Go Back > News > RSS Newsfeeds > Categories

User login

Frontpage Sponsor


For ERP LN feature pack upgrade, what method of install are you using?
Installation Wizard into existing VRC
Installation Wizard into new VRC
Manual into existing VRC
Manual into new VRC
Total votes: 17

Baanboard at LinkedIn

Reference Content


Gunter Ollmann: Time to Squish SQL Injection

Security Focus - 1 hour 14 min ago
Time to Squish SQL Injection
Categories: Security

Mark Rasch: Lazy Workers May Be Deemed Hackers

Security Focus - 1 hour 14 min ago
Lazy Workers May Be Deemed Hackers

>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
Categories: Security

Adam O'Donnell: The Scale of Security

Security Focus - 1 hour 14 min ago
The Scale of Security
Categories: Security

Mark Rasch: Hacker-Tool Law Still Does Little

Security Focus - 1 hour 14 min ago
Hacker-Tool Law Still Does Little
Categories: Security

Infocus: Enterprise Intrusion Analysis, Part One

Security Focus - 1 hour 14 min ago
Enterprise Intrusion Analysis, Part One
Categories: Security

Infocus: Responding to a Brute Force SSH Attack

Security Focus - 1 hour 14 min ago
Responding to a Brute Force SSH Attack
Categories: Security

Infocus: Data Recovery on Linux and <i>ext3</i>

Security Focus - 1 hour 14 min ago
Data Recovery on Linux and <i>ext3</i>

>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
Categories: Security

Infocus: WiMax: Just Another Security Challenge?

Security Focus - 1 hour 14 min ago
WiMax: Just Another Security Challenge?
Categories: Security

More rss feeds from SecurityFocus

Security Focus - 1 hour 14 min ago
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Categories: Security

Catching up with Blank Slate: a malspam campaign still going strong, (Wed, Jun 28th)

SANS Internet Storm Center - 5 hours 15 min ago


Blank Slate is the nickname for a malicious spam (malspam) campaign pushing ransomware targeting Windows hosts. Ive already discussed this campaign in a previous diary back in March 2017. It has consistently sent out malspam since then. Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign.

Today border-width:2px" />
Shown above: border-width:2px" />
Shown above: border-width:2px" />
Shown above: Screenshot of spreadsheet tracking for the 11 emails (image 3 of 3).

The malspam

Normally, emails from this campaign are blank messages with vague subject lines and attachments that dont indicate what it is. Thats why Ive been calling it the Blank Slate border-width:2px" />
Shown above: Example of a typical Blank Slate email from today, Wednesday 2017-06-28.

However, since yesterday, the Blank Slate campaign has sent several Microsoft-themed messages. Weve seen this before. As recently as 2017-04-13, I documented Blank Slate malspam using fake Microsoft messages that led to fake Chrome installation pages. border-width:2px" />
Shown above: Microsoft-themed Blank Slate email from April 2017.

Today however, this time they dont have links to a fake Chrome page. border-width:2px" />
Shown above: Microsoft-themed Blank Slate email from today, Wednesday 2017-06-28.

Otherwise, these emails are similar to previous waves of Blank Slate malspam.

The attachments

As usual, the zip attachments are double-zipped, and they contain a .js file designed to infect a Windows computer with ransomware. I saw two types of .js files. One was about 9 kB in size, and it ran the downloaded ransomware from the users AppData\Local\Temp directory. The other type of .js file was about 31 kB in size, and it ran the downloaded ransomware from the user border-width:2px" />
Shown above: Example of a 9 kB .js file from this wave of malspam.

The traffic

Traffic is also typical of what weve seen before with Blank Slate malspam. border-width:2px" />
Shown above: Ransomware binary downloaded by one of the .js files.

No post-infection traffic was noted for todays GlobeImposter ransomware. I saw the typical post-infection for today border-width:2px" />
Shown above: Traffic generated by a Cerber sample from todays malspam, filtered in Wireshark.

Post infection

As others have noted Twitter and elsewhere, recent Cerber samples use CRBR as their name in the decryption instructions. border-width:2px" />
Shown above: Desktop of a Windows host infected with one of today border-width:2px" />
Shown above: Based on the above MachineGuid, and all my encrypted files end with .BRAD

GlobeImposter also acts the same as weve seen before. border-width:2px" />
Shown above: Desktop from a Windows host infected with todays GlobeImposter sample.

Indicators of Compromise (IOCs)

The following are SHA256 hashes for the todays extracted .js files:

  • 10358fb055b8d8e0d486eafc66be180d52481667fb63bf4e37bf9cafe5a0dbdb - 7941.js
  • 153b11ae2df30b671bd0bd54af55f83fd2a69e47c8bb924b842bc1b44be65859 - 25601.js
  • 1cbf043831b16ca83eeaff24f70b1a3ea4973d2609e64db33fd82cc0629f1976 - 6935.js
  • 567bb9c835306e02dbedc5f10e32c77a2c6f1c2f28ff49c753f963776a9378b5 - 30085.js
  • 7ecd1253aad0935df1249d6504d3f4090a00466fa159c2ec4e2d141b4b75068f - 9177.js
  • 8b7202a672290e651f9d3c175daaf2b8a3635eba193e925da41bd880a611f2af - 13521.js
  • 8ec6455eb9f8a72fef35e9a330e59153f76b8ebd848c340024669e52589ceb18 - 23288.js
  • b6ab00337d1e40f894ca3959ee9a19e4c9e59605ed1f2563f0bde4df5f76981b - 27465.js
  • c9f71912dd39d4d4ed9f54f6a51f99ee0687e084c2e8782f0b0d729b743e7281 - 3047.js
  • d19233fd99213f5a1d299662d9693eb6bc108d72ce676893bc69c8d309caa54a - 26715.js
  • ed855d0b4cfd5150a4b44a1d3b6c26224e2990743d977804bab926d569aa963b - 24703.js

The following are SHA256 hashes for ransomware samples downloaded by the extracted .js files:

  • 0dc831b502f29d4a6a68da9e511feb8c646af4fcfdeaaee301cb5b0dbaf47c5f - Cerber
  • 703b1ea2b0310efdc194b178c777c2e63d5ad1b7f2ac629c01ffa1b36859ba2f - GlobeImposter
  • b1be5af4169014508b17d2de5aa581ea62988cc4d3570ed2ed7f9fb931a5902b - Cerber
  • d1ed3742380539fbef51804e1335c87dd0ef24a6de7f0aa09ce26ad1efe4bcef - Cerber

The following are domains, HTTP requests, and IP addresses associated with todays Blank Slate malspam:

  • port 80 - - GET /1 [returned Cerber]
  • port 80 - - GET /403 [returned GlobeImposter]
  • port 80 - - GET /1 [returned Cerber]
  • thru ( UDP port 6893 [Cerber post-infection scan]
  • thru ( UDP port 6893 [Cerber post-infection scan]
  • thru ( UDP port 6893 [Cerber post-infection scan]
  • port 80 - - Domain leading to the Cerber decryptor

Email from the GlobeImposter decryption instructions:

Final words

As I noted last time, potential victims must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations, but properly-administered Windows hosts and decent email filtering are enough, I think, to keep most people from worrying about Blank Slate.

This is definitely not as serious the recent Petya/NotPetya ransomware outbreak on 2017-06-27. I still wonder how many people are fooled by Blank Slate malspam. Does anyone know someone who was actually infected from these emails? If so, please share your story in the comments section below.

Pcap and malware samples for this ISC diary can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Thursday, June 29th 2017, (Thu, Jun 29th)

SANS Internet Storm Center - 6 hours 20 min ago
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Petya? I hardly know ya! - an ISC update on the 2017-06-27 ransomware outbreak, (Wed, Jun 28th)

SANS Internet Storm Center - June 28, 2017 - 6:10pm

This is a follow-up the our previous diary on the ransomware outbreak that happened yesterday on Tuesday 2017-06-27.


By now, it seems almost everyone has written something about yesterdays ransomware outbreak. This led to some confusion after more information became available, and initial reports were updated. border-width:2px" />
Shown above: Screen shot from a host infected with this ransomware.

What we know so far

This ransomware targets systems running Microsoft Windows. Although initial reporting called this ransomware Petya or a Petya variant, Kaspersky researchers reported its a new ransomware. Kaspersky has been calling the malware NotPetya, and other names have been floating around for it. However, many people and organizations still call the ransomware Petya or a Petya variant.

This ransomware uses a modified version of the EternalBlue SMB exploit, and it also spreads using other methods like WMI commands, MimiKatz, and PSExec. Although exploits for EternalBlue are relatively recent, malware has been using file shares and WMI to spread for years, and these older techniques dont require any vulnerabilities.

During the infection process, this ransomware overwrites the MBR with a custom boot loader that implements a tiny malicious kernel. That tiny kernel encrypts the master file table (MFT) so the file system is unreadable. The result is an unbootable system that demands a ransom to restore it. border-width:2px" />
Shown above: Nearly 4 Bitcoin received for that Bitcoin wallet as of 2017-06-28 at 16:44 UTC.

Based on public reports, this attack appears to have originated in Ukraine. According to Krebs on Security the Ukrainian Cyber Police tweeted this attack may have started through a software update mechanism built into M.E.Doc, an accounting program used by companies working with the Ukrainian government. From the Ukraine, it spread to major European firms like Maersk.

Although weve seen some information on files related to this ransomware, we can only confirm two DLL files as samples of the actual ransomware. The SHA256 file hashes are:

How can you protect yourself against this threat? Steps include:

  • Deploy the latest Microsoft patches, especially MS17-010.
  • Consider disabling SMBv1.
  • Restrict who has local administrative access. Most people can operate with Standard User accounts instead of Administrator accounts.
  • If you have a large or complex infrastructure, segment your network.
  • Keep your anti-virus software up-to-date. Vendors are constantly updating definitions to cover the latest malware samples.

Most importantly, you should implement a solid backup and recovery procedure for your critical data, just in case the worst happens and you get infected.

Final words

The day after this ransomware attack, our initial excitement has died down a bit. Affected organizations are conducting response actions, and many others are implementing (or confirming) proper countermeasures.

We hope your organization is following best security practices and is protected against this latest threat.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Wednesday, June 28th 2017, (Wed, Jun 28th)

SANS Internet Storm Center - June 28, 2017 - 1:00am
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Checking out the new Petya variant, (Tue, Jun 27th)

SANS Internet Storm Center - June 27, 2017 - 7:20pm

This is a follow-up from our previous diary about todays ransomware attacks using the new Petya variant. So far, weve noted:

  • Several hundred more tweets about todays attack can be found on Twitter using #petya.
  • The new Petya variant appears to be using the MS17-010 Eternal Blue exploit to propagate.
  • Others claim the new variant uses WMIC to propagate
  • Still no official word on the initial infection vector in todays attacks.
  • People everywhere are saying todays activity is similar to last months WannaCry ransomware attacks.

Samples of the new Petya variant are DLL files. So far, weve confirmed the following two SHA256 file hashes are the new variant:

Examining the new Petya variant

Petya is a ransomware family that works by modifying the infected Windows systems Master Boot Record (MBR). Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above two DLL samples. The reboot didnt occur right away. However, when it did, my infected host did a CHKDSK after rebooting. border-width:2px" />
Shown above: An infected host immediately after rebooting.

After CHKDSK finished, the infected Windows hosts modified MBR prevented Windows from loading. border-width:2px" />
Shown above: The ransom note from a compromised system.

Samples of the new Petya variant appear to have WMI command-line (WMIC) functionality. Others have confirmed this variant spreads over Windows SMB and is reportedly using the EternalBlue exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017. border-width:2px" />
Shown above: Some of the traffic noted in my lab environment.

Keep in mind this is a new variant of Petya ransomware. Im still seeing samples of the regular Petya ransomware submitted to places like VirusTotal and other locations. From what we can tell, those previous versions of Petya are not related to today border-width:2px" />
Shown above: Difference in ransomware notes between the old and new Petya variants.

New Petya variant ransom message

Ooops, your important files are encrypted.

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but dont waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

1. Send $300 worth of Bitcoin to the following address:


2. Send your Bitcoin walled ID and personal installation key to e-mail Your personal installation key:


If you already purchased your key, please enter it below.

More reports about the new Petya variant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Wide-scale Petya variant ransomware attack noted, (Tue, Jun 27th)

SANS Internet Storm Center - June 27, 2017 - 4:04pm

Sent from a reader earlier today:

  • Hearing some rumors that the company Merck is having a major virus outbreak with something new and their Europe networks are affected more than their US offices. Have you heard anything on this?

A quick check reveals that, apparently, another global ransomware attack is making the rounds today.

Initial reports indicate this is much like last months WannaCry attack. According to the Verge article, todays ransomware appears to be a new Petya variant called Petyawrap. At this point, we see plenty of speculation on how the ransomware is spreading (everything from email to an EternalBlue-style SMB exploit), but nothing has been confirmed yet for the initial infection vector.

Alleged samples of this ransomware include the following SHA256 hashes:

AlienVault Open Threat Exchange (OTX) is currently tracking this threat at:

Well provide more information as it becomes available.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

A Tale of Two Phishies, (Tue, Jun 27th)

SANS Internet Storm Center - June 27, 2017 - 3:56am


Has anyone read A Tale of Two Cities, the 1859 novel by Charles Dickens? Or maybe seen one of the movie adaptations of it? Its set during the French Revolution, including the Reign of Terror, where revolutionary leaders used violence as an instrument of the government.

In the previous sentence, substitute violence with email. Then substitute government with criminals. Now what do you have? Email being used as an instrument of the criminals!

I know, I know... No real ties to Dickens novel here. border-width:2px" />
Shown above: Thats all I got--a somewhat clever title for this diary.

This diary briefly investigates two phishing emails. Its a Tale of Two Phishies I ran across on Monday 2017-06-26.

First example: an unsophisticated phish

The first example went to my blogs admin email address. It came from the mail server of an educational institution in Paraguay, possibly used as a relay from an IP address in South Africa. For email headers, you can only rely on the Received: header right before the message hits your mail server. Anything before that can be spoofed.

Its a pretty poor attempt, because this phishing message is very generic. Im educated enough to realize this didnt come from my email provider. And the login page was obviously fake. Unfortunately, some people might actually be fooled by this.

The compromised website hosting a fake login page was quickly taken off line. You wont be able to replicate the traffic by the time you read this. It border-width:2px" />
Shown above: border-width:2px" />
Shown above: border-width:2px" />
Shown above: The fake login page from link in the phishing email.

Second example: a slightly more complex phish

Every time I see a phishing message like this second example, I hope theres malware involved. border-width:2px" />
Shown above: The second phishing email.

Examining the PDF attachment, I quickly realized the criminals had made a mistake. They forgot to put .com at the end of the domain name in the URL from the PDF file. lillyforklifts should be Id checked the URL early Monday morning with .com at the end of the domain name, and it worked. border-width:2px" />
Shown above: PDF attachment from the second phishing email.

An elephant in the room

These types of phishes are what I call an elephant in the room. Thats an English-language metaphor. Elephant in the room represents an obvious issue that no one discusses or challenges. These types of phishing emails are very much an elephant in the room for a lot of security professionals. Why? Because we see far more serious issues during day-to-day operations in our networks. Many people (including me) feel we have better things to worry about.

But these types of phishing emails are constantly sent. They represent an on-going threat, however small they might be in comparison to other issues.

Messages with fake login pages for Netflix, Apple, email accounts, banks, and other organizations occur on a daily basis. For example, on, the stats page indicates an average of 1,000 to 1,500 unique URLs were submitted on a daily basis during the past month. Stats for specific months show 58,556 unique URLs submitted in May 2017 alone.

Fortunately, various individuals on Twitter occasionally tweet about the fake login pages they find. Of course, many people also notify sites like PhishTank,, and many other resources to fight this never-ending battle.

So today, its open discussion on these phishing emails. Do you know anyone thats been fooled by these messages? Are there any good resources covering these phishing emails I forgot to mention? If so, please share your stories or information in the comments section below.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Tuesday, June 27th 2017, (Tue, Jun 27th)

SANS Internet Storm Center - June 27, 2017 - 1:15am
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud (Part 1), (Mon, Jun 26th)

SANS Internet Storm Center - June 26, 2017 - 12:11pm

[This is the first part of a multi-part a guest diary written byDr. Ali Dehghantanha]

One of the nightmares of any forensics investigator is to come across a new or undocumented platform or application during an investigation with tight deadlines! The investigator has only limited research time to detect evidences hoping not to miss any essential remnants! Fortunately there is a field of research called Residual Data Forensic in which researchers detect and document remnants (evidence) of forensic value of user activities on different platforms. Residual forensic researchers are usually listing minimum evidences that can be extracted by a forensics practitioner.

In one of my recent engagements, I had to investigate BitTorrent Sync version 2.0 on a range of different devices. Back then I used papers authored by Scanlon, M., Farina et al., (Refer to References 1,2,3,4) on the investigation of BitTorrent Sync (version 1.1.82). However, as a redesigned folder sharing workflow has been introduced in the newer version of BitTorrent Sync (from version 1.4 onwards), there is a need to develop an up-to-date understanding of the artefacts from the newer BitTorrent Sync applications.

In a series of diaries I am going to discuss about residual artefacts of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, iPhone 4 running iOS 7.1.2 and a HTC One X running Android KitKat 4.4.4 (For a more involved reading which include experiment setup and full details of our investigation please refer to our paper titled Forensic Investigation of P2P Cloud Storage: BitTorrent Sync as a Case Study (Reference 5)). Please feel free to comment about any other evidences that you came across in your investigations and/or suggest other investigation approach.

This diary post explains artefacts of directory listings and files of forensic interest of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.

The downloaded folders were saved at %Users%\[User Profile]\BitTorrent Sync, /home/[User profile]/BitTorrent Sync, and /Users/[User Profile]/BitTorrent Sync on the Windows 8.1, Ubuntu OS, and Mac OS clients by default, respectively. Within the shared folders (both locally added and downloaded) there is a hidden .sync subfolder. The file of particular interest stored within the subfolder is the ID file which holds the folder-specific share ID in hex format. The share ID would be especially useful when seeking to identify peers sharing the same folder during network analysis.

When a synced file was deleted, copies of the deleted file can be recovered from the /.sync/Archive folder of the corresponding peer devices. It is important to note that the deleted files will only be kept in the archive folder for 30 days by default. Copies of the deleted files alongside the pertinent file deletion information (e.g., the original paths, file sizes, and deletion times) can be recovered from the %$Recycle.Bin%\SID folder on Windows 8.1, but the files are renamed to a set of random characters prefixed with $R and $I. On Ubuntu machine, copies of deleted files can be recovered from /home/[User Profile]/.local/share/Trash/files folder. Original file path and deletion time can be recovered from .TRASHINFO files located in /home/[User Profile]/.local/share/Trash/info/. In contrast to Windows and Ubuntu OS, examination of the Mac OSX trash folder (located at /Users/[User profile]/.Trash) only recovered copies of the deleted files. However, it is noteworthy that the findings are only applicable to the system that initiated the file deletion and as long as the recycle bin or trash folder is not emptied. A practitioner could potentially recover the BitTorrent Sync usage information from various metadata files resided in the application folder located at %AppData%\Roaming\BitTorrent Sync on Windows 8.1 and /Users/[User Profile/Library/Application Support/BitTorrent Sync on Mac OSX.

The application folder maintains a similar directory structure across multiple operating systems, and the /%BitTorrent Sync%/.SyncUserRandom number subfolder is an identity-specific application folder that will be synchronised across multiple devices sharing the same identity. The first file of particular interest within the application folder is settings.dat which maintains a list of metadata associated with the device under investigation such as the installation path (which could be distinguished by the exe_path entry), installation time in Unix epoch format (install_time), non-encoded peer ID (peer_id), log size (log_size), registered URLs for peer search (search_list, tracker_last etc.), and other information of relevance. The second file of forensic interest within the application folder is the sync.dat which contains a wealth of information relating to the shared folders downloaded to the device under investigation. In particular, the device name could be discerned from the device entry. The identity entry records the identity name (name) of the device under investigation as well as the private (private_keys) and public keys (public_keys) used to establish connections with other devices. A similar finding was observed for the peer identities in identities entry. A replication of the identity and identities entries can be located in the local-identity-specific /%BitTorrent Sync%/.SyncUserRandom number/identity.dat file and peer-identity-specific /%BitTorrent Sync%/.SyncUserRandom number/identities/[Certificate fingerprint] file (with the exception of the private key) respectively. The access-requests entry holds a list of metadata pertaining to the identities which sent folder access requests to the device under investigation such as the last used IP addresses in network byte order (addr), identity names (name), public keys public_keys) of the requesting identities, as well as base32-encoded temporary keys (invite), requested folder IDs, requested times (req_time), requested permissions (requested_permissions where 2 indicates read only, 3 indicates read and write, and 4 indicates owner), and granted permission (granted_permissions).

Located within the folders entry of the sync.dat file was metadata relating to the synced folders. It should be noted that this entry will never be empty as it will always contain at least an entry for the identity-specific /%BitTorrent Sync%/SyncUserRandom number application folder. Amongst the information of forensic interest recoverable from the folders entry included the folder IDs (folder_id), storage paths (path), the addition and last modified dates in Unix epoch format, the peer discovery method(s) used to share the synced folders, the access and root certificates keys, whether the folders have been moved to trash, and other information of relevance. Correlating the folder IDs recovered from folders entry with the folder IDs located in /%BitTorrent Sync%/SyncUserRandom number/devices/[Base32-encoded Peer ID]\folders\ may determine the shared folders associated with a peer device. Analysis of the access control list (acl) subentry (of the folders entry) can be used to identify the permissions of identities associated with each shared folder, such as the identity names (name), public keys (public_keys), signature issuers, the times when the identities were linked to a specific shared folder, as well as other information of relevance. Similar details can be located in the folder-specific /%BitTorrent Sync%/.SyncUserRandom number/folders/[Folder ID]/info.dat file. The peers subentry (of the folders entry), if available, would provide a practitioner information about the peers associated with the shared folders added by the device under investigation such as the last completed sync time (last_sync_completed), last used IP address (last_addr) in network byte order, device name (name), last seen time (last_seen), last data sent time (last_data_sent), and other relevant information.

Another file of interest which can potentially allow a practitioner to recover the sync metadata is the /%BitTorrent Sync%/[share-ID].db SQLite3 database. This share-ID-specific database describes the content of a shared folder (including the /%BitTorrent Sync%/SyncUserRandom number application folder) such as the shared filenames or folders (stored in the path table field of the files table), hashes, and transfer piece registers for the shared files or folders. Once the shared filenames or folders have been identified, a practitioner may map the details to the /%BitTorrent Sync%/history.dat file (which maintains a list of file syncing events appeared in the History of the BitTorrent Sync client application) to obtain the sync times in Unix epoch format as well as the associated device names width:300px" />

Figure 1: History.dat file

/%BitTorrent Sync%/ file holds the last used process identifier (PID) which can be used to correlate data with physical memory remnants (e.g., mapping a string of relevance to the data resided in the memory space of investigating PID using the yarascan function of Volatility). It is important to note that all the metadata files aforementioned are Bencoded (with the exception of the file) and the old metadata files would have. width:300px" />

Figure 2:

Disconnecting a shared folder, it was observed that no changes were made to the peer devices, even when the option delete files from this device was selected to permanently delete the sync files/folders from the local device. Unlinking an identity from investigated devices, it was observed that the identity-specific /%BitTorrent Sync%/.SyncUserRandom number application folder will be deleted from the local device. However, only the identity-specific metadata will be removed from the identity and identities entries of the local and peer devices settings.dat files.

Undertaking uninstallation of the Windows client application would remove synced folders from folders containing the .sync subfolder in the directory listing. Manual uninstallation of the Linux and Mac client applications left no trace of the client application usage/installation in the directory listing, but (obviously) deleted files/folders were recoverable from the non-emptied /Users/[User profile]/.Trash folder of the Mac OSX VM investigated.

Undertaking data carving of unallocated spaces (of the file synchronisation VMs) could recover copies of synced files as well as the log and metadata files of forensic interest (e.g., sync.log, sync.dat, history.dat, and settings.dat used by the client applications). A search for the terms bittorrent, bencode keys specific to the metadata files of relevance, as well as the pertinent log entries was able to locate copies of the recovered files. The remnants remained even after uninstallation of client applications, which suggested that unallocated space is an important source for recovering deleted BitTorrent Sync or synced files.

Our next post would describe investigation of BitTorrent log files.


1)Scanlon, M., Farina, J. and Kechadi, M. T. (2014a) BitTorrent Sync: Network Investigation Methodology, In IEEE, pp. 2129, [online] Available from: (Accessed 11 March 2015).

2)Scanlon, M., Farina, J., Khac, N. A. L. and Kechadi, T. (2014b) Leveraging Decentralization to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync, arXiv:1409.8486 [cs], [online] Available from: (Accessed 18 March 2015).

3) Scanlon, M., Farina, J. and Kechadi, M.-T. (2015) Network investigation methodology for BitTorrent Sync: A Peer-to-Peer based file synchronisation service, Computers Security, [online] Available from: (Accessed 9 July 2015).

4) Farina, J., Scanlon, M. and Kechadi, M. T. (2014) BitTorrent Sync: First Impressions and Digital Forensic Implications, Digital Investigation, Proceedings of the First Annual DFRWS Europe, 11, Supplement 1, pp. S77S86.

5) Teing Yee Yang, Ali Dehghantanha, Kim-Kwang Raymond Choo, Forensic Investigation of P2P Cloud Storage: BitTorrent Sync as a Case Study, (Elsevier) International Journal of Computers Electrical Engineering, 2016.

Find out more about Dr. Ali Dehghantanha at

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Monday, June 26th 2017, (Sun, Jun 25th)

SANS Internet Storm Center - June 25, 2017 - 11:50pm
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of &quot;Precious&quot;, (Mon, May 29th)

SANS Internet Storm Center - June 25, 2017 - 5:41pm

For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will not happen), this is your regular reminder on how to keep your electronics secure while traveling.

Checking a laptop is considered inadvisable for a number of reasons:

- Your laptop is out of your controland could be manipulated. It is pretty much impossible to secure a laptop if an adversary has control of it for a substantial amount of time. These attacks are called sometimes called evil maid attacks in reference to having the laptop manipulated while it is stored in a hotel room.

- Laptops often are stolen from checked luggage. Countless cases have been reported of airport workers, and in some cases, TSA employees, stealing valuables like laptops from checked luggage.

- Laptops contain lithium batteries which are usually not allowed to be checked as there have been instances of them exploding (and this fact may very likely block the laptop ban)

You are typically not allowed to lock your checked luggage. And even if you lock it, most luggage locks are easily defeated. The main purpose of a lock should be to identify tampering, not to prevent tampering or theft.

Here are a couple of things that you should consider when traveling with your laptop, regardless of where you keep it during your flight:

- Full disk encryption with pre-boot authentication. This is a must of any portable device, no matter where you are flying. You will never be able to fully control your device. Larger devices like laptops are often left unattended in a hotel room, and hotel safes provide minimal security.

- Power your device down. Do not just put it to sleep. For checked luggage, this may even prevent other accidents like overheating if the laptop happens to wake up. But powering the laptop down will also make sure encryption keys can not be recovered from memory.

- Some researchers suggest covering the screws on your laptop in glitter nail polish. Take a picture before departure and use it to detect tampering.

- Take a blank machine, and restore it after arrival from a network backup. This may not be practical, in particular for international travel. But you could do the same with a disk backup, and so far, USB disks are still allowed as carry-on and they are easier to keep with you. Encrypt the backups.

- Take a blank machine and use a remote desktop over the network. Again, this may not work in all locations due to slow network speeds and high costs. But this is probably the most secure solution.

- If you are lucky enough to own a laptop with removable hard drive, then remove it before checking your luggage.

- Before departure, setup a VPN endpoint that allows connections on various ports and via HTTP proxies (e.g. OpenVPN has a mode allowing this). You never know what restrictions you run into. Test the VPN before you leave!

Have a plan for what happens if your laptop is lost or stolen. How will you be able to function? Even if you do not have a complete backup of your laptop with you, a USB stick with important documents that you will need during your trip is helpful, as well as a cloud-based backup. You may want to add VPN configuration details and certificates to the USB stick so you can connect to one if needed. Be ready to use a loaner system for a while with unknown history and configuration to give a presentation, or even to use for webmail access. This is a very dangerous solution, and you should reset any passwords that you used on the loaner system as soon as possible. But sometimes you have to keep going under less than ideal circumstances. Of course, right now, you can still bring your phone onboard, which should be sufficient for e-mail in most cases.

In general, this advice should be obeyed anyway when traveling. It is very hard to stay not leave your laptop unsupervised over a long trip. If you dont trust hotel safes (and you should not trust them), then it may make sense to bring your own lockable container like a Pelikan case with solid locks (Pelikan also makes a backpack that works reasonably well but is a bit bulky and heavy). Dont forget a cable to attach the case to something. Just dont skimp on the locks and again: The goal is to detect tampering/theft, not to prevent it. Any case that you can carry on an airplane can be defeated quickly with a hacksaw or a crowbar, and usually, it takes much less.

Also, see this Ouch! Newsletter about staying secure while on the road:

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

All times are GMT +2. The time now is 09:30.

©2001-2017 - -