The Art of Electronic Deduction

From DocDroppers

Author: StankDawg
Date Released: 02/25/2006 - In Blacklisted411 magazine.
Added to DD: 14:30, 11 Apr 2006 (EST)


Deduction is the act of applying reason to arrive at some conclusion. It is a skill that is important to detectives or investigators, but it is a skill that can come in handy for everyone, including hackers.


Your powers of intuition and deduction should be something that you always have turned on. Think of it as the hacker’s version of “Spidey-sense”. We are the type of people who question everything and believe nothing until we have confirmed it with our own eyes, so analytical skills play a huge part in most hackers’ personalities. When you see anything on the internet, or anywhere else for that matter, it should always be studied and questioned. In the age of journalists who make up fake news stories and fudge the facts, and in a world where any image can be easily altered (or even created from scratch) by software, why would we believe anything that we see anymore? The old adage of “seeing is believing” doesn’t have the same meaning as it used to. This is why it is important to develop your skills of deduction.


Electronic deduction is a very vague term since the word “electronic” can refer to a lot of things. This vagueness is intentional. Electronics can be as simple as understanding how technology works and questioning any claims made by salespeople or television commercials. Don’t be led by employees of “Best Lie” or electronics superstores who will tell you anything to get your money. Question them. By understanding the technology of the subject matter, you can catch a salesperson in a lie very easily. You can recognize lies in commercials instantly. More to the point for this article, however, is electronic deduction on a computer.


The aforementioned image-altering software (such as Photoshop, or the GIMP) is very powerful, and to the untrained eye the results can be very convincing. Contests are held every day on the internet. We even have them in our own Binary Revolution forums. These are great demonstrations of the power of image manipulation. Those people who know how this process works can take the image apart and know whether an image is fake or real by analyzing the data itself.


One well-known example is the picture of the tourist standing on top of a World Trade Center tower with the 9/11/2001 (never forget) hijacked plane seen in the air behind him just before impact. This picture made the rounds not only on the internet, but in the mainstream media as well. News agencies were reporting on it with the story that it was found in the rubble of the buildings. This was later discovered to be a hoax, created in Photoshop. One other notable example is the picture of George W. Bush reading a children’s book in front of a Houston classroom. This image was an obvious fake, but it was circulated and believed to be real by most people. Luckily, hackers are smarter than most people. The moral is to always think with your brain, not with your eyes.


So now that you understand how easy it is to create fake digital data, let us turn our focus to applying our powers of deduction to determine facts from digital data. This could go on to become an enormous lesson in metadata and digital forensics, but to get you started down that path, we are going to do some basic footprinting as an application of our deductive skills.


Take this first example below. It is obviously a screenshot that most readers will immediately recognize as Microsoft Windows XP. This is our first assumption. Right now, we can make that assumption, since there are no other public versions of MS operating systems that have the same look that Windows XP does. There are pre-release versions of Windows Vista out there, which could be mistaken for XP, but they are not that prevalent yet. If there are multiple possibilities, you may not be able to make such a high-confidence assumption as in this example. You may see a Linux toolbar that does not give you any clue as to which distribution of Linux is being used. It is still worthy of note, because in further investigation you may find another piece of software that combines with this fact to give you a better profile of what you are dealing with. This is the most important point of this article. You do not have to arrive at absolute facts. You only need enough information that combines to form an assumption that may or may not be an absolute fact. It may not be conclusive enough for a court of law, but it can certainly create a preponderance of evidence for real-world scenarios.



From this picture we can make a series of assumptions that may be questionable individually, but when combined together, help create a profile. This simple example can be done quickly by brainstorming while looking at the screen capture above.


We already know that it is the Windows XP operating system, so let’s look closer at the clues presented to us. The next thing that you may notice is the icon of an “electric” cord. This is not normally seen on desktop computers, so we can assume that this was taken on a laptop (that was plugged in at the time of the screen capture). It could also have been a desktop with a battery UPS, but this is much rarer since few people actually use a UPS. This is an example where the observation cannot be conclusive by itself, but let’s see what else we can find to corroborate the profile.


There is a speaker icon showing, but it has the circle with a slash through it, which indicates that the person has muted their sound. When would someone do this? It isn’t very often that someone would mute the sound in their own house. This may be the corroborating evidence that we need to back up our earlier laptop assumption. You have made your first deduction and filled in a piece of the puzzle on the profile of this user.


We also see other icons that may or may not be familiar to you. You may have to research some of them on the internet. In this example, we see the MS Outlook icon. This is very common and may not lead to anything conclusive, but we note it anyway. Another icon is for the chat application called Trillian, which is a program that allows people to use multiple chat protocols (AIM, Yahoo IM, MSN, etc…) in one client. This icon holds a lot of information. Firstly, you can tell from the yellow at the top of the icon that the person is connected. Trillian will show “black” if it is not connected to any services. At the same time, the bottom part of the icon is black, meaning that while they are connected to a chat service, they are not connected to all available chat services. This chat connection is confirmed by the network icon on the far left. This will only show when the person is connected to a network.


So with this small bit of information, what kind of a user do we think this belongs to? We have a profile that shows them to be a laptop user, and someone who uses MS Outlook for their mail client. Since the mail client is the only other software open besides the chat client, we realize that this user apparently has a need to be connected to information. We also can make a small assumption that the user has some experience and comfort with computers in general. Trillian is not an application that a basic user would know about. With the volume turned off, this is not likely to be a home computer, so two possibilities that jump to mind are that it is a laptop belonging to a student or a business person. It could be either, but personally, I would assume a student to have even more software installed and more icons showing.


For the record, this was a screenshot from my work laptop taken in an airport terminal where I was connected to the internet and doing some work for a client. This holds true with almost all of the assumptions that we made, and it fits the profile that we came up with. With one small screenshot, a very accurate profile of the user was made. The time on this image is 3:37 PM, which doesn’t have any significance in this example (other than to confirm that it was taken during work hours), but it is an Easter egg that you can research on your own.


Let’s try another example. Look at the taskbar screenshot below. I am intentionally using small screenshots of the taskbar for these examples because it best illustrates the power of deduction. You can apply these techniques to full screenshots, videos, or anything else that you can think of. If we saw the full screen, we could see wallpaper that may describe a personality, icons for installed software, and filenames that may hold clues such as names or businesses. The possibilities are endless.



Let’s take this example and put it through some actual steps that you can recreate on your own. We can create an organized, structured approach that we can use consistently until you get the hang of doing it in your head. Creating a structured approach makes the analysis much more thorough, so let’s break the process down into the following steps:


  1. Determine the operating system being used.
  2. Determine the hardware being used.
  3. Enumerate the software being used.
  4. Analyze the status of the hardware and software by examining each item individually.
  5. Note other items such as system settings, times/dates, color preferences, and other information.
  6. Analysis/Conclusion.


First off, we can determine once again that this image is a screen capture from Microsoft Windows XP. Keep this in mind as a clue to other software. Some software packages are OS exclusive, and if you see software from another OS in use, you may have a contradiction in logic that may force you to re-evaluate your assumptions.


How do we determine hardware? There are a couple of ways. Most hardware requires a piece of software called a driver to get the OS and the hardware to communicate. This piece of software usually shows up on the computer. In this screenshot we see signs of hardware. What does the existence of the battery icon represent? What does it indicate, if anything? What about the bars on the far right next to the clock? They indicate that a wireless card is present, and if you know the specific icon, you will know what type of wi-fi card it is. If you determine what type of card it is from the icon, you will reveal a clue that confirms the manufacturer of the laptop. The network icon with the red “X” on it indicates that the network connection is disabled. Why would someone intentionally do this?


Next we can enumerate the software. It is important to point out that education and, more importantly, experience play a large part in this process. You may not recognize all of the icons in this image. The more experience you have with different software packages, the more evidence you can compile in your analysis, and the more accurate your findings will be. For those of you who may not be familiar with it, I will quickly point out that the icon with the exclamation mark is an application that ships with Dell computers called “Dell Support Alert”, which sends out alerts from Dell. Knowing that piece of software helps confirm one of our hardware assumptions.


Other software includes MS Office (on the far left), MS Money (the icon with the letter “M”), and GetRight (a download tool). The download tool is an interesting inclusion since it is not something that your typical user might have. The specific icon for MS Office is also a special icon. Some research on it will give you more information about the status of that particular MS Office installation. And what type of user uses MS Money? That is not something you find in an office or from a business user, so what other type of person may use this software? Our profile is starting to become clearer as we continue the process.


Now that we have broken down most of what we see on the screen, is there anything else that we missed? What other clues are there which may be significant? It is difficult to tell in this cropped image, but we can see a small portion of the desktop wallpaper showing in the image (if you cannot see the image clearly in print, the original image will be available online via stankdawg.com). Some of you may recognize it as the default wallpaper on many Dell machines. That is noteworthy, since it further confirms our earlier conclusions about the manufacturer of the hardware. Also, the time of day on the clock may or may not be relevant, but it still should be noted in our analysis. The time of day is 12:39 PM. It doesn’t carry much value in this case, but what if you saw 2:35 AM? What kind of user would be up at that time of day? What if the time was shown in military time? What kind of person would set their computer clock to military time?


So you have a pretty lengthy checklist of information now. Some of it is clear, based on hardware and software, while some of it is circumstantial and may not mean anything independently. The point is not to make individual conclusions, but to combine all of this information to form a strong profile. What conclusion, if any, can we arrive at based on what we have seen in this tiny image? I think we can safely assume the following:


  • This user is probably somewhat of a power user, based on the settings that we see applied and the types of applications being used.
  • This user has software installed that is not typical of an office environment. This is most likely a home user or possibly a student.
  • MS Money is very closely associated with home users, and not with students. This circumstantial evidence leans more towards our home user theory.
  • The system is almost definitely a laptop.
  • It is almost definitely a Dell brand laptop, due to the Dell Alert software, the Dell wallpaper, and the Dell wi-fi icon.


All of this adds up to a very accurate profile of the user of this screenshot. Once again, the user in this scenario is me, but the system was a little bit different. The system was a new desktop from Dell that still had preinstalled items on it, but was also in the process of being customized. I use it on the airplane and took the screen capture while flying, so there are no networks present (which is why they are disabled). It came preinstalled from Dell and I have not bothered to uninstall the Dell Alerts software that you see, nor have I activated the MS Office installation (which is why the MS Office icon is in the taskbar). I use GetRight because airport wi-fi connections are notoriously unreliable and I want interrupted downloads to pick up where they left off. Can you see that there is certainly enough information in that tiny screenshot to make a very precise profile of me as a user?


This is a great exercise that anyone can do. This article started off as a little game that I made up for my local BinRev meeting and it is a fun exercise that you can do at your local meetings or just privately to hone your skills. You may have never thought of looking so closely at something as common as a screenshot. Not only does a screenshot reveal a lot of information, but metadata in all electronic files can reveal enormous amounts of information. Think about that the next time you upload anything or see anything uploaded. As it turns out, a picture truly is worth a thousand words. The next time that you see a screenshot somewhere, make sure that you apply your skills of reason and practice the art of electronic deduction.


“The Revolution Will Be Digitized!”


Shoutz: The Digital DawgPound, BR561, Jawga, Acidus, Phizone, MC Frontalot, Zearle.
