Open-Source Digital Forensics Software

This paper will discuss four important open-source tools used in digital forensics and incident response investigations. The tools covered will be: Nmap/Zenmap, NetworkMiner, Dumpzilla, and Ophcrack. 

Nmap/Zenmap

Nmap (and its GUI counterpart, Zenmap) is an active network enumeration tool: it sends specially crafted packets to hosts and listens for the responses. From those responses it works out which hosts are up, which ports are open, closed or filtered, what service and version is listening on each open port, and (with OS detection enabled) a guess at the operating system. Nmap is the CLI version and Zenmap the GUI version. I personally prefer the command line, because I believe it is faster, but many people are more comfortable in a GUI than in a CLI. When testing Nmap against Google’s public DNS server, it came back with the open ports and some service fingerprinting that tells us more about the machine we are enumerating. I was able to see that ports 53 and 443 were open; the remaining ports were most likely reported as filtered because a firewall dropped my probes instead of replying. This tool can be used in investigations to enumerate a network, but keep in mind that it is noisy (a scan of hundreds of ports stands out in firewall and IDS logs) and can bring unwanted attention to yourself; it also generates traffic on the target, so scan only hosts you are authorized to scan. 

I used the option -sCV (shorthand for -sC -sV) to specify that I want the default NSE scripts to run and service/version detection to be performed. There are a lot of options you can use. Some are more aggressive and get you more information: -A adds OS detection, version detection, script scanning and traceroute, and the -T4 timing template speeds the scan up. Others are slow and stealthy to avoid detection: -T0 or -T1 spreads the probes out over a long time, and scanning a handful of ports with -p rather than the default 1000 produces far less traffic. Whichever you pick, add -oX or -oA so the results are saved in a machine-readable form that can be parsed or compared against a later scan instead of living only in a terminal scrollback. 
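The -oX output is the form an investigator actually works with, so the following added example (my own illustration, not code from the Nmap project or from this paper’s original scans) parses it into per-host records, pulls out the confirmed-open ports, and diffs two scans to show which ports appeared since a baseline. The XML below is constructed to mimic the shape of nmap -sCV -oX output; the address, hostname and services in it are made up (192.0.2.0/24 is a documentation range), not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sCV -oX scan.xml <target>` output.
# The host, hostname, services and counts are invented for this example.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sCV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="dns.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/>
        <service name="domain" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0" tunnel="ssl" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Turn nmap -oX output into a list of per-host dicts."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        extra = host.find("ports/extraports")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            # nmap collapses ports that all share one state into <extraports>; "filtered"
            # means the probes got no answer at all, typically a firewall dropping them.
            "filtered": int(extra.get("count")) if extra is not None and extra.get("state") == "filtered" else 0,
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            product = ""
            if service is not None:
                product = " ".join(filter(None, [service.get("product"), service.get("version")]))
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else None,
                "service": service.get("name") if service is not None else None,
                # method="table" is just the well-known-port name; "probed" means -sV actually talked to it
                "probed": service is not None and service.get("method") == "probed",
                "product": product or None,
            })
        hosts.append(entry)
    return hosts


def open_ports(hosts: list) -> set:
    """(address, port) pairs confirmed open; closed and filtered ports are ignored."""
    return {(h["addr"], p["port"]) for h in hosts for p in h["ports"] if p["state"] == "open"}


def newly_open(baseline: list, current: list) -> set:
    """Ports open now that were not open in an earlier scan: the delta an IR team cares about."""
    return open_ports(current) - open_ports(baseline)


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], h["hostname"], h["state"], f"{h['filtered']} filtered")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']:<8} {p['service'] or '?'} {p['product'] or ''}")
```

Keeping the baseline scan’s XML and running newly_open against each later scan turns Nmap from a one-off enumeration into a cheap change detector for the hosts you are responsible for.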

Zenmap is the GUI counterpart to Nmap, performing the same functionality, only in a graphical interface. The interface is simple to use: scan types are offered under plain-language profile names (such as “Quick scan” or “Intense scan”), and the exact nmap command that will run in the background is shown alongside, so you can see which flags each profile maps to. This isn’t a bad way to learn the different kinds of scans and how their options interact. The output will look something like this:

NetworkMiner

Sometimes active enumeration is not an option. Actively touching a network can degrade its performance and can sometimes even bring down fragile machines (embedded and industrial devices in particular do not always cope with a port scan). This is where NetworkMiner comes in. NetworkMiner is a passive network forensic analysis tool: it sniffs a live interface or reads a PCAP file and, without sending a single packet, works out the operating system, hostname, open ports and other features of the machines it sees, and can also carve transferred files, images and credentials out of the traffic. After running it on my machine and surfing the web for a short while, these were my results:

Where Wireshark puts the packets themselves at the forefront of what a user sees, NetworkMiner focuses on enumeration. When I look at my results, they are grouped under the IP addresses that interacted with my network. I expanded the entry for my own device and saw that it guessed Windows, which is correct. It probably does this based on the TTL of the packets. That is indeed the core of passive OS fingerprinting: most Windows versions send packets with an initial TTL of 128, most Linux and Unix-like systems with 64, and network devices with 255, so the TTL seen on the wire (minus the hops travelled) narrows the OS family down; tools then refine the guess with TCP window size, option ordering and similar header details. Although I would not use this tool for real-world network diagnosis, it may be another tool in your arsenal for enumerating a network and putting together a more detailed network map. 
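To make the TTL heuristic concrete, here is an added example (my own code, not NetworkMiner’s, which uses full fingerprint databases rather than TTL alone) that parses the fixed 20-byte IPv4 header of captured packets, picks the nearest common initial TTL, and reports one OS-family guess and hop estimate per source address. The packets are constructed in the script with the addresses and TTLs a small LAN capture might contain; they are not real traffic, and the checksum field is left at zero because nothing here verifies it.

```python
import ipaddress
import struct

# Default initial TTLs of the major OS families (an assumption of this heuristic:
# administrators can change them). An observed TTL is the initial value minus hops.
INITIAL_TTLS = ((64, "Linux/Unix/macOS"), (128, "Windows"), (255, "Network device/Solaris"))

IPV4_HDR = "!BBHHHBBH4s4s"   # the fixed 20-byte IPv4 header in network byte order


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 header for the sample capture (checksum left 0, never verified)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(packet: bytes) -> dict:
    """Pull TTL, protocol and both addresses out of the first 20 bytes of a packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto}


def guess_os(ttl: int) -> tuple:
    """Smallest common initial TTL at or above the observed one; the gap is the hop count."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", None


def fingerprint_hosts(packets: list) -> dict:
    """One verdict per source address, keeping the highest TTL seen (closest to the initial value)."""
    best_ttl = {}
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        best_ttl[hdr["src"]] = max(best_ttl.get(hdr["src"], 0), hdr["ttl"])
    result = {}
    for src, ttl in best_ttl.items():
        family, hops = guess_os(ttl)
        result[src] = {"ttl": ttl, "os": family, "hops": hops}
    return result


# Constructed capture: what three senders might look like from one LAN segment (not real traffic).
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "192.0.2.1", ttl=128),    # local Windows box, 0 hops away
    build_ipv4_header("198.51.100.7", "192.0.2.10", ttl=51),  # remote Linux server, 13 hops
    build_ipv4_header("192.0.2.1", "192.0.2.10", ttl=255),    # the gateway itself
    build_ipv4_header("198.51.100.7", "192.0.2.10", ttl=49),  # same server via a longer path
]

if __name__ == "__main__":
    for src, info in fingerprint_hosts(SAMPLE_PACKETS).items():
        print(f"{src:<14} ttl={info['ttl']:<3} os={info['os']} (~{info['hops']} hops)")
```

The hop estimate is only as good as the assumption about the initial value; a Linux host configured with a TTL of 128 will be reported as Windows, which is exactly why real passive fingerprinting tools cross-check several header fields.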

Dumpzilla

Dumpzilla is a Python tool that extracts browsing artefacts from a Firefox profile (it also supports the lesser-used Mozilla-based browsers Iceweasel and SeaMonkey). Rather than capturing traffic, it reads the SQLite and JSON files in the profile directory and reports history, bookmarks, cookies, downloads, form-field and search entries, saved sessions and similar data. This is an incredibly useful, and dangerous, tool if it can get onto a victim machine. I ran the tool and got results from an older Firefox profile I used in 2021: 

It is kind of scary seeing that a tool can extract exactly what I put into the search bar of my browser (those entries live in formhistory.sqlite, alongside every other form field the browser remembered), but thinking from a red team perspective it can be extremely useful during a penetration test to find the sites a target visits regularly and pick candidates for a watering hole attack. In terms of incident response, this tool allows an investigator to quickly gather browsing data from a host machine. A script can be written to download the tool onto the machine, run it against every Firefox profile on the machine, transfer the results back to the investigator, and then remove the tool. Bear in mind, though, that running and deleting tools on the suspect host alters the evidence; the sounder workflow is to copy the whole profile directory (on Windows under %APPDATA%\Mozilla\Firefox\Profiles\, on Linux under ~/.mozilla/firefox/), hash the copy, and run Dumpzilla against the copy on the analysis workstation. Copying also sidesteps the lock Firefox holds on its databases while it is running. 
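The history that Dumpzilla reports comes from two tables in places.sqlite: moz_places (one row per URL) and moz_historyvisits (one row per visit, with a PRTime timestamp in microseconds since the Unix epoch and a pointer to the visit that led there). The added example below, written for this paper and not taken from Dumpzilla, builds a small in-memory stand-in for that database with constructed rows, reproduces the join Dumpzilla’s history report has to perform, and then recovers search terms from the q= parameter of search-engine URLs. Only the columns the example reads are modelled; the real schema has many more.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def prtime(iso_utc: str) -> int:
    """Firefox stores timestamps as PRTime: microseconds since the Unix epoch (UTC)."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def prtime_to_iso(value: int) -> str:
    return datetime.fromtimestamp(value / 1_000_000, tz=timezone.utc).isoformat()


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a profile's places.sqlite (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    places = [  # (id, url, title, visit_count); all invented
        (1, "https://www.google.com/search?q=watering+hole+attack", "watering hole attack - Google Search", 1),
        (2, "https://example.test/blog/", "Example Blog", 2),
        (3, "https://duckduckgo.com/?q=firefox+places.sqlite&t=h_", "firefox places.sqlite at DuckDuckGo", 1),
    ]
    visits = [  # (id, from_visit, place_id, visit_date, visit_type); type 1 = followed link, 2 = typed
        (1, 0, 1, prtime("2021-03-01T12:00:00"), 1),
        (2, 1, 2, prtime("2021-03-01T12:01:30"), 1),   # reached the blog from the Google search
        (3, 0, 3, prtime("2021-03-02T08:15:00"), 2),
        (4, 0, 2, prtime("2021-03-03T09:00:00"), 2),   # later typed the blog URL directly
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,NULL)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    return conn


def history(conn: sqlite3.Connection) -> list:
    """Every visit in chronological order, joined to its URL and to the page it came from."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, r.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
        LEFT JOIN moz_places r ON r.id = fv.place_id
        ORDER BY v.visit_date
    """)
    return [{"visited": prtime_to_iso(ts), "url": url, "title": title,
             "typed": vtype == 2, "referrer": ref}
            for ts, url, title, vtype, ref in rows]


def search_terms(visits: list) -> list:
    """What the user searched for: the q= parameter most search engines put in the URL."""
    terms = []
    for v in visits:
        parts = urlsplit(v["url"])
        q = parse_qs(parts.query).get("q")
        if q:
            terms.append((v["visited"], parts.hostname, q[0]))
    return terms


if __name__ == "__main__":
    conn = build_sample_places()
    for v in history(conn):
        print(v["visited"], "typed" if v["typed"] else "link ", v["url"], "<-", v["referrer"])
    print(search_terms(history(conn)))
```

Against a real copy of a profile, replace build_sample_places() with sqlite3.connect("places.sqlite"); the queries are unchanged. The from_visit chain is what lets an analyst say not just that a page was visited but which search or link led the user there.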

Ophcrack

Ophcrack is a free, open-source Windows password cracker that uses rainbow tables to accomplish its goal. A rainbow table is not simply a list of every password and its hash: it stores long chains of passwords generated by alternately hashing and “reducing” a hash back into a candidate password, and keeps only the first and last password of each chain. A hash can then be checked against the table by extending it to a chain endpoint and regenerating that one chain, which trades a large one-time precomputation for fast lookups. Even so, one downside of rainbow tables is that quite a large amount of storage is usually needed for them. When you download the program, you also need to download the tables you want. To emphasize my point about storage, one table I saw was around 3 GB, which isn’t exactly small for a password cracker. Which table you pick also matters: the “XP free” tables cover LM hashes, which Windows Vista and later no longer store by default, so against a modern SAM you need the NT-hash (“Vista free”) tables. After running the tool with the XP free fast rainbow table, it couldn’t crack the “test” password I provided it:

This is quite disappointing, but I believe that with more rainbow tables and proper password hashes this tool could be useful for getting into a computer. 
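To show what a rainbow table actually stores and why a password outside the table’s character set can never be found, here is an added toy implementation of the time-memory trade-off (my own code, not Ophcrack’s). It uses a 10,000-entry space of four-digit PINs so the whole thing runs in a fraction of a second, SHA-1 in place of the LM/NT hash, a position-dependent reduction function (the “rainbow” part), and stores only chain endpoints; the chain length, chain count and start-point spacing are arbitrary choices for the demo.

```python
import hashlib

ALPHABET = "0123456789"
LENGTH = 4
SPACE = len(ALPHABET) ** LENGTH   # 10,000 possible PINs: tiny on purpose
CHAIN_LEN = 50                    # hash/reduce steps per chain
NUM_CHAINS = 400                  # only NUM_CHAINS (end -> start) pairs are stored, not SPACE hashes


def pw_hash(password: str) -> bytes:
    """SHA-1 stands in for the LM/NT hash that Ophcrack's tables target."""
    return hashlib.sha1(password.encode()).digest()


def index_to_password(n: int) -> str:
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def reduce_to_password(digest: bytes, position: int) -> str:
    """Map a digest back into the password space. Mixing in the chain position is what makes
    this a *rainbow* table: chains that collide at different positions keep diverging."""
    return index_to_password((int.from_bytes(digest[:8], "big") + position) % SPACE)


def build_table() -> dict:
    """Precompute the chains and keep only their endpoints (chains sharing an endpoint are all kept)."""
    table = {}
    for i in range(NUM_CHAINS):
        start = index_to_password((i * 7919) % SPACE)   # arbitrary spread of start points
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_password(pw_hash(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def crack(table: dict, digest: bytes):
    """Return the password behind `digest` if it lies in any chain, else None."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Suppose the password sat at position j: run the rest of the chain to its endpoint.
        cand = reduce_to_password(digest, j)
        for pos in range(j + 1, CHAIN_LEN):
            cand = reduce_to_password(pw_hash(cand), pos)
        for start in table.get(cand, ()):
            # Endpoint matched: regenerate that one chain and look for the digest itself.
            # A match can be a false alarm caused by a merged chain, so always verify.
            pw = start
            for pos in range(CHAIN_LEN):
                if pw_hash(pw) == digest:
                    return pw
                pw = reduce_to_password(pw_hash(pw), pos)
    return None


if __name__ == "__main__":
    table = build_table()
    print("endpoints stored:", len(table), "for a space of", SPACE)
    print("cracked:", crack(table, pw_hash("0000")))          # "0000" starts chain 0
    print("outside the charset:", crack(table, pw_hash("test")))  # letters never occur in a chain
```

The last line is the situation in the Ophcrack run above: a table built over one character set and hash algorithm says nothing about a password (or a hash type) it was never generated for, no matter how large the table is.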

Data Hiding Techniques

Data hiding is a method of doing exactly what the name suggests: hiding sensitive data. It can be used to watermark images, conceal malicious code, and transfer secret messages. This paper will cover four techniques used for data hiding, as well as the tools employed in these techniques.

First, we will cover steganography. Steganography is “the practice of hiding a secret message inside of… something that is not secret.” (Stanger, 2020) One of the core focuses of steganography is to “focus on the imperceptivity of both the hidden data and the act of data embedding.” (Shi et al., 2016) In other words, not only must the data be successfully concealed in a cover medium, but the integrity of that medium must not noticeably deteriorate. If you choose to hide data within an image, a human must not be able to notice that the image quality has decreased. This technique is commonly used with images to embed an invisible watermark. If somebody were to steal the image, ownership could be proven by extracting the watermark data from where it is hidden. 

There is a free online steganography tool (https://stylesuxx.github.io/steganography/) that can be used to hide messages within images. 

As you can see above, it is as easy as selecting an image and typing a message. The two images (before and after steganography) are below, and there is no noticeable difference. We can send this photograph to somebody else, who can then use the decode function to view our original message. Note that “no visible difference” is not the same as “undetectable”: embedding in the low-order bits of pixels leaves statistical traces that steganalysis tools look for, and the payload is fragile, since re-encoding the image (JPEG compression, resizing, even taking a screenshot of it) will usually destroy it. 
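The classic way to hide text in an image while keeping it visually identical is least-significant-bit (LSB) embedding: each pixel value changes by at most 1 out of 255. The added example below (my own code; I have not checked which algorithm the online tool above uses) embeds a message with a length header into a byte array of 8-bit grayscale pixels and extracts it again. The “image” is a constructed 64×64 gradient; with a real picture you would feed in the raw pixel bytes of a lossless format such as PNG.

```python
def embed(cover: bytes, message: bytes) -> bytes:
    """Write `message` into the least significant bit of successive cover bytes (8-bit pixels),
    after a 4-byte big-endian length header so the reader knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} payload bytes, need {len(payload)}")
    out = bytearray(cover)
    idx = 0
    for byte in payload:
        for shift in range(7, -1, -1):                 # most significant bit first
            out[idx] = (out[idx] & 0xFE) | ((byte >> shift) & 1)
            idx += 1
    return bytes(out)


def _read_lsb(stego: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at cover byte `first_bit`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    length = int.from_bytes(_read_lsb(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        # A clean image yields a random header; refusing it beats returning garbage.
        raise ValueError("length header does not fit the cover: no LSB payload, or corrupted")
    return _read_lsb(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any pixel; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 8-bit "image": a repeating horizontal gradient.
COVER = bytes(i % 256 for i in range(64 * 64))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at the old mill, 0400")
    print(extract(stego), "max pixel change:", max_pixel_change(COVER, stego))
```

A 64×64 grayscale cover carries only 512 payload bytes (one bit per pixel); a 1920×1080 RGB photograph carries about 777 KB, which is why images are the usual cover medium.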

Another method of data hiding is code obfuscation. When you write malicious code, you probably do not want it to be reverse engineered, especially by the blue team. Obfuscating your code makes it far harder to understand by adding an overwhelming amount of indirection and redundancy. For example, instead of writing a function that prints out “Hello World”, you can write a function that fetches some web page containing the word “Hello” in its HTML, pulls that word out of the HTML into a variable, and then displays that variable followed by the word “World”. Once run, both functions accomplish the same task, but one of them is much more difficult for a human reader to understand. The free online JavaScript obfuscator at https://obfuscator.io/ applies this kind of transformation automatically: string literals are moved into an encoded array and looked up at runtime, control flow is flattened, and dead code is injected. Below, we can see the stark difference between a simple Hello World script and that same code once it has been obfuscated. 
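The string-encoding pass is the one most worth understanding, because it is what defeats the first thing an analyst does with a suspicious file: run strings on it and grep for URLs, registry keys or “Hello”. The added example below is my own illustration, applied to Python source rather than JavaScript (obfuscator.io works on JavaScript; this is the same idea, not that tool’s code): it walks the syntax tree, replaces every string literal with a call that XOR-decodes it at run time, and prepends the small decoder the program then carries with it. The single-byte key and the sample greet() program are constructed for the demo.

```python
import ast

KEY = 0x5A  # constructed single-byte XOR key; real obfuscators vary keys and layer several passes

# The decoder the obfuscated program carries with it (the counterpart of the
# string-array "unpacker" a JavaScript obfuscator prepends to its output).
DECODER_SRC = f"def _d(b, k={KEY}):\n    return bytes(x ^ k for x in b).decode('utf-8')\n"


class StringHider(ast.NodeTransformer):
    """Replace every string literal with a call that rebuilds it at run time."""

    def visit_JoinedStr(self, node):
        return node  # leave f-strings alone: their parts must remain literal Constant nodes

    def visit_Constant(self, node):
        if isinstance(node.value, str) and node.value:
            encoded = bytes(ch ^ KEY for ch in node.value.encode("utf-8"))
            call = ast.Call(func=ast.Name(id="_d", ctx=ast.Load()),
                            args=[ast.Constant(value=encoded)], keywords=[])
            return ast.copy_location(call, node)
        return node


def obfuscate(source: str) -> str:
    """Return equivalent source in which no string literal survives in the clear."""
    tree = StringHider().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return DECODER_SRC + ast.unparse(tree)


def run(source: str, func_name: str):
    """Execute a module's source text and call one of its functions (no sandbox: demo only)."""
    namespace = {}
    exec(source, namespace)
    return namespace[func_name]()


# Constructed input program.
ORIGINAL = 'def greet():\n    """Say hello."""\n    return "Hello" + " " + "World"\n'

if __name__ == "__main__":
    print(obfuscate(ORIGINAL))
    print(run(ORIGINAL, "greet"), "==", run(obfuscate(ORIGINAL), "greet"))
```

Both versions return the same value, but only the original reveals its strings to a static scan; the flip side for the defender is that the decoder and key ship inside the file, so the strings can always be recovered by running the decoder under instrumentation rather than by reading the code.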

The third method of data hiding is bit shifting. This is when you shift the bits of data so that readable material looks like gibberish. You can perform this on almost any medium, since to get your original data back you only need to shift the bits back to their original positions. It can be applied to code to make it appear as a binary file or some other oddly formatted file. Because an interpreter or loader reads the exact byte values, a bit-shifted piece of code will not run (and file-type identification based on magic bytes will not recognise it) until you reverse the shift. Note that this is encoding, not encryption: a circular shift within a byte has only eight possibilities, so anyone who suspects the trick can recover the data by trying them all. The online tool dCode (https://www.dcode.fr/circular-bit-shift) will allow us to bit-shift a message and make it literally unreadable. 
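The added example below (my own code, not dCode’s) applies a circular shift to every byte of a message, reverses it, and then shows the examiner’s side: with the shift amount unknown there are only eight candidates, so it tries each one and keeps the result that looks most like text. The sample message is a one-line script constructed for the demo.

```python
import string

PRINTABLE = frozenset(string.printable.encode())


def rotl8(byte: int, n: int) -> int:
    """Circular left shift of one byte; bits pushed off the top wrap around to the bottom."""
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def shift(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (n may be negative or larger than 7)."""
    return bytes(rotl8(b, n) for b in data)


def unshift(data: bytes, n: int) -> bytes:
    return shift(data, -n)     # rotating left by -n is rotating right by n


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII: a cheap 'does this look like text' score."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover(blob: bytes) -> tuple:
    """Brute-force the unknown shift: try all eight and keep the most text-like result."""
    best = max(range(8), key=lambda n: printable_ratio(unshift(blob, n)))
    return best, unshift(blob, best)


MESSAGE = b"print('hello world')\n"   # constructed sample: a one-line script

if __name__ == "__main__":
    hidden = shift(MESSAGE, 3)
    print("shifted:  ", hidden.hex())
    print("printable:", round(printable_ratio(hidden), 2))
    print("recovered:", recover(hidden))
```

The printable-ratio score is crude but is exactly the kind of heuristic forensic carving tools apply to unknown blobs; for a binary rather than text payload, scoring against known file signatures after each candidate shift works the same way.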

The last technique covered is hiding data in bad blocks. When a file system looks for places to store information, it skips blocks that have been marked bad. These are “blocks [that] have (supposedly) gone bad.” (Verhasselt, 2009) Such blocks will never be allocated or read by the file system, so if we tell the file system that certain blocks are bad (even if they aren’t), we can write data there directly and the file system will never touch it. The technique is somewhat dated, but legacy systems are still common in valuable infrastructure. For an examiner the tell is a mismatch: on Linux ext2/3/4 volumes the bad-block list is kept in a reserved inode and can be printed with dumpe2fs -b, and blocks listed there that read back without error (or a long list on a drive whose SMART data shows no reallocated sectors) deserve a closer look; imaging the raw device rather than mounting it ensures those blocks are captured at all. Creating and using bad blocks is a straightforward but fairly technical process. If you want to see an in-depth example of this technique, see the following blog post: https://davidverhasselt.com/hide-data-in-bad-blocks/

References

dCode. (2022). Circular bit shift. Retrieved February 14, 2022, from https://www.dcode.fr/circular-bit-shift

Kachalov, T. (n.d.). JavaScript obfuscator tool. Retrieved February 13, 2022, from https://obfuscator.io/

Shi, Y.-Q., Li, X., Zhang, X., Wu, H.-T., & Ma, B. (2016). Reversible data hiding: Advances in the past two decades. IEEE Access, 4, 3210–3237. https://doi.org/10.1109/access.2016.2573308

Stanger, J. (2020, July 6). The ancient practice of steganography: What is it, how is it used and why do cybersecurity pros need to understand it. CompTIA Blog. Retrieved February 13, 2022, from https://www.comptia.org/blog/what-is-steganography

stylesuxx. (n.d.). Steganography online. Retrieved February 14, 2022, from https://stylesuxx.github.io/steganography/

Verhasselt, D. (2009, April 22). Hide data in bad blocks. Retrieved February 14, 2022, from https://davidverhasselt.com/hide-data-in-bad-blocks/