Sunday 11 November 2018

TOR FORENSICS ON WINDOWS OS

Management salaries of a big private company were published on a blog. Through a traditional analysis of the internal network, the company found a suspect:
he had accessed the Excel file containing the salaries by connecting from his desktop to his manager's computer through Terminal Server, and had saved the file on a pen drive. The company reported the employee and the police seized his personal laptop at home. We started from there to find other interesting artifacts...

Tor is a system for browsing the Internet anonymously.

The tools to surf the Internet through Tor are:

Tor Browser Bundle
  Windows/Mac/Linux
  Can be executed by unzipping it on the hard drive or on an external device (e.g. USB pen drive)
Live CD/USB Tails
Orbot (Android app)

Tools available at https://torproject.org

Tor Browser folder:

The most interesting folders are:
  \Data\Tor
  \Data\Browser

Folder Data\Tor
  State: it contains the last execution date
  Torrc: it contains the path from where the Tor Browser was launched, including the drive letter

FOLDER \DATA\BROWSER

It is the traditional Firefox folder containing the user profile, but without usage traces.

The most interesting files are compatibility.ini and extensions.ini, which contain the browser execution path.
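
As an added example (not code from the original post), the following Python script pulls the three facts the two folders give an examiner: the last execution date from Data\Tor\state, the launch path and drive letter from torrc, and the browser path from compatibility.ini, and then checks that torrc and compatibility.ini agree on the drive letter (a pen drive remounted under a different letter would show up as a mismatch). The file contents are constructed for this example; the key names (LastWritten, DataDirectory, GeoIPFile, LastPlatformDir, LastAppDir) are the ones these files actually use, the paths and dates are made up.

```python
import configparser
import re
from datetime import datetime, timezone

# Constructed sample contents (not taken from any real seizure): a Tor Browser
# launched from a pen drive mounted as E:. Values are made up for the example.
SAMPLE_STATE = """# Tor state file last generated on 2018-11-10 23:50:12 local time
# Other times below are in UTC
# You *do not* need to edit this file.

LastWritten 2018-11-10 22:50:12
TorVersion Tor 0.0.0 (git-0000000000000000)
"""

SAMPLE_TORRC = """# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory E:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor
GeoIPFile E:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip
GeoIPv6File E:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip6
"""

SAMPLE_COMPAT_INI = """[Compatibility]
LastVersion=0.0.0_00000000000000/00000000000000
LastOSABI=WINNT_x86-msvc
LastPlatformDir=E:\\Tor Browser\\Browser
LastAppDir=E:\\Tor Browser\\Browser\\browser
InvalidateCaches=0
"""


def parse_state_last_written(text):
    """Return the LastWritten timestamp (UTC) recorded in Data\\Tor\\state, or None."""
    m = re.search(r"^LastWritten (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$", text, re.M)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_torrc_paths(text):
    """Return {option: value} for every torrc option whose value is a Windows path."""
    paths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and re.match(r"^[A-Za-z]:\\", parts[1]):
            paths[parts[0]] = parts[1]
    return paths


def parse_compatibility_ini(text):
    """Return the [Compatibility] section of compatibility.ini as a dict (key case preserved)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep LastPlatformDir etc. as written
    cp.read_string(text)
    return dict(cp["Compatibility"]) if cp.has_section("Compatibility") else {}


def launch_drive(path):
    """Drive letter ('E:') of a Windows path, or None."""
    m = re.match(r"^([A-Za-z]):\\", path or "")
    return m.group(1).upper() + ":" if m else None


def summarize(state_text, torrc_text, compat_text):
    """Combine the three files into one record and flag drive-letter inconsistencies."""
    torrc = parse_torrc_paths(torrc_text)
    compat = parse_compatibility_ini(compat_text)
    candidates = list(torrc.values()) + [compat.get("LastPlatformDir"), compat.get("LastAppDir")]
    drives = sorted({launch_drive(p) for p in candidates if launch_drive(p)})
    return {
        "last_written_utc": parse_state_last_written(state_text),
        "torrc_paths": torrc,
        "platform_dir": compat.get("LastPlatformDir"),
        "launch_drives": drives,
        "consistent": len(drives) == 1,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_STATE, SAMPLE_TORRC, SAMPLE_COMPAT_INI).items():
        print(f"{k}: {v}")
```

On a real case, read the three files from the Tor Browser directory recovered from the hard drive or the pen drive and pass their contents to summarize(); LastWritten is in UTC, while the comment at the top of the state file is local time, so compare it with other timeline entries accordingly.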

OS ARTIFACTS ANALYSIS

Evidence of Tor usage can be found (mainly) in:
  Prefetch file TORBROWSER INSTALL-<VERSION>-<PATH-HASH>.pf
  Prefetch file TOR.EXE-<PATH-HASH>.pf
  Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf
  NTUSER.DAT registry hive → UserAssist key

PREFETCH FILES

We can recover:

Install date 
First execution date 
Last execution date 
Number of executions
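
As an added example (not code from the original post), here is a minimal prefetch header parser that recovers the executable name, the embedded last-execution time and the run count, and flags the three Tor Browser names listed above. The field offsets are an assumption taken from the commonly documented SCCA layout for versions 17, 23 and 26; Windows 10 prefetch files are MAM-compressed and must be decompressed before this applies. The install date and first execution date are not inside the file: they come from the filesystem creation time of the installer's .pf and of TOR.EXE's .pf respectively. The sample file is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets of the two fields we need, per prefetch format version (assumption:
# the documented SCCA layout). Version 30 (Windows 10) is MAM-compressed and
# needs LZXPRESS Huffman decompression before the same layout can be read.
_LAYOUT = {
    17: {"last_run": 120, "run_count": 144},  # Windows XP / Server 2003
    23: {"last_run": 128, "run_count": 152},  # Windows Vista / 7
    26: {"last_run": 128, "run_count": 208},  # Windows 8 / 8.1
}

# Executable names the post lists as Tor Browser evidence
TOR_EXE_NAMES = {"TOR.EXE", "START TOR BROWSER.EXE"}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Parse the header of an uncompressed .pf file and return the forensic fields."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch (Windows 10): decompress first")
    if data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 76)
    lay = _LAYOUT[version]
    last_run_ft, = struct.unpack_from("<Q", data, lay["last_run"])
    run_count, = struct.unpack_from("<I", data, lay["run_count"])
    return {
        "version": version,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run_utc": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }


def is_tor_prefetch(exe_name):
    """True for the installer, tor.exe and the launcher named in the post."""
    upper = exe_name.upper()
    return upper.replace(" ", "-").startswith("TORBROWSER-INSTALL") or upper in TOR_EXE_NAMES


def build_sample_prefetch(exe_name, last_run, run_count, version=23):
    """Constructed test data: a version-23 header carrying only the fields parsed above."""
    buf = bytearray(256)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe_name.encode("utf-16-le")[:58] + b"\x00\x00"
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)  # made-up path hash
    ft = int((last_run - WIN_EPOCH).total_seconds()) * 10_000_000
    lay = _LAYOUT[version]
    struct.pack_into("<Q", buf, lay["last_run"], ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)


SAMPLE_LAST_RUN = datetime(2018, 11, 10, 22, 50, tzinfo=timezone.utc)  # made-up time
SAMPLE = build_sample_prefetch("TOR.EXE", SAMPLE_LAST_RUN, 1)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE)
    print(info, "tor artifact:", is_tor_prefetch(info["executable"]))
```

Pair the embedded last-run time with the .pf file's creation timestamp from the filesystem: creation time gives the first execution (or, for the installer's entry, the install date), the header gives the last execution and how many times the program ran in between.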

USER ASSIST
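
As an added example (not code from the original post), the script below decodes UserAssist entries the way an examiner reads them out of NTUSER.DAT: value names are ROT13-encoded program paths, and the value data (72 bytes on Windows 7 and later, layout assumed from the documented format) carries the run count, focus count, focus time and a FILETIME of the last execution. The registry key path and the CEBFF5CD GUID for executed programs are the standard ones; the entries themselves are constructed for the example, and the Tor Browser path mirrors the pen-drive launch discussed above.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Where executed-program entries live inside NTUSER.DAT; value names are
# ROT13-encoded paths and value data is a small binary record.
USERASSIST_KEY = (r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                  r"\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count")


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(value_name):
    """UserAssist value names are ROT13; decoding gives the executed program path."""
    return codecs.decode(value_name, "rot_13")


def parse_value(value_name, data):
    """Parse one Count value (72-byte Windows 7+ layout, assumed from the documented format)."""
    if len(data) != 72:
        raise ValueError(f"unexpected data length {len(data)}: only the 72-byte layout is handled")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_ft, = struct.unpack_from("<Q", data, 60)
    return {
        "path": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_datetime(last_ft) if last_ft else None,
    }


def tor_entries(values):
    """Decode every (name, data) pair and keep those pointing at Tor Browser."""
    hits = []
    for name, data in values:
        entry = parse_value(name, data)
        path = entry["path"].lower()
        if "tor browser" in path or path.endswith("\\tor.exe"):
            hits.append(entry)
    return hits


def build_sample_value(path, run_count, focus_count, focus_ms, last_run):
    """Constructed sample entry (not real registry data), encoded as the hive would store it."""
    buf = bytearray(72)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    ft = int((last_run - WIN_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, 60, ft)
    return codecs.encode(path, "rot_13"), bytes(buf)


SAMPLE_LAST_RUN = datetime(2018, 11, 10, 22, 50, tzinfo=timezone.utc)  # made-up time
SAMPLE_VALUES = [
    build_sample_value(r"E:\Tor Browser\Start Tor Browser.exe", 1, 2, 600_000, SAMPLE_LAST_RUN),
    build_sample_value(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                       40, 95, 9_000_000, SAMPLE_LAST_RUN),
]

if __name__ == "__main__":
    print("key:", USERASSIST_KEY)
    for entry in tor_entries(SAMPLE_VALUES):
        print(entry)
```

With a real hive, enumerate the values under USERASSIST_KEY with a registry library of your choice and feed the (name, data) pairs to tor_entries(); a run count of 1 with a last-run time close to the event under investigation is exactly the kind of finding the real case below relies on.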

OTHER ARTIFACTS ON THE HARD DRIVE (PAPER)

In Runa Sandvik's paper other files are noted:

  USRCLASS.DAT registry file
  Windows Search database
  BOOTCKCL.ETL

From BOOTCKCL.ETL we can recover information about the Prefetch files created by the OS. This is useful because it lets you identify that the Tor Browser was used even if the Prefetch files were deleted.
Strings are saved in Unicode.

Here you can find the visited websites and URLs.
Search for the keyword HTTP-memory-only-PB

HTTP-memory-only-PB is the cache name used by Mozilla Firefox for Private Browsing (cache data is kept in memory and not saved on the hard drive). Tor Browser uses the Private Browsing feature of Mozilla Firefox, but Tor Browser typically ships an old Firefox version. To distinguish whether the browsing activity was made with Mozilla Firefox or with Tor Browser: check if Firefox is installed; if it is installed, verify the actual version.
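
The two searches described above (prefetch names carried in BOOTCKCL.ETL, and URLs preceded by HTTP-memory-only-PB in the page file) need the same thing: a string carver that looks at a raw binary buffer both as 8-bit text and as UTF-16LE at either byte alignment. As an added example (not code from the original post), the following script does both over one buffer. The sample buffer is constructed inline: a UTF-16 prefetch path followed by a fake private-browsing cache key; the URL and hash in it are made up, and the separator between the keyword and the URL is treated loosely because the post only reports that the URL follows the keyword.

```python
import re

PB_KEYWORD = "HTTP-memory-only-PB"  # the keyword the post searches for
_URL_RE = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
# NAME-HASH.pf as the prefetch names above are written (8 hex digits of path hash)
_PF_RE = re.compile(r"[A-Z0-9][A-Z0-9 ._\-]{0,58}-[0-9A-F]{8}\.pf")


def text_views(data):
    """Yield (label, text) decodings of a raw buffer: 8-bit and both UTF-16LE alignments."""
    yield "ascii", data.decode("latin-1")
    yield "utf16le@0", data.decode("utf-16-le", errors="ignore")
    yield "utf16le@1", data[1:].decode("utf-16-le", errors="ignore")


def carve_pb_urls(data, window=2048):
    """Return (encoding, url) for every URL that follows the private-browsing keyword."""
    found = []
    for label, text in text_views(data):
        for m in re.finditer(re.escape(PB_KEYWORD), text):
            tail = text[m.end(): m.end() + window]
            u = _URL_RE.search(tail)
            if u and u.start() <= 8:  # allow a short separator such as ':' between keyword and URL
                found.append((label, u.group(0)))
    return found


def carve_prefetch_names(data):
    """Return the distinct prefetch file names present in any decoding of the buffer."""
    names = set()
    for _, text in text_views(data):
        names.update(_PF_RE.findall(text))
    return sorted(names)


# Constructed sample buffer (not a real page file or ETL): some junk bytes, a
# UTF-16LE prefetch path as an ETL would carry it, then an 8-bit cache key.
SAMPLE = (
    b"\x00\x01junk"
    + "\\Windows\\Prefetch\\TOR.EXE-1A2B3C4D.pf".encode("utf-16-le")
    + b"\x00\x00"
    + b"HTTP-memory-only-PB:https://blog.example/wp-admin/post.php?post=42\x00more"
)

if __name__ == "__main__":
    print("prefetch names:", carve_prefetch_names(SAMPLE))
    print("private-browsing URLs:", carve_pb_urls(SAMPLE))
```

On a real image, read pagefile.sys, hiberfil.sys or the ETL in chunks that overlap by a few kilobytes so a string straddling a chunk boundary is not missed, and keep the encoding label: a hit in the UTF-16 view of BOOTCKCL.ETL and an 8-bit hit in the page file are different artifacts and should be reported as such.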

ANALYSIS METHODOLOGY

REAL CASE

By analyzing the laptop we found evidence of the Excel file being opened from the same pen drive on the personal laptop.
But no traces of the publishing activity on the blog were found in the browsing history...
We indexed the entire hard drive and searched for the blog URL.
We found some interesting URLs in the page file, indicating access to the blog admin page.
The URLs were always preceded by the string HTTP-MEMORY-ONLY-PB.
We found that the Tor Browser was downloaded with Google Chrome on the night the file was published on the blog.
By analyzing the OS artifacts we found that it was installed and executed only once... 10 minutes before the publication date and time on the blog!
