values and remove memory offset

The command

awk '{print $2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17}' untouchedMem.part > untouched.hex

takes the file called ‘untouchedMem.part’, keeps only fields 2 through 17 (the sixteen byte values on each line; field 1 is the memory offset and anything after field 17 is the ASCII column, which would corrupt the output if left in) and puts the results in a new file called ‘untouched.hex’.  This file can now be converted into a binary file.  To do this I used the command ‘xxd’.  xxd is a *nix command that can take a binary file and create a hex dump of it, or do the reverse.  In this case we want the reverse.

convert hexdump to binary using xxd

The result from the command

xxd -p -r untouched.hex untouched.mp3

creates a binary file called ‘untouched.mp3’ from the ASCII hex dump file ‘untouched.hex’.  Select your favourite mp3 player and play the file.  You should be listening to the complete music file as transmitted to your desktop during the streaming.  The process outlined here is not limited to music files.  It will work for any binary file that is kept in the browser memory.
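The manual editor/awk/xxd steps above, automated as an added example (not code from the original post): it strips the XHTML wrapper, drops the offset and ASCII columns, rebuilds the bytes, and additionally checks that the row offsets are contiguous and that the byte count matches the size the entry page reports.  The about:cache row layout and the “Data size” label are assumptions, and the sample page is constructed.

```python
"""Rebuild the binary behind a Firefox about:cache memory-cache entry page.

Added example, not code from the original post. Assumed row layout:
an 8-digit hex offset, a colon, up to 16 hex byte pairs separated by
one or two spaces, then a wider gap and the ASCII column. The "Data size"
label used for the cross-check is also an assumption about the page.
"""
import hashlib
import re

# The {1,16} cap and the \s{1,2} separator keep the ASCII column out of the
# data even when it looks like hex (a short final row is padded before it).
ROW = re.compile(r"^\s*([0-9a-fA-F]{8}):((?:\s{1,2}[0-9a-fA-F]{2}){1,16})")
SIZE = re.compile(r"Data size:\s*(\d+)\s*bytes")

def extract_entry_data(xhtml: str) -> bytes:
    """Return the cached bytes embedded in an about:cache entry page."""
    text = re.sub(r"<[^>]*>", "", xhtml)  # drop tags; ASCII column is entity-escaped
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # table rows, blank lines, leftover markup
        offset = int(m.group(1), 16)
        if offset != len(out):  # gap or duplicated row: the dump is not intact
            raise ValueError(f"row offset {offset:#010x} but {len(out)} bytes so far")
        out += bytes.fromhex(m.group(2))  # fromhex skips the spaces between pairs
    if not out:
        raise ValueError("no hex dump rows found")
    size = SIZE.search(text)
    if size and int(size.group(1)) != len(out):
        raise ValueError(f"page reports {size.group(1)} bytes, rebuilt {len(out)}")
    return bytes(out)

def sha256_hex(data: bytes) -> str:
    """Hash to record next to the recovered file and the network trace."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample page: a full 16-byte row and a 2-byte final row whose
# ASCII column ("AB") must not be mistaken for data.
SAMPLE_XHTML = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body><table>\n'
    "<tr><th>key:</th><td>http://stream.example.invalid/song.mp3</td></tr>\n"
    "<tr><th>Data size:</th><td>18 bytes</td></tr></table>\n<hr/>\n"
    "<pre>00000000:  49  44  33  03  00  00  00  00  00  13  54  49  54  32  00  00"
    "  ID3.......TIT2..\n"
    "00000010:  41  42" + " " * 58 + "AB\n"
    "</pre></body></html>\n"
)

if __name__ == "__main__":
    data = extract_entry_data(SAMPLE_XHTML)
    print(f"{len(data)} bytes recovered, sha256 {sha256_hex(data)}")
```

Point `extract_entry_data` at the saved XHTML text instead of `SAMPLE_XHTML` and write the returned bytes to the output file; the hash is what goes into the documentation alongside the trace.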

Many system investigations involve immediately pulling the plug on the target system so as to preserve as much current state as possible from the non-volatile memory.  However, this is a simple example of where you would lose potential data.  The concept of live forensics tries to solve this problem by extracting data from a live system.  There are ways to image memory while the system is running, and there are ways to fool software that is doing this as well, so one has to be careful.  In a full scale investigation, one would use tools to try and image as much of the memory as you can, not just the browser memory.  But for smaller investigations, this type of procedure would suffice as long as proper documentation was done as the process was being executed.

I have not tried this as of yet on Windows, but I suspect it would work.  Most *nix tools have a Windows variant.  In the case of xxd, Hextools does the same for Windows.  There are browser tools you can add to do this extraction automatically, such as Orbit.  From a forensic and explanation perspective, doing it this way provides a more detailed understanding, and you have documented the steps that occurred.  This makes it easier to justify as well as understand.

Photo courtesy of http://www.flickr.com/photos/dokas/102499448/

I picked my daughter up from school the other day.  As we were driving home she said, “Dad, did you know that downloading is illegal?”  I asked her who told her that.  She said a teacher told her.  I then asked her, what is downloading?  Her answer was “when you get movies and songs from the Internet”.

It really upsets me that the MPAA, RIAA and other lobby type groups have the power to actually influence the educational system in this way. It bothers me more that I have teachers teaching my child concepts that they themselves obviously do not understand and probably have read some propaganda from one of these lobby groups and assume that it is truth.

I suspect this is going to surprise some people but … downloading is _NOT_ the process of obtaining movies and songs from the Internet.  Downloading _IS_ the transfer of data from one device to another, where the device receiving the data initiated the request.  Sure you can download a movie or a song, but you can also download a word processing document, you can download a database file, you can download a custom graphic, you can download a piece of open-source or free software, you can download anything really.  The concept of downloading has nothing to do with what you are downloading.

Is downloading bad?  According to my daughter it is.  An analogy would be teaching the concept that guns are bad.  As a normal citizen in Canada it is illegal to carry a handgun.  Any citizen wandering around with a handgun strapped to their belt will have people scared and running away, and will win themselves a meeting with a police SWAT team very quickly.  If you see a police officer wandering around with a gun on their side, there is no panic, no running away.  People just carry on.  The gun isn’t bad.  It is who has the gun that determines good or bad.  As a society we assume that police will only use their guns for good, and so seeing a uniformed police officer with a gun is perfectly acceptable.  This is one of the reasons why plainclothes officers go to great lengths to hide their side arms: the general public cannot be certain they are law enforcement just by looking at them.

With downloading, everyone has the ability to do it and there are no restrictions. It has been and continues to be a normal part of computing since the days when on-line bulletin board systems were popular.  The concept of moving data from one device to another is what makes the Internet work. Every time you go read a web page, blog, or watch a news clip from a news site you could argue that you are technically ‘downloading’.

I am now slowly educating my daughter on the concepts of downloading and uploading. Once those are grasped, I’ll work on what is illegal and what is not when using downloading. I hope that if schools and other educational institutions do choose to teach children about why downloading content that you do not own is wrong, they first understand the concepts themselves and teach it properly.

courtesy of http://www.flickr.com/photos/stephangeyer/3497409683/

I came across this post on high school student readiness for university.  What interested me were the questions towards the end of the article.  “What is an author?”, “Who has the authority or expertise to speak?”, “How is trust established?”, “What counts as evidence?”  I would love to know if there is a consensus on these.  I suspect not, and I suspect there never will be.

I know some computer scientists that present great research at conferences, do amazing work, and are really smart.  Many of them do not have formal schooling but are ‘self taught’.  Are they experts?  In my eyes, within their subject area they sure are.  I have no issues referencing them or their work as supporting evidence for a particular problem or project I am working on or involved with.  Anyone that implies they are not qualified because they haven’t published papers through ‘official’ channels is just being silly.

It is similar with music.  There are people such as Jann Arden that I believe have no formal music training (she indicated this once at a concert I attended).  I, on the other hand, took many years of formal piano.  If anyone were to take my knowledge of music over Jann Arden’s due to my ‘formal’ training, I’d seriously question their intelligence.

Is Wikipedia bad?  For me it depends on who writes and edits the particular article in question.  How do you verify someone’s credentials?  Not sure.  Personally, I just assess for myself and use common sense.  For example, if there is an article on a musical concept that Jann Arden or others in her area of expertise agree with and support, then personally I would be fine using it as a reference.

I am glad the questions above are being discussed.  I’d love to listen in on the discussions.

http://www.flickr.com/photos/soldiersmediacenter/1039179706/

The other evening I was working on my laptop with imeem.com running in the background.  At a point where I required a change, I grabbed a quick trace file of imeem transferring a video for play.  The transfer was done quite quickly and, although the video was playing, most of it had yet to be played.  Obviously it must be stored on disk somewhere, and my browser was accessing it.  I executed the list open files command ‘lsof | grep -i firefox’ and parsed for firefox.  The result was many open files.  There were a few that caught my attention in swap (/tmp), so I filtered on them.

lsoftmp1

What interested me was this line:

firefox   6887        mike   82u      REG        8,1 54674048  892940 /tmp/FlashaxZz4P

I copied that file to my videos directory, selected the file and opened it up with VLC.  As expected, it is a flash file containing the video I was previously watching.

Subsequent investigation at some other sites revealed that this is not imeem specific, but the flash player itself.  It works for music, video, and any other type of flash file.  If you close the browser window, then the file is ‘deleted’, so if you do want to copy it, you have to do this prior to closing the browser tab.  I haven’t checked, but I suspect that any of the standard forensics tools would be able to extract the file even if it was ‘deleted’.  Finally, the video or music starts playing while downloading is still in progress, so you have to be sure the file has completed downloading.

Given that imeem allows you to play a video or song as often as you wish, I don’t really know why someone would bother copying the video or music for general watching.  I could see, from an evidence perspective, wanting to copy exactly what a subject was watching or listening to and putting those files into evidence in case the file becomes no longer available, changes location, or the subject claims that it was not what they were seeing or listening to.  A copy of the file along with the network trace of the file request, submitted with appropriate documentation and hashes, would be useful in these cases.

Not sure how this would work on a Microsoft Windows system given the swap process is different, but I may investigate that later to see if there are similar results.

From The Agenda on TVO, an interesting debate on music downloading.  Discussion includes the impact of Napster through to present-day issues with the Internet and copyright.  Participants include musicians, a record label, and Michael Geist.  The points I found most interesting were that, unfortunately, the industry was brought kicking and screaming to the Internet; they realize they have to do it now, but it took a long time to get here, and that the “corporatization” has made the music industry so big that more and more money has to be continually made in order for it to continue.